diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2009-09-03 15:38:59 -0400 |
---|---|---|
committer | Pekka Enberg <penberg@cs.helsinki.fi> | 2009-09-03 15:38:59 -0400 |
commit | d76b1590e06a63a3d8697168cd0aabf1c4b3cb3a (patch) | |
tree | 276a0323e0b25192fdb837475b816db3b3052cad | |
parent | 326ba5010a5429a5a528b268b36a5900d4ab0eba (diff) |
slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU
kmem_cache_destroy() should call rcu_barrier() *after* kmem_cache_close() and
*before* sysfs_slab_remove() or risk rcu_free_slab() being called after
kmem_cache is deleted (kfreed).
rmmod nf_conntrack can crash the machine because it has to kmem_cache_destroy()
a SLAB_DESTROY_BY_RCU enabled cache.
Cc: <stable@kernel.org>
Reported-by: Zdenek Kabelac <zdenek.kabelac@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
-rw-r--r-- | mm/slub.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -2594,8 +2594,6 @@ static inline int kmem_cache_close(struct kmem_cache *s) | |||
2594 | */ | 2594 | */ |
2595 | void kmem_cache_destroy(struct kmem_cache *s) | 2595 | void kmem_cache_destroy(struct kmem_cache *s) |
2596 | { | 2596 | { |
2597 | if (s->flags & SLAB_DESTROY_BY_RCU) | ||
2598 | rcu_barrier(); | ||
2599 | down_write(&slub_lock); | 2597 | down_write(&slub_lock); |
2600 | s->refcount--; | 2598 | s->refcount--; |
2601 | if (!s->refcount) { | 2599 | if (!s->refcount) { |
@@ -2606,6 +2604,8 @@ void kmem_cache_destroy(struct kmem_cache *s) | |||
2606 | "still has objects.\n", s->name, __func__); | 2604 | "still has objects.\n", s->name, __func__); |
2607 | dump_stack(); | 2605 | dump_stack(); |
2608 | } | 2606 | } |
2607 | if (s->flags & SLAB_DESTROY_BY_RCU) | ||
2608 | rcu_barrier(); | ||
2609 | sysfs_slab_remove(s); | 2609 | sysfs_slab_remove(s); |
2610 | } else | 2610 | } else |
2611 | up_write(&slub_lock); | 2611 | up_write(&slub_lock); |