2 * SLUB: A slab allocator that limits cache line use instead of queuing
3 * objects in per cpu and per node lists.
5 * The allocator synchronizes using per slab locks or atomic operatios
6 * and only uses a centralized lock to manage a pool of partial slabs.
8 * (C) 2007 SGI, Christoph Lameter
9 * (C) 2011 Linux Foundation, Christoph Lameter
13 #include <linux/swap.h> /* struct reclaim_state */
14 #include <linux/module.h>
15 #include <linux/bit_spinlock.h>
16 #include <linux/interrupt.h>
17 #include <linux/bitops.h>
18 #include <linux/slab.h>
20 #include <linux/proc_fs.h>
21 #include <linux/notifier.h>
22 #include <linux/seq_file.h>
23 #include <linux/kasan.h>
24 #include <linux/kmemcheck.h>
25 #include <linux/cpu.h>
26 #include <linux/cpuset.h>
27 #include <linux/mempolicy.h>
28 #include <linux/ctype.h>
29 #include <linux/debugobjects.h>
30 #include <linux/kallsyms.h>
31 #include <linux/memory.h>
32 #include <linux/math64.h>
33 #include <linux/fault-inject.h>
34 #include <linux/stacktrace.h>
35 #include <linux/prefetch.h>
36 #include <linux/memcontrol.h>
38 #include <trace/events/kmem.h>
44 * 1. slab_mutex (Global Mutex)
46 * 3. slab_lock(page) (Only on some arches and for debugging)
50 * The role of the slab_mutex is to protect the list of all the slabs
51 * and to synchronize major metadata changes to slab cache structures.
53 * The slab_lock is only used for debugging and on arches that do not
54 * have the ability to do a cmpxchg_double. It only protects the second
55 * double word in the page struct. Meaning
56 * A. page->freelist -> List of object free in a page
57 * B. page->counters -> Counters of objects
58 * C. page->frozen -> frozen state
60 * If a slab is frozen then it is exempt from list management. It is not
61 * on any list. The processor that froze the slab is the one who can
62 * perform list operations on the page. Other processors may put objects
63 * onto the freelist but the processor that froze the slab is the only
64 * one that can retrieve the objects from the page's freelist.
66 * The list_lock protects the partial and full list on each node and
67 * the partial slab counter. If taken then no new slabs may be added or
68 * removed from the lists nor make the number of partial slabs be modified.
69 * (Note that the total number of slabs is an atomic value that may be
70 * modified without taking the list lock).
72 * The list_lock is a centralized lock and thus we avoid taking it as
73 * much as possible. As long as SLUB does not have to handle partial
74 * slabs, operations can continue without any centralized lock. F.e.
75 * allocating a long series of objects that fill up slabs does not require
77 * Interrupts are disabled during allocation and deallocation in order to
78 * make the slab allocator safe to use in the context of an irq. In addition
79 * interrupts are disabled to ensure that the processor does not change
80 * while handling per_cpu slabs, due to kernel preemption.
82 * SLUB assigns one slab for allocation to each processor.
83 * Allocations only occur from these slabs called cpu slabs.
85 * Slabs with free elements are kept on a partial list and during regular
86 * operations no list for full slabs is used. If an object in a full slab is
87 * freed then the slab will show up again on the partial lists.
88 * We track full slabs for debugging purposes though because otherwise we
89 * cannot scan all objects.
91 * Slabs are freed when they become empty. Teardown and setup is
92 * minimal so we rely on the page allocators per cpu caches for
93 * fast frees and allocs.
95 * Overloading of page flags that are otherwise used for LRU management.
97 * PageActive The slab is frozen and exempt from list processing.
98 * This means that the slab is dedicated to a purpose
99 * such as satisfying allocations for a specific
100 * processor. Objects may be freed in the slab while
101 * it is frozen but slab_free will then skip the usual
102 * list operations. It is up to the processor holding
103 * the slab to integrate the slab into the slab lists
104 * when the slab is no longer needed.
106 * One use of this flag is to mark slabs that are
107 * used for allocations. Then such a slab becomes a cpu
108 * slab. The cpu slab may be equipped with an additional
109 * freelist that allows lockless access to
110 * free objects in addition to the regular freelist
111 * that requires the slab lock.
113 * PageError Slab requires special handling due to debug
114 * options set. This moves slab handling out of
115 * the fast path and disables lockless freelists.
118 static inline int kmem_cache_debug(struct kmem_cache *s)
120 #ifdef CONFIG_SLUB_DEBUG
121 return unlikely(s->flags & SLAB_DEBUG_FLAGS);
127 static inline bool kmem_cache_has_cpu_partial(struct kmem_cache *s)
129 #ifdef CONFIG_SLUB_CPU_PARTIAL
130 return !kmem_cache_debug(s);
137 * Issues still to be resolved:
139 * - Support PAGE_ALLOC_DEBUG. Should be easy to do.
141 * - Variable sizing of the per node arrays
144 /* Enable to test recovery from slab corruption on boot */
145 #undef SLUB_RESILIENCY_TEST
147 /* Enable to log cmpxchg failures */
148 #undef SLUB_DEBUG_CMPXCHG
151 * Mininum number of partial slabs. These will be left on the partial
152 * lists even if they are empty. kmem_cache_shrink may reclaim them.
154 #define MIN_PARTIAL 5
157 * Maximum number of desirable partial slabs.
158 * The existence of more partial slabs makes kmem_cache_shrink
159 * sort the partial list by the number of objects in use.
161 #define MAX_PARTIAL 10
163 #define DEBUG_DEFAULT_FLAGS (SLAB_CONSISTENCY_CHECKS | SLAB_RED_ZONE | \
164 SLAB_POISON | SLAB_STORE_USER)
167 * Debugging flags that require metadata to be stored in the slab. These get
168 * disabled when slub_debug=O is used and a cache's min order increases with
171 #define DEBUG_METADATA_FLAGS (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER)
174 #define OO_MASK ((1 << OO_SHIFT) - 1)
175 #define MAX_OBJS_PER_PAGE 32767 /* since page.objects is u15 */
177 /* Internal SLUB flags */
178 #define __OBJECT_POISON 0x80000000UL /* Poison object */
179 #define __CMPXCHG_DOUBLE 0x40000000UL /* Use cmpxchg_double */
182 static struct notifier_block slab_notifier;
186 * Tracking user of a slab.
188 #define TRACK_ADDRS_COUNT 16
190 unsigned long addr; /* Called from address */
191 #ifdef CONFIG_STACKTRACE
192 unsigned long addrs[TRACK_ADDRS_COUNT]; /* Called from address */
194 int cpu; /* Was running on cpu */
195 int pid; /* Pid context */
196 unsigned long when; /* When did the operation occur */
199 enum track_item { TRACK_ALLOC, TRACK_FREE };
202 static int sysfs_slab_add(struct kmem_cache *);
203 static int sysfs_slab_alias(struct kmem_cache *, const char *);
204 static void memcg_propagate_slab_attrs(struct kmem_cache *s);
206 static inline int sysfs_slab_add(struct kmem_cache *s) { return 0; }
207 static inline int sysfs_slab_alias(struct kmem_cache *s, const char *p)
209 static inline void memcg_propagate_slab_attrs(struct kmem_cache *s) { }
212 static inline void stat(const struct kmem_cache *s, enum stat_item si)
214 #ifdef CONFIG_SLUB_STATS
216 * The rmw is racy on a preemptible kernel but this is acceptable, so
217 * avoid this_cpu_add()'s irq-disable overhead.
219 raw_cpu_inc(s->cpu_slab->stat[si]);
223 /********************************************************************
224 * Core slab cache functions
225 *******************************************************************/
227 /* Verify that a pointer has an address that is valid within a slab page */
228 static inline int check_valid_pointer(struct kmem_cache *s,
229 struct page *page, const void *object)
236 base = page_address(page);
237 if (object < base || object >= base + page->objects * s->size ||
238 (object - base) % s->size) {
245 static inline void *get_freepointer(struct kmem_cache *s, void *object)
247 return *(void **)(object + s->offset);
250 static void prefetch_freepointer(const struct kmem_cache *s, void *object)
252 prefetch(object + s->offset);
255 static inline void *get_freepointer_safe(struct kmem_cache *s, void *object)
259 #ifdef CONFIG_DEBUG_PAGEALLOC
260 probe_kernel_read(&p, (void **)(object + s->offset), sizeof(p));
262 p = get_freepointer(s, object);
267 static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)
269 *(void **)(object + s->offset) = fp;
272 /* Loop over all objects in a slab */
273 #define for_each_object(__p, __s, __addr, __objects) \
274 for (__p = (__addr); __p < (__addr) + (__objects) * (__s)->size;\
277 #define for_each_object_idx(__p, __idx, __s, __addr, __objects) \
278 for (__p = (__addr), __idx = 1; __idx <= __objects;\
279 __p += (__s)->size, __idx++)
281 /* Determine object index from a given position */
282 static inline int slab_index(void *p, struct kmem_cache *s, void *addr)
284 return (p - addr) / s->size;
287 static inline int order_objects(int order, unsigned long size, int reserved)
289 return ((PAGE_SIZE << order) - reserved) / size;
292 static inline struct kmem_cache_order_objects oo_make(int order,
293 unsigned long size, int reserved)
295 struct kmem_cache_order_objects x = {
296 (order << OO_SHIFT) + order_objects(order, size, reserved)
302 static inline int oo_order(struct kmem_cache_order_objects x)
304 return x.x >> OO_SHIFT;
307 static inline int oo_objects(struct kmem_cache_order_objects x)
309 return x.x & OO_MASK;
313 * Per slab locking using the pagelock
315 static __always_inline void slab_lock(struct page *page)
317 VM_BUG_ON_PAGE(PageTail(page), page);
318 bit_spin_lock(PG_locked, &page->flags);
321 static __always_inline void slab_unlock(struct page *page)
323 VM_BUG_ON_PAGE(PageTail(page), page);
324 __bit_spin_unlock(PG_locked, &page->flags);
327 static inline void set_page_slub_counters(struct page *page, unsigned long counters_new)
330 tmp.counters = counters_new;
332 * page->counters can cover frozen/inuse/objects as well
333 * as page->_count. If we assign to ->counters directly
334 * we run the risk of losing updates to page->_count, so
335 * be careful and only assign to the fields we need.
337 page->frozen = tmp.frozen;
338 page->inuse = tmp.inuse;
339 page->objects = tmp.objects;
342 /* Interrupts must be disabled (for the fallback code to work right) */
343 static inline bool __cmpxchg_double_slab(struct kmem_cache *s, struct page *page,
344 void *freelist_old, unsigned long counters_old,
345 void *freelist_new, unsigned long counters_new,
348 VM_BUG_ON(!irqs_disabled());
349 #if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
350 defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
351 if (s->flags & __CMPXCHG_DOUBLE) {
352 if (cmpxchg_double(&page->freelist, &page->counters,
353 freelist_old, counters_old,
354 freelist_new, counters_new))
360 if (page->freelist == freelist_old &&
361 page->counters == counters_old) {
362 page->freelist = freelist_new;
363 set_page_slub_counters(page, counters_new);
371 stat(s, CMPXCHG_DOUBLE_FAIL);
373 #ifdef SLUB_DEBUG_CMPXCHG
374 pr_info("%s %s: cmpxchg double redo ", n, s->name);
380 static inline bool cmpxchg_double_slab(struct kmem_cache *s, struct page *page,
381 void *freelist_old, unsigned long counters_old,
382 void *freelist_new, unsigned long counters_new,
385 #if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
386 defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
387 if (s->flags & __CMPXCHG_DOUBLE) {
388 if (cmpxchg_double(&page->freelist, &page->counters,
389 freelist_old, counters_old,
390 freelist_new, counters_new))
397 local_irq_save(flags);
399 if (page->freelist == freelist_old &&
400 page->counters == counters_old) {
401 page->freelist = freelist_new;
402 set_page_slub_counters(page, counters_new);
404 local_irq_restore(flags);
408 local_irq_restore(flags);
412 stat(s, CMPXCHG_DOUBLE_FAIL);
414 #ifdef SLUB_DEBUG_CMPXCHG
415 pr_info("%s %s: cmpxchg double redo ", n, s->name);
421 #ifdef CONFIG_SLUB_DEBUG
423 * Determine a map of object in use on a page.
425 * Node listlock must be held to guarantee that the page does
426 * not vanish from under us.
428 static void get_map(struct kmem_cache *s, struct page *page, unsigned long *map)
431 void *addr = page_address(page);
433 for (p = page->freelist; p; p = get_freepointer(s, p))
434 set_bit(slab_index(p, s, addr), map);
440 #if defined(CONFIG_SLUB_DEBUG_ON)
441 static int slub_debug = DEBUG_DEFAULT_FLAGS;
442 #elif defined(CONFIG_KASAN)
443 static int slub_debug = SLAB_STORE_USER;
445 static int slub_debug;
448 static char *slub_debug_slabs;
449 static int disable_higher_order_debug;
452 * slub is about to manipulate internal object metadata. This memory lies
453 * outside the range of the allocated object, so accessing it would normally
454 * be reported by kasan as a bounds error. metadata_access_enable() is used
455 * to tell kasan that these accesses are OK.
457 static inline void metadata_access_enable(void)
459 kasan_disable_current();
462 static inline void metadata_access_disable(void)
464 kasan_enable_current();
470 static void print_section(char *text, u8 *addr, unsigned int length)
472 metadata_access_enable();
473 print_hex_dump(KERN_ERR, text, DUMP_PREFIX_ADDRESS, 16, 1, addr,
475 metadata_access_disable();
478 static struct track *get_track(struct kmem_cache *s, void *object,
479 enum track_item alloc)
484 p = object + s->offset + sizeof(void *);
486 p = object + s->inuse;
491 static void set_track(struct kmem_cache *s, void *object,
492 enum track_item alloc, unsigned long addr)
494 struct track *p = get_track(s, object, alloc);
497 #ifdef CONFIG_STACKTRACE
498 struct stack_trace trace;
501 trace.nr_entries = 0;
502 trace.max_entries = TRACK_ADDRS_COUNT;
503 trace.entries = p->addrs;
505 metadata_access_enable();
506 save_stack_trace(&trace);
507 metadata_access_disable();
509 /* See rant in lockdep.c */
510 if (trace.nr_entries != 0 &&
511 trace.entries[trace.nr_entries - 1] == ULONG_MAX)
514 for (i = trace.nr_entries; i < TRACK_ADDRS_COUNT; i++)
518 p->cpu = smp_processor_id();
519 p->pid = current->pid;
522 memset(p, 0, sizeof(struct track));
525 static void init_tracking(struct kmem_cache *s, void *object)
527 if (!(s->flags & SLAB_STORE_USER))
530 set_track(s, object, TRACK_FREE, 0UL);
531 set_track(s, object, TRACK_ALLOC, 0UL);
534 static void print_track(const char *s, struct track *t)
539 pr_err("INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
540 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
541 #ifdef CONFIG_STACKTRACE
544 for (i = 0; i < TRACK_ADDRS_COUNT; i++)
546 pr_err("\t%pS\n", (void *)t->addrs[i]);
553 static void print_tracking(struct kmem_cache *s, void *object)
555 if (!(s->flags & SLAB_STORE_USER))
558 print_track("Allocated", get_track(s, object, TRACK_ALLOC));
559 print_track("Freed", get_track(s, object, TRACK_FREE));
562 static void print_page_info(struct page *page)
564 pr_err("INFO: Slab 0x%p objects=%u used=%u fp=0x%p flags=0x%04lx\n",
565 page, page->objects, page->inuse, page->freelist, page->flags);
569 static void slab_bug(struct kmem_cache *s, char *fmt, ...)
571 struct va_format vaf;
577 pr_err("=============================================================================\n");
578 pr_err("BUG %s (%s): %pV\n", s->name, print_tainted(), &vaf);
579 pr_err("-----------------------------------------------------------------------------\n\n");
581 add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
585 static void slab_fix(struct kmem_cache *s, char *fmt, ...)
587 struct va_format vaf;
593 pr_err("FIX %s: %pV\n", s->name, &vaf);
597 static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
599 unsigned int off; /* Offset of last byte */
600 u8 *addr = page_address(page);
602 print_tracking(s, p);
604 print_page_info(page);
606 pr_err("INFO: Object 0x%p @offset=%tu fp=0x%p\n\n",
607 p, p - addr, get_freepointer(s, p));
610 print_section("Bytes b4 ", p - 16, 16);
612 print_section("Object ", p, min_t(unsigned long, s->object_size,
614 if (s->flags & SLAB_RED_ZONE)
615 print_section("Redzone ", p + s->object_size,
616 s->inuse - s->object_size);
619 off = s->offset + sizeof(void *);
623 if (s->flags & SLAB_STORE_USER)
624 off += 2 * sizeof(struct track);
627 /* Beginning of the filler is the free pointer */
628 print_section("Padding ", p + off, s->size - off);
633 void object_err(struct kmem_cache *s, struct page *page,
634 u8 *object, char *reason)
636 slab_bug(s, "%s", reason);
637 print_trailer(s, page, object);
640 static void slab_err(struct kmem_cache *s, struct page *page,
641 const char *fmt, ...)
647 vsnprintf(buf, sizeof(buf), fmt, args);
649 slab_bug(s, "%s", buf);
650 print_page_info(page);
654 static void init_object(struct kmem_cache *s, void *object, u8 val)
658 if (s->flags & __OBJECT_POISON) {
659 memset(p, POISON_FREE, s->object_size - 1);
660 p[s->object_size - 1] = POISON_END;
663 if (s->flags & SLAB_RED_ZONE)
664 memset(p + s->object_size, val, s->inuse - s->object_size);
667 static void restore_bytes(struct kmem_cache *s, char *message, u8 data,
668 void *from, void *to)
670 slab_fix(s, "Restoring 0x%p-0x%p=0x%x\n", from, to - 1, data);
671 memset(from, data, to - from);
674 static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
675 u8 *object, char *what,
676 u8 *start, unsigned int value, unsigned int bytes)
681 metadata_access_enable();
682 fault = memchr_inv(start, value, bytes);
683 metadata_access_disable();
688 while (end > fault && end[-1] == value)
691 slab_bug(s, "%s overwritten", what);
692 pr_err("INFO: 0x%p-0x%p. First byte 0x%x instead of 0x%x\n",
693 fault, end - 1, fault[0], value);
694 print_trailer(s, page, object);
696 restore_bytes(s, what, value, fault, end);
704 * Bytes of the object to be managed.
