1 // SPDX-License-Identifier: GPL-2.0
3 * SLUB: A slab allocator that limits cache line use instead of queuing
4 * objects in per cpu and per node lists.
6 * The allocator synchronizes using per slab locks or atomic operations
7 * and only uses a centralized lock to manage a pool of partial slabs.
9 * (C) 2007 SGI, Christoph Lameter
10 * (C) 2011 Linux Foundation, Christoph Lameter
14 #include <linux/swap.h> /* struct reclaim_state */
15 #include <linux/module.h>
16 #include <linux/bit_spinlock.h>
17 #include <linux/interrupt.h>
18 #include <linux/swab.h>
19 #include <linux/bitops.h>
20 #include <linux/slab.h>
22 #include <linux/proc_fs.h>
23 #include <linux/seq_file.h>
24 #include <linux/kasan.h>
25 #include <linux/cpu.h>
26 #include <linux/cpuset.h>
27 #include <linux/mempolicy.h>
28 #include <linux/ctype.h>
29 #include <linux/debugobjects.h>
30 #include <linux/kallsyms.h>
31 #include <linux/kfence.h>
32 #include <linux/memory.h>
33 #include <linux/math64.h>
34 #include <linux/fault-inject.h>
35 #include <linux/stacktrace.h>
36 #include <linux/prefetch.h>
37 #include <linux/memcontrol.h>
38 #include <linux/random.h>
39 #include <kunit/test.h>
41 #include <linux/debugfs.h>
42 #include <trace/events/kmem.h>
48 * 1. slab_mutex (Global Mutex)
50 * 3. slab_lock(page) (Only on some arches and for debugging)
54 * The role of the slab_mutex is to protect the list of all the slabs
55 * and to synchronize major metadata changes to slab cache structures.
57 * The slab_lock is only used for debugging and on arches that do not
58 * have the ability to do a cmpxchg_double. It only protects:
59 * A. page->freelist -> List of object free in a page
60 * B. page->inuse -> Number of objects in use
61 * C. page->objects -> Number of objects in page
62 * D. page->frozen -> frozen state
64 * If a slab is frozen then it is exempt from list management. It is not
65 * on any list except per cpu partial list. The processor that froze the
66 * slab is the one who can perform list operations on the page. Other
67 * processors may put objects onto the freelist but the processor that
68 * froze the slab is the only one that can retrieve the objects from the
71 * The list_lock protects the partial and full list on each node and
72 * the partial slab counter. If taken then no new slabs may be added or
73 * removed from the lists nor make the number of partial slabs be modified.
74 * (Note that the total number of slabs is an atomic value that may be
75 * modified without taking the list lock).
77 * The list_lock is a centralized lock and thus we avoid taking it as
78 * much as possible. As long as SLUB does not have to handle partial
79 * slabs, operations can continue without any centralized lock. F.e.
80 * allocating a long series of objects that fill up slabs does not require
82 * Interrupts are disabled during allocation and deallocation in order to
83 * make the slab allocator safe to use in the context of an irq. In addition
84 * interrupts are disabled to ensure that the processor does not change
85 * while handling per_cpu slabs, due to kernel preemption.
87 * SLUB assigns one slab for allocation to each processor.
88 * Allocations only occur from these slabs called cpu slabs.
90 * Slabs with free elements are kept on a partial list and during regular
91 * operations no list for full slabs is used. If an object in a full slab is
92 * freed then the slab will show up again on the partial lists.
93 * We track full slabs for debugging purposes though because otherwise we
94 * cannot scan all objects.
96 * Slabs are freed when they become empty. Teardown and setup is
97 * minimal so we rely on the page allocators per cpu caches for
98 * fast frees and allocs.
100 * page->frozen The slab is frozen and exempt from list processing.
101 * This means that the slab is dedicated to a purpose
102 * such as satisfying allocations for a specific
103 * processor. Objects may be freed in the slab while
104 * it is frozen but slab_free will then skip the usual
105 * list operations. It is up to the processor holding
106 * the slab to integrate the slab into the slab lists
107 * when the slab is no longer needed.
109 * One use of this flag is to mark slabs that are
110 * used for allocations. Then such a slab becomes a cpu
111 * slab. The cpu slab may be equipped with an additional
112 * freelist that allows lockless access to
113 * free objects in addition to the regular freelist
114 * that requires the slab lock.
116 * SLAB_DEBUG_FLAGS Slab requires special handling due to debug
117 * options set. This moves slab handling out of
118 * the fast path and disables lockless freelists.
121 #ifdef CONFIG_SLUB_DEBUG
122 #ifdef CONFIG_SLUB_DEBUG_ON
123 DEFINE_STATIC_KEY_TRUE(slub_debug_enabled);
125 DEFINE_STATIC_KEY_FALSE(slub_debug_enabled);
127 #endif /* CONFIG_SLUB_DEBUG */
129 static inline bool kmem_cache_debug(struct kmem_cache *s)
131 return kmem_cache_debug_flags(s, SLAB_DEBUG_FLAGS);
134 void *fixup_red_left(struct kmem_cache *s, void *p)
136 if (kmem_cache_debug_flags(s, SLAB_RED_ZONE))
137 p += s->red_left_pad;
142 static inline bool kmem_cache_has_cpu_partial(struct kmem_cache *s)
144 #ifdef CONFIG_SLUB_CPU_PARTIAL
145 return !kmem_cache_debug(s);
152 * Issues still to be resolved:
154 * - Support PAGE_ALLOC_DEBUG. Should be easy to do.
156 * - Variable sizing of the per node arrays
159 /* Enable to log cmpxchg failures */
160 #undef SLUB_DEBUG_CMPXCHG
163 * Minimum number of partial slabs. These will be left on the partial
164 * lists even if they are empty. kmem_cache_shrink may reclaim them.
166 #define MIN_PARTIAL 5
169 * Maximum number of desirable partial slabs.
170 * The existence of more partial slabs makes kmem_cache_shrink
171 * sort the partial list by the number of objects in use.
173 #define MAX_PARTIAL 10
175 #define DEBUG_DEFAULT_FLAGS (SLAB_CONSISTENCY_CHECKS | SLAB_RED_ZONE | \
176 SLAB_POISON | SLAB_STORE_USER)
179 * These debug flags cannot use CMPXCHG because there might be consistency
180 * issues when checking or reading debug information
182 #define SLAB_NO_CMPXCHG (SLAB_CONSISTENCY_CHECKS | SLAB_STORE_USER | \
187 * Debugging flags that require metadata to be stored in the slab. These get
188 * disabled when slub_debug=O is used and a cache's min order increases with
191 #define DEBUG_METADATA_FLAGS (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER)
194 #define OO_MASK ((1 << OO_SHIFT) - 1)
195 #define MAX_OBJS_PER_PAGE 32767 /* since page.objects is u15 */
197 /* Internal SLUB flags */
199 #define __OBJECT_POISON ((slab_flags_t __force)0x80000000U)
200 /* Use cmpxchg_double */
201 #define __CMPXCHG_DOUBLE ((slab_flags_t __force)0x40000000U)
204 * Tracking user of a slab.
206 #define TRACK_ADDRS_COUNT 16
208 unsigned long addr; /* Called from address */
209 #ifdef CONFIG_STACKTRACE
210 unsigned long addrs[TRACK_ADDRS_COUNT]; /* Called from address */
212 int cpu; /* Was running on cpu */
213 int pid; /* Pid context */
214 unsigned long when; /* When did the operation occur */
217 enum track_item { TRACK_ALLOC, TRACK_FREE };
220 static int sysfs_slab_add(struct kmem_cache *);
221 static int sysfs_slab_alias(struct kmem_cache *, const char *);
223 static inline int sysfs_slab_add(struct kmem_cache *s) { return 0; }
224 static inline int sysfs_slab_alias(struct kmem_cache *s, const char *p)
228 #if defined(CONFIG_DEBUG_FS) && defined(CONFIG_SLUB_DEBUG)
229 static void debugfs_slab_add(struct kmem_cache *);
231 static inline void debugfs_slab_add(struct kmem_cache *s) { }
234 static inline void stat(const struct kmem_cache *s, enum stat_item si)
236 #ifdef CONFIG_SLUB_STATS
238 * The rmw is racy on a preemptible kernel but this is acceptable, so
239 * avoid this_cpu_add()'s irq-disable overhead.
241 raw_cpu_inc(s->cpu_slab->stat[si]);
246 * Tracks for which NUMA nodes we have kmem_cache_nodes allocated.
247 * Corresponds to node_state[N_NORMAL_MEMORY], but can temporarily
248 * differ during memory hotplug/hotremove operations.
249 * Protected by slab_mutex.
251 static nodemask_t slab_nodes;
253 /********************************************************************
254 * Core slab cache functions
255 *******************************************************************/
258 * Returns freelist pointer (ptr). With hardening, this is obfuscated
259 * with an XOR of the address where the pointer is held and a per-cache
262 static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
263 unsigned long ptr_addr)
265 #ifdef CONFIG_SLAB_FREELIST_HARDENED
267 * When CONFIG_KASAN_SW/HW_TAGS is enabled, ptr_addr might be tagged.
268 * Normally, this doesn't cause any issues, as both set_freepointer()
269 * and get_freepointer() are called with a pointer with the same tag.
270 * However, there are some issues with CONFIG_SLUB_DEBUG code. For
271 * example, when __free_slub() iterates over objects in a cache, it
272 * passes untagged pointers to check_object(). check_object() in turns
273 * calls get_freepointer() with an untagged pointer, which causes the
274 * freepointer to be restored incorrectly.
276 return (void *)((unsigned long)ptr ^ s->random ^
277 swab((unsigned long)kasan_reset_tag((void *)ptr_addr)));
283 /* Returns the freelist pointer recorded at location ptr_addr. */
284 static inline void *freelist_dereference(const struct kmem_cache *s,
287 return freelist_ptr(s, (void *)*(unsigned long *)(ptr_addr),
288 (unsigned long)ptr_addr);
291 static inline void *get_freepointer(struct kmem_cache *s, void *object)
293 object = kasan_reset_tag(object);
294 return freelist_dereference(s, object + s->offset);
297 static void prefetch_freepointer(const struct kmem_cache *s, void *object)
299 prefetch(object + s->offset);
302 static inline void *get_freepointer_safe(struct kmem_cache *s, void *object)
304 unsigned long freepointer_addr;
307 if (!debug_pagealloc_enabled_static())
308 return get_freepointer(s, object);
310 object = kasan_reset_tag(object);
311 freepointer_addr = (unsigned long)object + s->offset;
312 copy_from_kernel_nofault(&p, (void **)freepointer_addr, sizeof(p));
313 return freelist_ptr(s, p, freepointer_addr);
316 static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)
318 unsigned long freeptr_addr = (unsigned long)object + s->offset;
320 #ifdef CONFIG_SLAB_FREELIST_HARDENED
321 BUG_ON(object == fp); /* naive detection of double free or corruption */
324 freeptr_addr = (unsigned long)kasan_reset_tag((void *)freeptr_addr);
325 *(void **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);
328 /* Loop over all objects in a slab */
329 #define for_each_object(__p, __s, __addr, __objects) \
330 for (__p = fixup_red_left(__s, __addr); \
331 __p < (__addr) + (__objects) * (__s)->size; \
334 static inline unsigned int order_objects(unsigned int order, unsigned int size)
336 return ((unsigned int)PAGE_SIZE << order) / size;
339 static inline struct kmem_cache_order_objects oo_make(unsigned int order,
342 struct kmem_cache_order_objects x = {
343 (order << OO_SHIFT) + order_objects(order, size)
349 static inline unsigned int oo_order(struct kmem_cache_order_objects x)
351 return x.x >> OO_SHIFT;
354 static inline unsigned int oo_objects(struct kmem_cache_order_objects x)
356 return x.x & OO_MASK;
360 * Per slab locking using the pagelock
362 static __always_inline void __slab_lock(struct page *page)
364 VM_BUG_ON_PAGE(PageTail(page), page);
365 bit_spin_lock(PG_locked, &page->flags);
368 static __always_inline void __slab_unlock(struct page *page)
370 VM_BUG_ON_PAGE(PageTail(page), page);
371 __bit_spin_unlock(PG_locked, &page->flags);
374 static __always_inline void slab_lock(struct page *page, unsigned long *flags)
376 if (IS_ENABLED(CONFIG_PREEMPT_RT))
377 local_irq_save(*flags);
381 static __always_inline void slab_unlock(struct page *page, unsigned long *flags)
384 if (IS_ENABLED(CONFIG_PREEMPT_RT))
385 local_irq_restore(*flags);
389 * Interrupts must be disabled (for the fallback code to work right), typically
390 * by an _irqsave() lock variant. Except on PREEMPT_RT where locks are different
391 * so we disable interrupts as part of slab_[un]lock().
393 static inline bool __cmpxchg_double_slab(struct kmem_cache *s, struct page *page,
394 void *freelist_old, unsigned long counters_old,
395 void *freelist_new, unsigned long counters_new,
398 if (!IS_ENABLED(CONFIG_PREEMPT_RT))
399 lockdep_assert_irqs_disabled();
400 #if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
401 defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
402 if (s->flags & __CMPXCHG_DOUBLE) {
403 if (cmpxchg_double(&page->freelist, &page->counters,
404 freelist_old, counters_old,
405 freelist_new, counters_new))
410 /* init to 0 to prevent spurious warnings */
411 unsigned long flags = 0;
413 slab_lock(page, &flags);
414 if (page->freelist == freelist_old &&
415 page->counters == counters_old) {
416 page->freelist = freelist_new;
417 page->counters = counters_new;
418 slab_unlock(page, &flags);
421 slab_unlock(page, &flags);
425 stat(s, CMPXCHG_DOUBLE_FAIL);
427 #ifdef SLUB_DEBUG_CMPXCHG
428 pr_info("%s %s: cmpxchg double redo ", n, s->name);
434 static inline bool cmpxchg_double_slab(struct kmem_cache *s, struct page *page,
435 void *freelist_old, unsigned long counters_old,
436 void *freelist_new, unsigned long counters_new,
439 #if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
440 defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
441 if (s->flags & __CMPXCHG_DOUBLE) {
442 if (cmpxchg_double(&page->freelist, &page->counters,
443 freelist_old, counters_old,
444 freelist_new, counters_new))
451 local_irq_save(flags);
453 if (page->freelist == freelist_old &&
454 page->counters == counters_old) {
455 page->freelist = freelist_new;
456 page->counters = counters_new;
458 local_irq_restore(flags);
462 local_irq_restore(flags);
466 stat(s, CMPXCHG_DOUBLE_FAIL);
468 #ifdef SLUB_DEBUG_CMPXCHG
469 pr_info("%s %s: cmpxchg double redo ", n, s->name);
475 #ifdef CONFIG_SLUB_DEBUG
476 static unsigned long object_map[BITS_TO_LONGS(MAX_OBJS_PER_PAGE)];
477 static DEFINE_RAW_SPINLOCK(object_map_lock);
479 static void __fill_map(unsigned long *obj_map, struct kmem_cache *s,
482 void *addr = page_address(page);
485 bitmap_zero(obj_map, page->objects);
487 for (p = page->freelist; p; p = get_freepointer(s, p))
488 set_bit(__obj_to_index(s, addr, p), obj_map);
491 #if IS_ENABLED(CONFIG_KUNIT)
492 static bool slab_add_kunit_errors(void)
494 struct kunit_resource *resource;
496 if (likely(!current->kunit_test))
499 resource = kunit_find_named_resource(current->kunit_test, "slab_errors");
503 (*(int *)resource->data)++;
504 kunit_put_resource(resource);
508 static inline bool slab_add_kunit_errors(void) { return false; }
512 * Determine a map of object in use on a page.
514 * Node listlock must be held to guarantee that the page does
515 * not vanish from under us.
517 static unsigned long *get_map(struct kmem_cache *s, struct page *page)
518 __acquires(&object_map_lock)
520 VM_BUG_ON(!irqs_disabled());
522 raw_spin_lock(&object_map_lock);
524 __fill_map(object_map, s, page);
529 static void put_map(unsigned long *map) __releases(&object_map_lock)
531 VM_BUG_ON(map != object_map);
532 raw_spin_unlock(&object_map_lock);
535 static inline unsigned int size_from_object(struct kmem_cache *s)
537 if (s->flags & SLAB_RED_ZONE)
538 return s->size - s->red_left_pad;
543 static inline void *restore_red_left(struct kmem_cache *s, void *p)
545 if (s->flags & SLAB_RED_ZONE)
546 p -= s->red_left_pad;
554 #if defined(CONFIG_SLUB_DEBUG_ON)
555 static slab_flags_t slub_debug = DEBUG_DEFAULT_FLAGS;
557 static slab_flags_t slub_debug;
560 static char *slub_debug_string;
561 static int disable_higher_order_debug;
564 * slub is about to manipulate internal object metadata. This memory lies
565 * outside the range of the allocated object, so accessing it would normally
566 * be reported by kasan as a bounds error. metadata_access_enable() is used
567 * to tell kasan that these accesses are OK.
569 static inline void metadata_access_enable(void)
571 kasan_disable_current();
574 static inline void metadata_access_disable(void)
576 kasan_enable_current();
583 /* Verify that a pointer has an address that is valid within a slab page */
584 static inline int check_valid_pointer(struct kmem_cache *s,
585 struct page *page, void *object)
592 base = page_address(page);
593 object = kasan_reset_tag(object);
594 object = restore_red_left(s, object);
595 if (object < base || object >= base + page->objects * s->size ||
596 (object - base) % s->size) {
603 static void print_section(char *level, char *text, u8 *addr,
606 metadata_access_enable();
607 print_hex_dump(level, text, DUMP_PREFIX_ADDRESS,
608 16, 1, kasan_reset_tag((void *)addr), length, 1);
609 metadata_access_disable();
613 * See comment in calculate_sizes().
615 static inline bool freeptr_outside_object(struct kmem_cache *s)
617 return s->offset >= s->inuse;
621 * Return offset of the end of info block which is inuse + free pointer if
622 * not overlapping with object.
624 static inline unsigned int get_info_end(struct kmem_cache *s)
626 if (freeptr_outside_object(s))
627 return s->inuse + sizeof(void *);
632 static struct track *get_track(struct kmem_cache *s, void *object,
633 enum track_item alloc)
637 p = object + get_info_end(s);
639 return kasan_reset_tag(p + alloc);
642 static void set_track(struct kmem_cache *s, void *object,
643 enum track_item alloc, unsigned long addr)
645 struct track *p = get_track(s, object, alloc);
648 #ifdef CONFIG_STACKTRACE
649 unsigned int nr_entries;
651 metadata_access_enable();
652 nr_entries = stack_trace_save(kasan_reset_tag(p->addrs),
653 TRACK_ADDRS_COUNT, 3);
654 metadata_access_disable();
656 if (nr_entries < TRACK_ADDRS_COUNT)
657 p->addrs[nr_entries] = 0;
660 p->cpu = smp_processor_id();
661 p->pid = current->pid;
664 memset(p, 0, sizeof(struct track));
668 static void init_tracking(struct kmem_cache *s, void *object)
670 if (!(s->flags & SLAB_STORE_USER))
673 set_track(s, object, TRACK_FREE, 0UL);
674 set_track(s, object, TRACK_ALLOC, 0UL);
677 static void print_track(const char *s, struct track *t, unsigned long pr_time)
682 pr_err("%s in %pS age=%lu cpu=%u pid=%d\n",
683 s, (void *)t->addr, pr_time - t->when, t->cpu, t->pid);
684 #ifdef CONFIG_STACKTRACE
687 for (i = 0; i < TRACK_ADDRS_COUNT; i++)
689 pr_err("\t%pS\n", (void *)t->addrs[i]);
696 void print_tracking(struct kmem_cache *s, void *object)
698 unsigned long pr_time = jiffies;
699 if (!(s->flags & SLAB_STORE_USER))
702 print_track("Allocated", get_track(s, object, TRACK_ALLOC), pr_time);
703 print_track("Freed", get_track(s, object, TRACK_FREE), pr_time);
706 static void print_page_info(struct page *page)
708 pr_err("Slab 0x%p objects=%u used=%u fp=0x%p flags=%#lx(%pGp)\n",
709 page, page->objects, page->inuse, page->freelist,
710 page->flags, &page->flags);
714 static void slab_bug(struct kmem_cache *s, char *fmt, ...)
