From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Thu, 3 Sep 2009 19:38:59 +0000 (+0300)
Subject: slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU
X-Git-Tag: v2.6.30.7~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e8f23f08a0dbfbaf5e95fa77a12c8cb2b1bd97e7;p=thirdparty%2Fkernel%2Fstable.git

slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU

commit d76b1590e06a63a3d8697168cd0aabf1c4b3cb3a upstream.

kmem_cache_destroy() should call rcu_barrier() *after* kmem_cache_close() and
*before* sysfs_slab_remove() or risk rcu_free_slab() being called after
kmem_cache is deleted (kfreed).

rmmod nf_conntrack can crash the machine because it has to kmem_cache_destroy()
a SLAB_DESTROY_BY_RCU enabled cache.

Reported-by: Zdenek Kabelac <zdenek.kabelac@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/mm/slub.c b/mm/slub.c
index 253016d3cb4ce..0b95a6cc8a41b 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2490,8 +2490,6 @@ static inline int kmem_cache_close(struct kmem_cache *s)
  */
 void kmem_cache_destroy(struct kmem_cache *s)
 {
-	if (s->flags & SLAB_DESTROY_BY_RCU)
-		rcu_barrier();
 	down_write(&slub_lock);
 	s->refcount--;
 	if (!s->refcount) {
@@ -2502,6 +2500,8 @@ void kmem_cache_destroy(struct kmem_cache *s)
 				"still has objects.\n", s->name, __func__);
 			dump_stack();
 		}
+		if (s->flags & SLAB_DESTROY_BY_RCU)
+			rcu_barrier();
 		sysfs_slab_remove(s);
 	} else
 		up_write(&slub_lock);