From: Rahul Singh <rahul.singh@arm.com>
To: xen-devel@lists.xenproject.org
Cc: Bertrand Marquis <bertrand.marquis@arm.com>,
Stefano Stabellini <sstabellini@kernel.org>,
Julien Grall <julien@xen.org>,
Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
Subject: [PATCH 03/10] xen/arm: smmuv3: Ensure queue is read after updating prod pointer
Date: Wed, 24 Aug 2022 14:53:07 +0100 [thread overview]
Message-ID: <b6051a32c515da23ed2d83467e43e59fd55127dc.1661331102.git.rahul.singh@arm.com> (raw)
In-Reply-To: <cover.1661331102.git.rahul.singh@arm.com>
Backport Linux commit a76a37777f2c936b1f046bfc0c5982c958b16bfe
"Ensure queue is read after updating prod pointer"
Original commit message:
iommu/arm-smmu-v3: Ensure queue is read after updating prod pointer
Reading the 'prod' MMIO register in order to determine whether or
not there is valid data beyond 'cons' for a given queue does not
provide sufficient dependency ordering, as the resulting access is
address dependent only on 'cons' and can therefore be speculated
ahead of time, potentially allowing stale data to be read by the
CPU.
Use readl() instead of readl_relaxed() when updating the shadow copy
of the 'prod' pointer, so that all speculated memory reads from the
corresponding queue can occur only from valid slots.
Signed-off-by: Zhou Wang <wangzhou1@hisilicon.com>
Link: https://lore.kernel.org/r/1601281922-117296-1-git-send-email-wangzhou1@hisilicon.com
[will: Use readl() instead of explicit barrier. Update 'cons' side to match.]
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Rahul Singh <rahul.singh@arm.com>
---
xen/drivers/passthrough/arm/smmu-v3.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/xen/drivers/passthrough/arm/smmu-v3.c b/xen/drivers/passthrough/arm/smmu-v3.c
index 64d39bb4d3..93891a0704 100644
--- a/xen/drivers/passthrough/arm/smmu-v3.c
+++ b/xen/drivers/passthrough/arm/smmu-v3.c
@@ -963,8 +963,15 @@ static void queue_inc_cons(struct arm_smmu_ll_queue *q)
static int queue_sync_prod_in(struct arm_smmu_queue *q)
{
+ u32 prod;
int ret = 0;
- u32 prod = readl_relaxed(q->prod_reg);
+
+ /*
+ * We can't use the _relaxed() variant here, as we must prevent
+ * speculative reads of the queue before we have determined that
+ * prod has indeed moved.
+ */
+ prod = readl(q->prod_reg);
if (Q_OVF(prod) != Q_OVF(q->llq.prod))
ret = -EOVERFLOW;
--
2.25.1
next prev parent reply other threads:[~2022-08-24 13:59 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-24 13:53 [PATCH 00/10] xen/arm: smmuv3: Merge Linux fixes to Xen Rahul Singh
2022-08-24 13:53 ` [PATCH 01/10] xen/arm: smmuv3: Fix l1 stream table size in the error message Rahul Singh
2022-08-24 14:58 ` Julien Grall
2022-09-01 10:27 ` Rahul Singh
2022-09-01 14:15 ` Julien Grall
2022-08-24 13:53 ` [PATCH 02/10] xen/arm: smmuv3: Fix endianness annotations Rahul Singh
2022-08-24 13:53 ` Rahul Singh [this message]
2022-08-24 13:53 ` [PATCH 04/10] xen/arm: smmuv3: Move definitions to a header Rahul Singh
2022-08-24 15:01 ` Julien Grall
2022-08-24 13:53 ` [PATCH 05/10] xen/arm: smmuv3: Remove the page 1 fixup Rahul Singh
2022-08-24 13:53 ` [PATCH 06/10] xen/arm: smmuv3: Remove the unused fields for PREFETCH_CONFIG command Rahul Singh
2022-08-24 13:53 ` [PATCH 07/10] xen/arm: smmuv3: Change *array into *const array Rahul Singh
2022-08-24 13:53 ` [PATCH 08/10] xen/arm: smmuv3: Remove unnecessary oom message Rahul Singh
2022-08-24 13:53 ` [PATCH 09/10] xen/arm: smmuv3: Fix fall-through warning for Clang Rahul Singh
2022-08-24 13:53 ` [PATCH 10/10] xen/arm: smmuv3: Avoid open coded arithmetic in memory allocation Rahul Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b6051a32c515da23ed2d83467e43e59fd55127dc.1661331102.git.rahul.singh@arm.com \
--to=rahul.singh@arm.com \
--cc=Volodymyr_Babchuk@epam.com \
--cc=bertrand.marquis@arm.com \
--cc=julien@xen.org \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.