virtio_device/

queue.rs

// Copyright 2021 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

//! Virtqueue management wrappers.
//!
//! This is a slightly opinionated wrapper that presents the underlying [`Device`](ring::Device) and
//! [`Driver`](ring::Driver) rings as a single 'virtqueue' where descriptor chains can be retrieved,
//! walked or iterated, and then returned.
//!
//! The primary opinionated decision taken by this wrapper is that a descriptor chain is considered
//! a formal object that can automatically returns itself to the queue when dropped. This return is
//! then required to have a mechanism to potentially signal the guest driver, via the
//! [`DriverNotify`] trait.

use crate::mem::{DeviceRange, DriverRange};
use crate::ring;
use fuchsia_sync::Mutex;
use std::sync::atomic;
use thiserror::Error;

/// Informs device that driver needs a notification.
///
/// When returning descriptor chains to the queue it may be required, due to the virtio
/// specification, that the driver is supposed to be notified. As descriptor chains can be returned
/// out-of-band during a `drop`, with no opportunity to report via a return code that a notification
/// is needed, this trait exists instead. Further, since the queue has no understanding of the
/// transport protocol, or how the guest should be notified in general, it must appeal to the higher
/// level device code using the [`Queue`].
pub trait DriverNotify {
    /// Driver requires a notification.
    ///
    /// Indicates the device must notify the driver for correct continuation of the virtio protocol.
    /// The notification does not need to happen synchronously during this call, it can be stored
    /// and performed at some later point, but the driver may not make progress until it is
    /// notified.
    fn notify(&self);
}

/// Mutable state of a virtqueue.
///
/// Includes both the reference to the [`Device`](ring::Device), which is the memory shared with the
/// guest that we actually need to manipulate, as well as additional state needed for us to
/// correctly implement the virtio protocol. Captured here in a separate struct so that it can be
/// wrapped in a [`Mutex`] in the [`Queue`].
struct State<'a> {
    device: ring::Device<'a>,
    // Next index in avail that we expect to be come available
    next: u16,
    // Next index in used that we will publish at.
    next_used: u16,
}

impl<'a> State<'a> {
    /// Return a descriptor chain.
    ///
    /// `written` is the number of bytes that were written by the device to the beginning of the
    /// buffer.
    ///
    /// Returns to the driver, by writing it to the device owned ring, and returns the index that
    /// it was published at. This index is intended to be used when determining whether the driver
    /// needs a notification.
    fn return_chain(&mut self, used: ring::Used) -> u16 {
        let submit = self.next_used;
        self.device.insert_used(used, submit);
        self.next_used = submit.wrapping_add(1);
        self.device.publish_used(self.next_used);
        // Return the index that we just published.
        submit
    }
}

/// Describes the memory ranges for a queue.
///
/// Collects the three different memory ranges that combined make up the [`Driver`](ring::Driver)
/// and [`Device`](ring::Device) portions of a queue. This exists as a way to conveniently name the
/// members for passing to [`Queue::new`]
#[derive(Debug, Clone)]
pub struct QueueMemory<'a> {
    pub desc: DeviceRange<'a>,
    pub avail: DeviceRange<'a>,
    pub used: DeviceRange<'a>,
}

/// Representation of a virtqueue.
///
/// Aside from construction of the queue the only provided method is to retrieve the [`next_chain`]
/// (Queue::next_chain) if one has been published by the driver. The [`DescChain`], if one is
/// returned, implements a custom `drop` to return the chain to the queue, and hence to the driver.
// Currently event_idx feature is hard set to false. Support exists though for the device
// requirements of handling suppression from the driver, however no interface is yet exposed here
// for the device to tell the driver any event requirements.
pub struct Queue<'a, N> {
    driver: ring::Driver<'a>,
    state: Mutex<State<'a>>,
    notify: N,
    // Whether or not the EVENT_IDX feature was negotiated. This is stored here as we need it to
    // correctly determine when we should signal a notify to the driver.
    feature_event_idx: bool,
}

impl<'a, N> Queue<'a, N> {
    /// Constructs a new [`Queue`] from memory descriptions.
    ///
    /// Takes a [`QueueMemory`], which is just a list of memory regions, for which to create a
    /// queue out of. This internally creates a [`Driver`](ring::Driver) and [`Device`]
    /// (ring::Device) from the provided regions.
    ///
    /// The rings are assumed to not have yet been used and so the used and avail indices will
    /// start at 0. There is presently no way to construct a [`Queue`] around rings that have
    /// already been in use.
    pub fn new(mem: QueueMemory<'a>, notify: N) -> Option<Self> {
        Self::new_from_rings(
            ring::Driver::new(mem.desc, mem.avail)?,
            ring::Device::new(mem.used)?,
            notify,
        )
    }

    /// Construct a new [`Queue`] from provided rings.
    ///
    /// Consumes a [`Driver`](ring::Driver) and [`Device`](ring::Device) to create a `Queue`.
    /// It is expected that [`new`](#new) will typically be more useful to automate the ring
    /// construction.
    ///
    /// Has the same initial ring state assumptions as [`new`](#new).
    pub fn new_from_rings(
        driver: ring::Driver<'a>,
        device: ring::Device<'a>,
        notify: N,
    ) -> Option<Self> {
        if driver.queue_size() != device.queue_size() {
            return None;
        }
        Some(Queue {
            driver,
            state: Mutex::new(State { device, next: 0, next_used: 0 }),
            notify,
            feature_event_idx: false,
        })
    }

    fn take_avail(&self) -> Option<u16> {
        let mut state = self.state.lock();
        let ret = self.driver.get_avail(state.next);
        if ret.is_some() {
            state.next = state.next.wrapping_add(1);
        }
        ret
    }
}

impl<'a, N: DriverNotify> Queue<'a, N> {
    /// Return any available [`DescChain`].
    ///
    /// Polls the available ring for any queued descriptor chain, and if found returns a
    /// [`DescChain`] abstraction around it.
    ///
    /// It is the responsibility of the device to know, presumably via the transport level queue
    /// notifications, when a descriptor chain might be available and to call this polling function.
    ///
    /// The [`DescChain`] is automatically returned the driver, via the used ring, when it is
    /// dropped.
    pub fn next_chain<'b>(&'b self) -> Option<DescChain<'a, 'b, N>> {
        if let Some(desc_index) = self.take_avail() {
            Some(DescChain { queue: self, first_desc: desc_index })
        } else {
            None
        }
    }
    fn return_chain(&self, used: ring::Used) {
        let submitted = self.state.lock().return_chain(used);
        // Must ensure the read of flags or used_event occurs *after* we have returned the chain
        // and published the index. We also need to ensure that in the event we do send an
        // interrupt that any state and idx updates have been written. In this case acquire/release
        // is not sufficient since the 'acquire' will prevent future loads re-ordering earlier, and
        // the release will prevent past writes from re-ordering later, but we need a past write and
        // a future load to not be re-ordered. Therefore we require sequentially consistent
        // semantics.
        atomic::fence(atomic::Ordering::SeqCst);
        if self.driver.needs_notification(self.feature_event_idx, submitted) {
            self.notify.notify();
        }
    }
}

/// Descriptor type
///
/// May be an indirect descriptor type ( see virtio spec 2.7.5.3 ) or a regular aka
///  direct descriptor type.
/// Regular descriptor wraps up [`ring::DescAccess`]
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum DescType {
    Direct(ring::DescAccess),
    Indirect,
}
/// Reference to descriptor data.
///
/// Provides a higher level representation of a descriptors payload, compared to what
/// [`ring::Desc::data`] reports. The conversion of a [`ring::Desc`] into a `Desc` necessitates some
/// error checking and can fail with a [`DescError::BadRange`].
///
/// Is provided as a [`DriverRange`] as the [`DescChain`] and its [iterator](DescChainIter) have no
/// way to translate a [`DriverRange`] and this responsibility is offloaded to the caller.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Desc(pub DescType, pub DriverRange);

impl TryFrom<ring::Desc> for Desc {
    type Error = DescError;

    fn try_from(desc: ring::Desc) -> Result<Self, Self::Error> {
        let range = desc.data();
        TryInto::<DriverRange>::try_into(range)
            .map_err(|()| DescError::BadRange(range.0, range.1))
            .map(|range| {
                if desc.is_indirect() {
                    Desc(DescType::Indirect, range)
                } else {
                    Desc(DescType::Direct(desc.access_type()), range)
                }
            })
    }
}

/// Errors that occur when walking descriptor chains via [`DescChainIter`].
#[derive(Error, Debug, Clone, PartialEq, Eq)]
pub enum DescError {
    #[error("Descriptor {0} is not in the range of the ring")]
    InvalidIndex(u16),
    #[error("Descriptor data range addr: {0} len: {1} is not a valid driver range")]
    BadRange(u64, u32),
}

