aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorNeil Horman <nhorman@tuxdriver.com>2010-01-17 12:16:12 -0500
committerDavid S. Miller <davem@davemloft.net>2010-01-19 04:59:01 -0500
commitde4ef86cfce60d2250111f34f8a084e769f23b16 (patch)
tree097eb01bbe375ab3a14f6f7135901b160206f602 /net
parent0a931acfd19faf13129a22a46c06f330ecc2a4a3 (diff)
dccp: fix dccp rmmod when kernel configured to use slub
Hey all- I was tinkering with dccp recently and noticed that I BUG halted the kernel when I rmmod-ed the dccp module. The bug halt occured because the page that I passed to kfree failed the PageCompound and PageSlab test in the slub implementation of kfree. I tracked the problem down to the following set of events: 1) dccp, unlike all other uses of kmem_cache_create, allocates a string dynamically when registering a slab cache. This allocated string is freed when the cache is destroyed. 2) Normally, (1) is not an issue, but when Slub is in use, it is possible that caches are 'merged'. This process causes multiple caches of simmilar configuration to use the same cache data structure. When this happens, the new name of the cache is effectively dropped. 3) (2) results in kmem_cache_name returning an ambigous value (i.e. ccid_kmem_cache_destroy, which uses this fuction to retrieve the name pointer for freeing), is no longer guaranteed that the string it assigned is what is returned. 4) If such merge event occurs, ccid_kmem_cache_destroy frees the wrong pointer, which trips over the BUG in the slub implementation of kfree (since its likely not a slab allocation, but rather a pointer into the static string table section. So, what to do about this. At first blush this is pretty clearly a leak in the information that slub owns, and as such a slub bug. Unfortunately, theres no really good way to fix it, without exposing slub specific implementation details to the generic slab interface. Also, even if we could fix this in slub cleanly, I think the RCU free option would force us to do lots of string duplication, not only in slub, but in every slab allocator. As such, I'd like to propose this solution. Basically, I just move the storage for the kmem cache name to the ccid_operations structure. In so doing, we don't have to do the kstrdup or kfree when we allocate/free the various caches for dccp, and so we avoid the problem, by storing names with static memory, rather than heap, the way all other calls to kmem_cache_create do. I've tested this out myself here, and it solves the problem quite well. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/dccp/ccid.c18
-rw-r--r--net/dccp/ccid.h2
2 files changed, 7 insertions, 13 deletions
diff --git a/net/dccp/ccid.c b/net/dccp/ccid.c
index f3e9ba1cfd01..57dfb9c8c4f2 100644
--- a/net/dccp/ccid.c
+++ b/net/dccp/ccid.c
@@ -77,34 +77,24 @@ int ccid_getsockopt_builtin_ccids(struct sock *sk, int len,
77 return err; 77 return err;
78} 78}
79 79
80static struct kmem_cache *ccid_kmem_cache_create(int obj_size, const char *fmt,...) 80static struct kmem_cache *ccid_kmem_cache_create(int obj_size, char *slab_name_fmt, const char *fmt,...)
81{ 81{
82 struct kmem_cache *slab; 82 struct kmem_cache *slab;
83 char slab_name_fmt[32], *slab_name;
84 va_list args; 83 va_list args;
85 84
86 va_start(args, fmt); 85 va_start(args, fmt);
87 vsnprintf(slab_name_fmt, sizeof(slab_name_fmt), fmt, args); 86 vsnprintf(slab_name_fmt, sizeof(slab_name_fmt), fmt, args);
88 va_end(args); 87 va_end(args);
89 88
90 slab_name = kstrdup(slab_name_fmt, GFP_KERNEL); 89 slab = kmem_cache_create(slab_name_fmt, sizeof(struct ccid) + obj_size, 0,
91 if (slab_name == NULL)
92 return NULL;
93 slab = kmem_cache_create(slab_name, sizeof(struct ccid) + obj_size, 0,
94 SLAB_HWCACHE_ALIGN, NULL); 90 SLAB_HWCACHE_ALIGN, NULL);
95 if (slab == NULL)
96 kfree(slab_name);
97 return slab; 91 return slab;
98} 92}
99 93
100static void ccid_kmem_cache_destroy(struct kmem_cache *slab) 94static void ccid_kmem_cache_destroy(struct kmem_cache *slab)
101{ 95{
102 if (slab != NULL) { 96 if (slab != NULL)
103 const char *name = kmem_cache_name(slab);
104
105 kmem_cache_destroy(slab); 97 kmem_cache_destroy(slab);
106 kfree(name);
107 }
108} 98}
109 99
110static int ccid_activate(struct ccid_operations *ccid_ops) 100static int ccid_activate(struct ccid_operations *ccid_ops)
@@ -113,6 +103,7 @@ static int ccid_activate(struct ccid_operations *ccid_ops)
113 103
114 ccid_ops->ccid_hc_rx_slab = 104 ccid_ops->ccid_hc_rx_slab =
115 ccid_kmem_cache_create(ccid_ops->ccid_hc_rx_obj_size, 105 ccid_kmem_cache_create(ccid_ops->ccid_hc_rx_obj_size,
106 ccid_ops->ccid_hc_rx_slab_name,
116 "ccid%u_hc_rx_sock", 107 "ccid%u_hc_rx_sock",
117 ccid_ops->ccid_id); 108 ccid_ops->ccid_id);
118 if (ccid_ops->ccid_hc_rx_slab == NULL) 109 if (ccid_ops->ccid_hc_rx_slab == NULL)
@@ -120,6 +111,7 @@ static int ccid_activate(struct ccid_operations *ccid_ops)
120 111
121 ccid_ops->ccid_hc_tx_slab = 112 ccid_ops->ccid_hc_tx_slab =
122 ccid_kmem_cache_create(ccid_ops->ccid_hc_tx_obj_size, 113 ccid_kmem_cache_create(ccid_ops->ccid_hc_tx_obj_size,
114 ccid_ops->ccid_hc_tx_slab_name,
123 "ccid%u_hc_tx_sock", 115 "ccid%u_hc_tx_sock",
124 ccid_ops->ccid_id); 116 ccid_ops->ccid_id);
125 if (ccid_ops->ccid_hc_tx_slab == NULL) 117 if (ccid_ops->ccid_hc_tx_slab == NULL)
diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
index facedd20b531..269958bf7fe9 100644
--- a/net/dccp/ccid.h
+++ b/net/dccp/ccid.h
@@ -49,6 +49,8 @@ struct ccid_operations {
49 const char *ccid_name; 49 const char *ccid_name;
50 struct kmem_cache *ccid_hc_rx_slab, 50 struct kmem_cache *ccid_hc_rx_slab,
51 *ccid_hc_tx_slab; 51 *ccid_hc_tx_slab;
52 char ccid_hc_rx_slab_name[32];
53 char ccid_hc_tx_slab_name[32];
52 __u32 ccid_hc_rx_obj_size, 54 __u32 ccid_hc_rx_obj_size,
53 ccid_hc_tx_obj_size; 55 ccid_hc_tx_obj_size;
54 /* Interface Routines */ 56 /* Interface Routines */