From: Marek Marczykowski-Górecki
To: xen-devel@lists.xenproject.org
Cc: Marek Marczykowski-Górecki, stable@vger.kernel.org, Boris Ostrovsky, Juergen Gross, Stefano Stabellini, Greg Kroah-Hartman, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH 1/6] xen: Add RING_COPY_RESPONSE()
Date: Mon, 30 Apr 2018 23:01:45 +0200

Using RING_GET_RESPONSE() on a shared ring is easy to use incorrectly (i.e., by not considering that the other end may alter the data in the shared ring while it is being inspected). Safe usage of a response generally requires taking a local copy.

Provide a RING_COPY_RESPONSE() macro to use instead of RING_GET_RESPONSE() and an open-coded memcpy(). This takes care of ensuring that the copy is done correctly regardless of any possible compiler optimizations.

Use a volatile source to prevent the compiler from reordering or omitting the copy.

This is complementary to XSA155.

CC: stable@vger.kernel.org
Signed-off-by: Marek Marczykowski-Górecki

--- include/xen/interface/io/ring.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/include/xen/interface/io/ring.h b/include/xen/interface/io/ring.h index 3f40501..03702f6 100644 --- a/include/xen/interface/io/ring.h +++ b/include/xen/interface/io/ring.h
@@ -201,6 +201,20 @@ struct __name##_back_ring { \ #define RING_GET_RESPONSE(_r, _idx) \ (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].rsp)) +/* + * Get a local copy of a response. + * + * Use this in preference to RING_GET_RESPONSE() so all processing is + * done on a local copy that cannot be modified by the other end. + * + * Note that https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 may cause this + * to be ineffective where _rsp is a struct which consists of only bitfields. + */ +#define RING_COPY_RESPONSE(_r, _idx, _rsp) do { \ + /* Use volatile to force the copy into _rsp. */ \ + *(_rsp) = *(volatile typeof(_rsp))RING_GET_RESPONSE(_r, _idx); \ +} while (0) + /* Loop termination condition: Would the specified index overflow the ring? */ #define RING_REQUEST_CONS_OVERFLOW(_r, _cons) \ (((_cons) - (_r)->rsp_prod_pvt) >= RING_SIZE(_r)) -- git-series 0.9.1
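Review bot: In RING_COPY_RESPONSE(), the cast `(volatile typeof(_rsp))` puts the qualifier on the pointer rather than on the object it points to. With `_rsp` of type `T *`, `volatile typeof(_rsp)` is `T * volatile`, so the dereference that reads the shared ring slot is an ordinary non-volatile load, and nothing in the macro stops the compiler from eliding the local copy and reading the ring again later. To get the volatile source that the in-macro comment and the commit message describe, cast to a pointer-to-volatile instead, for example `*(_rsp) = *(volatile typeof(*(_rsp)) *)RING_GET_RESPONSE(_r, _idx);`. The block comment could also say explicitly that `_rsp` must point to caller-local storage, since the macro gives no protection if the destination is itself shared with the other end.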