705 * If the freepointer may overlay the object then the free
706 * pointer is the first word of the object.
708 * Poisoning uses 0x6b (POISON_FREE) and the last byte is
711 * object + s->object_size
712 * Padding to reach word boundary. This is also used for Redzoning.
713 * Padding is extended by another word if Redzoning is enabled and
714 * object_size == inuse.
716 * We fill with 0xbb (RED_INACTIVE) for inactive objects and with
717 * 0xcc (RED_ACTIVE) for objects in use.
720 * Meta data starts here.
722 * A. Free pointer (if we cannot overwrite object on free)
723 * B. Tracking data for SLAB_STORE_USER
724 * C. Padding to reach required alignment boundary or at mininum
725 * one word if debugging is on to be able to detect writes
726 * before the word boundary.
728 * Padding is done using 0x5a (POISON_INUSE)
731 * Nothing is used beyond s->size.
733 * If slabcaches are merged then the object_size and inuse boundaries are mostly
734 * ignored. And therefore no slab options that rely on these boundaries
735 * may be used with merged slabcaches.
738 static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
740 unsigned long off = s->inuse; /* The end of info */
743 /* Freepointer is placed after the object. */
744 off += sizeof(void *);
746 if (s->flags & SLAB_STORE_USER)
747 /* We also have user information there */
748 off += 2 * sizeof(struct track);
753 return check_bytes_and_report(s, page, p, "Object padding",
754 p + off, POISON_INUSE, s->size - off);
757 /* Check the pad bytes at the end of a slab page */
758 static int slab_pad_check(struct kmem_cache *s, struct page *page)
766 if (!(s->flags & SLAB_POISON))
769 start = page_address(page);
770 length = (PAGE_SIZE << compound_order(page)) - s->reserved;
771 end = start + length;
772 remainder = length % s->size;
776 metadata_access_enable();
777 fault = memchr_inv(end - remainder, POISON_INUSE, remainder);
778 metadata_access_disable();
781 while (end > fault && end[-1] == POISON_INUSE)
784 slab_err(s, page, "Padding overwritten. 0x%p-0x%p", fault, end - 1);
785 print_section("Padding ", end - remainder, remainder);
787 restore_bytes(s, "slab padding", POISON_INUSE, end - remainder, end);
791 static int check_object(struct kmem_cache *s, struct page *page,
792 void *object, u8 val)
795 u8 *endobject = object + s->object_size;
797 if (s->flags & SLAB_RED_ZONE) {
798 if (!check_bytes_and_report(s, page, object, "Redzone",
799 endobject, val, s->inuse - s->object_size))
802 if ((s->flags & SLAB_POISON) && s->object_size < s->inuse) {
803 check_bytes_and_report(s, page, p, "Alignment padding",
804 endobject, POISON_INUSE,
805 s->inuse - s->object_size);
809 if (s->flags & SLAB_POISON) {
810 if (val != SLUB_RED_ACTIVE && (s->flags & __OBJECT_POISON) &&
811 (!check_bytes_and_report(s, page, p, "Poison", p,
812 POISON_FREE, s->object_size - 1) ||
813 !check_bytes_and_report(s, page, p, "Poison",
814 p + s->object_size - 1, POISON_END, 1)))
817 * check_pad_bytes cleans up on its own.
819 check_pad_bytes(s, page, p);
822 if (!s->offset && val == SLUB_RED_ACTIVE)
824 * Object and freepointer overlap. Cannot check
825 * freepointer while object is allocated.
829 /* Check free pointer validity */
830 if (!check_valid_pointer(s, page, get_freepointer(s, p))) {
831 object_err(s, page, p, "Freepointer corrupt");
833 * No choice but to zap it and thus lose the remainder
834 * of the free objects in this slab. May cause
835 * another error because the object count is now wrong.
837 set_freepointer(s, p, NULL);
843 static int check_slab(struct kmem_cache *s, struct page *page)
847 VM_BUG_ON(!irqs_disabled());
849 if (!PageSlab(page)) {
850 slab_err(s, page, "Not a valid slab page");
854 maxobj = order_objects(compound_order(page), s->size, s->reserved);
855 if (page->objects > maxobj) {
856 slab_err(s, page, "objects %u > max %u",
857 page->objects, maxobj);
860 if (page->inuse > page->objects) {
861 slab_err(s, page, "inuse %u > max %u",
862 page->inuse, page->objects);
865 /* Slab_pad_check fixes things up after itself */
866 slab_pad_check(s, page);
871 * Determine if a certain object on a page is on the freelist. Must hold the
872 * slab lock to guarantee that the chains are in a consistent state.
874 static int on_freelist(struct kmem_cache *s, struct page *page, void *search)
882 while (fp && nr <= page->objects) {
885 if (!check_valid_pointer(s, page, fp)) {
887 object_err(s, page, object,
888 "Freechain corrupt");
889 set_freepointer(s, object, NULL);
891 slab_err(s, page, "Freepointer corrupt");
892 page->freelist = NULL;
893 page->inuse = page->objects;
894 slab_fix(s, "Freelist cleared");
900 fp = get_freepointer(s, object);
904 max_objects = order_objects(compound_order(page), s->size, s->reserved);
905 if (max_objects > MAX_OBJS_PER_PAGE)
906 max_objects = MAX_OBJS_PER_PAGE;
908 if (page->objects != max_objects) {
909 slab_err(s, page, "Wrong number of objects. Found %d but "
910 "should be %d", page->objects, max_objects);
911 page->objects = max_objects;
912 slab_fix(s, "Number of objects adjusted.");
914 if (page->inuse != page->objects - nr) {
915 slab_err(s, page, "Wrong object count. Counter is %d but "
916 "counted were %d", page->inuse, page->objects - nr);
917 page->inuse = page->objects - nr;
918 slab_fix(s, "Object count adjusted.");
920 return search == NULL;
923 static void trace(struct kmem_cache *s, struct page *page, void *object,
926 if (s->flags & SLAB_TRACE) {
927 pr_info("TRACE %s %s 0x%p inuse=%d fp=0x%p\n",
929 alloc ? "alloc" : "free",
934 print_section("Object ", (void *)object,
942 * Tracking of fully allocated slabs for debugging purposes.
944 static void add_full(struct kmem_cache *s,
945 struct kmem_cache_node *n, struct page *page)
947 if (!(s->flags & SLAB_STORE_USER))
950 lockdep_assert_held(&n->list_lock);
951 list_add(&page->lru, &n->full);
954 static void remove_full(struct kmem_cache *s, struct kmem_cache_node *n, struct page *page)
956 if (!(s->flags & SLAB_STORE_USER))
959 lockdep_assert_held(&n->list_lock);
960 list_del(&page->lru);
963 /* Tracking of the number of slabs for debugging purposes */
964 static inline unsigned long slabs_node(struct kmem_cache *s, int node)
966 struct kmem_cache_node *n = get_node(s, node);
968 return atomic_long_read(&n->nr_slabs);
971 static inline unsigned long node_nr_slabs(struct kmem_cache_node *n)
973 return atomic_long_read(&n->nr_slabs);
976 static inline void inc_slabs_node(struct kmem_cache *s, int node, int objects)
978 struct kmem_cache_node *n = get_node(s, node);
981 * May be called early in order to allocate a slab for the
982 * kmem_cache_node structure. Solve the chicken-egg
983 * dilemma by deferring the increment of the count during
984 * bootstrap (see early_kmem_cache_node_alloc).
987 atomic_long_inc(&n->nr_slabs);
988 atomic_long_add(objects, &n->total_objects);
991 static inline void dec_slabs_node(struct kmem_cache *s, int node, int objects)
993 struct kmem_cache_node *n = get_node(s, node);
995 atomic_long_dec(&n->nr_slabs);
996 atomic_long_sub(objects, &n->total_objects);
999 /* Object debug checks for alloc/free paths */
1000 static void setup_object_debug(struct kmem_cache *s, struct page *page,
1003 if (!(s->flags & (SLAB_STORE_USER|SLAB_RED_ZONE|__OBJECT_POISON)))
1006 init_object(s, object, SLUB_RED_INACTIVE);
1007 init_tracking(s, object);
1010 static inline int alloc_consistency_checks(struct kmem_cache *s,
1012 void *object, unsigned long addr)
1014 if (!check_slab(s, page))
1017 if (!check_valid_pointer(s, page, object)) {
1018 object_err(s, page, object, "Freelist Pointer check fails");
1022 if (!check_object(s, page, object, SLUB_RED_INACTIVE))
1028 static noinline int alloc_debug_processing(struct kmem_cache *s,
1030 void *object, unsigned long addr)
1032 if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1033 if (!alloc_consistency_checks(s, page, object, addr))
1037 /* Success perform special debug activities for allocs */
1038 if (s->flags & SLAB_STORE_USER)
1039 set_track(s, object, TRACK_ALLOC, addr);
1040 trace(s, page, object, 1);
1041 init_object(s, object, SLUB_RED_ACTIVE);
1045 if (PageSlab(page)) {
1047 * If this is a slab page then lets do the best we can
1048 * to avoid issues in the future. Marking all objects
1049 * as used avoids touching the remaining objects.
1051 slab_fix(s, "Marking all objects used");
1052 page->inuse = page->objects;
1053 page->freelist = NULL;
1058 static inline int free_consistency_checks(struct kmem_cache *s,
1059 struct page *page, void *object, unsigned long addr)
1061 if (!check_valid_pointer(s, page, object)) {
1062 slab_err(s, page, "Invalid object pointer 0x%p", object);
1066 if (on_freelist(s, page, object)) {
1067 object_err(s, page, object, "Object already free");
1071 if (!check_object(s, page, object, SLUB_RED_ACTIVE))
1074 if (unlikely(s != page->slab_cache)) {
1075 if (!PageSlab(page)) {
1076 slab_err(s, page, "Attempt to free object(0x%p) "
1077 "outside of slab", object);
1078 } else if (!page->slab_cache) {
1079 pr_err("SLUB <none>: no slab for object 0x%p.\n",
1083 object_err(s, page, object,
1084 "page slab pointer corrupt.");
1090 /* Supports checking bulk free of a constructed freelist */
1091 static noinline int free_debug_processing(
1092 struct kmem_cache *s, struct page *page,
1093 void *head, void *tail, int bulk_cnt,
1096 struct kmem_cache_node *n = get_node(s, page_to_nid(page));
1097 void *object = head;
1099 unsigned long uninitialized_var(flags);
1102 spin_lock_irqsave(&n->list_lock, flags);
1105 if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1106 if (!check_slab(s, page))
1113 if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1114 if (!free_consistency_checks(s, page, object, addr))
1118 if (s->flags & SLAB_STORE_USER)
1119 set_track(s, object, TRACK_FREE, addr);
1120 trace(s, page, object, 0);
1121 /* Freepointer not overwritten by init_object(), SLAB_POISON moved it */
1122 init_object(s, object, SLUB_RED_INACTIVE);
1124 /* Reached end of constructed freelist yet? */
1125 if (object != tail) {
1126 object = get_freepointer(s, object);
1132 if (cnt != bulk_cnt)
1133 slab_err(s, page, "Bulk freelist count(%d) invalid(%d)\n",
1137 spin_unlock_irqrestore(&n->list_lock, flags);
1139 slab_fix(s, "Object at 0x%p not freed", object);
1143 static int __init setup_slub_debug(char *str)
1145 slub_debug = DEBUG_DEFAULT_FLAGS;
1146 if (*str++ != '=' || !*str)
1148 * No options specified. Switch on full debugging.
1154 * No options but restriction on slabs. This means full
1155 * debugging for slabs matching a pattern.
1162 * Switch off all debugging measures.
1167 * Determine which debug features should be switched on
1169 for (; *str && *str != ','; str++) {
1170 switch (tolower(*str)) {
1172 slub_debug |= SLAB_CONSISTENCY_CHECKS;
1175 slub_debug |= SLAB_RED_ZONE;
1178 slub_debug |= SLAB_POISON;
1181 slub_debug |= SLAB_STORE_USER;
1184 slub_debug |= SLAB_TRACE;
1187 slub_debug |= SLAB_FAILSLAB;
1191 * Avoid enabling debugging on caches if its minimum
1192 * order would increase as a result.
1194 disable_higher_order_debug = 1;
1197 pr_err("slub_debug option '%c' unknown. skipped\n",
1204 slub_debug_slabs = str + 1;
1209 __setup("slub_debug", setup_slub_debug);
1211 unsigned long kmem_cache_flags(unsigned long object_size,
1212 unsigned long flags, const char *name,
1213 void (*ctor)(void *))
1216 * Enable debugging if selected on the kernel commandline.
1218 if (slub_debug && (!slub_debug_slabs || (name &&
1219 !strncmp(slub_debug_slabs, name, strlen(slub_debug_slabs)))))
1220 flags |= slub_debug;
1224 #else /* !CONFIG_SLUB_DEBUG */
1225 static inline void setup_object_debug(struct kmem_cache *s,
1226 struct page *page, void *object) {}
1228 static inline int alloc_debug_processing(struct kmem_cache *s,
1229 struct page *page, void *object, unsigned long addr) { return 0; }
1231 static inline int free_debug_processing(
1232 struct kmem_cache *s, struct page *page,
1233 void *head, void *tail, int bulk_cnt,
1234 unsigned long addr) { return 0; }
1236 static inline int slab_pad_check(struct kmem_cache *s, struct page *page)
1238 static inline int check_object(struct kmem_cache *s, struct page *page,
1239 void *object, u8 val) { return 1; }
1240 static inline void add_full(struct kmem_cache *s, struct kmem_cache_node *n,
1241 struct page *page) {}
1242 static inline void remove_full(struct kmem_cache *s, struct kmem_cache_node *n,
1243 struct page *page) {}
1244 unsigned long kmem_cache_flags(unsigned long object_size,
1245 unsigned long flags, const char *name,
1246 void (*ctor)(void *))
1250 #define slub_debug 0
1252 #define disable_higher_order_debug 0
1254 static inline unsigned long slabs_node(struct kmem_cache *s, int node)
1256 static inline unsigned long node_nr_slabs(struct kmem_cache_node *n)
1258 static inline void inc_slabs_node(struct kmem_cache *s, int node,
1260 static inline void dec_slabs_node(struct kmem_cache *s, int node,
1263 #endif /* CONFIG_SLUB_DEBUG */
1266 * Hooks for other subsystems that check memory allocations. In a typical
1267 * production configuration these hooks all should produce no code at all.
1269 static inline void kmalloc_large_node_hook(void *ptr, size_t size, gfp_t flags)
1271 kmemleak_alloc(ptr, size, 1, flags);
1272 kasan_kmalloc_large(ptr, size);
1275 static inline void kfree_hook(const void *x)
1278 kasan_kfree_large(x);
1281 static inline void slab_free_hook(struct kmem_cache *s, void *x)
1283 kmemleak_free_recursive(x, s->flags);
1286 * Trouble is that we may no longer disable interrupts in the fast path
1287 * So in order to make the debug calls that expect irqs to be
1288 * disabled we need to disable interrupts temporarily.
1290 #if defined(CONFIG_KMEMCHECK) || defined(CONFIG_LOCKDEP)
1292 unsigned long flags;
1294 local_irq_save(flags);
1295 kmemcheck_slab_free(s, x, s->object_size);
1296 debug_check_no_locks_freed(x, s->object_size);
1297 local_irq_restore(flags);
1300 if (!(s->flags & SLAB_DEBUG_OBJECTS))
1301 debug_check_no_obj_freed(x, s->object_size);
1303 kasan_slab_free(s, x);
1306 static inline void slab_free_freelist_hook(struct kmem_cache *s,
1307 void *head, void *tail)
1310 * Compiler cannot detect this function can be removed if slab_free_hook()
1311 * evaluates to nothing. Thus, catch all relevant config debug options here.
1313 #if defined(CONFIG_KMEMCHECK) || \
1314 defined(CONFIG_LOCKDEP) || \
1315 defined(CONFIG_DEBUG_KMEMLEAK) || \
1316 defined(CONFIG_DEBUG_OBJECTS_FREE) || \
1317 defined(CONFIG_KASAN)
1319 void *object = head;
1320 void *tail_obj = tail ? : head;
1323 slab_free_hook(s, object);
1324 } while ((object != tail_obj) &&
1325 (object = get_freepointer(s, object)));
1329 static void setup_object(struct kmem_cache *s, struct page *page,
1332 setup_object_debug(s, page, object);
1333 if (unlikely(s->ctor)) {
1334 kasan_unpoison_object_data(s, object);
1336 kasan_poison_object_data(s, object);
1341 * Slab allocation and freeing
1343 static inline struct page *alloc_slab_page(struct kmem_cache *s,
1344 gfp_t flags, int node, struct kmem_cache_order_objects oo)
1347 int order = oo_order(oo);
1349 flags |= __GFP_NOTRACK;
1351 if (node == NUMA_NO_NODE)
1352 page = alloc_pages(flags, order);
1354 page = __alloc_pages_node(node, flags, order);
1356 if (page && memcg_charge_slab(page, flags, order, s)) {
1357 __free_pages(page, order);
1364 static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
1367 struct kmem_cache_order_objects oo = s->oo;
1372 flags &= gfp_allowed_mask;
1374 if (gfpflags_allow_blocking(flags))
1377 flags |= s->allocflags;
1380 * Let the initial higher-order allocation fail under memory pressure
1381 * so we fall-back to the minimum order allocation.
