pmap-v6.c has a bug?

Kohji Okuno okuno.kohji at jp.panasonic.com
Sat Mar 21 23:14:02 UTC 2015


Hi Olivier,

From: Olivier Houchard <mlfbsd at ci0.org>
Subject: Re: pmap-v6.c has a bug?
Date: Sat, 21 Mar 2015 16:33:22 +0100
> On Sat, Mar 21, 2015 at 08:58:07AM +0900, Kohji Okuno wrote:
>> Hi All,
>> 
> 
> Hi, 
> 
>> We think that pmap_alloc_l2_bucket() in pmap-v6.c has a bug for a
>> race-condition.
>> 
>> Would you refer to the following "(***)" lines?
>> 
>> When a context(called A) decides to allocate pte after A checks l2
>> and l2b->kva, A releases locks while A is allocating pte. In this
>> timing, another context(called B) may free the same l2 from
>> pmap_free_l2_bucket(). If this situation happens, l2b which is
>> allocated by A will be lost since this l2b isn't able to trace from
>> pmap.
>> 
>> In this result, pmap_get_l2_bucket(pvchunk->pc_pmap, pventry->pv_va)
>> will return NULL, then it will cause a kernel panic by NULL access.
>> We saw this kind of panic in pmap_clearbits() and pmap_remove_all().
>> 
>> We add count-up l2_occupancy before unloking and count-down it after
>> locking. We think that this change can prevent wrong release of l2.
>> 
>> What do you think about this?
> 
> I think you're right !
> 
> I committed a variation of this as r280324.
> Thanks a lot !

Thank you for your comment and commitment.

Regards,
 Kohji Okuno


More information about the freebsd-arm mailing list