From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>

If flush_end ends up being at or above 1 page before the end of memory, the following calculation can overflow:

    f->flush_end = f->flush_start + PAGE_SIZE;

x86_64 has a 2MB hole at the end of memory, so we don't expect this to be possible there. On i386, I believe this page is in the fixmap, and we never use this code there. We only do _local_ tlb flushes.

Either way, just fall back to a full tlb flush and spit out a warning if we ever run into this.

Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
---
 b/arch/x86/mm/tlb.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff -puN arch/x86/mm/tlb.c~x86-tlb-fix-overflow arch/x86/mm/tlb.c --- a/arch/x86/mm/tlb.c~x86-tlb-fix-overflow 2014-12-08 10:58:21.875765823 -0800 +++ b/arch/x86/mm/tlb.c 2014-12-08 10:58:21.878765959 -0800 @@ -109,8 +109,17 @@ static void flush_tlb_func(void *info) if (f->flush_mm != this_cpu_read(cpu_tlbstate.active_mm)) return; - if (!f->flush_end) + if (!f->flush_end) { f->flush_end = f->flush_start + PAGE_SIZE; + /* + * Check for an overflow and just flush the whole + * TLB in that case. + */ + if (f->flush_end < f->flush_start + PAGE_SIZE) { + f->flush_end = TLB_FLUSH_ALL; + VM_WARN_ON_ONCE(1); + } + } count_vm_tlb_event(NR_TLB_REMOTE_FLUSH_RECEIVED); if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK) { _
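Review bot: The overflow test added in the flush_tlb_func() hunk, "if (f->flush_end < f->flush_start + PAGE_SIZE)", recomputes the very expression that just wrapped, so it can never be true: f->flush_end was assigned f->flush_start + PAGE_SIZE on the line above, the right-hand side evaluates to that same (wrapped) unsigned value, and x < x is false, which leaves the "f->flush_end = TLB_FLUSH_ALL;" fallback and the VM_WARN_ON_ONCE(1) unreachable (a compiler is also entitled to fold the comparison to zero). Compare against the unmodified start instead, "if (f->flush_end < f->flush_start)", which holds exactly when the addition wrapped past the top of the address space, including the case where it wraps to 0. With that change the commit message's intent (full flush plus a one-time warning) is actually exercised; as posted, the patch is a no-op apart from the extra braces.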