Hi Oleksandr,
On 03/08/2020 19:21, Oleksandr Tyshchenko wrote:
+static int hvm_send_buffered_ioreq(struct hvm_ioreq_server *s, ioreq_t *p)
+{
[...]
+ /* Canonicalize read/write pointers to prevent their overflow. */
+ while ( (s->bufioreq_handling == HVM_IOREQSRV_BUFIOREQ_ATOMIC) &&
+ qw++ < IOREQ_BUFFER_SLOT_NUM &&
+ pg->ptrs.read_pointer >= IOREQ_BUFFER_SLOT_NUM )
+ {
+ union bufioreq_pointers old = pg->ptrs, new;
+ unsigned int n = old.read_pointer / IOREQ_BUFFER_SLOT_NUM;
+
+ new.read_pointer = old.read_pointer - n * IOREQ_BUFFER_SLOT_NUM;
+ new.write_pointer = old.write_pointer - n * IOREQ_BUFFER_SLOT_NUM;
+ cmpxchg(&pg->ptrs.full, old.full, new.full);
While working on the implementation of cmpxchg(), I realized the
operation will happen on memory shared with a the emulator.
This will need to be switched to guest_cmpxchg64() to prevent a domain
to DoS Xen on Arm.
I looked at the rest of the IOREQ and didn't notice any other example.
Cheers,
--
Julien Grall
