lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU

Browse Source 
kmem_cache_destroy() should call rcu_barrier() *after* kmem_cache_close() and
*before* sysfs_slab_remove() or risk rcu_free_slab() being called after
kmem_cache is deleted (kfreed).

rmmod nf_conntrack can crash the machine because it has to kmem_cache_destroy()
a SLAB_DESTROY_BY_RCU enabled cache.

Cc: <stable@kernel.org>
Reported-by: Zdenek Kabelac <zdenek.kabelac@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
This commit is contained in:
Eric Dumazet
2009-09-03 22:38:59 +03:00
committed by Pekka Enberg
parent 326ba5010a
commit d76b1590e0
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
mm/slub.c
View File

@@ -2594,8 +2594,6 @@ static inline int kmem_cache_close(struct kmem_cache *s)
*/ */
void kmem_cache_destroy(struct kmem_cache *s) void kmem_cache_destroy(struct kmem_cache *s)
{ {
if (s->flags & SLAB_DESTROY_BY_RCU)
rcu_barrier();
down_write(&slub_lock); down_write(&slub_lock);
s->refcount--; s->refcount--;
if (!s->refcount) { if (!s->refcount) {
@@ -2606,6 +2604,8 @@ void kmem_cache_destroy(struct kmem_cache *s)
"still has objects.\n", s->name, __func__); "still has objects.\n", s->name, __func__);
dump_stack(); dump_stack();
} }
if (s->flags & SLAB_DESTROY_BY_RCU)
rcu_barrier();
sysfs_slab_remove(s); sysfs_slab_remove(s);
} else } else
up_write(&slub_lock); up_write(&slub_lock);