[Xen-devel] [PATCH] xen mmu: fix a race window causing leave_mm BUG()
xen mmu: fix a race window causing leave_mm BUG()

There's a race window in xen_drop_mm_ref, where a remote cpu may exit the dirty bitmap between the check on this cpu and the point where the remote cpu handles the drop request. So in drop_other_mm_ref we need to check whether the TLB state is still lazy before calling into leave_mm.

This bug is rarely observed in earlier kernels, but is exaggerated by the commit 831d52bc153971b70e64eccfbed2b232394f22f8, which clears the bitmap after changing the TLB state.

Thanks to Maxiaoyun <tinnycloud@xxxxxxxxxxx> for verifying it.

Signed-off-by: Kevin Tian <kevin.tian@xxxxxxxxx>

diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c index 4e5a611..74c6e4a 100644 --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c @@ -1260,7 +1260,7 @@ static void drop_other_mm_ref(void *info) active_mm = percpu_read(cpu_tlbstate.active_mm); - if (active_mm == mm) + if (active_mm == mm && percpu_read(cpu_tlbstate.state) != TLBSTATE_OK) leave_mm(smp_processor_id()); /* If this cpu still has a stale cr3 reference, then make sure

Attachment: 20100429_fix_leave_mm_bug.patch

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
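
Review bot: the added `percpu_read(cpu_tlbstate.state) != TLBSTATE_OK` test in drop_other_mm_ref() carries no comment, so the reason for it is recorded only in the commit message. A short comment above the `if` would help, saying that this cpu may have left lazy TLB mode between the check made in xen_drop_mm_ref and the point where this handler runs, and that leave_mm must only be called while the state is still lazy. Without it, a later cleanup could take the state check for redundant next to `active_mm == mm` and remove it, reopening the BUG() the patch closes.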