Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1131804imu; Tue, 20 Nov 2018 12:13:23 -0800 (PST) X-Google-Smtp-Source: AJdET5ckjqoNh0NP44RezrpkMMCkPUAKx8plWNHcNQcPQ25rnoN/uNNMb52bOiOPFXEqQFpPsSMg X-Received: by 2002:a62:5e83:: with SMTP id s125-v6mr3615534pfb.232.1542744803776; Tue, 20 Nov 2018 12:13:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542744803; cv=none; d=google.com; s=arc-20160816; b=xVdHgN1zHZ+6KbJYaPPuzk+LBYePlTi9FNalS7E914jQKrjXpRg/enMpxoW9C4hRTP FQK7iU6gwdeTm55rRXTzw4sYClg/JpD3AMjmsG/iqijmBMG7OIMfkadAaHzwqF1v8g5g MFto/BBYn4hN2IN61xXXBBV1MgRLDPG9vVe8joEIwfbD3M/sedkUIX9fHio8pQNrJT27 xAf5Y/lvUL21LNyMkfRG5fU/9sduWhOnQWtDq/T7P/FM0uamDGmQTgdBeyT1NGTHq04R IRvk/Sv3JX4QaVs0g7OYhpdSYecqnb0oLwhYxpGHaOHiY+IeHffkbcasjK0cC9OwvcAs D2Vg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:organization:from:references:cc:to:subject :dkim-signature; bh=+FleD2jvplUQTK4dXnc9yuaVF9SlYpamG9qgytQMyDY=; b=IchBzxQ/lb7BIsCKsbxSF/TuAaUTIiPCS/xYug67ANy0thshazApTxlApXVvsQPdCC rODxcD3B1nKYQ1Nt3U3SjPtwkMfoGsz4vY0nHVW5Z+QwC7gyKLkMBZdkEXiCNnlwsH3X qPzE/JdiHPiXSBJSF4VMKvhGkytU+haD4cQPIZkKCQs1nfUqbRkdVmw8xotNIJodUsLb upRi/K4aHxn2Lp+SmClkdZ7amOwrPBuYW2isxvHmNOJBOXh/XKng2TzNd5A4bhyqz4iO ZoHTWz9jN9PJ0UYu9gqgpnfCgimK/roETuYDYRFV1Rp8DhhNd+GNh1BnOFb9T47kZa0K Anfg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=Xjc3wQtB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i13si17823324pgg.100.2018.11.20.12.13.07; Tue, 20 Nov 2018 12:13:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=Xjc3wQtB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728291AbeKUEla (ORCPT + 99 others); Tue, 20 Nov 2018 23:41:30 -0500 Received: from userp2130.oracle.com ([156.151.31.86]:47782 "EHLO userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726136AbeKUEla (ORCPT ); Tue, 20 Nov 2018 23:41:30 -0500 Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wAKI41an173962; Tue, 20 Nov 2018 18:10:42 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=+FleD2jvplUQTK4dXnc9yuaVF9SlYpamG9qgytQMyDY=; b=Xjc3wQtB0u4lTRh1dAyn2wyYvVGLBqK8a5qEEh6GBpbBIKIzBTsSRDuP/uryWkokfKvs URxOUGkH4oVRCWo2SolahgW2bYdjIhaFKL/p5adwwRhLD3RssTMVvYfa+K3Ltupk5lEY M0VZncZwuCloFSd02wC7pLDLEQSoxfBl8nxnk1+WNIYqxA7IkNbkDEZNIrxhreMcljwz DCdgZhJbklL44s7iIR/lze2I03RN8jfvhyvUlIK6/bdR8GUqhxIWiJjWfEO5olYL2/8x nywF1ZMWoOkuxzXCqYjEZ3nTehsroqd56wQC4BBJ5oOu7ycF3IKIvjDfvgh9NKnMNESJ 3g== Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp2130.oracle.com with ESMTP id 2ntadtwg9h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Nov 2018 18:10:42 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id wAKIAZuo015246 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Nov 2018 18:10:35 GMT Received: from abhmp0004.oracle.com (abhmp0004.oracle.com [141.146.116.10]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id wAKIAXRC029232; Tue, 20 Nov 2018 18:10:34 GMT Received: from [10.159.138.59] (/10.159.138.59) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 20 Nov 2018 10:10:33 -0800 Subject: Re: [PATCH] mm: use this_cpu_cmpxchg_double in put_cpu_partial To: zhong jiang Cc: cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org References: <20181117013335.32220-1-wen.gang.wang@oracle.com> <5BF36EE9.9090808@huawei.com> From: Wengang Wang Organization: Oracle Corporation Message-ID: <86571591-473f-0d05-58c8-ba5e592cc551@oracle.com> Date: Tue, 20 Nov 2018 10:10:31 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <5BF36EE9.9090808@huawei.