716 struct va_format vaf;
722 pr_err("=============================================================================\n");
723 pr_err("BUG %s (%s): %pV\n", s->name, print_tainted(), &vaf);
724 pr_err("-----------------------------------------------------------------------------\n\n");
729 static void slab_fix(struct kmem_cache *s, char *fmt, ...)
731 struct va_format vaf;
734 if (slab_add_kunit_errors())
740 pr_err("FIX %s: %pV\n", s->name, &vaf);
744 static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
745 void **freelist, void *nextfree)
747 if ((s->flags & SLAB_CONSISTENCY_CHECKS) &&
748 !check_valid_pointer(s, page, nextfree) && freelist) {
749 object_err(s, page, *freelist, "Freechain corrupt");
751 slab_fix(s, "Isolate corrupted freechain");
758 static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
760 unsigned int off; /* Offset of last byte */
761 u8 *addr = page_address(page);
763 print_tracking(s, p);
765 print_page_info(page);
767 pr_err("Object 0x%p @offset=%tu fp=0x%p\n\n",
768 p, p - addr, get_freepointer(s, p));
770 if (s->flags & SLAB_RED_ZONE)
771 print_section(KERN_ERR, "Redzone ", p - s->red_left_pad,
773 else if (p > addr + 16)
774 print_section(KERN_ERR, "Bytes b4 ", p - 16, 16);
776 print_section(KERN_ERR, "Object ", p,
777 min_t(unsigned int, s->object_size, PAGE_SIZE));
778 if (s->flags & SLAB_RED_ZONE)
779 print_section(KERN_ERR, "Redzone ", p + s->object_size,
780 s->inuse - s->object_size);
782 off = get_info_end(s);
784 if (s->flags & SLAB_STORE_USER)
785 off += 2 * sizeof(struct track);
787 off += kasan_metadata_size(s);
789 if (off != size_from_object(s))
790 /* Beginning of the filler is the free pointer */
791 print_section(KERN_ERR, "Padding ", p + off,
792 size_from_object(s) - off);
797 void object_err(struct kmem_cache *s, struct page *page,
798 u8 *object, char *reason)
800 if (slab_add_kunit_errors())
803 slab_bug(s, "%s", reason);
804 print_trailer(s, page, object);
805 add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
808 static __printf(3, 4) void slab_err(struct kmem_cache *s, struct page *page,
809 const char *fmt, ...)
814 if (slab_add_kunit_errors())
818 vsnprintf(buf, sizeof(buf), fmt, args);
820 slab_bug(s, "%s", buf);
821 print_page_info(page);
823 add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
826 static void init_object(struct kmem_cache *s, void *object, u8 val)
828 u8 *p = kasan_reset_tag(object);
830 if (s->flags & SLAB_RED_ZONE)
831 memset(p - s->red_left_pad, val, s->red_left_pad);
833 if (s->flags & __OBJECT_POISON) {
834 memset(p, POISON_FREE, s->object_size - 1);
835 p[s->object_size - 1] = POISON_END;
838 if (s->flags & SLAB_RED_ZONE)
839 memset(p + s->object_size, val, s->inuse - s->object_size);
842 static void restore_bytes(struct kmem_cache *s, char *message, u8 data,
843 void *from, void *to)
845 slab_fix(s, "Restoring %s 0x%p-0x%p=0x%x", message, from, to - 1, data);
846 memset(from, data, to - from);
849 static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
850 u8 *object, char *what,
851 u8 *start, unsigned int value, unsigned int bytes)
855 u8 *addr = page_address(page);
857 metadata_access_enable();
858 fault = memchr_inv(kasan_reset_tag(start), value, bytes);
859 metadata_access_disable();
864 while (end > fault && end[-1] == value)
867 if (slab_add_kunit_errors())
870 slab_bug(s, "%s overwritten", what);
871 pr_err("0x%p-0x%p @offset=%tu. First byte 0x%x instead of 0x%x\n",
872 fault, end - 1, fault - addr,
874 print_trailer(s, page, object);
875 add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
878 restore_bytes(s, what, value, fault, end);
886 * Bytes of the object to be managed.
887 * If the freepointer may overlay the object then the free
888 * pointer is at the middle of the object.
890 * Poisoning uses 0x6b (POISON_FREE) and the last byte is
893 * object + s->object_size
894 * Padding to reach word boundary. This is also used for Redzoning.
895 * Padding is extended by another word if Redzoning is enabled and
896 * object_size == inuse.
898 * We fill with 0xbb (RED_INACTIVE) for inactive objects and with
899 * 0xcc (RED_ACTIVE) for objects in use.
902 * Meta data starts here.
904 * A. Free pointer (if we cannot overwrite object on free)
905 * B. Tracking data for SLAB_STORE_USER
906 * C. Padding to reach required alignment boundary or at minimum
907 * one word if debugging is on to be able to detect writes
908 * before the word boundary.
910 * Padding is done using 0x5a (POISON_INUSE)
913 * Nothing is used beyond s->size.
915 * If slabcaches are merged then the object_size and inuse boundaries are mostly
916 * ignored. And therefore no slab options that rely on these boundaries
917 * may be used with merged slabcaches.
920 static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
922 unsigned long off = get_info_end(s); /* The end of info */
924 if (s->flags & SLAB_STORE_USER)
925 /* We also have user information there */
926 off += 2 * sizeof(struct track);
928 off += kasan_metadata_size(s);
930 if (size_from_object(s) == off)
933 return check_bytes_and_report(s, page, p, "Object padding",
934 p + off, POISON_INUSE, size_from_object(s) - off);
937 /* Check the pad bytes at the end of a slab page */
938 static int slab_pad_check(struct kmem_cache *s, struct page *page)
947 if (!(s->flags & SLAB_POISON))
950 start = page_address(page);
951 length = page_size(page);
952 end = start + length;
953 remainder = length % s->size;
957 pad = end - remainder;
958 metadata_access_enable();
959 fault = memchr_inv(kasan_reset_tag(pad), POISON_INUSE, remainder);
960 metadata_access_disable();
963 while (end > fault && end[-1] == POISON_INUSE)
966 slab_err(s, page, "Padding overwritten. 0x%p-0x%p @offset=%tu",
967 fault, end - 1, fault - start);
968 print_section(KERN_ERR, "Padding ", pad, remainder);
970 restore_bytes(s, "slab padding", POISON_INUSE, fault, end);
974 static int check_object(struct kmem_cache *s, struct page *page,
975 void *object, u8 val)
978 u8 *endobject = object + s->object_size;
980 if (s->flags & SLAB_RED_ZONE) {
981 if (!check_bytes_and_report(s, page, object, "Left Redzone",
982 object - s->red_left_pad, val, s->red_left_pad))
985 if (!check_bytes_and_report(s, page, object, "Right Redzone",
986 endobject, val, s->inuse - s->object_size))
989 if ((s->flags & SLAB_POISON) && s->object_size < s->inuse) {
990 check_bytes_and_report(s, page, p, "Alignment padding",
991 endobject, POISON_INUSE,
992 s->inuse - s->object_size);
996 if (s->flags & SLAB_POISON) {
997 if (val != SLUB_RED_ACTIVE && (s->flags & __OBJECT_POISON) &&
998 (!check_bytes_and_report(s, page, p, "Poison", p,
999 POISON_FREE, s->object_size - 1) ||
1000 !check_bytes_and_report(s, page, p, "End Poison",
1001 p + s->object_size - 1, POISON_END, 1)))
1004 * check_pad_bytes cleans up on its own.
1006 check_pad_bytes(s, page, p);
1009 if (!freeptr_outside_object(s) && val == SLUB_RED_ACTIVE)
1011 * Object and freepointer overlap. Cannot check
1012 * freepointer while object is allocated.
1016 /* Check free pointer validity */
1017 if (!check_valid_pointer(s, page, get_freepointer(s, p))) {
1018 object_err(s, page, p, "Freepointer corrupt");
1020 * No choice but to zap it and thus lose the remainder
1021 * of the free objects in this slab. May cause
1022 * another error because the object count is now wrong.
1024 set_freepointer(s, p, NULL);
1030 static int check_slab(struct kmem_cache *s, struct page *page)
1034 if (!PageSlab(page)) {
1035 slab_err(s, page, "Not a valid slab page");
1039 maxobj = order_objects(compound_order(page), s->size);
1040 if (page->objects > maxobj) {
1041 slab_err(s, page, "objects %u > max %u",
1042 page->objects, maxobj);
1045 if (page->inuse > page->objects) {
1046 slab_err(s, page, "inuse %u > max %u",
1047 page->inuse, page->objects);
1050 /* Slab_pad_check fixes things up after itself */
1051 slab_pad_check(s, page);
1056 * Determine if a certain object on a page is on the freelist. Must hold the
1057 * slab lock to guarantee that the chains are in a consistent state.
1059 static int on_freelist(struct kmem_cache *s, struct page *page, void *search)
1063 void *object = NULL;
1066 fp = page->freelist;
1067 while (fp && nr <= page->objects) {
1070 if (!check_valid_pointer(s, page, fp)) {
1072 object_err(s, page, object,
1073 "Freechain corrupt");
1074 set_freepointer(s, object, NULL);
1076 slab_err(s, page, "Freepointer corrupt");
1077 page->freelist = NULL;
1078 page->inuse = page->objects;
1079 slab_fix(s, "Freelist cleared");
1085 fp = get_freepointer(s, object);
1089 max_objects = order_objects(compound_order(page), s->size);
1090 if (max_objects > MAX_OBJS_PER_PAGE)
1091 max_objects = MAX_OBJS_PER_PAGE;
1093 if (page->objects != max_objects) {
1094 slab_err(s, page, "Wrong number of objects. Found %d but should be %d",
1095 page->objects, max_objects);
1096 page->objects = max_objects;
1097 slab_fix(s, "Number of objects adjusted");
1099 if (page->inuse != page->objects - nr) {
1100 slab_err(s, page, "Wrong object count. Counter is %d but counted were %d",
1101 page->inuse, page->objects - nr);
1102 page->inuse = page->objects - nr;
1103 slab_fix(s, "Object count adjusted");
1105 return search == NULL;
1108 static void trace(struct kmem_cache *s, struct page *page, void *object,
1111 if (s->flags & SLAB_TRACE) {
1112 pr_info("TRACE %s %s 0x%p inuse=%d fp=0x%p\n",
1114 alloc ? "alloc" : "free",
1115 object, page->inuse,
1119 print_section(KERN_INFO, "Object ", (void *)object,
1127 * Tracking of fully allocated slabs for debugging purposes.
1129 static void add_full(struct kmem_cache *s,
1130 struct kmem_cache_node *n, struct page *page)
1132 if (!(s->flags & SLAB_STORE_USER))
1135 lockdep_assert_held(&n->list_lock);
1136 list_add(&page->slab_list, &n->full);
1139 static void remove_full(struct kmem_cache *s, struct kmem_cache_node *n, struct page *page)
1141 if (!(s->flags & SLAB_STORE_USER))
1144 lockdep_assert_held(&n->list_lock);
1145 list_del(&page->slab_list);
1148 /* Tracking of the number of slabs for debugging purposes */
1149 static inline unsigned long slabs_node(struct kmem_cache *s, int node)
1151 struct kmem_cache_node *n = get_node(s, node);
1153 return atomic_long_read(&n->nr_slabs);
1156 static inline unsigned long node_nr_slabs(struct kmem_cache_node *n)
1158 return atomic_long_read(&n->nr_slabs);
1161 static inline void inc_slabs_node(struct kmem_cache *s, int node, int objects)
1163 struct kmem_cache_node *n = get_node(s, node);
1166 * May be called early in order to allocate a slab for the
1167 * kmem_cache_node structure. Solve the chicken-egg
1168 * dilemma by deferring the increment of the count during
1169 * bootstrap (see early_kmem_cache_node_alloc).
1172 atomic_long_inc(&n->nr_slabs);
1173 atomic_long_add(objects, &n->total_objects);
1176 static inline void dec_slabs_node(struct kmem_cache *s, int node, int objects)
1178 struct kmem_cache_node *n = get_node(s, node);
1180 atomic_long_dec(&n->nr_slabs);
1181 atomic_long_sub(objects, &n->total_objects);
1184 /* Object debug checks for alloc/free paths */
1185 static void setup_object_debug(struct kmem_cache *s, struct page *page,
1188 if (!kmem_cache_debug_flags(s, SLAB_STORE_USER|SLAB_RED_ZONE|__OBJECT_POISON))
1191 init_object(s, object, SLUB_RED_INACTIVE);
1192 init_tracking(s, object);
1196 void setup_page_debug(struct kmem_cache *s, struct page *page, void *addr)
1198 if (!kmem_cache_debug_flags(s, SLAB_POISON))
1201 metadata_access_enable();
1202 memset(kasan_reset_tag(addr), POISON_INUSE, page_size(page));
1203 metadata_access_disable();
1206 static inline int alloc_consistency_checks(struct kmem_cache *s,
1207 struct page *page, void *object)
1209 if (!check_slab(s, page))
1212 if (!check_valid_pointer(s, page, object)) {
1213 object_err(s, page, object, "Freelist Pointer check fails");
1217 if (!check_object(s, page, object, SLUB_RED_INACTIVE))
1223 static noinline int alloc_debug_processing(struct kmem_cache *s,
1225 void *object, unsigned long addr)
1227 if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1228 if (!alloc_consistency_checks(s, page, object))
1232 /* Success perform special debug activities for allocs */
1233 if (s->flags & SLAB_STORE_USER)
1234 set_track(s, object, TRACK_ALLOC, addr);
1235 trace(s, page, object, 1);
1236 init_object(s, object, SLUB_RED_ACTIVE);
1240 if (PageSlab(page)) {
1242 * If this is a slab page then lets do the best we can
1243 * to avoid issues in the future. Marking all objects
1244 * as used avoids touching the remaining objects.
1246 slab_fix(s, "Marking all objects used");
1247 page->inuse = page->objects;
1248 page->freelist = NULL;
1253 static inline int free_consistency_checks(struct kmem_cache *s,
1254 struct page *page, void *object, unsigned long addr)
1256 if (!check_valid_pointer(s, page, object)) {
1257 slab_err(s, page, "Invalid object pointer 0x%p", object);
1261 if (on_freelist(s, page, object)) {
1262 object_err(s, page, object, "Object already free");
1266 if (!check_object(s, page, object, SLUB_RED_ACTIVE))
1269 if (unlikely(s != page->slab_cache)) {
1270 if (!PageSlab(page)) {
1271 slab_err(s, page, "Attempt to free object(0x%p) outside of slab",
1273 } else if (!page->slab_cache) {
1274 pr_err("SLUB <none>: no slab for object 0x%p.\n",
1278 object_err(s, page, object,
1279 "page slab pointer corrupt.");
1285 /* Supports checking bulk free of a constructed freelist */
1286 static noinline int free_debug_processing(
1287 struct kmem_cache *s, struct page *page,
1288 void *head, void *tail, int bulk_cnt,
1291 struct kmem_cache_node *n = get_node(s, page_to_nid(page));
1292 void *object = head;
1294 unsigned long flags, flags2;
1297 spin_lock_irqsave(&n->list_lock, flags);
1298 slab_lock(page, &flags2);
1300 if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1301 if (!check_slab(s, page))
1308 if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1309 if (!free_consistency_checks(s, page, object, addr))
1313 if (s->flags & SLAB_STORE_USER)
1314 set_track(s, object, TRACK_FREE, addr);
1315 trace(s, page, object, 0);
1316 /* Freepointer not overwritten by init_object(), SLAB_POISON moved it */
1317 init_object(s, object, SLUB_RED_INACTIVE);
1319 /* Reached end of constructed freelist yet? */
1320 if (object != tail) {
1321 object = get_freepointer(s, object);
1327 if (cnt != bulk_cnt)
1328 slab_err(s, page, "Bulk freelist count(%d) invalid(%d)\n",
1331 slab_unlock(page, &flags2);
1332 spin_unlock_irqrestore(&n->list_lock, flags);
1334 slab_fix(s, "Object at 0x%p not freed", object);
1339 * Parse a block of slub_debug options. Blocks are delimited by ';'
1341 * @str: start of block
1342 * @flags: returns parsed flags, or DEBUG_DEFAULT_FLAGS if none specified
1343 * @slabs: return start of list of slabs, or NULL when there's no list
1344 * @init: assume this is initial parsing and not per-kmem-create parsing
1346 * returns the start of next block if there's any, or NULL
1349 parse_slub_debug_flags(char *str, slab_flags_t *flags, char **slabs, bool init)
1351 bool higher_order_disable = false;
1353 /* Skip any completely empty blocks */
1354 while (*str && *str == ';')
1359 * No options but restriction on slabs. This means full
1360 * debugging for slabs matching a pattern.
1362 *flags = DEBUG_DEFAULT_FLAGS;
1367 /* Determine which debug features should be switched on */
1368 for (; *str && *str != ',' && *str != ';'; str++) {
1369 switch (tolower(*str)) {
1374 *flags |= SLAB_CONSISTENCY_CHECKS;
1377 *flags |= SLAB_RED_ZONE;
1380 *flags |= SLAB_POISON;
1383 *flags |= SLAB_STORE_USER;
1386 *flags |= SLAB_TRACE;
1389 *flags |= SLAB_FAILSLAB;
1393 * Avoid enabling debugging on caches if its minimum
1394 * order would increase as a result.
1396 higher_order_disable = true;
1400 pr_err("slub_debug option '%c' unknown. skipped\n", *str);
1409 /* Skip over the slab list */
1410 while (*str && *str != ';')
1413 /* Skip any completely empty blocks */
1414 while (*str && *str == ';')
1417 if (init && higher_order_disable)
1418 disable_higher_order_debug = 1;
1426 static int __init setup_slub_debug(char *str)
1429 slab_flags_t global_flags;
1432 bool global_slub_debug_changed = false;
1433 bool slab_list_specified = false;
1435 global_flags = DEBUG_DEFAULT_FLAGS;
1436 if (*str++ != '=' || !*str)
1438 * No options specified. Switch on full debugging.
1444 str = parse_slub_debug_flags(str, &flags, &slab_list, true);
1447 global_flags = flags;
1448 global_slub_debug_changed = true;
1450 slab_list_specified = true;
1455 * For backwards compatibility, a single list of flags with list of
1456 * slabs means debugging is only changed for those slabs, so the global
1457 * slub_debug should be unchanged (0 or DEBUG_DEFAULT_FLAGS, depending
1458 * on CONFIG_SLUB_DEBUG_ON). We can extended that to multiple lists as
1459 * long as there is no option specifying flags without a slab list.
1461 if (slab_list_specified) {
1462 if (!global_slub_debug_changed)
1463 global_flags = slub_debug;
1464 slub_debug_string = saved_str;
1467 slub_debug = global_flags;
1468 if (slub_debug != 0 || slub_debug_string)
1469 static_branch_enable(&slub_debug_enabled);
1471 static_branch_disable(&slub_debug_enabled);
1472 if ((static_branch_unlikely(&init_on_alloc) ||
1473 static_branch_unlikely(&init_on_free)) &&
1474 (slub_debug & SLAB_POISON))
1475 pr_info("mem auto-init: SLAB_POISON will take precedence over init_on_alloc/init_on_free\n");
1479 __setup("slub_debug", setup_slub_debug);
1482 * kmem_cache_flags - apply debugging options to the cache
1483 * @object_size: the size of an object without meta data
1484 * @flags: flags to set
1485 * @name: name of the cache
1487 * Debug option(s) are applied to @flags. In addition to the debug
1488 * option(s), if a slab name (or multiple) is specified i.e.
1489 * slub_debug=<Debug-Options>,<slab name1>,<slab name2> ...
1490 * then only the select slabs will receive the debug option(s).
1492 slab_flags_t kmem_cache_flags(unsigned int object_size,
1493 slab_flags_t flags, const char *name)
1498 slab_flags_t block_flags;
1499 slab_flags_t slub_debug_local = slub_debug;
1502 * If the slab cache is for debugging (e.g. kmemleak) then
1503 * don't store user (stack trace) information by default,
1504 * but let the user enable it via the command line below.
