releases/2.6.30.4/fix-rcu-callback-after-kmem_cache_destroy-problem-in-slb.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5 Mon Sep 17 00:00:00 2001
 From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
 Date: Thu, 25 Jun 2009 12:31:37 -0700
 Subject: fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b

 From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>

 commit 7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5 upstream.

 Jesper noted that kmem_cache_destroy() invokes synchronize_rcu() rather than
 rcu_barrier() in the SLAB_DESTROY_BY_RCU case, which could result in RCU
 callbacks accessing a kmem_cache after it had been destroyed.

 Acked-by: Matt Mackall <mpm@selenic.com>
 Reported-by: Jesper Dangaard Brouer <hawk@comx.dk>
 Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
 Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  mm/slab.c |    2 +-
  mm/slob.c |    2 ++
  mm/slub.c |    2 ++
  3 files changed, 5 insertions(+), 1 deletion(-)

 --- a/mm/slab.c
 +++ b/mm/slab.c
 @@ -2592,7 +2592,7 @@ void kmem_cache_destroy(struct kmem_cach
  	}

  	if (unlikely(cachep->flags & SLAB_DESTROY_BY_RCU))
 -		synchronize_rcu();
 +		rcu_barrier();

  	__kmem_cache_destroy(cachep);
  	mutex_unlock(&cache_chain_mutex);
 --- a/mm/slob.c
 +++ b/mm/slob.c
 @@ -590,6 +590,8 @@ EXPORT_SYMBOL(kmem_cache_create);

  void kmem_cache_destroy(struct kmem_cache *c)
  {
 +	if (c->flags & SLAB_DESTROY_BY_RCU)
 +		rcu_barrier();
  	slob_free(c, sizeof(struct kmem_cache));
  }
  EXPORT_SYMBOL(kmem_cache_destroy);
 --- a/mm/slub.c
 +++ b/mm/slub.c
 @@ -2490,6 +2490,8 @@ static inline int kmem_cache_close(struc
   */
  void kmem_cache_destroy(struct kmem_cache *s)
  {
 +	if (s->flags & SLAB_DESTROY_BY_RCU)
 +		rcu_barrier();
  	down_write(&slub_lock);
  	s->refcount--;
  	if (!s->refcount) {
	From 7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5 Mon Sep 17 00:00:00 2001
	From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
	Date: Thu, 25 Jun 2009 12:31:37 -0700
	Subject: fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b

	From: Paul E. McKenney <paulmck@linux.vnet.ibm.com>

	commit 7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5 upstream.

	Jesper noted that kmem_cache_destroy() invokes synchronize_rcu() rather than
	rcu_barrier() in the SLAB_DESTROY_BY_RCU case, which could result in RCU
	callbacks accessing a kmem_cache after it had been destroyed.

	Acked-by: Matt Mackall <mpm@selenic.com>
	Reported-by: Jesper Dangaard Brouer <hawk@comx.dk>
	Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
	Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	mm/slab.c \| 2 +-
	mm/slob.c \| 2 ++
	mm/slub.c \| 2 ++
	3 files changed, 5 insertions(+), 1 deletion(-)

	--- a/mm/slab.c
	+++ b/mm/slab.c
	@@ -2592,7 +2592,7 @@ void kmem_cache_destroy(struct kmem_cach
	}

	if (unlikely(cachep->flags & SLAB_DESTROY_BY_RCU))
	- synchronize_rcu();
	+ rcu_barrier();

	__kmem_cache_destroy(cachep);
	mutex_unlock(&cache_chain_mutex);
	--- a/mm/slob.c
	+++ b/mm/slob.c
	@@ -590,6 +590,8 @@ EXPORT_SYMBOL(kmem_cache_create);

	void kmem_cache_destroy(struct kmem_cache *c)
	{
	+ if (c->flags & SLAB_DESTROY_BY_RCU)
	+ rcu_barrier();
	slob_free(c, sizeof(struct kmem_cache));
	}
	EXPORT_SYMBOL(kmem_cache_destroy);
	--- a/mm/slub.c
	+++ b/mm/slub.c
	@@ -2490,6 +2490,8 @@ static inline int kmem_cache_close(struc
	*/
	void kmem_cache_destroy(struct kmem_cache *s)
	{
	+ if (s->flags & SLAB_DESTROY_BY_RCU)
	+ rcu_barrier();
	down_write(&slub_lock);
	s->refcount--;
	if (!s->refcount) {