From owner-freebsd-arm@FreeBSD.ORG  Sat Mar 21 15:33:47 2015
Return-Path: <owner-freebsd-arm@FreeBSD.ORG>
Delivered-To: freebsd-arm@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 13CC5F03
 for <freebsd-arm@freebsd.org>; Sat, 21 Mar 2015 15:33:47 +0000 (UTC)
Received: from kanar.ci0.org (kanar.ci0.org [IPv6:2001:bc8:35e6::1])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id ABC91311
 for <freebsd-arm@freebsd.org>; Sat, 21 Mar 2015 15:33:46 +0000 (UTC)
Received: from kanar.ci0.org (pluxor@localhost [127.0.0.1])
 by kanar.ci0.org (8.14.8/8.14.8) with ESMTP id t2LFXM6A024055;
 Sat, 21 Mar 2015 16:33:22 +0100 (CET)
 (envelope-from mlfbsd@kanar.ci0.org)
Received: (from mlfbsd@localhost)
 by kanar.ci0.org (8.14.8/8.14.8/Submit) id t2LFXMVV024054;
 Sat, 21 Mar 2015 16:33:22 +0100 (CET) (envelope-from mlfbsd)
Date: Sat, 21 Mar 2015 16:33:22 +0100
From: Olivier Houchard <mlfbsd@ci0.org>
To: Kohji Okuno <okuno.kohji@jp.panasonic.com>
Subject: Re: pmap-v6.c has a bug?
Message-ID: <20150321153322.GA22296@ci0.org>
References: <20150321.085807.1477684572929578361.okuno.kohji@jp.panasonic.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20150321.085807.1477684572929578361.okuno.kohji@jp.panasonic.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: freebsd-arm@freebsd.org
X-BeenThere: freebsd-arm@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Porting FreeBSD to ARM processors." <freebsd-arm.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-arm>,
 <mailto:freebsd-arm-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arm/>
List-Post: <mailto:freebsd-arm@freebsd.org>
List-Help: <mailto:freebsd-arm-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arm>,
 <mailto:freebsd-arm-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Mar 2015 15:33:47 -0000

On Sat, Mar 21, 2015 at 08:58:07AM +0900, Kohji Okuno wrote:
> Hi All,
> 

Hi, 

> We think that pmap_alloc_l2_bucket() in pmap-v6.c has a bug for a
> race-condition.
> 
> Would you refer to the following "(***)" lines?
> 
> When a context(called A) decides to allocate pte after A checks l2
> and l2b->kva, A releases locks while A is allocating pte. In this
> timing, another context(called B) may free the same l2 from
> pmap_free_l2_bucket(). If this situation happens, l2b which is
> allocated by A will be lost since this l2b isn't able to trace from
> pmap.
> 
> In this result, pmap_get_l2_bucket(pvchunk->pc_pmap, pventry->pv_va)
> will return NULL, then it will cause a kernel panic by NULL access.
> We saw this kind of panic in pmap_clearbits() and pmap_remove_all().
> 
> We add count-up l2_occupancy before unloking and count-down it after
> locking. We think that this change can prevent wrong release of l2.
> 
> What do you think about this?

I think you're right !

I committed a variation of this as r280324.
Thanks a lot !

Olivier