Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 17 Nov 2007 19:11:14 +0100
From:      Olivier Houchard <mlfbsd@ci0.org>
To:        Mark Tinguely <tinguely@casselton.net>
Cc:        freebsd-arm@freebsd.org
Subject:   Re: rare pmap.c bug
Message-ID:  <20071117181114.GA52582@ci0.org>
In-Reply-To: <200711142226.lAEMQvjv014802@casselton.net>
References:  <200711142226.lAEMQvjv014802@casselton.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Wed, Nov 14, 2007 at 04:26:57PM -0600, Mark Tinguely wrote:
> 
> I think there is a small bug in the allocation of the L1 domain numbers ARM
> pmap.c BUT it is my guess that no one should ever see in real life.
> why? because you have to reuse the L1 9 times AT ONE TIME to trigger the
> bug. My gut thinks reusing the L1 twice AT ONE TIME is rare.
> 
> pmap_init_l1() allocates the array l1->l1_domain_free to equal:
> 
>  {2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 0 }
>  l1->l1_domain_free[15] is the initial value.
> 
>   l1->l1_domain_first = 1
> 
> pmap_alloc_l1() allocated the odd domain numbers.
> 
> 	domain = l1->l1_domain_first (1)
> 	l1->l1_domain_first = l1->l1_domain_free[domain] (3)
> 	
> next pmap_alloc_l1() **without calling pmap_free_l1()**:
> 
> 	domain = l1->l1_domain_first (3)
> 	l1->l1_domain_first = l1->l1_domain_free[domain] (5)
> 	
> next pmap_alloc_l1() **without calling pmap_free_l1()**:
> 
> 	domain = l1->l1_domain_first (5)
> 	l1->l1_domain_first = l1->l1_domain_free[domain] (7)
> 	
> 		...
> 
> 	domain = l1->l1_domain_first (15)
> 	l1->l1_domain_first = l1->l1_domain_free[domain] (0)
> 
> on the 9th pmap_alloc_l1() **without calling pmap_free_l1()**:
> 
> 	domain = l1->l1_domain_first (0) 	<- Kernel domain!
> 	l1->l1_domain_first = l1->l1_domain_free[domain] (2)
> 	
> It is extremely unlikely that people are running enough processes on an ARM
> machine to ever trigger the bug. A simple fix would be to increment the
> l1->l1_domain_free array by 1. But the 15th call to pmap_alloc_l1() will
> leave the l1->l1_domain_first wrong with could cause problems with the next
> pmap_free_l1(). A zero value could be given a special meaning to pmap_free_l1().
> 
> I find it even more interesting idea to just pull the preallocated L1s out;
> preallocate a couple L1 in an idleloop for perfomance; implement pmap_copy()
> to decrease page faults after a fork ...
> 

Hi,

Indeed it can be a problem. I'll see how easy it would be to allocate the L1
tables when we need it.
Thanks for reporting !

Olivier

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071117181114.GA52582>