From: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Date: Tue, 8 Oct 2024 00:03:00 +0900
Subject: Re: [PATCH v2] mm/slub: Avoid list corruption when removing a slab from the full list
To: Vlastimil Babka
Cc: "yuan.gao", cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, roman.gushchin@linux.dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org
References: <20241007091850.16959-1-yuan.gao@ucloud.cn>

On Mon, Oct 7, 2024 at 11:29 PM Vlastimil Babka wrote:
>
> On 10/7/24 11:18 AM, yuan.gao wrote:
> > boot with slub_debug=UFPZ.
> >
> > If allocated object failed in alloc_consistency_checks, all objects of
> > the slab will be marked as used, and then the slab will be removed from
> > the partial list.
> >
> > When an object belonging to the slab got freed later, the remove_full()
> > function is called. Because the slab is neither on the partial list nor
> > on the full list, it eventually lead to a list corruption.
> >
> > So we need to add the slab to full list in this case.
> >
> > [ 4277.385669] list_del corruption, ffffea00044b3e50->next is LIST_POISON1 (dead000000000100)
> > [ 4277.387023] ------------[ cut here ]------------
> > [ 4277.387880] kernel BUG at lib/list_debug.c:56!
> > [ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI
> > [ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G OE 6.6.1-1 #1
> > [ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs]
> > [ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0
> > [ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91
> > [ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082
> > [ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000
> > [ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff
> > [ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0
> > [ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910
> > [ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0
> > [ 4277.404049] FS: 0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000
> > [ 4277.405357] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0
> > [ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > [ 4277.410000] PKRU: 55555554
> > [ 4277.410645] Call Trace:
> > [ 4277.411234]
> > [ 4277.411777] ? die+0x32/0x80
> > [ 4277.412439] ? do_trap+0xd6/0x100
> > [ 4277.413150] ? __list_del_entry_valid_or_report+0x7b/0xc0
> > [ 4277.414158] ? do_error_trap+0x6a/0x90
> > [ 4277.414948] ? __list_del_entry_valid_or_report+0x7b/0xc0
> > [ 4277.415915] ? exc_invalid_op+0x4c/0x60
> > [ 4277.416710] ? __list_del_entry_valid_or_report+0x7b/0xc0
> > [ 4277.417675] ? asm_exc_invalid_op+0x16/0x20
> > [ 4277.418482] ? __list_del_entry_valid_or_report+0x7b/0xc0
> > [ 4277.419466] ? __list_del_entry_valid_or_report+0x7b/0xc0
> > [ 4277.420410] free_to_partial_list+0x515/0x5e0
> > [ 4277.421242] ? xfs_iext_remove+0x41a/0xa10 [xfs]
> > [ 4277.422298] xfs_iext_remove+0x41a/0xa10 [xfs]
> > [ 4277.423316] ? xfs_inodegc_worker+0xb4/0x1a0 [xfs]
> > [ 4277.424383] xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs]
> > [ 4277.425490] __xfs_bunmapi+0x50d/0x840 [xfs]
> > [ 4277.426445] xfs_itruncate_extents_flags+0x13a/0x490 [xfs]
> > [ 4277.427553] xfs_inactive_truncate+0xa3/0x120 [xfs]
> > [ 4277.428567] xfs_inactive+0x22d/0x290 [xfs]
> > [ 4277.429500] xfs_inodegc_worker+0xb4/0x1a0 [xfs]
> > [ 4277.430479] process_one_work+0x171/0x340
> > [ 4277.431227] worker_thread+0x277/0x390
> > [ 4277.431962] ? __pfx_worker_thread+0x10/0x10
> > [ 4277.432752] kthread+0xf0/0x120
> > [ 4277.433382] ? __pfx_kthread+0x10/0x10
> > [ 4277.434134] ret_from_fork+0x2d/0x50
> > [ 4277.434837] ? __pfx_kthread+0x10/0x10
> > [ 4277.435566] ret_from_fork_asm+0x1b/0x30
> > [ 4277.436280]
> >
> > v2:
> > * Call remove_partial() and add_full() only for slab folios.
> >
> > v1:
> > https://lore.kernel.org/linux-mm/20241006044755.79634-1-yuan.gao@ucloud.cn/
> >
> > Signed-off-by: yuan.gao
>
> Is it possible to determine which commit introduced this issue, for a
> stable cc?

By code inspection I suspect it's around when SLUB was first introduced in 2007,
more specifically commit 643b113849d8 ("slub: enable tracking of full slabs").
Even v2.6 kernels do not seem to handle this case correctly.

> Also in addition to what Hyeonggon proposed, we should perhaps mark
> these consistency-failed slabs in a way that further freeing of objects
> in them will also not actually free anything, and thus not move the
> slab back from full to partial list for further reuse.

Yeah I was thinking of that too. If that is feasible, Yuan, you may use
one bit from (in mm/slab.h) struct slab's 'inuse' field and change it to 15 bits
to mark consistency-failed slabs.

IIUC 'inuse' doesn't have to be 16 bits and 'objects' is already 15 bits,
so I think it should be fine.

> Right now the
> (understandable) attempt to not use the corrupted slab further is only
> partially successful.

Best,
Hyeonggon

> > --- > > mm/slub.c | 5 ++++- > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > diff --git a/mm/slub.c b/mm/slub.c > > index 21f71cb6cc06..2992388c00f4 100644 > > --- a/mm/slub.c > > +++ b/mm/slub.c > > @@ -2745,7 +2745,10 @@ static void *alloc_single_from_partial(struct km= em_cache *s, > > slab->inuse++; > > > > if (!alloc_debug_processing(s, slab, object, orig_size)) { > > - remove_partial(n, slab); > > + if (folio_test_slab(slab_folio(slab))) { > > + remove_partial(n, slab); > > + add_full(s, n, slab); > > + } > > return NULL; > > } > >
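
Review bot: the new `if (folio_test_slab(slab_folio(slab)))` guard in the `!alloc_debug_processing()` branch of alloc_single_from_partial() carries no comment saying when a slab taken from the partial list would fail that test, and the only explanation is the one-line v2 changelog entry. A short comment above the `if` stating why non-slab folios must skip both `remove_partial()` and `add_full()`, and that the slab is parked on the full list so a later `remove_full()` on free finds it on a list, would make the branch self-explanatory. As raised in the thread, moving the slab to the full list does not by itself stop a later free from putting it back on the partial list, so the comment should not claim the slab is retired.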
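
The failure described in the quoted commit message, as an added user-space C model that is not code from the thread or from the kernel: a slab removed from the partial list and left on no list trips the list check on the next delete, while parking it on the full list does not. The helper names (`list_del_checked`, `alloc_check_failed`, `free_after_failure`) are hypothetical, the poison constants omit the kernel's pointer delta, and the `folio_test_slab()` guard is left out.

```c
#include <stdio.h>
/* Constructed model: kernel names appear only in comments, bodies are simplified. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

struct list_head { struct list_head *next, *prev; };
struct slab { struct list_head slab_list; };
struct node { struct list_head partial, full; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *e, struct list_head *h)
{
    e->next = h->next; e->prev = h;
    h->next->prev = e; h->next = e;
}

/* Checked delete: returns -1 where the kernel's list debugging would BUG(). */
static int list_del_checked(struct list_head *e)
{
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return -1;                            /* entry is on no list */
    e->next->prev = e->prev; e->prev->next = e->next;
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
    return 0;
}

/* Failed consistency check on allocation; `fixed` selects the patched path. */
static void alloc_check_failed(struct node *n, struct slab *s, int fixed)
{
    list_del_checked(&s->slab_list);          /* remove_partial() */
    if (fixed)
        list_add(&s->slab_list, &n->full);    /* add_full() */
}

/* A later free of an object in that slab ends up in remove_full(). */
static int free_after_failure(int fixed)
{
    struct node n; struct slab s;
    list_init(&n.partial); list_init(&n.full);
    list_add(&s.slab_list, &n.partial);       /* slab starts on the partial list */
    alloc_check_failed(&n, &s, fixed);
    return list_del_checked(&s.slab_list);    /* remove_full() */
}

int main(void)
{
    printf("before patch: %d, after patch: %d\n",
           free_after_failure(0), free_after_failure(1));
    return 0;
}
```

A return of -1 corresponds to the `list_del corruption ... ->next is LIST_POISON1` report in the quoted trace.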