From patchwork Wed Oct 31 04:02:07 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Leizhen \(ThunderTown\)" X-Patchwork-Id: 149763 Delivered-To: patch@linaro.org Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp6305846ljp; Tue, 30 Oct 2018 21:04:48 -0700 (PDT) X-Google-Smtp-Source: AJdET5cIIBZ6lzd0KRFeJARNgRM40pEBtKbP2KA27idpJwH5mAUQhFrfXcmpqYUFlHavBYk/vkBl X-Received: by 2002:a62:42dc:: with SMTP id h89-v6mr1707836pfd.0.1540958688151; Tue, 30 Oct 2018 21:04:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540958688; cv=none; d=google.com; s=arc-20160816; b=d/MXEXKjwWK+/cnDyWVmDyGlllslf+q/uKiEpVXU+H/P2LleyGxVMAENOe0Cq/cKt+ Tla4RTwGfQS4x882ZfS13mKH2cbFyEikQTEDf6Q7ORsuQRTjVSjp7/nBhzakuOPdQhkk B7VLli42HpY3+5QuGianQgGjTGeqfuDSSHWE9wb2RNJHWcIS4voeprX/OQYxll604+Pl m4GIC+QL/Ok86IF+5rqjYLtph6YbG+rym4HzFYWEnZhAglK8erwX22RaO3gV/J4Iyi0r cvWrKHJ3/sNZwmQQWjTcAJ1gxM1beY3bdGFHHmy9NflaGe4K8NqArbNsJdxfQsTbb+Be rwNQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:subject:cc :to:from; bh=Gbr7SW+Gt/ULEUK+H7VW91zfxVc7mGTvc2QnMiR0no4=; b=aURNs/YMFRITFuxWy7TpSuNwnWSSLxDy+tqntAr9CAbqSIyRCvK8xEbRqG1lOREWJ3 EQnFVC4ly4zGyKlOW/31mYKsqRtUSmuVLoRuXzvAD9k/6CRNU4EbBTKuSmNmjoFu48ZF 6H03Ion1EmpLckwruCRBfXR4gwYpdQjoWi9oqlSYla2cxXJL99BAUT2/oWzWvfVDs6vO B+yTQN/dUSyLniEu7kbs3gvrN6WXVm6ynJ1j/lKQ8kEwDK3zFirFhueUcO9hmeRUydnw EQcoHLQz7NWEt+t3kkUrriE5iJOpVftrg0ucXDH2ffHs4CNEZUCe+HRfARoUiOij/DtH QGRw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x3-v6si9025727plr.40.2018.10.30.21.04.47; Tue, 30 Oct 2018 21:04:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729066AbeJaNBB (ORCPT + 32 others); Wed, 31 Oct 2018 09:01:01 -0400 Received: from szxga05-in.huawei.com ([45.249.212.191]:14163 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728467AbeJaNBB (ORCPT ); Wed, 31 Oct 2018 09:01:01 -0400 Received: from DGGEMS411-HUB.china.huawei.com (unknown [172.30.72.60]) by Forcepoint Email with ESMTP id 1EB989C66F38F; Wed, 31 Oct 2018 12:04:37 +0800 (CST) Received: from localhost (10.177.23.164) by DGGEMS411-HUB.china.huawei.com (10.3.19.211) with Microsoft SMTP Server id 14.3.408.0; Wed, 31 Oct 2018 12:04:31 +0800 From: Zhen Lei To: John Garry , Robin Murphy , Will Deacon , Joerg Roedel , linux-arm-kernel , iommu , linux-kernel CC: Zhen Lei , LinuxArm Subject: [PATCH v3 1/1] iommu/arm-smmu-v3: eliminate a potential memory corruption on hi1620 and earlier Date: Wed, 31 Oct 2018 12:02:07 +0800 Message-ID: <1540958527-15408-1-git-send-email-thunder.leizhen@huawei.com> X-Mailer: git-send-email 1.9.5.msysgit.0 MIME-Version: 1.0 X-Originating-IP: [10.177.23.164] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The standard GITS_TRANSLATER register in ITS is only 4 bytes, but Hisilicon expands the next 4 bytes to carry some IMPDEF information. That means, total 8 bytes data will be written to MSIAddress each time. MSIAddr: |----4bytes----|----4bytes----| | MSIData | IMPDEF | There is no problem for ITS, because the next 4 bytes space is reserved in ITS. But it will overwrite the 4 bytes memory following "sync_count". It's very fortunately that the previous and the next neighbour of the "sync_count" are both aligned by 8 bytes, so no problem is met now. It's good to explicitly add a workaround. Let's enclose the "sync_count" into a union and companion with a new member "padding" of type u64. There is no functional change. Signed-off-by: Zhen Lei --- drivers/iommu/arm-smmu-v3.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) -- 1.8.3 Reviewed-by: Robin Murphy diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c index 6947ccf..4e94730 100644 --- a/drivers/iommu/arm-smmu-v3.c +++ b/drivers/iommu/arm-smmu-v3.c @@ -576,7 +576,23 @@ struct arm_smmu_device { struct arm_smmu_strtab_cfg strtab_cfg; - u32 sync_count; + /* + * The member "padding" is used to make sure the member "sync_count" to + * be aligned at 8 bytes boundary, and 4 bytes padding memory followed. + * + * These are required by hi1620 and earlier of Hisilicon. Because the + * ITS hardware on hi1620 and earlier will truncate the MSIAddress(Here + * it's the address of "sync_count") to 8 bytes boundary first, then + * write 32 bits MSIdata at offset 0, and 32 bits IMPDEF data at offset + * 4. Without this workaround, the adjacent member maybe overwritten. + * + * |---4bytes---|---4bytes---| + * MSIAddress & (~0x7): MSIdata | IMPDEF data| + */ + union { + u32 sync_count; + u64 padding; + }; /* IOMMU core code handle */ struct iommu_device iommu;