Frank van der Linden wrote:
> 
> Sorry about the slow response. Anyway, it seems to come down to "will
> a PDE that has been cached in the TLB be referenced while it's
> queued for shootdown, but hasn't been invalidated yet".
> 
> Another CPU shouldn't reference it; the pmap should be locked at this
> point.

The pmap lock only prevents another CPU from allocating a former pmap
page (PDE or PTE) and modifying it for use as a new pmap page?  A couple
situations left that could use a quick explanation:

Thread 1, on CPU 1, unmaps a 4MB memory region.  At the same time, thread
2 of the same process, running on CPU 2, is in a loop writing one byte to
each page in the region in a non-random attempt to generate table walks
using the cached PDE.

The former PTE page, which is still pointed to by the PDE in the TLB, is
allocated from the free list by a process or interrupt running on CPU 3,
for internal use by any kernel subsystem other than pmap.

TIA,
-Neil

> As for 'random table walks'.. I guess the manual text you quoted doesn't
> rule that out 100%, but it would seem very unlikely. If this really would
> be a problem, you'd have to wait with freeing the page until the shootdown
> has been handled. Which might not be hard to implement. Though I really
> don't see this happening.. I think I need to be convinced by actual
> occurences of the problem :-) Or maybe an Intel engineer who will
> confirm that this can happen.
> 
> - Frank