On Mon, Jun 19, 2017 at 6:33 AM, zhong jiang <zhongjiang@xxxxxxxxxx> wrote:
> On 2017/6/19 12:48, Andy Lutomirski wrote:
>> It was historically possible to have two concurrent TLB flushes
>> targeting the same CPU: one initiated locally and one initiated
>> remotely. This can now cause an OOPS in leave_mm() at
>> arch/x86/mm/tlb.c:47:
>>
>>         if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
>>                 BUG();
>>
>> with this call trace:
>>  flush_tlb_func_local arch/x86/mm/tlb.c:239 [inline]
>>  flush_tlb_mm_range+0x26d/0x370 arch/x86/mm/tlb.c:317
>>
>> Without reentrancy, this OOPS is impossible: leave_mm() is only
>> called if we're not in TLBSTATE_OK, but then we're unexpectedly
>> in TLBSTATE_OK in leave_mm().
>>
>> This can be caused by flush_tlb_func_remote() happening between
>> the two checks and calling leave_mm(), resulting in two consecutive
>> leave_mm() calls on the same CPU with no intervening switch_mm()
>> calls.
>>
>> We never saw this OOPS before because the old leave_mm()
>> implementation didn't put us back in TLBSTATE_OK, so the assertion
>> didn't fire.
> Hi Andy,
>
> Today I saw the same OOPS in linux 3.4 stable. It proves that it has
> indeed fired, but it appears rarely. I reviewed the code and found an
> issue: when current->mm is NULL, leave_mm will be called, but it may be
> in TLBSTATE_OK, e.g. unuse_mm is called after task->mm = NULL but before
> enter_lazy_tlb.
>
> Therefore, it will fire. Is this right?

Is there a code path that does this?

Also, the IPI handler on 3.4 looks like this:

        if (f->flush_mm == percpu_read(cpu_tlbstate.active_mm)) {
                if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK) {
                        if (f->flush_va == TLB_FLUSH_ALL)
                                local_flush_tlb();
                        else
                                __flush_tlb_one(f->flush_va);
                } else
                        leave_mm(cpu);
        }

but leave_mm() checks the same condition (cpu_tlbstate.state, not
current->mm). How is the BUG triggering?
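The check-then-act race in the quoted commit message, modelled in user space so the interleaving can be stepped through. This is an added example, not code from the kernel or from anyone in this thread: the function names follow arch/x86/mm/tlb.c as quoted above, the bodies are simplified to the state transitions that matter, and the second scenario (interrupts disabled around the local flush) is an assumed contrast case to show why the ordering matters, not the patch under discussion.

```c
#include <stdio.h>
#include <stdbool.h>

/* Added example, not kernel code: a single-CPU model of the race in which
 * flush_tlb_func_remote() runs between flush_tlb_func_local()'s state check
 * and its call to leave_mm(). Names mirror arch/x86/mm/tlb.c as quoted in
 * the thread; bodies are simplified. The "interrupts disabled" variant is an
 * assumed contrast case for illustration. */

enum tlbstate { TLBSTATE_OK = 1, TLBSTATE_LAZY = 2 };

/* Per-CPU state of the one CPU being modelled. */
static enum tlbstate cpu_tlbstate_state;
static bool irqs_enabled = true;
static bool ipi_pending;       /* a remote TLB-flush IPI waiting to be delivered */
static int leave_mm_calls;

int leave_mm_call_count(void) { return leave_mm_calls; }

/* switch_mm(NULL, &init_mm, NULL): entering init_mm puts the CPU back in
 * TLBSTATE_OK, which is the new leave_mm() behaviour the commit message says
 * makes the assertion reachable. */
static void switch_mm_to_init_mm(void) { cpu_tlbstate_state = TLBSTATE_OK; }

/* leave_mm(): returns -1 where the kernel would hit BUG() at tlb.c:47. */
int leave_mm(void)
{
    leave_mm_calls++;
    if (cpu_tlbstate_state == TLBSTATE_OK)
        return -1;
    switch_mm_to_init_mm();
    return 0;
}

/* flush_tlb_func_remote(), as run from the IPI handler. */
static int flush_tlb_func_remote(void)
{
    if (cpu_tlbstate_state == TLBSTATE_OK)
        return 0;              /* would flush the TLB; nothing to model here */
    return leave_mm();
}

/* An IPI is only delivered while interrupts are enabled. */
static int maybe_deliver_ipi(void)
{
    if (irqs_enabled && ipi_pending) {
        ipi_pending = false;
        return flush_tlb_func_remote();
    }
    return 0;
}

/* flush_tlb_func_local(): check the state, then act. With interrupts enabled
 * the pending IPI lands between the check and leave_mm(). */
static int flush_tlb_func_local(void)
{
    if (cpu_tlbstate_state == TLBSTATE_OK)
        return 0;
    if (maybe_deliver_ipi() < 0)
        return -1;
    return leave_mm();         /* second leave_mm() with no switch_mm() in between */
}

/* One scenario: the CPU is lazy, a remote flush IPI is pending, and a local
 * flush runs. Returns 0 on success or -1 where the kernel would have BUG()ed. */
int run_scenario(bool irqs_off_around_local_flush)
{
    int ret;

    cpu_tlbstate_state = TLBSTATE_LAZY;
    ipi_pending = true;
    leave_mm_calls = 0;

    irqs_enabled = !irqs_off_around_local_flush;
    ret = flush_tlb_func_local();
    irqs_enabled = true;
    if (ret == 0)
        ret = maybe_deliver_ipi(); /* the IPI arrives after the local flush instead */
    return ret;
}

int main(void)
{
    int ret = run_scenario(false);
    printf("interrupts enabled:  %s after %d leave_mm() call(s)\n",
           ret ? "BUG" : "ok", leave_mm_call_count());
    ret = run_scenario(true);
    printf("interrupts disabled: %s after %d leave_mm() call(s)\n",
           ret ? "BUG" : "ok", leave_mm_call_count());
    return 0;
}
```

With interrupts enabled the model reproduces exactly the sequence the commit message describes: the remote handler's leave_mm() moves the CPU to TLBSTATE_OK, and the local path's own leave_mm(), issued on the strength of the earlier check, then trips the assertion. Keeping the IPI out until the local check and action have completed leaves one leave_mm() call and no assertion failure.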