| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aW7dUeoDALhJI0Ic@hyeyoo>
Date: Tue, 20 Jan 2026 10:41:37 +0900
From: Harry Yoo <harry.yoo@...cle.com>
To: Vlastimil Babka <vbabka@...e.cz>
Cc: Petr Tesarik <ptesarik@...e.com>, Christoph Lameter <cl@...two.org>,
David Rientjes <rientjes@...gle.com>,
Roman Gushchin <roman.gushchin@...ux.dev>, Hao Li <hao.li@...ux.dev>,
Andrew Morton <akpm@...ux-foundation.org>,
Uladzislau Rezki <urezki@...il.com>,
"Liam R. Howlett" <Liam.Howlett@...cle.com>,
Suren Baghdasaryan <surenb@...gle.com>,
Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
Alexei Starovoitov <ast@...nel.org>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, linux-rt-devel@...ts.linux.dev,
bpf@...r.kernel.org, kasan-dev@...glegroups.com
Subject: Re: [PATCH v3 09/21] slab: add optimized sheaf refill from partial
list
On Mon, Jan 19, 2026 at 11:54:18AM +0100, Vlastimil Babka wrote:
> On 1/19/26 07:41, Harry Yoo wrote:
> > On Fri, Jan 16, 2026 at 03:40:29PM +0100, Vlastimil Babka wrote:
> >> At this point we have sheaves enabled for all caches, but their refill
> >> is done via __kmem_cache_alloc_bulk() which relies on cpu (partial)
> >> slabs - now a redundant caching layer that we are about to remove.
> >>
> >> The refill will thus be done from slabs on the node partial list.
> >> Introduce new functions that can do that in an optimized way as it's
> >> easier than modifying the __kmem_cache_alloc_bulk() call chain.
> >>
> >> Extend struct partial_context so it can return a list of slabs from the
> >> partial list with the sum of free objects in them within the requested
> >> min and max.
> >>
> >> Introduce get_partial_node_bulk() that removes the slabs from freelist
> >> and returns them in the list.
> >>
> >> Introduce get_freelist_nofreeze() which grabs the freelist without
> >> freezing the slab.
> >>
> >> Introduce alloc_from_new_slab() which can allocate multiple objects from
> >> a newly allocated slab where we don't need to synchronize with freeing.
> >> In some aspects it's similar to alloc_single_from_new_slab() but assumes
> >> the cache is a non-debug one so it can avoid some actions.
> >>
> >> Introduce __refill_objects() that uses the functions above to fill an
> >> array of objects. It has to handle the possibility that the slabs will
> >> contain more objects that were requested, due to concurrent freeing of
> >> objects to those slabs. When no more slabs on partial lists are
> >> available, it will allocate new slabs. It is intended to be only used
> >> in context where spinning is allowed, so add a WARN_ON_ONCE check there.
> >>
> >> Finally, switch refill_sheaf() to use __refill_objects(). Sheaves are
> >> only refilled from contexts that allow spinning, or even blocking.
> >>
> >> Signed-off-by: Vlastimil Babka <vbabka@...e.cz>
> >> ---
> >> mm/slub.c | 284 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
> >> 1 file changed, 264 insertions(+), 20 deletions(-)
> >>
> >> diff --git a/mm/slub.c b/mm/slub.c
> >> index 9bea8a65e510..dce80463f92c 100644
> >> --- a/mm/slub.c
> >> +++ b/mm/slub.c
> >> @@ -3522,6 +3525,63 @@ static inline void put_cpu_partial(struct kmem_cache *s, struct slab *slab,
> >> #endif
> >> static inline bool pfmemalloc_match(struct slab *slab, gfp_t gfpflags);
> >>
> >> +static bool get_partial_node_bulk(struct kmem_cache *s,
> >> + struct kmem_cache_node *n,
> >> + struct partial_context *pc)
> >> +{
> >> + struct slab *slab, *slab2;
> >> + unsigned int total_free = 0;
> >> + unsigned long flags;
> >> +
> >> + /* Racy check to avoid taking the lock unnecessarily. */
> >> + if (!n || data_race(!n->nr_partial))
> >> + return false;
> >> +
> >> + INIT_LIST_HEAD(&pc->slabs);
> >> +
> >> + spin_lock_irqsave(&n->list_lock, flags);
> >> +
> >> + list_for_each_entry_safe(slab, slab2, &n->partial, slab_list) {
> >> + struct freelist_counters flc;
> >> + unsigned int slab_free;
> >> +
> >> + if (!pfmemalloc_match(slab, pc->flags))
> >> + continue;
> >> + /*
> >> + * determine the number of free objects in the slab racily
> >> + *
> >> + * due to atomic updates done by a racing free we should not
> >> + * read an inconsistent value here, but do a sanity check anyway
> >> + *
> >> + * slab_free is a lower bound due to subsequent concurrent
> >> + * freeing, the caller might get more objects than requested and
> >> + * must deal with it
> >> + */
> >> + flc.counters = data_race(READ_ONCE(slab->counters));
> >> + slab_free = flc.objects - flc.inuse;
> >> +
> >> + if (unlikely(slab_free > oo_objects(s->oo)))
> >> + continue;
> >
> > When is this condition supposed to be true?
