On 28 May 2013 16:16, Michal Hocko <mhocko@xxxxxxx> wrote:
> On Sun 26-05-13 06:50:46, Max Filippov wrote:
>> Is it intentional that threads of a process that invoked munmap syscall
>> can see TLB entries pointing to already freed pages, or it is a bug?
>>
>> I'm talking about zap_pmd_range and zap_pte_range:
>>
>> zap_pmd_range
>> zap_pte_range
>> arch_enter_lazy_mmu_mode
>> ptep_get_and_clear_full
>> tlb_remove_tlb_entry
>> __tlb_remove_page
>> arch_leave_lazy_mmu_mode
>> cond_resched
>>
>> With the default arch_{enter,leave}_lazy_mmu_mode, tlb_remove_tlb_entry
>> and __tlb_remove_page there is a loop in the zap_pte_range that clears
>> PTEs and frees corresponding pages,
>
> The page is not freed at that time (at least not for the generic
> mmu_gather implementation). It is stored into mmu_gather and then freed
> along with the tlb flush in tlb_flush_mmu.
Actually for the UP case, the page gets freed in __tlb_remove_page()
since tlb_fast_mode() is 1.
--
Catalin
--
To unsubscribe from this list: send the line "unsubscribe linux-arch" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
