File xsa402-4.patch of Package xen.26348
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: x86/amd: Work around CLFLUSH ordering on older parts
On pre-CLFLUSHOPT AMD CPUs, CLFLUSH is weakely ordered with everything,
including reads and writes to the address, and LFENCE/SFENCE instructions.
This creates a multitude of problematic corner cases, laid out in the manual.
Arrange to use MFENCE on both sides of the CLFLUSH to force proper ordering.
This is part of XSA-402.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -621,6 +621,14 @@ static void init_amd(struct cpuinfo_x86
if (!cpu_has_lfence_dispatch)
__set_bit(X86_FEATURE_MFENCE_RDTSC, c->x86_capability);
+ /*
+ * On pre-CLFLUSHOPT AMD CPUs, CLFLUSH is weakly ordered with
+ * everything, including reads and writes to address, and
+ * LFENCE/SFENCE instructions.
+ */
+ if (!boot_cpu_has(X86_FEATURE_CLFLUSHOPT))
+ __set_bit(X86_BUG_CLFLUSH_MFENCE, boot_cpu_data.x86_capability);
+
switch(c->x86)
{
case 0xf ... 0x17:
--- a/xen/arch/x86/flushtlb.c
+++ b/xen/arch/x86/flushtlb.c
@@ -257,6 +257,13 @@ unsigned int flush_area_local(const void
return flags;
}
+/*
+ * On pre-CLFLUSHOPT AMD CPUs, CLFLUSH is weakly ordered with everything,
+ * including reads and writes to address, and LFENCE/SFENCE instructions.
+ *
+ * This function only works safely after alternatives have run. Luckily, at
+ * the time of writing, we don't flush the caches that early.
+ */
void cache_flush(const void *addr, unsigned int size)
{
/*
@@ -266,6 +273,8 @@ void cache_flush(const void *addr, unsig
unsigned int clflush_size = current_cpu_data.x86_clflush_size ?: 16;
const void *end = addr + size;
+ alternative(ASM_NOP3, "mfence", X86_BUG_CLFLUSH_MFENCE);
+
addr -= (unsigned long)addr & (clflush_size - 1);
for ( ; addr < end; addr += clflush_size )
{
@@ -281,7 +290,9 @@ void cache_flush(const void *addr, unsig
[p] "m" (*(const char *)(addr)));
}
- alternative(ASM_NOP3, "sfence", X86_FEATURE_CLFLUSHOPT);
+ alternative_2(ASM_NOP3,
+ "sfence", X86_FEATURE_CLFLUSHOPT,
+ "mfence", X86_BUG_CLFLUSH_MFENCE);
}
void cache_writeback(const void *addr, unsigned int size)
--- a/xen/include/asm-x86/cpufeature.h
+++ b/xen/include/asm-x86/cpufeature.h
@@ -5,6 +5,9 @@
*/
#if defined(XEN_CPUFEATURE)
+/* Synthetic words follow the featureset words. */
+#define X86_NR_SYNTH 1
+
/* Other features, Xen-defined mapping. */
/* This range is used for feature bits which conflict or are synthesized */
XEN_CPUFEATURE(CONSTANT_TSC, (FSCAPINTS+0)*32+ 0) /* TSC ticks at a constant rate */
@@ -33,7 +36,15 @@ XEN_CPUFEATURE(SC_VERW_HVM, (FSCAPIN
XEN_CPUFEATURE(SC_VERW_IDLE, (FSCAPINTS+0)*32+ 23) /* VERW used by Xen for idle */
XEN_CPUFEATURE(XEN_SELFSNOOP, (FSCAPINTS+0)*32+ 24) /* SELFSNOOP gets used by Xen itself */
-#define NCAPINTS (FSCAPINTS + 1) /* N 32-bit words worth of info */
+/* Bug words follow the synthetic words. */
+#define X86_NR_BUG 1
+
+#define X86_BUG(x) ((FSCAPINTS + X86_NR_SYNTH) * 32 + (x))
+
+#define X86_BUG_CLFLUSH_MFENCE X86_BUG( 2) /* MFENCE needed to serialise CLFLUSH */
+
+/* Total number of capability words, inc synth and bug words. */
+#define NCAPINTS (FSCAPINTS + X86_NR_SYNTH + X86_NR_BUG) /* N 32-bit words worth of info */
#elif !defined(__ASM_I386_CPUFEATURE_H)
#ifndef X86_FEATURES_ONLY
