diff options
author | Paul E. McKenney <paulmck@linux.vnet.ibm.com> | 2009-06-25 12:31:37 -0700 |
---|---|---|
committer | Pekka Enberg <penberg@cs.helsinki.fi> | 2009-06-26 12:10:47 +0300 |
commit | 7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5 (patch) | |
tree | c8ee9b63e1e8d3925b8a08a2b21a331434d183b5 /mm | |
parent | 28d0325ce6e0a52f53d8af687e6427fee59004d3 (diff) | |
download | kernel_samsung_aries-7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5.zip kernel_samsung_aries-7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5.tar.gz kernel_samsung_aries-7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5.tar.bz2 |
fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b
Jesper noted that kmem_cache_destroy() invokes synchronize_rcu() rather than
rcu_barrier() in the SLAB_DESTROY_BY_RCU case, which could result in RCU
callbacks accessing a kmem_cache after it had been destroyed.
Cc: <stable@kernel.org>
Acked-by: Matt Mackall <mpm@selenic.com>
Reported-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
Diffstat (limited to 'mm')
-rw-r--r-- | mm/slab.c | 2 | ||||
-rw-r--r-- | mm/slob.c | 2 | ||||
-rw-r--r-- | mm/slub.c | 2 |
3 files changed, 5 insertions, 1 deletions
@@ -2547,7 +2547,7 @@ void kmem_cache_destroy(struct kmem_cache *cachep) } if (unlikely(cachep->flags & SLAB_DESTROY_BY_RCU)) - synchronize_rcu(); + rcu_barrier(); __kmem_cache_destroy(cachep); mutex_unlock(&cache_chain_mutex); @@ -595,6 +595,8 @@ EXPORT_SYMBOL(kmem_cache_create); void kmem_cache_destroy(struct kmem_cache *c) { kmemleak_free(c); + if (c->flags & SLAB_DESTROY_BY_RCU) + rcu_barrier(); slob_free(c, sizeof(struct kmem_cache)); } EXPORT_SYMBOL(kmem_cache_destroy); @@ -2595,6 +2595,8 @@ static inline int kmem_cache_close(struct kmem_cache *s) */ void kmem_cache_destroy(struct kmem_cache *s) { + if (s->flags & SLAB_DESTROY_BY_RCU) + rcu_barrier(); down_write(&slub_lock); s->refcount--; if (!s->refcount) { |