Subject: Re: [PATCH] mm: slub: reinitialize random sequence cache on slab object update
To: vjitta@codeaurora.org
Cc: cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, vinmenon@codeaurora.org, kernel-team@android.com, Jann Horn
References: <1580379523-32272-1-git-send-email-vjitta@codeaurora.org> <1580383064-16536-1-git-send-email-vjitta@codeaurora.org>
From: Vlastimil Babka
Message-ID: <23b443b5-1748-28ed-7d8e-654115047b14@suse.cz>
Date: Thu, 5 Mar 2020 13:40:17 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/5/20 6:48 AM, vjitta@codeaurora.org
wrote:
> On 2020-02-27 22:23, Vlastimil Babka wrote:
>>
>> This is even more nasty as it doesn't seem to require that no objects
>> exist.
>> Also there is no synchronization against concurrent allocations/frees?
>> Gasp.
>
> Since, random sequence cache is only used to update the freelist in
> shuffle_freelist which is done only when a new slab is created in case if
> objects allocations are done without a need of new slab creation they will
> use the existing freelist which should be fine as object size doesn't
> change after order_store() and in case if a new slab is created we will
> get the updated freelist. So in both cases I think it should be fine.

I have some doubts. With reinit_cache_random_seq() for SLUB, s->random_seq will
in turn:

cache_random_seq_destroy()
  - point to an object that's been kfree'd
  - point to NULL
init_cache_random_seq()
  cache_random_seq_create()
    - point to freshly allocated zeroed out object
    freelist_randomize()
      - the object is gradually initialized
  - the indices are gradually transformed to page offsets

At any point of this, new slab can be allocated in parallel and observe
s->random_seq in shuffle_freelist(), and it's only ok if it's currently NULL.

Could it be fixed? In the reinit part you would need to
- atomically update a valid s->random_seq to another valid s->random_seq
  (perhaps with NULL in between which means some freelist won't be perhaps
  randomized)
- write barrier
- call calculate_sizes() with updated flags / new order, make sure all the
  fields of s-> are updated in a safe order and with write barriers (i.e.
  update s->oo and s->flags would be probably last, but maybe that's not all)
  so that anyone allocating a new slab will always get something valid
  (maybe that path would need also new read barriers?)

No, I don't think it's worth the trouble?
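
The "valid to valid" pointer update listed in the mail above, as an added userspace model in C11 atomics; it is not code from the mail, the patch or the kernel. All names (seq_snap, cache_model, snap_*, reader_sees_valid) are hypothetical, and keeping the object count in the same published object as the offsets is this example's own simplification of the "fields updated in a safe order" requirement. Deferred freeing of the old sequence is not modelled.

```c
/* Userspace model with C11 atomics; every name here is hypothetical. */
#include <stdatomic.h>
#include <stdlib.h>

/* Count and page offsets travel together behind one pointer. */
struct seq_snap { unsigned int count; unsigned int offs[]; };
struct cache_model { _Atomic(struct seq_snap *) random_seq; };

/* Zeroed allocation: the "freshly allocated zeroed out object" state. */
struct seq_snap *snap_alloc(unsigned int count)
{
    struct seq_snap *p = NULL;
    if (count >= 1 && count <= 64)    /* model limit: 64-bit map in reader */
        p = calloc(1, sizeof(*p) + count * sizeof(p->offs[0]));
    if (p) p->count = count;
    return p;
}

/* Finish initialization: shuffle indices, then scale them to offsets. */
void snap_fill(struct seq_snap *p, unsigned int size, unsigned int seed)
{
    for (unsigned int i = 0; i < p->count; i++) p->offs[i] = i;
    for (unsigned int i = p->count; i > 1; i--) {   /* Fisher-Yates, toy LCG */
        seed = seed * 1103515245u + 12345u;
        unsigned int j = (seed >> 16) % i, t = p->offs[i - 1];
        p->offs[i - 1] = p->offs[j];
        p->offs[j] = t;
    }
    for (unsigned int i = 0; i < p->count; i++) p->offs[i] *= size;
}

/* Writer: one atomic exchange; release ordering makes the filled contents
 * visible before the pointer. The old snapshot is returned, not freed. */
struct seq_snap *snap_publish(struct cache_model *s, struct seq_snap *n)
{
    return atomic_exchange_explicit(&s->random_seq, n, memory_order_acq_rel);
}

/* Reader (shuffle_freelist() side): 1 if NULL or a complete permutation. */
int reader_sees_valid(struct cache_model *s, unsigned int size)
{
    struct seq_snap *p = atomic_load_explicit(&s->random_seq, memory_order_acquire);
    unsigned long long seen = 0;
    for (unsigned int i = 0; p && i < p->count; i++) {
        unsigned int idx = p->offs[i] / size;
        if (p->offs[i] % size || idx >= p->count || ((seen >> idx) & 1))
            return 0;
        seen |= 1ULL << idx;
    }
    return 1;                         /* NULL means "not randomized", also fine */
}
```

Publishing the result of snap_alloc() before snap_fill() has run reproduces the window described in the mail: the reader sees a non-NULL sequence whose entries are all zero.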