• Suresh Siddha's avatar
    x86, mm: avoid possible bogus tlb entries by clearing prev mm_cpumask after switching mm · 831d52bc
    Suresh Siddha authored
    Clearing the cpu in prev's mm_cpumask early will avoid the flush tlb
    IPI's while the cr3 is still pointing to the prev mm.  And this window
    can lead to the possibility of bogus TLB fills resulting in strange
    failures.  One such problematic scenario is mentioned below.
    
     T1. CPU-1 is context switching from mm1 to mm2 context and got a NMI
         etc between the point of clearing the cpu from the mm_cpumask(mm1)
         and before reloading the cr3 with the new mm2.
    
     T2. CPU-2 is tearing down a specific vma for mm1 and will proceed with
         flushing the TLB for mm1.  It doesn't send the flush TLB to CPU-1
         as it doesn't see that cpu listed in the mm_cpumask(mm1).
    
     T3. After the TLB flush is complete, CPU-2 goes ahead and frees the
         page-table pages associated with the removed vma mapping.
    
     T4. CPU-2 now allocates those freed page-table pages for something
         else.
    
     T5. As the CR3 and TLB caches for mm1 is still active on CPU-1, CPU-1
         can potentially speculate and walk through the page-table caches
         and can insert new TLB entries.  As the page-table pages are
         already freed and being used on CPU-2, this page walk can
         potentially insert a bogus global TLB entry depending on the
         (random) contents of the page that is being used on CPU-2.
    
     T6. This bogus TLB entry being global will be active across future CR3
         changes and can result in weird memory corruption etc.
    
    To avoid this issue, for the prev mm that is handing over the cpu to
    another mm, clear the cpu from the mm_cpumask(prev) after the cr3 is
    changed.
    
    Marking it for -stable, though we haven't seen any reported failure that
    can be attributed to this.
    Signed-off-by: default avatarSuresh Siddha <suresh.b.siddha@intel.com>
    Acked-by: default avatarIngo Molnar <mingo@elte.hu>
    Cc: stable@kernel.org	[v2.6.32+]
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    831d52bc
mmu_context.h 2.15 KB