[PATCH 1/2] x86 tlb: fix overflow of flush_end in remote tlb flush

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>

If flush_end ends up being at or above 1 page before the end of
memory, the following calculation can overflow:

	f->flush_end = f->flush_start + PAGE_SIZE;

x86_64 has a 2MB hole at the end of memory, so we don't expect
this to be possible there.  On i386, I believe this page is in
the fixmap, and we never use this code there.  We only do _local_
tlb flushes.

Either way, just fall back to a full tlb flush and spit out a
warning if we ever run in to this.

Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
---

 b/arch/x86/mm/tlb.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff -puN arch/x86/mm/tlb.c~x86-tlb-fix-overflow arch/x86/mm/tlb.c
--- a/arch/x86/mm/tlb.c~x86-tlb-fix-overflow	2014-12-08 10:58:21.875765823 -0800
+++ b/arch/x86/mm/tlb.c	2014-12-08 10:58:21.878765959 -0800
@@ -109,8 +109,17 @@ static void flush_tlb_func(void *info)
 
 	if (f->flush_mm != this_cpu_read(cpu_tlbstate.active_mm))
 		return;
-	if (!f->flush_end)
+	if (!f->flush_end) {
 		f->flush_end = f->flush_start + PAGE_SIZE;
+		/*
+		 * Check for an overflow and just flush the whole
+		 * TLB in that case.
+		 */
+		if (f->flush_end < f->flush_start + PAGE_SIZE) {
+			f->flush_end = TLB_FLUSH_ALL;
+			VM_WARN_ON_ONCE(1);
+		}
+	}
 
 	count_vm_tlb_event(NR_TLB_REMOTE_FLUSH_RECEIVED);
 	if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK) {
_
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]