> >
> > I guess it's when __update_freelist_slow() doesn't update
> > slab->counters atomically?
>
> Yeah. Probably could be solvable with WRITE_ONCE() there, as this is only
> about hypothetical read/write tearing, not seeing stale values.
Ok. That's less confusing than "we should not read an inconsistent value
here, but do a sanity check anyway".
> >> +
> >> + /* we have already min and this would get us over the max */
> >> + if (total_free >= pc->min_objects
> >> + && total_free + slab_free > pc->max_objects)
> >> + break;
> >> +
> >> + remove_partial(n, slab);
> >> +
> >> + list_add(&slab->slab_list, &pc->slabs);
> >> +
> >> + total_free += slab_free;
> >> + if (total_free >= pc->max_objects)
> >> + break;
> >> + }
> >> +
> >> + spin_unlock_irqrestore(&n->list_lock, flags);
> >> + return total_free > 0;
> >> +}
> >> +
> >> /*
> >> * Try to allocate a partial slab from a specific node.
> >> */
> >> +static unsigned int alloc_from_new_slab(struct kmem_cache *s, struct slab *slab,
> >> + void **p, unsigned int count, bool allow_spin)
> >> +{
> >> + unsigned int allocated = 0;
> >> + struct kmem_cache_node *n;
> >> + unsigned long flags;
> >> + void *object;
> >> +
> >> + if (!allow_spin && (slab->objects - slab->inuse) > count) {
> >> +
> >> + n = get_node(s, slab_nid(slab));
> >> +
> >> + if (!spin_trylock_irqsave(&n->list_lock, flags)) {
> >> + /* Unlucky, discard newly allocated slab */
> >> + defer_deactivate_slab(slab, NULL);
> >> + return 0;
> >> + }
> >> + }
> >> +
> >> + object = slab->freelist;
> >> + while (object && allocated < count) {
> >> + p[allocated] = object;
> >> + object = get_freepointer(s, object);
> >> + maybe_wipe_obj_freeptr(s, p[allocated]);
> >> +
> >> + slab->inuse++;
> >> + allocated++;
> >> + }
> >> + slab->freelist = object;
> >> +
> >> + if (slab->freelist) {
> >> +
> >> + if (allow_spin) {
> >> + n = get_node(s, slab_nid(slab));
> >> + spin_lock_irqsave(&n->list_lock, flags);
> >> + }
> >> + add_partial(n, slab, DEACTIVATE_TO_HEAD);
> >> + spin_unlock_irqrestore(&n->list_lock, flags);
> >> + }
> >> +
> >> + inc_slabs_node(s, slab_nid(slab), slab->objects);
> >
> > Maybe add a comment explaining why inc_slabs_node() doesn't need to be
> > called under n->list_lock?
>
> Hm, we might not even be holding it. The old code also did the inc with no
> comment. If anything could use one, it would be in
> alloc_single_from_new_slab()? But that's outside the scope here.
Ok. Perhaps worth adding something like this later, but yeah it's outside
the scope here.
diff --git a/mm/slub.c b/mm/slub.c
index 698c0d940f06..c5a1e47dfe16 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1633,6 +1633,9 @@ static inline void inc_slabs_node(struct kmem_cache *s, int node, int objects)
{
struct kmem_cache_node *n = get_node(s, node);
+ if (kmem_cache_debug(s))
+ /* slab validation may generate false errors without the lock */
+ lockdep_assert_held(&n->list_lock);
atomic_long_inc(&n->nr_slabs);
atomic_long_add(objects, &n->total_objects);
}
--
Cheers,
Harry / Hyeonggon
Powered by blists - more mailing lists