diff options
author | David S. Miller <davem@davemloft.net> | 2009-03-27 04:09:17 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-03-27 04:09:17 -0400 |
commit | f9384d41c02408dd404aa64d66d0ef38adcf6479 (patch) | |
tree | 3eba745ae1cd20ae2b14dcdbe21efd05cd33fd27 /arch/sparc/kernel | |
parent | 86ee79c3dbd48d7430fd81edc1da3516c9f6dabc (diff) |
sparc64: Fix MM refcount check in smp_flush_tlb_pending().
As explained by Benjamin Herrenschmidt:
> CPU 0 is running the context, task->mm == task->active_mm == your
> context. The CPU is in userspace happily churning things.
>
> CPU 1 used to run it, not anymore, it's now running fancyfsd which
> is a kernel thread, but current->active_mm still points to that
> same context.
>
> Because there's only one "real" user, mm_users is 1 (but mm_count is
> elevated, it's just that the presence on CPU 1 as active_mm has no
> effect on mm_count().
>
> At this point, fancyfsd decides to invalidate a mapping currently mapped
> by that context, for example because a networked file has changed
> remotely or something like that, using unmap_mapping_ranges().
>
> So CPU 1 goes into the zapping code, which eventually ends up calling
> flush_tlb_pending(). Your test will succeed, as current->active_mm is
> indeed the target mm for the flush, and mm_users is indeed 1. So you
> will -not- send an IPI to the other CPU, and CPU 0 will continue happily
> accessing the pages that should have been unmapped.
To fix this problem, check ->mm instead of ->active_mm, and this
means:
> So if you test current->mm, you effectively account for mm_users == 1,
> so the only way the mm can be active on another processor is as a lazy
> mm for a kernel thread. So your test should work properly as long
> as you don't have a HW that will do speculative TLB reloads into the
> TLB on that other CPU (and even if you do, you flush-on-switch-in should
> get rid of any crap here).
And therefore we should be OK.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'arch/sparc/kernel')
-rw-r--r-- | arch/sparc/kernel/smp_64.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c index 6cd1a5b65067..79457f682b5a 100644 --- a/arch/sparc/kernel/smp_64.c +++ b/arch/sparc/kernel/smp_64.c | |||
@@ -1031,7 +1031,7 @@ void smp_fetch_global_regs(void) | |||
1031 | * If the address space is non-shared (ie. mm->count == 1) we avoid | 1031 | * If the address space is non-shared (ie. mm->count == 1) we avoid |
1032 | * cross calls when we want to flush the currently running process's | 1032 | * cross calls when we want to flush the currently running process's |
1033 | * tlb state. This is done by clearing all cpu bits except the current | 1033 | * tlb state. This is done by clearing all cpu bits except the current |
1034 | * processor's in current->active_mm->cpu_vm_mask and performing the | 1034 | * processor's in current->mm->cpu_vm_mask and performing the |
1035 | * flush locally only. This will force any subsequent cpus which run | 1035 | * flush locally only. This will force any subsequent cpus which run |
1036 | * this task to flush the context from the local tlb if the process | 1036 | * this task to flush the context from the local tlb if the process |
1037 | * migrates to another cpu (again). | 1037 | * migrates to another cpu (again). |
@@ -1074,7 +1074,7 @@ void smp_flush_tlb_pending(struct mm_struct *mm, unsigned long nr, unsigned long | |||
1074 | u32 ctx = CTX_HWBITS(mm->context); | 1074 | u32 ctx = CTX_HWBITS(mm->context); |
1075 | int cpu = get_cpu(); | 1075 | int cpu = get_cpu(); |
1076 | 1076 | ||
1077 | if (mm == current->active_mm && atomic_read(&mm->mm_users) == 1) | 1077 | if (mm == current->mm && atomic_read(&mm->mm_users) == 1) |
1078 | mm->cpu_vm_mask = cpumask_of_cpu(cpu); | 1078 | mm->cpu_vm_mask = cpumask_of_cpu(cpu); |
1079 | else | 1079 | else |
1080 | smp_cross_call_masked(&xcall_flush_tlb_pending, | 1080 | smp_cross_call_masked(&xcall_flush_tlb_pending, |