linuxppc-dev.lists.ozlabs.org archive mirror
* powerpc: Fix possible access to free pages
@ 2007-05-27  5:17 Benjamin Herrenschmidt
  0 siblings, 0 replies; 2+ messages in thread
From: Benjamin Herrenschmidt @ 2007-05-27  5:17 UTC (permalink / raw)
  To: Paul Mackerras; +Cc: linuxppc-dev list

I think we have a subtle race on ppc64 with the tlb batching. The
common code expects tlb_flush() to actually flush any pending TLB
batch. It does that because it delays all page freeing until after
tlb_flush() is called, in order to ensure no stale reference to
those pages exists in any TLB, thus causing potential access to
the freed data.

However, our tlb_flush only triggers the RCU for freeing page
table pages, it does not currently trigger a flush of a pending
TLB/hash batch, which is, I think, an error. This fixes it.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>

Index: linux-work/include/asm-powerpc/tlb.h
===================================================================
--- linux-work.orig/include/asm-powerpc/tlb.h	2007-05-27 15:09:01.000000000 +1000
+++ linux-work/include/asm-powerpc/tlb.h	2007-05-27 15:09:12.000000000 +1000
@@ -38,6 +38,15 @@
 
 static inline void tlb_flush(struct mmu_gather *tlb)
 {
+	struct ppc64_tlb_batch *tlbbatch = &__get_cpu_var(ppc64_tlb_batch);
+
+	/* If there's a TLB batch pending, then we must flush it because the
+	 * pages are going to be freed and we really don't want to have a CPU
+	 * access a freed page because it has a stale TLB
+	 */
+	if (tlbbatch->index)
+		__flush_tlb_pending(tlbbatch);
+
 	pte_free_finish();
 }
 
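Review bot: the block comment in the new code ends mid-thought ("because it has a stale TLB"); suggest closing it as "a stale TLB entry for it", and kernel style puts the opening `/*` of a multi-line comment on its own line. The hunk also takes the per-CPU batch with `__get_cpu_var(ppc64_tlb_batch)` with no note on why that is safe here; since `__get_cpu_var()` relies on the caller already having preemption disabled, a one-line comment stating that assumption (or the call path that guarantees it) would spare the next reader a trip through the mmu_gather code. The `tlb` argument is otherwise unused by the new lines, which is fine, but worth a glance if a later change wants a per-gather rather than per-CPU batch.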

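The ordering the patch restores can be shown outside the kernel. The following is an added userland model, not kernel code and not part of the original post: a simulated per-CPU TLB, a pending invalidation batch, and an mmu_gather that defers page freeing until the arch flush hook runs. All names (`tlb_batch`, `mmu_gather`, `unmap_page`, `finish_mmu`, `run_scenario`, `BATCH_SIZE`) and the page counts are this example's own assumptions. It runs the same unmap sequence through a "buggy" flush hook that ignores the pending batch and a "fixed" one that drains it first, and counts how many pages were freed while a translation for them was still live, which is the window the commit message describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model (this example's own, not kernel code) of the invariant:
 * the generic gather code frees pages only after tlb_flush(), so the
 * arch tlb_flush() must drain any pending TLB batch before returning. */

#define MAX_PAGES 16
#define BATCH_SIZE 8   /* assumed batch capacity for this model */

struct page { int id; bool freed; };

/* Simulated per-CPU TLB: true while a translation for the page is live */
static bool tlb_has_translation[MAX_PAGES];

/* Pending batch of unmapped pages whose invalidation was deferred */
struct tlb_batch { int index; int pages[BATCH_SIZE]; };
static struct tlb_batch cpu_batch;

/* Generic gather: pages queued for freeing once the arch flush has run */
struct mmu_gather { int nr; struct page *pages[MAX_PAGES]; };

/* Drain the batch: every queued page loses its translation */
static void flush_tlb_pending(struct tlb_batch *b)
{
    for (int i = 0; i < b->index; i++)
        tlb_has_translation[b->pages[i]] = false;
    b->index = 0;
}

/* Unmap: queue the invalidation in the batch (flushing when full) and
 * hand the page to the gather for deferred freeing */
static void unmap_page(struct mmu_gather *tlb, struct page *pg)
{
    if (cpu_batch.index == BATCH_SIZE)
        flush_tlb_pending(&cpu_batch);
    cpu_batch.pages[cpu_batch.index++] = pg->id;
    tlb->pages[tlb->nr++] = pg;
}

/* Arch hook before the fix: frees page-table pages only (not modelled),
 * leaving whatever is in the batch pending */
static void tlb_flush_buggy(struct mmu_gather *tlb) { (void)tlb; }

/* Arch hook after the fix: drain the pending batch first */
static void tlb_flush_fixed(struct mmu_gather *tlb)
{
    (void)tlb;
    if (cpu_batch.index)
        flush_tlb_pending(&cpu_batch);
}

/* Generic finish: arch flush, then free. Returns how many pages were
 * freed while a live translation still pointed at them. */
static int finish_mmu(struct mmu_gather *tlb,
                      void (*arch_tlb_flush)(struct mmu_gather *))
{
    int stale = 0;
    arch_tlb_flush(tlb);
    for (int i = 0; i < tlb->nr; i++) {
        struct page *pg = tlb->pages[i];
        if (tlb_has_translation[pg->id])
            stale++;            /* freed page still reachable via the TLB */
        pg->freed = true;
    }
    tlb->nr = 0;
    return stale;
}

/* Unmap the first n pages of a fresh mapping and finish the gather with
 * either the fixed or the buggy arch hook; returns the stale-page count */
static int run_scenario(bool fixed, int n)
{
    struct page pages[MAX_PAGES];
    struct mmu_gather tlb = { 0 };
    memset(tlb_has_translation, 0, sizeof tlb_has_translation);
    cpu_batch.index = 0;
    for (int i = 0; i < MAX_PAGES; i++) {
        pages[i].id = i;
        pages[i].freed = false;
        tlb_has_translation[i] = true;   /* constructed: all pages mapped */
    }
    for (int i = 0; i < n && i < MAX_PAGES; i++)
        unmap_page(&tlb, &pages[i]);
    return finish_mmu(&tlb, fixed ? tlb_flush_fixed : tlb_flush_buggy);
}

int main(void)
{
    printf("buggy, 3 unmaps: %d stale page(s)\n", run_scenario(false, 3));
    printf("buggy, 9 unmaps: %d stale page(s)\n", run_scenario(false, 9));
    printf("fixed, 9 unmaps: %d stale page(s)\n", run_scenario(true, 9));
    return 0;
}
```

With fewer unmaps than the batch holds, the buggy hook leaves every freed page reachable; with nine unmaps the batch fills and flushes once on its own, so only the ninth is left pending, which is why the bug is intermittent rather than constant. The fixed hook reports zero in both cases.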
