[RFC] SLUB: list_slab_objects() looks like a miss-merge

[RFC] SLUB: list_slab_objects() looks like a miss-merge

[Sebastian Andrzej Siewior]

Hi,

I stumbled over the following:

| static void free_partial(struct kmem_cache *s, struct kmem_cache_node *n)
| {
…
|         unsigned long *map = NULL;
| 
| #ifdef CONFIG_SLUB_DEBUG
|         map = bitmap_alloc(oo_objects(s->max), GFP_KERNEL);
| #endif
…
|                 } else {
|                         list_slab_objects(s, page,
|                           "Objects remaining in %s on __kmem_cache_shutdown()",
|                           map);
|                 }
|         }
…
| #ifdef CONFIG_SLUB_DEBUG
|         bitmap_free(map);
| #endif
…
| }


so map gets allocated, passed to list_slab_objects() and then freed at
end. Haven't notices where `map' is set but maybe it is just a buffer
used in list_slab_objects().
And then there is this:

| static void list_slab_objects(struct kmem_cache *s, struct page *page,
|                               const char *text, unsigned long *map)
| {
| #ifdef CONFIG_SLUB_DEBUG
|         void *addr = page_address(page);
|         void *p;
| 
|         if (!map)
|                 return;

No map, return. Okay.

|         slab_err(s, page, text, s->name);
|         slab_lock(page);
| 
|         map = get_map(s, page);

and here `map' gets overwritten, correct? But it gets initialized. And it also
acquires `object_map_lock'.

|         for_each_object(p, s, addr, page->objects) {
| 
|                 if (!test_bit(slab_index(p, s, addr), map)) {
|                         pr_err("INFO: Object 0x%p @offset=%tu\n", p, p - addr);
|                         print_tracking(s, p);
|                 }
|         }

and here I would expect to unlock `object_map_lock'.

|         slab_unlock(page);
| #endif
| }   

Is this a miss-merge of some kind? I would revert commit
   aa456c7aebb14 ("slub: remove kmalloc under list_lock from list_slab_objects() V2")

by doing this:

diff --git a/kernel/locking/rwsem.h b/kernel/locking/rwsem.h
deleted file mode 100644
index e69de29bb2d1d..0000000000000
diff --git a/mm/slub.c b/mm/slub.c
index b8f798b50d44d..72195cafbb503 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3766,15 +3766,13 @@ static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
 }
 
 static void list_slab_objects(struct kmem_cache *s, struct page *page,
-			      const char *text, unsigned long *map)
+			      const char *text)
 {
 #ifdef CONFIG_SLUB_DEBUG
 	void *addr = page_address(page);
+	unsigned long *map;
 	void *p;
 
-	if (!map)
-		return;
-
 	slab_err(s, page, text, s->name);
 	slab_lock(page);
 
@@ -3786,6 +3784,7 @@ static void list_slab_objects(struct kmem_cache *s, struct page *page,
 			print_tracking(s, p);
 		}
 	}
+	put_map(map);
 	slab_unlock(page);
 #endif
 }
@@ -3799,11 +3798,6 @@ static void free_partial(struct kmem_cache *s, struct kmem_cache_node *n)
 {
 	LIST_HEAD(discard);
 	struct page *page, *h;
-	unsigned long *map = NULL;
-
-#ifdef CONFIG_SLUB_DEBUG
-	map = bitmap_alloc(oo_objects(s->max), GFP_KERNEL);
-#endif
 
 	BUG_ON(irqs_disabled());
 	spin_lock_irq(&n->list_lock);
@@ -3813,16 +3807,11 @@ static void free_partial(struct kmem_cache *s, struct kmem_cache_node *n)
 			list_add(&page->slab_list, &discard);
 		} else {
 			list_slab_objects(s, page,
-			  "Objects remaining in %s on __kmem_cache_shutdown()",
-			  map);
+			  "Objects remaining in %s on __kmem_cache_shutdown()");
 		}
 	}
 	spin_unlock_irq(&n->list_lock);
 
-#ifdef CONFIG_SLUB_DEBUG
-	bitmap_free(map);
-#endif
-
 	list_for_each_entry_safe(page, h, &discard, slab_list)
 		discard_slab(s, page);
 }


Is there something I'm missing? This is completely untested of course.

