On 13/12/19, 11:13 PM, "Steven Rostedt" <srostedt@xxxxxxxxxx> wrote:

> On Tue, 2019-12-10 at 23:12 +0530, Ajay Kaher wrote:
>> The x86 version of get_user_pages_fast() relies on disabled interrupts to
>> synchronize gup_pte_range() between gup_get_pte(ptep); and get_page() against
>> a parallel munmap. The munmap side nulls the pte, then flushes TLBs, then
>> releases the page. As the TLB flush is done synchronously via IPI, disabling
>> interrupts blocks the page release, and get_page(), which assumes an existing
>> reference on the page, is thus safe.
>> However, when the TLB flush is done by a hypercall, e.g. in a Xen PV guest, there is
>> no blocking thanks to disabled interrupts, and get_page() can succeed on a page
>> that was already freed or even reused.
>
> That must have been hell to debug!
>
> Anyway, the rest looks good.
>
> -- Steve

Thanks, Steve, for the review. I will move page_ref_count() from the 3rd patch to the 5th patch and send globally.

- Ajay
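The interleaving described in the quoted commit message (gup reads the pte, munmap nulls it, flushes and releases the page, then gup calls get_page() on what is now a freed page) can be modelled in user space with a plain atomic refcount. The block below is an added illustration, not code from the patch series or from the kernel: `struct model_page`, `model_get_page()`, `model_try_get_page()` and `model_munmap_release()` are constructed names, and the speculative variant is assumed to use an increment-if-not-zero rule, which is the usual way to make a lockless reference grab refuse a page whose count has already dropped to zero. It shows why a blind increment "pins" a freed page while the speculative form reports failure.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of a page refcount; not the kernel's struct page. */
struct model_page {
    atomic_int refcount;   /* 0 means the page has been released */
    int freed;             /* set by the model's release path for the demo */
};

/* Blind increment, mirroring the assumption get_page() makes: the caller already
 * holds a reference, so the count cannot be zero. Returns the new count. */
static int model_get_page(struct model_page *p)
{
    return atomic_fetch_add(&p->refcount, 1) + 1;
}

/* Speculative get (assumed increment-if-not-zero semantics): succeeds only when
 * the page still has at least one reference, otherwise refuses. */
static bool model_try_get_page(struct model_page *p)
{
    int old = atomic_load(&p->refcount);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&p->refcount, &old, old + 1))
            return true;   /* old is refreshed by the CAS on failure */
    }
    return false;          /* count already reached zero: page is gone */
}

/* munmap side as described in the message: null the pte, flush TLBs, release the page.
 * In the hypercall-flush case nothing here waits for the gup side, so it runs to completion. */
static void model_munmap_release(struct model_page *p, int *pte)
{
    *pte = 0;                                  /* pte nulled */
    /* TLB flush would sit here; a hypercall flush does not block on disabled interrupts. */
    if (atomic_fetch_sub(&p->refcount, 1) == 1) /* last reference dropped */
        p->freed = 1;                          /* page released */
}

/* Race with the blind get: returns 1 when a freed page ends up with a live reference. */
static int scenario_blind_get(void)
{
    struct model_page page = { 1, 0 };  /* one mapping holds the only reference */
    int pte = 1;
    int seen = pte;                      /* gup_get_pte(ptep) observes a valid pte */
    model_munmap_release(&page, &pte);   /* munmap completes in between */
    if (seen)
        model_get_page(&page);           /* get_page() on the freed page */
    return page.freed && atomic_load(&page.refcount) > 0;
}

/* Same interleaving with the speculative get: returns 1 when the get correctly refuses. */
static int scenario_try_get_refuses(void)
{
    struct model_page page = { 1, 0 };
    int pte = 1;
    int seen = pte;
    model_munmap_release(&page, &pte);
    bool got = seen ? model_try_get_page(&page) : false;
    return page.freed && !got && atomic_load(&page.refcount) == 0;
}

int main(void)
{
    printf("blind get_page() pins a freed page: %s\n", scenario_blind_get() ? "yes" : "no");
    printf("speculative get refuses the freed page: %s\n", scenario_try_get_refuses() ? "yes" : "no");
    return 0;
}
```

The model deliberately runs the munmap path to completion between the pte read and the reference grab, which is exactly the window that disabled interrupts close on bare-metal x86 (the IPI-driven flush cannot finish while the gup side has interrupts off) and that a hypercall-driven flush leaves open.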