From: Peter Zijlstra <peterz@infradead.org> To: Will Deacon <will@kernel.org>, "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>, Andrew Morton <akpm@linux-foundation.org>, Nick Piggin <npiggin@gmail.com>, Peter Zijlstra <peterz@infradead.org> Cc: linux-arch@vger.kernel.org, linux-sh@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Yoshinori Sato <ysato@users.sourceforge.jp>, Rich Felker <dalias@libc.org>, "David S. Miller" <davem@davemloft.net>, Helge Deller <deller@gmx.de>, Geert Uytterhoeven <geert@linux-m68k.org>, Paul Burton <paulburton@kernel.org>, Tony Luck <tony.luck@intel.com>, Richard Henderson <rth@twiddle.net>, Nick Hu <nickhu@andestech.com>, Paul Walmsley <paul.walmsley@sifive.com>, John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, Christoph Hellwig <hch@lst.de> Subject: [PATCH v2 00/11] Fixup page directory freeing Date: Fri, 17 Jul 2020 11:10:05 +0000 [thread overview] Message-ID: <20200717111005.024867618@infradead.org> (raw) Hi All, While fixing a silly bug on SH (patch #1), I realized that even with the trivial patch to restore prior behaviour, page directory freeing was still broken. The thing is, on anything SMP, freeing page directories should observe the exact same order as normal page freeing: 1) unhook page/directory 2) TLB invalidate 3) free page/directory Without this any concurrent page-table walk could end up with a Use-after-Free. This is esp. trivial for anything that has software page-table walkers (HAVE_FAST_GUP / software TLB fill) or the hardware caches partial page-walks (ie. caches page directories). Even on UP this might give issues, since mmu_gather is preemptible these days. An interrupt or preempted task accessing user pages might stumble into the free page if the hardware caches page directories. So I've converted everything to always observe the above order, simply so we don't have to worry about it. If however I've been over zealous and your arch/mmu really doesn't need this and you're offended by this potentially superfluous code, please let me know and I'll replace the patch with one that adds a comment describing your rationale for why it is not needed. v1: https://lkml.kernel.org/r/20191211120713.360281197@infradead.org
WARNING: multiple messages have this Message-ID (diff)
From: Peter Zijlstra <peterz@infradead.org> To: Will Deacon <will@kernel.org>, "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>, Andrew Morton <akpm@linux-foundation.org>, Nick Piggin <npiggin@gmail.com>, Peter Zijlstra <peterz@infradead.org> Cc: linux-arch@vger.kernel.org, linux-sh@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Yoshinori Sato <ysato@users.sourceforge.jp>, Rich Felker <dalias@libc.org>, "David S. Miller" <davem@davemloft.net>, Helge Deller <deller@gmx.de>, Geert Uytterhoeven <geert@linux-m68k.org>, Paul Burton <paulburton@kernel.org>, Tony Luck <tony.luck@intel.com>, Richard Henderson <rth@twiddle.net>, Nick Hu <nickhu@andestech.com>, Paul Walmsley <paul.walmsley@sifive.com>, John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, Christoph Hellwig <hch@lst.de> Subject: [PATCH v2 00/11] Fixup page directory freeing Date: Fri, 17 Jul 2020 13:10:05 +0200 [thread overview] Message-ID: <20200717111005.024867618@infradead.org> (raw) Hi All, While fixing a silly bug on SH (patch #1), I realized that even with the trivial patch to restore prior behaviour, page directory freeing was still broken. The thing is, on anything SMP, freeing page directories should observe the exact same order as normal page freeing: 1) unhook page/directory 2) TLB invalidate 3) free page/directory Without this any concurrent page-table walk could end up with a Use-after-Free. This is esp. trivial for anything that has software page-table walkers (HAVE_FAST_GUP / software TLB fill) or the hardware caches partial page-walks (ie. caches page directories). Even on UP this might give issues, since mmu_gather is preemptible these days. An interrupt or preempted task accessing user pages might stumble into the free page if the hardware caches page directories. So I've converted everything to always observe the above order, simply so we don't have to worry about it. If however I've been over zealous and your arch/mmu really doesn't need this and you're offended by this potentially superfluous code, please let me know and I'll replace the patch with one that adds a comment describing your rationale for why it is not needed. v1: https://lkml.kernel.org/r/20191211120713.360281197@infradead.org
next reply other threads:[~2020-07-17 11:10 UTC|newest] Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-07-17 11:10 Peter Zijlstra [this message] 2020-07-17 11:10 ` [PATCH v2 00/11] Fixup page directory freeing Peter Zijlstra 2020-07-17 11:10 ` [PATCH v2 01/11] asm-generic/tlb: Fix MMU_GATHER_TABLE_FREE Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-09-21 12:01 ` Will Deacon 2020-09-21 12:01 ` Will Deacon 2020-07-17 11:10 ` [PATCH v2 02/11] sh/tlb: Fix PGTABLE_LEVELS > 2 Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-07-17 11:10 ` [PATCH v2 03/11] sh/tlb: Fix __pmd_free_tlb() Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-07-17 11:10 ` [PATCH v2 04/11] sparc32/tlb: Fix __p*_free_tlb() Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-07-17 11:10 ` [PATCH v2 05/11] parisc/tlb: " Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-07-17 11:10 ` [PATCH v2 06/11] mips/tlb: " Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-07-17 11:10 ` [PATCH v2 07/11] ia64/tlb: " Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-07-17 11:10 ` [PATCH v2 08/11] alpha/tlb: " Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-07-17 11:10 ` [PATCH v2 09/11] nds32/tlb: " Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-07-17 11:10 ` [PATCH v2 10/11] riscv/tlb: " Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-07-17 11:10 ` [PATCH v2 11/11] m68k/tlb: " Peter Zijlstra 2020-07-17 11:10 ` Peter Zijlstra 2020-07-17 11:22 ` [PATCH v2 00/11] Fixup page directory freeing Peter Zijlstra 2020-07-17 11:22 ` Peter Zijlstra
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20200717111005.024867618@infradead.org \ --to=peterz@infradead.org \ --cc=akpm@linux-foundation.org \ --cc=aneesh.kumar@linux.ibm.com \ --cc=dalias@libc.org \ --cc=davem@davemloft.net \ --cc=deller@gmx.de \ --cc=geert@linux-m68k.org \ --cc=glaubitz@physik.fu-berlin.de \ --cc=hch@lst.de \ --cc=linux-arch@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=linux-sh@vger.kernel.org \ --cc=nickhu@andestech.com \ --cc=npiggin@gmail.com \ --cc=paul.walmsley@sifive.com \ --cc=paulburton@kernel.org \ --cc=rth@twiddle.net \ --cc=tony.luck@intel.com \ --cc=will@kernel.org \ --cc=ysato@users.sourceforge.jp \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.