Sebastian

Re: [RFC] SLUB: list_slab_objects() looks like a miss-merge

[Christopher Lameter]

On Thu, 18 Jun 2020, Sebastian Andrzej Siewior wrote:

> Is this a miss-merge of some kind? I would revert commit
>    aa456c7aebb14 ("slub: remove kmalloc under list_lock from list_slab_objects() V2")

Seems that two fixes to the same problem were merged?

[PATCH 1/2] slub: Cure list_slab_objects() from double fix

[Sebastian Andrzej Siewior]

According to Christopher Lameter two fixes have been merged for the same
problem. As far as I can tell, the code does not acquire the list_lock and
invoke kmalloc().
list_slab_objects() misses an unlock (the counterpart to get_map()) and
the memory allocated in free_partial() isn't used.

Revert the mentioned commit.

Fixes: aa456c7aebb14 ("slub: remove kmalloc under list_lock from list_slab_objects() V2")
Link: https://lkml.kernel.org/r/alpine.DEB.2.22.394.2006181501480.12014@www.lameter.com
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 mm/slub.c | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/mm/slub.c b/mm/slub.c
index b8f798b50d44d..72195cafbb503 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3766,15 +3766,13 @@ static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
 }
 
 static void list_slab_objects(struct kmem_cache *s, struct page *page,
-			      const char *text, unsigned long *map)
+			      const char *text)
 {
 #ifdef CONFIG_SLUB_DEBUG
 	void *addr = page_address(page);
+	unsigned long *map;
 	void *p;
 
-	if (!map)
-		return;
-
 	slab_err(s, page, text, s->name);
 	slab_lock(page);
 
@@ -3786,6 +3784,7 @@ static void list_slab_objects(struct kmem_cache *s, struct page *page,
 			print_tracking(s, p);
 		}
 	}
+	put_map(map);
 	slab_unlock(page);
 #endif
 }
@@ -3799,11 +3798,6 @@ static void free_partial(struct kmem_cache *s, struct kmem_cache_node *n)
 {
 	LIST_HEAD(discard);
 	struct page *page, *h;
-	unsigned long *map = NULL;
-
-#ifdef CONFIG_SLUB_DEBUG
-	map = bitmap_alloc(oo_objects(s->max), GFP_KERNEL);
-#endif
 
 	BUG_ON(irqs_disabled());
 	spin_lock_irq(&n->list_lock);
@@ -3813,16 +3807,11 @@ static void free_partial(struct kmem_cache *s, struct kmem_cache_node *n)
 			list_add(&page->slab_list, &discard);
 		} else {
 			list_slab_objects(s, page,
-			  "Objects remaining in %s on __kmem_cache_shutdown()",
-			  map);
+			  "Objects remaining in %s on __kmem_cache_shutdown()");
 		}
 	}
 	spin_unlock_irq(&n->list_lock);
 
-#ifdef CONFIG_SLUB_DEBUG
-	bitmap_free(map);
-#endif
-
 	list_for_each_entry_safe(page, h, &discard, slab_list)
 		discard_slab(s, page);
 }
-- 
2.27.0

[PATCH 2/2] slub: Drop lockdep_assert_held() from put_map()

[Sebastian Andrzej Siewior]

There is no point in using lockdep_assert_held() unlock that is about to be
unlocked. It works only with lockdep and lockdep will complain if
spin_unlock() is used on a lock that has not been locked.

Remove superfluous lockdep_assert_held().

Cc: Yu Zhao <yuzhao@google.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 mm/slub.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/mm/slub.c b/mm/slub.c
index 72195cafbb503..5a43ad225427f 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -469,8 +469,6 @@ static unsigned long *get_map(struct kmem_cache *s, struct page *page)
 static void put_map(unsigned long *map) __releases(&object_map_lock)
 {
 	VM_BUG_ON(map != object_map);
-	lockdep_assert_held(&object_map_lock);
-
 	spin_unlock(&object_map_lock);
 }
 
-- 
2.27.0

Re: [RFC] SLUB: list_slab_objects() looks like a miss-merge

[Yu Zhao]

On Thu, Jun 18, 2020 at 03:03:25PM +0000, Christopher Lameter wrote:
> On Thu, 18 Jun 2020, Sebastian Andrzej Siewior wrote:
> 
> > Is this a miss-merge of some kind? I would revert commit
> >    aa456c7aebb14 ("slub: remove kmalloc under list_lock from list_slab_objects() V2")
> 
> Seems that two fixes to the same problem were merged?

Sorry, I assumed the previous fix had been dropped when this one was
taken. I'm fine with reverting the previous fix if this one is deemed
more appropriate.