xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
From: Andrew Cooper <andrew.cooper3@citrix.com>
To: David Vrabel <david.vrabel@citrix.com>,
	Wei Liu <wei.liu2@citrix.com>,
	qemu-devel@nongnu.org
Cc: Anthony Perard <anthony.perard@citrix.com>,
	Xen-devel <xen-devel@lists.xenproject.org>,
	Stefano Stabellini <sstabellini@kernel.org>
Subject: Re: [PATCH v2 2/3] xenfb: move xen_rmb to the correct location
Date: Tue, 12 Apr 2016 14:38:13 +0100	[thread overview]
Message-ID: <570CFA45.7070504__42690.1477425874$1460469625$gmane$org@citrix.com> (raw)
In-Reply-To: <570CF0B1.9070507@citrix.com>

On 12/04/16 13:57, David Vrabel wrote:
> On 12/04/16 11:43, Wei Liu wrote:
>> It should be placed before first time producer and consumer are used.
> This change isn't necessary and is confusing as this is not what this
> barrier is for.
>
> The barrier needs to be between the load of prod and the load of the
> ring contents (there's even a comment that says this).  This pairs with
> the corresponding write barrier between the store of the ring contents
> and the store of prod (in the other end).

Looking further, this code will compile to multiple reads of the page,
because there is no ACCESS_ONCE().  This code is still vulnerable to
XSA-155.

~Andrew

>
> David
>
>> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
>> ---
>> Cc: Stefano Stabellini <sstabellini@kernel.org>
>> Cc: Anthony Perard <anthony.perard@citrix.com>
>>
>> Backport candidate to our own tree.
>> ---
>>  hw/display/xenfb.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
>> index 9866dfd..7f4fad7 100644
>> --- a/hw/display/xenfb.c
>> +++ b/hw/display/xenfb.c
>> @@ -775,10 +775,10 @@ static void xenfb_handle_events(struct XenFB *xenfb)
>>  
>>      prod = page->out_prod;
>>      out_cons = page->out_cons;
>> +    xen_rmb();
>>      if (prod - out_cons > XENFB_OUT_RING_LEN) {
>>          return;
>>      }
>> -    xen_rmb();		/* ensure we see ring contents up to prod */
>>      for (cons = out_cons; cons != prod; cons++) {
>>  	union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
>>          uint8_t type = event->type;
>>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

  parent reply	other threads:[~2016-04-12 13:59 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-04-12 10:43 [PATCH v2 0/3] xenfb bug fixes and cleanup Wei Liu
2016-04-12 10:43 ` [PATCH v2 1/3] xenfb: use the correct condition to avoid excessive looping Wei Liu
2016-04-12 10:43 ` [PATCH v2 2/3] xenfb: move xen_rmb to the correct location Wei Liu
2016-04-12 12:57   ` David Vrabel
     [not found]   ` <570CF0B1.9070507@citrix.com>
2016-04-12 13:38     ` Andrew Cooper [this message]
     [not found]     ` <570CFA45.7070504@citrix.com>
2016-04-12 13:46       ` Wei Liu
     [not found]       ` <20160412134603.GC18652@citrix.com>
2016-04-12 17:31         ` Stefano Stabellini
2016-04-12 10:43 ` [PATCH v2 3/3] xenfb: remove out_cons in xenfb_handle_events Wei Liu
     [not found] ` <1460457796-1779-2-git-send-email-wei.liu2@citrix.com>
2016-04-12 17:12   ` [PATCH v2 1/3] xenfb: use the correct condition to avoid excessive looping Stefano Stabellini
     [not found]   ` <alpine.DEB.2.10.1604121012110.23347@sstabellini-ThinkPad-X260>
2016-04-22 11:16     ` Anthony PERARD
     [not found]     ` <20160422111609.GB1885@perard.uk.xensource.com>
2016-04-22 11:19       ` Wei Liu
     [not found] ` <1460457796-1779-4-git-send-email-wei.liu2@citrix.com>
2016-04-12 17:33   ` [PATCH v2 3/3] xenfb: remove out_cons in xenfb_handle_events Stefano Stabellini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='570CFA45.7070504__42690.1477425874$1460469625$gmane$org@citrix.com' \
    --to=andrew.cooper3@citrix.com \
    --cc=anthony.perard@citrix.com \
    --cc=david.vrabel@citrix.com \
    --cc=qemu-devel@nongnu.org \
    --cc=sstabellini@kernel.org \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).