slub.c source code [linux/mm/slub.c]

1	// SPDX-License-Identifier: GPL-2.0
2	/*
3	* SLUB: A slab allocator that limits cache line use instead of queuing
4	* objects in per cpu and per node lists.
5	*
6	* The allocator synchronizes using per slab locks or atomic operatios
7	* and only uses a centralized lock to manage a pool of partial slabs.
8	*
9	* (C) 2007 SGI, Christoph Lameter
10	* (C) 2011 Linux Foundation, Christoph Lameter
11	*/
12
13	#include <linux/mm.h>
14	#include <linux/swap.h> /* struct reclaim_state */
15	#include <linux/module.h>
16	#include <linux/bit_spinlock.h>
17	#include <linux/interrupt.h>
18	#include <linux/bitops.h>
19	#include <linux/slab.h>
20	#include "slab.h"
21	#include <linux/proc_fs.h>
22	#include <linux/seq_file.h>
23	#include <linux/kasan.h>
24	#include <linux/cpu.h>
25	#include <linux/cpuset.h>
26	#include <linux/mempolicy.h>
27	#include <linux/ctype.h>
28	#include <linux/debugobjects.h>
29	#include <linux/kallsyms.h>
30	#include <linux/memory.h>
31	#include <linux/math64.h>
32	#include <linux/fault-inject.h>
33	#include <linux/stacktrace.h>
34	#include <linux/prefetch.h>
35	#include <linux/memcontrol.h>
36	#include <linux/random.h>
37
38	#include <trace/events/kmem.h>
39
40	#include "internal.h"
41
42	/*
43	* Lock order:
44	* 1. slab_mutex (Global Mutex)
45	* 2. node->list_lock
46	* 3. slab_lock(page) (Only on some arches and for debugging)
47	*
48	* slab_mutex
49	*
50	* The role of the slab_mutex is to protect the list of all the slabs
51	* and to synchronize major metadata changes to slab cache structures.
52	*
53	* The slab_lock is only used for debugging and on arches that do not
54	* have the ability to do a cmpxchg_double. It only protects:
55	* A. page->freelist -> List of object free in a page
56	* B. page->inuse -> Number of objects in use
57	* C. page->objects -> Number of objects in page
58	* D. page->frozen -> frozen state
59	*
60	* If a slab is frozen then it is exempt from list management. It is not
61	* on any list. The processor that froze the slab is the one who can
62	* perform list operations on the page. Other processors may put objects
63	* onto the freelist but the processor that froze the slab is the only
64	* one that can retrieve the objects from the page's freelist.
65	*
66	* The list_lock protects the partial and full list on each node and
67	* the partial slab counter. If taken then no new slabs may be added or
68	* removed from the lists nor make the number of partial slabs be modified.
69	* (Note that the total number of slabs is an atomic value that may be
70	* modified without taking the list lock).
71	*
72	* The list_lock is a centralized lock and thus we avoid taking it as
73	* much as possible. As long as SLUB does not have to handle partial
74	* slabs, operations can continue without any centralized lock. F.e.
75	* allocating a long series of objects that fill up slabs does not require
76	* the list lock.
77	* Interrupts are disabled during allocation and deallocation in order to
78	* make the slab allocator safe to use in the context of an irq. In addition
79	* interrupts are disabled to ensure that the processor does not change
80	* while handling per_cpu slabs, due to kernel preemption.
81	*
82	* SLUB assigns one slab for allocation to each processor.
83	* Allocations only occur from these slabs called cpu slabs.
84	*
85	* Slabs with free elements are kept on a partial list and during regular
86	* operations no list for full slabs is used. If an object in a full slab is
87	* freed then the slab will show up again on the partial lists.
88	* We track full slabs for debugging purposes though because otherwise we
89	* cannot scan all objects.
90	*
91	* Slabs are freed when they become empty. Teardown and setup is
92	* minimal so we rely on the page allocators per cpu caches for
93	* fast frees and allocs.
94	*
95	* Overloading of page flags that are otherwise used for LRU management.
96	*
97	* PageActive The slab is frozen and exempt from list processing.
98	* This means that the slab is dedicated to a purpose
99	* such as satisfying allocations for a specific
100	* processor. Objects may be freed in the slab while
101	* it is frozen but slab_free will then skip the usual
102	* list operations. It is up to the processor holding
103	* the slab to integrate the slab into the slab lists
104	* when the slab is no longer needed.
105	*
106	* One use of this flag is to mark slabs that are
107	* used for allocations. Then such a slab becomes a cpu
108	* slab. The cpu slab may be equipped with an additional
109	* freelist that allows lockless access to
110	* free objects in addition to the regular freelist
111	* that requires the slab lock.
112	*
113	* PageError Slab requires special handling due to debug
114	* options set. This moves slab handling out of
115	* the fast path and disables lockless freelists.
116	*/
117
118	static inline int kmem_cache_debug(struct kmem_cache *s)
119	{
120	#ifdef CONFIG_SLUB_DEBUG
121	return unlikely(s->flags & SLAB_DEBUG_FLAGS);
122	#else
123	return `0`;
124	#endif
125	}
126
127	void fixup_red_left(struct* kmem_cache s, void* *p)
128	{
129	if (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE)
130	p += s->red_left_pad;
131
132	return p;
133	}
134
135	static inline bool kmem_cache_has_cpu_partial(struct kmem_cache *s)
136	{
137	#ifdef CONFIG_SLUB_CPU_PARTIAL
138	return !kmem_cache_debug(s);
139	#else
140	return false;
141	#endif
142	}
143
144	/*
145	* Issues still to be resolved:
146	*
147	* - Support PAGE_ALLOC_DEBUG. Should be easy to do.