1506 if (flags & SLAB_NOLEAKTRACE)
1507 slub_debug_local &= ~SLAB_STORE_USER;
1510 next_block = slub_debug_string;
1511 /* Go through all blocks of debug options, see if any matches our slab's name */
1512 while (next_block) {
1513 next_block = parse_slub_debug_flags(next_block, &block_flags, &iter, false);
1516 /* Found a block that has a slab list, search it */
1521 end = strchrnul(iter, ',');
1522 if (next_block && next_block < end)
1523 end = next_block - 1;
1525 glob = strnchr(iter, end - iter, '*');
1527 cmplen = glob - iter;
1529 cmplen = max_t(size_t, len, (end - iter));
1531 if (!strncmp(name, iter, cmplen)) {
1532 flags |= block_flags;
1536 if (!*end || *end == ';')
1542 return flags | slub_debug_local;
1544 #else /* !CONFIG_SLUB_DEBUG */
1545 static inline void setup_object_debug(struct kmem_cache *s,
1546 struct page *page, void *object) {}
1548 void setup_page_debug(struct kmem_cache *s, struct page *page, void *addr) {}
1550 static inline int alloc_debug_processing(struct kmem_cache *s,
1551 struct page *page, void *object, unsigned long addr) { return 0; }
1553 static inline int free_debug_processing(
1554 struct kmem_cache *s, struct page *page,
1555 void *head, void *tail, int bulk_cnt,
1556 unsigned long addr) { return 0; }
1558 static inline int slab_pad_check(struct kmem_cache *s, struct page *page)
1560 static inline int check_object(struct kmem_cache *s, struct page *page,
1561 void *object, u8 val) { return 1; }
1562 static inline void add_full(struct kmem_cache *s, struct kmem_cache_node *n,
1563 struct page *page) {}
1564 static inline void remove_full(struct kmem_cache *s, struct kmem_cache_node *n,
1565 struct page *page) {}
1566 slab_flags_t kmem_cache_flags(unsigned int object_size,
1567 slab_flags_t flags, const char *name)
1571 #define slub_debug 0
1573 #define disable_higher_order_debug 0
1575 static inline unsigned long slabs_node(struct kmem_cache *s, int node)
1577 static inline unsigned long node_nr_slabs(struct kmem_cache_node *n)
1579 static inline void inc_slabs_node(struct kmem_cache *s, int node,
1581 static inline void dec_slabs_node(struct kmem_cache *s, int node,
1584 static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
1585 void **freelist, void *nextfree)
1589 #endif /* CONFIG_SLUB_DEBUG */
1592 * Hooks for other subsystems that check memory allocations. In a typical
1593 * production configuration these hooks all should produce no code at all.
1595 static inline void *kmalloc_large_node_hook(void *ptr, size_t size, gfp_t flags)
1597 ptr = kasan_kmalloc_large(ptr, size, flags);
1598 /* As ptr might get tagged, call kmemleak hook after KASAN. */
1599 kmemleak_alloc(ptr, size, 1, flags);
1603 static __always_inline void kfree_hook(void *x)
1606 kasan_kfree_large(x);
1609 static __always_inline bool slab_free_hook(struct kmem_cache *s,
1612 kmemleak_free_recursive(x, s->flags);
1614 debug_check_no_locks_freed(x, s->object_size);
1616 if (!(s->flags & SLAB_DEBUG_OBJECTS))
1617 debug_check_no_obj_freed(x, s->object_size);
1619 /* Use KCSAN to help debug racy use-after-free. */
1620 if (!(s->flags & SLAB_TYPESAFE_BY_RCU))
1621 __kcsan_check_access(x, s->object_size,
1622 KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT);
1625 * As memory initialization might be integrated into KASAN,
1626 * kasan_slab_free and initialization memset's must be
1627 * kept together to avoid discrepancies in behavior.
1629 * The initialization memset's clear the object and the metadata,
1630 * but don't touch the SLAB redzone.
1635 if (!kasan_has_integrated_init())
1636 memset(kasan_reset_tag(x), 0, s->object_size);
1637 rsize = (s->flags & SLAB_RED_ZONE) ? s->red_left_pad : 0;
1638 memset((char *)kasan_reset_tag(x) + s->inuse, 0,
1639 s->size - s->inuse - rsize);
1641 /* KASAN might put x into memory quarantine, delaying its reuse. */
1642 return kasan_slab_free(s, x, init);
1645 static inline bool slab_free_freelist_hook(struct kmem_cache *s,
1646 void **head, void **tail)
1651 void *old_tail = *tail ? *tail : *head;
1653 if (is_kfence_address(next)) {
1654 slab_free_hook(s, next, false);
1658 /* Head and tail of the reconstructed freelist */
1664 next = get_freepointer(s, object);
1666 /* If object's reuse doesn't have to be delayed */
1667 if (!slab_free_hook(s, object, slab_want_init_on_free(s))) {
1668 /* Move object to the new freelist */
1669 set_freepointer(s, object, *head);
1674 } while (object != old_tail);
1679 return *head != NULL;
1682 static void *setup_object(struct kmem_cache *s, struct page *page,
1685 setup_object_debug(s, page, object);
1686 object = kasan_init_slab_obj(s, object);
1687 if (unlikely(s->ctor)) {
1688 kasan_unpoison_object_data(s, object);
1690 kasan_poison_object_data(s, object);
1696 * Slab allocation and freeing
1698 static inline struct page *alloc_slab_page(struct kmem_cache *s,
1699 gfp_t flags, int node, struct kmem_cache_order_objects oo)
1702 unsigned int order = oo_order(oo);
1704 if (node == NUMA_NO_NODE)
1705 page = alloc_pages(flags, order);
1707 page = __alloc_pages_node(node, flags, order);
1712 #ifdef CONFIG_SLAB_FREELIST_RANDOM
1713 /* Pre-initialize the random sequence cache */
1714 static int init_cache_random_seq(struct kmem_cache *s)
1716 unsigned int count = oo_objects(s->oo);
1719 /* Bailout if already initialised */
1723 err = cache_random_seq_create(s, count, GFP_KERNEL);
1725 pr_err("SLUB: Unable to initialize free list for %s\n",
1730 /* Transform to an offset on the set of pages */
1731 if (s->random_seq) {
1734 for (i = 0; i < count; i++)
1735 s->random_seq[i] *= s->size;
1740 /* Initialize each random sequence freelist per cache */
1741 static void __init init_freelist_randomization(void)
1743 struct kmem_cache *s;
1745 mutex_lock(&slab_mutex);
1747 list_for_each_entry(s, &slab_caches, list)
1748 init_cache_random_seq(s);
1750 mutex_unlock(&slab_mutex);
1753 /* Get the next entry on the pre-computed freelist randomized */
1754 static void *next_freelist_entry(struct kmem_cache *s, struct page *page,
1755 unsigned long *pos, void *start,
1756 unsigned long page_limit,
1757 unsigned long freelist_count)
1762 * If the target page allocation failed, the number of objects on the
1763 * page might be smaller than the usual size defined by the cache.
1766 idx = s->random_seq[*pos];
1768 if (*pos >= freelist_count)
1770 } while (unlikely(idx >= page_limit));
1772 return (char *)start + idx;
1775 /* Shuffle the single linked freelist based on a random pre-computed sequence */
1776 static bool shuffle_freelist(struct kmem_cache *s, struct page *page)
1781 unsigned long idx, pos, page_limit, freelist_count;
1783 if (page->objects < 2 || !s->random_seq)
1786 freelist_count = oo_objects(s->oo);
1787 pos = get_random_int() % freelist_count;
1789 page_limit = page->objects * s->size;
1790 start = fixup_red_left(s, page_address(page));
1792 /* First entry is used as the base of the freelist */
1793 cur = next_freelist_entry(s, page, &pos, start, page_limit,
1795 cur = setup_object(s, page, cur);
1796 page->freelist = cur;
1798 for (idx = 1; idx < page->objects; idx++) {
1799 next = next_freelist_entry(s, page, &pos, start, page_limit,
1801 next = setup_object(s, page, next);
1802 set_freepointer(s, cur, next);
1805 set_freepointer(s, cur, NULL);
1810 static inline int init_cache_random_seq(struct kmem_cache *s)
1814 static inline void init_freelist_randomization(void) { }
1815 static inline bool shuffle_freelist(struct kmem_cache *s, struct page *page)
1819 #endif /* CONFIG_SLAB_FREELIST_RANDOM */
1821 static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
1824 struct kmem_cache_order_objects oo = s->oo;
1826 void *start, *p, *next;
1830 flags &= gfp_allowed_mask;
1832 flags |= s->allocflags;
1835 * Let the initial higher-order allocation fail under memory pressure
1836 * so we fall-back to the minimum order allocation.
1838 alloc_gfp = (flags | __GFP_NOWARN | __GFP_NORETRY) & ~__GFP_NOFAIL;
1839 if ((alloc_gfp & __GFP_DIRECT_RECLAIM) && oo_order(oo) > oo_order(s->min))
1840 alloc_gfp = (alloc_gfp | __GFP_NOMEMALLOC) & ~(__GFP_RECLAIM|__GFP_NOFAIL);
1842 page = alloc_slab_page(s, alloc_gfp, node, oo);
1843 if (unlikely(!page)) {
1847 * Allocation may have failed due to fragmentation.
1848 * Try a lower order alloc if possible
1850 page = alloc_slab_page(s, alloc_gfp, node, oo);
1851 if (unlikely(!page))
1853 stat(s, ORDER_FALLBACK);
1856 page->objects = oo_objects(oo);
1858 account_slab_page(page, oo_order(oo), s, flags);
1860 page->slab_cache = s;
1861 __SetPageSlab(page);
1862 if (page_is_pfmemalloc(page))
1863 SetPageSlabPfmemalloc(page);
1865 kasan_poison_slab(page);
1867 start = page_address(page);
1869 setup_page_debug(s, page, start);
1871 shuffle = shuffle_freelist(s, page);
1874 start = fixup_red_left(s, start);
1875 start = setup_object(s, page, start);
1876 page->freelist = start;
1877 for (idx = 0, p = start; idx < page->objects - 1; idx++) {
1879 next = setup_object(s, page, next);
1880 set_freepointer(s, p, next);
1883 set_freepointer(s, p, NULL);
1886 page->inuse = page->objects;
1893 inc_slabs_node(s, page_to_nid(page), page->objects);
1898 static struct page *new_slab(struct kmem_cache *s, gfp_t flags, int node)
1900 if (unlikely(flags & GFP_SLAB_BUG_MASK))
1901 flags = kmalloc_fix_flags(flags);
1903 WARN_ON_ONCE(s->ctor && (flags & __GFP_ZERO));
1905 return allocate_slab(s,
1906 flags & (GFP_RECLAIM_MASK | GFP_CONSTRAINT_MASK), node);
1909 static void __free_slab(struct kmem_cache *s, struct page *page)
1911 int order = compound_order(page);
1912 int pages = 1 << order;
1914 if (kmem_cache_debug_flags(s, SLAB_CONSISTENCY_CHECKS)) {
1917 slab_pad_check(s, page);
1918 for_each_object(p, s, page_address(page),
1920 check_object(s, page, p, SLUB_RED_INACTIVE);
1923 __ClearPageSlabPfmemalloc(page);
1924 __ClearPageSlab(page);
1925 /* In union with page->mapping where page allocator expects NULL */
1926 page->slab_cache = NULL;
1927 if (current->reclaim_state)
1928 current->reclaim_state->reclaimed_slab += pages;
1929 unaccount_slab_page(page, order, s);
1930 __free_pages(page, order);
1933 static void rcu_free_slab(struct rcu_head *h)
1935 struct page *page = container_of(h, struct page, rcu_head);
1937 __free_slab(page->slab_cache, page);
1940 static void free_slab(struct kmem_cache *s, struct page *page)
1942 if (unlikely(s->flags & SLAB_TYPESAFE_BY_RCU)) {
1943 call_rcu(&page->rcu_head, rcu_free_slab);
1945 __free_slab(s, page);
1948 static void discard_slab(struct kmem_cache *s, struct page *page)
1950 dec_slabs_node(s, page_to_nid(page), page->objects);
1955 * Management of partially allocated slabs.
1958 __add_partial(struct kmem_cache_node *n, struct page *page, int tail)
1961 if (tail == DEACTIVATE_TO_TAIL)
1962 list_add_tail(&page->slab_list, &n->partial);
1964 list_add(&page->slab_list, &n->partial);
1967 static inline void add_partial(struct kmem_cache_node *n,
1968 struct page *page, int tail)
1970 lockdep_assert_held(&n->list_lock);
1971 __add_partial(n, page, tail);
1974 static inline void remove_partial(struct kmem_cache_node *n,
1977 lockdep_assert_held(&n->list_lock);
1978 list_del(&page->slab_list);
1983 * Remove slab from the partial list, freeze it and
1984 * return the pointer to the freelist.
1986 * Returns a list of objects or NULL if it fails.
1988 static inline void *acquire_slab(struct kmem_cache *s,
1989 struct kmem_cache_node *n, struct page *page,
1990 int mode, int *objects)
1993 unsigned long counters;
1996 lockdep_assert_held(&n->list_lock);
1999 * Zap the freelist and set the frozen bit.
2000 * The old freelist is the list of objects for the
2001 * per cpu allocation list.
2003 freelist = page->freelist;
2004 counters = page->counters;
2005 new.counters = counters;
2006 *objects = new.objects - new.inuse;
2008 new.inuse = page->objects;
2009 new.freelist = NULL;
2011 new.freelist = freelist;
2014 VM_BUG_ON(new.frozen);
2017 if (!__cmpxchg_double_slab(s, page,
2019 new.freelist, new.counters,
2023 remove_partial(n, page);
2028 static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain);
2029 static inline bool pfmemalloc_match(struct page *page, gfp_t gfpflags);
2032 * Try to allocate a partial slab from a specific node.
2034 static void *get_partial_node(struct kmem_cache *s, struct kmem_cache_node *n,
2035 struct page **ret_page, gfp_t gfpflags)
2037 struct page *page, *page2;
2038 void *object = NULL;
2039 unsigned int available = 0;
2040 unsigned long flags;
2044 * Racy check. If we mistakenly see no partial slabs then we
2045 * just allocate an empty slab. If we mistakenly try to get a
2046 * partial slab and there is none available then get_partial()
2049 if (!n || !n->nr_partial)
2052 spin_lock_irqsave(&n->list_lock, flags);
2053 list_for_each_entry_safe(page, page2, &n->partial, slab_list) {
2056 if (!pfmemalloc_match(page, gfpflags))
2059 t = acquire_slab(s, n, page, object == NULL, &objects);
2063 available += objects;
2066 stat(s, ALLOC_FROM_PARTIAL);
2069 put_cpu_partial(s, page, 0);
2070 stat(s, CPU_PARTIAL_NODE);
2072 if (!kmem_cache_has_cpu_partial(s)
2073 || available > slub_cpu_partial(s) / 2)
2077 spin_unlock_irqrestore(&n->list_lock, flags);
2082 * Get a page from somewhere. Search in increasing NUMA distances.
2084 static void *get_any_partial(struct kmem_cache *s, gfp_t flags,
2085 struct page **ret_page)
2088 struct zonelist *zonelist;
2091 enum zone_type highest_zoneidx = gfp_zone(flags);
2093 unsigned int cpuset_mems_cookie;
2096 * The defrag ratio allows a configuration of the tradeoffs between
2097 * inter node defragmentation and node local allocations. A lower
2098 * defrag_ratio increases the tendency to do local allocations
2099 * instead of attempting to obtain partial slabs from other nodes.
2101 * If the defrag_ratio is set to 0 then kmalloc() always
2102 * returns node local objects. If the ratio is higher then kmalloc()
2103 * may return off node objects because partial slabs are obtained
2104 * from other nodes and filled up.
2106 * If /sys/kernel/slab/xx/remote_node_defrag_ratio is set to 100
2107 * (which makes defrag_ratio = 1000) then every (well almost)
2108 * allocation will first attempt to defrag slab caches on other nodes.
2109 * This means scanning over all nodes to look for partial slabs which
2110 * may be expensive if we do it every time we are trying to find a slab
2111 * with available objects.
2113 if (!s->remote_node_defrag_ratio ||
2114 get_cycles() % 1024 > s->remote_node_defrag_ratio)
2118 cpuset_mems_cookie = read_mems_allowed_begin();
2119 zonelist = node_zonelist(mempolicy_slab_node(), flags);
2120 for_each_zone_zonelist(zone, z, zonelist, highest_zoneidx) {
2121 struct kmem_cache_node *n;
2123 n = get_node(s, zone_to_nid(zone));
2125 if (n && cpuset_zone_allowed(zone, flags) &&
2126 n->nr_partial > s->min_partial) {
2127 object = get_partial_node(s, n, ret_page, flags);
2130 * Don't check read_mems_allowed_retry()
2131 * here - if mems_allowed was updated in
2132 * parallel, that was a harmless race
2133 * between allocation and the cpuset
2140 } while (read_mems_allowed_retry(cpuset_mems_cookie));
2141 #endif /* CONFIG_NUMA */
2146 * Get a partial page, lock it and return it.
2148 static void *get_partial(struct kmem_cache *s, gfp_t flags, int node,
2149 struct page **ret_page)
2152 int searchnode = node;
2154 if (node == NUMA_NO_NODE)
2155 searchnode = numa_mem_id();
2157 object = get_partial_node(s, get_node(s, searchnode), ret_page, flags);
2158 if (object || node != NUMA_NO_NODE)
2161 return get_any_partial(s, flags, ret_page);
2164 #ifdef CONFIG_PREEMPTION
2166 * Calculate the next globally unique transaction for disambiguation
2167 * during cmpxchg. The transactions start with the cpu number and are then
2168 * incremented by CONFIG_NR_CPUS.
2170 #define TID_STEP roundup_pow_of_two(CONFIG_NR_CPUS)
2173 * No preemption supported therefore also no need to check for
2179 static inline unsigned long next_tid(unsigned long tid)
2181 return tid + TID_STEP;
2184 #ifdef SLUB_DEBUG_CMPXCHG
2185 static inline unsigned int tid_to_cpu(unsigned long tid)
2187 return tid % TID_STEP;
2190 static inline unsigned long tid_to_event(unsigned long tid)
2192 return tid / TID_STEP;
2196 static inline unsigned int init_tid(int cpu)
2201 static inline void note_cmpxchg_failure(const char *n,
2202 const struct kmem_cache *s, unsigned long tid)
2204 #ifdef SLUB_DEBUG_CMPXCHG
2205 unsigned long actual_tid = __this_cpu_read(s->cpu_slab->tid);
2207 pr_info("%s %s: cmpxchg redo ", n, s->name);
2209 #ifdef CONFIG_PREEMPTION
2210 if (tid_to_cpu(tid) != tid_to_cpu(actual_tid))
2211 pr_warn("due to cpu change %d -> %d\n",
2212 tid_to_cpu(tid), tid_to_cpu(actual_tid));
2215 if (tid_to_event(tid) != tid_to_event(actual_tid))
2216 pr_warn("due to cpu running other code. Event %ld->%ld\n",
2217 tid_to_event(tid), tid_to_event(actual_tid));
2219 pr_warn("for unknown reason: actual=%lx was=%lx target=%lx\n",
2220 actual_tid, tid, next_tid(tid));
2222 stat(s, CMPXCHG_DOUBLE_CPU_FAIL);
2225 static void init_kmem_cache_cpus(struct kmem_cache *s)
2229 for_each_possible_cpu(cpu)
2230 per_cpu_ptr(s->cpu_slab, cpu)->tid = init_tid(cpu);
2234 * Finishes removing the cpu slab. Merges cpu's freelist with page's freelist,
2235 * unfreezes the slabs and puts it on the proper list.
2236 * Assumes the slab has been already safely taken away from kmem_cache_cpu
2239 static void deactivate_slab(struct kmem_cache *s, struct page *page,
2242 enum slab_modes { M_NONE, M_PARTIAL, M_FULL, M_FREE };
2243 struct kmem_cache_node *n = get_node(s, page_to_nid(page));
2244 int lock = 0, free_delta = 0;
2245 enum slab_modes l = M_NONE, m = M_NONE;
2246 void *nextfree, *freelist_iter, *freelist_tail;
2247 int tail = DEACTIVATE_TO_HEAD;
2248 unsigned long flags = 0;
2252 if (page->freelist) {
2253 stat(s, DEACTIVATE_REMOTE_FREES);
2254 tail = DEACTIVATE_TO_TAIL;
2258 * Stage one: Count the objects on cpu's freelist as free_delta and
2259 * remember the last object in freelist_tail for later splicing.
2261 freelist_tail = NULL;
2262 freelist_iter = freelist;
2263 while (freelist_iter) {
2264 nextfree = get_freepointer(s, freelist_iter);
2267 * If 'nextfree' is invalid, it is possible that the object at
2268 * 'freelist_iter' is already corrupted. So isolate all objects
2269 * starting at 'freelist_iter' by skipping them.
