On Sun, 2013-06-16 at 12:00 +1000, Benjamin Herrenschmidt wrote:

So at this point, hash_page might *still* see the old pmd. Unless I
missed something, you did nothing that will prevent that (the only way
to lock against hash_page is really an IPI & wait or to take the PTE's
busy and make them !present or something). So as far as I can tell,
a concurrent hash_page can still sneak into the hash some "small"
entries after you have supposedly flushed them.

Note that the _PAGE_PRESENT bit is removed eventually ... but much
later, in __collapse_huge_page_copy() which will also flush the hash, so
at least we will remove a stale hash entry that would have been added by
the race above I suppose...  but:

 - _PAGE_ACCESSED can still potentially be set after it was supposed to
be stable

 - The clearing happens *after* copy_user_highpage(), ie, unless I
missed something here, we potentially still have something writing to
the 4k page while it's being copied, which is BAD.

Now, let me know if I did miss something here :-)

Cheers,
Ben.