1383 alloc_gfp = (flags | __GFP_NOWARN | __GFP_NORETRY) & ~__GFP_NOFAIL;
1384 if ((alloc_gfp & __GFP_DIRECT_RECLAIM) && oo_order(oo) > oo_order(s->min))
1385 alloc_gfp = (alloc_gfp | __GFP_NOMEMALLOC) & ~__GFP_DIRECT_RECLAIM;
1387 page = alloc_slab_page(s, alloc_gfp, node, oo);
1388 if (unlikely(!page)) {
1392 * Allocation may have failed due to fragmentation.
1393 * Try a lower order alloc if possible
1395 page = alloc_slab_page(s, alloc_gfp, node, oo);
1396 if (unlikely(!page))
1398 stat(s, ORDER_FALLBACK);
1401 if (kmemcheck_enabled &&
1402 !(s->flags & (SLAB_NOTRACK | DEBUG_DEFAULT_FLAGS))) {
1403 int pages = 1 << oo_order(oo);
1405 kmemcheck_alloc_shadow(page, oo_order(oo), alloc_gfp, node);
1408 * Objects from caches that have a constructor don't get
1409 * cleared when they're allocated, so we need to do it here.
1412 kmemcheck_mark_uninitialized_pages(page, pages);
1414 kmemcheck_mark_unallocated_pages(page, pages);
1417 page->objects = oo_objects(oo);
1419 order = compound_order(page);
1420 page->slab_cache = s;
1421 __SetPageSlab(page);
1422 if (page_is_pfmemalloc(page))
1423 SetPageSlabPfmemalloc(page);
1425 start = page_address(page);
1427 if (unlikely(s->flags & SLAB_POISON))
1428 memset(start, POISON_INUSE, PAGE_SIZE << order);
1430 kasan_poison_slab(page);
1432 for_each_object_idx(p, idx, s, start, page->objects) {
1433 setup_object(s, page, p);
1434 if (likely(idx < page->objects))
1435 set_freepointer(s, p, p + s->size);
1437 set_freepointer(s, p, NULL);
1440 page->freelist = start;
1441 page->inuse = page->objects;
1445 if (gfpflags_allow_blocking(flags))
1446 local_irq_disable();
1450 mod_zone_page_state(page_zone(page),
1451 (s->flags & SLAB_RECLAIM_ACCOUNT) ?
1452 NR_SLAB_RECLAIMABLE : NR_SLAB_UNRECLAIMABLE,
1455 inc_slabs_node(s, page_to_nid(page), page->objects);
1460 static struct page *new_slab(struct kmem_cache *s, gfp_t flags, int node)
1462 if (unlikely(flags & GFP_SLAB_BUG_MASK)) {
1463 pr_emerg("gfp: %u\n", flags & GFP_SLAB_BUG_MASK);
1467 return allocate_slab(s,
1468 flags & (GFP_RECLAIM_MASK | GFP_CONSTRAINT_MASK), node);
1471 static void __free_slab(struct kmem_cache *s, struct page *page)
1473 int order = compound_order(page);
1474 int pages = 1 << order;
1476 if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1479 slab_pad_check(s, page);
1480 for_each_object(p, s, page_address(page),
1482 check_object(s, page, p, SLUB_RED_INACTIVE);
1485 kmemcheck_free_shadow(page, compound_order(page));
1487 mod_zone_page_state(page_zone(page),
1488 (s->flags & SLAB_RECLAIM_ACCOUNT) ?
1489 NR_SLAB_RECLAIMABLE : NR_SLAB_UNRECLAIMABLE,
1492 __ClearPageSlabPfmemalloc(page);
1493 __ClearPageSlab(page);
1495 page_mapcount_reset(page);
1496 if (current->reclaim_state)
1497 current->reclaim_state->reclaimed_slab += pages;
1498 __free_kmem_pages(page, order);
1501 #define need_reserve_slab_rcu \
1502 (sizeof(((struct page *)NULL)->lru) < sizeof(struct rcu_head))
1504 static void rcu_free_slab(struct rcu_head *h)
1508 if (need_reserve_slab_rcu)
1509 page = virt_to_head_page(h);
1511 page = container_of((struct list_head *)h, struct page, lru);
1513 __free_slab(page->slab_cache, page);
1516 static void free_slab(struct kmem_cache *s, struct page *page)
1518 if (unlikely(s->flags & SLAB_DESTROY_BY_RCU)) {
1519 struct rcu_head *head;
1521 if (need_reserve_slab_rcu) {
1522 int order = compound_order(page);
1523 int offset = (PAGE_SIZE << order) - s->reserved;
1525 VM_BUG_ON(s->reserved != sizeof(*head));
1526 head = page_address(page) + offset;
1528 head = &page->rcu_head;
1531 call_rcu(head, rcu_free_slab);
1533 __free_slab(s, page);
1536 static void discard_slab(struct kmem_cache *s, struct page *page)
1538 dec_slabs_node(s, page_to_nid(page), page->objects);
1543 * Management of partially allocated slabs.
1546 __add_partial(struct kmem_cache_node *n, struct page *page, int tail)
1549 if (tail == DEACTIVATE_TO_TAIL)
1550 list_add_tail(&page->lru, &n->partial);
1552 list_add(&page->lru, &n->partial);
1555 static inline void add_partial(struct kmem_cache_node *n,
1556 struct page *page, int tail)
1558 lockdep_assert_held(&n->list_lock);
1559 __add_partial(n, page, tail);
1562 static inline void remove_partial(struct kmem_cache_node *n,
1565 lockdep_assert_held(&n->list_lock);
1566 list_del(&page->lru);
1571 * Remove slab from the partial list, freeze it and
1572 * return the pointer to the freelist.
1574 * Returns a list of objects or NULL if it fails.
1576 static inline void *acquire_slab(struct kmem_cache *s,
1577 struct kmem_cache_node *n, struct page *page,
1578 int mode, int *objects)
1581 unsigned long counters;
1584 lockdep_assert_held(&n->list_lock);
1587 * Zap the freelist and set the frozen bit.
1588 * The old freelist is the list of objects for the
1589 * per cpu allocation list.
1591 freelist = page->freelist;
1592 counters = page->counters;
1593 new.counters = counters;
1594 *objects = new.objects - new.inuse;
1596 new.inuse = page->objects;
1597 new.freelist = NULL;
1599 new.freelist = freelist;
1602 VM_BUG_ON(new.frozen);
1605 if (!__cmpxchg_double_slab(s, page,
1607 new.freelist, new.counters,
1611 remove_partial(n, page);
1616 static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain);
1617 static inline bool pfmemalloc_match(struct page *page, gfp_t gfpflags);
1620 * Try to allocate a partial slab from a specific node.
1622 static void *get_partial_node(struct kmem_cache *s, struct kmem_cache_node *n,
1623 struct kmem_cache_cpu *c, gfp_t flags)
1625 struct page *page, *page2;
1626 void *object = NULL;
1631 * Racy check. If we mistakenly see no partial slabs then we
1632 * just allocate an empty slab. If we mistakenly try to get a
1633 * partial slab and there is none available then get_partials()
1636 if (!n || !n->nr_partial)
1639 spin_lock(&n->list_lock);
1640 list_for_each_entry_safe(page, page2, &n->partial, lru) {
1643 if (!pfmemalloc_match(page, flags))
1646 t = acquire_slab(s, n, page, object == NULL, &objects);
1650 available += objects;
1653 stat(s, ALLOC_FROM_PARTIAL);
1656 put_cpu_partial(s, page, 0);
1657 stat(s, CPU_PARTIAL_NODE);
1659 if (!kmem_cache_has_cpu_partial(s)
1660 || available > s->cpu_partial / 2)
1664 spin_unlock(&n->list_lock);
1669 * Get a page from somewhere. Search in increasing NUMA distances.
1671 static void *get_any_partial(struct kmem_cache *s, gfp_t flags,
1672 struct kmem_cache_cpu *c)
1675 struct zonelist *zonelist;
1678 enum zone_type high_zoneidx = gfp_zone(flags);
1680 unsigned int cpuset_mems_cookie;
1683 * The defrag ratio allows a configuration of the tradeoffs between
1684 * inter node defragmentation and node local allocations. A lower
1685 * defrag_ratio increases the tendency to do local allocations
1686 * instead of attempting to obtain partial slabs from other nodes.
1688 * If the defrag_ratio is set to 0 then kmalloc() always
1689 * returns node local objects. If the ratio is higher then kmalloc()
1690 * may return off node objects because partial slabs are obtained
1691 * from other nodes and filled up.
1693 * If /sys/kernel/slab/xx/defrag_ratio is set to 100 (which makes
1694 * defrag_ratio = 1000) then every (well almost) allocation will
1695 * first attempt to defrag slab caches on other nodes. This means
1696 * scanning over all nodes to look for partial slabs which may be
1697 * expensive if we do it every time we are trying to find a slab
1698 * with available objects.
1700 if (!s->remote_node_defrag_ratio ||
1701 get_cycles() % 1024 > s->remote_node_defrag_ratio)
1705 cpuset_mems_cookie = read_mems_allowed_begin();
1706 zonelist = node_zonelist(mempolicy_slab_node(), flags);
1707 for_each_zone_zonelist(zone, z, zonelist, high_zoneidx) {
1708 struct kmem_cache_node *n;
1710 n = get_node(s, zone_to_nid(zone));
1712 if (n && cpuset_zone_allowed(zone, flags) &&
1713 n->nr_partial > s->min_partial) {
1714 object = get_partial_node(s, n, c, flags);
1717 * Don't check read_mems_allowed_retry()
1718 * here - if mems_allowed was updated in
1719 * parallel, that was a harmless race
1720 * between allocation and the cpuset
1727 } while (read_mems_allowed_retry(cpuset_mems_cookie));
1733 * Get a partial page, lock it and return it.
1735 static void *get_partial(struct kmem_cache *s, gfp_t flags, int node,
1736 struct kmem_cache_cpu *c)
1739 int searchnode = node;
1741 if (node == NUMA_NO_NODE)
1742 searchnode = numa_mem_id();
1743 else if (!node_present_pages(node))
1744 searchnode = node_to_mem_node(node);
1746 object = get_partial_node(s, get_node(s, searchnode), c, flags);
1747 if (object || node != NUMA_NO_NODE)
1750 return get_any_partial(s, flags, c);
1753 #ifdef CONFIG_PREEMPT
1755 * Calculate the next globally unique transaction for disambiguiation
1756 * during cmpxchg. The transactions start with the cpu number and are then
1757 * incremented by CONFIG_NR_CPUS.
1759 #define TID_STEP roundup_pow_of_two(CONFIG_NR_CPUS)
1762 * No preemption supported therefore also no need to check for
1768 static inline unsigned long next_tid(unsigned long tid)
1770 return tid + TID_STEP;
1773 static inline unsigned int tid_to_cpu(unsigned long tid)
1775 return tid % TID_STEP;
1778 static inline unsigned long tid_to_event(unsigned long tid)
1780 return tid / TID_STEP;
1783 static inline unsigned int init_tid(int cpu)
1788 static inline void note_cmpxchg_failure(const char *n,
1789 const struct kmem_cache *s, unsigned long tid)
1791 #ifdef SLUB_DEBUG_CMPXCHG
1792 unsigned long actual_tid = __this_cpu_read(s->cpu_slab->tid);
1794 pr_info("%s %s: cmpxchg redo ", n, s->name);
1796 #ifdef CONFIG_PREEMPT
1797 if (tid_to_cpu(tid) != tid_to_cpu(actual_tid))
1798 pr_warn("due to cpu change %d -> %d\n",
1799 tid_to_cpu(tid), tid_to_cpu(actual_tid));
1802 if (tid_to_event(tid) != tid_to_event(actual_tid))
1803 pr_warn("due to cpu running other code. Event %ld->%ld\n",
1804 tid_to_event(tid), tid_to_event(actual_tid));
1806 pr_warn("for unknown reason: actual=%lx was=%lx target=%lx\n",
1807 actual_tid, tid, next_tid(tid));
1809 stat(s, CMPXCHG_DOUBLE_CPU_FAIL);
1812 static void init_kmem_cache_cpus(struct kmem_cache *s)
1816 for_each_possible_cpu(cpu)
1817 per_cpu_ptr(s->cpu_slab, cpu)->tid = init_tid(cpu);
1821 * Remove the cpu slab
1823 static void deactivate_slab(struct kmem_cache *s, struct page *page,
1826 enum slab_modes { M_NONE, M_PARTIAL, M_FULL, M_FREE };
1827 struct kmem_cache_node *n = get_node(s, page_to_nid(page));
1829 enum slab_modes l = M_NONE, m = M_NONE;
1831 int tail = DEACTIVATE_TO_HEAD;
1835 if (page->freelist) {
1836 stat(s, DEACTIVATE_REMOTE_FREES);
1837 tail = DEACTIVATE_TO_TAIL;
1841 * Stage one: Free all available per cpu objects back
1842 * to the page freelist while it is still frozen. Leave the
1845 * There is no need to take the list->lock because the page
1848 while (freelist && (nextfree = get_freepointer(s, freelist))) {
1850 unsigned long counters;
1853 prior = page->freelist;
1854 counters = page->counters;
1855 set_freepointer(s, freelist, prior);
1856 new.counters = counters;
1858 VM_BUG_ON(!new.frozen);
1860 } while (!__cmpxchg_double_slab(s, page,
1862 freelist, new.counters,
1863 "drain percpu freelist"));
1865 freelist = nextfree;
1869 * Stage two: Ensure that the page is unfrozen while the
1870 * list presence reflects the actual number of objects
1873 * We setup the list membership and then perform a cmpxchg
1874 * with the count. If there is a mismatch then the page
1875 * is not unfrozen but the page is on the wrong list.
1877 * Then we restart the process which may have to remove
1878 * the page from the list that we just put it on again
1879 * because the number of objects in the slab may have
1884 old.freelist = page->freelist;
1885 old.counters = page->counters;
1886 VM_BUG_ON(!old.frozen);
1888 /* Determine target state of the slab */
1889 new.counters = old.counters;
1892 set_freepointer(s, freelist, old.freelist);
1893 new.freelist = freelist;
1895 new.freelist = old.freelist;
1899 if (!new.inuse && n->nr_partial >= s->min_partial)
1901 else if (new.freelist) {
1906 * Taking the spinlock removes the possiblity
1907 * that acquire_slab() will see a slab page that
1910 spin_lock(&n->list_lock);
1914 if (kmem_cache_debug(s) && !lock) {
1917 * This also ensures that the scanning of full
1918 * slabs from diagnostic functions will not see
1921 spin_lock(&n->list_lock);
1929 remove_partial(n, page);
1931 else if (l == M_FULL)
1933 remove_full(s, n, page);
1935 if (m == M_PARTIAL) {
1937 add_partial(n, page, tail);
1940 } else if (m == M_FULL) {
1942 stat(s, DEACTIVATE_FULL);
1943 add_full(s, n, page);
1949 if (!__cmpxchg_double_slab(s, page,
1950 old.freelist, old.counters,
1951 new.freelist, new.counters,
1956 spin_unlock(&n->list_lock);
1959 stat(s, DEACTIVATE_EMPTY);
1960 discard_slab(s, page);
1966 * Unfreeze all the cpu partial slabs.
1968 * This function must be called with interrupts disabled
1969 * for the cpu using c (or some other guarantee must be there
1970 * to guarantee no concurrent accesses).
1972 static void unfreeze_partials(struct kmem_cache *s,
1973 struct kmem_cache_cpu *c)
1975 #ifdef CONFIG_SLUB_CPU_PARTIAL
1976 struct kmem_cache_node *n = NULL, *n2 = NULL;
1977 struct page *page, *discard_page = NULL;
1979 while ((page = c->partial)) {
1983 c->partial = page->next;
1985 n2 = get_node(s, page_to_nid(page));
1988 spin_unlock(&n->list_lock);
1991 spin_lock(&n->list_lock);
1996 old.freelist = page->freelist;
1997 old.counters = page->counters;
1998 VM_BUG_ON(!old.frozen);
2000 new.counters = old.counters;
2001 new.freelist = old.freelist;
2005 } while (!__cmpxchg_double_slab(s, page,
2006 old.freelist, old.counters,
2007 new.freelist, new.counters,
2008 "unfreezing slab"));
2010 if (unlikely(!new.inuse && n->nr_partial >= s->min_partial)) {
2011 page->next = discard_page;
2012 discard_page = page;
2014 add_partial(n, page, DEACTIVATE_TO_TAIL);
2015 stat(s, FREE_ADD_PARTIAL);
2020 spin_unlock(&n->list_lock);
2022 while (discard_page) {
2023 page = discard_page;
2024 discard_page = discard_page->next;
2026 stat(s, DEACTIVATE_EMPTY);
2027 discard_slab(s, page);
2034 * Put a page that was just frozen (in __slab_free) into a partial page
2035 * slot if available. This is done without interrupts disabled and without
2036 * preemption disabled. The cmpxchg is racy and may put the partial page
2037 * onto a random cpus partial slot.
2039 * If we did not find a slot then simply move all the partials to the
2040 * per node partial list.
2042 static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain)
2044 #ifdef CONFIG_SLUB_CPU_PARTIAL
2045 struct page *oldpage;
2053 oldpage = this_cpu_read(s->cpu_slab->partial);
2056 pobjects = oldpage->pobjects;
2057 pages = oldpage->pages;
2058 if (drain && pobjects > s->cpu_partial) {
2059 unsigned long flags;
2061 * partial array is full. Move the existing
2062 * set to the per node partial list.
2064 local_irq_save(flags);
2065 unfreeze_partials(s, this_cpu_ptr(s->cpu_slab));
2066 local_irq_restore(flags);
2070 stat(s, CPU_PARTIAL_DRAIN);
2075 pobjects += page->objects - page->inuse;
2077 page->pages = pages;
2078 page->pobjects = pobjects;
2079 page->next = oldpage;
2081 } while (this_cpu_cmpxchg(s->cpu_slab->partial, oldpage, page)
2083 if (unlikely(!s->cpu_partial)) {
2084 unsigned long flags;
2086 local_irq_save(flags);
2087 unfreeze_partials(s, this_cpu_ptr(s->cpu_slab));
2088 local_irq_restore(flags);
2094 static inline void flush_slab(struct kmem_cache *s, struct kmem_cache_cpu *c)
2096 stat(s, CPUSLAB_FLUSH);
2097 deactivate_slab(s, c->page, c->freelist);
2099 c->tid = next_tid(c->tid);
2107 * Called from IPI handler with interrupts disabled.
