Open Source and information security mailing list archives
Message-ID: <937b6cb3-27d5-4416-8152-df12b45979be@suse.cz>
Date: Wed, 29 Oct 2025 22:31:33 +0100
From: Vlastimil Babka <vbabka@...e.cz>
To: Chris Mason <clm@...a.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
 Christoph Lameter <cl@...two.org>, David Rientjes <rientjes@...gle.com>,
 Roman Gushchin <roman.gushchin@...ux.dev>, Harry Yoo <harry.yoo@...cle.com>,
 Uladzislau Rezki <urezki@...il.com>,
 "Liam R. Howlett" <Liam.Howlett@...cle.com>,
 Suren Baghdasaryan <surenb@...gle.com>,
 Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
 Alexei Starovoitov <ast@...nel.org>, linux-mm@...ck.org,
 linux-kernel@...r.kernel.org, linux-rt-devel@...ts.linux.dev,
 bpf@...r.kernel.org, kasan-dev@...glegroups.com
Subject: Re: [PATCH RFC 10/19] slab: remove cpu (partial) slabs usage from
 allocation paths

On 10/24/25 16:29, Chris Mason wrote:
>>  	else if (!spin_trylock_irqsave(&n->list_lock, flags))
>>  		return NULL;
>>  	list_for_each_entry_safe(slab, slab2, &n->partial, slab_list) {
>> +
>> +		unsigned long counters;
>> +		struct slab new;
>> +
>>  		if (!pfmemalloc_match(slab, pc->flags))
>>  			continue;
> 
> Can get_partial_node() return an uninitialized pointer? The variable
> 'object' is declared but never initialized. If all slabs in the partial
> list fail the pfmemalloc_match() check, the loop completes without
> setting 'object', then returns it at the end of the function.
> 
> In the previous version, the equivalent 'partial' variable was explicitly
> initialized to NULL. When all slabs were skipped, NULL was returned.

Indeed, this can happen. Thanks!

>>
>>  		if (IS_ENABLED(CONFIG_SLUB_TINY) || kmem_cache_debug(s)) {
>> -			void *object = alloc_single_from_partial(s, n, slab,
>> +			object = alloc_single_from_partial(s, n, slab,
>>  							pc->orig_size);
>> -			if (object) {
>> -				partial = slab;
>> -				pc->object = object;
>> +			if (object)
>>  				break;
>> -			}
>>  			continue;
>>  		}
>>
>> -		remove_partial(n, slab);
>> -
>> -		if (!partial) {
>> -			partial = slab;
>> -			stat(s, ALLOC_FROM_PARTIAL);
>> -
>> -			if ((slub_get_cpu_partial(s) == 0)) {
>> -				break;
>> -			}
>> -		} else {
>> -			put_cpu_partial(s, slab, 0);
>> -			stat(s, CPU_PARTIAL_NODE);
>> -
>> -			if (++partial_slabs > slub_get_cpu_partial(s) / 2) {
>> -				break;
>> -			}
>> -		}
>> +		/*
>> +		 * get a single object from the slab. This might race against
>> +		 * __slab_free(), which however has to take the list_lock if
>> +		 * it's about to make the slab fully free.
>> +		 */
>> +		do {
>> +			object = slab->freelist;
>> +			counters = slab->counters;
>> +			new.freelist = get_freepointer(s, object);
>> +			new.counters = counters;
>> +			new.inuse++;
>> +		} while (!__slab_update_freelist(s, slab,
>> +			object, counters,
>> +			new.freelist, new.counters,
>> +			"get_partial_node"));
>> +
>> +		if (!new.freelist)
>> +			remove_partial(n, slab);
>>  	}
>>  	spin_unlock_irqrestore(&n->list_lock, flags);
>> -	return partial;
>> +	return object;
>>  }
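Review bot: in the lockless path, the lines after the do/while show no `break` before the closing brace of list_for_each_entry_safe(), so unless something was elided from the quote, a successful __slab_update_freelist() is followed by a move to the next partial slab, where another object is taken and `object` is overwritten. Every object but the last would then be counted in `inuse` with nobody holding it. The CONFIG_SLUB_TINY / kmem_cache_debug() branch above does `break` once it has an object; the same is needed here, after the `if (!new.freelist) remove_partial(n, slab);` step.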
> 
> [ ... ]
> 
> 

