From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Date: Thu, 25 Jun 2009 19:31:37 +0000 (-0700)
Subject: fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b
X-Git-Tag: v2.6.27.29~37
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=c6e23180eed05084ec631b2d2de0e94df8b48c74;p=karo-tx-linux.git

fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b

commit 7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5 upstream.

Jesper noted that kmem_cache_destroy() invokes synchronize_rcu() rather than
rcu_barrier() in the SLAB_DESTROY_BY_RCU case, which could result in RCU
callbacks accessing a kmem_cache after it had been destroyed.

Acked-by: Matt Mackall <mpm@selenic.com>
Reported-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/mm/slab.c b/mm/slab.c
index e76eee466886..600e8649629e 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -2580,7 +2580,7 @@ void kmem_cache_destroy(struct kmem_cache *cachep)
 	}
 
 	if (unlikely(cachep->flags & SLAB_DESTROY_BY_RCU))
-		synchronize_rcu();
+		rcu_barrier();
 
 	__kmem_cache_destroy(cachep);
 	mutex_unlock(&cache_chain_mutex);
diff --git a/mm/slob.c b/mm/slob.c
index cb675d126791..ed04252cba58 100644
--- a/mm/slob.c
+++ b/mm/slob.c
@@ -561,6 +561,8 @@ EXPORT_SYMBOL(kmem_cache_create);
 
 void kmem_cache_destroy(struct kmem_cache *c)
 {
+	if (c->flags & SLAB_DESTROY_BY_RCU)
+		rcu_barrier();
 	slob_free(c, sizeof(struct kmem_cache));
 }
 EXPORT_SYMBOL(kmem_cache_destroy);
diff --git a/mm/slub.c b/mm/slub.c
index 0c83e6afe7b2..f0175b454c74 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2447,6 +2447,8 @@ static inline int kmem_cache_close(struct kmem_cache *s)
  */
 void kmem_cache_destroy(struct kmem_cache *s)
 {
+	if (s->flags & SLAB_DESTROY_BY_RCU)
+		rcu_barrier();
 	down_write(&slub_lock);
 	s->refcount--;
 	if (!s->refcount) {