linux-mm.kvack.org archive mirror
From: kanoj@google.engr.sgi.com (Kanoj Sarcar)
To: Manfred Spraul <manfreds@colorfullife.com>
Cc: linux-kernel@vger.rutgers.edu, linux-mm@kvack.org
Subject: Re: zap_page_range(): TLB flush race
Date: Sat, 8 Apr 2000 14:11:05 -0700 (PDT)
Message-ID: <200004082111.OAA73647@google.engr.sgi.com>
In-Reply-To: <38EF9135.2A42DC6E@colorfullife.com> from "Manfred Spraul" at Apr 08, 2000 10:06:13 PM

> 
> it seems we have a smp race in zap_page_range():
> 
> When we remove a page from the page tables, we must call:
> 
> 	flush_cache_page();
> 	pte_clear();
> 	flush_tlb_page();
> 	free_page();
> 
> We must not free the page before we have called flush_tlb_xy(),
> otherwise the second cpu could access memory that is already freed.
> 
> but zap_page_range() calls free_page() before the flush_tlb() call.
> 
> Is that really a bug, has anyone a good idea how to fix that?

Why do you think this is a bug? After the pte_clear, we need to flush
tlb, so that if anyone wants to drag in the mapping (by accessing the
virtual address), he will fault (since translation is not in tlb) and 
wait on mmap_sem. After that, when zap_page_range has freed the page, 
and released the mmap_sem, the faulter will find he was trying to access 
what is now invalid memory and get a signal/killed.

But a race does exist in establish_pte(), when the flush_tlb happens
_before_ the set_pte(), another thread might drag in the old translation
on a different cpu.

> 
> filemap_sync() calls flush_tlb_page() for each page, but IMHO this is a
> really bad idea, the performance will suck with multi-threaded apps on
> SMP.

The best you can do probably is a flush_tlb_range?

Kanoj

> 
> Perhaps build a linked list, and free later?
> We could abuse the next pointer from "struct page".
> --
> 	Manfred
> 
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to majordomo@kvack.org.  For more info on Linux MM,
> see: http://www.linux.eu.org/Linux-MM/
> 
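
A single-threaded C model of the two orderings discussed in this message, added here as an illustration; it is not part of the original thread and is not kernel code. `zap_range`, `model_free_page`, `model_flush_tlb_range`, `freed_count` and the `remote_tlb` array are hypothetical names. It contrasts freeing before the flush with chaining pages through a `next` pointer, issuing one range flush, and freeing afterwards.

```c
#include <stddef.h>
#include <stdio.h>

#define NPAGES 4
/* Toy single-threaded model; every name is hypothetical, not kernel code. */
struct page { int freed; struct page *next; };
static struct page pages[NPAGES];
static struct page *pte[NPAGES];        /* page table: index -> page */
static struct page *remote_tlb[NPAGES]; /* translations a second CPU cached */
static int stale;                       /* pages freed while still in that TLB */
static void setup(void) {
    stale = 0;
    for (int i = 0; i < NPAGES; i++) {
        pages[i].freed = 0; pages[i].next = NULL;
        pte[i] = remote_tlb[i] = &pages[i];
    }
}
static void model_free_page(struct page *p) {
    p->freed = 1;
    for (int i = 0; i < NPAGES; i++)    /* hazard: freed but still reachable */
        if (remote_tlb[i] == p) stale++;
}
static void model_flush_tlb_range(int start, int end) {
    for (int i = start; i < end; i++) remote_tlb[i] = NULL;
}
int freed_count(void) {
    int n = 0;
    for (int i = 0; i < NPAGES; i++) n += pages[i].freed;
    return n;
}
/* Returns how many pages were freed while a stale translation still existed. */
int zap_range(int start, int end, int defer_free) {
    struct page *list = NULL;
    setup();
    for (int i = start; i < end; i++) {
        struct page *p = pte[i];
        pte[i] = NULL;                                /* pte_clear() step */
        if (defer_free) { p->next = list; list = p; } /* chain via ->next */
        else model_free_page(p);                      /* free before the flush */
    }
    model_flush_tlb_range(start, end);                /* one flush for the range */
    for (; list; list = list->next)                   /* free only after flush */
        model_free_page(list);
    return stale;
}
int main(void) {
    printf("free before flush: %d stale\n", zap_range(0, NPAGES, 0));
    printf("gather, flush, free: %d stale\n", zap_range(0, NPAGES, 1));
    return 0;
}
```

Both orderings free the same pages; only the deferred one does so after every cached translation for the range is gone.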