2109 static inline void __flush_cpu_slab(struct kmem_cache *s, int cpu)
2111 struct kmem_cache_cpu *c = per_cpu_ptr(s->cpu_slab, cpu);
2117 unfreeze_partials(s, c);
2121 static void flush_cpu_slab(void *d)
2123 struct kmem_cache *s = d;
2125 __flush_cpu_slab(s, smp_processor_id());
2128 static bool has_cpu_slab(int cpu, void *info)
2130 struct kmem_cache *s = info;
2131 struct kmem_cache_cpu *c = per_cpu_ptr(s->cpu_slab, cpu);
2133 return c->page || c->partial;
2136 static void flush_all(struct kmem_cache *s)
2138 on_each_cpu_cond(has_cpu_slab, flush_cpu_slab, s, 1, GFP_ATOMIC);
2142 * Check if the objects in a per cpu structure fit numa
2143 * locality expectations.
2145 static inline int node_match(struct page *page, int node)
2148 if (!page || (node != NUMA_NO_NODE && page_to_nid(page) != node))
2154 #ifdef CONFIG_SLUB_DEBUG
2155 static int count_free(struct page *page)
2157 return page->objects - page->inuse;
2160 static inline unsigned long node_nr_objs(struct kmem_cache_node *n)
2162 return atomic_long_read(&n->total_objects);
2164 #endif /* CONFIG_SLUB_DEBUG */
2166 #if defined(CONFIG_SLUB_DEBUG) || defined(CONFIG_SYSFS)
2167 static unsigned long count_partial(struct kmem_cache_node *n,
2168 int (*get_count)(struct page *))
2170 unsigned long flags;
2171 unsigned long x = 0;
2174 spin_lock_irqsave(&n->list_lock, flags);
2175 list_for_each_entry(page, &n->partial, lru)
2176 x += get_count(page);
2177 spin_unlock_irqrestore(&n->list_lock, flags);
2180 #endif /* CONFIG_SLUB_DEBUG || CONFIG_SYSFS */
2182 static noinline void
2183 slab_out_of_memory(struct kmem_cache *s, gfp_t gfpflags, int nid)
2185 #ifdef CONFIG_SLUB_DEBUG
2186 static DEFINE_RATELIMIT_STATE(slub_oom_rs, DEFAULT_RATELIMIT_INTERVAL,
2187 DEFAULT_RATELIMIT_BURST);
2189 struct kmem_cache_node *n;
2191 if ((gfpflags & __GFP_NOWARN) || !__ratelimit(&slub_oom_rs))
2194 pr_warn("SLUB: Unable to allocate memory on node %d (gfp=0x%x)\n",
2196 pr_warn(" cache: %s, object size: %d, buffer size: %d, default order: %d, min order: %d\n",
2197 s->name, s->object_size, s->size, oo_order(s->oo),
2200 if (oo_order(s->min) > get_order(s->object_size))
2201 pr_warn(" %s debugging increased min order, use slub_debug=O to disable.\n",
2204 for_each_kmem_cache_node(s, node, n) {
2205 unsigned long nr_slabs;
2206 unsigned long nr_objs;
2207 unsigned long nr_free;
2209 nr_free = count_partial(n, count_free);
2210 nr_slabs = node_nr_slabs(n);
2211 nr_objs = node_nr_objs(n);
2213 pr_warn(" node %d: slabs: %ld, objs: %ld, free: %ld\n",
2214 node, nr_slabs, nr_objs, nr_free);
2219 static inline void *new_slab_objects(struct kmem_cache *s, gfp_t flags,
2220 int node, struct kmem_cache_cpu **pc)
2223 struct kmem_cache_cpu *c = *pc;
2226 freelist = get_partial(s, flags, node, c);
2231 page = new_slab(s, flags, node);
2233 c = raw_cpu_ptr(s->cpu_slab);
2238 * No other reference to the page yet so we can
2239 * muck around with it freely without cmpxchg
2241 freelist = page->freelist;
2242 page->freelist = NULL;
2244 stat(s, ALLOC_SLAB);
2253 static inline bool pfmemalloc_match(struct page *page, gfp_t gfpflags)
2255 if (unlikely(PageSlabPfmemalloc(page)))
2256 return gfp_pfmemalloc_allowed(gfpflags);
2262 * Check the page->freelist of a page and either transfer the freelist to the
2263 * per cpu freelist or deactivate the page.
2265 * The page is still frozen if the return value is not NULL.
2267 * If this function returns NULL then the page has been unfrozen.
2269 * This function must be called with interrupt disabled.
2271 static inline void *get_freelist(struct kmem_cache *s, struct page *page)
2274 unsigned long counters;
2278 freelist = page->freelist;
2279 counters = page->counters;
2281 new.counters = counters;
2282 VM_BUG_ON(!new.frozen);
2284 new.inuse = page->objects;
2285 new.frozen = freelist != NULL;
2287 } while (!__cmpxchg_double_slab(s, page,
2296 * Slow path. The lockless freelist is empty or we need to perform
2299 * Processing is still very fast if new objects have been freed to the
2300 * regular freelist. In that case we simply take over the regular freelist
2301 * as the lockless freelist and zap the regular freelist.
2303 * If that is not working then we fall back to the partial lists. We take the
2304 * first element of the freelist as the object to allocate now and move the
2305 * rest of the freelist to the lockless freelist.
2307 * And if we were unable to get a new slab from the partial slab lists then
2308 * we need to allocate a new slab. This is the slowest path since it involves
2309 * a call to the page allocator and the setup of a new slab.
2311 * Version of __slab_alloc to use when we know that interrupts are
2312 * already disabled (which is the case for bulk allocation).
2314 static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
2315 unsigned long addr, struct kmem_cache_cpu *c)
2325 if (unlikely(!node_match(page, node))) {
2326 int searchnode = node;
2328 if (node != NUMA_NO_NODE && !node_present_pages(node))
2329 searchnode = node_to_mem_node(node);
2331 if (unlikely(!node_match(page, searchnode))) {
2332 stat(s, ALLOC_NODE_MISMATCH);
2333 deactivate_slab(s, page, c->freelist);
2341 * By rights, we should be searching for a slab page that was
2342 * PFMEMALLOC but right now, we are losing the pfmemalloc
2343 * information when the page leaves the per-cpu allocator
2345 if (unlikely(!pfmemalloc_match(page, gfpflags))) {
2346 deactivate_slab(s, page, c->freelist);
2352 /* must check again c->freelist in case of cpu migration or IRQ */
2353 freelist = c->freelist;
2357 freelist = get_freelist(s, page);
2361 stat(s, DEACTIVATE_BYPASS);
2365 stat(s, ALLOC_REFILL);
2369 * freelist is pointing to the list of objects to be used.
2370 * page is pointing to the page from which the objects are obtained.
2371 * That page must be frozen for per cpu allocations to work.
2373 VM_BUG_ON(!c->page->frozen);
2374 c->freelist = get_freepointer(s, freelist);
2375 c->tid = next_tid(c->tid);
2381 page = c->page = c->partial;
2382 c->partial = page->next;
2383 stat(s, CPU_PARTIAL_ALLOC);
2388 freelist = new_slab_objects(s, gfpflags, node, &c);
2390 if (unlikely(!freelist)) {
2391 slab_out_of_memory(s, gfpflags, node);
2396 if (likely(!kmem_cache_debug(s) && pfmemalloc_match(page, gfpflags)))
2399 /* Only entered in the debug case */
2400 if (kmem_cache_debug(s) &&
2401 !alloc_debug_processing(s, page, freelist, addr))
2402 goto new_slab; /* Slab failed checks. Next slab needed */
2404 deactivate_slab(s, page, get_freepointer(s, freelist));
2411 * Another one that disabled interrupt and compensates for possible
2412 * cpu changes by refetching the per cpu area pointer.
2414 static void *__slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
2415 unsigned long addr, struct kmem_cache_cpu *c)
2418 unsigned long flags;
2420 local_irq_save(flags);
2421 #ifdef CONFIG_PREEMPT
2423 * We may have been preempted and rescheduled on a different
2424 * cpu before disabling interrupts. Need to reload cpu area
2427 c = this_cpu_ptr(s->cpu_slab);
2430 p = ___slab_alloc(s, gfpflags, node, addr, c);
2431 local_irq_restore(flags);
2436 * Inlined fastpath so that allocation functions (kmalloc, kmem_cache_alloc)
2437 * have the fastpath folded into their functions. So no function call
2438 * overhead for requests that can be satisfied on the fastpath.
2440 * The fastpath works by first checking if the lockless freelist can be used.
2441 * If not then __slab_alloc is called for slow processing.
2443 * Otherwise we can simply pick the next object from the lockless free list.
2445 static __always_inline void *slab_alloc_node(struct kmem_cache *s,
2446 gfp_t gfpflags, int node, unsigned long addr)
2449 struct kmem_cache_cpu *c;
2453 s = slab_pre_alloc_hook(s, gfpflags);
2458 * Must read kmem_cache cpu data via this cpu ptr. Preemption is
2459 * enabled. We may switch back and forth between cpus while
2460 * reading from one cpu area. That does not matter as long
2461 * as we end up on the original cpu again when doing the cmpxchg.
2463 * We should guarantee that tid and kmem_cache are retrieved on
2464 * the same cpu. It could be different if CONFIG_PREEMPT so we need
2465 * to check if it is matched or not.
2468 tid = this_cpu_read(s->cpu_slab->tid);
2469 c = raw_cpu_ptr(s->cpu_slab);
2470 } while (IS_ENABLED(CONFIG_PREEMPT) &&
2471 unlikely(tid != READ_ONCE(c->tid)));
2474 * Irqless object alloc/free algorithm used here depends on sequence
2475 * of fetching cpu_slab's data. tid should be fetched before anything
2476 * on c to guarantee that object and page associated with previous tid
2477 * won't be used with current tid. If we fetch tid first, object and
2478 * page could be one associated with next tid and our alloc/free
2479 * request will be failed. In this case, we will retry. So, no problem.
2484 * The transaction ids are globally unique per cpu and per operation on
2485 * a per cpu queue. Thus they can be guarantee that the cmpxchg_double
2486 * occurs on the right processor and that there was no operation on the
2487 * linked list in between.
2490 object = c->freelist;
2492 if (unlikely(!object || !node_match(page, node))) {
2493 object = __slab_alloc(s, gfpflags, node, addr, c);
2494 stat(s, ALLOC_SLOWPATH);
2496 void *next_object = get_freepointer_safe(s, object);
2499 * The cmpxchg will only match if there was no additional
2500 * operation and if we are on the right processor.
2502 * The cmpxchg does the following atomically (without lock
2504 * 1. Relocate first pointer to the current per cpu area.
2505 * 2. Verify that tid and freelist have not been changed
2506 * 3. If they were not changed replace tid and freelist
2508 * Since this is without lock semantics the protection is only
2509 * against code executing on this cpu *not* from access by
2512 if (unlikely(!this_cpu_cmpxchg_double(
2513 s->cpu_slab->freelist, s->cpu_slab->tid,
2515 next_object, next_tid(tid)))) {
2517 note_cmpxchg_failure("slab_alloc", s, tid);
2520 prefetch_freepointer(s, next_object);
2521 stat(s, ALLOC_FASTPATH);
2524 if (unlikely(gfpflags & __GFP_ZERO) && object)
2525 memset(object, 0, s->object_size);
2527 slab_post_alloc_hook(s, gfpflags, 1, &object);
2532 static __always_inline void *slab_alloc(struct kmem_cache *s,
2533 gfp_t gfpflags, unsigned long addr)
2535 return slab_alloc_node(s, gfpflags, NUMA_NO_NODE, addr);
2538 void *kmem_cache_alloc(struct kmem_cache *s, gfp_t gfpflags)
2540 void *ret = slab_alloc(s, gfpflags, _RET_IP_);
2542 trace_kmem_cache_alloc(_RET_IP_, ret, s->object_size,
2547 EXPORT_SYMBOL(kmem_cache_alloc);
2549 #ifdef CONFIG_TRACING
2550 void *kmem_cache_alloc_trace(struct kmem_cache *s, gfp_t gfpflags, size_t size)
2552 void *ret = slab_alloc(s, gfpflags, _RET_IP_);
2553 trace_kmalloc(_RET_IP_, ret, size, s->size, gfpflags);
2554 kasan_kmalloc(s, ret, size);
2557 EXPORT_SYMBOL(kmem_cache_alloc_trace);
2561 void *kmem_cache_alloc_node(struct kmem_cache *s, gfp_t gfpflags, int node)
2563 void *ret = slab_alloc_node(s, gfpflags, node, _RET_IP_);
2565 trace_kmem_cache_alloc_node(_RET_IP_, ret,
2566 s->object_size, s->size, gfpflags, node);
2570 EXPORT_SYMBOL(kmem_cache_alloc_node);
2572 #ifdef CONFIG_TRACING
2573 void *kmem_cache_alloc_node_trace(struct kmem_cache *s,
2575 int node, size_t size)
2577 void *ret = slab_alloc_node(s, gfpflags, node, _RET_IP_);
2579 trace_kmalloc_node(_RET_IP_, ret,
2580 size, s->size, gfpflags, node);
2582 kasan_kmalloc(s, ret, size);
2585 EXPORT_SYMBOL(kmem_cache_alloc_node_trace);
2590 * Slow path handling. This may still be called frequently since objects
2591 * have a longer lifetime than the cpu slabs in most processing loads.
2593 * So we still attempt to reduce cache line usage. Just take the slab
2594 * lock and free the item. If there is no additional partial page
2595 * handling required then we can return immediately.
2597 static void __slab_free(struct kmem_cache *s, struct page *page,
2598 void *head, void *tail, int cnt,
2605 unsigned long counters;
2606 struct kmem_cache_node *n = NULL;
2607 unsigned long uninitialized_var(flags);
2609 stat(s, FREE_SLOWPATH);
2611 if (kmem_cache_debug(s) &&
2612 !free_debug_processing(s, page, head, tail, cnt, addr))
2617 spin_unlock_irqrestore(&n->list_lock, flags);
2620 prior = page->freelist;
2621 counters = page->counters;
2622 set_freepointer(s, tail, prior);
2623 new.counters = counters;
2624 was_frozen = new.frozen;
2626 if ((!new.inuse || !prior) && !was_frozen) {
2628 if (kmem_cache_has_cpu_partial(s) && !prior) {
2631 * Slab was on no list before and will be
2633 * We can defer the list move and instead
2638 } else { /* Needs to be taken off a list */
2640 n = get_node(s, page_to_nid(page));
2642 * Speculatively acquire the list_lock.
2643 * If the cmpxchg does not succeed then we may
2644 * drop the list_lock without any processing.
2646 * Otherwise the list_lock will synchronize with
2647 * other processors updating the list of slabs.
2649 spin_lock_irqsave(&n->list_lock, flags);
2654 } while (!cmpxchg_double_slab(s, page,
2662 * If we just froze the page then put it onto the
2663 * per cpu partial list.
2665 if (new.frozen && !was_frozen) {
2666 put_cpu_partial(s, page, 1);
2667 stat(s, CPU_PARTIAL_FREE);
2670 * The list lock was not taken therefore no list
2671 * activity can be necessary.
2674 stat(s, FREE_FROZEN);
2678 if (unlikely(!new.inuse && n->nr_partial >= s->min_partial))
2682 * Objects left in the slab. If it was not on the partial list before
2685 if (!kmem_cache_has_cpu_partial(s) && unlikely(!prior)) {
2686 if (kmem_cache_debug(s))
2687 remove_full(s, n, page);
2688 add_partial(n, page, DEACTIVATE_TO_TAIL);
2689 stat(s, FREE_ADD_PARTIAL);
2691 spin_unlock_irqrestore(&n->list_lock, flags);
2697 * Slab on the partial list.
2699 remove_partial(n, page);
2700 stat(s, FREE_REMOVE_PARTIAL);
2702 /* Slab must be on the full list */
2703 remove_full(s, n, page);
2706 spin_unlock_irqrestore(&n->list_lock, flags);
2708 discard_slab(s, page);
2712 * Fastpath with forced inlining to produce a kfree and kmem_cache_free that
2713 * can perform fastpath freeing without additional function calls.
2715 * The fastpath is only possible if we are freeing to the current cpu slab
2716 * of this processor. This typically the case if we have just allocated
2719 * If fastpath is not possible then fall back to __slab_free where we deal
2720 * with all sorts of special processing.
2722 * Bulk free of a freelist with several objects (all pointing to the
2723 * same page) possible by specifying head and tail ptr, plus objects
2724 * count (cnt). Bulk free indicated by tail pointer being set.
2726 static __always_inline void slab_free(struct kmem_cache *s, struct page *page,
2727 void *head, void *tail, int cnt,
2730 void *tail_obj = tail ? : head;
2731 struct kmem_cache_cpu *c;
2734 slab_free_freelist_hook(s, head, tail);
2738 * Determine the currently cpus per cpu slab.
2739 * The cpu may change afterward. However that does not matter since
2740 * data is retrieved via this pointer. If we are on the same cpu
2741 * during the cmpxchg then the free will succeed.
