From patchwork Sat Oct 20 07:36:54 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Leizhen \(ThunderTown\)" X-Patchwork-Id: 149361 Delivered-To: patch@linaro.org Received: by 2002:a2e:8595:0:0:0:0:0 with SMTP id b21-v6csp305183lji; Sat, 20 Oct 2018 00:39:54 -0700 (PDT) X-Google-Smtp-Source: ACcGV60PcAMbsVsgB4ISrONvNqui/5H+uJt1f2bnd8Oo8i+iAw/LXcOR1M8GnrKNu+6p3KMjAeeB X-Received: by 2002:a65:610e:: with SMTP id z14-v6mr35255042pgu.138.1540021194835; Sat, 20 Oct 2018 00:39:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540021194; cv=none; d=google.com; s=arc-20160816; b=WxDOgFrEA9oN+MZwBzKyOuGD6Qa/xnyB2jWkSjsaHUQt09ECT4zWUJD6TEo3Rfps2m TUBJOKss5rOJY7kfjd6g8W/2P61tSOgiu6+1S/FoL4Vg3KWUlUwY3PrMMvSrfpqdRPL7 kMRqIckLYJcakLdNQDgR5GIsxIu4aEpM7kaBDZ9mTnfiSVPeOD0VDzU0z0z1eOayHZQG 9/dtnp6qjqTMjxYS8MJ9oXz6fM5X6e5N87n9E3JROu+Jd8KDirO6Lc2fAPKYqhgRQWGg dKqLBeugn5T0/o30gu5qf9YvAPP7p2k1aG/7jAEEUiCx+6q6Jsc5etBR/678pY6v23d1 oqeQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:subject:cc :to:from; bh=E7LdL3BsmgQgRJ9LPAzA+Lkevgn3fEwYoo6H4UnRiic=; b=IVcLU2WFFWOdfU3H6Atk+OmAtV1+wKxfOhdM+KIQmtlGm2ttszB7UBwk0T/1atVG6l egF83QsP/WqyQlq4NDSiNLLH/wY3RjErqchO78fb9M9x5JD7UMuK7G4oQ/Hmw1wTymuZ gsTYyPdoVBcaM3+BLUYRYZ7ywErtJ8ENlCbuIHg7uOiBna4AoOd7GqhBHBA75Su9JqIR VC9KbAboorPv6yFUUbpVBptQgGnvUbHBqgG/i9JAPrlbQA/EnkD2PGOQKPhQdWMJUFiC C2uSm97E5AcsA61WzhNadfTiz0kJ5GC13+v7T2/rmqYelT5arfdtxHqf+SQKAYQcBuxJ /vSQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h33-v6si23875199plh.56.2018.10.20.00.39.54; Sat, 20 Oct 2018 00:39:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727097AbeJTPrm (ORCPT + 32 others); Sat, 20 Oct 2018 11:47:42 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:14098 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726261AbeJTPrm (ORCPT ); Sat, 20 Oct 2018 11:47:42 -0400 Received: from DGGEMS407-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 4A12089EE3D1; Sat, 20 Oct 2018 15:38:04 +0800 (CST) Received: from localhost (10.177.23.164) by DGGEMS407-HUB.china.huawei.com (10.3.19.207) with Microsoft SMTP Server id 14.3.399.0; Sat, 20 Oct 2018 15:37:57 +0800 From: Zhen Lei To: Robin Murphy , Will Deacon , Joerg Roedel , linux-arm-kernel , iommu , linux-kernel CC: Zhen Lei , LinuxArm Subject: [PATCH v2 1/1] iommu/arm-smmu-v3: eliminate a potential memory corruption on Hi16xx soc Date: Sat, 20 Oct 2018 15:36:54 +0800 Message-ID: <1540021014-8176-1-git-send-email-thunder.leizhen@huawei.com> X-Mailer: git-send-email 1.9.5.msysgit.0 MIME-Version: 1.0 X-Originating-IP: [10.177.23.164] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The standard GITS_TRANSLATER register in ITS is only 4 bytes, but Hisilicon expands the next 4 bytes to carry some IMPDEF information. That means, total 8 bytes data will be written to MSIAddress each time. MSIAddr: |----4bytes----|----4bytes----| | MSIData | IMPDEF | There is no problem for ITS, because the next 4 bytes space is reserved in ITS. But it will overwrite the 4 bytes memory following "sync_count". It's very fortunately that the previous and the next neighbour of the "sync_count" are both aligned by 8 bytes, so no problem is met now. It's good to explicitly add a workaround: 1. Add gcc __attribute__((aligned(8))) to make sure that "sync_count" is always aligned by 8 bytes. 2. Add a "int" struct member to make sure the 4 bytes padding is always exist. There is no functional change. Signed-off-by: Zhen Lei --- drivers/iommu/arm-smmu-v3.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) -- 1.8.3 diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c index 5059d09..624fdd0 100644 --- a/drivers/iommu/arm-smmu-v3.c +++ b/drivers/iommu/arm-smmu-v3.c @@ -586,7 +586,20 @@ struct arm_smmu_device { struct arm_smmu_strtab_cfg strtab_cfg; - u32 sync_count; + /* + * The alignment and padding is required by Hi16xx of Hisilicon. + * Because the ITS hardware on Hi16xx will truncate the MSIAddress(Here + * it's the address of "sync_count") to 8 bytes boundary first, then + * write 32 bits MSIdata at offset 0, and 32 bits IMPDEF data at offset + * 4. Without this workaround, the adjacent member maybe overwritten. + * + * |---4bytes---|---4bytes---| + * MSIAddress & (~0x7): MSIdata | IMPDEF data| + */ + struct { + u32 sync_count; + int padding; + } __attribute__((aligned(8))); /* IOMMU core code handle */ struct iommu_device iommu;