glink_smem_rx_peek() reads the RX FIFO payload after the caller has
determined data is available via glink_smem_rx_avail(), which reads the
remote-updated head index. A control dependency between the head read
and the subsequent payload read does not order the two loads, so the
CPU may speculatively read the FIFO before observing the head update
and consume stale data the remote has not yet published.
Add rmb() in glink_smem_rx_peek() before the memcpy_fromio() so the
availability (head) read is ordered ahead of the FIFO payload read,
matching the consumer pattern in
Documentation/core-api/circular-buffers.rst.
Fixes: caf989c350e8 ("rpmsg: glink: Introduce glink smem based transport")
Cc: [email protected]
Signed-off-by: Chunkai Deng <[email protected]>
---
drivers/rpmsg/qcom_glink_smem.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/rpmsg/qcom_glink_smem.c b/drivers/rpmsg/qcom_glink_smem.c
index 62adc4db2317..35bb03e67ae8 100644
--- a/drivers/rpmsg/qcom_glink_smem.c
+++ b/drivers/rpmsg/qcom_glink_smem.c
@@ -103,6 +103,13 @@ static void glink_smem_rx_peek(struct qcom_glink_pipe *np,
if (tail >= pipe->native.length)
tail -= pipe->native.length;
+ /*
+ * Order the availability (head) read in glink_smem_rx_avail()
+ * against the FIFO payload read below, so APPS never consumes
+ * stale data the remote has not yet published.
+ */
+ rmb();
+
len = min_t(size_t, count, pipe->native.length - tail);
if (len)
memcpy_fromio(data, pipe->fifo + tail, len);
---
base-commit: a225caacc36546a09586e3ece36c0313146e7da9
change-id: 20260610-rpmsg-glink-smem-mb-3b63dc278358
Best regards,
--
Chunkai Deng <[email protected]>