2271 if (freelist_corrupted(s, page, &freelist_iter, nextfree))
2274 freelist_tail = freelist_iter;
2277 freelist_iter = nextfree;
2281 * Stage two: Unfreeze the page while splicing the per-cpu
2282 * freelist to the head of page's freelist.
2284 * Ensure that the page is unfrozen while the list presence
2285 * reflects the actual number of objects during unfreeze.
2287 * We setup the list membership and then perform a cmpxchg
2288 * with the count. If there is a mismatch then the page
2289 * is not unfrozen but the page is on the wrong list.
2291 * Then we restart the process which may have to remove
2292 * the page from the list that we just put it on again
2293 * because the number of objects in the slab may have
2298 old.freelist = READ_ONCE(page->freelist);
2299 old.counters = READ_ONCE(page->counters);
2300 VM_BUG_ON(!old.frozen);
2302 /* Determine target state of the slab */
2303 new.counters = old.counters;
2304 if (freelist_tail) {
2305 new.inuse -= free_delta;
2306 set_freepointer(s, freelist_tail, old.freelist);
2307 new.freelist = freelist;
2309 new.freelist = old.freelist;
2313 if (!new.inuse && n->nr_partial >= s->min_partial)
2315 else if (new.freelist) {
2320 * Taking the spinlock removes the possibility
2321 * that acquire_slab() will see a slab page that
2324 spin_lock_irqsave(&n->list_lock, flags);
2328 if (kmem_cache_debug_flags(s, SLAB_STORE_USER) && !lock) {
2331 * This also ensures that the scanning of full
2332 * slabs from diagnostic functions will not see
2335 spin_lock_irqsave(&n->list_lock, flags);
2341 remove_partial(n, page);
2342 else if (l == M_FULL)
2343 remove_full(s, n, page);
2346 add_partial(n, page, tail);
2347 else if (m == M_FULL)
2348 add_full(s, n, page);
2352 if (!cmpxchg_double_slab(s, page,
2353 old.freelist, old.counters,
2354 new.freelist, new.counters,
2359 spin_unlock_irqrestore(&n->list_lock, flags);
2363 else if (m == M_FULL)
2364 stat(s, DEACTIVATE_FULL);
2365 else if (m == M_FREE) {
2366 stat(s, DEACTIVATE_EMPTY);
2367 discard_slab(s, page);
2372 #ifdef CONFIG_SLUB_CPU_PARTIAL
2373 static void __unfreeze_partials(struct kmem_cache *s, struct page *partial_page)
2375 struct kmem_cache_node *n = NULL, *n2 = NULL;
2376 struct page *page, *discard_page = NULL;
2377 unsigned long flags = 0;
2379 while (partial_page) {
2383 page = partial_page;
2384 partial_page = page->next;
2386 n2 = get_node(s, page_to_nid(page));
2389 spin_unlock_irqrestore(&n->list_lock, flags);
2392 spin_lock_irqsave(&n->list_lock, flags);
2397 old.freelist = page->freelist;
2398 old.counters = page->counters;
2399 VM_BUG_ON(!old.frozen);
2401 new.counters = old.counters;
2402 new.freelist = old.freelist;
2406 } while (!__cmpxchg_double_slab(s, page,
2407 old.freelist, old.counters,
2408 new.freelist, new.counters,
2409 "unfreezing slab"));
2411 if (unlikely(!new.inuse && n->nr_partial >= s->min_partial)) {
2412 page->next = discard_page;
2413 discard_page = page;
2415 add_partial(n, page, DEACTIVATE_TO_TAIL);
2416 stat(s, FREE_ADD_PARTIAL);
2421 spin_unlock_irqrestore(&n->list_lock, flags);
2423 while (discard_page) {
2424 page = discard_page;
2425 discard_page = discard_page->next;
2427 stat(s, DEACTIVATE_EMPTY);
2428 discard_slab(s, page);
2434 * Unfreeze all the cpu partial slabs.
2436 static void unfreeze_partials(struct kmem_cache *s)
2438 struct page *partial_page;
2439 unsigned long flags;
2441 local_irq_save(flags);
2442 partial_page = this_cpu_read(s->cpu_slab->partial);
2443 this_cpu_write(s->cpu_slab->partial, NULL);
2444 local_irq_restore(flags);
2447 __unfreeze_partials(s, partial_page);
2450 static void unfreeze_partials_cpu(struct kmem_cache *s,
2451 struct kmem_cache_cpu *c)
2453 struct page *partial_page;
2455 partial_page = slub_percpu_partial(c);
2459 __unfreeze_partials(s, partial_page);
2462 #else /* CONFIG_SLUB_CPU_PARTIAL */
2464 static inline void unfreeze_partials(struct kmem_cache *s) { }
2465 static inline void unfreeze_partials_cpu(struct kmem_cache *s,
2466 struct kmem_cache_cpu *c) { }
2468 #endif /* CONFIG_SLUB_CPU_PARTIAL */
2471 * Put a page that was just frozen (in __slab_free|get_partial_node) into a
2472 * partial page slot if available.
2474 * If we did not find a slot then simply move all the partials to the
2475 * per node partial list.
2477 static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain)
2479 #ifdef CONFIG_SLUB_CPU_PARTIAL
2480 struct page *oldpage;
2488 oldpage = this_cpu_read(s->cpu_slab->partial);
2491 pobjects = oldpage->pobjects;
2492 pages = oldpage->pages;
2493 if (drain && pobjects > slub_cpu_partial(s)) {
2495 * partial array is full. Move the existing
2496 * set to the per node partial list.
2498 unfreeze_partials(s);
2502 stat(s, CPU_PARTIAL_DRAIN);
2507 pobjects += page->objects - page->inuse;
2509 page->pages = pages;
2510 page->pobjects = pobjects;
2511 page->next = oldpage;
2513 } while (this_cpu_cmpxchg(s->cpu_slab->partial, oldpage, page)
2516 #endif /* CONFIG_SLUB_CPU_PARTIAL */
2519 static inline void flush_slab(struct kmem_cache *s, struct kmem_cache_cpu *c)
2521 unsigned long flags;
2525 local_irq_save(flags);
2528 freelist = c->freelist;
2532 c->tid = next_tid(c->tid);
2534 local_irq_restore(flags);
2537 deactivate_slab(s, page, freelist);
2538 stat(s, CPUSLAB_FLUSH);
2542 static inline void __flush_cpu_slab(struct kmem_cache *s, int cpu)
2544 struct kmem_cache_cpu *c = per_cpu_ptr(s->cpu_slab, cpu);
2545 void *freelist = c->freelist;
2546 struct page *page = c->page;
2550 c->tid = next_tid(c->tid);
2553 deactivate_slab(s, page, freelist);
2554 stat(s, CPUSLAB_FLUSH);
2557 unfreeze_partials_cpu(s, c);
2560 struct slub_flush_work {
2561 struct work_struct work;
2562 struct kmem_cache *s;
2569 * Called from CPU work handler with migration disabled.
2571 static void flush_cpu_slab(struct work_struct *w)
2573 struct kmem_cache *s;
2574 struct kmem_cache_cpu *c;
2575 struct slub_flush_work *sfw;
2577 sfw = container_of(w, struct slub_flush_work, work);
2580 c = this_cpu_ptr(s->cpu_slab);
2585 unfreeze_partials(s);
2588 static bool has_cpu_slab(int cpu, struct kmem_cache *s)
2590 struct kmem_cache_cpu *c = per_cpu_ptr(s->cpu_slab, cpu);
2592 return c->page || slub_percpu_partial(c);
2595 static DEFINE_MUTEX(flush_lock);
2596 static DEFINE_PER_CPU(struct slub_flush_work, slub_flush);
2598 static void flush_all_cpus_locked(struct kmem_cache *s)
2600 struct slub_flush_work *sfw;
2603 lockdep_assert_cpus_held();
2604 mutex_lock(&flush_lock);
2606 for_each_online_cpu(cpu) {
2607 sfw = &per_cpu(slub_flush, cpu);
2608 if (!has_cpu_slab(cpu, s)) {
2612 INIT_WORK(&sfw->work, flush_cpu_slab);
2615 schedule_work_on(cpu, &sfw->work);
2618 for_each_online_cpu(cpu) {
2619 sfw = &per_cpu(slub_flush, cpu);
2622 flush_work(&sfw->work);
2625 mutex_unlock(&flush_lock);
2628 static void flush_all(struct kmem_cache *s)
2631 flush_all_cpus_locked(s);
2636 * Use the cpu notifier to insure that the cpu slabs are flushed when
2639 static int slub_cpu_dead(unsigned int cpu)
2641 struct kmem_cache *s;
2643 mutex_lock(&slab_mutex);
2644 list_for_each_entry(s, &slab_caches, list)
2645 __flush_cpu_slab(s, cpu);
2646 mutex_unlock(&slab_mutex);
2651 * Check if the objects in a per cpu structure fit numa
2652 * locality expectations.
2654 static inline int node_match(struct page *page, int node)
2657 if (node != NUMA_NO_NODE && page_to_nid(page) != node)
2663 #ifdef CONFIG_SLUB_DEBUG
2664 static int count_free(struct page *page)
2666 return page->objects - page->inuse;
2669 static inline unsigned long node_nr_objs(struct kmem_cache_node *n)
2671 return atomic_long_read(&n->total_objects);
2673 #endif /* CONFIG_SLUB_DEBUG */
2675 #if defined(CONFIG_SLUB_DEBUG) || defined(CONFIG_SYSFS)
2676 static unsigned long count_partial(struct kmem_cache_node *n,
2677 int (*get_count)(struct page *))
2679 unsigned long flags;
2680 unsigned long x = 0;
2683 spin_lock_irqsave(&n->list_lock, flags);
2684 list_for_each_entry(page, &n->partial, slab_list)
2685 x += get_count(page);
2686 spin_unlock_irqrestore(&n->list_lock, flags);
2689 #endif /* CONFIG_SLUB_DEBUG || CONFIG_SYSFS */
2691 static noinline void
2692 slab_out_of_memory(struct kmem_cache *s, gfp_t gfpflags, int nid)
2694 #ifdef CONFIG_SLUB_DEBUG
2695 static DEFINE_RATELIMIT_STATE(slub_oom_rs, DEFAULT_RATELIMIT_INTERVAL,
2696 DEFAULT_RATELIMIT_BURST);
2698 struct kmem_cache_node *n;
2700 if ((gfpflags & __GFP_NOWARN) || !__ratelimit(&slub_oom_rs))
2703 pr_warn("SLUB: Unable to allocate memory on node %d, gfp=%#x(%pGg)\n",
2704 nid, gfpflags, &gfpflags);
2705 pr_warn(" cache: %s, object size: %u, buffer size: %u, default order: %u, min order: %u\n",
2706 s->name, s->object_size, s->size, oo_order(s->oo),
2709 if (oo_order(s->min) > get_order(s->object_size))
2710 pr_warn(" %s debugging increased min order, use slub_debug=O to disable.\n",
2713 for_each_kmem_cache_node(s, node, n) {
2714 unsigned long nr_slabs;
2715 unsigned long nr_objs;
2716 unsigned long nr_free;
2718 nr_free = count_partial(n, count_free);
2719 nr_slabs = node_nr_slabs(n);
2720 nr_objs = node_nr_objs(n);
2722 pr_warn(" node %d: slabs: %ld, objs: %ld, free: %ld\n",
2723 node, nr_slabs, nr_objs, nr_free);
2728 static inline bool pfmemalloc_match(struct page *page, gfp_t gfpflags)
2730 if (unlikely(PageSlabPfmemalloc(page)))
2731 return gfp_pfmemalloc_allowed(gfpflags);
2737 * A variant of pfmemalloc_match() that tests page flags without asserting
2738 * PageSlab. Intended for opportunistic checks before taking a lock and
2739 * rechecking that nobody else freed the page under us.
2741 static inline bool pfmemalloc_match_unsafe(struct page *page, gfp_t gfpflags)
2743 if (unlikely(__PageSlabPfmemalloc(page)))
2744 return gfp_pfmemalloc_allowed(gfpflags);
2750 * Check the page->freelist of a page and either transfer the freelist to the
2751 * per cpu freelist or deactivate the page.
2753 * The page is still frozen if the return value is not NULL.
2755 * If this function returns NULL then the page has been unfrozen.
2757 * This function must be called with interrupt disabled.
2759 static inline void *get_freelist(struct kmem_cache *s, struct page *page)
2762 unsigned long counters;
2766 freelist = page->freelist;
2767 counters = page->counters;
2769 new.counters = counters;
2770 VM_BUG_ON(!new.frozen);
2772 new.inuse = page->objects;
2773 new.frozen = freelist != NULL;
2775 } while (!__cmpxchg_double_slab(s, page,
2784 * Slow path. The lockless freelist is empty or we need to perform
2787 * Processing is still very fast if new objects have been freed to the
2788 * regular freelist. In that case we simply take over the regular freelist
2789 * as the lockless freelist and zap the regular freelist.
2791 * If that is not working then we fall back to the partial lists. We take the
2792 * first element of the freelist as the object to allocate now and move the
2793 * rest of the freelist to the lockless freelist.
2795 * And if we were unable to get a new slab from the partial slab lists then
2796 * we need to allocate a new slab. This is the slowest path since it involves
2797 * a call to the page allocator and the setup of a new slab.
2799 * Version of __slab_alloc to use when we know that preemption is
2800 * already disabled (which is the case for bulk allocation).
2802 static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
2803 unsigned long addr, struct kmem_cache_cpu *c)
2807 unsigned long flags;
2809 stat(s, ALLOC_SLOWPATH);
2813 page = READ_ONCE(c->page);
2816 * if the node is not online or has no normal memory, just
2817 * ignore the node constraint
2819 if (unlikely(node != NUMA_NO_NODE &&
2820 !node_isset(node, slab_nodes)))
2821 node = NUMA_NO_NODE;
2826 if (unlikely(!node_match(page, node))) {
2828 * same as above but node_match() being false already
2829 * implies node != NUMA_NO_NODE
2831 if (!node_isset(node, slab_nodes)) {
2832 node = NUMA_NO_NODE;
2835 stat(s, ALLOC_NODE_MISMATCH);
2836 goto deactivate_slab;
2841 * By rights, we should be searching for a slab page that was
2842 * PFMEMALLOC but right now, we are losing the pfmemalloc
2843 * information when the page leaves the per-cpu allocator
2845 if (unlikely(!pfmemalloc_match_unsafe(page, gfpflags)))
2846 goto deactivate_slab;
2848 /* must check again c->page in case IRQ handler changed it */
2849 local_irq_save(flags);
2850 if (unlikely(page != c->page)) {
2851 local_irq_restore(flags);
2854 freelist = c->freelist;
2858 freelist = get_freelist(s, page);
2862 local_irq_restore(flags);
2863 stat(s, DEACTIVATE_BYPASS);
2867 stat(s, ALLOC_REFILL);
2871 lockdep_assert_irqs_disabled();
2874 * freelist is pointing to the list of objects to be used.
2875 * page is pointing to the page from which the objects are obtained.
2876 * That page must be frozen for per cpu allocations to work.
2878 VM_BUG_ON(!c->page->frozen);
2879 c->freelist = get_freepointer(s, freelist);
2880 c->tid = next_tid(c->tid);
2881 local_irq_restore(flags);
2886 local_irq_save(flags);
2887 if (page != c->page) {
2888 local_irq_restore(flags);
2891 freelist = c->freelist;
2894 local_irq_restore(flags);
2895 deactivate_slab(s, page, freelist);
2899 if (slub_percpu_partial(c)) {
2900 local_irq_save(flags);
2901 if (unlikely(c->page)) {
2902 local_irq_restore(flags);
2905 if (unlikely(!slub_percpu_partial(c))) {
2906 local_irq_restore(flags);
2907 goto new_objects; /* stolen by an IRQ handler */
2910 page = c->page = slub_percpu_partial(c);
2911 slub_set_percpu_partial(c, page);
2912 local_irq_restore(flags);
2913 stat(s, CPU_PARTIAL_ALLOC);
2919 freelist = get_partial(s, gfpflags, node, &page);
2921 goto check_new_page;
2923 put_cpu_ptr(s->cpu_slab);
2924 page = new_slab(s, gfpflags, node);
2925 c = get_cpu_ptr(s->cpu_slab);
2927 if (unlikely(!page)) {
2928 slab_out_of_memory(s, gfpflags, node);
2933 * No other reference to the page yet so we can
2934 * muck around with it freely without cmpxchg
2936 freelist = page->freelist;
2937 page->freelist = NULL;
2939 stat(s, ALLOC_SLAB);
2943 if (kmem_cache_debug(s)) {
2944 if (!alloc_debug_processing(s, page, freelist, addr)) {
2945 /* Slab failed checks. Next slab needed */
2949 * For debug case, we don't load freelist so that all
2950 * allocations go through alloc_debug_processing()
2956 if (unlikely(!pfmemalloc_match(page, gfpflags)))
2958 * For !pfmemalloc_match() case we don't load freelist so that
2959 * we don't make further mismatched allocations easier.
2965 local_irq_save(flags);
2966 if (unlikely(c->page)) {
2967 void *flush_freelist = c->freelist;
2968 struct page *flush_page = c->page;
2972 c->tid = next_tid(c->tid);
2974 local_irq_restore(flags);
2976 deactivate_slab(s, flush_page, flush_freelist);
2978 stat(s, CPUSLAB_FLUSH);
2980 goto retry_load_page;
2988 deactivate_slab(s, page, get_freepointer(s, freelist));
2993 * A wrapper for ___slab_alloc() for contexts where preemption is not yet
2994 * disabled. Compensates for possible cpu changes by refetching the per cpu area
2997 static void *__slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
2998 unsigned long addr, struct kmem_cache_cpu *c)
3002 #ifdef CONFIG_PREEMPT_COUNT
3004 * We may have been preempted and rescheduled on a different
3005 * cpu before disabling preemption. Need to reload cpu area
3008 c = get_cpu_ptr(s->cpu_slab);
3011 p = ___slab_alloc(s, gfpflags, node, addr, c);
3012 #ifdef CONFIG_PREEMPT_COUNT
3013 put_cpu_ptr(s->cpu_slab);
3019 * If the object has been wiped upon free, make sure it's fully initialized by
3020 * zeroing out freelist pointer.
3022 static __always_inline void maybe_wipe_obj_freeptr(struct kmem_cache *s,
3025 if (unlikely(slab_want_init_on_free(s)) && obj)
3026 memset((void *)((char *)kasan_reset_tag(obj) + s->offset),
3031 * Inlined fastpath so that allocation functions (kmalloc, kmem_cache_alloc)
3032 * have the fastpath folded into their functions. So no function call
3033 * overhead for requests that can be satisfied on the fastpath.
3035 * The fastpath works by first checking if the lockless freelist can be used.
3036 * If not then __slab_alloc is called for slow processing.
3038 * Otherwise we can simply pick the next object from the lockless free list.
3040 static __always_inline void *slab_alloc_node(struct kmem_cache *s,
3041 gfp_t gfpflags, int node, unsigned long addr, size_t orig_size)
3044 struct kmem_cache_cpu *c;
3047 struct obj_cgroup *objcg = NULL;
3050 s = slab_pre_alloc_hook(s, &objcg, 1, gfpflags);
3054 object = kfence_alloc(s, orig_size, gfpflags);
3055 if (unlikely(object))
3060 * Must read kmem_cache cpu data via this cpu ptr. Preemption is
3061 * enabled. We may switch back and forth between cpus while
3062 * reading from one cpu area. That does not matter as long
3063 * as we end up on the original cpu again when doing the cmpxchg.
3065 * We must guarantee that tid and kmem_cache_cpu are retrieved on the
3066 * same cpu. We read first the kmem_cache_cpu pointer and use it to read
3067 * the tid. If we are preempted and switched to another cpu between the
3068 * two reads, it's OK as the two are still associated with the same cpu
3069 * and cmpxchg later will validate the cpu.
3071 c = raw_cpu_ptr(s->cpu_slab);
3072 tid = READ_ONCE(c->tid);
3075 * Irqless object alloc/free algorithm used here depends on sequence
3076 * of fetching cpu_slab's data. tid should be fetched before anything
3077 * on c to guarantee that object and page associated with previous tid
3078 * won't be used with current tid. If we fetch tid first, object and
3079 * page could be one associated with next tid and our alloc/free
3080 * request will be failed. In this case, we will retry. So, no problem.
