Message-ID: <kp7fvhxxjyyzk47n67m4xwzgm7gxoqmgglqdvzpkcxqb26sjc4@bu4lil75nc3c>
Date: Fri, 16 Jan 2026 14:27:28 +0800
From: Hao Li <hao.li@...ux.dev>
To: Vlastimil Babka <vbabka@...e.cz>
Cc: Harry Yoo <harry.yoo@...cle.com>, Petr Tesarik <ptesarik@...e.com>, 
	Christoph Lameter <cl@...two.org>, David Rientjes <rientjes@...gle.com>, 
	Roman Gushchin <roman.gushchin@...ux.dev>, Andrew Morton <akpm@...ux-foundation.org>, 
	Uladzislau Rezki <urezki@...il.com>, "Liam R. Howlett" <Liam.Howlett@...cle.com>, 
	Suren Baghdasaryan <surenb@...gle.com>, Sebastian Andrzej Siewior <bigeasy@...utronix.de>, 
	Alexei Starovoitov <ast@...nel.org>, linux-mm@...ck.org, linux-kernel@...r.kernel.org, 
	linux-rt-devel@...ts.linux.dev, bpf@...r.kernel.org, kasan-dev@...glegroups.com
Subject: Re: [PATCH RFC v2 08/20] slab: add optimized sheaf refill from
 partial list

On Thu, Jan 15, 2026 at 03:25:59PM +0100, Vlastimil Babka wrote:
> On 1/12/26 16:17, Vlastimil Babka wrote:
> > At this point we have sheaves enabled for all caches, but their refill
> > is done via __kmem_cache_alloc_bulk() which relies on cpu (partial)
> > slabs - now a redundant caching layer that we are about to remove.
> > 
> > The refill will thus be done from slabs on the node partial list.
> > Introduce new functions that can do that in an optimized way as it's
> > easier than modifying the __kmem_cache_alloc_bulk() call chain.
> > 
> > Extend struct partial_context so it can return a list of slabs from the
> > partial list with the sum of free objects in them within the requested
> > min and max.
> > 
> > Introduce get_partial_node_bulk() that removes the slabs from freelist
> > and returns them in the list.
> > 
> > Introduce get_freelist_nofreeze() which grabs the freelist without
> > freezing the slab.
> > 
> > Introduce alloc_from_new_slab() which can allocate multiple objects from
> > a newly allocated slab where we don't need to synchronize with freeing.
> > In some aspects it's similar to alloc_single_from_new_slab() but assumes
> > the cache is a non-debug one so it can avoid some actions.
> > 
> > Introduce __refill_objects() that uses the functions above to fill an
> > array of objects. It has to handle the possibility that the slabs will
> > contain more objects than were requested, due to concurrent freeing of
> > objects to those slabs. When no more slabs on partial lists are
> > available, it will allocate new slabs. It is intended to be only used
> > in context where spinning is allowed, so add a WARN_ON_ONCE check there.
> > 
> > Finally, switch refill_sheaf() to use __refill_objects(). Sheaves are
> > only refilled from contexts that allow spinning, or even blocking.
> > 
> > Signed-off-by: Vlastimil Babka <vbabka@...e.cz>
> 
> ...
> 
> > +static unsigned int alloc_from_new_slab(struct kmem_cache *s, struct slab *slab,
> > +		void **p, unsigned int count, bool allow_spin)
> > +{
> > +	unsigned int allocated = 0;
> > +	struct kmem_cache_node *n;
> > +	unsigned long flags;
> > +	void *object;
> > +
> > +	if (!allow_spin && (slab->objects - slab->inuse) > count) {
> > +
> > +		n = get_node(s, slab_nid(slab));
> > +
> > +		if (!spin_trylock_irqsave(&n->list_lock, flags)) {
> > +			/* Unlucky, discard newly allocated slab */
> > +			defer_deactivate_slab(slab, NULL);
> 
> This actually does dec_slabs_node() only with slab->frozen which we don't set.

Hi, I think I follow the intent, but I got a little tripped up here: patch 08
(current patch) seems to assume "slab->frozen = 1" is already gone. That's true
after the whole series, but the removal only happens in patch 09.

Would it make sense to avoid relying on that assumption when looking at patch 08
in isolation?

> 
> > +			return 0;
> > +		}
> > +	}
> > +
> > +	object = slab->freelist;
> > +	while (object && allocated < count) {
> > +		p[allocated] = object;
> > +		object = get_freepointer(s, object);
> > +		maybe_wipe_obj_freeptr(s, p[allocated]);
> > +
> > +		slab->inuse++;
> > +		allocated++;
> > +	}
> > +	slab->freelist = object;
> > +
> > +	if (slab->freelist) {
> > +
> > +		if (allow_spin) {
> > +			n = get_node(s, slab_nid(slab));
> > +			spin_lock_irqsave(&n->list_lock, flags);
> > +		}
> > +		add_partial(n, slab, DEACTIVATE_TO_HEAD);
> > +		spin_unlock_irqrestore(&n->list_lock, flags);
> > +	}
> 
> So we should only do inc_slabs_node() here.
> This also addresses the problem in 9/20 that Hao Li pointed out...

Yes, thanks,
Looking at the patchset as a whole, I think this part - together with the later
removal of inc_slabs_node() - does address the issue.

> 
> > +	return allocated;
> > +}
> > +
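
Review bot: In alloc_from_new_slab(), the final add_partial(n, slab, DEACTIVATE_TO_HEAD) and spin_unlock_irqrestore(&n->list_lock, flags) use n and flags that, when allow_spin is false, are only set inside the earlier `(slab->objects - slab->inuse) > count` branch. This is correct only because slab->freelist can be non-NULL after the loop exactly when that condition held, which assumes the freelist length equals slab->objects - slab->inuse and that nothing else can free to the slab in between. Please state that invariant in a comment above `if (slab->freelist)`, or track it explicitly (for example a local bool set where the trylock succeeds), so a later change to either condition cannot reach the unlock with n and flags uninitialized and the lock not held.
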
> 
> ...
> 
> > +static unsigned int
> > +__refill_objects(struct kmem_cache *s, void **p, gfp_t gfp, unsigned int min,
> > +		 unsigned int max)
> > +{
> > +	struct slab *slab, *slab2;
> > +	struct partial_context pc;
> > +	unsigned int refilled = 0;
> > +	unsigned long flags;
> > +	void *object;
> > +	int node;
> > +
> > +	pc.flags = gfp;
> > +	pc.min_objects = min;
> > +	pc.max_objects = max;
> > +
> > +	node = numa_mem_id();
> > +
> > +	if (WARN_ON_ONCE(!gfpflags_allow_spinning(gfp)))
> > +		return 0;
> > +
> > +	/* TODO: consider also other nodes? */
> > +	if (!get_partial_node_bulk(s, get_node(s, node), &pc))
> > +		goto new_slab;
> > +
> > +	list_for_each_entry_safe(slab, slab2, &pc.slabs, slab_list) {
> > +
> > +		list_del(&slab->slab_list);
> > +
> > +		object = get_freelist_nofreeze(s, slab);
> > +
> > +		while (object && refilled < max) {
> > +			p[refilled] = object;
> > +			object = get_freepointer(s, object);
> > +			maybe_wipe_obj_freeptr(s, p[refilled]);
> > +
> > +			refilled++;
> > +		}
> > +
> > +		/*
> > +		 * Freelist had more objects than we can accomodate, we need to
> > +		 * free them back. We can treat it like a detached freelist, just
> > +		 * need to find the tail object.
> > +		 */
> > +		if (unlikely(object)) {
> > +			void *head = object;
> > +			void *tail;
> > +			int cnt = 0;
> > +
> > +			do {
> > +				tail = object;
> > +				cnt++;
> > +				object = get_freepointer(s, object);
> > +			} while (object);
> > +			do_slab_free(s, slab, head, tail, cnt, _RET_IP_);
> > +		}
> > +
> > +		if (refilled >= max)
> > +			break;
> > +	}
> > +
> > +	if (unlikely(!list_empty(&pc.slabs))) {
> > +		struct kmem_cache_node *n = get_node(s, node);
> > +
> > +		spin_lock_irqsave(&n->list_lock, flags);
> > +
> > +		list_for_each_entry_safe(slab, slab2, &pc.slabs, slab_list) {
> > +
> > +			if (unlikely(!slab->inuse && n->nr_partial >= s->min_partial))
> > +				continue;
> > +
> > +			list_del(&slab->slab_list);
> > +			add_partial(n, slab, DEACTIVATE_TO_HEAD);
> > +		}
> > +
> > +		spin_unlock_irqrestore(&n->list_lock, flags);
> > +
> > +		/* any slabs left are completely free and for discard */
> > +		list_for_each_entry_safe(slab, slab2, &pc.slabs, slab_list) {
> > +
> > +			list_del(&slab->slab_list);
> > +			discard_slab(s, slab);
> > +		}
> > +	}
> > +
> > +
> > +	if (likely(refilled >= min))
> > +		goto out;
> > +
> > +new_slab:
> > +
> > +	slab = new_slab(s, pc.flags, node);
> > +	if (!slab)
> > +		goto out;
> > +
> > +	stat(s, ALLOC_SLAB);
> > +	inc_slabs_node(s, slab_nid(slab), slab->objects);
> 
> And remove it from here.
> 
> > +
> > +	/*
> > +	 * TODO: possible optimization - if we know we will consume the whole
> > +	 * slab we might skip creating the freelist?
> > +	 */
> > +	refilled += alloc_from_new_slab(s, slab, p + refilled, max - refilled,
> > +					/* allow_spin = */ true);
> > +
> > +	if (refilled < min)
> > +		goto new_slab;
> > +out:
> > +
> > +	return refilled;
> > +}
> > +
> >  static inline
> >  int __kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
> >  			    void **p)
> > 
> 
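
Review bot: __refill_objects() never checks that min <= max, and the `if (refilled < min) goto new_slab;` loop at the end depends on it. The fill loops cap refilled at max, so with min > max the call becomes alloc_from_new_slab(s, slab, p + refilled, 0, true), which returns 0 and puts the untouched slab on the partial list, and the loop keeps allocating new slabs until new_slab() fails. Suggest documenting the contract (p has room for max entries, min <= max) in a comment on the function and adding a WARN_ON_ONCE(min > max) next to the existing gfpflags_allow_spinning() check, which could also move above the pc setup since it returns before pc is used.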
