On Thu, Oct 22, 2020 at 3:50 AM tip-bot2 for Juergen Gross <tip-bot2@xxxxxxxxxxxxx> wrote:
>
> The following commit has been merged into the x86/urgent branch of tip:
>
> Commit-ID:     abee7c494d8c41bb388839bccc47e06247f0d7de
> Gitweb:        https://git.kernel.org/tip/abee7c494d8c41bb388839bccc47e06247f0d7de
> Author:        Juergen Gross <jgross@xxxxxxxx>
> AuthorDate:    Fri, 09 Oct 2020 16:42:25 +02:00
> Committer:     Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> CommitterDate: Thu, 22 Oct 2020 12:37:23 +02:00
>
> x86/alternative: Don't call text_poke() in lazy TLB mode
>
> When running in lazy TLB mode the currently active page tables might
> be the ones of a previous process, e.g. when running a kernel thread.
>
> This can be problematic in case kernel code is being modified via
> text_poke() in a kernel thread, and on another processor exit_mmap()
> is active for the process which was running on the first cpu before
> the kernel thread.
>
> As text_poke() is using a temporary address space and the former
> address space (obtained via cpu_tlbstate.loaded_mm) is restored
> afterwards, there is a race possible in case the cpu on which
> exit_mmap() is running wants to make sure there are no stale
> references to that address space on any cpu active (this e.g. is
> required when running as a Xen PV guest, where this problem has been
> observed and analyzed).
>
> In order to avoid that, drop off TLB lazy mode before switching to the
> temporary address space.

Now that I'm actually awake:

Acked-by: Andy Lutomirski <luto@xxxxxxxxxx>

although it might be nice to at least have a comment that there's some
performance being left on the table.

PeterZ, I like your version except that, if we do that, I also think we
should move this whole mess into tlb.c instead of alternative.c.

--Andy

>
> Fixes: cefa929c034eb5d ("x86/mm: Introduce temporary mm structs")
> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
> Link: https://lkml.kernel.org/r/20201009144225.12019-1-jgross@xxxxxxxx
> ---
> arch/x86/kernel/alternative.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index cdaab30..cd6be6f 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -807,6 +807,15 @@ static inline temp_mm_state_t use_temporary_mm(struct mm_struct *mm)
> temp_mm_state_t temp_state;
>
> lockdep_assert_irqs_disabled();
> +
> + /*
> + * Make sure not to be in TLB lazy mode, as otherwise we'll end up
> + * with a stale address space WITHOUT being in lazy mode after
> + * restoring the previous mm.
> + */
> + if (this_cpu_read(cpu_tlbstate.is_lazy))
> + leave_mm(smp_processor_id());
> +
> temp_state.mm = this_cpu_read(cpu_tlbstate.loaded_mm);
> switch_mm_irqs_off(NULL, mm, current);

--
Andy Lutomirski
AMA Capital Management, LLC
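Review bot: The new comment in the use_temporary_mm() hunk explains the hazard (restoring a stale previous mm while no longer in lazy mode) but not the cost or the consequence of the fix: calling leave_mm() on a lazy CPU means the value read into temp_state.mm on the following line is no longer the previous process's mm, so the later restore does not return to it, and, as the reply in this thread points out, leaving lazy mode is not free. Suggest extending the comment along the lines of "leave_mm() drops the lazy-mode reference to the previous mm; temp_state.mm will then hold the mm we actually switched to, and this costs a mode switch on every text_poke() from a lazy CPU" so the trade-off is documented next to the check rather than only in the mailing-list discussion. A second, smaller point: because the check lives in use_temporary_mm() rather than text_poke(), the subject line "Don't call text_poke() in lazy TLB mode" undersells the scope; every caller of use_temporary_mm() now leaves lazy mode first, which is worth stating in the commit message.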