AMD IOMMU: reset command buffer pointers manually

Upstream commit cf558d25e5c9f70fa0279c9b7b8b4aed7cae9bd4

Under special circumstances the IOMMU does not reset the head and tail
pointer of its command ringbuffer to zero when the command base is
written. This causes the IOMMU to fetch random memory and executes it as
an command. Since these commands are likely illegal IOMMU stops fetching
further commands including IOTLB flushes. This leads to completion wait
errors at boot and in some cases to data corruption and kernel crashes.

Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/arch/x86/kernel/amd_iommu_init.c b/arch/x86/kernel/amd_iommu_init.c
index a1378c4..1226ec6 100644 (file)
--- a/arch/x86/kernel/amd_iommu_init.c
+++ b/arch/x86/kernel/amd_iommu_init.c
@@ -407,6 +407,10 @@ static u8 * __init alloc_command_buffer(struct amd_iommu *iommu)
        memcpy_toio(iommu->mmio_base + MMIO_CMD_BUF_OFFSET,
                        &entry, sizeof(entry));
 
+       /* set head and tail to zero manually */
+       writel(0x00, iommu->mmio_base + MMIO_CMD_HEAD_OFFSET);
+       writel(0x00, iommu->mmio_base + MMIO_CMD_TAIL_OFFSET);
+
        iommu_feature_enable(iommu, CONTROL_CMDBUF_EN);
 
        return cmd_buf;