1 files changed, 41 insertions, 0 deletions

diff --git a/main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch b/main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
new file mode 100644
index 0000000000..56a6e538f4
--- /dev/null
+++ b/main/xen/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
@@ -0,0 +1,41 @@
+From c1fce65e2b720684ea6ba76ae59921542bd154bb Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Fri, 20 Nov 2015 12:22:14 -0500
+Subject: [PATCH 3/3] libvchan: Read prod/cons only once.
+
+We must ensure that the prod/cons are only read once and that
+the compiler won't try to optimize the reads. That is split
+the read of these in multiple instructions influencing later
+branch code. As such insert barriers when fetching the cons
+and prod index.
+
+This is part of XSA155.
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+---
+ tools/libvchan/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/libvchan/io.c b/tools/libvchan/io.c
+index 8a9629b..381cc05 100644
+--- a/tools/libvchan/io.c
++++ b/tools/libvchan/io.c
+@@ -117,6 +117,7 @@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit)
+ static inline int raw_get_data_ready(struct libxenvchan *ctrl)
+ {
+ 	uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl);
++	xen_mb(); /* Ensure 'ready' is read only once. */
+ 	if (ready > rd_ring_size(ctrl))
+ 		/* We have no way to return errors.  Locking up the ring is
+ 		 * better than the alternatives. */
+@@ -158,6 +159,7 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl)
+ static inline int raw_get_buffer_space(struct libxenvchan *ctrl)
+ {
+ 	uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
++	xen_mb(); /* Ensure 'ready' is read only once. */
+ 	if (ready > wr_ring_size(ctrl))
+ 		/* We have no way to return errors.  Locking up the ring is
+ 		 * better than the alternatives. */
+-- 
+2.1.0
+