diff options
| author | David Daney <david.daney@cavium.com> | 2012-12-03 15:44:26 -0500 |
|---|---|---|
| committer | Ralf Baechle <ralf@linux-mips.org> | 2012-12-04 10:57:54 -0500 |
| commit | ac53c4fca42c394d8a06c7a470ae2d1d50503717 (patch) | |
| tree | 4f40ff8ce55356ec23f0bf0c1306d3d2f58d0f59 /arch | |
| parent | 9489e9dcae718d5fde988e4a684a0f55b5f94d17 (diff) | |
MIPS: Avoid mcheck by flushing page range in huge_ptep_set_access_flags()
Problem:
1) Huge page mapping of anonymous memory is initially invalid. Will be
faulted in by copy-on-write mechanism.
2) Userspace attempts store at the end of the huge mapping.
3) TLB Refill exception handler fill TLB with a normal (4K sized)
invalid page at the end of the huge mapping virtual address range.
4) Userspace restarted, and re-attempts the store at the end of the
huge mapping.
5) Page from #3 is invalid, we get a fault and go to the hugepage
fault handler. This tries to map a huge page and calls
huge_ptep_set_access_flags() to install the mapping.
6) We just call the generic ptep_set_access_flags() to set up the page
tables, but the flush there assumes a normal (4K sized) page and
only tries to flush the first part of the huge page virtual address
out of the TLB, since the existing entry from step #3 doesn't
conflict, nothing is flushed.
7) We attempt to load the mapping into the TLB, but because it
conflicts with the entry from step #3, we get a Machine Check
exception.
The fix: Flush the entire rage covered by the huge page in
huge_ptep_set_access_flags(), and remove the optimization in
local_flush_tlb_range() so that the flush actually does the correct
thing.
Signed-off-by: David Daney <david.daney@cavium.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: Hillf Danton <dhillf@gmail.com>
Patchwork: https://patchwork.linux-mips.org/patch/4661/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
(cherry picked from commit dd617f258cc39d36be26afee9912624a2d23112c)
Diffstat (limited to 'arch')
| -rw-r--r-- | arch/mips/include/asm/hugetlb.h | 12 | ||||
| -rw-r--r-- | arch/mips/mm/tlb-r4k.c | 18 |
2 files changed, 15 insertions, 15 deletions
diff --git a/arch/mips/include/asm/hugetlb.h b/arch/mips/include/asm/hugetlb.h index bd94946a18f3..ef99db994c2f 100644 --- a/arch/mips/include/asm/hugetlb.h +++ b/arch/mips/include/asm/hugetlb.h | |||
| @@ -95,7 +95,17 @@ static inline int huge_ptep_set_access_flags(struct vm_area_struct *vma, | |||
| 95 | pte_t *ptep, pte_t pte, | 95 | pte_t *ptep, pte_t pte, |
| 96 | int dirty) | 96 | int dirty) |
| 97 | { | 97 | { |
| 98 | return ptep_set_access_flags(vma, addr, ptep, pte, dirty); | 98 | int changed = !pte_same(*ptep, pte); |
| 99 | |||
| 100 | if (changed) { | ||
| 101 | set_pte_at(vma->vm_mm, addr, ptep, pte); | ||
| 102 | /* | ||
| 103 | * There could be some standard sized pages in there, | ||
| 104 | * get them all. | ||
| 105 | */ | ||
| 106 | flush_tlb_range(vma, addr, addr + HPAGE_SIZE); | ||
| 107 | } | ||
| 108 | return changed; | ||
| 99 | } | 109 | } |
| 100 | 110 | ||
| 101 | static inline pte_t huge_ptep_get(pte_t *ptep) | 111 | static inline pte_t huge_ptep_get(pte_t *ptep) |
diff --git a/arch/mips/mm/tlb-r4k.c b/arch/mips/mm/tlb-r4k.c index 4b9b935a070e..88e79ad6f811 100644 --- a/arch/mips/mm/tlb-r4k.c +++ b/arch/mips/mm/tlb-r4k.c | |||
| @@ -120,18 +120,11 @@ void local_flush_tlb_range(struct vm_area_struct *vma, unsigned long start, | |||
| 120 | 120 | ||
| 121 | if (cpu_context(cpu, mm) != 0) { | 121 | if (cpu_context(cpu, mm) != 0) { |
| 122 | unsigned long size, flags; | 122 | unsigned long size, flags; |
| 123 | int huge = is_vm_hugetlb_page(vma); | ||
| 124 | 123 | ||
| 125 | ENTER_CRITICAL(flags); | 124 | ENTER_CRITICAL(flags); |
| 126 | if (huge) { | 125 | start = round_down(start, PAGE_SIZE << 1); |
| 127 | start = round_down(start, HPAGE_SIZE); | 126 | end = round_up(end, PAGE_SIZE << 1); |
| 128 | end = round_up(end, HPAGE_SIZE); | 127 | size = (end - start) >> (PAGE_SHIFT + 1); |
| 129 | size = (end - start) >> HPAGE_SHIFT; | ||
| 130 | } else { | ||
| 131 | start = round_down(start, PAGE_SIZE << 1); | ||
| 132 | end = round_up(end, PAGE_SIZE << 1); | ||
| 133 | size = (end - start) >> (PAGE_SHIFT + 1); | ||
| 134 | } | ||
| 135 | if (size <= current_cpu_data.tlbsize/2) { | 128 | if (size <= current_cpu_data.tlbsize/2) { |
| 136 | int oldpid = read_c0_entryhi(); | 129 | int oldpid = read_c0_entryhi(); |
| 137 | int newpid = cpu_asid(cpu, mm); | 130 | int newpid = cpu_asid(cpu, mm); |
| @@ -140,10 +133,7 @@ void local_flush_tlb_range(struct vm_area_struct *vma, unsigned long start, | |||
| 140 | int idx; | 133 | int idx; |
| 141 | 134 | ||
| 142 | write_c0_entryhi(start | newpid); | 135 | write_c0_entryhi(start | newpid); |
| 143 | if (huge) | 136 | start += (PAGE_SIZE << 1); |
| 144 | start += HPAGE_SIZE; | ||
| 145 | else | ||
| 146 | start += (PAGE_SIZE << 1); | ||
| 147 | mtc0_tlbw_hazard(); | 137 | mtc0_tlbw_hazard(); |
| 148 | tlb_probe(); | 138 | tlb_probe(); |
| 149 | tlb_probe_hazard(); | 139 | tlb_probe_hazard(); |