From: linux@arm.linux.org.uk (Russell King - ARM Linux)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC PATCH 2/2] ARMv7: Invalidate the TLB before freeing page tables
Date: Mon, 21 Feb 2011 10:30:18 +0000
Message-ID: <20110221103018.GH14495@n2100.arm.linux.org.uk>
In-Reply-To: <AANLkTimpcQCjnfzT0R+Af+f38RwBg6DUBg_b85opJJnh@mail.gmail.com>

On Mon, Feb 21, 2011 at 09:39:32AM +0000, Catalin Marinas wrote:
> On 20 February 2011 12:12, Russell King - ARM Linux
> <linux@arm.linux.org.uk> wrote:
> > On Tue, Feb 15, 2011 at 02:42:06PM +0000, Catalin Marinas wrote:
> >> On Tue, 2011-02-15 at 12:14 +0000, Russell King - ARM Linux wrote:
> >> > On Tue, Feb 15, 2011 at 11:32:42AM +0000, Russell King - ARM Linux wrote:
> >> > > The point of TLB shootdown is that we unmap the entries from the page
> >> > > tables, then issue the TLB flushes, and then free the pages and page
> >> > > tables after that.  All that Peter's patch tries to do is to get ARM to
> >> > > use the generic stuff.
> >> >
> >> > As Peter's patch preserves the current behaviour, that's not sufficient.
> >> > So, let's do this our own way and delay pages and page table frees on
> >> > ARMv6 and v7.  Untested.
> >>
> >> ARMv7 should be enough, I'm not aware of any pre-v7 with this behaviour.
> >
> > ARM11MPCore.  Any SMP system can access a page which was free'd by the
> > tlb code but hasn't been flushed from the hardware TLBs.  So maybe we
> > want it to be "defined(CONFIG_SMP) || defined(CONFIG_CPU_32v7)" ?
>
> In practice, since the hardware TLB does not store higher level
> entries on existing v6 cores, there is no cached value pointing to the
> freed pte page.

It's not about cached values of PTE pointers.

> In theory, we first clear the pmd entry but another
> CPU could be doing a PTW at the same time and had already read the pmd
> before being cleared. But the timing constraints are difficult to
> reproduce in practice.

I don't think you properly understand the problem.

CPU#0 is unmapping page tables, e.g. due to munmap(), mremap(), etc.
CPU#1 is running a thread, and has TLB entries for the region being unmapped.

	CPU#0				CPU#1
	clear page table entry
	frees page
	loop continues			accesses page
	...
	sometime in the future
	invalidates TLB

The point here is that user threads on CPU#1 should not have access to
a page which has been freed back into the pool, no matter how slim the
possibility of hitting such a condition. What if a thread on CPU#2 is
given that free page which CPU#1 still has access to, and CPU#2 stores
your SSH private key there?
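The interleaving in the message above, as an added model in C (not kernel code, not part of the original thread): one shared page-table entry, a one-entry TLB per CPU and a small page pool; the names pte, tlb, page_owner and all function names are assumptions of the model. The two entry points return whether CPU#1's stale translation reaches a page that CPU#2 has since been given.

```c
#include <stdbool.h>

/* Added model of the race described above, not kernel code: one shared
 * page-table entry, a one-entry TLB per CPU, and a small page pool. */
enum { NCPUS = 3, NPAGES = 4, NONE = -1 };
static int pte;                 /* entry for the region being unmapped */
static int tlb[NCPUS];          /* per-CPU cached translation, NONE = empty */
static int page_owner[NPAGES];  /* CPU whose data is in the page, NONE = free */

static void setup(void)
{
    for (int c = 0; c < NCPUS; c++) tlb[c] = NONE;
    for (int p = 0; p < NPAGES; p++) page_owner[p] = 0;  /* pool is in use */
    pte = 1; page_owner[1] = 1;  /* region maps page 1, used by CPU#1's thread */
    tlb[1] = 1;                  /* CPU#1 already holds the translation */
}
/* A load on CPU#1: a TLB hit never consults the page table. */
static int cpu1_load(void) { return tlb[1] != NONE ? tlb[1] : pte; }
static void flush_tlb_all_cpus(void) { for (int c = 0; c < NCPUS; c++) tlb[c] = NONE; }
/* CPU#2 takes the first free page and stores its secret there. */
static void cpu2_alloc_and_store(void)
{
    for (int p = 0; p < NPAGES; p++)
        if (page_owner[p] == NONE) { page_owner[p] = 2; return; }
}
/* Order the message calls broken: clear, free, flush "sometime in the future".
 * Returns true when CPU#1's stale translation reaches CPU#2's data. */
static bool unmap_free_before_flush(void)
{
    setup();
    int pfn = pte; pte = NONE;      /* CPU#0: clear page table entry */
    page_owner[pfn] = NONE;         /* CPU#0: frees page */
    cpu2_alloc_and_store();         /* CPU#2: is handed that same page */
    int seen = cpu1_load();         /* CPU#1: accesses page, TLB hit */
    flush_tlb_all_cpus();           /* CPU#0: invalidates TLB, too late */
    return seen != NONE && page_owner[seen] == 2;
}
/* Required order: clear, shoot down every CPU's TLB, only then free. */
static bool unmap_flush_before_free(void)
{
    setup();
    int pfn = pte; pte = NONE;
    flush_tlb_all_cpus();           /* shootdown completes before the free */
    page_owner[pfn] = NONE;
    cpu2_alloc_and_store();
    int seen = cpu1_load();         /* TLB miss, walk finds cleared pte: fault */
    return seen != NONE && page_owner[seen] == 2;
}
```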