svn commit: r266464 - in head/sys: kern sys vm

Konstantin Belousov kostikbel at
Tue May 20 15:44:19 UTC 2014

On Tue, May 20, 2014 at 11:35:01PM +0800, Julian Elischer wrote:
> On 5/20/14, 5:19 PM, Konstantin Belousov wrote:
> > Author: kib
> > Date: Tue May 20 09:19:35 2014
> > New Revision: 266464
> > URL:
> >
> > Log:
> >    When exec_new_vmspace() decides that current vmspace cannot be reused
> >    on execve(2), it calls vmspace_exec(), which frees the current
> >    vmspace.  The thread executing an exec syscall gets new vmspace
> >    assigned, and old vmspace is freed if only referenced by the current
> >    process.  The free operation includes pmap_release(), which
> >    de-constructs the paging structures used by hardware.
> >    
> >    If the calling process is multithreaded, other threads are suspended
> >    in the thread_suspend_check(), and need to be unsuspended and run to
> >    be able to exit on successful exec.  Now, since the old vmspace is
> >    destroyed, paging structures are invalid, threads are resumed on the
> >    non-existent pmaps (page tables), which leads to triple fault on x86.
> >    
> >    To fix, postpone the free of old vmspace until the threads are resumed
> >    and exited.  To avoid modifications to all image activators all of
> >    which use exec_new_vmspace(), memoize the current (old) vmspace in
> >    kern_execve(), and notify it about the need to call vmspace_free()
> >    with a thread-private flag TDP_EXECVMSPC.
> I was sure that we covered this case at some time in the past..
> I think all threads but the caller were killed at the kernel boundary 
> and exec waited for that to happen.

No, what you describe cannot be done. Threads cannot be killed until
we are committed for exec to either succeed, or we do not have any
other route except killing the process. If we return in the context
of the image executing execve(2), then we must return an error, and
other threads must survive. Threads are gracefully terminated after
kern_exec() has committed to something. This is correctly handled in the
code, except for the glitch fixed in the commit.
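
An added example, not code from the commit or from the FreeBSD tree: a user-space C model of the ordering described in the commit log, comparing an immediate free of the old vmspace with a free deferred until the suspended sibling threads have been resumed and exited. The structures, `exec_model()`, `resume_and_exit_siblings()`, the thread count and the numeric value of `TDP_EXECVMSPC` are simplifying assumptions; only the function and flag names `vmspace_free` and `TDP_EXECVMSPC` come from the log.

```c
#include <stdbool.h>
#include <stdio.h>

#define NTHREADS 4          /* constructed: exec caller + 3 suspended siblings */
#define TDP_EXECVMSPC 0x1   /* name from the commit log; value is illustrative */

struct vmspace { int refcnt; bool pmap_valid; };
struct thread  { struct vmspace *vm; bool suspended; int pflags; };

/* Drop a reference; the last one releases the page tables (pmap_release). */
static void vmspace_free(struct vmspace *vm) {
    if (--vm->refcnt == 0)
        vm->pmap_valid = false;
}

/* Resume siblings so they can exit; count those resumed on released page tables. */
static int resume_and_exit_siblings(struct thread *td, int n) {
    int faults = 0;
    for (int i = 1; i < n; i++) {
        td[i].suspended = false;
        if (!td[i].vm->pmap_valid)
            faults++;               /* on x86 this is the triple-fault case */
    }
    return faults;
}

/* Model of exec in a multithreaded process; defer_free selects the ordering. */
int exec_model(bool defer_free) {
    struct vmspace oldvm = { 1, true }, newvm = { 1, true };
    struct thread td[NTHREADS];
    for (int i = 0; i < NTHREADS; i++)
        td[i] = (struct thread){ &oldvm, i != 0, 0 };
    td[0].vm = &newvm;                 /* caller gets the new vmspace */
    if (defer_free)
        td[0].pflags |= TDP_EXECVMSPC; /* note that a free is still owed */
    else
        vmspace_free(&oldvm);          /* ordering before the fix */
    int faults = resume_and_exit_siblings(td, NTHREADS);
    if (td[0].pflags & TDP_EXECVMSPC) {
        vmspace_free(&oldvm);          /* ordering after the fix */
        td[0].pflags &= ~TDP_EXECVMSPC;
    }
    return oldvm.pmap_valid ? -1 : faults; /* -1 would mean the old vmspace leaked */
}

int main(void) {
    printf("immediate free: %d faults, deferred free: %d faults\n",
           exec_model(false), exec_model(true));
    return 0;
}
```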