2744 tid = this_cpu_read(s->cpu_slab->tid);
2745 c = raw_cpu_ptr(s->cpu_slab);
2746 } while (IS_ENABLED(CONFIG_PREEMPT) &&
2747 unlikely(tid != READ_ONCE(c->tid)));
2749 /* Same with comment on barrier() in slab_alloc_node() */
2752 if (likely(page == c->page)) {
2753 set_freepointer(s, tail_obj, c->freelist);
2755 if (unlikely(!this_cpu_cmpxchg_double(
2756 s->cpu_slab->freelist, s->cpu_slab->tid,
2758 head, next_tid(tid)))) {
2760 note_cmpxchg_failure("slab_free", s, tid);
2763 stat(s, FREE_FASTPATH);
2765 __slab_free(s, page, head, tail_obj, cnt, addr);
2769 void kmem_cache_free(struct kmem_cache *s, void *x)
2771 s = cache_from_obj(s, x);
2774 slab_free(s, virt_to_head_page(x), x, NULL, 1, _RET_IP_);
2775 trace_kmem_cache_free(_RET_IP_, x);
2777 EXPORT_SYMBOL(kmem_cache_free);
2779 struct detached_freelist {
2784 struct kmem_cache *s;
2788 * This function progressively scans the array with free objects (with
2789 * a limited look ahead) and extract objects belonging to the same
2790 * page. It builds a detached freelist directly within the given
2791 * page/objects. This can happen without any need for
2792 * synchronization, because the objects are owned by running process.
2793 * The freelist is build up as a single linked list in the objects.
2794 * The idea is, that this detached freelist can then be bulk
2795 * transferred to the real freelist(s), but only requiring a single
2796 * synchronization primitive. Look ahead in the array is limited due
2797 * to performance reasons.
2800 int build_detached_freelist(struct kmem_cache *s, size_t size,
2801 void **p, struct detached_freelist *df)
2803 size_t first_skipped_index = 0;
2808 /* Always re-init detached_freelist */
2813 /* Do we need !ZERO_OR_NULL_PTR(object) here? (for kfree) */
2814 } while (!object && size);
2819 page = virt_to_head_page(object);
2821 /* Handle kalloc'ed objects */
2822 if (unlikely(!PageSlab(page))) {
2823 BUG_ON(!PageCompound(page));
2825 __free_kmem_pages(page, compound_order(page));
2826 p[size] = NULL; /* mark object processed */
2829 /* Derive kmem_cache from object */
2830 df->s = page->slab_cache;
2832 df->s = cache_from_obj(s, object); /* Support for memcg */
2835 /* Start new detached freelist */
2837 set_freepointer(df->s, object, NULL);
2839 df->freelist = object;
2840 p[size] = NULL; /* mark object processed */
2846 continue; /* Skip processed objects */
2848 /* df->page is always set at this point */
2849 if (df->page == virt_to_head_page(object)) {
2850 /* Opportunity build freelist */
2851 set_freepointer(df->s, object, df->freelist);
2852 df->freelist = object;
2854 p[size] = NULL; /* mark object processed */
2859 /* Limit look ahead search */
2863 if (!first_skipped_index)
2864 first_skipped_index = size + 1;
2867 return first_skipped_index;
2870 /* Note that interrupts must be enabled when calling this function. */
2871 void kmem_cache_free_bulk(struct kmem_cache *s, size_t size, void **p)
2877 struct detached_freelist df;
2879 size = build_detached_freelist(s, size, p, &df);
2880 if (unlikely(!df.page))
2883 slab_free(df.s, df.page, df.freelist, df.tail, df.cnt,_RET_IP_);
2884 } while (likely(size));
2886 EXPORT_SYMBOL(kmem_cache_free_bulk);
2888 /* Note that interrupts must be enabled when calling this function. */
2889 int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
2892 struct kmem_cache_cpu *c;
2895 /* memcg and kmem_cache debug support */
2896 s = slab_pre_alloc_hook(s, flags);
2900 * Drain objects in the per cpu slab, while disabling local
2901 * IRQs, which protects against PREEMPT and interrupts
2902 * handlers invoking normal fastpath.
2904 local_irq_disable();
2905 c = this_cpu_ptr(s->cpu_slab);
2907 for (i = 0; i < size; i++) {
2908 void *object = c->freelist;
2910 if (unlikely(!object)) {
2912 * Invoking slow path likely have side-effect
2913 * of re-populating per CPU c->freelist
2915 p[i] = ___slab_alloc(s, flags, NUMA_NO_NODE,
2917 if (unlikely(!p[i]))
2920 c = this_cpu_ptr(s->cpu_slab);
2921 continue; /* goto for-loop */
2923 c->freelist = get_freepointer(s, object);
2926 c->tid = next_tid(c->tid);
2929 /* Clear memory outside IRQ disabled fastpath loop */
2930 if (unlikely(flags & __GFP_ZERO)) {
2933 for (j = 0; j < i; j++)
2934 memset(p[j], 0, s->object_size);
2937 /* memcg and kmem_cache debug support */
2938 slab_post_alloc_hook(s, flags, size, p);
2942 slab_post_alloc_hook(s, flags, i, p);
2943 __kmem_cache_free_bulk(s, i, p);
2946 EXPORT_SYMBOL(kmem_cache_alloc_bulk);
2950 * Object placement in a slab is made very easy because we always start at
2951 * offset 0. If we tune the size of the object to the alignment then we can
2952 * get the required alignment by putting one properly sized object after
2955 * Notice that the allocation order determines the sizes of the per cpu
2956 * caches. Each processor has always one slab available for allocations.
2957 * Increasing the allocation order reduces the number of times that slabs
2958 * must be moved on and off the partial lists and is therefore a factor in
2963 * Mininum / Maximum order of slab pages. This influences locking overhead
2964 * and slab fragmentation. A higher order reduces the number of partial slabs
2965 * and increases the number of allocations possible without having to
2966 * take the list_lock.
2968 static int slub_min_order;
2969 static int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
2970 static int slub_min_objects;
2973 * Calculate the order of allocation given an slab object size.
2975 * The order of allocation has significant impact on performance and other
2976 * system components. Generally order 0 allocations should be preferred since
2977 * order 0 does not cause fragmentation in the page allocator. Larger objects
2978 * be problematic to put into order 0 slabs because there may be too much
2979 * unused space left. We go to a higher order if more than 1/16th of the slab
2982 * In order to reach satisfactory performance we must ensure that a minimum
2983 * number of objects is in one slab. Otherwise we may generate too much
2984 * activity on the partial lists which requires taking the list_lock. This is
2985 * less a concern for large slabs though which are rarely used.
2987 * slub_max_order specifies the order where we begin to stop considering the
2988 * number of objects in a slab as critical. If we reach slub_max_order then
2989 * we try to keep the page order as low as possible. So we accept more waste
2990 * of space in favor of a small page order.
2992 * Higher order allocations also allow the placement of more objects in a
2993 * slab and thereby reduce object handling overhead. If the user has
2994 * requested a higher mininum order then we start with that one instead of
2995 * the smallest order which will fit the object.
2997 static inline int slab_order(int size, int min_objects,
2998 int max_order, int fract_leftover, int reserved)
3002 int min_order = slub_min_order;
3004 if (order_objects(min_order, size, reserved) > MAX_OBJS_PER_PAGE)
3005 return get_order(size * MAX_OBJS_PER_PAGE) - 1;
3007 for (order = max(min_order, get_order(min_objects * size + reserved));
3008 order <= max_order; order++) {
3010 unsigned long slab_size = PAGE_SIZE << order;
3012 rem = (slab_size - reserved) % size;
3014 if (rem <= slab_size / fract_leftover)
3021 static inline int calculate_order(int size, int reserved)
3029 * Attempt to find best configuration for a slab. This
3030 * works by first attempting to generate a layout with
3031 * the best configuration and backing off gradually.
3033 * First we increase the acceptable waste in a slab. Then
3034 * we reduce the minimum objects required in a slab.
3036 min_objects = slub_min_objects;
3038 min_objects = 4 * (fls(nr_cpu_ids) + 1);
3039 max_objects = order_objects(slub_max_order, size, reserved);
3040 min_objects = min(min_objects, max_objects);
3042 while (min_objects > 1) {
3044 while (fraction >= 4) {
3045 order = slab_order(size, min_objects,
3046 slub_max_order, fraction, reserved);
3047 if (order <= slub_max_order)
3055 * We were unable to place multiple objects in a slab. Now
3056 * lets see if we can place a single object there.
3058 order = slab_order(size, 1, slub_max_order, 1, reserved);
3059 if (order <= slub_max_order)
3063 * Doh this slab cannot be placed using slub_max_order.
3065 order = slab_order(size, 1, MAX_ORDER, 1, reserved);
3066 if (order < MAX_ORDER)
3072 init_kmem_cache_node(struct kmem_cache_node *n)
3075 spin_lock_init(&n->list_lock);
3076 INIT_LIST_HEAD(&n->partial);
3077 #ifdef CONFIG_SLUB_DEBUG
3078 atomic_long_set(&n->nr_slabs, 0);
3079 atomic_long_set(&n->total_objects, 0);
3080 INIT_LIST_HEAD(&n->full);
3084 static inline int alloc_kmem_cache_cpus(struct kmem_cache *s)
3086 BUILD_BUG_ON(PERCPU_DYNAMIC_EARLY_SIZE <
3087 KMALLOC_SHIFT_HIGH * sizeof(struct kmem_cache_cpu));
3090 * Must align to double word boundary for the double cmpxchg
3091 * instructions to work; see __pcpu_double_call_return_bool().
3093 s->cpu_slab = __alloc_percpu(sizeof(struct kmem_cache_cpu),
3094 2 * sizeof(void *));
3099 init_kmem_cache_cpus(s);
3104 static struct kmem_cache *kmem_cache_node;
3107 * No kmalloc_node yet so do it by hand. We know that this is the first
3108 * slab on the node for this slabcache. There are no concurrent accesses
3111 * Note that this function only works on the kmem_cache_node
3112 * when allocating for the kmem_cache_node. This is used for bootstrapping
3113 * memory on a fresh node that has no slab structures yet.
3115 static void early_kmem_cache_node_alloc(int node)
3118 struct kmem_cache_node *n;
3120 BUG_ON(kmem_cache_node->size < sizeof(struct kmem_cache_node));
3122 page = new_slab(kmem_cache_node, GFP_NOWAIT, node);
3125 if (page_to_nid(page) != node) {
3126 pr_err("SLUB: Unable to allocate memory from node %d\n", node);
3127 pr_err("SLUB: Allocating a useless per node structure in order to be able to continue\n");
3132 page->freelist = get_freepointer(kmem_cache_node, n);
3135 kmem_cache_node->node[node] = n;
3136 #ifdef CONFIG_SLUB_DEBUG
3137 init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
3138 init_tracking(kmem_cache_node, n);
3140 kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node));
3141 init_kmem_cache_node(n);
3142 inc_slabs_node(kmem_cache_node, node, page->objects);
3145 * No locks need to be taken here as it has just been
3146 * initialized and there is no concurrent access.
3148 __add_partial(n, page, DEACTIVATE_TO_HEAD);
3151 static void free_kmem_cache_nodes(struct kmem_cache *s)
3154 struct kmem_cache_node *n;
3156 for_each_kmem_cache_node(s, node, n) {
3157 kmem_cache_free(kmem_cache_node, n);
3158 s->node[node] = NULL;
3162 void __kmem_cache_release(struct kmem_cache *s)
3164 free_percpu(s->cpu_slab);
3165 free_kmem_cache_nodes(s);
3168 static int init_kmem_cache_nodes(struct kmem_cache *s)
3172 for_each_node_state(node, N_NORMAL_MEMORY) {
3173 struct kmem_cache_node *n;
3175 if (slab_state == DOWN) {
3176 early_kmem_cache_node_alloc(node);
3179 n = kmem_cache_alloc_node(kmem_cache_node,
3183 free_kmem_cache_nodes(s);
3188 init_kmem_cache_node(n);
3193 static void set_min_partial(struct kmem_cache *s, unsigned long min)
3195 if (min < MIN_PARTIAL)
3197 else if (min > MAX_PARTIAL)
3199 s->min_partial = min;
3203 * calculate_sizes() determines the order and the distribution of data within
3206 static int calculate_sizes(struct kmem_cache *s, int forced_order)
3208 unsigned long flags = s->flags;
3209 unsigned long size = s->object_size;
3213 * Round up object size to the next word boundary. We can only
3214 * place the free pointer at word boundaries and this determines
3215 * the possible location of the free pointer.
3217 size = ALIGN(size, sizeof(void *));
3219 #ifdef CONFIG_SLUB_DEBUG
3221 * Determine if we can poison the object itself. If the user of
3222 * the slab may touch the object after free or before allocation
3223 * then we should never poison the object itself.
3225 if ((flags & SLAB_POISON) && !(flags & SLAB_DESTROY_BY_RCU) &&
3227 s->flags |= __OBJECT_POISON;
3229 s->flags &= ~__OBJECT_POISON;
3233 * If we are Redzoning then check if there is some space between the
3234 * end of the object and the free pointer. If not then add an
3235 * additional word to have some bytes to store Redzone information.
3237 if ((flags & SLAB_RED_ZONE) && size == s->object_size)
3238 size += sizeof(void *);
3242 * With that we have determined the number of bytes in actual use
3243 * by the object. This is the potential offset to the free pointer.
3247 if (((flags & (SLAB_DESTROY_BY_RCU | SLAB_POISON)) ||
3250 * Relocate free pointer after the object if it is not
3251 * permitted to overwrite the first word of the object on
3254 * This is the case if we do RCU, have a constructor or
3255 * destructor or are poisoning the objects.
3258 size += sizeof(void *);
3261 #ifdef CONFIG_SLUB_DEBUG
3262 if (flags & SLAB_STORE_USER)
3264 * Need to store information about allocs and frees after
3267 size += 2 * sizeof(struct track);
3269 if (flags & SLAB_RED_ZONE)
3271 * Add some empty padding so that we can catch
3272 * overwrites from earlier objects rather than let
3273 * tracking information or the free pointer be
3274 * corrupted if a user writes before the start
3277 size += sizeof(void *);
3281 * SLUB stores one object immediately after another beginning from
3282 * offset 0. In order to align the objects we have to simply size
3283 * each object to conform to the alignment.
3285 size = ALIGN(size, s->align);
3287 if (forced_order >= 0)
3288 order = forced_order;
3290 order = calculate_order(size, s->reserved);
3297 s->allocflags |= __GFP_COMP;
3299 if (s->flags & SLAB_CACHE_DMA)
3300 s->allocflags |= GFP_DMA;
3302 if (s->flags & SLAB_RECLAIM_ACCOUNT)
3303 s->allocflags |= __GFP_RECLAIMABLE;
3306 * Determine the number of objects per slab
3308 s->oo = oo_make(order, size, s->reserved);
3309 s->min = oo_make(get_order(size), size, s->reserved);
3310 if (oo_objects(s->oo) > oo_objects(s->max))
3313 return !!oo_objects(s->oo);
3316 static int kmem_cache_open(struct kmem_cache *s, unsigned long flags)
3318 s->flags = kmem_cache_flags(s->size, flags, s->name, s->ctor);
3321 if (need_reserve_slab_rcu && (s->flags & SLAB_DESTROY_BY_RCU))
3322 s->reserved = sizeof(struct rcu_head);
3324 if (!calculate_sizes(s, -1))
3326 if (disable_higher_order_debug) {
3328 * Disable debugging flags that store metadata if the min slab
3331 if (get_order(s->size) > get_order(s->object_size)) {
3332 s->flags &= ~DEBUG_METADATA_FLAGS;
3334 if (!calculate_sizes(s, -1))
3339 #if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
3340 defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
3341 if (system_has_cmpxchg_double() && (s->flags & SLAB_DEBUG_FLAGS) == 0)
3342 /* Enable fast mode */
3343 s->flags |= __CMPXCHG_DOUBLE;
3347 * The larger the object size is, the more pages we want on the partial
3348 * list to avoid pounding the page allocator excessively.
3350 set_min_partial(s, ilog2(s->size) / 2);
3353 * cpu_partial determined the maximum number of objects kept in the
3354 * per cpu partial lists of a processor.
3356 * Per cpu partial lists mainly contain slabs that just have one
3357 * object freed. If they are used for allocation then they can be
3358 * filled up again with minimal effort. The slab will never hit the
3359 * per node partial lists and therefore no locking will be required.
3361 * This setting also determines
3363 * A) The number of objects from per cpu partial slabs dumped to the
3364 * per node list when we reach the limit.
3365 * B) The number of objects in cpu partial slabs to extract from the
3366 * per node list when we run out of per cpu objects. We only fetch
3367 * 50% to keep some capacity around for frees.
3369 if (!kmem_cache_has_cpu_partial(s))
3371 else if (s->size >= PAGE_SIZE)
3373 else if (s->size >= 1024)
3375 else if (s->size >= 256)
3376 s->cpu_partial = 13;
3378 s->cpu_partial = 30;
3381 s->remote_node_defrag_ratio = 1000;
3383 if (!init_kmem_cache_nodes(s))
3386 if (alloc_kmem_cache_cpus(s))
3389 free_kmem_cache_nodes(s);
3391 if (flags & SLAB_PANIC)
3392 panic("Cannot create slab %s size=%lu realsize=%u "
3393 "order=%u offset=%u flags=%lx\n",
3394 s->name, (unsigned long)s->size, s->size,
3395 oo_order(s->oo), s->offset, flags);
3399 static void list_slab_objects(struct kmem_cache *s, struct page *page,
3402 #ifdef CONFIG_SLUB_DEBUG
3403 void *addr = page_address(page);
3405 unsigned long *map = kzalloc(BITS_TO_LONGS(page->objects) *
3406 sizeof(long), GFP_ATOMIC);
3409 slab_err(s, page, text, s->name);
3412 get_map(s, page, map);
3413 for_each_object(p, s, addr, page->objects) {
3415 if (!test_bit(slab_index(p, s, addr), map)) {
3416 pr_err("INFO: Object 0x%p @offset=%tu\n", p, p - addr);
3417 print_tracking(s, p);
3426 * Attempt to free all partial slabs on a node.
3427 * This is called from __kmem_cache_shutdown(). We must take list_lock
3428 * because sysfs file might still access partial list after the shutdowning.
