From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 95D83D80A13 for ; Wed, 19 Jul 2023 16:31:35 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=w7iEmftk4zSYB56fOx6+ZHfclzks+5N8IhgHpIVs0Q4=; c=relaxed/simple; d=groups.io; h=X-Received:X-Received:X-Received:X-MC-Unique:X-Received:X-Received:X-Received:From:To:Cc:Subject:Date:Message-ID:MIME-Version:X-Scanned-By:X-Mimecast-Spam-Score:X-Mimecast-Originator:Precedence:List-Unsubscribe:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:X-Gm-Message-State:Content-Transfer-Encoding:Content-Type; s=20140610; t=1689784294; v=1; b=aRa02KoSY44G9kjBgxU3KFmiRrGOx08kBm4GcuZrPXUSDwjnOLwX5zkfOG+FBWmqy2pnFPaK Hci+fjf0kvkFauqCp+ZWrt0WVHKDJmW4Rw8m0AW4ImxVwv56rM6oDCxaKfXl10VDw52ysGhvDy1 jzlszIm/bHwUVrctGSK1zalQ= X-Received: by 127.0.0.2 with SMTP id MrgBYY7687511xi9vqDpnSuc; Wed, 19 Jul 2023 09:31:34 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web11.1974.1689784293553318311 for ; Wed, 19 Jul 2023 09:31:33 -0700 X-Received: from mimecast-mx02.redhat.com (66.187.233.73 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-586-EKkfJ-tsPjax4Ugms3-tmg-1; Wed, 19 Jul 2023 12:31:31 -0400 X-MC-Unique: EKkfJ-tsPjax4Ugms3-tmg-1 X-Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E17A43C28BF6; Wed, 19 Jul 2023 16:31:30 +0000 (UTC) X-Received: from sirius.home.kraxel.org (unknown [10.39.193.116]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A43FB1121314; Wed, 19 Jul 2023 16:31:30 +0000 (UTC) X-Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 2FAD71800613; Wed, 19 Jul 2023 18:31:29 +0200 (CEST) From: "Gerd Hoffmann" To: devel@edk2.groups.io Cc: Jordan Justen , Ard Biesheuvel , Michael Brown , Jiewen Yao , Gerd Hoffmann Subject: [edk2-devel] [PATCH v2 1/1] OvmfPkg/IoMmuDxe: add locking to IoMmuAllocateBounceBuffer Date: Wed, 19 Jul 2023 18:31:29 +0200 Message-ID: <20230719163129.318992-1-kraxel@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,kraxel@redhat.com X-Gm-Message-State: MYUR3c0vmgSPdAhdlOcPDkVAx7686176AA= Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=aRa02KoS; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none) Searching for an unused bounce buffer in mReservedMemBitmap and reserving the buffer by flipping the bit is a critical section which must not be interrupted. Raise the TPL level to ensure that. Without this fix it can happen that IoMmuDxe hands out the same bounce buffer twice, causing trouble down the road. Seen happening in practice with VirtioNetDxe setting up the network interface (and calling into IoMmuDxe from a polling timer callback) in parallel with Boot Manager doing some disk I/O. An ASSERT() in VirtioNet caught the buffer inconsistency. Full story with lots of details and discussions is available here: https://bugzilla.redhat.com/show_bug.cgi?id=2211060 v2: - add locking to IoMmuFreeBounceBuffer too, clearing bits in mReservedMemBitmap is not guaranteed to be atomic (Michael Brown). Signed-off-by: Gerd Hoffmann --- OvmfPkg/IoMmuDxe/IoMmuBuffer.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/OvmfPkg/IoMmuDxe/IoMmuBuffer.c b/OvmfPkg/IoMmuDxe/IoMmuBuffer.c index c8f6cf4818e8..103003cae376 100644 --- a/OvmfPkg/IoMmuDxe/IoMmuBuffer.c +++ b/OvmfPkg/IoMmuDxe/IoMmuBuffer.c @@ -367,7 +367,9 @@ IoMmuAllocateBounceBuffer ( { EFI_STATUS Status; UINT32 ReservedMemBitmap; + EFI_TPL OldTpl; + OldTpl = gBS->RaiseTPL (TPL_NOTIFY); ReservedMemBitmap = 0; Status = InternalAllocateBuffer ( Type, @@ -378,6 +380,7 @@ IoMmuAllocateBounceBuffer ( ); MapInfo->ReservedMemBitmap = ReservedMemBitmap; mReservedMemBitmap |= ReservedMemBitmap; + gBS->RestoreTPL (OldTpl); ASSERT (Status == EFI_SUCCESS); @@ -395,6 +398,8 @@ IoMmuFreeBounceBuffer ( IN OUT MAP_INFO *MapInfo ) { + EFI_TPL OldTpl; + if (MapInfo->ReservedMemBitmap == 0) { gBS->FreePages (MapInfo->PlainTextAddress, MapInfo->NumberOfPages); } else { @@ -407,9 +412,11 @@ IoMmuFreeBounceBuffer ( mReservedMemBitmap, mReservedMemBitmap & ((UINT32)(~MapInfo->ReservedMemBitmap)) )); + OldTpl = gBS->RaiseTPL (TPL_NOTIFY); MapInfo->PlainTextAddress = 0; mReservedMemBitmap &= (UINT32)(~MapInfo->ReservedMemBitmap); MapInfo->ReservedMemBitmap = 0; + gBS->RestoreTPL (OldTpl); } return EFI_SUCCESS; -- 2.41.0 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#107057): https://edk2.groups.io/g/devel/message/107057 Mute This Topic: https://groups.io/mt/100238846/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-