3085 * The transaction ids are globally unique per cpu and per operation on
3086 * a per cpu queue. Thus they can be guarantee that the cmpxchg_double
3087 * occurs on the right processor and that there was no operation on the
3088 * linked list in between.
3091 object = c->freelist;
3093 if (unlikely(!object || !page || !node_match(page, node))) {
3094 object = __slab_alloc(s, gfpflags, node, addr, c);
3096 void *next_object = get_freepointer_safe(s, object);
3099 * The cmpxchg will only match if there was no additional
3100 * operation and if we are on the right processor.
3102 * The cmpxchg does the following atomically (without lock
3104 * 1. Relocate first pointer to the current per cpu area.
3105 * 2. Verify that tid and freelist have not been changed
3106 * 3. If they were not changed replace tid and freelist
3108 * Since this is without lock semantics the protection is only
3109 * against code executing on this cpu *not* from access by
3112 if (unlikely(!this_cpu_cmpxchg_double(
3113 s->cpu_slab->freelist, s->cpu_slab->tid,
3115 next_object, next_tid(tid)))) {
3117 note_cmpxchg_failure("slab_alloc", s, tid);
3120 prefetch_freepointer(s, next_object);
3121 stat(s, ALLOC_FASTPATH);
3124 maybe_wipe_obj_freeptr(s, object);
3125 init = slab_want_init_on_alloc(gfpflags, s);
3128 slab_post_alloc_hook(s, objcg, gfpflags, 1, &object, init);
3133 static __always_inline void *slab_alloc(struct kmem_cache *s,
3134 gfp_t gfpflags, unsigned long addr, size_t orig_size)
3136 return slab_alloc_node(s, gfpflags, NUMA_NO_NODE, addr, orig_size);
3139 void *kmem_cache_alloc(struct kmem_cache *s, gfp_t gfpflags)
3141 void *ret = slab_alloc(s, gfpflags, _RET_IP_, s->object_size);
3143 trace_kmem_cache_alloc(_RET_IP_, ret, s->object_size,
3148 EXPORT_SYMBOL(kmem_cache_alloc);
3150 #ifdef CONFIG_TRACING
3151 void *kmem_cache_alloc_trace(struct kmem_cache *s, gfp_t gfpflags, size_t size)
3153 void *ret = slab_alloc(s, gfpflags, _RET_IP_, size);
3154 trace_kmalloc(_RET_IP_, ret, size, s->size, gfpflags);
3155 ret = kasan_kmalloc(s, ret, size, gfpflags);
3158 EXPORT_SYMBOL(kmem_cache_alloc_trace);
3162 void *kmem_cache_alloc_node(struct kmem_cache *s, gfp_t gfpflags, int node)
3164 void *ret = slab_alloc_node(s, gfpflags, node, _RET_IP_, s->object_size);
3166 trace_kmem_cache_alloc_node(_RET_IP_, ret,
3167 s->object_size, s->size, gfpflags, node);
3171 EXPORT_SYMBOL(kmem_cache_alloc_node);
3173 #ifdef CONFIG_TRACING
3174 void *kmem_cache_alloc_node_trace(struct kmem_cache *s,
3176 int node, size_t size)
3178 void *ret = slab_alloc_node(s, gfpflags, node, _RET_IP_, size);
3180 trace_kmalloc_node(_RET_IP_, ret,
3181 size, s->size, gfpflags, node);
3183 ret = kasan_kmalloc(s, ret, size, gfpflags);
3186 EXPORT_SYMBOL(kmem_cache_alloc_node_trace);
3188 #endif /* CONFIG_NUMA */
3191 * Slow path handling. This may still be called frequently since objects
3192 * have a longer lifetime than the cpu slabs in most processing loads.
3194 * So we still attempt to reduce cache line usage. Just take the slab
3195 * lock and free the item. If there is no additional partial page
3196 * handling required then we can return immediately.
3198 static void __slab_free(struct kmem_cache *s, struct page *page,
3199 void *head, void *tail, int cnt,
3206 unsigned long counters;
3207 struct kmem_cache_node *n = NULL;
3208 unsigned long flags;
3210 stat(s, FREE_SLOWPATH);
3212 if (kfence_free(head))
3215 if (kmem_cache_debug(s) &&
3216 !free_debug_processing(s, page, head, tail, cnt, addr))
3221 spin_unlock_irqrestore(&n->list_lock, flags);
3224 prior = page->freelist;
3225 counters = page->counters;
3226 set_freepointer(s, tail, prior);
3227 new.counters = counters;
3228 was_frozen = new.frozen;
3230 if ((!new.inuse || !prior) && !was_frozen) {
3232 if (kmem_cache_has_cpu_partial(s) && !prior) {
3235 * Slab was on no list before and will be
3237 * We can defer the list move and instead
3242 } else { /* Needs to be taken off a list */
3244 n = get_node(s, page_to_nid(page));
3246 * Speculatively acquire the list_lock.
3247 * If the cmpxchg does not succeed then we may
3248 * drop the list_lock without any processing.
3250 * Otherwise the list_lock will synchronize with
3251 * other processors updating the list of slabs.
3253 spin_lock_irqsave(&n->list_lock, flags);
3258 } while (!cmpxchg_double_slab(s, page,
3265 if (likely(was_frozen)) {
3267 * The list lock was not taken therefore no list
3268 * activity can be necessary.
3270 stat(s, FREE_FROZEN);
3271 } else if (new.frozen) {
3273 * If we just froze the page then put it onto the
3274 * per cpu partial list.
3276 put_cpu_partial(s, page, 1);
3277 stat(s, CPU_PARTIAL_FREE);
3283 if (unlikely(!new.inuse && n->nr_partial >= s->min_partial))
3287 * Objects left in the slab. If it was not on the partial list before
3290 if (!kmem_cache_has_cpu_partial(s) && unlikely(!prior)) {
3291 remove_full(s, n, page);
3292 add_partial(n, page, DEACTIVATE_TO_TAIL);
3293 stat(s, FREE_ADD_PARTIAL);
3295 spin_unlock_irqrestore(&n->list_lock, flags);
3301 * Slab on the partial list.
3303 remove_partial(n, page);
3304 stat(s, FREE_REMOVE_PARTIAL);
3306 /* Slab must be on the full list */
3307 remove_full(s, n, page);
3310 spin_unlock_irqrestore(&n->list_lock, flags);
3312 discard_slab(s, page);
3316 * Fastpath with forced inlining to produce a kfree and kmem_cache_free that
3317 * can perform fastpath freeing without additional function calls.
3319 * The fastpath is only possible if we are freeing to the current cpu slab
3320 * of this processor. This typically the case if we have just allocated
3323 * If fastpath is not possible then fall back to __slab_free where we deal
3324 * with all sorts of special processing.
3326 * Bulk free of a freelist with several objects (all pointing to the
3327 * same page) possible by specifying head and tail ptr, plus objects
3328 * count (cnt). Bulk free indicated by tail pointer being set.
3330 static __always_inline void do_slab_free(struct kmem_cache *s,
3331 struct page *page, void *head, void *tail,
3332 int cnt, unsigned long addr)
3334 void *tail_obj = tail ? : head;
3335 struct kmem_cache_cpu *c;
3338 memcg_slab_free_hook(s, &head, 1);
3341 * Determine the currently cpus per cpu slab.
3342 * The cpu may change afterward. However that does not matter since
3343 * data is retrieved via this pointer. If we are on the same cpu
3344 * during the cmpxchg then the free will succeed.
3346 c = raw_cpu_ptr(s->cpu_slab);
3347 tid = READ_ONCE(c->tid);
3349 /* Same with comment on barrier() in slab_alloc_node() */
3352 if (likely(page == c->page)) {
3353 void **freelist = READ_ONCE(c->freelist);
3355 set_freepointer(s, tail_obj, freelist);
3357 if (unlikely(!this_cpu_cmpxchg_double(
3358 s->cpu_slab->freelist, s->cpu_slab->tid,
3360 head, next_tid(tid)))) {
3362 note_cmpxchg_failure("slab_free", s, tid);
3365 stat(s, FREE_FASTPATH);
3367 __slab_free(s, page, head, tail_obj, cnt, addr);
3371 static __always_inline void slab_free(struct kmem_cache *s, struct page *page,
3372 void *head, void *tail, int cnt,
3376 * With KASAN enabled slab_free_freelist_hook modifies the freelist
3377 * to remove objects, whose reuse must be delayed.
3379 if (slab_free_freelist_hook(s, &head, &tail))
3380 do_slab_free(s, page, head, tail, cnt, addr);
3383 #ifdef CONFIG_KASAN_GENERIC
3384 void ___cache_free(struct kmem_cache *cache, void *x, unsigned long addr)
3386 do_slab_free(cache, virt_to_head_page(x), x, NULL, 1, addr);
3390 void kmem_cache_free(struct kmem_cache *s, void *x)
3392 s = cache_from_obj(s, x);
3395 slab_free(s, virt_to_head_page(x), x, NULL, 1, _RET_IP_);
3396 trace_kmem_cache_free(_RET_IP_, x, s->name);
3398 EXPORT_SYMBOL(kmem_cache_free);
3400 struct detached_freelist {
3405 struct kmem_cache *s;
3408 static inline void free_nonslab_page(struct page *page, void *object)
3410 unsigned int order = compound_order(page);
3412 VM_BUG_ON_PAGE(!PageCompound(page), page);
3414 mod_lruvec_page_state(page, NR_SLAB_UNRECLAIMABLE_B, -(PAGE_SIZE << order));
3415 __free_pages(page, order);
3419 * This function progressively scans the array with free objects (with
3420 * a limited look ahead) and extract objects belonging to the same
3421 * page. It builds a detached freelist directly within the given
3422 * page/objects. This can happen without any need for
3423 * synchronization, because the objects are owned by running process.
3424 * The freelist is build up as a single linked list in the objects.
3425 * The idea is, that this detached freelist can then be bulk
3426 * transferred to the real freelist(s), but only requiring a single
3427 * synchronization primitive. Look ahead in the array is limited due
3428 * to performance reasons.
3431 int build_detached_freelist(struct kmem_cache *s, size_t size,
3432 void **p, struct detached_freelist *df)
3434 size_t first_skipped_index = 0;
3439 /* Always re-init detached_freelist */
3444 /* Do we need !ZERO_OR_NULL_PTR(object) here? (for kfree) */
3445 } while (!object && size);
3450 page = virt_to_head_page(object);
3452 /* Handle kalloc'ed objects */
3453 if (unlikely(!PageSlab(page))) {
3454 free_nonslab_page(page, object);
3455 p[size] = NULL; /* mark object processed */
3458 /* Derive kmem_cache from object */
3459 df->s = page->slab_cache;
3461 df->s = cache_from_obj(s, object); /* Support for memcg */
3464 if (is_kfence_address(object)) {
3465 slab_free_hook(df->s, object, false);
3466 __kfence_free(object);
3467 p[size] = NULL; /* mark object processed */
3471 /* Start new detached freelist */
3473 set_freepointer(df->s, object, NULL);
3475 df->freelist = object;
3476 p[size] = NULL; /* mark object processed */
3482 continue; /* Skip processed objects */
3484 /* df->page is always set at this point */
3485 if (df->page == virt_to_head_page(object)) {
3486 /* Opportunity build freelist */
3487 set_freepointer(df->s, object, df->freelist);
3488 df->freelist = object;
3490 p[size] = NULL; /* mark object processed */
3495 /* Limit look ahead search */
3499 if (!first_skipped_index)
3500 first_skipped_index = size + 1;
3503 return first_skipped_index;
3506 /* Note that interrupts must be enabled when calling this function. */
3507 void kmem_cache_free_bulk(struct kmem_cache *s, size_t size, void **p)
3512 memcg_slab_free_hook(s, p, size);
3514 struct detached_freelist df;
3516 size = build_detached_freelist(s, size, p, &df);
3520 slab_free(df.s, df.page, df.freelist, df.tail, df.cnt, _RET_IP_);
3521 } while (likely(size));
3523 EXPORT_SYMBOL(kmem_cache_free_bulk);
3525 /* Note that interrupts must be enabled when calling this function. */
3526 int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
3529 struct kmem_cache_cpu *c;
3531 struct obj_cgroup *objcg = NULL;
3533 /* memcg and kmem_cache debug support */
3534 s = slab_pre_alloc_hook(s, &objcg, size, flags);
3538 * Drain objects in the per cpu slab, while disabling local
3539 * IRQs, which protects against PREEMPT and interrupts
3540 * handlers invoking normal fastpath.
3542 c = get_cpu_ptr(s->cpu_slab);
3543 local_irq_disable();
3545 for (i = 0; i < size; i++) {
3546 void *object = kfence_alloc(s, s->object_size, flags);
3548 if (unlikely(object)) {
3553 object = c->freelist;
3554 if (unlikely(!object)) {
3556 * We may have removed an object from c->freelist using
3557 * the fastpath in the previous iteration; in that case,
3558 * c->tid has not been bumped yet.
3559 * Since ___slab_alloc() may reenable interrupts while
3560 * allocating memory, we should bump c->tid now.
3562 c->tid = next_tid(c->tid);
3567 * Invoking slow path likely have side-effect
3568 * of re-populating per CPU c->freelist
3570 p[i] = ___slab_alloc(s, flags, NUMA_NO_NODE,
3572 if (unlikely(!p[i]))
3575 c = this_cpu_ptr(s->cpu_slab);
3576 maybe_wipe_obj_freeptr(s, p[i]);
3578 local_irq_disable();
3580 continue; /* goto for-loop */
3582 c->freelist = get_freepointer(s, object);
3584 maybe_wipe_obj_freeptr(s, p[i]);
3586 c->tid = next_tid(c->tid);
3588 put_cpu_ptr(s->cpu_slab);
3591 * memcg and kmem_cache debug support and memory initialization.
3592 * Done outside of the IRQ disabled fastpath loop.
3594 slab_post_alloc_hook(s, objcg, flags, size, p,
3595 slab_want_init_on_alloc(flags, s));
3598 put_cpu_ptr(s->cpu_slab);
3599 slab_post_alloc_hook(s, objcg, flags, i, p, false);
3600 __kmem_cache_free_bulk(s, i, p);
3603 EXPORT_SYMBOL(kmem_cache_alloc_bulk);
3607 * Object placement in a slab is made very easy because we always start at
3608 * offset 0. If we tune the size of the object to the alignment then we can
3609 * get the required alignment by putting one properly sized object after
3612 * Notice that the allocation order determines the sizes of the per cpu
3613 * caches. Each processor has always one slab available for allocations.
3614 * Increasing the allocation order reduces the number of times that slabs
3615 * must be moved on and off the partial lists and is therefore a factor in
3620 * Minimum / Maximum order of slab pages. This influences locking overhead
3621 * and slab fragmentation. A higher order reduces the number of partial slabs
3622 * and increases the number of allocations possible without having to
3623 * take the list_lock.
3625 static unsigned int slub_min_order;
3626 static unsigned int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
3627 static unsigned int slub_min_objects;
3630 * Calculate the order of allocation given an slab object size.
3632 * The order of allocation has significant impact on performance and other
3633 * system components. Generally order 0 allocations should be preferred since
3634 * order 0 does not cause fragmentation in the page allocator. Larger objects
3635 * be problematic to put into order 0 slabs because there may be too much
3636 * unused space left. We go to a higher order if more than 1/16th of the slab
3639 * In order to reach satisfactory performance we must ensure that a minimum
3640 * number of objects is in one slab. Otherwise we may generate too much
3641 * activity on the partial lists which requires taking the list_lock. This is
3642 * less a concern for large slabs though which are rarely used.
3644 * slub_max_order specifies the order where we begin to stop considering the
3645 * number of objects in a slab as critical. If we reach slub_max_order then
3646 * we try to keep the page order as low as possible. So we accept more waste
3647 * of space in favor of a small page order.
3649 * Higher order allocations also allow the placement of more objects in a
3650 * slab and thereby reduce object handling overhead. If the user has
3651 * requested a higher minimum order then we start with that one instead of
3652 * the smallest order which will fit the object.
3654 static inline unsigned int slab_order(unsigned int size,
3655 unsigned int min_objects, unsigned int max_order,
3656 unsigned int fract_leftover)
3658 unsigned int min_order = slub_min_order;
3661 if (order_objects(min_order, size) > MAX_OBJS_PER_PAGE)
3662 return get_order(size * MAX_OBJS_PER_PAGE) - 1;
3664 for (order = max(min_order, (unsigned int)get_order(min_objects * size));
3665 order <= max_order; order++) {
3667 unsigned int slab_size = (unsigned int)PAGE_SIZE << order;
3670 rem = slab_size % size;
3672 if (rem <= slab_size / fract_leftover)
3679 static inline int calculate_order(unsigned int size)
3682 unsigned int min_objects;
3683 unsigned int max_objects;
3684 unsigned int nr_cpus;
3687 * Attempt to find best configuration for a slab. This
3688 * works by first attempting to generate a layout with
3689 * the best configuration and backing off gradually.
3691 * First we increase the acceptable waste in a slab. Then
3692 * we reduce the minimum objects required in a slab.
3694 min_objects = slub_min_objects;
3697 * Some architectures will only update present cpus when
3698 * onlining them, so don't trust the number if it's just 1. But
3699 * we also don't want to use nr_cpu_ids always, as on some other
3700 * architectures, there can be many possible cpus, but never
3701 * onlined. Here we compromise between trying to avoid too high
3702 * order on systems that appear larger than they are, and too
3703 * low order on systems that appear smaller than they are.
3705 nr_cpus = num_present_cpus();
3707 nr_cpus = nr_cpu_ids;
3708 min_objects = 4 * (fls(nr_cpus) + 1);
3710 max_objects = order_objects(slub_max_order, size);
3711 min_objects = min(min_objects, max_objects);
3713 while (min_objects > 1) {
3714 unsigned int fraction;
3717 while (fraction >= 4) {
3718 order = slab_order(size, min_objects,
3719 slub_max_order, fraction);
3720 if (order <= slub_max_order)
3728 * We were unable to place multiple objects in a slab. Now
3729 * lets see if we can place a single object there.
3731 order = slab_order(size, 1, slub_max_order, 1);
3732 if (order <= slub_max_order)
3736 * Doh this slab cannot be placed using slub_max_order.
3738 order = slab_order(size, 1, MAX_ORDER, 1);
3739 if (order < MAX_ORDER)
3745 init_kmem_cache_node(struct kmem_cache_node *n)
3748 spin_lock_init(&n->list_lock);
3749 INIT_LIST_HEAD(&n->partial);
3750 #ifdef CONFIG_SLUB_DEBUG
3751 atomic_long_set(&n->nr_slabs, 0);
3752 atomic_long_set(&n->total_objects, 0);
3753 INIT_LIST_HEAD(&n->full);
3757 static inline int alloc_kmem_cache_cpus(struct kmem_cache *s)
3759 BUILD_BUG_ON(PERCPU_DYNAMIC_EARLY_SIZE <
3760 KMALLOC_SHIFT_HIGH * sizeof(struct kmem_cache_cpu));
3763 * Must align to double word boundary for the double cmpxchg
3764 * instructions to work; see __pcpu_double_call_return_bool().
3766 s->cpu_slab = __alloc_percpu(sizeof(struct kmem_cache_cpu),
3767 2 * sizeof(void *));
3772 init_kmem_cache_cpus(s);
3777 static struct kmem_cache *kmem_cache_node;
3780 * No kmalloc_node yet so do it by hand. We know that this is the first
3781 * slab on the node for this slabcache. There are no concurrent accesses
3784 * Note that this function only works on the kmem_cache_node
3785 * when allocating for the kmem_cache_node. This is used for bootstrapping
3786 * memory on a fresh node that has no slab structures yet.
3788 static void early_kmem_cache_node_alloc(int node)
3791 struct kmem_cache_node *n;
3793 BUG_ON(kmem_cache_node->size < sizeof(struct kmem_cache_node));
3795 page = new_slab(kmem_cache_node, GFP_NOWAIT, node);
3798 if (page_to_nid(page) != node) {
3799 pr_err("SLUB: Unable to allocate memory from node %d\n", node);
3800 pr_err("SLUB: Allocating a useless per node structure in order to be able to continue\n");
3805 #ifdef CONFIG_SLUB_DEBUG
3806 init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
3807 init_tracking(kmem_cache_node, n);
3809 n = kasan_slab_alloc(kmem_cache_node, n, GFP_KERNEL, false);
3810 page->freelist = get_freepointer(kmem_cache_node, n);
3813 kmem_cache_node->node[node] = n;
3814 init_kmem_cache_node(n);
3815 inc_slabs_node(kmem_cache_node, node, page->objects);
3818 * No locks need to be taken here as it has just been
3819 * initialized and there is no concurrent access.