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9083 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=2 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1811200160 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Zhong, On 2018/11/19 18:18, zhong jiang wrote: > On 2018/11/17 9:33, Wengang Wang wrote: >> The this_cpu_cmpxchg makes the do-while loop pass as long as the >> s->cpu_slab->partial as the same value. It doesn't care what happened to >> that slab. Interrupt is not disabled, and new alloc/free can happen in the >> interrupt handlers. Theoretically, after we have a reference to the it, >> stored in _oldpage_, the first slab on the partial list on this CPU can be >> moved to kmem_cache_node and then moved to different kmem_cache_cpu and >> then somehow can be added back as head to partial list of current >> kmem_cache_cpu, though that is a very rare case. If that rare case really >> happened, the reading of oldpage->pobjects may get a 0xdead0000 >> unexpectedly, stored in _pobjects_, if the reading happens just after >> another CPU removed the slab from kmem_cache_node, setting lru.prev to >> LIST_POISON2 (0xdead000000000200). The wrong _pobjects_(negative) then >> prevents slabs from being moved to kmem_cache_node and being finally freed. >> >> We see in a vmcore, there are 375210 slabs kept in the partial list of one >> kmem_cache_cpu, but only 305 in-use objects in the same list for >> kmalloc-2048 cache. We see negative values for page.pobjects, the last page >> with negative _pobjects_ has the value of 0xdead0004, the next page looks >> good (_pobjects is 1). >> >> For the fix, I wanted to call this_cpu_cmpxchg_double with >> oldpage->pobjects, but failed due to size difference between >> oldpage->pobjects and cpu_slab->partial. So I changed to call >> this_cpu_cmpxchg_double with _tid_. I don't really want no alloc/free >> happen in between, but just want to make sure the first slab did expereince >> a remove and re-add. This patch is more to call for ideas. > Have you hit the really issue or just review the code ? Yup, I hit the real issue. The root cause is out by reviewing the code. > I did hit the issue and fixed in the upstream patch unpredictably by the following patch. > e5d9998f3e09 ("slub: make ->cpu_partial unsigned int") I am not sure if the patch you mentioned intended to fix the problem here. With that patch the negative page->pobjects would become a large positive value, it will win the compare with s->cpu_partial and go ahead to unfreeze the partial slabs. Though it may be not a perfect fix for this issue, it really fixes (or workarounds) the issue here. I'd like to skip my patch.. thanks, wengang > Thanks, > zhong jiang >> Signed-off-by: Wengang Wang >> --- >> mm/slub.c | 20 +++++++++++++++++--- >> 1 file changed, 17 insertions(+), 3 deletions(-) >> >> diff --git a/mm/slub.c b/mm/slub.c >> index e3629cd..26539e6 100644 >> --- a/mm/slub.c >> +++ b/mm/slub.c >> @@ -2248,6 +2248,7 @@ static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain) >> { >> #ifdef CONFIG_SLUB_CPU_PARTIAL >> struct page *oldpage; >> + unsigned long tid; >> int pages; >> int pobjects; >> >> @@ -2255,8 +2256,12 @@ static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain) >> do { >> pages = 0; >> pobjects = 0; >> - oldpage = this_cpu_read(s->cpu_slab->partial); >> >> + tid = this_cpu_read(s->cpu_slab->tid); >> + /* read tid before reading oldpage */ >> + barrier(); >> + >> + oldpage = this_cpu_read(s->cpu_slab->partial); >> if (oldpage) { >> pobjects = oldpage->pobjects; >> pages = oldpage->pages; >> @@ -2283,8 +2288,17 @@ static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain) >> page->pobjects = pobjects; >> page->next = oldpage; >> >> - } while (this_cpu_cmpxchg(s->cpu_slab->partial, oldpage, page) >> - != oldpage); >> + /* we dont' change tid, but want to make sure it didn't change >> + * in between. We don't really hope alloc/free not happen on >> + * this CPU, but don't want the first slab be removed from and >> + * then re-added as head to this partial list. If that case >> + * happened, pobjects may read 0xdead0000 when this slab is just >> + * removed from kmem_cache_node by other CPU setting lru.prev >> + * to LIST_POISON2. >> + */ >> + } while (this_cpu_cmpxchg_double(s->cpu_slab->partial, s->cpu_slab->tid, >> + oldpage, tid, page, tid) == 0); >> + >> if (unlikely(!s->cpu_partial)) { >> unsigned long flags; >> >