Subject: Re: i386 pmap bug
To: Stephan Uphoff <ups@stups.com>
From: Frank van der Linden <fvdl@wasabisystems.com>
List: port-i386
Date: 02/01/2003 14:41:36
[redirected to port-i386]

On Fri, Jan 31, 2003 at 11:02:50PM -0500, Stephan Uphoff wrote:
> 
> If a (user space) Page Table Page (PTP) is no longer used, because the last
> valid Page Table Entry (PTE) has been removed, the associated page structure 
> is put on the free page list before the associated TLB for the PTP 
> (TLB that caches the PDE) is flushed.
> 
> Any modification of the freed page (interrupt, multiprocessor) might cause 
> loading of invalid TLB entries that could:
> 	- cause immediate problems for multiprocessor systems.
> 	- stay in the TLB even after the call to pmap_tlb_shootnow()
> 	  (and as such cause problems later).
> 
> This is not only a problem for multiprocessor systems, as Intel states
> in one of their "Pentium II Processor Application Notes":
> 	Memory Ordering On Dynamic Execution (Pentium Pro Family) Processors
> 	2.7. Page Table Walking Accesses:
> 	     [...]
> 	  *  Page table walks can occur at any time, randomly
> 	     [...]
> 		Page table walking to satisfy TLB (Translation Lookaside
> 		Buffer) misses can be performed speculatively and out-of-order;
> 		page table walks are subject to speculative cacheability.
> 	     [...]

I don't quite see how a problem could occur here:

	* When a PTP is freed, it means that it is no longer used
	  in the page table. When it is freed, the pmap is locked,
	  so other CPUs won't enter any mappings that would make the
	  page needed again.
	* uvm_pagefree returns the physical memory to the freelist,
	  which is fine; the physical memory can be re-used, as the
	  PDE entry referencing it has been zapped.

You seem to be saying that somehow a page table lookup can occur
that would still reference the physical memory of the PTP. I
don't see how that could happen, as virtual memory addresses that
would cause the PTP to be referenced are all invalid. I also
don't see how the CPU could ever set a referenced bit in a PTE
entry in the PTP. "out of order" and "speculative", sure, but
this would be more like "out of the blue and uncalled for".
I really don't think the CPU is going to do that.

What would be, in your opinion, a scenario which would cause
a problem?

- Frank

-- 
Frank van der Linden                                    fvdl@wasabisystems.com
==============================================================================
Quality NetBSD Development, Support & Service.   http://www.wasabisystems.com/