File xsa358.patch of Package xen.17651

Overview Repositories Revisions Requests Users Attributes Meta

File xsa358.patch of Package xen.17651

evtchn/FIFO: re-order and synchronize (with) map_control_block()

For evtchn_fifo_set_pending()'s check of the control block having been
set to be effective, ordering of respective reads and writes needs to be
ensured: The control block pointer needs to be recorded strictly after
the setting of all the queue heads, and it needs checking strictly
before any uses of them (this latter aspect was already guaranteed).

This is XSA-358.

Reported-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Julien Grall <jgrall@amazon.com>
---
An alternative looks to be to drop the "head" field of struct
evtchn_fifo_queue: This seems to only be a relatively space consuming
optimization of the queue head update in evtchn_fifo_set_pending(). In
fact the struct's priority field looks to be of similar nature.
---
v3: Drop read-side barrier again, leveraging guest_test_and_set_bit().
v2: Re-base over queue locking re-work.

--- a/xen/common/event_fifo.c
+++ b/xen/common/event_fifo.c
@@ -227,6 +227,10 @@ static void evtchn_fifo_set_pending(stru
             goto unlock;
         }
 
+        /*
+         * This also acts as the read counterpart of the smp_wmb() in
+         * map_control_block().
+         */
         if ( guest_test_and_set_bit(d, EVTCHN_FIFO_LINKED, word) )
             goto unlock;
 
@@ -452,6 +456,7 @@ static int setup_control_block(struct vc
 static int map_control_block(struct vcpu *v, uint64_t gfn, uint32_t offset)
 {
     void *virt;
+    struct evtchn_fifo_control_block *control_block;
     unsigned int i;
     int rc;
 
@@ -462,10 +467,15 @@ static int map_control_block(struct vcpu
     if ( rc < 0 )
         return rc;
 
-    v->evtchn_fifo->control_block = virt + offset;
+    control_block = virt + offset;
 
     for ( i = 0; i <= EVTCHN_FIFO_PRIORITY_MIN; i++ )
-        v->evtchn_fifo->queue[i].head = &v->evtchn_fifo->control_block->head[i];
+        v->evtchn_fifo->queue[i].head = &control_block->head[i];
+
+    /* All queue heads must have been set before setting the control block. */
+    smp_wmb();
+
+    v->evtchn_fifo->control_block = control_block;
 
     return 0;
 }

Places

File xsa358.patch of Package xen.17651

Places