From: Matthew Dillon
Date: Tue, 20 Jan 2004 01:35:40 -0800 (PST)
To: freebsd-hackers@freebsd.org
Subject: Possible sequencing bug in vmspace_exec() and vmspace_unshare().
Message-Id: <200401200935.i0K9Zedb007090@apollo.backplane.com>

This is the code:

    p->p_vmspace = newvmspace;
    pmap_pinit2(vmspace_pmap(newvmspace));
    vmspace_free(oldvmspace);
    if (p == curthread->td_proc)        /* XXXKSE ? */
        pmap_activate(curthread);

What I don't understand is how the old vmspace can possibly be freed before the new map is activated. Wouldn't that clear out the pte's in the active MMU mapping? There seems to be a small window of opportunity where a TLB load could blow the kernel up.

Shouldn't the vmspace_free() call occur after the pmap_activate()?

-Matt
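A toy model of the ordering question, added here and not part of the original mail or of FreeBSD's code: refcounted address spaces, a CPU whose MMU walks the page tables of whichever vmspace is active, and both call orders side by side. All names (model_*) are hypothetical; the model assumes vmspace_free() is refcounted, so the window only matters when the call drops the last reference.

```c
/* Hypothetical model, not FreeBSD code: a refcounted address space and a
 * CPU whose MMU walks the page tables of whichever vmspace is active. */
struct vmspace {
    int refcnt;
    int released;            /* set when the last reference is dropped */
};

struct cpu {
    struct vmspace *active;  /* vmspace whose pmap the MMU currently uses */
    int bad_tlb_loads;       /* TLB fills that walked released page tables */
};

/* vmspace_free() analogue: the map is torn down only on the last reference. */
static void model_vmspace_free(struct vmspace *vm)
{
    if (--vm->refcnt == 0)
        vm->released = 1;
}

/* A TLB fill reads the active pmap's page tables; released ones are a UAF. */
static void model_tlb_load(struct cpu *c)
{
    if (c->active->released)
        c->bad_tlb_loads++;
}

/*
 * Exec-time swap with the old vmspace held by old_refs references.
 * free_first = 1 is the quoted order (vmspace_free before pmap_activate)
 * with one TLB fill landing in the window; 0 activates before freeing.
 * Returns how many TLB fills hit released page tables (0 means safe).
 */
int model_exec_swap(int old_refs, int free_first)
{
    struct vmspace oldvm = { old_refs, 0 };
    struct vmspace newvm = { 1, 0 };
    struct cpu c = { &oldvm, 0 };

    if (free_first) {
        model_vmspace_free(&oldvm);  /* old map may be torn down here */
        model_tlb_load(&c);          /* the window the mail asks about */
        c.active = &newvm;           /* pmap_activate() */
    } else {
        c.active = &newvm;           /* pmap_activate() first ... */
        model_vmspace_free(&oldvm);  /* ... then drop the old reference */
        model_tlb_load(&c);
    }
    return c.bad_tlb_loads;
}
```

With a sole reference the quoted order lets a TLB fill walk released tables, while the reversed order never does; a shared old vmspace (refcount above one) survives the free and shows no fault in either order.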