Message ID | 4A9FD047.9000002@gmail.com |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
On Thu, Sep 3, 2009 at 5:18 PM, Eric Dumazet<eric.dumazet@gmail.com> wrote:
> Here is the second patch (RCU thing). Stable candidate
>
> [PATCH] slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU
>
> kmem_cache_destroy() should call rcu_barrier() *after* kmem_cache_close()
> and *before* sysfs_slab_remove() or risk rcu_free_slab()
> being called after kmem_cache is deleted (kfreed).
>
> rmmod nf_conntrack can crash the machine because it has to
> kmem_cache_destroy() a SLAB_DESTROY_BY_RCU enabled cache.

Do we have a bugzilla URL for this?

> Reported-by: Zdenek Kabelac <zdenek.kabelac@gmail.com>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>

OK, this is in for-next now and queued for 2.6.31. If you guys want to
fix this in a different way, let's do that in 2.6.32.

Pekka

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Pekka Enberg wrote:
> On Thu, Sep 3, 2009 at 5:18 PM, Eric Dumazet<eric.dumazet@gmail.com> wrote:
>> Here is the second patch (RCU thing). Stable candidate
>>
>> [PATCH] slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU
>>
>> kmem_cache_destroy() should call rcu_barrier() *after* kmem_cache_close()
>> and *before* sysfs_slab_remove() or risk rcu_free_slab()
>> being called after kmem_cache is deleted (kfreed).
>>
>> rmmod nf_conntrack can crash the machine because it has to
>> kmem_cache_destroy() a SLAB_DESTROY_BY_RCU enabled cache.
>
> Do we have a bugzilla URL for this?

Well, I can crash my 2.6.30.5 machine just doing rmmod nf_conntrack
(You'll need CONFIG_SLUB_DEBUG_ON or equivalent)

Original Zdenek report:
http://thread.gmane.org/gmane.linux.kernel/876016/focus=876086

>
>> Reported-by: Zdenek Kabelac <zdenek.kabelac@gmail.com>
>> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
>> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
>
> OK, this is in for-next now and queued for 2.6.31. If you guys want to
> fix this in a different way, let's do that in 2.6.32.

Seems the right thing IMHO
diff --git a/mm/slub.c b/mm/slub.c index b9f1491..b627675 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -2594,8 +2594,6 @@ static inline int kmem_cache_close(struct kmem_cache *s) */ void kmem_cache_destroy(struct kmem_cache *s) { - if (s->flags & SLAB_DESTROY_BY_RCU) - rcu_barrier(); down_write(&slub_lock); s->refcount--; if (!s->refcount) { @@ -2606,6 +2604,8 @@ void kmem_cache_destroy(struct kmem_cache *s) "still has objects.\n", s->name, __func__); dump_stack(); } + if (s->flags & SLAB_DESTROY_BY_RCU) + rcu_barrier(); sysfs_slab_remove(s); } else up_write(&slub_lock);
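
Review bot: The relocated rcu_barrier() in the second hunk carries no comment explaining why it has to sit after the kmem_cache_close() check and before sysfs_slab_remove(s). That ordering is the entire fix, so a short comment at the new call site (pending rcu_free_slab() callbacks must complete before the kmem_cache is freed) would keep a later cleanup from hoisting it back to the top of kmem_cache_destroy(), where the first hunk removes it. Separately, the visible lines show up_write(&slub_lock) only in the else branch; please confirm the refcount-zero branch has already released slub_lock before this point, since rcu_barrier() blocks until outstanding RCU callbacks have run and would otherwise stall every other slub_lock user for that long.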