3430 static void free_partial(struct kmem_cache *s, struct kmem_cache_node *n)
3432 struct page *page, *h;
3434 BUG_ON(irqs_disabled());
3435 spin_lock_irq(&n->list_lock);
3436 list_for_each_entry_safe(page, h, &n->partial, lru) {
3438 remove_partial(n, page);
3439 discard_slab(s, page);
3441 list_slab_objects(s, page,
3442 "Objects remaining in %s on __kmem_cache_shutdown()");
3445 spin_unlock_irq(&n->list_lock);
3449 * Release all resources used by a slab cache.
3451 int __kmem_cache_shutdown(struct kmem_cache *s)
3454 struct kmem_cache_node *n;
3457 /* Attempt to free all objects */
3458 for_each_kmem_cache_node(s, node, n) {
3460 if (n->nr_partial || slabs_node(s, node))
3466 /********************************************************************
3468 *******************************************************************/
3470 static int __init setup_slub_min_order(char *str)
3472 get_option(&str, &slub_min_order);
3477 __setup("slub_min_order=", setup_slub_min_order);
3479 static int __init setup_slub_max_order(char *str)
3481 get_option(&str, &slub_max_order);
3482 slub_max_order = min(slub_max_order, MAX_ORDER - 1);
3487 __setup("slub_max_order=", setup_slub_max_order);
3489 static int __init setup_slub_min_objects(char *str)
3491 get_option(&str, &slub_min_objects);
3496 __setup("slub_min_objects=", setup_slub_min_objects);
3498 void *__kmalloc(size_t size, gfp_t flags)
3500 struct kmem_cache *s;
3503 if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
3504 return kmalloc_large(size, flags);
3506 s = kmalloc_slab(size, flags);
3508 if (unlikely(ZERO_OR_NULL_PTR(s)))
3511 ret = slab_alloc(s, flags, _RET_IP_);
3513 trace_kmalloc(_RET_IP_, ret, size, s->size, flags);
3515 kasan_kmalloc(s, ret, size);
3519 EXPORT_SYMBOL(__kmalloc);
3522 static void *kmalloc_large_node(size_t size, gfp_t flags, int node)
3527 flags |= __GFP_COMP | __GFP_NOTRACK;
3528 page = alloc_kmem_pages_node(node, flags, get_order(size));
3530 ptr = page_address(page);
3532 kmalloc_large_node_hook(ptr, size, flags);
3536 void *__kmalloc_node(size_t size, gfp_t flags, int node)
3538 struct kmem_cache *s;
3541 if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) {
3542 ret = kmalloc_large_node(size, flags, node);
3544 trace_kmalloc_node(_RET_IP_, ret,
3545 size, PAGE_SIZE << get_order(size),
3551 s = kmalloc_slab(size, flags);
3553 if (unlikely(ZERO_OR_NULL_PTR(s)))
3556 ret = slab_alloc_node(s, flags, node, _RET_IP_);
3558 trace_kmalloc_node(_RET_IP_, ret, size, s->size, flags, node);
3560 kasan_kmalloc(s, ret, size);
3564 EXPORT_SYMBOL(__kmalloc_node);
3567 static size_t __ksize(const void *object)
3571 if (unlikely(object == ZERO_SIZE_PTR))
3574 page = virt_to_head_page(object);
3576 if (unlikely(!PageSlab(page))) {
3577 WARN_ON(!PageCompound(page));
3578 return PAGE_SIZE << compound_order(page);
3581 return slab_ksize(page->slab_cache);
3584 size_t ksize(const void *object)
3586 size_t size = __ksize(object);
3587 /* We assume that ksize callers could use whole allocated area,
3588 so we need unpoison this area. */
3589 kasan_krealloc(object, size);
3592 EXPORT_SYMBOL(ksize);
3594 void kfree(const void *x)
3597 void *object = (void *)x;
3599 trace_kfree(_RET_IP_, x);
3601 if (unlikely(ZERO_OR_NULL_PTR(x)))
3604 page = virt_to_head_page(x);
3605 if (unlikely(!PageSlab(page))) {
3606 BUG_ON(!PageCompound(page));
3608 __free_kmem_pages(page, compound_order(page));
3611 slab_free(page->slab_cache, page, object, NULL, 1, _RET_IP_);
3613 EXPORT_SYMBOL(kfree);
3615 #define SHRINK_PROMOTE_MAX 32
3618 * kmem_cache_shrink discards empty slabs and promotes the slabs filled
3619 * up most to the head of the partial lists. New allocations will then
3620 * fill those up and thus they can be removed from the partial lists.
3622 * The slabs with the least items are placed last. This results in them
3623 * being allocated from last increasing the chance that the last objects
3624 * are freed in them.
3626 int __kmem_cache_shrink(struct kmem_cache *s, bool deactivate)
3630 struct kmem_cache_node *n;
3633 struct list_head discard;
3634 struct list_head promote[SHRINK_PROMOTE_MAX];
3635 unsigned long flags;
3640 * Disable empty slabs caching. Used to avoid pinning offline
3641 * memory cgroups by kmem pages that can be freed.
3647 * s->cpu_partial is checked locklessly (see put_cpu_partial),
3648 * so we have to make sure the change is visible.
3650 kick_all_cpus_sync();
3654 for_each_kmem_cache_node(s, node, n) {
3655 INIT_LIST_HEAD(&discard);
3656 for (i = 0; i < SHRINK_PROMOTE_MAX; i++)
3657 INIT_LIST_HEAD(promote + i);
3659 spin_lock_irqsave(&n->list_lock, flags);
3662 * Build lists of slabs to discard or promote.
3664 * Note that concurrent frees may occur while we hold the
3665 * list_lock. page->inuse here is the upper limit.
3667 list_for_each_entry_safe(page, t, &n->partial, lru) {
3668 int free = page->objects - page->inuse;
3670 /* Do not reread page->inuse */
3673 /* We do not keep full slabs on the list */
3676 if (free == page->objects) {
3677 list_move(&page->lru, &discard);
3679 } else if (free <= SHRINK_PROMOTE_MAX)
3680 list_move(&page->lru, promote + free - 1);
3684 * Promote the slabs filled up most to the head of the
3687 for (i = SHRINK_PROMOTE_MAX - 1; i >= 0; i--)
3688 list_splice(promote + i, &n->partial);
3690 spin_unlock_irqrestore(&n->list_lock, flags);
3692 /* Release empty slabs */
3693 list_for_each_entry_safe(page, t, &discard, lru)
3694 discard_slab(s, page);
3696 if (slabs_node(s, node))
3703 static int slab_mem_going_offline_callback(void *arg)
3705 struct kmem_cache *s;
3707 mutex_lock(&slab_mutex);
3708 list_for_each_entry(s, &slab_caches, list)
3709 __kmem_cache_shrink(s, false);
3710 mutex_unlock(&slab_mutex);
3715 static void slab_mem_offline_callback(void *arg)
3717 struct kmem_cache_node *n;
3718 struct kmem_cache *s;
3719 struct memory_notify *marg = arg;
3722 offline_node = marg->status_change_nid_normal;
3725 * If the node still has available memory. we need kmem_cache_node
3728 if (offline_node < 0)
3731 mutex_lock(&slab_mutex);
3732 list_for_each_entry(s, &slab_caches, list) {
3733 n = get_node(s, offline_node);
3736 * if n->nr_slabs > 0, slabs still exist on the node
3737 * that is going down. We were unable to free them,
3738 * and offline_pages() function shouldn't call this
3739 * callback. So, we must fail.
3741 BUG_ON(slabs_node(s, offline_node));
3743 s->node[offline_node] = NULL;
3744 kmem_cache_free(kmem_cache_node, n);
3747 mutex_unlock(&slab_mutex);
3750 static int slab_mem_going_online_callback(void *arg)
3752 struct kmem_cache_node *n;
3753 struct kmem_cache *s;
3754 struct memory_notify *marg = arg;
3755 int nid = marg->status_change_nid_normal;
3759 * If the node's memory is already available, then kmem_cache_node is
3760 * already created. Nothing to do.
3766 * We are bringing a node online. No memory is available yet. We must
3767 * allocate a kmem_cache_node structure in order to bring the node
3770 mutex_lock(&slab_mutex);
3771 list_for_each_entry(s, &slab_caches, list) {
3773 * XXX: kmem_cache_alloc_node will fallback to other nodes
3774 * since memory is not yet available from the node that
3777 n = kmem_cache_alloc(kmem_cache_node, GFP_KERNEL);
3782 init_kmem_cache_node(n);
3786 mutex_unlock(&slab_mutex);
3790 static int slab_memory_callback(struct notifier_block *self,
3791 unsigned long action, void *arg)
3796 case MEM_GOING_ONLINE:
3797 ret = slab_mem_going_online_callback(arg);
3799 case MEM_GOING_OFFLINE:
3800 ret = slab_mem_going_offline_callback(arg);
3803 case MEM_CANCEL_ONLINE:
3804 slab_mem_offline_callback(arg);
3807 case MEM_CANCEL_OFFLINE:
3811 ret = notifier_from_errno(ret);
3817 static struct notifier_block slab_memory_callback_nb = {
3818 .notifier_call = slab_memory_callback,
3819 .priority = SLAB_CALLBACK_PRI,
3822 /********************************************************************
3823 * Basic setup of slabs
3824 *******************************************************************/
3827 * Used for early kmem_cache structures that were allocated using
3828 * the page allocator. Allocate them properly then fix up the pointers
3829 * that may be pointing to the wrong kmem_cache structure.
3832 static struct kmem_cache * __init bootstrap(struct kmem_cache *static_cache)
3835 struct kmem_cache *s = kmem_cache_zalloc(kmem_cache, GFP_NOWAIT);
3836 struct kmem_cache_node *n;
3838 memcpy(s, static_cache, kmem_cache->object_size);
3841 * This runs very early, and only the boot processor is supposed to be
3842 * up. Even if it weren't true, IRQs are not up so we couldn't fire
3845 __flush_cpu_slab(s, smp_processor_id());
3846 for_each_kmem_cache_node(s, node, n) {
3849 list_for_each_entry(p, &n->partial, lru)
3852 #ifdef CONFIG_SLUB_DEBUG
3853 list_for_each_entry(p, &n->full, lru)
3857 slab_init_memcg_params(s);
3858 list_add(&s->list, &slab_caches);
3862 void __init kmem_cache_init(void)
3864 static __initdata struct kmem_cache boot_kmem_cache,
3865 boot_kmem_cache_node;
3867 if (debug_guardpage_minorder())
3870 kmem_cache_node = &boot_kmem_cache_node;
3871 kmem_cache = &boot_kmem_cache;
3873 create_boot_cache(kmem_cache_node, "kmem_cache_node",
3874 sizeof(struct kmem_cache_node), SLAB_HWCACHE_ALIGN);
3876 register_hotmemory_notifier(&slab_memory_callback_nb);
3878 /* Able to allocate the per node structures */
3879 slab_state = PARTIAL;
3881 create_boot_cache(kmem_cache, "kmem_cache",
3882 offsetof(struct kmem_cache, node) +
3883 nr_node_ids * sizeof(struct kmem_cache_node *),
3884 SLAB_HWCACHE_ALIGN);
3886 kmem_cache = bootstrap(&boot_kmem_cache);
3889 * Allocate kmem_cache_node properly from the kmem_cache slab.
3890 * kmem_cache_node is separately allocated so no need to
3891 * update any list pointers.
3893 kmem_cache_node = bootstrap(&boot_kmem_cache_node);
3895 /* Now we can use the kmem_cache to allocate kmalloc slabs */
3896 setup_kmalloc_cache_index_table();
3897 create_kmalloc_caches(0);
3900 register_cpu_notifier(&slab_notifier);
3903 pr_info("SLUB: HWalign=%d, Order=%d-%d, MinObjects=%d, CPUs=%d, Nodes=%d\n",
3905 slub_min_order, slub_max_order, slub_min_objects,
3906 nr_cpu_ids, nr_node_ids);
3909 void __init kmem_cache_init_late(void)
3914 __kmem_cache_alias(const char *name, size_t size, size_t align,
3915 unsigned long flags, void (*ctor)(void *))
3917 struct kmem_cache *s, *c;
3919 s = find_mergeable(size, align, flags, name, ctor);
3924 * Adjust the object sizes so that we clear
3925 * the complete object on kzalloc.
3927 s->object_size = max(s->object_size, (int)size);
3928 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
3930 for_each_memcg_cache(c, s) {
3931 c->object_size = s->object_size;
3932 c->inuse = max_t(int, c->inuse,
3933 ALIGN(size, sizeof(void *)));
3936 if (sysfs_slab_alias(s, name)) {
3945 int __kmem_cache_create(struct kmem_cache *s, unsigned long flags)
3949 err = kmem_cache_open(s, flags);
3953 /* Mutex is not taken during early boot */
3954 if (slab_state <= UP)
3957 memcg_propagate_slab_attrs(s);
3958 err = sysfs_slab_add(s);
3960 __kmem_cache_release(s);
3967 * Use the cpu notifier to insure that the cpu slabs are flushed when
3970 static int slab_cpuup_callback(struct notifier_block *nfb,
3971 unsigned long action, void *hcpu)
3973 long cpu = (long)hcpu;
3974 struct kmem_cache *s;
3975 unsigned long flags;
3978 case CPU_UP_CANCELED:
3979 case CPU_UP_CANCELED_FROZEN:
3981 case CPU_DEAD_FROZEN:
3982 mutex_lock(&slab_mutex);
3983 list_for_each_entry(s, &slab_caches, list) {
3984 local_irq_save(flags);
3985 __flush_cpu_slab(s, cpu);
3986 local_irq_restore(flags);
3988 mutex_unlock(&slab_mutex);
3996 static struct notifier_block slab_notifier = {
3997 .notifier_call = slab_cpuup_callback
4002 void *__kmalloc_track_caller(size_t size, gfp_t gfpflags, unsigned long caller)
4004 struct kmem_cache *s;
4007 if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
4008 return kmalloc_large(size, gfpflags);
4010 s = kmalloc_slab(size, gfpflags);
4012 if (unlikely(ZERO_OR_NULL_PTR(s)))
4015 ret = slab_alloc(s, gfpflags, caller);
4017 /* Honor the call site pointer we received. */
4018 trace_kmalloc(caller, ret, size, s->size, gfpflags);
4024 void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags,
4025 int node, unsigned long caller)
4027 struct kmem_cache *s;
4030 if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) {
4031 ret = kmalloc_large_node(size, gfpflags, node);
4033 trace_kmalloc_node(caller, ret,
4034 size, PAGE_SIZE << get_order(size),
4040 s = kmalloc_slab(size, gfpflags);
4042 if (unlikely(ZERO_OR_NULL_PTR(s)))
4045 ret = slab_alloc_node(s, gfpflags, node, caller);
4047 /* Honor the call site pointer we received. */
4048 trace_kmalloc_node(caller, ret, size, s->size, gfpflags, node);
4055 static int count_inuse(struct page *page)
4060 static int count_total(struct page *page)
4062 return page->objects;
4066 #ifdef CONFIG_SLUB_DEBUG
4067 static int validate_slab(struct kmem_cache *s, struct page *page,
4071 void *addr = page_address(page);
4073 if (!check_slab(s, page) ||
4074 !on_freelist(s, page, NULL))
4077 /* Now we know that a valid freelist exists */
4078 bitmap_zero(map, page->objects);
4080 get_map(s, page, map);
4081 for_each_object(p, s, addr, page->objects) {
4082 if (test_bit(slab_index(p, s, addr), map))
4083 if (!check_object(s, page, p, SLUB_RED_INACTIVE))
4087 for_each_object(p, s, addr, page->objects)
4088 if (!test_bit(slab_index(p, s, addr), map))
4089 if (!check_object(s, page, p, SLUB_RED_ACTIVE))
4094 static void validate_slab_slab(struct kmem_cache *s, struct page *page,
4098 validate_slab(s, page, map);
4102 static int validate_slab_node(struct kmem_cache *s,
4103 struct kmem_cache_node *n, unsigned long *map)
4105 unsigned long count = 0;
4107 unsigned long flags;
4109 spin_lock_irqsave(&n->list_lock, flags);
4111 list_for_each_entry(page, &n->partial, lru) {
4112 validate_slab_slab(s, page, map);
4115 if (count != n->nr_partial)
4116 pr_err("SLUB %s: %ld partial slabs counted but counter=%ld\n",
4117 s->name, count, n->nr_partial);
4119 if (!(s->flags & SLAB_STORE_USER))
4122 list_for_each_entry(page, &n->full, lru) {
4123 validate_slab_slab(s, page, map);
4126 if (count != atomic_long_read(&n->nr_slabs))
4127 pr_err("SLUB: %s %ld slabs counted but counter=%ld\n",
4128 s->name, count, atomic_long_read(&n->nr_slabs));
4131 spin_unlock_irqrestore(&n->list_lock, flags);
4135 static long validate_slab_cache(struct kmem_cache *s)
4138 unsigned long count = 0;
4139 unsigned long *map = kmalloc(BITS_TO_LONGS(oo_objects(s->max)) *
4140 sizeof(unsigned long), GFP_KERNEL);
4141 struct kmem_cache_node *n;
4147 for_each_kmem_cache_node(s, node, n)
4148 count += validate_slab_node(s, n, map);
4153 * Generate lists of code addresses where slabcache objects are allocated
4158 unsigned long count;
4165 DECLARE_BITMAP(cpus, NR_CPUS);
4171 unsigned long count;
4172 struct location *loc;
4175 static void free_loc_track(struct loc_track *t)
4178 free_pages((unsigned long)t->loc,
4179 get_order(sizeof(struct location) * t->max));
4182 static int alloc_loc_track(struct loc_track *t, unsigned long max, gfp_t flags)
4187 order = get_order(sizeof(struct location) * max);
4189 l = (void *)__get_free_pages(flags, order);
4194 memcpy(l, t->loc, sizeof(struct location) * t->count);
4202 static int add_location(struct loc_track *t, struct kmem_cache *s,
4203 const struct track *track)
4205 long start, end, pos;
4207 unsigned long caddr;
4208 unsigned long age = jiffies - track->when;
4214 pos = start + (end - start + 1) / 2;
4217 * There is nothing at "end". If we end up there
4218 * we need to add something to before end.
