powerpc: Fix possible access to free pages
Benjamin Herrenschmidt
benh at au1.ibm.com
Sun May 27 15:17:34 EST 2007
I think we have a subtle race on ppc64 with the tlb batching. The
common code expects tlb_flush() to actually flush any pending TLB
batch. It does that because it delays all page freeing until after
tlb_flush() is called, in order to ensure no stale reference to
those pages exist in any TLB, thus causing potential access to
the freed data.
However, our tlb_flush only triggers the RCU for freeing page
table pages, it does not currently trigger a flush of a pending
TLB/hash batch, which is, I think, an error. This fixes it.
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Index: linux-work/include/asm-powerpc/tlb.h
===================================================================
--- linux-work.orig/include/asm-powerpc/tlb.h 2007-05-27 15:09:01.000000000 +1000
+++ linux-work/include/asm-powerpc/tlb.h 2007-05-27 15:09:12.000000000 +1000
@@ -38,6 +38,15 @@
static inline void tlb_flush(struct mmu_gather *tlb)
{
+ struct ppc64_tlb_batch *tlbbatch = &__get_cpu_var(ppc64_tlb_batch);
+
+ /* If there's a TLB batch pending, then we must flush it because the
+ * pages are going to be freed and we really don't want to have a CPU
+ * access a freed page because it has a stale TLB
+ */
+ if (tlbbatch->index)
+ __flush_tlb_pending(tlbbatch);
+
pte_free_finish();
}
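Review bot: the new flush reads the batch through `__get_cpu_var(ppc64_tlb_batch)`, so it is only correct if tlb_flush() runs on the same CPU that accumulated the batch, i.e. with preemption disabled for the whole mmu_gather; nothing in the hunk states that assumption, and a short comment (or a `WARN_ON(preemptible())` next to the `if (tlbbatch->index)` check) would make it explicit for future readers. The ordering itself is right: the pending hash/TLB batch is flushed before `pte_free_finish()` releases the page-table pages, which is exactly the guarantee the common code expects from tlb_flush().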
More information about the Linuxppc-dev mailing list