Date: Thu, 9 Apr 2026 15:21:06 +0100
From: "Russell King (Oracle)"
To: Will Deacon
Cc: Brian Ruley, Steve Capper, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/arm: pgtable: remove young bit check for pte_valid_user
References: <20260409125446.981747-1-brian.ruley@gehealthcare.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 09, 2026 at 02:56:53PM +0100, Will Deacon wrote:
> On Thu, Apr 09, 2026 at 03:54:45PM +0300, Brian Ruley wrote:
> > Fixes cache desync, which can cause undefined instruction,
> > translation and permission faults under heavy memory use.
> >
> > This is an old bug introduced in commit 1971188aa196 ("ARM: 7985/1: mm:
> > implement pte_accessible for faulting mappings"), which included a check
> > for the young bit of a PTE. The underlying assumption was that old pages
> > are not cached, therefore, `__sync_icache_dcache' could be skipped
> > entirely.
> >
> > However, under extreme memory pressure, page migrations happen
> > frequently and the assumption of uncached "old" pages does not hold.
> > Especially for systems that do not have swap, the migrated pages are
> > unequivocally marked old. This presents a problem, as it is possible
> > for the original page to be immediately mapped to another VA that
> > happens to share the same cache index in VIPT I-cache (we found this
> > bug on Cortex-A9). Without cache invalidation, the CPU will see the
> > old mapping whose physical page can now be used for a different
> > purpose, as illustrated below:
> >
> > Core                              Physical Memory
> > +-------------------------------+ +------------------+
> > | TLB                           | |                  |
> > | VA_A 0xb6e6f -> pfn_q         | | pfn_q: code      |
> > +-------------------------------+ +------------------+
> > | I-cache                       |
> > | set[VA_A bits] | tag=pfn_q    |
> > +-------------------------------+
> >
> > migrate (kcompactd):
> >  1. copy pfn_q --> pfn_r
> >  2. free pfn_q
> >  3. pte: VA_a -> pfn_r
> >  4. pte_mkold(pte) --> !young
> >  5. ICIALLUIS skipped (because !young)
> >
> > pfn_src reused (OOM pressure):
> >  pte: VA_B -> pfn_q (different code)
> >
> > bug:
> > Core                              Physical Memory
> > +-------------------------------+ +------------------+
> > | TLB (empty)                   | | pfn_r: old code  |
> > +-------------------------------+ | pfn_q: new code  |
> > | I-cache                       | +------------------+
> > | set[VA_A bits] | tag=pfn_q    |<--- wrong instructions
> > +-------------------------------+
>
> (nit: Do you have pfn_r and pfn_q mixed up in the "Physical Memory" box?)
>
> > This was verified on ba16-based board (i.MX6Quad/Dual, Cortex-A9) by
> > instrumenting the migration code to track recently migrated pages in a
> > ring buffer and then dumping them in the undefined instruction fault
> > handler. The bug can be triggered with `stress-ng':
> >
> >     stress-ng --vm 4 --vm-bytes 2G --vm-method zero-one --verify
> >
> > Note that the system we tested on has only 2G of memory, so the test
> > triggered the OOM-killer in our case.
> >
> > Fixes: 1971188aa196 ("ARM: 7985/1: mm: implement pte_accessible for faulting mappings")
> > Signed-off-by: Brian Ruley
> > ---
> >  arch/arm/include/asm/pgtable.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
> > index 6fa9acd6a7f5..e3a5b4a9a65f 100644
> > --- a/arch/arm/include/asm/pgtable.h
> > +++ b/arch/arm/include/asm/pgtable.h
> > @@ -185,7 +185,7 @@ static inline pte_t *pmd_page_vaddr(pmd_t pmd)
> >  #define pte_exec(pte)		(pte_isclear((pte), L_PTE_XN))
> >  
> >  #define pte_valid_user(pte)		\
> > -	(pte_valid(pte) && pte_isset((pte), L_PTE_USER) && pte_young(pte))
> > +	(pte_valid(pte) && pte_isset((pte), L_PTE_USER))
>
> This patch is from twelve years ago, so please forgive me for having
> forgotten all of the details. However, my recollection is that when using
> the classic/!lpae format (as you will be on Cortex-A9), page aging is
> implemented by using invalid (translation faulting) ptes for 'old'
> mappings.

It is.

> So in the case you describe, we may well elide the I-cache maintenance,
> but won't we also put down an invalid pte?

Correct.

> If we later take a fault
> on that, we should then perform the cache maintenance when installing
> the young entry (via ptep_set_access_flags()).

Correct again.

> The more interesting part
> is probably when the mapping for 'VA_B' is installed to map 'pfn_q' but,
> again, I would've expected the cache maintenance to happen just prior to
> installing the valid (young) mapping.

Also correct - for the new PTE to become accessible in userspace, we
would need to establish a young PTE, which will result in set_ptes()
being called, and that should trigger __flush_icache_all() which will
flush the _entire_ instruction cache, which will remove any stale
entries for the old mapping that is no longer accessible.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
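Review bot: the commit message does not justify the change at @@ -185,7 +185,7 @@ (dropping the pte_young(pte) term from pte_valid_user) against the aging model discussed in the thread: under the classic (!LPAE) format on Cortex-A9 an 'old' mapping is an invalid, translation-faulting PTE, so step 4 of the diagram ("pte_mkold(pte) --> !young") leaves VA_A unreachable until a fault installs a young entry via ptep_set_access_flags(), and the VA_B -> pfn_q mapping likewise only becomes accessible once a young PTE goes through set_ptes(), where the thread says __flush_icache_all() runs. The description should spell out the exact sequence in which stale I-cache lines tagged pfn_q get executed without a young PTE having been installed first; without that, the only visible effect of the hunk is to run __sync_icache_dcache for mappings that cannot yet be executed from. Minor: the "pfn_src reused (OOM pressure)" line uses a name that appears nowhere else in the diagram (the page being reused is pfn_q), and step 3 writes VA_a where the rest of the diagram uses VA_A.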