Commit 19c12f12 authored by Alexey Kardashevskiy, committed by Greg Kroah-Hartman

powerpc/powernv/ioda: Fix race in TCE level allocation

commit 56090a39 upstream.

pnv_tce() returns a pointer to a TCE entry and originally a TCE table
would be pre-allocated. For the default case of 2GB window the table
needs only a single level and that is fine. However if more levels are
requested, it is possible to get a race when 2 threads want a pointer
to a TCE entry from the same page of TCEs.

This adds cmpxchg to handle the race. Note that once TCE is non-zero,
it cannot become zero again.

Fixes: a68bd126 ("powerpc/powernv/ioda: Allocate indirect TCE levels on demand")
CC: stable@vger.kernel.org # v4.19+
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20190718051139.74787-2-aik@ozlabs.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 032ce7d7
...@@ -49,6 +49,9 @@ static __be64 *pnv_alloc_tce_level(int nid, unsigned int shift) ...@@ -49,6 +49,9 @@ static __be64 *pnv_alloc_tce_level(int nid, unsigned int shift)
return addr; return addr;
} }
static void pnv_pci_ioda2_table_do_free_pages(__be64 *addr,
unsigned long size, unsigned int levels);
static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc) static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc)
{ {
__be64 *tmp = user ? tbl->it_userspace : (__be64 *) tbl->it_base; __be64 *tmp = user ? tbl->it_userspace : (__be64 *) tbl->it_base;
...@@ -58,9 +61,9 @@ static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc) ...@@ -58,9 +61,9 @@ static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc)
while (level) { while (level) {
int n = (idx & mask) >> (level * shift); int n = (idx & mask) >> (level * shift);
unsigned long tce; unsigned long oldtce, tce = be64_to_cpu(READ_ONCE(tmp[n]));
if (tmp[n] == 0) { if (!tce) {
__be64 *tmp2; __be64 *tmp2;
if (!alloc) if (!alloc)
...@@ -71,10 +74,15 @@ static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc) ...@@ -71,10 +74,15 @@ static __be64 *pnv_tce(struct iommu_table *tbl, bool user, long idx, bool alloc)
if (!tmp2) if (!tmp2)
return NULL; return NULL;
tmp[n] = cpu_to_be64(__pa(tmp2) | tce = __pa(tmp2) | TCE_PCI_READ | TCE_PCI_WRITE;
TCE_PCI_READ | TCE_PCI_WRITE); oldtce = be64_to_cpu(cmpxchg(&tmp[n], 0,
cpu_to_be64(tce)));
if (oldtce) {
pnv_pci_ioda2_table_do_free_pages(tmp2,
ilog2(tbl->it_level_size) + 3, 1);
tce = oldtce;
}
} }
tce = be64_to_cpu(tmp[n]);
tmp = __va(tce & ~(TCE_PCI_READ | TCE_PCI_WRITE)); tmp = __va(tce & ~(TCE_PCI_READ | TCE_PCI_WRITE));
idx &= ~mask; idx &= ~mask;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment