Any indirect branch can be (and will be) predicted using the BTB. The
speculation starts before the BTB contents have actually been verified,
resulting in iTLB speculation.
Since the BTB can (and does) contain mostly user addresses (from previous
execution in user land), it's apparently quite common to speculatively
fetch user TLB entries even when you're in kernel mode.
(This is also, btw, probably anothre reason why you only see this bug in
practice on a P4: much bigger BTB)
> see below.
>
> > .. TLB looks up pgd entry ..
> > clear pgd entry
> > free pmd
> >
> > alloc page - get old pmd
> > scribble on page
> >
> > .. TLB looks up pmd entry ..
> > .. tlb fill ends ...
> > invalidate_tlb
> ^^^^^^^^^^^^^^
>
> I assume the userspace access could be imagined right after the
> invalidate_tlb in the above example, and that's the one supposed to
> trigger the speculative tlb fill but how can it pass the invalidate_tlb?
> see below.
It doesn't pass the invalidate_tlb.
By the time the invalidate_tlb happens, the TLB fill has already finished,
and has already picked up garbage.
READ my explanation. The garbage can (and does) contain the Global bit, so
even though we then flush the TLB, the garbage remains.
> In all cases either the 2.4 fix is wrong,
No. Understand the patch, _then_ complain.
Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/