aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSiddha, Suresh B <suresh.b.siddha@intel.com>2006-09-29 04:58:42 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2006-09-29 12:18:03 -0400
commit4ce072f1faf29d24df4600f53db8cdd62d400a8f (patch)
treeb56ac328eb4542d6a05b0d35aef95ed3834127d3
parent2dcea57ae19275451a756a2d5bf96b329487b0e0 (diff)
[PATCH] mm: fix a race condition under SMC + COW
Failing context is a multi threaded process context and the failing sequence is as follows. One thread T0 doing self modifying code on page X on processor P0 and another thread T1 doing COW (breaking the COW setup as part of just happened fork() in another thread T2) on the same page X on processor P1. T0 doing SMC can endup modifying the new page Y (allocated by the T1 doing COW on P1) but because of different I/D TLB's, P0 ITLB will not see the new mapping till the flush TLB IPI from P1 is received. During this interval, if T0 executes the code created by SMC it can result in an app error (as ITLB still points to old page X and endup executing the content in page X rather than using the content in page Y). Fix this issue by first clearing the PTE and flushing it, before updating it with new entry. Hugh sayeth: I was a bit sceptical, in the habit of thinking that Self Modifying Code must look such issues itself: but I guess there's nothing it can do to avoid this one. Fair enough, what you're changing it to is pretty much what powerpc and s390 were already doing, and is a more robust way of proceeding, consistent with how ptes are set everywhere else. The ptep_clear_flush is a bit heavy-handed (it's anxious to return the pte that was atomically cleared), but we'd have to wander through lots of arches to get the right minimal behaviour. It'd also be nice to eliminate ptep_establish completely, now only used to define other macros/inlines: it always seemed obfuscation to me, what you've got there now is clearer. Let's put those cleanups on a TODO list. Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com> Acked-by: "David S. Miller" <davem@davemloft.net> Acked-by: Hugh Dickins <hugh@veritas.com> Cc: Nick Piggin <nickpiggin@yahoo.com.au> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--mm/memory.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/mm/memory.c b/mm/memory.c
index 601159a46ab..160f5b503ea 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1577,7 +1577,14 @@ gotten:
1577 entry = mk_pte(new_page, vma->vm_page_prot); 1577 entry = mk_pte(new_page, vma->vm_page_prot);
1578 entry = maybe_mkwrite(pte_mkdirty(entry), vma); 1578 entry = maybe_mkwrite(pte_mkdirty(entry), vma);
1579 lazy_mmu_prot_update(entry); 1579 lazy_mmu_prot_update(entry);
1580 ptep_establish(vma, address, page_table, entry); 1580 /*
1581 * Clear the pte entry and flush it first, before updating the
1582 * pte with the new entry. This will avoid a race condition
1583 * seen in the presence of one thread doing SMC and another
1584 * thread doing COW.
1585 */
1586 ptep_clear_flush(vma, address, page_table);
1587 set_pte_at(mm, address, page_table, entry);
1581 update_mmu_cache(vma, address, entry); 1588 update_mmu_cache(vma, address, entry);
1582 lru_cache_add_active(new_page); 1589 lru_cache_add_active(new_page);
1583 page_add_new_anon_rmap(new_page, vma, address); 1590 page_add_new_anon_rmap(new_page, vma, address);