ACK: [PATCH][SRU Cosmic][SRU Bionic] iommu/arm-smmu-v3: Avoid memory corruption from Hisilicon MSI payloads
Khaled Elmously
khalid.elmously at canonical.com
Fri Mar 29 07:25:20 UTC 2019
On 2019-03-12 12:19:27 , dann frazier wrote:
> From: Zhen Lei <thunder.leizhen at huawei.com>
>
> BugLink: https://bugs.launchpad.net/bugs/1819546
>
> The GITS_TRANSLATER MMIO doorbell register in the ITS hardware is
> architected to be 4 bytes in size, yet on hi1620 and earlier, Hisilicon
> have allocated the adjacent 4 bytes to carry some IMPDEF sideband
> information which results in an 8-byte MSI payload being delivered when
> signalling an interrupt:
>
> MSIAddr:
> |----4bytes----|----4bytes----|
> | MSIData | IMPDEF |
>
> This poses no problem for the ITS hardware because the adjacent 4 bytes
> are reserved in the memory map. However, when delivering MSIs to memory,
> as we do in the SMMUv3 driver for signalling the completion of a SYNC
> command, the extended payload will corrupt the 4 bytes adjacent to the
> "sync_count" member in struct arm_smmu_device. Fortunately, the current
> layout allocates these bytes to padding, but this is fragile and we
> should make this explicit.
>
> Reviewed-by: Robin Murphy <robin.murphy at arm.com>
> Signed-off-by: Zhen Lei <thunder.leizhen at huawei.com>
> [will: Rewrote commit message and comment]
> Signed-off-by: Will Deacon <will.deacon at arm.com>
> (cherry picked from commit 84a9a75774961612d0c7dd34a1777e8f98a65abd)
> Signed-off-by: dann frazier <dann.frazier at canonical.com>
> ---
> drivers/iommu/arm-smmu-v3.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
> index 9c30fb4fccef2..a48da1c3497c0 100644
> --- a/drivers/iommu/arm-smmu-v3.c
> +++ b/drivers/iommu/arm-smmu-v3.c
> @@ -642,7 +642,11 @@ struct arm_smmu_device {
>
> struct arm_smmu_strtab_cfg strtab_cfg;
>
> - u32 sync_count;
> + /* Hi16xx adds an extra 32 bits of goodness to its MSI payload */
> + union {
> + u32 sync_count;
> + u64 padding;
> + };
>
> /* IOMMU core code handle */
> struct iommu_device iommu;
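Review bot: The comment on the new union ("an extra 32 bits of goodness") does not say what the padding member protects against, so a later cleanup could remove it as dead code. It would help to state that the device writes 8 bytes at the address of sync_count when signalling SYNC completion, and that the u64 member exists only to absorb the upper 4 bytes of that write. A build-time check that the union is 8 bytes would also turn the layout assumption into something the compiler enforces, rather than relying on the comment alone.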
Acked-by: Khalid Elmously <khalid.elmously at canonical.com>
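
The layout hazard described in the quoted commit message, as an added user-space example that is not part of this thread or of the kernel source. The struct names, the `neighbour` field and the helper `msi_write8` are hypothetical stand-ins for the real `struct arm_smmu_device` and the hardware's 8-byte MSI write.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reduced layouts; not the real struct arm_smmu_device. */
struct dev_before {
	uint32_t sync_count;
	uint32_t neighbour;	/* a field that a later change places right after it */
};

struct dev_after {
	union {			/* same shape as the union in the patch */
		uint32_t sync_count;
		uint64_t padding;
	};
	uint32_t neighbour;
};

/* Build-time guard: 8 bytes starting at sync_count must stay inside the union. */
_Static_assert(offsetof(struct dev_after, neighbour) >=
	       offsetof(struct dev_after, sync_count) + 8,
	       "MSI target needs 8 bytes of owned storage");

/* Model the 8-byte payload (MSIData + IMPDEF) landing at byte offset 'off'. */
static void msi_write8(void *base, size_t off, uint32_t data, uint32_t impdef)
{
	uint32_t payload[2] = { data, impdef };
	memcpy((unsigned char *)base + off, payload, sizeof(payload));
}

/* Returns 1 if 'neighbour' kept its value after the modelled MSI write. */
int neighbour_survives_before(void)
{
	struct dev_before d;
	memset(&d, 0, sizeof(d));
	d.neighbour = 0xA5A5A5A5u;	/* constructed sentinel value */
	msi_write8(&d, offsetof(struct dev_before, sync_count), 1, 0xDEADBEEFu);
	return d.neighbour == 0xA5A5A5A5u;
}

int neighbour_survives_after(void)
{
	struct dev_after d;
	memset(&d, 0, sizeof(d));
	d.neighbour = 0xA5A5A5A5u;	/* constructed sentinel value */
	msi_write8(&d, offsetof(struct dev_after, sync_count), 1, 0xDEADBEEFu);
	return d.neighbour == 0xA5A5A5A5u && d.sync_count == 1;
}
```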