diff options
Diffstat (limited to 'system/xen/xsa/xsa340.patch')
-rw-r--r-- | system/xen/xsa/xsa340.patch | 65 |
1 files changed, 0 insertions, 65 deletions
diff --git a/system/xen/xsa/xsa340.patch b/system/xen/xsa/xsa340.patch deleted file mode 100644 index 38d04da465..0000000000 --- a/system/xen/xsa/xsa340.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: Julien Grall <jgrall@amazon.com> -Subject: xen/evtchn: Add missing barriers when accessing/allocating an event channel - -While the allocation of a bucket is always performed with the per-domain -lock, the bucket may be accessed without the lock taken (for instance, see -evtchn_send()). - -Instead such sites relies on port_is_valid() to return a non-zero value -when the port has a struct evtchn associated to it. The function will -mostly check whether the port is less than d->valid_evtchns as all the -buckets/event channels should be allocated up to that point. - -Unfortunately a compiler is free to re-order the assignment in -evtchn_allocate_port() so it would be possible to have d->valid_evtchns -updated before the new bucket has finish to allocate. - -Additionally on Arm, even if this was compiled "correctly", the -processor can still re-order the memory access. - -Add a write memory barrier in the allocation side and a read memory -barrier when the port is valid to prevent any re-ordering issue. - -This is XSA-340. - -Reported-by: Julien Grall <jgrall@amazon.com> -Signed-off-by: Julien Grall <jgrall@amazon.com> -Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> - ---- a/xen/common/event_channel.c -+++ b/xen/common/event_channel.c -@@ -178,6 +178,13 @@ int evtchn_allocate_port(struct domain * - return -ENOMEM; - bucket_from_port(d, port) = chn; - -+ /* -+ * d->valid_evtchns is used to check whether the bucket can be -+ * accessed without the per-domain lock. Therefore, -+ * d->valid_evtchns should be seen *after* the new bucket has -+ * been setup. -+ */ -+ smp_wmb(); - write_atomic(&d->valid_evtchns, d->valid_evtchns + EVTCHNS_PER_BUCKET); - } - ---- a/xen/include/xen/event.h -+++ b/xen/include/xen/event.h -@@ -107,7 +107,17 @@ void notify_via_xen_event_channel(struct - - static inline bool_t port_is_valid(struct domain *d, unsigned int p) - { -- return p < read_atomic(&d->valid_evtchns); -+ if ( p >= read_atomic(&d->valid_evtchns) ) -+ return false; -+ -+ /* -+ * The caller will usually access the event channel afterwards and -+ * may be done without taking the per-domain lock. The barrier is -+ * going in pair the smp_wmb() barrier in evtchn_allocate_port(). -+ */ -+ smp_rmb(); -+ -+ return true; - } - - static inline struct evtchn *evtchn_from_port(struct domain *d, unsigned int p) |