/// Iterates over a [`DescChain`].
///
/// The iterator provides a [`Desc`] representing each [virtio descriptor](ring::Desc) in the chain.
/// Walking this chain may generate errors due to a faulty or malicious guest providing corrupt
/// descriptors.
///
/// Only the most minimal validation is done to yield valid [`Desc`], with no virtio protocol
/// validation being performed. In particular, although the virtio specification says that all
/// readable descriptors must appear before writable ones, this is not enforced or checked for by
/// this iterator.
///
/// A lifetime is associated with the underlying [`Queue`], but not the [`DescChain`] this is
/// iterating. This makes it possible, albeit not advised, to hold an iterator after having returned
/// a chain to the guest. Doing so will almost certainly result in violating the virtio protocol and
/// will confuse the guest, but there are no safety concerns. Restricting the iterator to the
/// lifetime of the chain makes them cumbersome and you should almost always be using the
/// abstractions provided by the [`chain`](crate::chain) module instead of these iterators directly.
pub struct DescChainIter<'a, 'b, N: DriverNotify> {
    queue: &'b Queue<'a, N>,
    desc: Option<u16>,
}

impl<'a, 'b, N: DriverNotify> DescChainIter<'a, 'b, N> {
    /// Cause the iterator to complete.
    ///
    /// Places the iterator in a state where it will always produce None.
    pub fn complete(&mut self) {
        self.desc = None;
    }
}

impl<'a, 'b, N: DriverNotify> Iterator for DescChainIter<'a, 'b, N> {
    type Item = Result<Desc, DescError>;
    fn next(&mut self) -> Option<Self::Item> {
        self.desc.map(|ret| {
            match self.queue.driver.get_desc(ret.into()).ok_or(DescError::InvalidIndex(ret)) {
                Ok(desc) => {
                    // If we were able to lookup the descriptor then we can always retrieve the
                    // next one, even if this one reports a bad range.
                    self.desc = desc.next();
                    desc.try_into()
                }
                Err(e) => {
                    // Not able to find the next descriptor, so we must terminate the iteration
                    // after reporting this error.
                    self.desc = None;
                    Err(e)
                }
            }
        })
    }
}

impl<'a, 'b, N: DriverNotify> Clone for DescChainIter<'a, 'b, N> {
    fn clone(&self) -> DescChainIter<'a, 'b, N> {
        DescChainIter { queue: self.queue, desc: self.desc }
    }
}

/// Represents a chain of descriptors in the available ring.
///
/// The `DescChain` is a thin representation over a virtio descriptor chain. It can either be walked
/// using its [iterator](#iter), yielding the readable and writable portions, or it can be returned
/// to the ring.
///
/// Although returning happens automatically when dropped, if data was written into the descriptors
/// the chain needs to be explicitly returned with [`set_written`](#set_written) to propagate the
/// portion that was written.
pub struct DescChain<'a, 'b, N: DriverNotify> {
    queue: &'b Queue<'a, N>,
    first_desc: u16,
}

impl<'a, 'b, N: DriverNotify> DescChain<'a, 'b, N> {
    /// Iterate over the descriptor chain
    ///
    /// See [`DescChainIter`].
    pub fn iter(&self) -> DescChainIter<'a, 'b, N> {
        DescChainIter { queue: self.queue, desc: Some(self.first_desc) }
    }

    /// Explicitly return a written to chain.
    ///
    /// Returns the chain to the used ring, as if the chain was dropped, but also forwards how much
    /// of the chain was written to. No validation or manipulation is performed on written amount
    /// and it is faithfully passed through. In particular you can claim to have written more bytes
    /// than were made available for writing by the chain.
    pub fn return_written(self, written: u32) {
        self.queue.return_chain(ring::Used::new(self.first_desc, written));
        // Don't call drop so that we avoid returning the chain a second time.
        std::mem::forget(self)
    }
}
impl<'a, 'b, N: DriverNotify> Drop for DescChain<'a, 'b, N> {
    fn drop(&mut self) {
        // By default return the chain with a write of 0, since as far as we know nothing was
        // written.
        self.queue.return_chain(ring::Used::new(self.first_desc, 0));
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::fake_queue::{Chain, ChainBuilder, IdentityDriverMem, TestQueue};
    use crate::ring::DescAccess;
    use crate::util::NotificationCounter;

    #[test]
    fn test_create() {
        let driver_mem = IdentityDriverMem::new();
        // Should fail for non pow-2 ring
        let mem = driver_mem.alloc_queue_memory(3).unwrap();
        let notify = NotificationCounter::new();
        assert!(Queue::new(mem, notify.clone()).is_none());
        // Also fail for not same sized rings.
        let mem = driver_mem.alloc_queue_memory(4).unwrap();
        let mem2 = driver_mem.alloc_queue_memory(8).unwrap();
        assert!(Queue::new(
            QueueMemory { desc: mem.desc, avail: mem.avail, used: mem2.used },
            notify.clone(),
        )
        .is_none());
        // Correctly sized rings should work
        let mem = driver_mem.alloc_queue_memory(4).unwrap();
        assert!(Queue::new(mem, notify.clone()).is_some());
    }