4223 caddr = t->loc[pos].addr;
4224 if (track->addr == caddr) {
4230 if (age < l->min_time)
4232 if (age > l->max_time)
4235 if (track->pid < l->min_pid)
4236 l->min_pid = track->pid;
4237 if (track->pid > l->max_pid)
4238 l->max_pid = track->pid;
4240 cpumask_set_cpu(track->cpu,
4241 to_cpumask(l->cpus));
4243 node_set(page_to_nid(virt_to_page(track)), l->nodes);
4247 if (track->addr < caddr)
4254 * Not found. Insert new tracking element.
4256 if (t->count >= t->max && !alloc_loc_track(t, 2 * t->max, GFP_ATOMIC))
4262 (t->count - pos) * sizeof(struct location));
4265 l->addr = track->addr;
4269 l->min_pid = track->pid;
4270 l->max_pid = track->pid;
4271 cpumask_clear(to_cpumask(l->cpus));
4272 cpumask_set_cpu(track->cpu, to_cpumask(l->cpus));
4273 nodes_clear(l->nodes);
4274 node_set(page_to_nid(virt_to_page(track)), l->nodes);
4278 static void process_slab(struct loc_track *t, struct kmem_cache *s,
4279 struct page *page, enum track_item alloc,
4282 void *addr = page_address(page);
4285 bitmap_zero(map, page->objects);
4286 get_map(s, page, map);
4288 for_each_object(p, s, addr, page->objects)
4289 if (!test_bit(slab_index(p, s, addr), map))
4290 add_location(t, s, get_track(s, p, alloc));
4293 static int list_locations(struct kmem_cache *s, char *buf,
4294 enum track_item alloc)
4298 struct loc_track t = { 0, 0, NULL };
4300 unsigned long *map = kmalloc(BITS_TO_LONGS(oo_objects(s->max)) *
4301 sizeof(unsigned long), GFP_KERNEL);
4302 struct kmem_cache_node *n;
4304 if (!map || !alloc_loc_track(&t, PAGE_SIZE / sizeof(struct location),
4307 return sprintf(buf, "Out of memory\n");
4309 /* Push back cpu slabs */
4312 for_each_kmem_cache_node(s, node, n) {
4313 unsigned long flags;
4316 if (!atomic_long_read(&n->nr_slabs))
4319 spin_lock_irqsave(&n->list_lock, flags);
4320 list_for_each_entry(page, &n->partial, lru)
4321 process_slab(&t, s, page, alloc, map);
4322 list_for_each_entry(page, &n->full, lru)
4323 process_slab(&t, s, page, alloc, map);
4324 spin_unlock_irqrestore(&n->list_lock, flags);
4327 for (i = 0; i < t.count; i++) {
4328 struct location *l = &t.loc[i];
4330 if (len > PAGE_SIZE - KSYM_SYMBOL_LEN - 100)
4332 len += sprintf(buf + len, "%7ld ", l->count);
4335 len += sprintf(buf + len, "%pS", (void *)l->addr);
4337 len += sprintf(buf + len, "<not-available>");
4339 if (l->sum_time != l->min_time) {
4340 len += sprintf(buf + len, " age=%ld/%ld/%ld",
4342 (long)div_u64(l->sum_time, l->count),
4345 len += sprintf(buf + len, " age=%ld",
4348 if (l->min_pid != l->max_pid)
4349 len += sprintf(buf + len, " pid=%ld-%ld",
4350 l->min_pid, l->max_pid);
4352 len += sprintf(buf + len, " pid=%ld",
4355 if (num_online_cpus() > 1 &&
4356 !cpumask_empty(to_cpumask(l->cpus)) &&
4357 len < PAGE_SIZE - 60)
4358 len += scnprintf(buf + len, PAGE_SIZE - len - 50,
4360 cpumask_pr_args(to_cpumask(l->cpus)));
4362 if (nr_online_nodes > 1 && !nodes_empty(l->nodes) &&
4363 len < PAGE_SIZE - 60)
4364 len += scnprintf(buf + len, PAGE_SIZE - len - 50,
4366 nodemask_pr_args(&l->nodes));
4368 len += sprintf(buf + len, "\n");
4374 len += sprintf(buf, "No data\n");
4379 #ifdef SLUB_RESILIENCY_TEST
4380 static void __init resiliency_test(void)
4384 BUILD_BUG_ON(KMALLOC_MIN_SIZE > 16 || KMALLOC_SHIFT_HIGH < 10);
4386 pr_err("SLUB resiliency testing\n");
4387 pr_err("-----------------------\n");
4388 pr_err("A. Corruption after allocation\n");
4390 p = kzalloc(16, GFP_KERNEL);
4392 pr_err("\n1. kmalloc-16: Clobber Redzone/next pointer 0x12->0x%p\n\n",
4395 validate_slab_cache(kmalloc_caches[4]);
4397 /* Hmmm... The next two are dangerous */
4398 p = kzalloc(32, GFP_KERNEL);
4399 p[32 + sizeof(void *)] = 0x34;
4400 pr_err("\n2. kmalloc-32: Clobber next pointer/next slab 0x34 -> -0x%p\n",
4402 pr_err("If allocated object is overwritten then not detectable\n\n");
4404 validate_slab_cache(kmalloc_caches[5]);
4405 p = kzalloc(64, GFP_KERNEL);
4406 p += 64 + (get_cycles() & 0xff) * sizeof(void *);
4408 pr_err("\n3. kmalloc-64: corrupting random byte 0x56->0x%p\n",
4410 pr_err("If allocated object is overwritten then not detectable\n\n");
4411 validate_slab_cache(kmalloc_caches[6]);
4413 pr_err("\nB. Corruption after free\n");
4414 p = kzalloc(128, GFP_KERNEL);
4417 pr_err("1. kmalloc-128: Clobber first word 0x78->0x%p\n\n", p);
4418 validate_slab_cache(kmalloc_caches[7]);
4420 p = kzalloc(256, GFP_KERNEL);
4423 pr_err("\n2. kmalloc-256: Clobber 50th byte 0x9a->0x%p\n\n", p);
4424 validate_slab_cache(kmalloc_caches[8]);
4426 p = kzalloc(512, GFP_KERNEL);
4429 pr_err("\n3. kmalloc-512: Clobber redzone 0xab->0x%p\n\n", p);
4430 validate_slab_cache(kmalloc_caches[9]);
4434 static void resiliency_test(void) {};
4439 enum slab_stat_type {
4440 SL_ALL, /* All slabs */
4441 SL_PARTIAL, /* Only partially allocated slabs */
4442 SL_CPU, /* Only slabs used for cpu caches */
4443 SL_OBJECTS, /* Determine allocated objects not slabs */
4444 SL_TOTAL /* Determine object capacity not slabs */
4447 #define SO_ALL (1 << SL_ALL)
4448 #define SO_PARTIAL (1 << SL_PARTIAL)
4449 #define SO_CPU (1 << SL_CPU)
4450 #define SO_OBJECTS (1 << SL_OBJECTS)
4451 #define SO_TOTAL (1 << SL_TOTAL)
4453 static ssize_t show_slab_objects(struct kmem_cache *s,
4454 char *buf, unsigned long flags)
4456 unsigned long total = 0;
4459 unsigned long *nodes;
4461 nodes = kzalloc(sizeof(unsigned long) * nr_node_ids, GFP_KERNEL);
4465 if (flags & SO_CPU) {
4468 for_each_possible_cpu(cpu) {
4469 struct kmem_cache_cpu *c = per_cpu_ptr(s->cpu_slab,
4474 page = READ_ONCE(c->page);
4478 node = page_to_nid(page);
4479 if (flags & SO_TOTAL)
4481 else if (flags & SO_OBJECTS)
4489 page = READ_ONCE(c->partial);
4491 node = page_to_nid(page);
4492 if (flags & SO_TOTAL)
4494 else if (flags & SO_OBJECTS)
4505 #ifdef CONFIG_SLUB_DEBUG
4506 if (flags & SO_ALL) {
4507 struct kmem_cache_node *n;
4509 for_each_kmem_cache_node(s, node, n) {
4511 if (flags & SO_TOTAL)
4512 x = atomic_long_read(&n->total_objects);
4513 else if (flags & SO_OBJECTS)
4514 x = atomic_long_read(&n->total_objects) -
4515 count_partial(n, count_free);
4517 x = atomic_long_read(&n->nr_slabs);
4524 if (flags & SO_PARTIAL) {
4525 struct kmem_cache_node *n;
4527 for_each_kmem_cache_node(s, node, n) {
4528 if (flags & SO_TOTAL)
4529 x = count_partial(n, count_total);
4530 else if (flags & SO_OBJECTS)
4531 x = count_partial(n, count_inuse);
4538 x = sprintf(buf, "%lu", total);
4540 for (node = 0; node < nr_node_ids; node++)
4542 x += sprintf(buf + x, " N%d=%lu",
4547 return x + sprintf(buf + x, "\n");
4550 #ifdef CONFIG_SLUB_DEBUG
4551 static int any_slab_objects(struct kmem_cache *s)
4554 struct kmem_cache_node *n;
4556 for_each_kmem_cache_node(s, node, n)
4557 if (atomic_long_read(&n->total_objects))
4564 #define to_slab_attr(n) container_of(n, struct slab_attribute, attr)
4565 #define to_slab(n) container_of(n, struct kmem_cache, kobj)
4567 struct slab_attribute {
4568 struct attribute attr;
4569 ssize_t (*show)(struct kmem_cache *s, char *buf);
4570 ssize_t (*store)(struct kmem_cache *s, const char *x, size_t count);
4573 #define SLAB_ATTR_RO(_name) \
4574 static struct slab_attribute _name##_attr = \
4575 __ATTR(_name, 0400, _name##_show, NULL)
4577 #define SLAB_ATTR(_name) \
4578 static struct slab_attribute _name##_attr = \
4579 __ATTR(_name, 0600, _name##_show, _name##_store)
4581 static ssize_t slab_size_show(struct kmem_cache *s, char *buf)
4583 return sprintf(buf, "%d\n", s->size);
4585 SLAB_ATTR_RO(slab_size);
4587 static ssize_t align_show(struct kmem_cache *s, char *buf)
4589 return sprintf(buf, "%d\n", s->align);
4591 SLAB_ATTR_RO(align);
4593 static ssize_t object_size_show(struct kmem_cache *s, char *buf)
4595 return sprintf(buf, "%d\n", s->object_size);
4597 SLAB_ATTR_RO(object_size);
4599 static ssize_t objs_per_slab_show(struct kmem_cache *s, char *buf)
4601 return sprintf(buf, "%d\n", oo_objects(s->oo));
4603 SLAB_ATTR_RO(objs_per_slab);
4605 static ssize_t order_store(struct kmem_cache *s,
4606 const char *buf, size_t length)
4608 unsigned long order;
4611 err = kstrtoul(buf, 10, &order);
4615 if (order > slub_max_order || order < slub_min_order)
4618 calculate_sizes(s, order);
4622 static ssize_t order_show(struct kmem_cache *s, char *buf)
4624 return sprintf(buf, "%d\n", oo_order(s->oo));
4628 static ssize_t min_partial_show(struct kmem_cache *s, char *buf)
4630 return sprintf(buf, "%lu\n", s->min_partial);
4633 static ssize_t min_partial_store(struct kmem_cache *s, const char *buf,
4639 err = kstrtoul(buf, 10, &min);
4643 set_min_partial(s, min);
4646 SLAB_ATTR(min_partial);
4648 static ssize_t cpu_partial_show(struct kmem_cache *s, char *buf)
4650 return sprintf(buf, "%u\n", s->cpu_partial);
4653 static ssize_t cpu_partial_store(struct kmem_cache *s, const char *buf,
4656 unsigned long objects;
4659 err = kstrtoul(buf, 10, &objects);
4662 if (objects && !kmem_cache_has_cpu_partial(s))
4665 s->cpu_partial = objects;
4669 SLAB_ATTR(cpu_partial);
4671 static ssize_t ctor_show(struct kmem_cache *s, char *buf)
4675 return sprintf(buf, "%pS\n", s->ctor);
4679 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
4681 return sprintf(buf, "%d\n", s->refcount < 0 ? 0 : s->refcount - 1);
4683 SLAB_ATTR_RO(aliases);
4685 static ssize_t partial_show(struct kmem_cache *s, char *buf)
4687 return show_slab_objects(s, buf, SO_PARTIAL);
4689 SLAB_ATTR_RO(partial);
4691 static ssize_t cpu_slabs_show(struct kmem_cache *s, char *buf)
4693 return show_slab_objects(s, buf, SO_CPU);
4695 SLAB_ATTR_RO(cpu_slabs);
4697 static ssize_t objects_show(struct kmem_cache *s, char *buf)
4699 return show_slab_objects(s, buf, SO_ALL|SO_OBJECTS);
4701 SLAB_ATTR_RO(objects);
4703 static ssize_t objects_partial_show(struct kmem_cache *s, char *buf)
4705 return show_slab_objects(s, buf, SO_PARTIAL|SO_OBJECTS);
4707 SLAB_ATTR_RO(objects_partial);
4709 static ssize_t slabs_cpu_partial_show(struct kmem_cache *s, char *buf)
4716 for_each_online_cpu(cpu) {
4717 struct page *page = per_cpu_ptr(s->cpu_slab, cpu)->partial;
4720 pages += page->pages;
4721 objects += page->pobjects;
4725 len = sprintf(buf, "%d(%d)", objects, pages);
4728 for_each_online_cpu(cpu) {
4729 struct page *page = per_cpu_ptr(s->cpu_slab, cpu) ->partial;
4731 if (page && len < PAGE_SIZE - 20)
4732 len += sprintf(buf + len, " C%d=%d(%d)", cpu,
4733 page->pobjects, page->pages);
4736 return len + sprintf(buf + len, "\n");
4738 SLAB_ATTR_RO(slabs_cpu_partial);
4740 static ssize_t reclaim_account_show(struct kmem_cache *s, char *buf)
4742 return sprintf(buf, "%d\n", !!(s->flags & SLAB_RECLAIM_ACCOUNT));
4745 static ssize_t reclaim_account_store(struct kmem_cache *s,
4746 const char *buf, size_t length)
4748 s->flags &= ~SLAB_RECLAIM_ACCOUNT;
4750 s->flags |= SLAB_RECLAIM_ACCOUNT;
4753 SLAB_ATTR(reclaim_account);
4755 static ssize_t hwcache_align_show(struct kmem_cache *s, char *buf)
4757 return sprintf(buf, "%d\n", !!(s->flags & SLAB_HWCACHE_ALIGN));
4759 SLAB_ATTR_RO(hwcache_align);
4761 #ifdef CONFIG_ZONE_DMA
4762 static ssize_t cache_dma_show(struct kmem_cache *s, char *buf)
4764 return sprintf(buf, "%d\n", !!(s->flags & SLAB_CACHE_DMA));
4766 SLAB_ATTR_RO(cache_dma);
4769 static ssize_t destroy_by_rcu_show(struct kmem_cache *s, char *buf)
4771 return sprintf(buf, "%d\n", !!(s->flags & SLAB_DESTROY_BY_RCU));
4773 SLAB_ATTR_RO(destroy_by_rcu);
4775 static ssize_t reserved_show(struct kmem_cache *s, char *buf)
4777 return sprintf(buf, "%d\n", s->reserved);
4779 SLAB_ATTR_RO(reserved);
4781 #ifdef CONFIG_SLUB_DEBUG
4782 static ssize_t slabs_show(struct kmem_cache *s, char *buf)
4784 return show_slab_objects(s, buf, SO_ALL);
4786 SLAB_ATTR_RO(slabs);
4788 static ssize_t total_objects_show(struct kmem_cache *s, char *buf)
4790 return show_slab_objects(s, buf, SO_ALL|SO_TOTAL);
4792 SLAB_ATTR_RO(total_objects);
4794 static ssize_t sanity_checks_show(struct kmem_cache *s, char *buf)
4796 return sprintf(buf, "%d\n", !!(s->flags & SLAB_CONSISTENCY_CHECKS));
4799 static ssize_t sanity_checks_store(struct kmem_cache *s,
4800 const char *buf, size_t length)
4802 s->flags &= ~SLAB_CONSISTENCY_CHECKS;
4803 if (buf[0] == '1') {
4804 s->flags &= ~__CMPXCHG_DOUBLE;
4805 s->flags |= SLAB_CONSISTENCY_CHECKS;
4809 SLAB_ATTR(sanity_checks);
4811 static ssize_t trace_show(struct kmem_cache *s, char *buf)
4813 return sprintf(buf, "%d\n", !!(s->flags & SLAB_TRACE));
4816 static ssize_t trace_store(struct kmem_cache *s, const char *buf,
4820 * Tracing a merged cache is going to give confusing results
4821 * as well as cause other issues like converting a mergeable
4822 * cache into an umergeable one.
