fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b

Jesper noted that kmem_cache_destroy() invokes synchronize_rcu() rather than
rcu_barrier() in the SLAB_DESTROY_BY_RCU case, which could result in RCU
callbacks accessing a kmem_cache after it had been destroyed.

Cc: <stable@kernel.org>
Acked-by: Matt Mackall <mpm@selenic.com>
Reported-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>

3 files changed, 5 insertions, 1 deletions

diff --git a/mm/slab.c b/mm/slab.c
index e74a16e4ced6..5241b6598ba3 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -2547,7 +2547,7 @@ void kmem_cache_destroy(struct kmem_cache *cachep)
         }
 
         if (unlikely(cachep->flags & SLAB_DESTROY_BY_RCU))
-                synchronize_rcu();
+                rcu_barrier();
 
         __kmem_cache_destroy(cachep);
         mutex_unlock(&cache_chain_mutex);
diff --git a/mm/slob.c b/mm/slob.c
index c78742defdc6..9641da3d5e58 100644
--- a/mm/slob.c
+++ b/mm/slob.c
@@ -595,6 +595,8 @@ EXPORT_SYMBOL(kmem_cache_create);
 void kmem_cache_destroy(struct kmem_cache *c)
 {
         kmemleak_free(c);
+        if (c->flags & SLAB_DESTROY_BY_RCU)
+                rcu_barrier();
         slob_free(c, sizeof(struct kmem_cache));
 }
 EXPORT_SYMBOL(kmem_cache_destroy);
diff --git a/mm/slub.c b/mm/slub.c
index 819f056b39c6..a9201d83178b 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2595,6 +2595,8 @@ static inline int kmem_cache_close(struct kmem_cache *s)
  */
 void kmem_cache_destroy(struct kmem_cache *s)
 {
+        if (s->flags & SLAB_DESTROY_BY_RCU)
+                rcu_barrier();
         down_write(&slub_lock);
         s->refcount--;
         if (!s->refcount) {