This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-devel] [PATCH] xen mmu: fix a race window causing leave_mm BUG()

To: xen devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] [PATCH] xen mmu: fix a race window causing leave_mm BUG()
From: "Tian, Kevin" <kevin.tian@xxxxxxxxx>
Date: Fri, 29 Apr 2011 12:10:57 +0800
Accept-language: en-US
Acceptlanguage: en-US
Cc: "jeremy@xxxxxxxx" <jeremy@xxxxxxxx>, MaoXiaoyun <tinnycloud@xxxxxxxxxxx>
Delivery-date: Thu, 28 Apr 2011 21:12:41 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcwGIzFlLg8Sn4E+S5OlsA3CusxR6A==
Thread-topic: [PATCH] xen mmu: fix a race window causing leave_mm BUG()
    xen mmu: fix a race window causing leave_mm BUG()
    There's a race window in xen_drop_mm_ref, where a remote cpu may exit
    the dirty bitmap between the check on this cpu and the point where the
    remote cpu handles the drop request. So in drop_other_mm_ref we need to
    check whether the TLB state is still lazy before calling into leave_mm.
    This bug is rarely observed in earlier kernels, but is exaggerated by
    commit 831d52bc153971b70e64eccfbed2b232394f22f8, which clears the bitmap
    after changing the TLB state.
    Thanks to MaoXiaoyun <tinnycloud@xxxxxxxxxxx> for verifying it.
    Signed-off-by: Kevin Tian <kevin.tian@xxxxxxxxx>

diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
index 4e5a611..74c6e4a 100644
--- a/arch/x86/xen/mmu.c
+++ b/arch/x86/xen/mmu.c
@@ -1260,7 +1260,7 @@ static void drop_other_mm_ref(void *info)
        active_mm = percpu_read(cpu_tlbstate.active_mm);
-       if (active_mm == mm)
+       if (active_mm == mm && percpu_read(cpu_tlbstate.state) != TLBSTATE_OK)
        /* If this cpu still has a stale cr3 reference, then make sure
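Review bot: the `+` line runs well past 80 columns; wrap the condition as `if (active_mm == mm &&` followed by an indented `percpu_read(cpu_tlbstate.state) != TLBSTATE_OK)`. More importantly, the only comment in the hunk (`/* If this cpu still has a stale cr3 reference, then make sure`) documents the cr3 branch, not the new check, so the reason leave_mm() is now skipped when this cpu is no longer lazy is invisible in the code; add a one-line comment above the `if` summarising the window described in the commit message (remote cpu leaves the bitmap after the sender's check, and leave_mm() BUG()s in TLBSTATE_OK). Minor: the commit message talks about the state being "still lazy", so spelling the test as `== TLBSTATE_LAZY` would match the description more directly, although `!= TLBSTATE_OK` excludes the same case.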

Attachment: 20100429_fix_leave_mm_bug.patch
Description: 20100429_fix_leave_mm_bug.patch
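The race the commit message describes, as an added single-threaded model (not code from this patch, from Linux or from Xen): the per-cpu TLB state, the mm and the IPI handler are simplified stand-ins, the TLBSTATE_* values and every helper name are assumptions, and events are sequenced by hand so the result is deterministic. It runs the handler's old and patched conditions with and without the window, and reports leave_mm()'s BUG() as a return value instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS 2
/* State names as used in the patch; the numeric values are assumptions. */
enum tlbstate { TLBSTATE_OK = 1, TLBSTATE_LAZY = 2 };
/* What the IPI handler ended up doing on the remote cpu. */
enum outcome { OUTCOME_DROPPED, OUTCOME_SKIPPED, OUTCOME_BUG };

struct mm_struct {
    unsigned long cpu_vm_mask;   /* one bit per cpu that may still reference mm */
};

struct cpu_tlbstate {
    struct mm_struct *active_mm;
    enum tlbstate state;
};

static struct cpu_tlbstate tlbstate[NR_CPUS];

/* Stand-in for leave_mm(): the real one BUG()s if the cpu is in
 * TLBSTATE_OK; here that is reported as OUTCOME_BUG instead. */
static enum outcome leave_mm(int cpu, struct mm_struct *mm)
{
    if (tlbstate[cpu].state == TLBSTATE_OK)
        return OUTCOME_BUG;
    tlbstate[cpu].active_mm = NULL;
    mm->cpu_vm_mask &= ~(1UL << cpu);
    return OUTCOME_DROPPED;
}

/* Handler as it was before the patch: only the active_mm check. */
static enum outcome drop_other_mm_ref_old(int cpu, struct mm_struct *mm)
{
    if (tlbstate[cpu].active_mm == mm)
        return leave_mm(cpu, mm);
    return OUTCOME_SKIPPED;
}

/* Handler with the patch: also require the TLB state to still be lazy. */
static enum outcome drop_other_mm_ref_new(int cpu, struct mm_struct *mm)
{
    if (tlbstate[cpu].active_mm == mm && tlbstate[cpu].state != TLBSTATE_OK)
        return leave_mm(cpu, mm);
    return OUTCOME_SKIPPED;
}

/* Drive one run. `race` injects the window from the commit message: the
 * remote cpu leaves lazy TLB mode (state -> TLBSTATE_OK, then its bit is
 * cleared) after cpu 0 snapshotted the mask but before the IPI runs. */
static enum outcome run_scenario(bool patched, bool race)
{
    struct mm_struct mm = { .cpu_vm_mask = 0 };
    const int self = 0, remote = 1;
    enum outcome result = OUTCOME_SKIPPED;

    memset(tlbstate, 0, sizeof(tlbstate));

    /* cpu 1 is lazily holding mm; cpu 0 is about to tear mm down. */
    tlbstate[remote].active_mm = &mm;
    tlbstate[remote].state = TLBSTATE_LAZY;
    mm.cpu_vm_mask |= 1UL << remote;

    /* xen_drop_mm_ref on cpu 0: snapshot the mask, pick cpus to IPI. */
    unsigned long snapshot = mm.cpu_vm_mask;

    if (race) {
        tlbstate[remote].state = TLBSTATE_OK;   /* state changes first ... */
        mm.cpu_vm_mask &= ~(1UL << remote);     /* ... bitmap cleared after */
    }

    /* IPIs go out according to the stale snapshot. */
    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        if (cpu == self || !(snapshot & (1UL << cpu)))
            continue;
        result = patched ? drop_other_mm_ref_new(cpu, &mm)
                         : drop_other_mm_ref_old(cpu, &mm);
    }

    memset(tlbstate, 0, sizeof(tlbstate));     /* mm is about to go away */
    return result;
}

static const char *outcome_name(enum outcome o)
{
    return o == OUTCOME_DROPPED ? "reference dropped"
         : o == OUTCOME_SKIPPED ? "leave_mm skipped" : "BUG()";
}

int main(void)
{
    printf("no race, old handler: %s\n", outcome_name(run_scenario(false, false)));
    printf("no race, new handler: %s\n", outcome_name(run_scenario(true, false)));
    printf("race,    old handler: %s\n", outcome_name(run_scenario(false, true)));
    printf("race,    new handler: %s\n", outcome_name(run_scenario(true, true)));
    return 0;
}
```

Without the window both handlers drop the lazy reference; with it, the old condition calls leave_mm() on a cpu that has already returned to TLBSTATE_OK (the BUG() the subject line refers to), while the patched condition skips the call and leaves the remote cpu's own state transition to clear the reference.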
