Please ignore my last two mails; I just learnt that current is meaningless in irq context. I just came up with one whole assumption.

In my opinion:

1) A CPU running in switch_mm has the possibility of receiving an IPI message and entering an interrupt.
2) Before reverting that patch, no matter whether the if statement is true or not, cpu_tlbstate.state could be changed to TLBSTATE_OK right before entering the irq routine.
3) Since cpu_tlbstate is a per-CPU variable, testing cpu_tlbstate.state in drop_other_mm_ref before calling leave_mm() is feasible and necessary.
4) If I am right, the strange thing is that the code of 2.6.32.36 is the same as 2.6.31.x, with which we never met the tlb bug before.

Any comments?

Many thanks.