aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoerg Roedel <jroedel@suse.de>2014-06-20 10:14:22 -0400
committerJoerg Roedel <jroedel@suse.de>2014-06-20 10:14:22 -0400
commitd73a6d722a675dbba8f6b52c964a7076a24a12c1 (patch)
tree89a5454af127be81efff8f55821a07d31e6f4ca3
parent27e249501ca06a3010519c306206cc402b61b5ab (diff)
iommu/amd: Fix small race between invalidate_range_end/start
Commit e79df31 introduced mmu_notifer_count to protect against parallel mmu_notifier_invalidate_range_start/end calls. The patch left a small race condition when invalidate_range_end() races with a new invalidate_range_start() the empty page-table may be reverted leading to stale TLB entries in the IOMMU and the device. Use a spin_lock instead of just an atomic variable to eliminate the race. Signed-off-by: Joerg Roedel <jroedel@suse.de>
-rw-r--r--drivers/iommu/amd_iommu_v2.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/drivers/iommu/amd_iommu_v2.c b/drivers/iommu/amd_iommu_v2.c
index d4daa05efe60..499b4366a98d 100644
--- a/drivers/iommu/amd_iommu_v2.c
+++ b/drivers/iommu/amd_iommu_v2.c
@@ -45,7 +45,7 @@ struct pri_queue {
45struct pasid_state { 45struct pasid_state {
46 struct list_head list; /* For global state-list */ 46 struct list_head list; /* For global state-list */
47 atomic_t count; /* Reference count */ 47 atomic_t count; /* Reference count */
48 atomic_t mmu_notifier_count; /* Counting nested mmu_notifier 48 unsigned mmu_notifier_count; /* Counting nested mmu_notifier
49 calls */ 49 calls */
50 struct task_struct *task; /* Task bound to this PASID */ 50 struct task_struct *task; /* Task bound to this PASID */
51 struct mm_struct *mm; /* mm_struct for the faults */ 51 struct mm_struct *mm; /* mm_struct for the faults */
@@ -53,7 +53,8 @@ struct pasid_state {
53 struct pri_queue pri[PRI_QUEUE_SIZE]; /* PRI tag states */ 53 struct pri_queue pri[PRI_QUEUE_SIZE]; /* PRI tag states */
54 struct device_state *device_state; /* Link to our device_state */ 54 struct device_state *device_state; /* Link to our device_state */
55 int pasid; /* PASID index */ 55 int pasid; /* PASID index */
56 spinlock_t lock; /* Protect pri_queues */ 56 spinlock_t lock; /* Protect pri_queues and
57 mmu_notifer_count */
57 wait_queue_head_t wq; /* To wait for count == 0 */ 58 wait_queue_head_t wq; /* To wait for count == 0 */
58}; 59};
59 60
@@ -431,15 +432,19 @@ static void mn_invalidate_range_start(struct mmu_notifier *mn,
431{ 432{
432 struct pasid_state *pasid_state; 433 struct pasid_state *pasid_state;
433 struct device_state *dev_state; 434 struct device_state *dev_state;
435 unsigned long flags;
434 436
435 pasid_state = mn_to_state(mn); 437 pasid_state = mn_to_state(mn);
436 dev_state = pasid_state->device_state; 438 dev_state = pasid_state->device_state;
437 439
438 if (atomic_add_return(1, &pasid_state->mmu_notifier_count) == 1) { 440 spin_lock_irqsave(&pasid_state->lock, flags);
441 if (pasid_state->mmu_notifier_count == 0) {
439 amd_iommu_domain_set_gcr3(dev_state->domain, 442 amd_iommu_domain_set_gcr3(dev_state->domain,
440 pasid_state->pasid, 443 pasid_state->pasid,
441 __pa(empty_page_table)); 444 __pa(empty_page_table));
442 } 445 }
446 pasid_state->mmu_notifier_count += 1;
447 spin_unlock_irqrestore(&pasid_state->lock, flags);
443} 448}
444 449
445static void mn_invalidate_range_end(struct mmu_notifier *mn, 450static void mn_invalidate_range_end(struct mmu_notifier *mn,
@@ -448,15 +453,19 @@ static void mn_invalidate_range_end(struct mmu_notifier *mn,
448{ 453{
449 struct pasid_state *pasid_state; 454 struct pasid_state *pasid_state;
450 struct device_state *dev_state; 455 struct device_state *dev_state;
456 unsigned long flags;
451 457
452 pasid_state = mn_to_state(mn); 458 pasid_state = mn_to_state(mn);
453 dev_state = pasid_state->device_state; 459 dev_state = pasid_state->device_state;
454 460
455 if (atomic_dec_and_test(&pasid_state->mmu_notifier_count)) { 461 spin_lock_irqsave(&pasid_state->lock, flags);
462 pasid_state->mmu_notifier_count -= 1;
463 if (pasid_state->mmu_notifier_count == 0) {
456 amd_iommu_domain_set_gcr3(dev_state->domain, 464 amd_iommu_domain_set_gcr3(dev_state->domain,
457 pasid_state->pasid, 465 pasid_state->pasid,
458 __pa(pasid_state->mm->pgd)); 466 __pa(pasid_state->mm->pgd));
459 } 467 }
468 spin_unlock_irqrestore(&pasid_state->lock, flags);
460} 469}
461 470
462static void mn_release(struct mmu_notifier *mn, struct mm_struct *mm) 471static void mn_release(struct mmu_notifier *mn, struct mm_struct *mm)
@@ -650,7 +659,6 @@ int amd_iommu_bind_pasid(struct pci_dev *pdev, int pasid,
650 goto out; 659 goto out;
651 660
652 atomic_set(&pasid_state->count, 1); 661 atomic_set(&pasid_state->count, 1);
653 atomic_set(&pasid_state->mmu_notifier_count, 0);
654 init_waitqueue_head(&pasid_state->wq); 662 init_waitqueue_head(&pasid_state->wq);
655 spin_lock_init(&pasid_state->lock); 663 spin_lock_init(&pasid_state->lock);
656 664