    #[test]
    fn test_notify_and_return() {
        let driver_mem = IdentityDriverMem::new();
        let mut state = TestQueue::new(32, &driver_mem);
        // Should be nothing notified or queued yet.
        assert_eq!(state.notify.get(), 0);
        assert!(state.queue.next_chain().is_none());
        // Publish a chain
        assert!(state.fake_queue.publish(Chain::with_lengths(&[32], &[], &driver_mem)).is_some());
        let chain = state.queue.next_chain().unwrap();
        assert_eq!(state.notify.get(), 0);
        // If we drop the chain it should get returned and trigger a notification.
        std::mem::drop(chain);
        assert_eq!(state.notify.get(), 1);
        // And there should be something on the driver side.
        assert!(state.fake_queue.next_used().is_some());
        // Should also be able to explicitly return a written amount and see it in the driver.
        assert!(state.fake_queue.publish(Chain::with_lengths(&[], &[32], &driver_mem)).is_some());
        let chain = state.queue.next_chain().unwrap();
        chain.return_written(16);
        let used = state.fake_queue.next_used().unwrap();
        assert_eq!(used.written(), 16);
    }

    #[test]
    fn test_good_chain_iter() {
        let driver_mem = IdentityDriverMem::new();
        let mut state = TestQueue::new(32, &driver_mem);
        // Build and insert a variety of chains.
        let chains: [&[(DescAccess, u64, u32)]; 4] = [
            &[(DescAccess::DeviceRead, 100, 42)],
            &[(DescAccess::DeviceWrite, 200, 64)],
            &[(DescAccess::DeviceRead, 1000, 20), (DescAccess::DeviceRead, 300, 40)],
            &[
                (DescAccess::DeviceRead, 4000, 40),
                (DescAccess::DeviceWrite, 400, 64),
                (DescAccess::DeviceWrite, 8000, 80),
            ],
        ];
        for chain in chains {
            assert!(state.fake_queue.publish(Chain::with_exact_data(chain)).is_some());
        }
        // Now read them all out and walk the iterators to ensure a match.
        for chain in chains {
            assert!(state
                .queue
                .next_chain()
                .unwrap()
                .iter()
                .map(|desc| match desc {
                    Ok(Desc(DescType::Direct(access), range)) =>
                        (access, range.0.start as u64, range.0.len() as u32),
                    Ok(Desc(DescType::Indirect, _)) => (DescAccess::DeviceRead, 0, 0),
                    Err(_) => (DescAccess::DeviceRead, 0, 0),
                })
                .eq(chain.iter().cloned()));
        }
    }

    #[test]
    fn test_bad_range_iter() {
        let driver_mem = IdentityDriverMem::new();
        let mut state = TestQueue::new(32, &driver_mem);
        // Build a chain with some invalid ranges, we should still be able to iterate it.
        assert!(state
            .fake_queue
            .publish(Chain::with_exact_data(&[
                (DescAccess::DeviceRead, 100, 42),
                (DescAccess::DeviceRead, u64::MAX - 10, 20),
                (DescAccess::DeviceRead, u64::MAX - 20, 5)
            ]))
            .is_some());
        let chain = state.queue.next_chain().unwrap();
        let mut iter = chain.iter();
        assert_eq!(
            iter.next().unwrap(),
            Ok(Desc(DescType::Direct(DescAccess::DeviceRead), (100, 42).try_into().unwrap()))
        );
        assert_eq!(iter.next().unwrap(), Err(DescError::BadRange(u64::MAX - 10, 20)));
        assert_eq!(
            iter.next().unwrap(),
            Ok(Desc(
                DescType::Direct(DescAccess::DeviceRead),
                (u64::MAX - 20, 5).try_into().unwrap()
            ))
        );
        assert_eq!(iter.next(), None);
    }

    #[test]
    fn test_bad_index_iter() {
        let driver_mem = IdentityDriverMem::new();
        let mut state = TestQueue::new(32, &driver_mem);
        // Build a chain with an invalid descriptor index in the middle.
        let chain = ChainBuilder::new()
            .readable_reference(100, 42)
            .amend_next(33)
            .readable_zeroed(30, &driver_mem)
            .build();
        assert!(state.fake_queue.publish(chain).is_some());
        let chain = state.queue.next_chain().unwrap();
        let mut iter = chain.iter();
        assert_eq!(
            iter.next().unwrap(),
            Ok(Desc(DescType::Direct(DescAccess::DeviceRead), (100, 42).try_into().unwrap()))
        );
        assert_eq!(iter.next().unwrap(), Err(DescError::InvalidIndex(33)));
        assert_eq!(iter.next(), None);
    }
}