3821 __add_partial(n, page, DEACTIVATE_TO_HEAD);
3824 static void free_kmem_cache_nodes(struct kmem_cache *s)
3827 struct kmem_cache_node *n;
3829 for_each_kmem_cache_node(s, node, n) {
3830 s->node[node] = NULL;
3831 kmem_cache_free(kmem_cache_node, n);
3835 void __kmem_cache_release(struct kmem_cache *s)
3837 cache_random_seq_destroy(s);
3838 free_percpu(s->cpu_slab);
3839 free_kmem_cache_nodes(s);
3842 static int init_kmem_cache_nodes(struct kmem_cache *s)
3846 for_each_node_mask(node, slab_nodes) {
3847 struct kmem_cache_node *n;
3849 if (slab_state == DOWN) {
3850 early_kmem_cache_node_alloc(node);
3853 n = kmem_cache_alloc_node(kmem_cache_node,
3857 free_kmem_cache_nodes(s);
3861 init_kmem_cache_node(n);
3867 static void set_min_partial(struct kmem_cache *s, unsigned long min)
3869 if (min < MIN_PARTIAL)
3871 else if (min > MAX_PARTIAL)
3873 s->min_partial = min;
3876 static void set_cpu_partial(struct kmem_cache *s)
3878 #ifdef CONFIG_SLUB_CPU_PARTIAL
3880 * cpu_partial determined the maximum number of objects kept in the
3881 * per cpu partial lists of a processor.
3883 * Per cpu partial lists mainly contain slabs that just have one
3884 * object freed. If they are used for allocation then they can be
3885 * filled up again with minimal effort. The slab will never hit the
3886 * per node partial lists and therefore no locking will be required.
3888 * This setting also determines
3890 * A) The number of objects from per cpu partial slabs dumped to the
3891 * per node list when we reach the limit.
3892 * B) The number of objects in cpu partial slabs to extract from the
3893 * per node list when we run out of per cpu objects. We only fetch
3894 * 50% to keep some capacity around for frees.
3896 if (!kmem_cache_has_cpu_partial(s))
3897 slub_set_cpu_partial(s, 0);
3898 else if (s->size >= PAGE_SIZE)
3899 slub_set_cpu_partial(s, 2);
3900 else if (s->size >= 1024)
3901 slub_set_cpu_partial(s, 6);
3902 else if (s->size >= 256)
3903 slub_set_cpu_partial(s, 13);
3905 slub_set_cpu_partial(s, 30);
3910 * calculate_sizes() determines the order and the distribution of data within
3913 static int calculate_sizes(struct kmem_cache *s, int forced_order)
3915 slab_flags_t flags = s->flags;
3916 unsigned int size = s->object_size;
3920 * Round up object size to the next word boundary. We can only
3921 * place the free pointer at word boundaries and this determines
3922 * the possible location of the free pointer.
3924 size = ALIGN(size, sizeof(void *));
3926 #ifdef CONFIG_SLUB_DEBUG
3928 * Determine if we can poison the object itself. If the user of
3929 * the slab may touch the object after free or before allocation
3930 * then we should never poison the object itself.
3932 if ((flags & SLAB_POISON) && !(flags & SLAB_TYPESAFE_BY_RCU) &&
3934 s->flags |= __OBJECT_POISON;
3936 s->flags &= ~__OBJECT_POISON;
3940 * If we are Redzoning then check if there is some space between the
3941 * end of the object and the free pointer. If not then add an
3942 * additional word to have some bytes to store Redzone information.
3944 if ((flags & SLAB_RED_ZONE) && size == s->object_size)
3945 size += sizeof(void *);
3949 * With that we have determined the number of bytes in actual use
3950 * by the object and redzoning.
3954 if ((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
3955 ((flags & SLAB_RED_ZONE) && s->object_size < sizeof(void *)) ||
3958 * Relocate free pointer after the object if it is not
3959 * permitted to overwrite the first word of the object on
3962 * This is the case if we do RCU, have a constructor or
3963 * destructor, are poisoning the objects, or are
3964 * redzoning an object smaller than sizeof(void *).
3966 * The assumption that s->offset >= s->inuse means free
3967 * pointer is outside of the object is used in the
3968 * freeptr_outside_object() function. If that is no
3969 * longer true, the function needs to be modified.
3972 size += sizeof(void *);
3975 * Store freelist pointer near middle of object to keep
3976 * it away from the edges of the object to avoid small
3977 * sized over/underflows from neighboring allocations.
3979 s->offset = ALIGN_DOWN(s->object_size / 2, sizeof(void *));
3982 #ifdef CONFIG_SLUB_DEBUG
3983 if (flags & SLAB_STORE_USER)
3985 * Need to store information about allocs and frees after
3988 size += 2 * sizeof(struct track);
3991 kasan_cache_create(s, &size, &s->flags);
3992 #ifdef CONFIG_SLUB_DEBUG
3993 if (flags & SLAB_RED_ZONE) {
3995 * Add some empty padding so that we can catch
3996 * overwrites from earlier objects rather than let
3997 * tracking information or the free pointer be
3998 * corrupted if a user writes before the start
4001 size += sizeof(void *);
4003 s->red_left_pad = sizeof(void *);
4004 s->red_left_pad = ALIGN(s->red_left_pad, s->align);
4005 size += s->red_left_pad;
4010 * SLUB stores one object immediately after another beginning from
4011 * offset 0. In order to align the objects we have to simply size
4012 * each object to conform to the alignment.
4014 size = ALIGN(size, s->align);
4016 s->reciprocal_size = reciprocal_value(size);
4017 if (forced_order >= 0)
4018 order = forced_order;
4020 order = calculate_order(size);
4027 s->allocflags |= __GFP_COMP;
4029 if (s->flags & SLAB_CACHE_DMA)
4030 s->allocflags |= GFP_DMA;
4032 if (s->flags & SLAB_CACHE_DMA32)
4033 s->allocflags |= GFP_DMA32;
4035 if (s->flags & SLAB_RECLAIM_ACCOUNT)
4036 s->allocflags |= __GFP_RECLAIMABLE;
4039 * Determine the number of objects per slab
4041 s->oo = oo_make(order, size);
4042 s->min = oo_make(get_order(size), size);
4043 if (oo_objects(s->oo) > oo_objects(s->max))
4046 return !!oo_objects(s->oo);
4049 static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
4051 s->flags = kmem_cache_flags(s->size, flags, s->name);
4052 #ifdef CONFIG_SLAB_FREELIST_HARDENED
4053 s->random = get_random_long();
4056 if (!calculate_sizes(s, -1))
4058 if (disable_higher_order_debug) {
4060 * Disable debugging flags that store metadata if the min slab
4063 if (get_order(s->size) > get_order(s->object_size)) {
4064 s->flags &= ~DEBUG_METADATA_FLAGS;
4066 if (!calculate_sizes(s, -1))
4071 #if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
4072 defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
4073 if (system_has_cmpxchg_double() && (s->flags & SLAB_NO_CMPXCHG) == 0)
4074 /* Enable fast mode */
4075 s->flags |= __CMPXCHG_DOUBLE;
4079 * The larger the object size is, the more pages we want on the partial
4080 * list to avoid pounding the page allocator excessively.
4082 set_min_partial(s, ilog2(s->size) / 2);
4087 s->remote_node_defrag_ratio = 1000;
4090 /* Initialize the pre-computed randomized freelist if slab is up */
4091 if (slab_state >= UP) {
4092 if (init_cache_random_seq(s))
4096 if (!init_kmem_cache_nodes(s))
4099 if (alloc_kmem_cache_cpus(s))
4102 free_kmem_cache_nodes(s);
4107 static void list_slab_objects(struct kmem_cache *s, struct page *page,
4110 #ifdef CONFIG_SLUB_DEBUG
4111 void *addr = page_address(page);
4112 unsigned long flags;
4116 slab_err(s, page, text, s->name);
4117 slab_lock(page, &flags);
4119 map = get_map(s, page);
4120 for_each_object(p, s, addr, page->objects) {
4122 if (!test_bit(__obj_to_index(s, addr, p), map)) {
4123 pr_err("Object 0x%p @offset=%tu\n", p, p - addr);
4124 print_tracking(s, p);
4128 slab_unlock(page, &flags);
4133 * Attempt to free all partial slabs on a node.
4134 * This is called from __kmem_cache_shutdown(). We must take list_lock
4135 * because sysfs file might still access partial list after the shutdowning.
4137 static void free_partial(struct kmem_cache *s, struct kmem_cache_node *n)
4140 struct page *page, *h;
4142 BUG_ON(irqs_disabled());
4143 spin_lock_irq(&n->list_lock);
4144 list_for_each_entry_safe(page, h, &n->partial, slab_list) {
4146 remove_partial(n, page);
4147 list_add(&page->slab_list, &discard);
4149 list_slab_objects(s, page,
4150 "Objects remaining in %s on __kmem_cache_shutdown()");
4153 spin_unlock_irq(&n->list_lock);
4155 list_for_each_entry_safe(page, h, &discard, slab_list)
4156 discard_slab(s, page);
4159 bool __kmem_cache_empty(struct kmem_cache *s)
4162 struct kmem_cache_node *n;
4164 for_each_kmem_cache_node(s, node, n)
4165 if (n->nr_partial || slabs_node(s, node))
4171 * Release all resources used by a slab cache.
4173 int __kmem_cache_shutdown(struct kmem_cache *s)
4176 struct kmem_cache_node *n;
4178 flush_all_cpus_locked(s);
4179 /* Attempt to free all objects */
4180 for_each_kmem_cache_node(s, node, n) {
4182 if (n->nr_partial || slabs_node(s, node))
4188 #ifdef CONFIG_PRINTK
4189 void kmem_obj_info(struct kmem_obj_info *kpp, void *object, struct page *page)
4192 int __maybe_unused i;
4196 struct kmem_cache *s = page->slab_cache;
4197 struct track __maybe_unused *trackp;
4199 kpp->kp_ptr = object;
4200 kpp->kp_page = page;
4201 kpp->kp_slab_cache = s;
4202 base = page_address(page);
4203 objp0 = kasan_reset_tag(object);
4204 #ifdef CONFIG_SLUB_DEBUG
4205 objp = restore_red_left(s, objp0);
4209 objnr = obj_to_index(s, page, objp);
4210 kpp->kp_data_offset = (unsigned long)((char *)objp0 - (char *)objp);
4211 objp = base + s->size * objnr;
4212 kpp->kp_objp = objp;
4213 if (WARN_ON_ONCE(objp < base || objp >= base + page->objects * s->size || (objp - base) % s->size) ||
4214 !(s->flags & SLAB_STORE_USER))
4216 #ifdef CONFIG_SLUB_DEBUG
4217 objp = fixup_red_left(s, objp);
4218 trackp = get_track(s, objp, TRACK_ALLOC);
4219 kpp->kp_ret = (void *)trackp->addr;
4220 #ifdef CONFIG_STACKTRACE
4221 for (i = 0; i < KS_ADDRS_COUNT && i < TRACK_ADDRS_COUNT; i++) {
4222 kpp->kp_stack[i] = (void *)trackp->addrs[i];
4223 if (!kpp->kp_stack[i])
4227 trackp = get_track(s, objp, TRACK_FREE);
4228 for (i = 0; i < KS_ADDRS_COUNT && i < TRACK_ADDRS_COUNT; i++) {
4229 kpp->kp_free_stack[i] = (void *)trackp->addrs[i];
4230 if (!kpp->kp_free_stack[i])
4238 /********************************************************************
4240 *******************************************************************/
4242 static int __init setup_slub_min_order(char *str)
4244 get_option(&str, (int *)&slub_min_order);
4249 __setup("slub_min_order=", setup_slub_min_order);
4251 static int __init setup_slub_max_order(char *str)
4253 get_option(&str, (int *)&slub_max_order);
4254 slub_max_order = min(slub_max_order, (unsigned int)MAX_ORDER - 1);
4259 __setup("slub_max_order=", setup_slub_max_order);
4261 static int __init setup_slub_min_objects(char *str)
4263 get_option(&str, (int *)&slub_min_objects);
4268 __setup("slub_min_objects=", setup_slub_min_objects);
4270 void *__kmalloc(size_t size, gfp_t flags)
4272 struct kmem_cache *s;
4275 if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
4276 return kmalloc_large(size, flags);
4278 s = kmalloc_slab(size, flags);
4280 if (unlikely(ZERO_OR_NULL_PTR(s)))
4283 ret = slab_alloc(s, flags, _RET_IP_, size);
4285 trace_kmalloc(_RET_IP_, ret, size, s->size, flags);
4287 ret = kasan_kmalloc(s, ret, size, flags);
4291 EXPORT_SYMBOL(__kmalloc);
4294 static void *kmalloc_large_node(size_t size, gfp_t flags, int node)
4298 unsigned int order = get_order(size);
4300 flags |= __GFP_COMP;
4301 page = alloc_pages_node(node, flags, order);
4303 ptr = page_address(page);
4304 mod_lruvec_page_state(page, NR_SLAB_UNRECLAIMABLE_B,
4305 PAGE_SIZE << order);
4308 return kmalloc_large_node_hook(ptr, size, flags);
4311 void *__kmalloc_node(size_t size, gfp_t flags, int node)
4313 struct kmem_cache *s;
4316 if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) {
4317 ret = kmalloc_large_node(size, flags, node);
4319 trace_kmalloc_node(_RET_IP_, ret,
4320 size, PAGE_SIZE << get_order(size),
4326 s = kmalloc_slab(size, flags);
4328 if (unlikely(ZERO_OR_NULL_PTR(s)))
4331 ret = slab_alloc_node(s, flags, node, _RET_IP_, size);
4333 trace_kmalloc_node(_RET_IP_, ret, size, s->size, flags, node);
4335 ret = kasan_kmalloc(s, ret, size, flags);
4339 EXPORT_SYMBOL(__kmalloc_node);
4340 #endif /* CONFIG_NUMA */
4342 #ifdef CONFIG_HARDENED_USERCOPY
4344 * Rejects incorrectly sized objects and objects that are to be copied
4345 * to/from userspace but do not fall entirely within the containing slab
4346 * cache's usercopy region.
4348 * Returns NULL if check passes, otherwise const char * to name of cache
4349 * to indicate an error.
4351 void __check_heap_object(const void *ptr, unsigned long n, struct page *page,
4354 struct kmem_cache *s;
4355 unsigned int offset;
4357 bool is_kfence = is_kfence_address(ptr);
4359 ptr = kasan_reset_tag(ptr);
4361 /* Find object and usable object size. */
4362 s = page->slab_cache;
4364 /* Reject impossible pointers. */
4365 if (ptr < page_address(page))
4366 usercopy_abort("SLUB object not in SLUB page?!", NULL,
4369 /* Find offset within object. */
4371 offset = ptr - kfence_object_start(ptr);
4373 offset = (ptr - page_address(page)) % s->size;
4375 /* Adjust for redzone and reject if within the redzone. */
4376 if (!is_kfence && kmem_cache_debug_flags(s, SLAB_RED_ZONE)) {
4377 if (offset < s->red_left_pad)
4378 usercopy_abort("SLUB object in left red zone",
4379 s->name, to_user, offset, n);
4380 offset -= s->red_left_pad;
4383 /* Allow address range falling entirely within usercopy region. */
4384 if (offset >= s->useroffset &&
4385 offset - s->useroffset <= s->usersize &&
4386 n <= s->useroffset - offset + s->usersize)
4390 * If the copy is still within the allocated object, produce
4391 * a warning instead of rejecting the copy. This is intended
4392 * to be a temporary method to find any missing usercopy
4395 object_size = slab_ksize(s);
4396 if (usercopy_fallback &&
4397 offset <= object_size && n <= object_size - offset) {
4398 usercopy_warn("SLUB object", s->name, to_user, offset, n);
4402 usercopy_abort("SLUB object", s->name, to_user, offset, n);
4404 #endif /* CONFIG_HARDENED_USERCOPY */
4406 size_t __ksize(const void *object)
4410 if (unlikely(object == ZERO_SIZE_PTR))
4413 page = virt_to_head_page(object);
4415 if (unlikely(!PageSlab(page))) {
4416 WARN_ON(!PageCompound(page));
4417 return page_size(page);
4420 return slab_ksize(page->slab_cache);
4422 EXPORT_SYMBOL(__ksize);
4424 void kfree(const void *x)
4427 void *object = (void *)x;
4429 trace_kfree(_RET_IP_, x);
4431 if (unlikely(ZERO_OR_NULL_PTR(x)))
4434 page = virt_to_head_page(x);
4435 if (unlikely(!PageSlab(page))) {
4436 free_nonslab_page(page, object);
4439 slab_free(page->slab_cache, page, object, NULL, 1, _RET_IP_);
4441 EXPORT_SYMBOL(kfree);
4443 #define SHRINK_PROMOTE_MAX 32
4446 * kmem_cache_shrink discards empty slabs and promotes the slabs filled
4447 * up most to the head of the partial lists. New allocations will then
4448 * fill those up and thus they can be removed from the partial lists.
4450 * The slabs with the least items are placed last. This results in them
4451 * being allocated from last increasing the chance that the last objects
4452 * are freed in them.
4454 static int __kmem_cache_do_shrink(struct kmem_cache *s)
4458 struct kmem_cache_node *n;
4461 struct list_head discard;
4462 struct list_head promote[SHRINK_PROMOTE_MAX];
4463 unsigned long flags;
4466 for_each_kmem_cache_node(s, node, n) {
4467 INIT_LIST_HEAD(&discard);
4468 for (i = 0; i < SHRINK_PROMOTE_MAX; i++)
4469 INIT_LIST_HEAD(promote + i);
4471 spin_lock_irqsave(&n->list_lock, flags);
4474 * Build lists of slabs to discard or promote.
4476 * Note that concurrent frees may occur while we hold the
4477 * list_lock. page->inuse here is the upper limit.
4479 list_for_each_entry_safe(page, t, &n->partial, slab_list) {
4480 int free = page->objects - page->inuse;
4482 /* Do not reread page->inuse */
4485 /* We do not keep full slabs on the list */
4488 if (free == page->objects) {
4489 list_move(&page->slab_list, &discard);
4491 } else if (free <= SHRINK_PROMOTE_MAX)
4492 list_move(&page->slab_list, promote + free - 1);
4496 * Promote the slabs filled up most to the head of the
4499 for (i = SHRINK_PROMOTE_MAX - 1; i >= 0; i--)
4500 list_splice(promote + i, &n->partial);
4502 spin_unlock_irqrestore(&n->list_lock, flags);
4504 /* Release empty slabs */
4505 list_for_each_entry_safe(page, t, &discard, slab_list)
4506 discard_slab(s, page);
4508 if (slabs_node(s, node))
4515 int __kmem_cache_shrink(struct kmem_cache *s)
4518 return __kmem_cache_do_shrink(s);
4521 static int slab_mem_going_offline_callback(void *arg)
4523 struct kmem_cache *s;
4525 mutex_lock(&slab_mutex);
4526 list_for_each_entry(s, &slab_caches, list) {
4527 flush_all_cpus_locked(s);
4528 __kmem_cache_do_shrink(s);
4530 mutex_unlock(&slab_mutex);
4535 static void slab_mem_offline_callback(void *arg)
4537 struct memory_notify *marg = arg;
4540 offline_node = marg->status_change_nid_normal;
4543 * If the node still has available memory. we need kmem_cache_node
4546 if (offline_node < 0)
4549 mutex_lock(&slab_mutex);
4550 node_clear(offline_node, slab_nodes);
4552 * We no longer free kmem_cache_node structures here, as it would be
4553 * racy with all get_node() users, and infeasible to protect them with
4556 mutex_unlock(&slab_mutex);
4559 static int slab_mem_going_online_callback(void *arg)
4561 struct kmem_cache_node *n;
4562 struct kmem_cache *s;
4563 struct memory_notify *marg = arg;
4564 int nid = marg->status_change_nid_normal;
4568 * If the node's memory is already available, then kmem_cache_node is
4569 * already created. Nothing to do.
