On Wed, Jun 27, 2012 at 4:23 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > > But the branch prediction tables are obviously just predictions, and > they easily contain user addresses etc in them. So the kernel may well > end up speculatively doing a TLB fill on a user access. That should be ".. on a user *address*", hopefully that was clear from the context, if not from the text. IOW, the point I'm trying to make is that even if there are zero *actual* accesses of user space (because user space is dead, and the kernel hopefully does no "get_user()/put_user()" stuff at this point any more), the CPU may speculatively use user addresses for the bog-standard kernel addresses that happen. Taking a user address from the BTB is just one example. Speculative memory accesses might happen after a mis-predicted branch, where we test a pointer against NULL, and after the branch we access it. So doing a speculative TLB walk of the NULL address would not necessarily even be unusual. Obviously normally nothing is actually mapped there, but these kinds of things can *easily* result in the page tables themselves being cached, even if the final page doesn't exist. Also, all of this obviously depends on how aggressive the speculation is. It's entirely possible that effects like these are really hard to see in practice, and you'll almost never hit it. But stale TLB contents (or stale page directory caches) are *really* nasty when they do happen, and almost impossible to debug. So we want to be insanely anal in this area. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-arch" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html