Memory Protection Unit
ARM DDI 0337G
Copyright © 2005-2008 ARM Limited. All rights reserved.
9-19
Unrestricted Access
Non-Confidential
9.6
Interrupts and updating the MPU
An MPU region can contain critical data. This is because it takes more than one bus
transaction to update. This is normally two words. As a result, it is not thread safe. That
is, an interrupt can split the two words, leaving the region with incoherent information.
There are two different issues:
•
An interrupt can come in that would also update the MPU. This is not only a
read-modify-write issue, it also affects cases where the interrupt routine is
guaranteed not to modify the same region. This is because the programming relies
on the region number being written into a register so that it knows which region
to update. So in this case, you must disable interrupts around each update routine.
•
An interrupt can come in that would use the region being updated or would be
affected because only the base or size fields had been updated. If the new size field
is changed, but the base is not, the base+new_size might overlap into an area
normally handled by another region. In this case, the disable-modify-enable
approach is required.
But for standard OS context switch code, which would change user regions, there is no
risk, because these regions would be preset to user privilege and a user area address.
This means that even an interrupt would cause no side effect. Therefore the
disable/enable code is not required nor is interrupt disable.
The most common approach is to only program the MPU from boot code and context
switcher. If these are the only two places, and the context switcher is only updating user
regions, then disable is not required because the context switcher is already a critical
region and the boot code runs with interrupts disabled.