Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7ed9f7e5 authored Jun 25, 2009 by Paul E. McKenney Committed by Pekka Enberg Jun 26, 2009

fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b



Jesper noted that kmem_cache_destroy() invokes synchronize_rcu() rather than
rcu_barrier() in the SLAB_DESTROY_BY_RCU case, which could result in RCU
callbacks accessing a kmem_cache after it had been destroyed.

Cc: <stable@kernel.org>
Acked-by: Matt Mackall <mpm@selenic.com>
Reported-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>

parent 28d0325c

mm/slab.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2547,7 +2547,7 @@ void kmem_cache_destroy(struct kmem_cache *cachep)
		}

		if (unlikely(cachep->flags & SLAB_DESTROY_BY_RCU))
		synchronize_rcu();
		rcu_barrier();

		__kmem_cache_destroy(cachep);
		mutex_unlock(&cache_chain_mutex);

mm/slob.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -595,6 +595,8 @@ EXPORT_SYMBOL(kmem_cache_create);
		void kmem_cache_destroy(struct kmem_cache *c)
		{
		kmemleak_free(c);
		if (c->flags & SLAB_DESTROY_BY_RCU)
		rcu_barrier();
		slob_free(c, sizeof(struct kmem_cache));
		}
		EXPORT_SYMBOL(kmem_cache_destroy);

mm/slub.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -2595,6 +2595,8 @@ static inline int kmem_cache_close(struct kmem_cache *s)
		*/
		void kmem_cache_destroy(struct kmem_cache *s)
		{
		if (s->flags & SLAB_DESTROY_BY_RCU)
		rcu_barrier();
		down_write(&slub_lock);
		s->refcount--;
		if (!s->refcount) {