rare pmap.c bug

Olivier Houchard mlfbsd at ci0.org
Sat Nov 17 09:19:31 PST 2007 

On Wed, Nov 14, 2007 at 04:26:57PM -0600, Mark Tinguely wrote:
> 
> I think there is a small bug in the allocation of the L1 domain numbers ARM
> pmap.c BUT it is my guess that no one should ever see in real life.
> why? because you have to reuse the L1 9 times AT ONE TIME to trigger the
> bug. My gut thinks reusing the L1 twice AT ONE TIME is rare.
> 
> pmap_init_l1() allocates the array l1->l1_domain_free to equal:
> 
>  {2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 0 }
>  l1->l1_domain_free[15] is the initial value.
> 
>   l1->l1_domain_first = 1
> 
> pmap_alloc_l1() allocated the odd domain numbers.
> 
> 	domain = l1->l1_domain_first (1)
> 	l1->l1_domain_first = l1->l1_domain_free[domain] (3)
> 	
> next pmap_alloc_l1() **without calling pmap_free_l1()**:
> 
> 	domain = l1->l1_domain_first (3)
> 	l1->l1_domain_first = l1->l1_domain_free[domain] (5)
> 	
> next pmap_alloc_l1() **without calling pmap_free_l1()**:
> 
> 	domain = l1->l1_domain_first (5)
> 	l1->l1_domain_first = l1->l1_domain_free[domain] (7)
> 	
> 		...
> 
> 	domain = l1->l1_domain_first (15)
> 	l1->l1_domain_first = l1->l1_domain_free[domain] (0)
> 
> on the 9th pmap_alloc_l1() **without calling pmap_free_l1()**:
> 
> 	domain = l1->l1_domain_first (0) 	<- Kernel domain!
> 	l1->l1_domain_first = l1->l1_domain_free[domain] (2)
> 	
> It is extremely unlikely that people are running enough processes on an ARM
> machine to ever trigger the bug. A simple fix would be to increment the
> l1->l1_domain_free array by 1. But the 15th call to pmap_alloc_l1() will
> leave the l1->l1_domain_first wrong with could cause problems with the next
> pmap_free_l1(). A zero value could be given a special meaning to pmap_free_l1().
> 
> I find it even more interesting idea to just pull the preallocated L1s out;
> preallocate a couple L1 in an idleloop for perfomance; implement pmap_copy()
> to decrease page faults after a fork ...
> 

Hi,

Indeed it can be a problem. I'll see how easy it would be to allocate the L1
tables when we need it.
Thanks for reporting !

Olivier

More information about the freebsd-arm mailing list