mm->cpu_vm_mask: speculative TLB reads could cause random memory

Manfred Spraul (manfreds@colorfullife.com)
Sat, 23 Oct 1999 09:56:07 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: CHANDRIKA H V: "What is a cookie?"
Previous message: David L. Parsley: "Re: FTP Masquerading - unable to finish ftp transfer"

I think the new lazy TLB flushing code is too optimistic:
The CPU carries out speculative read operations, and I assume that it
could carry out speculative TLB reads.
This means that the CPU could load TLB entries for user mode pages
although there are no intentional accesses to user mode.

CPU1: thread A
CPU2: kernel thread, lazy mm context A
start: mmA->cpu_vm_mask=3;
<page in page 1234>
flush_tlb_mm()
__local_flush_tlb()
mmA->cpu_vm_mask=1
<IPI>
__local_flush_tlb()
<mmA->cpu_vm_mask remains 1>

<a speculative read operation load
the TLB entry for page4321>
<page out page 4321>
flush_tlb_mm()
__local_flush_tlb()
mmA->cpu_vm_mask=1
<no IPI>
<thread switch to a thread with mmA>
<no TLB flush, because newMM==active_mm>
<access page4321>
<uses the wrong pte from the TLB>
<boom>

I think the TLB flush could be postponed until switch_mm().
[but for flush_tlb_all(), it must be carried out immediately]

-- Manfred

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: CHANDRIKA H V: "What is a cookie?"
Previous message: David L. Parsley: "Re: FTP Masquerading - unable to finish ftp transfer"