[patch 01/37] fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b

From: Greg KH
Date: Tue Jul 28 2009 - 19:03:52 EST


2.6.27-stable review patch. If anyone has any objections, please let us know.

------------------

From: Paul E. McKenney <paulmck@xxxxxxxxxxxxxxxxxx>

commit 7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5 upstream.

Jesper noted that kmem_cache_destroy() invokes synchronize_rcu() rather than
rcu_barrier() in the SLAB_DESTROY_BY_RCU case, which could result in RCU
callbacks accessing a kmem_cache after it had been destroyed.

Acked-by: Matt Mackall <mpm@xxxxxxxxxxx>
Reported-by: Jesper Dangaard Brouer <hawk@xxxxxxx>
Signed-off-by: Paul E. McKenney <paulmck@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Pekka Enberg <penberg@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
mm/slab.c | 2 +-
mm/slob.c | 2 ++
mm/slub.c | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)

--- a/mm/slab.c
+++ b/mm/slab.c
@@ -2580,7 +2580,7 @@ void kmem_cache_destroy(struct kmem_cach
}

if (unlikely(cachep->flags & SLAB_DESTROY_BY_RCU))
- synchronize_rcu();
+ rcu_barrier();

__kmem_cache_destroy(cachep);
mutex_unlock(&cache_chain_mutex);
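Review bot: rcu_barrier() in this hunk is reached with cache_chain_mutex apparently still held, since mutex_unlock(&cache_chain_mutex) only comes after __kmem_cache_destroy(cachep). rcu_barrier() blocks until all previously queued RCU callbacks have been invoked, so every other path that takes this mutex waits behind it, and any callback that tried to take the mutex would deadlock. Please add a short comment above the call stating that constraint and why synchronize_rcu() is not enough here (it waits for a grace period, not for queued callbacks to finish), so the call is not later swapped back as an optimization.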
--- a/mm/slob.c
+++ b/mm/slob.c
@@ -561,6 +561,8 @@ EXPORT_SYMBOL(kmem_cache_create);

void kmem_cache_destroy(struct kmem_cache *c)
{
+ if (c->flags & SLAB_DESTROY_BY_RCU)
+ rcu_barrier();
slob_free(c, sizeof(struct kmem_cache));
}
EXPORT_SYMBOL(kmem_cache_destroy);
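Review bot: the new test in slob's kmem_cache_destroy() carries no comment, and nothing in the function says which callbacks the barrier is waiting for before slob_free(c, sizeof(struct kmem_cache)) releases the cache descriptor. A one-line comment such as "wait for pending RCU free callbacks that still reference c" would document the ordering requirement. As a style point, the slab.c hunk wraps the same flag test in unlikely() while this one does not; the three allocators should agree.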
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2447,6 +2447,8 @@ static inline int kmem_cache_close(struc
*/
void kmem_cache_destroy(struct kmem_cache *s)
{
+ if (s->flags & SLAB_DESTROY_BY_RCU)
+ rcu_barrier();
down_write(&slub_lock);
s->refcount--;
if (!s->refcount) {
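Review bot: in slub the barrier sits before down_write(&slub_lock) and before s->refcount--, so it runs on every call, including the case where the refcount does not reach zero and the cache is not actually torn down. It also runs before the teardown inside the if (!s->refcount) branch, so any RCU callback queued by that teardown is not covered by this rcu_barrier(). Consider moving the check inside the if (!s->refcount) branch, placed after whatever step there can queue callbacks and before the kmem_cache itself is freed, and say in a comment which of the two orderings is intended.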

