diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2009-09-03 19:38:59 (GMT) |
---|---|---|
committer | Pekka Enberg <penberg@cs.helsinki.fi> | 2009-09-03 19:38:59 (GMT) |
commit | d76b1590e06a63a3d8697168cd0aabf1c4b3cb3a (patch) | |
tree | 276a0323e0b25192fdb837475b816db3b3052cad | |
parent | 326ba5010a5429a5a528b268b36a5900d4ab0eba (diff) | |
download | linux-d76b1590e06a63a3d8697168cd0aabf1c4b3cb3a.tar.xz |
slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU
kmem_cache_destroy() should call rcu_barrier() *after* kmem_cache_close() and
*before* sysfs_slab_remove() or risk rcu_free_slab() being called after
kmem_cache is deleted (kfreed).
rmmod nf_conntrack can crash the machine because it has to kmem_cache_destroy()
a SLAB_DESTROY_BY_RCU enabled cache.
Cc: <stable@kernel.org>
Reported-by: Zdenek Kabelac <zdenek.kabelac@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
-rw-r--r-- | mm/slub.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -2594,8 +2594,6 @@ static inline int kmem_cache_close(struct kmem_cache *s) */ void kmem_cache_destroy(struct kmem_cache *s) { - if (s->flags & SLAB_DESTROY_BY_RCU) - rcu_barrier(); down_write(&slub_lock); s->refcount--; if (!s->refcount) { @@ -2606,6 +2604,8 @@ void kmem_cache_destroy(struct kmem_cache *s) "still has objects.\n", s->name, __func__); dump_stack(); } + if (s->flags & SLAB_DESTROY_BY_RCU) + rcu_barrier(); sysfs_slab_remove(s); } else up_write(&slub_lock); |