pmap-v6.c has a bug?
Olivier Houchard
mlfbsd at ci0.org
Sat Mar 21 15:33:47 UTC 2015
On Sat, Mar 21, 2015 at 08:58:07AM +0900, Kohji Okuno wrote:
> Hi All,
>
Hi,
> We think that pmap_alloc_l2_bucket() in pmap-v6.c has a bug for a
> race-condition.
>
> Would you refer to the following "(***)" lines?
>
> When a context (called A) decides to allocate pte after A checks l2
> and l2b->kva, A releases locks while A is allocating pte. In this
> timing, another context (called B) may free the same l2 from
> pmap_free_l2_bucket(). If this situation happens, l2b which is
> allocated by A will be lost since this l2b isn't able to trace from
> pmap.
>
> In this result, pmap_get_l2_bucket(pvchunk->pc_pmap, pventry->pv_va)
> will return NULL, then it will cause a kernel panic by NULL access.
> We saw this kind of panic in pmap_clearbits() and pmap_remove_all().
>
> We add count-up l2_occupancy before unlocking and count-down it after
> locking. We think that this change can prevent wrong release of l2.
>
> What do you think about this?
I think you're right!
I committed a variation of this as r280324.
Thanks a lot!
Olivier
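The interleaving described in the quoted report, as an added example that is not part of the original mail or of FreeBSD: a single-threaded C model in which the structure and function names (l2_dtable, l2_bucket, pm_l2, l2_occupancy, run_race) are simplified, hypothetical stand-ins for pmap-v6.c, and context B's action is injected at the point where the real code drops its locks.

```c
/* Added example, not FreeBSD code: single-threaded model of the interleaving
 * described above. l2_dtable/l2_bucket/pm_l2/l2_occupancy are simplified
 * stand-ins for pmap-v6.c; the lock drop is the point where other_ctx runs. */
#include <stdlib.h>
struct l2_bucket { void *kva; };                  /* L2 page table, NULL if none */
struct l2_dtable { int l2_occupancy; struct l2_bucket bucket[2]; };
struct pmap_model { struct l2_dtable *pm_l2; };

/* Context B (pmap_free_l2_bucket): drop bucket idx; once nothing occupies the
 * dtable, detach it from the pmap. The kernel would also return the dtable to
 * its zone; it is kept allocated here so A's stale pointer stays observable. */
static void free_l2_bucket(struct pmap_model *pm, int idx)
{
    struct l2_dtable *l2 = pm->pm_l2;
    free(l2->bucket[idx].kva);
    l2->bucket[idx].kva = NULL;
    if (--l2->l2_occupancy == 0)
        pm->pm_l2 = NULL;
}

/* Context A (pmap_alloc_l2_bucket unlock/relock window). hold != 0 applies the
 * proposed fix. Returns 1 if A's bucket is still reachable from the pmap. */
static int alloc_l2_bucket(struct pmap_model *pm, int idx, int hold,
                           void (*other_ctx)(struct pmap_model *))
{
    struct l2_dtable *l2 = pm->pm_l2;             /* locked: dtable present */
    struct l2_bucket *l2b = &l2->bucket[idx];     /* kva == NULL: need a PTE page */
    if (hold) l2->l2_occupancy++;                 /* count up before unlocking */
    other_ctx(pm);                                /* unlocked: B may run here */
    void *ptep = calloc(1, 64);                   /* PTE page allocation */
    if (hold) l2->l2_occupancy--;                 /* count down after relocking */
    l2b->kva = ptep;                              /* writes a freed dtable if lost */
    l2->l2_occupancy++;
    return pm->pm_l2 == l2;
}

static void b_frees_bucket0(struct pmap_model *pm) { free_l2_bucket(pm, 0); }

/* B owns bucket 0 and frees it while A fills bucket 1. Returns 1 when A's bucket
 * survives (fixed), 0 when pmap_get_l2_bucket() would now return NULL (bug). */
static int run_race(int hold)
{
    struct l2_dtable *l2 = calloc(1, sizeof(*l2));
    struct pmap_model pm = { l2 };
    l2->bucket[0].kva = calloc(1, 64);
    l2->l2_occupancy = 1;
    int ok = alloc_l2_bucket(&pm, 1, hold, b_frees_bucket0);
    free(l2->bucket[1].kva); free(l2);
    return ok;
}
```

run_race(0) reproduces the lost bucket (the pmap no longer points at the dtable A wrote into); run_race(1) shows the occupancy hold keeping B from detaching it.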