[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [Xen-devel] [PATCH v2 2/3] xenfb: move xen_rmb to the c
From: |
Andrew Cooper |
Subject: |
Re: [Qemu-devel] [Xen-devel] [PATCH v2 2/3] xenfb: move xen_rmb to the correct location |
Date: |
Tue, 12 Apr 2016 14:38:13 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.7.0 |
On 12/04/16 13:57, David Vrabel wrote:
> On 12/04/16 11:43, Wei Liu wrote:
>> It should be placed before first time producer and consumer are used.
> This change isn't necessary and is confusing as this is not what this
> barrier is for.
>
> The barrier needs to be between the load of prod and the load of the
> ring contents (there's even a comment that says this). This pairs with
> the corresponding write barrier between the store of the ring contents
> and the store of prod (in the other end).
Looking further, this code will compile to multiple reads of the page,
because there is no ACCESS_ONCE(). This code is still vulnerable to
XSA-155.
~Andrew
>
> David
>
>> Signed-off-by: Wei Liu <address@hidden>
>> ---
>> Cc: Stefano Stabellini <address@hidden>
>> Cc: Anthony Perard <address@hidden>
>>
>> Backport candidate to our own tree.
>> ---
>> hw/display/xenfb.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
>> index 9866dfd..7f4fad7 100644
>> --- a/hw/display/xenfb.c
>> +++ b/hw/display/xenfb.c
>> @@ -775,10 +775,10 @@ static void xenfb_handle_events(struct XenFB *xenfb)
>>
>> prod = page->out_prod;
>> out_cons = page->out_cons;
>> + xen_rmb();
>> if (prod - out_cons > XENFB_OUT_RING_LEN) {
>> return;
>> }
>> - xen_rmb(); /* ensure we see ring contents up to prod */
>> for (cons = out_cons; cons != prod; cons++) {
>> union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
>> uint8_t type = event->type;
>>
>
> _______________________________________________
> Xen-devel mailing list
> address@hidden
> http://lists.xen.org/xen-devel