4575 * We are bringing a node online. No memory is available yet. We must
4576 * allocate a kmem_cache_node structure in order to bring the node
4579 mutex_lock(&slab_mutex);
4580 list_for_each_entry(s, &slab_caches, list) {
4582 * The structure may already exist if the node was previously
4583 * onlined and offlined.
4585 if (get_node(s, nid))
4588 * XXX: kmem_cache_alloc_node will fallback to other nodes
4589 * since memory is not yet available from the node that
4592 n = kmem_cache_alloc(kmem_cache_node, GFP_KERNEL);
4597 init_kmem_cache_node(n);
4601 * Any cache created after this point will also have kmem_cache_node
4602 * initialized for the new node.
4604 node_set(nid, slab_nodes);
4606 mutex_unlock(&slab_mutex);
4610 static int slab_memory_callback(struct notifier_block *self,
4611 unsigned long action, void *arg)
4616 case MEM_GOING_ONLINE:
4617 ret = slab_mem_going_online_callback(arg);
4619 case MEM_GOING_OFFLINE:
4620 ret = slab_mem_going_offline_callback(arg);
4623 case MEM_CANCEL_ONLINE:
4624 slab_mem_offline_callback(arg);
4627 case MEM_CANCEL_OFFLINE:
4631 ret = notifier_from_errno(ret);
4637 static struct notifier_block slab_memory_callback_nb = {
4638 .notifier_call = slab_memory_callback,
4639 .priority = SLAB_CALLBACK_PRI,
4642 /********************************************************************
4643 * Basic setup of slabs
4644 *******************************************************************/
4647 * Used for early kmem_cache structures that were allocated using
4648 * the page allocator. Allocate them properly then fix up the pointers
4649 * that may be pointing to the wrong kmem_cache structure.
4652 static struct kmem_cache * __init bootstrap(struct kmem_cache *static_cache)
4655 struct kmem_cache *s = kmem_cache_zalloc(kmem_cache, GFP_NOWAIT);
4656 struct kmem_cache_node *n;
4658 memcpy(s, static_cache, kmem_cache->object_size);
4661 * This runs very early, and only the boot processor is supposed to be
4662 * up. Even if it weren't true, IRQs are not up so we couldn't fire
4665 __flush_cpu_slab(s, smp_processor_id());
4666 for_each_kmem_cache_node(s, node, n) {
4669 list_for_each_entry(p, &n->partial, slab_list)
4672 #ifdef CONFIG_SLUB_DEBUG
4673 list_for_each_entry(p, &n->full, slab_list)
4677 list_add(&s->list, &slab_caches);
4681 void __init kmem_cache_init(void)
4683 static __initdata struct kmem_cache boot_kmem_cache,
4684 boot_kmem_cache_node;
4687 if (debug_guardpage_minorder())
4690 /* Print slub debugging pointers without hashing */
4691 if (__slub_debug_enabled())
4692 no_hash_pointers_enable(NULL);
4694 kmem_cache_node = &boot_kmem_cache_node;
4695 kmem_cache = &boot_kmem_cache;
4698 * Initialize the nodemask for which we will allocate per node
4699 * structures. Here we don't need taking slab_mutex yet.
4701 for_each_node_state(node, N_NORMAL_MEMORY)
4702 node_set(node, slab_nodes);
4704 create_boot_cache(kmem_cache_node, "kmem_cache_node",
4705 sizeof(struct kmem_cache_node), SLAB_HWCACHE_ALIGN, 0, 0);
4707 register_hotmemory_notifier(&slab_memory_callback_nb);
4709 /* Able to allocate the per node structures */
4710 slab_state = PARTIAL;
4712 create_boot_cache(kmem_cache, "kmem_cache",
4713 offsetof(struct kmem_cache, node) +
4714 nr_node_ids * sizeof(struct kmem_cache_node *),
4715 SLAB_HWCACHE_ALIGN, 0, 0);
4717 kmem_cache = bootstrap(&boot_kmem_cache);
4718 kmem_cache_node = bootstrap(&boot_kmem_cache_node);
4720 /* Now we can use the kmem_cache to allocate kmalloc slabs */
4721 setup_kmalloc_cache_index_table();
4722 create_kmalloc_caches(0);
4724 /* Setup random freelists for each cache */
4725 init_freelist_randomization();
4727 cpuhp_setup_state_nocalls(CPUHP_SLUB_DEAD, "slub:dead", NULL,
4730 pr_info("SLUB: HWalign=%d, Order=%u-%u, MinObjects=%u, CPUs=%u, Nodes=%u\n",
4732 slub_min_order, slub_max_order, slub_min_objects,
4733 nr_cpu_ids, nr_node_ids);
4736 void __init kmem_cache_init_late(void)
4741 __kmem_cache_alias(const char *name, unsigned int size, unsigned int align,
4742 slab_flags_t flags, void (*ctor)(void *))
4744 struct kmem_cache *s;
4746 s = find_mergeable(size, align, flags, name, ctor);
4751 * Adjust the object sizes so that we clear
4752 * the complete object on kzalloc.
4754 s->object_size = max(s->object_size, size);
4755 s->inuse = max(s->inuse, ALIGN(size, sizeof(void *)));
4757 if (sysfs_slab_alias(s, name)) {
4766 int __kmem_cache_create(struct kmem_cache *s, slab_flags_t flags)
4770 err = kmem_cache_open(s, flags);
4774 /* Mutex is not taken during early boot */
4775 if (slab_state <= UP)
4778 err = sysfs_slab_add(s);
4780 __kmem_cache_release(s);
4782 if (s->flags & SLAB_STORE_USER)
4783 debugfs_slab_add(s);
4788 void *__kmalloc_track_caller(size_t size, gfp_t gfpflags, unsigned long caller)
4790 struct kmem_cache *s;
4793 if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
4794 return kmalloc_large(size, gfpflags);
4796 s = kmalloc_slab(size, gfpflags);
4798 if (unlikely(ZERO_OR_NULL_PTR(s)))
4801 ret = slab_alloc(s, gfpflags, caller, size);
4803 /* Honor the call site pointer we received. */
4804 trace_kmalloc(caller, ret, size, s->size, gfpflags);
4808 EXPORT_SYMBOL(__kmalloc_track_caller);
4811 void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags,
4812 int node, unsigned long caller)
4814 struct kmem_cache *s;
4817 if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) {
4818 ret = kmalloc_large_node(size, gfpflags, node);
4820 trace_kmalloc_node(caller, ret,
4821 size, PAGE_SIZE << get_order(size),
4827 s = kmalloc_slab(size, gfpflags);
4829 if (unlikely(ZERO_OR_NULL_PTR(s)))
4832 ret = slab_alloc_node(s, gfpflags, node, caller, size);
4834 /* Honor the call site pointer we received. */
4835 trace_kmalloc_node(caller, ret, size, s->size, gfpflags, node);
4839 EXPORT_SYMBOL(__kmalloc_node_track_caller);
4843 static int count_inuse(struct page *page)
4848 static int count_total(struct page *page)
4850 return page->objects;
4854 #ifdef CONFIG_SLUB_DEBUG
4855 static void validate_slab(struct kmem_cache *s, struct page *page,
4856 unsigned long *obj_map)
4859 void *addr = page_address(page);
4860 unsigned long flags;
4862 slab_lock(page, &flags);
4864 if (!check_slab(s, page) || !on_freelist(s, page, NULL))
4867 /* Now we know that a valid freelist exists */
4868 __fill_map(obj_map, s, page);
4869 for_each_object(p, s, addr, page->objects) {
4870 u8 val = test_bit(__obj_to_index(s, addr, p), obj_map) ?
4871 SLUB_RED_INACTIVE : SLUB_RED_ACTIVE;
4873 if (!check_object(s, page, p, val))
4877 slab_unlock(page, &flags);
4880 static int validate_slab_node(struct kmem_cache *s,
4881 struct kmem_cache_node *n, unsigned long *obj_map)
4883 unsigned long count = 0;
4885 unsigned long flags;
4887 spin_lock_irqsave(&n->list_lock, flags);
4889 list_for_each_entry(page, &n->partial, slab_list) {
4890 validate_slab(s, page, obj_map);
4893 if (count != n->nr_partial) {
4894 pr_err("SLUB %s: %ld partial slabs counted but counter=%ld\n",
4895 s->name, count, n->nr_partial);
4896 slab_add_kunit_errors();
4899 if (!(s->flags & SLAB_STORE_USER))
4902 list_for_each_entry(page, &n->full, slab_list) {
4903 validate_slab(s, page, obj_map);
4906 if (count != atomic_long_read(&n->nr_slabs)) {
4907 pr_err("SLUB: %s %ld slabs counted but counter=%ld\n",
4908 s->name, count, atomic_long_read(&n->nr_slabs));
4909 slab_add_kunit_errors();
4913 spin_unlock_irqrestore(&n->list_lock, flags);
4917 long validate_slab_cache(struct kmem_cache *s)
4920 unsigned long count = 0;
4921 struct kmem_cache_node *n;
4922 unsigned long *obj_map;
4924 obj_map = bitmap_alloc(oo_objects(s->oo), GFP_KERNEL);
4929 for_each_kmem_cache_node(s, node, n)
4930 count += validate_slab_node(s, n, obj_map);
4932 bitmap_free(obj_map);
4936 EXPORT_SYMBOL(validate_slab_cache);
4938 #ifdef CONFIG_DEBUG_FS
4940 * Generate lists of code addresses where slabcache objects are allocated
4945 unsigned long count;
4952 DECLARE_BITMAP(cpus, NR_CPUS);
4958 unsigned long count;
4959 struct location *loc;
4962 static struct dentry *slab_debugfs_root;
4964 static void free_loc_track(struct loc_track *t)
4967 free_pages((unsigned long)t->loc,
4968 get_order(sizeof(struct location) * t->max));
4971 static int alloc_loc_track(struct loc_track *t, unsigned long max, gfp_t flags)
4976 order = get_order(sizeof(struct location) * max);
4978 l = (void *)__get_free_pages(flags, order);
4983 memcpy(l, t->loc, sizeof(struct location) * t->count);
4991 static int add_location(struct loc_track *t, struct kmem_cache *s,
4992 const struct track *track)
4994 long start, end, pos;
4996 unsigned long caddr;
4997 unsigned long age = jiffies - track->when;
5003 pos = start + (end - start + 1) / 2;
5006 * There is nothing at "end". If we end up there
5007 * we need to add something to before end.
5012 caddr = t->loc[pos].addr;
5013 if (track->addr == caddr) {
5019 if (age < l->min_time)
5021 if (age > l->max_time)
5024 if (track->pid < l->min_pid)
5025 l->min_pid = track->pid;
5026 if (track->pid > l->max_pid)
5027 l->max_pid = track->pid;
5029 cpumask_set_cpu(track->cpu,
5030 to_cpumask(l->cpus));
5032 node_set(page_to_nid(virt_to_page(track)), l->nodes);
5036 if (track->addr < caddr)
5043 * Not found. Insert new tracking element.
5045 if (t->count >= t->max && !alloc_loc_track(t, 2 * t->max, GFP_ATOMIC))
5051 (t->count - pos) * sizeof(struct location));
5054 l->addr = track->addr;
5058 l->min_pid = track->pid;
5059 l->max_pid = track->pid;
5060 cpumask_clear(to_cpumask(l->cpus));
5061 cpumask_set_cpu(track->cpu, to_cpumask(l->cpus));
5062 nodes_clear(l->nodes);
5063 node_set(page_to_nid(virt_to_page(track)), l->nodes);
5067 static void process_slab(struct loc_track *t, struct kmem_cache *s,
5068 struct page *page, enum track_item alloc,
5069 unsigned long *obj_map)
5071 void *addr = page_address(page);
5074 __fill_map(obj_map, s, page);
5076 for_each_object(p, s, addr, page->objects)
5077 if (!test_bit(__obj_to_index(s, addr, p), obj_map))
5078 add_location(t, s, get_track(s, p, alloc));
5080 #endif /* CONFIG_DEBUG_FS */
5081 #endif /* CONFIG_SLUB_DEBUG */
5084 enum slab_stat_type {
5085 SL_ALL, /* All slabs */
5086 SL_PARTIAL, /* Only partially allocated slabs */
5087 SL_CPU, /* Only slabs used for cpu caches */
5088 SL_OBJECTS, /* Determine allocated objects not slabs */
5089 SL_TOTAL /* Determine object capacity not slabs */
5092 #define SO_ALL (1 << SL_ALL)
5093 #define SO_PARTIAL (1 << SL_PARTIAL)
5094 #define SO_CPU (1 << SL_CPU)
5095 #define SO_OBJECTS (1 << SL_OBJECTS)
5096 #define SO_TOTAL (1 << SL_TOTAL)
5098 static ssize_t show_slab_objects(struct kmem_cache *s,
5099 char *buf, unsigned long flags)
5101 unsigned long total = 0;
5104 unsigned long *nodes;
5107 nodes = kcalloc(nr_node_ids, sizeof(unsigned long), GFP_KERNEL);
5111 if (flags & SO_CPU) {
5114 for_each_possible_cpu(cpu) {
5115 struct kmem_cache_cpu *c = per_cpu_ptr(s->cpu_slab,
5120 page = READ_ONCE(c->page);
5124 node = page_to_nid(page);
5125 if (flags & SO_TOTAL)
5127 else if (flags & SO_OBJECTS)
5135 page = slub_percpu_partial_read_once(c);
5137 node = page_to_nid(page);
5138 if (flags & SO_TOTAL)
5140 else if (flags & SO_OBJECTS)
5151 * It is impossible to take "mem_hotplug_lock" here with "kernfs_mutex"
5152 * already held which will conflict with an existing lock order:
5154 * mem_hotplug_lock->slab_mutex->kernfs_mutex
5156 * We don't really need mem_hotplug_lock (to hold off
5157 * slab_mem_going_offline_callback) here because slab's memory hot
5158 * unplug code doesn't destroy the kmem_cache->node[] data.
5161 #ifdef CONFIG_SLUB_DEBUG
5162 if (flags & SO_ALL) {
5163 struct kmem_cache_node *n;
5165 for_each_kmem_cache_node(s, node, n) {
5167 if (flags & SO_TOTAL)
5168 x = atomic_long_read(&n->total_objects);
5169 else if (flags & SO_OBJECTS)
5170 x = atomic_long_read(&n->total_objects) -
5171 count_partial(n, count_free);
5173 x = atomic_long_read(&n->nr_slabs);
5180 if (flags & SO_PARTIAL) {
5181 struct kmem_cache_node *n;
5183 for_each_kmem_cache_node(s, node, n) {
5184 if (flags & SO_TOTAL)
5185 x = count_partial(n, count_total);
5186 else if (flags & SO_OBJECTS)
5187 x = count_partial(n, count_inuse);
5195 len += sysfs_emit_at(buf, len, "%lu", total);
5197 for (node = 0; node < nr_node_ids; node++) {
5199 len += sysfs_emit_at(buf, len, " N%d=%lu",
5203 len += sysfs_emit_at(buf, len, "\n");
5209 #define to_slab_attr(n) container_of(n, struct slab_attribute, attr)
5210 #define to_slab(n) container_of(n, struct kmem_cache, kobj)
5212 struct slab_attribute {
5213 struct attribute attr;
5214 ssize_t (*show)(struct kmem_cache *s, char *buf);
5215 ssize_t (*store)(struct kmem_cache *s, const char *x, size_t count);
5218 #define SLAB_ATTR_RO(_name) \
5219 static struct slab_attribute _name##_attr = \
5220 __ATTR(_name, 0400, _name##_show, NULL)
5222 #define SLAB_ATTR(_name) \
5223 static struct slab_attribute _name##_attr = \
5224 __ATTR(_name, 0600, _name##_show, _name##_store)
5226 static ssize_t slab_size_show(struct kmem_cache *s, char *buf)
5228 return sysfs_emit(buf, "%u\n", s->size);
5230 SLAB_ATTR_RO(slab_size);
5232 static ssize_t align_show(struct kmem_cache *s, char *buf)
5234 return sysfs_emit(buf, "%u\n", s->align);
5236 SLAB_ATTR_RO(align);
5238 static ssize_t object_size_show(struct kmem_cache *s, char *buf)
5240 return sysfs_emit(buf, "%u\n", s->object_size);
5242 SLAB_ATTR_RO(object_size);
5244 static ssize_t objs_per_slab_show(struct kmem_cache *s, char *buf)
5246 return sysfs_emit(buf, "%u\n", oo_objects(s->oo));
5248 SLAB_ATTR_RO(objs_per_slab);
5250 static ssize_t order_show(struct kmem_cache *s, char *buf)
5252 return sysfs_emit(buf, "%u\n", oo_order(s->oo));
5254 SLAB_ATTR_RO(order);
5256 static ssize_t min_partial_show(struct kmem_cache *s, char *buf)
5258 return sysfs_emit(buf, "%lu\n", s->min_partial);
5261 static ssize_t min_partial_store(struct kmem_cache *s, const char *buf,
5267 err = kstrtoul(buf, 10, &min);
5271 set_min_partial(s, min);
5274 SLAB_ATTR(min_partial);
5276 static ssize_t cpu_partial_show(struct kmem_cache *s, char *buf)
5278 return sysfs_emit(buf, "%u\n", slub_cpu_partial(s));
5281 static ssize_t cpu_partial_store(struct kmem_cache *s, const char *buf,
5284 unsigned int objects;
5287 err = kstrtouint(buf, 10, &objects);
5290 if (objects && !kmem_cache_has_cpu_partial(s))
5293 slub_set_cpu_partial(s, objects);
5297 SLAB_ATTR(cpu_partial);
5299 static ssize_t ctor_show(struct kmem_cache *s, char *buf)
5303 return sysfs_emit(buf, "%pS\n", s->ctor);
5307 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
5309 return sysfs_emit(buf, "%d\n", s->refcount < 0 ? 0 : s->refcount - 1);
5311 SLAB_ATTR_RO(aliases);
5313 static ssize_t partial_show(struct kmem_cache *s, char *buf)
5315 return show_slab_objects(s, buf, SO_PARTIAL);
5317 SLAB_ATTR_RO(partial);
5319 static ssize_t cpu_slabs_show(struct kmem_cache *s, char *buf)
5321 return show_slab_objects(s, buf, SO_CPU);
5323 SLAB_ATTR_RO(cpu_slabs);
5325 static ssize_t objects_show(struct kmem_cache *s, char *buf)
5327 return show_slab_objects(s, buf, SO_ALL|SO_OBJECTS);
5329 SLAB_ATTR_RO(objects);
5331 static ssize_t objects_partial_show(struct kmem_cache *s, char *buf)
5333 return show_slab_objects(s, buf, SO_PARTIAL|SO_OBJECTS);
5335 SLAB_ATTR_RO(objects_partial);
5337 static ssize_t slabs_cpu_partial_show(struct kmem_cache *s, char *buf)
5344 for_each_online_cpu(cpu) {
5347 page = slub_percpu_partial(per_cpu_ptr(s->cpu_slab, cpu));
5350 pages += page->pages;
5351 objects += page->pobjects;
5355 len += sysfs_emit_at(buf, len, "%d(%d)", objects, pages);
5358 for_each_online_cpu(cpu) {
5361 page = slub_percpu_partial(per_cpu_ptr(s->cpu_slab, cpu));
5363 len += sysfs_emit_at(buf, len, " C%d=%d(%d)",
5364 cpu, page->pobjects, page->pages);
5367 len += sysfs_emit_at(buf, len, "\n");
5371 SLAB_ATTR_RO(slabs_cpu_partial);
