xen/arm: flush_tlb_domain: Disable IRQ when flushing TLB of another domain

When Xen is flushing the TLB for another domain than current, it has to
switch temporarily to the P2M of this domain. If IRQs are enabled, it may
be possible to receive an interrupt that requires the use the P2M of the current
domain, or even temporarily switch to another P2M.
For the former case, the translation would be wrong. For the latter one,
as the handler would restore the current P2M, Xen would flush the wrong domain
TLB.

Thankfully we don't have such interrupt handler, but it may be necessary
in the future to do that during when the user asks to dump domain stack via
a keystroke.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
[ ijc -- spelling in the commit log ]

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index 69191b9f4c13a647f2680198cc9e995ff501f4a0..76d236935a096b7dde9ff9d0bcb53effd503adbd 100644 (file)
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -112,17 +112,25 @@ void p2m_restore_state(struct vcpu *n)
 
 void flush_tlb_domain(struct domain *d)
 {
+    unsigned long flags = 0;
+
     /* Update the VTTBR if necessary with the domain d. In this case,
      * it's only necessary to flush TLBs on every CPUs with the current VMID
      * (our domain).
      */
     if ( d != current->domain )
+    {
+        local_irq_save(flags);
         p2m_load_VTTBR(d);
+    }
 
     flush_tlb();
 
     if ( d != current->domain )
+    {
         p2m_load_VTTBR(current->domain);
+        local_irq_restore(flags);
+    }
 }
 
 /*