From: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Date: Fri, 18 Oct 2024 20:12:32 +0900
Subject: Re: [PATCH v4] mm/slub: Avoid list corruption when removing a slab from the full list
To: "yuan.gao"
Cc: cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, vbabka@suse.cz, roman.gushchin@linux.dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org

On Fri, Oct 18, 2024 at 3:45 PM yuan.gao wrote:
>
> Boot with slub_debug=UFPZ.
>
> If allocated object failed in alloc_consistency_checks, all objects of
> the slab will be marked as used, and then the slab will be removed from
> the partial list.
>
> When an object belonging to the slab got freed later, the remove_full()
> function is called. Because the slab is neither on the partial list nor
> on the full list, it eventually leads to a list corruption (actually a
> list poison being detected).
>
> So we need to mark and isolate the slab page with metadata corruption,
> do not put it back in circulation.
>
> Because the debug caches avoid all the fastpaths, reusing the frozen bit
> to mark slab page with metadata corruption seems to be fine.

Looks good to me,
Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>

> [ 4277.385669] list_del corruption, ffffea00044b3e50->next is LIST_POISON1 (dead000000000100)
> [ 4277.387023] ------------[ cut here ]------------
> [ 4277.387880] kernel BUG at lib/list_debug.c:56!
> [ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI
> [ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G OE 6.6.1-1 #1
> [ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs]
> [ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0
> [ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91
> [ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082
> [ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000
> [ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff
> [ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0
> [ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910
> [ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0
> [ 4277.404049] FS: 0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000
> [ 4277.405357] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0
> [ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 4277.410000] PKRU: 55555554
> [ 4277.410645] Call Trace:
> [ 4277.411234]
> [ 4277.411777] ? die+0x32/0x80
> [ 4277.412439] ? do_trap+0xd6/0x100
> [ 4277.413150] ? __list_del_entry_valid_or_report+0x7b/0xc0
> [ 4277.414158] ? do_error_trap+0x6a/0x90
> [ 4277.414948] ? __list_del_entry_valid_or_report+0x7b/0xc0
> [ 4277.415915] ? exc_invalid_op+0x4c/0x60
> [ 4277.416710] ? __list_del_entry_valid_or_report+0x7b/0xc0
> [ 4277.417675] ? asm_exc_invalid_op+0x16/0x20
> [ 4277.418482] ? __list_del_entry_valid_or_report+0x7b/0xc0
> [ 4277.419466] ? __list_del_entry_valid_or_report+0x7b/0xc0
> [ 4277.420410] free_to_partial_list+0x515/0x5e0
> [ 4277.421242] ? xfs_iext_remove+0x41a/0xa10 [xfs]
> [ 4277.422298] xfs_iext_remove+0x41a/0xa10 [xfs]
> [ 4277.423316] ? xfs_inodegc_worker+0xb4/0x1a0 [xfs]
> [ 4277.424383] xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs]
> [ 4277.425490] __xfs_bunmapi+0x50d/0x840 [xfs]
> [ 4277.426445] xfs_itruncate_extents_flags+0x13a/0x490 [xfs]
> [ 4277.427553] xfs_inactive_truncate+0xa3/0x120 [xfs]
> [ 4277.428567] xfs_inactive+0x22d/0x290 [xfs]
> [ 4277.429500] xfs_inodegc_worker+0xb4/0x1a0 [xfs]
> [ 4277.430479] process_one_work+0x171/0x340
> [ 4277.431227] worker_thread+0x277/0x390
> [ 4277.431962] ? __pfx_worker_thread+0x10/0x10
> [ 4277.432752] kthread+0xf0/0x120
> [ 4277.433382] ? __pfx_kthread+0x10/0x10
> [ 4277.434134] ret_from_fork+0x2d/0x50
> [ 4277.434837] ? __pfx_kthread+0x10/0x10
> [ 4277.435566] ret_from_fork_asm+0x1b/0x30
> [ 4277.436280]
>
> v4:
> - Rephrase wording.
> - Remove a useless add_full().
>
> v3:
> - Reuse slab->frozen bit as a corrupted marker.
> - https://lore.kernel.org/all/20241011102020.58087-1-yuan.gao@ucloud.cn/
>
> v2:
> - Call remove_partial() and add_full() only for slab folios.
> - https://lore.kernel.org/linux-mm/20241007091850.16959-1-yuan.gao@ucloud.cn/
>
> v1:
> - https://lore.kernel.org/linux-mm/20241006044755.79634-1-yuan.gao@ucloud.cn/
>
> Signed-off-by: yuan.gao
> Fixes: 643b113849d8 ("slub: enable tracking of full slabs")
> Suggested-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
> Suggested-by: Vlastimil Babka
> ---
> mm/slab.h | 5 +++++
> mm/slub.c | 9 ++++++++-
> 2 files changed, 13 insertions(+), 1 deletion(-)
> > diff --git a/mm/slab.h b/mm/slab.h > index 6c6fe6d630ce..8d7caf50ef96 100644 > --- a/mm/slab.h > +++ b/mm/slab.h > @@ -73,6 +73,11 @@ struct slab { > struct { > unsigned inuse:16= ; > unsigned objects:= 15; > + /* > + * If slab debugg= ing is enabled then the > + * frozen bi= t can be reused to indicate > + * that the = slab was corrupted > + */ > unsigned frozen:1= ; > }; > }; > diff --git a/mm/slub.c b/mm/slub.c > index 5b832512044e..15ba89fef89a 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -1423,6 +1423,11 @@ static int check_slab(struct kmem_cache *s, struct= slab *slab) > slab->inuse, slab->objects); > return 0; > } > + if (slab->frozen) { > + slab_err(s, slab, "Slab disabled since SLUB metadata cons= istency check failed"); > + return 0; > + } > + > /* Slab_pad_check fixes things up after itself */ > slab_pad_check(s, slab); > return 1; > @@ -1603,6 +1608,7 @@ static noinline bool alloc_debug_processing(struct = kmem_cache *s, > slab_fix(s, "Marking all objects used"); > slab->inuse =3D slab->objects; > slab->freelist =3D NULL; > + slab->frozen =3D 1; /* mark consistency-failed slab as fr= ozen */ > } > return false; > } > @@ -2744,7 +2750,8 @@ static void *alloc_single_from_partial(struct kmem_= cache *s, > slab->inuse++; > > if (!alloc_debug_processing(s, slab, object, orig_size)) { > - remove_partial(n, slab); > + if (folio_test_slab(slab_folio(slab))) > + remove_partial(n, slab); > return NULL; > } > > -- > 2.32.0 >
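
Review bot: in the mm/slab.h hunk, the new comment above `unsigned frozen:1;` says the bit "can be reused" when slab debugging is enabled, but not why that is safe or which code depends on it. The commit message gives the reason (debug caches avoid all the fastpaths), and the mm/slub.c hunks show the writer, alloc_debug_processing(), and the reader, check_slab(). Naming both in the comment would tell anyone touching the debug paths that a set frozen bit now makes check_slab() fail.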
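
Review bot: in check_slab(), the new `if (slab->frozen)` test is unconditional, so it is only correct as long as check_slab() is never reached for a slab that is frozen in the ordinary sense; a comment stating that assumption next to the test would make it checkable. The branch also calls slab_err() on every call, so a slab that was already reported when it was marked is reported again each time it is checked. Consider whether the repeated message is wanted or whether returning 0 quietly is enough here.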
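
Review bot: in alloc_debug_processing(), the trailing comment on `slab->frozen = 1;` ("mark consistency-failed slab as frozen") restates the assignment and uses the bit's old meaning. It would read better if it said what the bit means in this path, that the slab is corrupted and must stay out of circulation, matching the wording of the comment added in mm/slab.h.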
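
Review bot: in alloc_single_from_partial(), the new `if (folio_test_slab(slab_folio(slab)))` guard leaves the slab on the partial list when the test fails and still returns NULL, and nothing in the hunk says why that case is left alone. The changelog mentions the guard under v2, but the commit message body only describes the frozen marker. A one-line comment on when a slab taken from n->partial can fail folio_test_slab(), and why it is acceptable to leave it listed, would close the gap.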
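
The sequence the quoted commit message describes (slab removed from the partial list after a failed allocation check, then a later free trying to unlink it again), as an added userspace model that is not kernel code and not part of the patch. The names `toy_slab`, `free_object` and `scenario` are hypothetical, the poison constants are the base values without the architecture offset, and the free path assumes that a failed check_slab() means no list is touched.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed userspace model of the sequence; not kernel code. */
struct list_head { struct list_head *next, *prev; };
/* Poison base values; the trace above shows POISON1 with the x86-64 offset. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0x100)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0x122)

/* Modelled on the check in lib/list_debug.c: refuse to unlink a poisoned entry. */
static bool list_del_checked(struct list_head *e)
{
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return false;                 /* the kernel hits BUG() here */
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = LIST_POISON1;           /* entry is now on no list */
    e->prev = LIST_POISON2;
    return true;
}

struct toy_slab { struct list_head slab_list; unsigned frozen:1; };

/* Free path. Assumption: a failed check_slab() means no list is touched. */
static bool free_object(struct toy_slab *s)
{
    if (s->frozen)
        return true;                  /* patched: slab stays isolated */
    return list_del_checked(&s->slab_list);   /* remove_full() */
}

/* true = the later free completed without tripping the list check */
static bool scenario(bool patched)
{
    struct toy_slab s = { { 0, 0 }, 0 };
    struct list_head partial = { &s.slab_list, &s.slab_list };
    s.slab_list.next = s.slab_list.prev = &partial;  /* only entry on partial */
    list_del_checked(&s.slab_list);   /* remove_partial() after failed alloc check */
    s.frozen = patched;               /* the patch sets frozen = 1 at this point */
    return free_object(&s);
}

int main(void)
{
    return (!scenario(false) && scenario(true)) ? 0 : 1;
}
```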