Re: [PATCH v2 00/22] mm: Add __GFP_UNMAPPED

Next message: Stanislav Kinsburskii: "Re: [PATCH v4 08/18] mshv: Fix level-triggered check on uninitialized data"
Previous message: Andy Shevchenko: "Re: [PATCH v2 0/3] serial: 8250: fix BREAK+SysRq dispatch on guard()-locked IRQ handlers"
In reply to: Gregory Price: "Re: [PATCH v2 00/22] mm: Add __GFP_UNMAPPED"
Next in thread: Gregory Price: "Re: [PATCH v2 00/22] mm: Add __GFP_UNMAPPED"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vlastimil Babka (SUSE)

Date: Wed May 13 2026 - 13:52:00 EST

On 5/13/26 19:28, Gregory Price wrote:
>
> Hm. I'm not quite wrapping my head around the TLB issue fully.
>
> If there's no kernel direct mapping, and there's no userland mapping,
> the stale TLB entry comes from... the page formerly being present in the
> page tables and a stale TLB entry lying about after the page is freed?

It's the direct mapping, we assume it's always there and unchanged, and only
kernel can access the contents through it. So nobody flushes it when freeing
any pages. Userspace processes can't exploit anything stale there, in
absence of kernel's UAF bugs (or e.g. Meltdown like cpu bugs).

> If that's the case, that sounds more like someone isn't flushing the TLB
> entry correctly when the page is freed or unmapped (for a transient
> mermap situation), rather than an issue to be handled by the allocator.
>
> I think I just need to spend a little more time understanding the TLB
> issue.
>