188.8.131.52. 794073: Speculative Instruction Fetches with MMU Disabled Might Not Comply with Architectural Requirements
When the MMU is disabled, an ARMv7 processor must follow some architectural rules regarding speculative fetches and the addresses to which these fetches can be initiated. These rules avoid potential read accesses to read-sensitive areas. For more information about these rules, see the description of “Behavior of Instruction Fetches When All Associated MMUs Are Disabled” in the ARM Architecture Reference Manual, ARMv7-A and ARMv7-R edition.
A Cortex*-A9 processor usually operates with both the MMU and branch prediction enabled. If the processor operates in this condition for any significant amount of time, the BTAC (branch target address cache) will contain branch predictions. If the MMU is then disabled, but branch prediction remains enabled, these stale BTAC entries can cause the processor to violate the rules for speculative fetches.
This erratum can occur only if the following sequence of conditions is met:
- The MMU and branch prediction are enabled.
- Branches are executed.
- The MMU is disabled, and branch prediction remains enabled.
If the above conditions occur, speculative instruction fetches to read-sensitive locations might occur after the MMU is disabled.
The recommended workaround is to invalidate all entries in the BTAC by executing a BPIALL (invalidate entire branch prediction array) operation, followed by a DSB, before disabling the MMU. Another possible workaround is to disable branch prediction when disabling the MMU, and keep branch prediction disabled until the MMU is re-enabled.
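The following C sketch is an added example, not code from this errata sheet or from ARM. It shows both workarounds as an MMU-disable routine, plus a small check that flags an SCTLR transition matching the erratum's conditions. The function and enum names are hypothetical; the SCTLR bit positions (M = bit 0, Z = bit 11) and CP15 encodings are the architectural ARMv7-A ones, the trailing ISB is standard practice after an SCTLR write rather than something this erratum text specifies, and the routine assumes privileged code running from an identity-mapped region with GCC-style inline assembly.

```c
#include <stdint.h>

/* ARMv7-A SCTLR bits (architectural positions). */
#define SCTLR_M (1u << 0)   /* MMU enable */
#define SCTLR_Z (1u << 11)  /* branch prediction enable */

/* Hypothetical names for the two workarounds in the erratum text. */
enum wa794073 { WA_INVALIDATE_BTAC, WA_DISABLE_BP };

/* SCTLR value to write when turning the MMU off under the chosen workaround. */
uint32_t sctlr_mmu_off(uint32_t sctlr, enum wa794073 wa)
{
    sctlr &= ~SCTLR_M;
    if (wa == WA_DISABLE_BP)
        sctlr &= ~SCTLR_Z;  /* Z must stay clear until M is set again */
    return sctlr;
}

/* Audit helper: 1 if a transition matches the erratum's conditions
 * (M and Z set, then M cleared with Z still set) and no BPIALL preceded it. */
int exposed_794073(uint32_t before, uint32_t after, int btac_invalidated)
{
    int was_on = (before & SCTLR_M) && (before & SCTLR_Z);
    int off_bp_on = !(after & SCTLR_M) && (after & SCTLR_Z);
    return was_on && off_bp_on && !btac_invalidated;
}

#if defined(__arm__) && defined(__GNUC__)
/* Privileged code, running from an identity-mapped region. */
void mmu_disable_794073(enum wa794073 wa)
{
    uint32_t cur, next;
    __asm__ volatile("mrc p15, 0, %0, c1, c0, 0" : "=r"(cur));
    next = sctlr_mmu_off(cur, wa);  /* computed first: no call after BPIALL */
    if (wa == WA_INVALIDATE_BTAC)
        __asm__ volatile(
            "mcr p15, 0, %1, c7, c5, 6\n\t"  /* BPIALL */
            "dsb\n\t"                        /* complete the invalidate */
            "mcr p15, 0, %0, c1, c0, 0\n\t"  /* SCTLR: M = 0 */
            "isb"
            :: "r"(next), "r"(0) : "memory");
    else
        __asm__ volatile(
            "mcr p15, 0, %0, c1, c0, 0\n\t"  /* SCTLR: M = 0, Z = 0 */
            "isb"
            :: "r"(next) : "memory");
}
#endif
```

The BPIALL, DSB and SCTLR write sit in one assembly statement so that no compiler-generated branch can repopulate the BTAC between the invalidate and the MMU disable.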