1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
From: Jan Beulich <jbeulich@suse.com>
Subject: AMD/IOMMU: wait for command slot to be available
No caller cared about send_iommu_command() indicating unavailability of
a slot. Hence if a sufficient number prior commands timed out, we did
blindly assume that the requested command was submitted to the IOMMU
when really it wasn't. This could mean both a hanging system (waiting
for a command to complete that was never seen by the IOMMU) or blindly
propagating success back to callers, making them believe they're fine
to e.g. free previously unmapped pages.
Fold the three involved functions into one, add spin waiting for an
available slot along the lines of VT-d's qinval_next_index(), and as a
consequence drop all error indicator return types/values.
This is part of XSA-373 / CVE-2021-28692.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Paul Durrant <paul@xen.org>
--- a/xen/drivers/passthrough/amd/iommu_cmd.c
+++ b/xen/drivers/passthrough/amd/iommu_cmd.c
@@ -20,43 +20,30 @@
#include "iommu.h"
#include "../ats.h"
-static int queue_iommu_command(struct amd_iommu *iommu, u32 cmd[])
+static void send_iommu_command(struct amd_iommu *iommu,
+ const uint32_t cmd[4])
{
- uint32_t tail, head;
+ uint32_t tail;
tail = iommu->cmd_buffer.tail + sizeof(cmd_entry_t);
if ( tail == iommu->cmd_buffer.size )
tail = 0;
- head = readl(iommu->mmio_base +
- IOMMU_CMD_BUFFER_HEAD_OFFSET) & IOMMU_RING_BUFFER_PTR_MASK;
- if ( head != tail )
+ while ( tail == (readl(iommu->mmio_base +
+ IOMMU_CMD_BUFFER_HEAD_OFFSET) &
+ IOMMU_RING_BUFFER_PTR_MASK) )
{
- memcpy(iommu->cmd_buffer.buffer + iommu->cmd_buffer.tail,
- cmd, sizeof(cmd_entry_t));
-
- iommu->cmd_buffer.tail = tail;
- return 1;
+ printk_once(XENLOG_ERR "AMD IOMMU %pp: no cmd slot available\n",
+ &PCI_SBDF2(iommu->seg, iommu->bdf));
+ cpu_relax();
}
- return 0;
-}
-
-static void commit_iommu_command_buffer(struct amd_iommu *iommu)
-{
- writel(iommu->cmd_buffer.tail,
- iommu->mmio_base + IOMMU_CMD_BUFFER_TAIL_OFFSET);
-}
+ memcpy(iommu->cmd_buffer.buffer + iommu->cmd_buffer.tail,
+ cmd, sizeof(cmd_entry_t));
-static int send_iommu_command(struct amd_iommu *iommu, u32 cmd[])
-{
- if ( queue_iommu_command(iommu, cmd) )
- {
- commit_iommu_command_buffer(iommu);
- return 1;
- }
+ iommu->cmd_buffer.tail = tail;
- return 0;
+ writel(tail, iommu->mmio_base + IOMMU_CMD_BUFFER_TAIL_OFFSET);
}
static void flush_command_buffer(struct amd_iommu *iommu)
|