linux-kernel.vger.kernel.org archive mirror
From: "Williams, Dan J" <dan.j.williams@intel.com>
To: "Lutomirski, Andy" <luto@kernel.org>,
	"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
	"x86@kernel.org" <x86@kernel.org>, "bp@alien8.de" <bp@alien8.de>,
	"peterz@infradead.org" <peterz@infradead.org>,
	"hpa@zytor.com" <hpa@zytor.com>,
	"mingo@redhat.com" <mingo@redhat.com>,
	"tglx@linutronix.de" <tglx@linutronix.de>,
	"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"wency@cn.fujitsu.com" <wency@cn.fujitsu.com>
Subject: Re: [PATCH] x86/mm: Flush before free in remove_pagetable()
Date: Tue, 24 Aug 2021 16:45:04 +0000	[thread overview]
Message-ID: <9b9a99da3f68cf11197f2035515f1d441c0d1565.camel@intel.com> (raw)
In-Reply-To: <20210818221026.10794-1-rick.p.edgecombe@intel.com>

On Wed, 2021-08-18 at 15:10 -0700, Rick Edgecombe wrote:
> 
> In remove_pagetable(), page tables may be freed before the TLB is
> flushed. The upper page tables are zapped before freeing the lower
> levels. However, without the flush the lower tables can still remain in
> paging-structure caches and so data that is written to the re-allocated
> page can control these mappings. For some reason there is only a flush
> lower down in remove_pte_table(), however, this will not be hit in the
> case of large pages on the direct map which is common.

It's also common for device-dax reconfiguration which we are in the
process of adding udev automation to replug devices from ZONE_DEVICE to
ZONE_{NORMAL,MOVABLE} automatically depending on what setup was
established on the previous boot. So even if unprivileged userspace
can't force this, there may be more opportunities to find this gap in
the future.

> 
> Currently remove_pagetable() is called from a few places in the
> hot unplug codepath and memremap unmapping operations.
> 
> To properly tear down these mappings, gather the page tables using a
> simple linked list based in the table's struct page. Then flush the TLB
> before actually freeing the pages.
> 
> Cc: stable@vger.kernel.org
> Fixes: ae9aae9eda2d ("memory-hotplug: common APIs to support page tables hot-remove")
> Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>

Acked-by: Dan Williams <dan.j.williams@intel.com>

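The ordering hazard the quoted commit message describes, modelled in user space as an added example (this is illustrative code, not the kernel's remove_pagetable() or the patch itself): a paging-structure cache keeps the upper-entry to lower-table translation after the upper entry is zapped, so if the lower table's page is freed and reallocated before the flush, whatever is written into the reused page is walked as if it were a page table. Flushing before the free, with the tables parked on a list, closes the window. Everything here is constructed: the tiny page pool, the `upper[]` table, the `psc[]` cache and the `next` link standing in for the list the patch threads through the table's struct page.

```c
/*
 * Constructed model of free-before-flush vs. flush-before-free when tearing
 * down a two-level page table.  Not kernel code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES         8
#define PTRS_PER_TABLE 4
#define PFN_SHIFT      12
#define PRESENT        1ULL

typedef uint64_t pte_t;

/* Stand-in for struct page: the table contents live in the page itself and
 * `next` plays the role of the list link the patch keeps in struct page. */
struct page {
	unsigned long pfn;
	struct page *next;
	pte_t table[PTRS_PER_TABLE];
};

static struct page pages[NPAGES];
static struct page *free_list;
static pte_t upper[PTRS_PER_TABLE];   /* the upper-level table */

/* Paging-structure cache: upper index -> pfn of the lower table it points to. */
static struct { bool valid; unsigned long lower_pfn; } psc[PTRS_PER_TABLE];

static void flush_tlb_all(void) { memset(psc, 0, sizeof(psc)); }

static void reset_model(void)
{
	memset(pages, 0, sizeof(pages));
	memset(upper, 0, sizeof(upper));
	free_list = NULL;
	for (int i = NPAGES - 1; i >= 0; i--) {   /* LIFO free list, head = pfn 0 */
		pages[i].pfn = i;
		pages[i].next = free_list;
		free_list = &pages[i];
	}
	flush_tlb_all();
}

static struct page *alloc_page(void)
{
	struct page *p = free_list;
	if (p) { free_list = p->next; p->next = NULL; }
	return p;
}

static void free_page(struct page *p) { p->next = free_list; free_list = p; }

/* Install upper[ui] -> lower table -> target_pfn, allocating the table on demand. */
static void map_page(unsigned ui, unsigned li, unsigned long target_pfn)
{
	if (!(upper[ui] & PRESENT))
		upper[ui] = ((pte_t)alloc_page()->pfn << PFN_SHIFT) | PRESENT;
	pages[upper[ui] >> PFN_SHIFT].table[li] = ((pte_t)target_pfn << PFN_SHIFT) | PRESENT;
}

/* Page walk as a CPU does it: a cached upper entry short-circuits the read of
 * upper[], so a zapped entry stays invisible until the next flush. */
static pte_t walk(unsigned ui, unsigned li)
{
	unsigned long lower_pfn;

	if (psc[ui].valid) {
		lower_pfn = psc[ui].lower_pfn;
	} else {
		if (!(upper[ui] & PRESENT))
			return 0;
		lower_pfn = upper[ui] >> PFN_SHIFT;
		psc[ui].valid = true;
		psc[ui].lower_pfn = lower_pfn;
	}
	return pages[lower_pfn].table[li];
}

/* Tear down upper[ui]: buggy order (free, flush later) or fixed order
 * (collect the table on a list, flush, then free). */
static void remove_pagetable(unsigned ui, bool flush_before_free)
{
	struct page *t = &pages[upper[ui] >> PFN_SHIFT];
	struct page *pending = NULL;

	upper[ui] = 0;                    /* zap the upper entry first, as the kernel does */
	if (!flush_before_free) {
		free_page(t);             /* cache still points at a free page */
		return;
	}
	t->next = pending;                /* park the table on the list ... */
	pending = t;
	flush_tlb_all();                  /* ... flush so no CPU can reach it ... */
	while (pending) {                 /* ... and only then free */
		struct page *n = pending->next;
		free_page(pending);
		pending = n;
	}
}

#define ROGUE_ENTRY (((pte_t)7 << PFN_SHIFT) | PRESENT)   /* data the reuser writes */

/* Entry a walk of (1,2) yields after teardown and reuse of the table page:
 * 0 when the mapping is really gone, ROGUE_ENTRY when the stale cache turned
 * the reused page's contents into a live page table. */
static pte_t teardown_then_reuse(bool flush_before_free)
{
	reset_model();
	map_page(1, 2, 5);
	(void)walk(1, 2);                 /* prime the paging-structure cache */
	remove_pagetable(1, flush_before_free);

	struct page *reused = alloc_page();   /* same page comes straight back */
	for (unsigned i = 0; i < PTRS_PER_TABLE; i++)
		reused->table[i] = ROGUE_ENTRY;

	pte_t seen = walk(1, 2);
	flush_tlb_all();                  /* the late flush of the buggy order */
	return seen;
}

int main(void)
{
	printf("flush before free: %#llx\n", (unsigned long long)teardown_then_reuse(true));
	printf("free before flush: %#llx\n", (unsigned long long)teardown_then_reuse(false));
	return 0;
}
```

The late `flush_tlb_all()` in the buggy path stands in for the flush that the commit message says only happens further down in remove_pte_table(), which the large-page direct-map path never reaches in time; the walk that precedes it is the window the patch removes.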
