From: "yuan.gao"
To: cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, vbabka@suse.cz, roman.gushchin@linux.dev, 42.hyeyoo@gmail.com
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, yuan.gao@ucloud.cn
Subject: [PATCH v4] mm/slub: Avoid list corruption when removing a slab from the full list
Date: Fri, 18 Oct 2024 14:44:35 +0800
Message-Id: <20241018064435.7695-1-yuan.gao@ucloud.cn>
X-Patchwork-Id: 13841252

Boot with slub_debug=UFPZ.

If allocated object failed in alloc_consistency_checks, all objects of the slab will be marked as used, and then the slab will be removed from the partial list.

When an object belonging to the slab got freed later, the remove_full() function is called. Because the slab is neither on the partial list nor on the full list, it eventually leads to a list corruption (actually a list poison being detected).

So we need to mark and isolate the slab page with metadata corruption, do not put it back in circulation.

Because the debug caches avoid all the fastpaths, reusing the frozen bit to mark slab page with metadata corruption seems to be fine.

[ 4277.385669] list_del corruption, ffffea00044b3e50->next is LIST_POISON1 (dead000000000100)
[ 4277.387023] ------------[ cut here ]------------
[ 4277.387880] kernel BUG at lib/list_debug.c:56!
[ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G OE 6.6.1-1 #1
[ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs]
[ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91
[ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082
[ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000
[ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff
[ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0
[ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910
[ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0
[ 4277.404049] FS: 0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000
[ 4277.405357] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0
[ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4277.410000] PKRU: 55555554
[ 4277.410645] Call Trace:
[ 4277.411234]
[ 4277.411777] ? die+0x32/0x80
[ 4277.412439] ? do_trap+0xd6/0x100
[ 4277.413150] ? __list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.414158] ? do_error_trap+0x6a/0x90
[ 4277.414948] ? __list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.415915] ? exc_invalid_op+0x4c/0x60
[ 4277.416710] ? __list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.417675] ? asm_exc_invalid_op+0x16/0x20
[ 4277.418482] ? __list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.419466] ? __list_del_entry_valid_or_report+0x7b/0xc0
[ 4277.420410] free_to_partial_list+0x515/0x5e0
[ 4277.421242] ? xfs_iext_remove+0x41a/0xa10 [xfs]
[ 4277.422298] xfs_iext_remove+0x41a/0xa10 [xfs]
[ 4277.423316] ? xfs_inodegc_worker+0xb4/0x1a0 [xfs]
[ 4277.424383] xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs]
[ 4277.425490] __xfs_bunmapi+0x50d/0x840 [xfs]
[ 4277.426445] xfs_itruncate_extents_flags+0x13a/0x490 [xfs]
[ 4277.427553] xfs_inactive_truncate+0xa3/0x120 [xfs]
[ 4277.428567] xfs_inactive+0x22d/0x290 [xfs]
[ 4277.429500] xfs_inodegc_worker+0xb4/0x1a0 [xfs]
[ 4277.430479] process_one_work+0x171/0x340
[ 4277.431227] worker_thread+0x277/0x390
[ 4277.431962] ? __pfx_worker_thread+0x10/0x10
[ 4277.432752] kthread+0xf0/0x120
[ 4277.433382] ? __pfx_kthread+0x10/0x10
[ 4277.434134] ret_from_fork+0x2d/0x50
[ 4277.434837] ? __pfx_kthread+0x10/0x10
[ 4277.435566] ret_from_fork_asm+0x1b/0x30
[ 4277.436280]

v4:
 - Rephrase wording.
 - Remove a useless add_full().

v3:
 - Reuse slab->frozen bit as a corrupted marker.
 - https://lore.kernel.org/all/20241011102020.58087-1-yuan.gao@ucloud.cn/

v2:
 - Call remove_partial() and add_full() only for slab folios.
 - https://lore.kernel.org/linux-mm/20241007091850.16959-1-yuan.gao@ucloud.cn/

v1:
 - https://lore.kernel.org/linux-mm/20241006044755.79634-1-yuan.gao@ucloud.cn/

Signed-off-by: yuan.gao
Fixes: 643b113849d8 ("slub: enable tracking of full slabs")
Suggested-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Suggested-by: Vlastimil Babka
Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
--- mm/slab.h | 5 +++++ mm/slub.c | 9 ++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/mm/slab.h b/mm/slab.h index 6c6fe6d630ce..8d7caf50ef96 100644 --- a/mm/slab.h +++ b/mm/slab.h
@@ -73,6 +73,11 @@ struct slab { struct { unsigned inuse:16; unsigned objects:15; + /* + * If slab debugging is enabled then the + * frozen bit can be reused to indicate + * that the slab was corrupted + */ unsigned frozen:1; }; }; diff --git a/mm/slub.c b/mm/slub.c index 5b832512044e..15ba89fef89a 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1423,6 +1423,11 @@ static int check_slab(struct kmem_cache *s, struct slab *slab) slab->inuse, slab->objects); return 0; } + if (slab->frozen) { + slab_err(s, slab, "Slab disabled since SLUB metadata consistency check failed"); + return 0; + } + /* Slab_pad_check fixes things up after itself */ slab_pad_check(s, slab); return 1; @@ -1603,6 +1608,7 @@ static noinline bool alloc_debug_processing(struct kmem_cache *s, slab_fix(s, "Marking all objects used"); slab->inuse = slab->objects; slab->freelist = NULL; + slab->frozen = 1; /* mark consistency-failed slab as frozen */ } return false; } @@ -2744,7 +2750,8 @@ static void *alloc_single_from_partial(struct kmem_cache *s, slab->inuse++; if (!alloc_debug_processing(s, slab, object, orig_size)) { - remove_partial(n, slab); + if (folio_test_slab(slab_folio(slab))) + remove_partial(n, slab); return NULL; }
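
Review bot: In the mm/slab.h hunk, the new comment above "unsigned frozen:1;" says the bit can be reused but names neither the code that sets it nor the code that reads it. Since the field now carries two meanings, the comment should say that alloc_debug_processing() sets it and check_slab() rejects the slab, and should give the reason the overlap is safe, which the commit message states (debug caches avoid all the fastpaths) but the code does not. The comment is also missing its final period.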
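
Review bot: In the check_slab() hunk, the added "if (slab->frozen)" test is unconditional, while the comment added in mm/slab.h limits the reuse of the bit to the case where slab debugging is enabled. Either state next to the test that check_slab() is only reached for debug caches, or guard the test, so that a slab frozen in the ordinary sense can never be reported as corrupted. slab_err() also runs on every call for an isolated slab, so the same report repeats for each later operation on it; please say whether that repetition is intended.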
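
Review bot: In the alloc_debug_processing() hunk, the trailing comment on "slab->frozen = 1;" only restates the assignment. It would be more useful to say what the bit achieves at this point, namely that check_slab() refuses the slab from now on, and to consider extending the slab_fix() message just above, which still reads only "Marking all objects used".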
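
Review bot: In the alloc_single_from_partial() hunk, the new "if (folio_test_slab(slab_folio(slab)))" guard has no comment explaining when a slab taken from the partial list would fail that test. When it does fail, the function returns NULL with the slab still on the partial list and after "slab->inuse++" has already run, so please state what keeps the next allocation from picking the same slab again, or handle that case explicitly.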
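
The failure the commit message describes, reduced to a user-space C model; this is an added example, not kernel code and not part of the patch. The names alloc_check_failed(), free_object(), simulate() and the with_fix flag are hypothetical, the free path is simplified, and the poison constants omit the kernel's POISON_POINTER_DELTA.

```c
#include <stdbool.h>

/* Constructed user-space model of the scenario; not kernel code. */
struct list_head { struct list_head *next, *prev; };
/* The kernel adds POISON_POINTER_DELTA, hence dead000000000100 in the log. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)
struct slab { struct list_head slab_list; unsigned inuse, objects, frozen; };
enum free_result { FREE_OK, FREE_REJECTED, FREE_LIST_CORRUPTION };

static void list_add(struct list_head *e, struct list_head *head) {
    e->next = head->next; e->prev = head;
    head->next->prev = e; head->next = e;
}

/* Models the list_del validity check: an already unlinked entry is refused. */
static bool list_del_checked(struct list_head *e) {
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return false;
    e->next->prev = e->prev; e->prev->next = e->next;
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
    return true;
}

/* Allocation-time check failed: all objects marked used, slab leaves partial. */
static void alloc_check_failed(struct slab *s, bool with_fix) {
    s->inuse = s->objects;
    if (with_fix)
        s->frozen = 1;                  /* the marker the patch adds */
    list_del_checked(&s->slab_list);    /* stands in for remove_partial() */
}

/* A later free of an object that belongs to that slab. */
static enum free_result free_object(struct slab *s) {
    if (s->frozen)
        return FREE_REJECTED;           /* check_slab() fails, lists untouched */
    if (s->inuse == s->objects && !list_del_checked(&s->slab_list))
        return FREE_LIST_CORRUPTION;    /* remove_full() on a slab on no list */
    s->inuse--;
    return FREE_OK;
}

enum free_result simulate(bool with_fix) {
    struct list_head partial = { &partial, &partial };
    struct slab s = { .inuse = 3, .objects = 8 };
    list_add(&s.slab_list, &partial);
    alloc_check_failed(&s, with_fix);
    return free_object(&s);
}

int main(void) { return simulate(false) != FREE_LIST_CORRUPTION || simulate(true) != FREE_REJECTED; }
```

Without the marker the second unlink hits the poisoned pointers, which is the condition lib/list_debug.c reports in the log above; with it, the free is rejected before any list is touched.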