5373 static ssize_t reclaim_account_show(struct kmem_cache *s, char *buf)
5375 return sysfs_emit(buf, "%d\n", !!(s->flags & SLAB_RECLAIM_ACCOUNT));
5377 SLAB_ATTR_RO(reclaim_account);
5379 static ssize_t hwcache_align_show(struct kmem_cache *s, char *buf)
5381 return sysfs_emit(buf, "%d\n", !!(s->flags & SLAB_HWCACHE_ALIGN));
5383 SLAB_ATTR_RO(hwcache_align);
5385 #ifdef CONFIG_ZONE_DMA
5386 static ssize_t cache_dma_show(struct kmem_cache *s, char *buf)
5388 return sysfs_emit(buf, "%d\n", !!(s->flags & SLAB_CACHE_DMA));
5390 SLAB_ATTR_RO(cache_dma);
5393 static ssize_t usersize_show(struct kmem_cache *s, char *buf)
5395 return sysfs_emit(buf, "%u\n", s->usersize);
5397 SLAB_ATTR_RO(usersize);
5399 static ssize_t destroy_by_rcu_show(struct kmem_cache *s, char *buf)
5401 return sysfs_emit(buf, "%d\n", !!(s->flags & SLAB_TYPESAFE_BY_RCU));
5403 SLAB_ATTR_RO(destroy_by_rcu);
5405 #ifdef CONFIG_SLUB_DEBUG
5406 static ssize_t slabs_show(struct kmem_cache *s, char *buf)
5408 return show_slab_objects(s, buf, SO_ALL);
5410 SLAB_ATTR_RO(slabs);
5412 static ssize_t total_objects_show(struct kmem_cache *s, char *buf)
5414 return show_slab_objects(s, buf, SO_ALL|SO_TOTAL);
5416 SLAB_ATTR_RO(total_objects);
5418 static ssize_t sanity_checks_show(struct kmem_cache *s, char *buf)
5420 return sysfs_emit(buf, "%d\n", !!(s->flags & SLAB_CONSISTENCY_CHECKS));
5422 SLAB_ATTR_RO(sanity_checks);
5424 static ssize_t trace_show(struct kmem_cache *s, char *buf)
5426 return sysfs_emit(buf, "%d\n", !!(s->flags & SLAB_TRACE));
5428 SLAB_ATTR_RO(trace);
5430 static ssize_t red_zone_show(struct kmem_cache *s, char *buf)
5432 return sysfs_emit(buf, "%d\n", !!(s->flags & SLAB_RED_ZONE));
5435 SLAB_ATTR_RO(red_zone);
5437 static ssize_t poison_show(struct kmem_cache *s, char *buf)
5439 return sysfs_emit(buf, "%d\n", !!(s->flags & SLAB_POISON));
5442 SLAB_ATTR_RO(poison);
5444 static ssize_t store_user_show(struct kmem_cache *s, char *buf)
5446 return sysfs_emit(buf, "%d\n", !!(s->flags & SLAB_STORE_USER));
5449 SLAB_ATTR_RO(store_user);
5451 static ssize_t validate_show(struct kmem_cache *s, char *buf)
5456 static ssize_t validate_store(struct kmem_cache *s,
5457 const char *buf, size_t length)
5461 if (buf[0] == '1') {
5462 ret = validate_slab_cache(s);
5468 SLAB_ATTR(validate);
5470 #endif /* CONFIG_SLUB_DEBUG */
5472 #ifdef CONFIG_FAILSLAB
5473 static ssize_t failslab_show(struct kmem_cache *s, char *buf)
5475 return sysfs_emit(buf, "%d\n", !!(s->flags & SLAB_FAILSLAB));
5477 SLAB_ATTR_RO(failslab);
5480 static ssize_t shrink_show(struct kmem_cache *s, char *buf)
5485 static ssize_t shrink_store(struct kmem_cache *s,
5486 const char *buf, size_t length)
5489 kmem_cache_shrink(s);
5497 static ssize_t remote_node_defrag_ratio_show(struct kmem_cache *s, char *buf)
5499 return sysfs_emit(buf, "%u\n", s->remote_node_defrag_ratio / 10);
5502 static ssize_t remote_node_defrag_ratio_store(struct kmem_cache *s,
5503 const char *buf, size_t length)
5508 err = kstrtouint(buf, 10, &ratio);
5514 s->remote_node_defrag_ratio = ratio * 10;
5518 SLAB_ATTR(remote_node_defrag_ratio);
5521 #ifdef CONFIG_SLUB_STATS
5522 static int show_stat(struct kmem_cache *s, char *buf, enum stat_item si)
5524 unsigned long sum = 0;
5527 int *data = kmalloc_array(nr_cpu_ids, sizeof(int), GFP_KERNEL);
5532 for_each_online_cpu(cpu) {
5533 unsigned x = per_cpu_ptr(s->cpu_slab, cpu)->stat[si];
5539 len += sysfs_emit_at(buf, len, "%lu", sum);
5542 for_each_online_cpu(cpu) {
5544 len += sysfs_emit_at(buf, len, " C%d=%u",
5549 len += sysfs_emit_at(buf, len, "\n");
5554 static void clear_stat(struct kmem_cache *s, enum stat_item si)
5558 for_each_online_cpu(cpu)
5559 per_cpu_ptr(s->cpu_slab, cpu)->stat[si] = 0;
5562 #define STAT_ATTR(si, text) \
5563 static ssize_t text##_show(struct kmem_cache *s, char *buf) \
5565 return show_stat(s, buf, si); \
5567 static ssize_t text##_store(struct kmem_cache *s, \
5568 const char *buf, size_t length) \
5570 if (buf[0] != '0') \
5572 clear_stat(s, si); \
5577 STAT_ATTR(ALLOC_FASTPATH, alloc_fastpath);
5578 STAT_ATTR(ALLOC_SLOWPATH, alloc_slowpath);
5579 STAT_ATTR(FREE_FASTPATH, free_fastpath);
5580 STAT_ATTR(FREE_SLOWPATH, free_slowpath);
5581 STAT_ATTR(FREE_FROZEN, free_frozen);
5582 STAT_ATTR(FREE_ADD_PARTIAL, free_add_partial);
5583 STAT_ATTR(FREE_REMOVE_PARTIAL, free_remove_partial);
5584 STAT_ATTR(ALLOC_FROM_PARTIAL, alloc_from_partial);
5585 STAT_ATTR(ALLOC_SLAB, alloc_slab);
5586 STAT_ATTR(ALLOC_REFILL, alloc_refill);
5587 STAT_ATTR(ALLOC_NODE_MISMATCH, alloc_node_mismatch);
5588 STAT_ATTR(FREE_SLAB, free_slab);
5589 STAT_ATTR(CPUSLAB_FLUSH, cpuslab_flush);
5590 STAT_ATTR(DEACTIVATE_FULL, deactivate_full);
5591 STAT_ATTR(DEACTIVATE_EMPTY, deactivate_empty);
5592 STAT_ATTR(DEACTIVATE_TO_HEAD, deactivate_to_head);
5593 STAT_ATTR(DEACTIVATE_TO_TAIL, deactivate_to_tail);
5594 STAT_ATTR(DEACTIVATE_REMOTE_FREES, deactivate_remote_frees);
5595 STAT_ATTR(DEACTIVATE_BYPASS, deactivate_bypass);
5596 STAT_ATTR(ORDER_FALLBACK, order_fallback);
5597 STAT_ATTR(CMPXCHG_DOUBLE_CPU_FAIL, cmpxchg_double_cpu_fail);
5598 STAT_ATTR(CMPXCHG_DOUBLE_FAIL, cmpxchg_double_fail);
5599 STAT_ATTR(CPU_PARTIAL_ALLOC, cpu_partial_alloc);
5600 STAT_ATTR(CPU_PARTIAL_FREE, cpu_partial_free);
5601 STAT_ATTR(CPU_PARTIAL_NODE, cpu_partial_node);
5602 STAT_ATTR(CPU_PARTIAL_DRAIN, cpu_partial_drain);
5603 #endif /* CONFIG_SLUB_STATS */
5605 static struct attribute *slab_attrs[] = {
5606 &slab_size_attr.attr,
5607 &object_size_attr.attr,
5608 &objs_per_slab_attr.attr,
5610 &min_partial_attr.attr,
5611 &cpu_partial_attr.attr,
5613 &objects_partial_attr.attr,
5615 &cpu_slabs_attr.attr,
5619 &hwcache_align_attr.attr,
5620 &reclaim_account_attr.attr,
5621 &destroy_by_rcu_attr.attr,
5623 &slabs_cpu_partial_attr.attr,
5624 #ifdef CONFIG_SLUB_DEBUG
5625 &total_objects_attr.attr,
5627 &sanity_checks_attr.attr,
5629 &red_zone_attr.attr,
5631 &store_user_attr.attr,
5632 &validate_attr.attr,
5634 #ifdef CONFIG_ZONE_DMA
5635 &cache_dma_attr.attr,
5638 &remote_node_defrag_ratio_attr.attr,
5640 #ifdef CONFIG_SLUB_STATS
5641 &alloc_fastpath_attr.attr,
5642 &alloc_slowpath_attr.attr,
5643 &free_fastpath_attr.attr,
5644 &free_slowpath_attr.attr,
5645 &free_frozen_attr.attr,
5646 &free_add_partial_attr.attr,
5647 &free_remove_partial_attr.attr,
5648 &alloc_from_partial_attr.attr,
5649 &alloc_slab_attr.attr,
5650 &alloc_refill_attr.attr,
5651 &alloc_node_mismatch_attr.attr,
5652 &free_slab_attr.attr,
5653 &cpuslab_flush_attr.attr,
5654 &deactivate_full_attr.attr,
5655 &deactivate_empty_attr.attr,
5656 &deactivate_to_head_attr.attr,
5657 &deactivate_to_tail_attr.attr,
5658 &deactivate_remote_frees_attr.attr,
5659 &deactivate_bypass_attr.attr,
5660 &order_fallback_attr.attr,
5661 &cmpxchg_double_fail_attr.attr,
5662 &cmpxchg_double_cpu_fail_attr.attr,
5663 &cpu_partial_alloc_attr.attr,
5664 &cpu_partial_free_attr.attr,
5665 &cpu_partial_node_attr.attr,
5666 &cpu_partial_drain_attr.attr,
5668 #ifdef CONFIG_FAILSLAB
5669 &failslab_attr.attr,
5671 &usersize_attr.attr,
5676 static const struct attribute_group slab_attr_group = {
5677 .attrs = slab_attrs,
5680 static ssize_t slab_attr_show(struct kobject *kobj,
5681 struct attribute *attr,
5684 struct slab_attribute *attribute;
5685 struct kmem_cache *s;
5688 attribute = to_slab_attr(attr);
5691 if (!attribute->show)
5694 err = attribute->show(s, buf);
5699 static ssize_t slab_attr_store(struct kobject *kobj,
5700 struct attribute *attr,
5701 const char *buf, size_t len)
5703 struct slab_attribute *attribute;
5704 struct kmem_cache *s;
5707 attribute = to_slab_attr(attr);
5710 if (!attribute->store)
5713 err = attribute->store(s, buf, len);
5717 static void kmem_cache_release(struct kobject *k)
5719 slab_kmem_cache_release(to_slab(k));
5722 static const struct sysfs_ops slab_sysfs_ops = {
5723 .show = slab_attr_show,
5724 .store = slab_attr_store,
5727 static struct kobj_type slab_ktype = {
5728 .sysfs_ops = &slab_sysfs_ops,
5729 .release = kmem_cache_release,
5732 static struct kset *slab_kset;
5734 static inline struct kset *cache_kset(struct kmem_cache *s)
5739 #define ID_STR_LENGTH 64
5741 /* Create a unique string id for a slab cache:
5743 * Format :[flags-]size
5745 static char *create_unique_id(struct kmem_cache *s)
5747 char *name = kmalloc(ID_STR_LENGTH, GFP_KERNEL);
5754 * First flags affecting slabcache operations. We will only
5755 * get here for aliasable slabs so we do not need to support
5756 * too many flags. The flags here must cover all flags that
5757 * are matched during merging to guarantee that the id is
5760 if (s->flags & SLAB_CACHE_DMA)
5762 if (s->flags & SLAB_CACHE_DMA32)
5764 if (s->flags & SLAB_RECLAIM_ACCOUNT)
5766 if (s->flags & SLAB_CONSISTENCY_CHECKS)
5768 if (s->flags & SLAB_ACCOUNT)
5772 p += sprintf(p, "%07u", s->size);
5774 BUG_ON(p > name + ID_STR_LENGTH - 1);
5778 static int sysfs_slab_add(struct kmem_cache *s)
5782 struct kset *kset = cache_kset(s);
5783 int unmergeable = slab_unmergeable(s);
5786 kobject_init(&s->kobj, &slab_ktype);
5790 if (!unmergeable && disable_higher_order_debug &&
5791 (slub_debug & DEBUG_METADATA_FLAGS))
5796 * Slabcache can never be merged so we can use the name proper.
5797 * This is typically the case for debug situations. In that
5798 * case we can catch duplicate names easily.
5800 sysfs_remove_link(&slab_kset->kobj, s->name);
5804 * Create a unique name for the slab as a target
5807 name = create_unique_id(s);
5810 s->kobj.kset = kset;
5811 err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name);
5815 err = sysfs_create_group(&s->kobj, &slab_attr_group);
5820 /* Setup first alias */
5821 sysfs_slab_alias(s, s->name);
5828 kobject_del(&s->kobj);
5832 void sysfs_slab_unlink(struct kmem_cache *s)
5834 if (slab_state >= FULL)
5835 kobject_del(&s->kobj);
5838 void sysfs_slab_release(struct kmem_cache *s)
5840 if (slab_state >= FULL)
5841 kobject_put(&s->kobj);
5845 * Need to buffer aliases during bootup until sysfs becomes
5846 * available lest we lose that information.
5848 struct saved_alias {
5849 struct kmem_cache *s;
5851 struct saved_alias *next;
5854 static struct saved_alias *alias_list;
5856 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
5858 struct saved_alias *al;
5860 if (slab_state == FULL) {
5862 * If we have a leftover link then remove it.
5864 sysfs_remove_link(&slab_kset->kobj, name);
5865 return sysfs_create_link(&slab_kset->kobj, &s->kobj, name);
5868 al = kmalloc(sizeof(struct saved_alias), GFP_KERNEL);
5874 al->next = alias_list;
5879 static int __init slab_sysfs_init(void)
5881 struct kmem_cache *s;
5884 mutex_lock(&slab_mutex);
5886 slab_kset = kset_create_and_add("slab", NULL, kernel_kobj);
5888 mutex_unlock(&slab_mutex);
5889 pr_err("Cannot register slab subsystem.\n");
5895 list_for_each_entry(s, &slab_caches, list) {
5896 err = sysfs_slab_add(s);
5898 pr_err("SLUB: Unable to add boot slab %s to sysfs\n",
5902 while (alias_list) {
5903 struct saved_alias *al = alias_list;
5905 alias_list = alias_list->next;
5906 err = sysfs_slab_alias(al->s, al->name);
5908 pr_err("SLUB: Unable to add boot slab alias %s to sysfs\n",
5913 mutex_unlock(&slab_mutex);
5917 __initcall(slab_sysfs_init);
5918 #endif /* CONFIG_SYSFS */
5920 #if defined(CONFIG_SLUB_DEBUG) && defined(CONFIG_DEBUG_FS)
5921 static int slab_debugfs_show(struct seq_file *seq, void *v)
5925 unsigned int idx = *(unsigned int *)v;
5926 struct loc_track *t = seq->private;
5928 if (idx < t->count) {
5931 seq_printf(seq, "%7ld ", l->count);
5934 seq_printf(seq, "%pS", (void *)l->addr);
5936 seq_puts(seq, "<not-available>");
5938 if (l->sum_time != l->min_time) {
5939 seq_printf(seq, " age=%ld/%llu/%ld",
5940 l->min_time, div_u64(l->sum_time, l->count),
5943 seq_printf(seq, " age=%ld", l->min_time);
5945 if (l->min_pid != l->max_pid)
5946 seq_printf(seq, " pid=%ld-%ld", l->min_pid, l->max_pid);
5948 seq_printf(seq, " pid=%ld",
5951 if (num_online_cpus() > 1 && !cpumask_empty(to_cpumask(l->cpus)))
5952 seq_printf(seq, " cpus=%*pbl",
5953 cpumask_pr_args(to_cpumask(l->cpus)));
5955 if (nr_online_nodes > 1 && !nodes_empty(l->nodes))
5956 seq_printf(seq, " nodes=%*pbl",
5957 nodemask_pr_args(&l->nodes));
5959 seq_puts(seq, "\n");
5962 if (!idx && !t->count)
5963 seq_puts(seq, "No data\n");
5968 static void slab_debugfs_stop(struct seq_file *seq, void *v)
5972 static void *slab_debugfs_next(struct seq_file *seq, void *v, loff_t *ppos)
5974 struct loc_track *t = seq->private;
5978 if (*ppos <= t->count)
5984 static void *slab_debugfs_start(struct seq_file *seq, loff_t *ppos)
5989 static const struct seq_operations slab_debugfs_sops = {
5990 .start = slab_debugfs_start,
5991 .next = slab_debugfs_next,
5992 .stop = slab_debugfs_stop,
5993 .show = slab_debugfs_show,
5996 static int slab_debug_trace_open(struct inode *inode, struct file *filep)
5999 struct kmem_cache_node *n;
6000 enum track_item alloc;
6002 struct loc_track *t = __seq_open_private(filep, &slab_debugfs_sops,
6003 sizeof(struct loc_track));
6004 struct kmem_cache *s = file_inode(filep)->i_private;
6005 unsigned long *obj_map;
6007 obj_map = bitmap_alloc(oo_objects(s->oo), GFP_KERNEL);
6011 if (strcmp(filep->f_path.dentry->d_name.name, "alloc_traces") == 0)
6012 alloc = TRACK_ALLOC;
6016 if (!alloc_loc_track(t, PAGE_SIZE / sizeof(struct location), GFP_KERNEL)) {
6017 bitmap_free(obj_map);
6021 for_each_kmem_cache_node(s, node, n) {
6022 unsigned long flags;
6025 if (!atomic_long_read(&n->nr_slabs))
6028 spin_lock_irqsave(&n->list_lock, flags);
6029 list_for_each_entry(page, &n->partial, slab_list)
6030 process_slab(t, s, page, alloc, obj_map);
6031 list_for_each_entry(page, &n->full, slab_list)
6032 process_slab(t, s, page, alloc, obj_map);
6033 spin_unlock_irqrestore(&n->list_lock, flags);
6036 bitmap_free(obj_map);
6040 static int slab_debug_trace_release(struct inode *inode, struct file *file)
6042 struct seq_file *seq = file->private_data;
6043 struct loc_track *t = seq->private;
6046 return seq_release_private(inode, file);
6049 static const struct file_operations slab_debugfs_fops = {
6050 .open = slab_debug_trace_open,
6052 .llseek = seq_lseek,
6053 .release = slab_debug_trace_release,
6056 static void debugfs_slab_add(struct kmem_cache *s)
6058 struct dentry *slab_cache_dir;
6060 if (unlikely(!slab_debugfs_root))
6063 slab_cache_dir = debugfs_create_dir(s->name, slab_debugfs_root);
6065 debugfs_create_file("alloc_traces", 0400,
6066 slab_cache_dir, s, &slab_debugfs_fops);
6068 debugfs_create_file("free_traces", 0400,
6069 slab_cache_dir, s, &slab_debugfs_fops);
6072 void debugfs_slab_release(struct kmem_cache *s)
6074 debugfs_remove_recursive(debugfs_lookup(s->name, slab_debugfs_root));
6077 static int __init slab_debugfs_init(void)
6079 struct kmem_cache *s;
6081 slab_debugfs_root = debugfs_create_dir("slab", NULL);
6083 list_for_each_entry(s, &slab_caches, list)
6084 if (s->flags & SLAB_STORE_USER)
6085 debugfs_slab_add(s);
6090 __initcall(slab_debugfs_init);
6093 * The /proc/slabinfo ABI
6095 #ifdef CONFIG_SLUB_DEBUG
6096 void get_slabinfo(struct kmem_cache *s, struct slabinfo *sinfo)
6098 unsigned long nr_slabs = 0;
6099 unsigned long nr_objs = 0;
6100 unsigned long nr_free = 0;
6102 struct kmem_cache_node *n;
6104 for_each_kmem_cache_node(s, node, n) {
6105 nr_slabs += node_nr_slabs(n);
6106 nr_objs += node_nr_objs(n);
6107 nr_free += count_partial(n, count_free);
6110 sinfo->active_objs = nr_objs - nr_free;
6111 sinfo->num_objs = nr_objs;
6112 sinfo->active_slabs = nr_slabs;
6113 sinfo->num_slabs = nr_slabs;
6114 sinfo->objects_per_slab = oo_objects(s->oo);
6115 sinfo->cache_order = oo_order(s->oo);
6118 void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *s)
6122 ssize_t slabinfo_write(struct file *file, const char __user *buffer,
6123 size_t count, loff_t *ppos)
6127 #endif /* CONFIG_SLUB_DEBUG */
projects / platform / kernel / linux-starfive.git / blob