aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Dumazet <eric.dumazet@gmail.com>2009-09-03 15:38:59 -0400
committerPekka Enberg <penberg@cs.helsinki.fi>2009-09-03 15:38:59 -0400
commitd76b1590e06a63a3d8697168cd0aabf1c4b3cb3a (patch)
tree276a0323e0b25192fdb837475b816db3b3052cad
parent326ba5010a5429a5a528b268b36a5900d4ab0eba (diff)
slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU
kmem_cache_destroy() should call rcu_barrier() *after* kmem_cache_close() and *before* sysfs_slab_remove() or risk rcu_free_slab() being called after kmem_cache is deleted (kfreed). rmmod nf_conntrack can crash the machine because it has to kmem_cache_destroy() a SLAB_DESTROY_BY_RCU enabled cache. Cc: <stable@kernel.org> Reported-by: Zdenek Kabelac <zdenek.kabelac@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
-rw-r--r--mm/slub.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/mm/slub.c b/mm/slub.c
index b9f1491a58a1..b6276753626e 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2594,8 +2594,6 @@ static inline int kmem_cache_close(struct kmem_cache *s)
2594 */ 2594 */
2595void kmem_cache_destroy(struct kmem_cache *s) 2595void kmem_cache_destroy(struct kmem_cache *s)
2596{ 2596{
2597 if (s->flags & SLAB_DESTROY_BY_RCU)
2598 rcu_barrier();
2599 down_write(&slub_lock); 2597 down_write(&slub_lock);
2600 s->refcount--; 2598 s->refcount--;
2601 if (!s->refcount) { 2599 if (!s->refcount) {
@@ -2606,6 +2604,8 @@ void kmem_cache_destroy(struct kmem_cache *s)
2606 "still has objects.\n", s->name, __func__); 2604 "still has objects.\n", s->name, __func__);
2607 dump_stack(); 2605 dump_stack();
2608 } 2606 }
2607 if (s->flags & SLAB_DESTROY_BY_RCU)
2608 rcu_barrier();
2609 sysfs_slab_remove(s); 2609 sysfs_slab_remove(s);
2610 } else 2610 } else
2611 up_write(&slub_lock); 2611 up_write(&slub_lock);