Windows 9x TLB Invalidation Bug

submitted by
Style Pass
2024-09-04 03:00:04

In processor architectures that support paging, there are usually one or more TLBs or pagewalk caches to cache address translations. On x86, these translation caches are not coherent with memory accesses that modify the page tables. Add in prefetching, out-of-order speculative execution, and a desire to minimize the software overhead, and you end up with very tricky rules regarding when and how the various paging caches need to be invalidated.

Sections 4.10.4.2 and 4.10.4.3 of Intel’s Software Developer’s Manual detail the recommended invalidations and the specific cases in which an invalidation may be omitted.

The case relevant here involves changing a page table mapping from one valid mapping to another, then using it without invalidation. Because a processor can prefetch anything at any time, it is impossible to guarantee that the old mapping is not cached in the TLB without invalidating after the page table update.
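To make the failure mode concrete, here is an added example (not code from the original post) that models the rule in a few dozen lines of C: a single-level page table in "memory", a tiny direct-mapped TLB that is not coherent with stores to that table, and a hardware prefetch that may cache any translation at any time. The page numbers, frame numbers, and helper names (`set_pte`, `invlpg`, `hw_prefetch`) are made up for the illustration; `invlpg` models the x86 INVLPG instruction, which drops the cached translation for one linear address. The three scenario functions show the valid-to-valid change without invalidation (stale frame observed), the same change with invalidation (new frame observed), and the not-present-to-present change, for which the manual says no invalidation is needed because nothing is ever cached for a not-present entry.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one page-table level plus a small TLB. It is not
 * real paging code; it reproduces only the property the text is about:
 * the TLB is not kept coherent with stores to the page table, and the
 * hardware may fill it at any time. */

#define NUM_VPAGES    16
#define TLB_SLOTS     4
#define PTE_P         0x1u                       /* present bit, as in a real x86 PTE */
#define PTE_PFN(e)    ((unsigned)((e) >> 12))    /* physical frame number from a PTE */
#define MAKE_PTE(pfn) (((uint64_t)(pfn) << 12) | PTE_P)

struct tlb_entry { bool valid; unsigned vpn; unsigned pfn; };

struct cpu {
    uint64_t pt[NUM_VPAGES];          /* page table in "memory" */
    struct tlb_entry tlb[TLB_SLOTS];  /* direct-mapped: slot = vpn % TLB_SLOTS */
    unsigned walks;                   /* page walks performed, for inspection */
};

static void cpu_init(struct cpu *c) { memset(c, 0, sizeof *c); }

/* Software writes a PTE. Nothing here touches the TLB: on x86 the
 * translation caches are not coherent with this store. */
static void set_pte(struct cpu *c, unsigned vpn, uint64_t pte) { c->pt[vpn] = pte; }

/* Model of INVLPG: drop any cached translation for this page. */
static void invlpg(struct cpu *c, unsigned vpn) {
    struct tlb_entry *e = &c->tlb[vpn % TLB_SLOTS];
    if (e->valid && e->vpn == vpn) e->valid = false;
}

/* Translate a virtual page number. A TLB hit wins; on a miss the page
 * table is walked and a present translation is cached. Returns false
 * for a not-present page, which is never cached. */
static bool translate(struct cpu *c, unsigned vpn, unsigned *pfn) {
    struct tlb_entry *e = &c->tlb[vpn % TLB_SLOTS];
    if (e->valid && e->vpn == vpn) { *pfn = e->pfn; return true; }
    c->walks++;
    uint64_t pte = c->pt[vpn];
    if (!(pte & PTE_P)) return false;
    e->valid = true; e->vpn = vpn; e->pfn = PTE_PFN(pte);
    *pfn = e->pfn;
    return true;
}

/* The hardware may walk and cache any linear address at any time
 * (prefetch, speculation). Software cannot observe or prevent this. */
static void hw_prefetch(struct cpu *c, unsigned vpn) {
    unsigned unused = 0;
    (void)translate(c, vpn, &unused);
}

enum { PAGE_A = 5, FRAME_M = 0x100, FRAME_N = 0x200 };  /* hypothetical values */

/* Valid -> valid change without invalidation: the access after the
 * update still sees the old frame M because a prefetch cached A. */
static unsigned remap_without_invlpg(void) {
    struct cpu c; cpu_init(&c);
    set_pte(&c, PAGE_A, MAKE_PTE(FRAME_M));
    hw_prefetch(&c, PAGE_A);                  /* could happen at any time */
    set_pte(&c, PAGE_A, MAKE_PTE(FRAME_N));   /* A: M -> N, no invalidation */
    unsigned pfn = 0;
    translate(&c, PAGE_A, &pfn);
    return pfn;                               /* stale: FRAME_M */
}

/* Same change followed by INVLPG: the next access walks the table and sees N. */
static unsigned remap_with_invlpg(void) {
    struct cpu c; cpu_init(&c);
    set_pte(&c, PAGE_A, MAKE_PTE(FRAME_M));
    hw_prefetch(&c, PAGE_A);
    set_pte(&c, PAGE_A, MAKE_PTE(FRAME_N));
    invlpg(&c, PAGE_A);                       /* required after a valid -> valid change */
    unsigned pfn = 0;
    translate(&c, PAGE_A, &pfn);
    return pfn;                               /* FRAME_N */
}

/* Not-present -> present needs no invalidation: nothing is cached for a
 * not-present page, so the first access walks the table and sees N. */
static unsigned map_fresh_page(void) {
    struct cpu c; cpu_init(&c);
    hw_prefetch(&c, PAGE_A);                  /* misses: PTE not present, nothing cached */
    set_pte(&c, PAGE_A, MAKE_PTE(FRAME_N));
    unsigned pfn = 0;
    translate(&c, PAGE_A, &pfn);
    return pfn;                               /* FRAME_N */
}

int main(void) {
    printf("M->N without invlpg: access sees frame %#x (wanted %#x)\n", remap_without_invlpg(), FRAME_N);
    printf("M->N with invlpg:    access sees frame %#x\n", remap_with_invlpg());
    printf("not-present -> N:    access sees frame %#x\n", map_fresh_page());
    return 0;
}
```

The model deliberately leaves out what real hardware adds on top: paging-structure caches for the upper levels (INVLPG flushes those too), global pages (a MOV to CR3 does not flush them), and the need to broadcast the invalidation to other processors that may have cached the same translation. None of that changes the point: after a valid-to-valid PTE change, only an explicit invalidation rules out a stale entry that a prefetch may have installed before the store.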

An example of this type of a situation is a page-table update followed by accesses to the physical pages referenced by the updated page tables. The following sequence of events shows what can happen when software changes the translation of virtual-page A from physical-page M to physical-page N:
