Commit d76b1590 authored by Eric Dumazet's avatar Eric Dumazet Committed by Pekka Enberg

slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU

kmem_cache_destroy() should call rcu_barrier() *after* kmem_cache_close() and
*before* sysfs_slab_remove() or risk rcu_free_slab() being called after
kmem_cache is deleted (kfreed).

rmmod nf_conntrack can crash the machine because it has to kmem_cache_destroy()
a SLAB_DESTROY_BY_RCU enabled cache.

Cc: <stable@kernel.org>
Reported-by: default avatarZdenek Kabelac <zdenek.kabelac@gmail.com>
Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
Acked-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: default avatarPekka Enberg <penberg@cs.helsinki.fi>
parent 326ba501
...@@ -2594,8 +2594,6 @@ static inline int kmem_cache_close(struct kmem_cache *s) ...@@ -2594,8 +2594,6 @@ static inline int kmem_cache_close(struct kmem_cache *s)
*/ */
void kmem_cache_destroy(struct kmem_cache *s) void kmem_cache_destroy(struct kmem_cache *s)
{ {
if (s->flags & SLAB_DESTROY_BY_RCU)
rcu_barrier();
down_write(&slub_lock); down_write(&slub_lock);
s->refcount--; s->refcount--;
if (!s->refcount) { if (!s->refcount) {
...@@ -2606,6 +2604,8 @@ void kmem_cache_destroy(struct kmem_cache *s) ...@@ -2606,6 +2604,8 @@ void kmem_cache_destroy(struct kmem_cache *s)
"still has objects.\n", s->name, __func__); "still has objects.\n", s->name, __func__);
dump_stack(); dump_stack();
} }
if (s->flags & SLAB_DESTROY_BY_RCU)
rcu_barrier();
sysfs_slab_remove(s); sysfs_slab_remove(s);
} else } else
up_write(&slub_lock); up_write(&slub_lock);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment