SH violates the freeing order for it's PMD page directories. It's __pmd_free_tlb() does not ensure there is a TLB invalidation between itself and the eventualy freeing of the page. Further complicating the situation is that SH uses non page based allocation for it's PMDs. Use the shiny new HAVE_TABLE_FREE option to enable a custom page table freeer. (SuperH uses IPI based TLB invalidation and therefore doesn't need HAVE_RCU_TABLE_FREE for its HAVE_FAST_GUP).
Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
---
 arch/sh/Kconfig | 1 +
 arch/sh/include/asm/pgalloc.h | 3 ++-
 arch/sh/mm/pgtable.c | 6 ++++++
 3 files changed, 9 insertions(+), 1 deletion(-)
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -15,6 +15,7 @@ config SUPERH
 select HAVE_PERF_EVENTS
 select HAVE_DEBUG_BUGVERBOSE
 select HAVE_FAST_GUP if MMU
+ select MMU_GATHER_TABLE_FREE if X2TLB
 select ARCH_HAVE_CUSTOM_GPIO_H
 select ARCH_HAVE_NMI_SAFE_CMPXCHG if (GUSA_RB || CPU_SH4A)
 select ARCH_HAS_GCOV_PROFILE_ALL
--- a/arch/sh/include/asm/pgalloc.h
+++ b/arch/sh/include/asm/pgalloc.h
@@ -12,7 +12,8 @@ extern void pgd_free(struct mm_struct *m
 extern void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd);
 extern pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address);
 extern void pmd_free(struct mm_struct *mm, pmd_t *pmd);
-#define __pmd_free_tlb(tlb, pmdp, addr) pmd_free((tlb)->mm, (pmdp))
+extern void __tlb_remove_table(void *table);
+#define __pmd_free_tlb(tlb, pmdp, addr) tlb_remove_table((tlb), (pmdp))
 #endif
 static inline void pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmd,
--- a/arch/sh/mm/pgtable.c
+++ b/arch/sh/mm/pgtable.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/mm.h>
 #include <linux/slab.h>
+#include <asm/pgalloc.h>
 #define PGALLOC_GFP GFP_KERNEL | __GFP_ZERO
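Review bot: In arch/sh/Kconfig the new `select MMU_GATHER_TABLE_FREE if X2TLB` is keyed on X2TLB, while the `__tlb_remove_table()` this patch adds in arch/sh/mm/pgtable.c sits above `#endif /* PAGETABLE_LEVELS > 2 */`. If a configuration can have X2TLB with two-level page tables, the option would be selected with no `__tlb_remove_table()` built, so the select condition should probably name the three-level page-table symbol rather than X2TLB. The commit message also says HAVE_TABLE_FREE where the hunk selects MMU_GATHER_TABLE_FREE; one of the two wants updating so the option can be found by name.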
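Review bot: The rewritten `__pmd_free_tlb()` in arch/sh/include/asm/pgalloc.h carries no comment saying why it must not call pmd_free() directly, and that ordering rule is the whole reason for the change. Without it, a later cleanup could turn the macro back into an immediate free and reopen the window in which PMD memory is reused while stale TLB entries may still reach it. I would add above the macro `/* PMDs are not page-based here; free them via tlb_remove_table() so the free happens only after the TLB invalidation. */`. The `#if` that the trailing `#endif` closes starts outside the hunk.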
@@ -55,4 +56,9 @@ void pmd_free(struct mm_struct *mm, pmd_
 {
 kmem_cache_free(pmd_cachep, pmd);
 }
+
+void __tlb_remove_table(void *table)
+{
+ pmd_free(NULL, table);
+}
 #endif /* PAGETABLE_LEVELS > 2 */
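Review bot: `__tlb_remove_table()` calls `pmd_free(NULL, table)`, which is safe only because the visible pmd_free() body ignores its mm argument and just calls kmem_cache_free(); any later use of mm there becomes a NULL dereference on the deferred-free path. It also treats every `void *table` as a PMD from pmd_cachep, so a different table type routed through tlb_remove_table() would be handed back to the wrong cache. I would call the cache directly, `kmem_cache_free(pmd_cachep, table);`, and add `/* Only PMDs are queued with tlb_remove_table() on SH; see __pmd_free_tlb(). */` above the function, assuming that holds beyond what this patch shows. The opening of the `PAGETABLE_LEVELS > 2` block is outside the hunk.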