4824 if (s->refcount > 1)
4827 s->flags &= ~SLAB_TRACE;
4828 if (buf[0] == '1') {
4829 s->flags &= ~__CMPXCHG_DOUBLE;
4830 s->flags |= SLAB_TRACE;
4836 static ssize_t red_zone_show(struct kmem_cache *s, char *buf)
4838 return sprintf(buf, "%d\n", !!(s->flags & SLAB_RED_ZONE));
4841 static ssize_t red_zone_store(struct kmem_cache *s,
4842 const char *buf, size_t length)
4844 if (any_slab_objects(s))
4847 s->flags &= ~SLAB_RED_ZONE;
4848 if (buf[0] == '1') {
4849 s->flags &= ~__CMPXCHG_DOUBLE;
4850 s->flags |= SLAB_RED_ZONE;
4852 calculate_sizes(s, -1);
4855 SLAB_ATTR(red_zone);
4857 static ssize_t poison_show(struct kmem_cache *s, char *buf)
4859 return sprintf(buf, "%d\n", !!(s->flags & SLAB_POISON));
4862 static ssize_t poison_store(struct kmem_cache *s,
4863 const char *buf, size_t length)
4865 if (any_slab_objects(s))
4868 s->flags &= ~SLAB_POISON;
4869 if (buf[0] == '1') {
4870 s->flags &= ~__CMPXCHG_DOUBLE;
4871 s->flags |= SLAB_POISON;
4873 calculate_sizes(s, -1);
4878 static ssize_t store_user_show(struct kmem_cache *s, char *buf)
4880 return sprintf(buf, "%d\n", !!(s->flags & SLAB_STORE_USER));
4883 static ssize_t store_user_store(struct kmem_cache *s,
4884 const char *buf, size_t length)
4886 if (any_slab_objects(s))
4889 s->flags &= ~SLAB_STORE_USER;
4890 if (buf[0] == '1') {
4891 s->flags &= ~__CMPXCHG_DOUBLE;
4892 s->flags |= SLAB_STORE_USER;
4894 calculate_sizes(s, -1);
4897 SLAB_ATTR(store_user);
4899 static ssize_t validate_show(struct kmem_cache *s, char *buf)
4904 static ssize_t validate_store(struct kmem_cache *s,
4905 const char *buf, size_t length)
4909 if (buf[0] == '1') {
4910 ret = validate_slab_cache(s);
4916 SLAB_ATTR(validate);
4918 static ssize_t alloc_calls_show(struct kmem_cache *s, char *buf)
4920 if (!(s->flags & SLAB_STORE_USER))
4922 return list_locations(s, buf, TRACK_ALLOC);
4924 SLAB_ATTR_RO(alloc_calls);
4926 static ssize_t free_calls_show(struct kmem_cache *s, char *buf)
4928 if (!(s->flags & SLAB_STORE_USER))
4930 return list_locations(s, buf, TRACK_FREE);
4932 SLAB_ATTR_RO(free_calls);
4933 #endif /* CONFIG_SLUB_DEBUG */
4935 #ifdef CONFIG_FAILSLAB
4936 static ssize_t failslab_show(struct kmem_cache *s, char *buf)
4938 return sprintf(buf, "%d\n", !!(s->flags & SLAB_FAILSLAB));
4941 static ssize_t failslab_store(struct kmem_cache *s, const char *buf,
4944 if (s->refcount > 1)
4947 s->flags &= ~SLAB_FAILSLAB;
4949 s->flags |= SLAB_FAILSLAB;
4952 SLAB_ATTR(failslab);
4955 static ssize_t shrink_show(struct kmem_cache *s, char *buf)
4960 static ssize_t shrink_store(struct kmem_cache *s,
4961 const char *buf, size_t length)
4964 kmem_cache_shrink(s);
4972 static ssize_t remote_node_defrag_ratio_show(struct kmem_cache *s, char *buf)
4974 return sprintf(buf, "%d\n", s->remote_node_defrag_ratio / 10);
4977 static ssize_t remote_node_defrag_ratio_store(struct kmem_cache *s,
4978 const char *buf, size_t length)
4980 unsigned long ratio;
4983 err = kstrtoul(buf, 10, &ratio);
4988 s->remote_node_defrag_ratio = ratio * 10;
4992 SLAB_ATTR(remote_node_defrag_ratio);
4995 #ifdef CONFIG_SLUB_STATS
4996 static int show_stat(struct kmem_cache *s, char *buf, enum stat_item si)
4998 unsigned long sum = 0;
5001 int *data = kmalloc(nr_cpu_ids * sizeof(int), GFP_KERNEL);
5006 for_each_online_cpu(cpu) {
5007 unsigned x = per_cpu_ptr(s->cpu_slab, cpu)->stat[si];
5013 len = sprintf(buf, "%lu", sum);
5016 for_each_online_cpu(cpu) {
5017 if (data[cpu] && len < PAGE_SIZE - 20)
5018 len += sprintf(buf + len, " C%d=%u", cpu, data[cpu]);
5022 return len + sprintf(buf + len, "\n");
5025 static void clear_stat(struct kmem_cache *s, enum stat_item si)
5029 for_each_online_cpu(cpu)
5030 per_cpu_ptr(s->cpu_slab, cpu)->stat[si] = 0;
5033 #define STAT_ATTR(si, text) \
5034 static ssize_t text##_show(struct kmem_cache *s, char *buf) \
5036 return show_stat(s, buf, si); \
5038 static ssize_t text##_store(struct kmem_cache *s, \
5039 const char *buf, size_t length) \
5041 if (buf[0] != '0') \
5043 clear_stat(s, si); \
5048 STAT_ATTR(ALLOC_FASTPATH, alloc_fastpath);
5049 STAT_ATTR(ALLOC_SLOWPATH, alloc_slowpath);
5050 STAT_ATTR(FREE_FASTPATH, free_fastpath);
5051 STAT_ATTR(FREE_SLOWPATH, free_slowpath);
5052 STAT_ATTR(FREE_FROZEN, free_frozen);
5053 STAT_ATTR(FREE_ADD_PARTIAL, free_add_partial);
5054 STAT_ATTR(FREE_REMOVE_PARTIAL, free_remove_partial);
5055 STAT_ATTR(ALLOC_FROM_PARTIAL, alloc_from_partial);
5056 STAT_ATTR(ALLOC_SLAB, alloc_slab);
5057 STAT_ATTR(ALLOC_REFILL, alloc_refill);
5058 STAT_ATTR(ALLOC_NODE_MISMATCH, alloc_node_mismatch);
5059 STAT_ATTR(FREE_SLAB, free_slab);
5060 STAT_ATTR(CPUSLAB_FLUSH, cpuslab_flush);
5061 STAT_ATTR(DEACTIVATE_FULL, deactivate_full);
5062 STAT_ATTR(DEACTIVATE_EMPTY, deactivate_empty);
5063 STAT_ATTR(DEACTIVATE_TO_HEAD, deactivate_to_head);
5064 STAT_ATTR(DEACTIVATE_TO_TAIL, deactivate_to_tail);
5065 STAT_ATTR(DEACTIVATE_REMOTE_FREES, deactivate_remote_frees);
5066 STAT_ATTR(DEACTIVATE_BYPASS, deactivate_bypass);
5067 STAT_ATTR(ORDER_FALLBACK, order_fallback);
5068 STAT_ATTR(CMPXCHG_DOUBLE_CPU_FAIL, cmpxchg_double_cpu_fail);
5069 STAT_ATTR(CMPXCHG_DOUBLE_FAIL, cmpxchg_double_fail);
5070 STAT_ATTR(CPU_PARTIAL_ALLOC, cpu_partial_alloc);
5071 STAT_ATTR(CPU_PARTIAL_FREE, cpu_partial_free);
5072 STAT_ATTR(CPU_PARTIAL_NODE, cpu_partial_node);
5073 STAT_ATTR(CPU_PARTIAL_DRAIN, cpu_partial_drain);
5076 static struct attribute *slab_attrs[] = {
5077 &slab_size_attr.attr,
5078 &object_size_attr.attr,
5079 &objs_per_slab_attr.attr,
5081 &min_partial_attr.attr,
5082 &cpu_partial_attr.attr,
5084 &objects_partial_attr.attr,
5086 &cpu_slabs_attr.attr,
5090 &hwcache_align_attr.attr,
5091 &reclaim_account_attr.attr,
5092 &destroy_by_rcu_attr.attr,
5094 &reserved_attr.attr,
5095 &slabs_cpu_partial_attr.attr,
5096 #ifdef CONFIG_SLUB_DEBUG
5097 &total_objects_attr.attr,
5099 &sanity_checks_attr.attr,
5101 &red_zone_attr.attr,
5103 &store_user_attr.attr,
5104 &validate_attr.attr,
5105 &alloc_calls_attr.attr,
5106 &free_calls_attr.attr,
5108 #ifdef CONFIG_ZONE_DMA
5109 &cache_dma_attr.attr,
5112 &remote_node_defrag_ratio_attr.attr,
5114 #ifdef CONFIG_SLUB_STATS
5115 &alloc_fastpath_attr.attr,
5116 &alloc_slowpath_attr.attr,
5117 &free_fastpath_attr.attr,
5118 &free_slowpath_attr.attr,
5119 &free_frozen_attr.attr,
5120 &free_add_partial_attr.attr,
5121 &free_remove_partial_attr.attr,
5122 &alloc_from_partial_attr.attr,
5123 &alloc_slab_attr.attr,
5124 &alloc_refill_attr.attr,
5125 &alloc_node_mismatch_attr.attr,
5126 &free_slab_attr.attr,
5127 &cpuslab_flush_attr.attr,
5128 &deactivate_full_attr.attr,
5129 &deactivate_empty_attr.attr,
5130 &deactivate_to_head_attr.attr,
5131 &deactivate_to_tail_attr.attr,
5132 &deactivate_remote_frees_attr.attr,
5133 &deactivate_bypass_attr.attr,
5134 &order_fallback_attr.attr,
5135 &cmpxchg_double_fail_attr.attr,
5136 &cmpxchg_double_cpu_fail_attr.attr,
5137 &cpu_partial_alloc_attr.attr,
5138 &cpu_partial_free_attr.attr,
5139 &cpu_partial_node_attr.attr,
5140 &cpu_partial_drain_attr.attr,
5142 #ifdef CONFIG_FAILSLAB
5143 &failslab_attr.attr,
5149 static struct attribute_group slab_attr_group = {
5150 .attrs = slab_attrs,
5153 static ssize_t slab_attr_show(struct kobject *kobj,
5154 struct attribute *attr,
5157 struct slab_attribute *attribute;
5158 struct kmem_cache *s;
5161 attribute = to_slab_attr(attr);
5164 if (!attribute->show)
5167 err = attribute->show(s, buf);
5172 static ssize_t slab_attr_store(struct kobject *kobj,
5173 struct attribute *attr,
5174 const char *buf, size_t len)
5176 struct slab_attribute *attribute;
5177 struct kmem_cache *s;
5180 attribute = to_slab_attr(attr);
5183 if (!attribute->store)
5186 err = attribute->store(s, buf, len);
5188 if (slab_state >= FULL && err >= 0 && is_root_cache(s)) {
5189 struct kmem_cache *c;
5191 mutex_lock(&slab_mutex);
5192 if (s->max_attr_size < len)
5193 s->max_attr_size = len;
5196 * This is a best effort propagation, so this function's return
5197 * value will be determined by the parent cache only. This is
5198 * basically because not all attributes will have a well
5199 * defined semantics for rollbacks - most of the actions will
5200 * have permanent effects.
5202 * Returning the error value of any of the children that fail
5203 * is not 100 % defined, in the sense that users seeing the
5204 * error code won't be able to know anything about the state of
5207 * Only returning the error code for the parent cache at least
5208 * has well defined semantics. The cache being written to
5209 * directly either failed or succeeded, in which case we loop
5210 * through the descendants with best-effort propagation.
5212 for_each_memcg_cache(c, s)
5213 attribute->store(c, buf, len);
5214 mutex_unlock(&slab_mutex);
5220 static void memcg_propagate_slab_attrs(struct kmem_cache *s)
5224 char *buffer = NULL;
5225 struct kmem_cache *root_cache;
5227 if (is_root_cache(s))
5230 root_cache = s->memcg_params.root_cache;
5233 * This mean this cache had no attribute written. Therefore, no point
5234 * in copying default values around
5236 if (!root_cache->max_attr_size)
5239 for (i = 0; i < ARRAY_SIZE(slab_attrs); i++) {
5242 struct slab_attribute *attr = to_slab_attr(slab_attrs[i]);
5244 if (!attr || !attr->store || !attr->show)
5248 * It is really bad that we have to allocate here, so we will
5249 * do it only as a fallback. If we actually allocate, though,
5250 * we can just use the allocated buffer until the end.
5252 * Most of the slub attributes will tend to be very small in
5253 * size, but sysfs allows buffers up to a page, so they can
5254 * theoretically happen.
5258 else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf))
5261 buffer = (char *) get_zeroed_page(GFP_KERNEL);
5262 if (WARN_ON(!buffer))
5267 attr->show(root_cache, buf);
5268 attr->store(s, buf, strlen(buf));
5272 free_page((unsigned long)buffer);
5276 static void kmem_cache_release(struct kobject *k)
5278 slab_kmem_cache_release(to_slab(k));
5281 static const struct sysfs_ops slab_sysfs_ops = {
5282 .show = slab_attr_show,
5283 .store = slab_attr_store,
5286 static struct kobj_type slab_ktype = {
5287 .sysfs_ops = &slab_sysfs_ops,
5288 .release = kmem_cache_release,
5291 static int uevent_filter(struct kset *kset, struct kobject *kobj)
5293 struct kobj_type *ktype = get_ktype(kobj);
5295 if (ktype == &slab_ktype)
5300 static const struct kset_uevent_ops slab_uevent_ops = {
5301 .filter = uevent_filter,
5304 static struct kset *slab_kset;
5306 static inline struct kset *cache_kset(struct kmem_cache *s)
5309 if (!is_root_cache(s))
5310 return s->memcg_params.root_cache->memcg_kset;
5315 #define ID_STR_LENGTH 64
5317 /* Create a unique string id for a slab cache:
5319 * Format :[flags-]size
5321 static char *create_unique_id(struct kmem_cache *s)
5323 char *name = kmalloc(ID_STR_LENGTH, GFP_KERNEL);
5330 * First flags affecting slabcache operations. We will only
5331 * get here for aliasable slabs so we do not need to support
5332 * too many flags. The flags here must cover all flags that
5333 * are matched during merging to guarantee that the id is
5336 if (s->flags & SLAB_CACHE_DMA)
5338 if (s->flags & SLAB_RECLAIM_ACCOUNT)
5340 if (s->flags & SLAB_CONSISTENCY_CHECKS)
5342 if (!(s->flags & SLAB_NOTRACK))
5344 if (s->flags & SLAB_ACCOUNT)
5348 p += sprintf(p, "%07d", s->size);
5350 BUG_ON(p > name + ID_STR_LENGTH - 1);
5354 static int sysfs_slab_add(struct kmem_cache *s)
5358 int unmergeable = slab_unmergeable(s);
5362 * Slabcache can never be merged so we can use the name proper.
5363 * This is typically the case for debug situations. In that
5364 * case we can catch duplicate names easily.
5366 sysfs_remove_link(&slab_kset->kobj, s->name);
5370 * Create a unique name for the slab as a target
5373 name = create_unique_id(s);
5376 s->kobj.kset = cache_kset(s);
5377 err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name);
5381 err = sysfs_create_group(&s->kobj, &slab_attr_group);
5386 if (is_root_cache(s)) {
5387 s->memcg_kset = kset_create_and_add("cgroup", NULL, &s->kobj);
5388 if (!s->memcg_kset) {
5395 kobject_uevent(&s->kobj, KOBJ_ADD);
5397 /* Setup first alias */
5398 sysfs_slab_alias(s, s->name);
5405 kobject_del(&s->kobj);
5409 void sysfs_slab_remove(struct kmem_cache *s)
5411 if (slab_state < FULL)
5413 * Sysfs has not been setup yet so no need to remove the
5419 kset_unregister(s->memcg_kset);
5421 kobject_uevent(&s->kobj, KOBJ_REMOVE);
5422 kobject_del(&s->kobj);
5423 kobject_put(&s->kobj);
5427 * Need to buffer aliases during bootup until sysfs becomes
5428 * available lest we lose that information.
5430 struct saved_alias {
5431 struct kmem_cache *s;
5433 struct saved_alias *next;
5436 static struct saved_alias *alias_list;
5438 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
5440 struct saved_alias *al;
5442 if (slab_state == FULL) {
5444 * If we have a leftover link then remove it.
5446 sysfs_remove_link(&slab_kset->kobj, name);
5447 return sysfs_create_link(&slab_kset->kobj, &s->kobj, name);
5450 al = kmalloc(sizeof(struct saved_alias), GFP_KERNEL);
5456 al->next = alias_list;
5461 static int __init slab_sysfs_init(void)
5463 struct kmem_cache *s;
5466 mutex_lock(&slab_mutex);
5468 slab_kset = kset_create_and_add("slab", &slab_uevent_ops, kernel_kobj);
5470 mutex_unlock(&slab_mutex);
5471 pr_err("Cannot register slab subsystem.\n");
5477 list_for_each_entry(s, &slab_caches, list) {
5478 err = sysfs_slab_add(s);
5480 pr_err("SLUB: Unable to add boot slab %s to sysfs\n",
5484 while (alias_list) {
5485 struct saved_alias *al = alias_list;
5487 alias_list = alias_list->next;
5488 err = sysfs_slab_alias(al->s, al->name);
5490 pr_err("SLUB: Unable to add boot slab alias %s to sysfs\n",
5495 mutex_unlock(&slab_mutex);
5500 __initcall(slab_sysfs_init);
5501 #endif /* CONFIG_SYSFS */
5504 * The /proc/slabinfo ABI
5506 #ifdef CONFIG_SLABINFO
5507 void get_slabinfo(struct kmem_cache *s, struct slabinfo *sinfo)
5509 unsigned long nr_slabs = 0;
5510 unsigned long nr_objs = 0;
5511 unsigned long nr_free = 0;
5513 struct kmem_cache_node *n;
5515 for_each_kmem_cache_node(s, node, n) {
5516 nr_slabs += node_nr_slabs(n);
5517 nr_objs += node_nr_objs(n);
5518 nr_free += count_partial(n, count_free);
5521 sinfo->active_objs = nr_objs - nr_free;
5522 sinfo->num_objs = nr_objs;
5523 sinfo->active_slabs = nr_slabs;
5524 sinfo->num_slabs = nr_slabs;
5525 sinfo->objects_per_slab = oo_objects(s->oo);
5526 sinfo->cache_order = oo_order(s->oo);
5529 void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *s)
5533 ssize_t slabinfo_write(struct file *file, const char __user *buffer,
5534 size_t count, loff_t *ppos)
5538 #endif /* CONFIG_SLABINFO */
projects / karo-tx-linux.git / blob