From owner-freebsd-hackers@FreeBSD.ORG Tue Jan 20 11:48:18 2004
From: John Baldwin
To: Matthew Dillon, freebsd-hackers@freebsd.org
Date: Tue, 20 Jan 2004 13:59:51 -0500
Subject: Re: Possible sequencing bug in vmspace_exec() and vmspace_unshare().
Message-Id: <200401201356.08050.jhb@FreeBSD.org>
In-Reply-To: <200401200935.i0K9Zedb007090@apollo.backplane.com>
References: <200401200935.i0K9Zedb007090@apollo.backplane.com>
List-Id: Technical Discussions relating to FreeBSD

On Tuesday 20 January 2004 04:35 am, Matthew Dillon wrote:
> This is the code:
>
>     p->p_vmspace = newvmspace;
>     pmap_pinit2(vmspace_pmap(newvmspace));
>     vmspace_free(oldvmspace);
>     if (p == curthread->td_proc)        /* XXXKSE ? */
>             pmap_activate(curthread);
>
> What I don't understand is how the old vmspace can possibly be freed
> before the new map is activated. Wouldn't that clear out the pte's in
> the active MMU mapping? There seems to be a small window of
> opportunity where a TLB load could blow the kernel up.
>
> Shouldn't the vmspace_free() call occur after the pmap_activate()?

Looks like it. It also seems that for vmspace_exec(), the operation is
always done on the current proc, so that XXXKSE check should be a
KASSERT() instead. Hmm, seems I moved the vmspace_free()'s to where they
are now in rev 1.201 (they used to be before the pmap_init2() call); I
just didn't move them far enough, it seems.

-- 
John Baldwin <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org
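The window the thread describes, as an added userland model that is not part of this message or of FreeBSD: the "MMU" is a pointer to the active pmap, a vmspace whose last reference is dropped has its pmap poisoned rather than unmapped, and a TLB fill that walks a poisoned pmap is counted instead of crashing. Names such as exec_switch_faults, tlb_load and the live flag are invented for the model; only the ordering of vmspace_free() versus pmap_activate() mirrors the quoted code.

```c
#include <stdlib.h>

struct pmap { int live; };                     /* 1 while page tables exist */
struct vmspace { int refcnt; struct pmap pm; };
struct proc { struct vmspace *p_vmspace; };

static struct pmap *active_pmap;               /* what the CPU walks on a TLB miss */
static int loads_through_freed_pmap;           /* TLB fills that hit a torn-down pmap */

static struct vmspace *vmspace_alloc(void) {
    struct vmspace *vm = calloc(1, sizeof *vm); /* model only: allocation assumed to succeed */
    vm->refcnt = 1;
    vm->pm.live = 1;
    return vm;
}

/* Last reference dropped: page tables are torn down. The struct itself is
 * kept so the model can still see that the pmap is gone. */
static void vmspace_free(struct vmspace *vm) {
    if (--vm->refcnt == 0)
        vm->pm.live = 0;
}

static void pmap_activate(struct proc *p) { active_pmap = &p->p_vmspace->pm; }

/* A TLB fill can occur at any instruction boundary (interrupt, kernel data
 * access) and walks whatever pmap is active at that moment. */
static void tlb_load(void) {
    if (!active_pmap->live)
        loads_through_freed_pmap++;
}

/* Perform the exec-time vmspace switch on a process that is currently running
 * on oldvm, with one TLB fill in the middle of the sequence and one after it.
 * free_first=1 is the quoted order (vmspace_free before pmap_activate);
 * free_first=0 is the order the thread proposes. Returns the number of fills
 * that walked a freed pmap. */
int exec_switch_faults(int free_first) {
    struct proc proc = { vmspace_alloc() };
    struct vmspace *oldvm = proc.p_vmspace, *newvm = vmspace_alloc();
    pmap_activate(&proc);                      /* CPU is running on the old space */
    loads_through_freed_pmap = 0;
    proc.p_vmspace = newvm;
    if (free_first) { vmspace_free(oldvm); tlb_load(); pmap_activate(&proc); }
    else            { pmap_activate(&proc); tlb_load(); vmspace_free(oldvm); }
    tlb_load();                                /* after the switch: safe either way */
    free(oldvm);
    free(newvm);
    return loads_through_freed_pmap;
}
```

With the quoted ordering the fill between the two calls lands on a pmap whose refcount already reached zero; activating the new pmap first closes that window.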