148	*
149	* - Variable sizing of the per node arrays
150	*/
151
152	/ Enable to test recovery from slab corruption on boot /
153	#undef SLUB_RESILIENCY_TEST
154
155	/ Enable to log cmpxchg failures /
156	#undef SLUB_DEBUG_CMPXCHG
157
158	/*
159	* Mininum number of partial slabs. These will be left on the partial
160	* lists even if they are empty. kmem_cache_shrink may reclaim them.
161	*/
162	#define MIN_PARTIAL 5
163
164	/*
165	* Maximum number of desirable partial slabs.
166	* The existence of more partial slabs makes kmem_cache_shrink
167	* sort the partial list by the number of objects in use.
168	*/
169	#define MAX_PARTIAL 10
170
171	#define DEBUG_DEFAULT_FLAGS (SLAB_CONSISTENCY_CHECKS \| SLAB_RED_ZONE \| \
172	SLAB_POISON \| SLAB_STORE_USER)
173
174	/*
175	* These debug flags cannot use CMPXCHG because there might be consistency
176	* issues when checking or reading debug information
177	*/
178	#define SLAB_NO_CMPXCHG (SLAB_CONSISTENCY_CHECKS \| SLAB_STORE_USER \| \
179	SLAB_TRACE)
180
181
182	/*
183	* Debugging flags that require metadata to be stored in the slab. These get
184	* disabled when slub_debug=O is used and a cache's min order increases with
185	* metadata.
186	*/
187	#define DEBUG_METADATA_FLAGS (SLAB_RED_ZONE \| SLAB_POISON \| SLAB_STORE_USER)
188
189	#define OO_SHIFT 16
190	#define OO_MASK ((1 << OO_SHIFT) - 1)
191	#define MAX_OBJS_PER_PAGE 32767 /* since page.objects is u15 */
192
193	/ Internal SLUB flags /
194	/ Poison object /
195	#define __OBJECT_POISON ((slab_flags_t __force)0x80000000U)
196	/ Use cmpxchg_double /
197	#define __CMPXCHG_DOUBLE ((slab_flags_t __force)0x40000000U)
198
199	/*
200	* Tracking user of a slab.
201	*/
202	#define TRACK_ADDRS_COUNT 16
203	struct track {
204	unsigned long addr; / Called from address /
205	#ifdef CONFIG_STACKTRACE
206	unsigned long addrs[TRACK_ADDRS_COUNT]; / Called from address /
207	#endif
208	int cpu; / Was running on cpu /
209	int pid; / Pid context /
210	unsigned long when; / When did the operation occur /
211	};
212
213	enum track_item { TRACK_ALLOC, TRACK_FREE };
214
215	#ifdef CONFIG_SYSFS
216	static int sysfs_slab_add(struct kmem_cache *);
217	static int sysfs_slab_alias(struct kmem_cache , const* char *);
218	static void memcg_propagate_slab_attrs(struct kmem_cache *s);
219	static void sysfs_slab_remove(struct kmem_cache *s);
220	#else
221	static inline int sysfs_slab_add(struct kmem_cache s) { return* `0`; }
222	static inline int sysfs_slab_alias(struct kmem_cache s, const* char *p)
223	{ return `0`; }
224	static inline void memcg_propagate_slab_attrs(struct kmem_cache *s) { }
225	static inline void sysfs_slab_remove(struct kmem_cache *s) { }
226	#endif
227
228	static inline void stat(const struct kmem_cache s, enum* stat_item si)
229	{
230	#ifdef CONFIG_SLUB_STATS
231	/*
232	* The rmw is racy on a preemptible kernel but this is acceptable, so
233	* avoid this_cpu_add()'s irq-disable overhead.
234	*/
235	raw_cpu_inc(s->cpu_slab->stat[si]);
236	#endif
237	}
238
239	/********************************************************************
240	* Core slab cache functions
241	*******************************************************************/
242
243	/*
244	* Returns freelist pointer (ptr). With hardening, this is obfuscated
245	* with an XOR of the address where the pointer is held and a per-cache
246	* random number.
247	*/
248	static inline void freelist_ptr(const* struct kmem_cache s, void* *ptr,
249	unsigned long ptr_addr)
250	{
251	#ifdef CONFIG_SLAB_FREELIST_HARDENED
252	/*
253	* When CONFIG_KASAN_SW_TAGS is enabled, ptr_addr might be tagged.
254	* Normally, this doesn't cause any issues, as both set_freepointer()
255	* and get_freepointer() are called with a pointer with the same tag.
256	* However, there are some issues with CONFIG_SLUB_DEBUG code. For
257	* example, when __free_slub() iterates over objects in a cache, it
258	* passes untagged pointers to check_object(). check_object() in turns
259	* calls get_freepointer() with an untagged pointer, which causes the
260	* freepointer to be restored incorrectly.
261	*/
262	return (void )((unsigned* long)ptr ^ s->random ^
263	(unsigned long)kasan_reset_tag((void *)ptr_addr));
264	#else
265	return ptr;
266	#endif
267	}
268
269	/ Returns the freelist pointer recorded at location ptr_addr. /
270	static inline void freelist_dereference(const* struct kmem_cache *s,
271	void *ptr_addr)
272	{
273	return freelist_ptr(s, (void )(unsigned long *)(ptr_addr),
274	(unsigned long)ptr_addr);
275	}
276
277	static inline void get_freepointer(struct* kmem_cache s, void* *object)
278	{
279	return freelist_dereference(s, object + s->offset);
280	}
281
282	static void prefetch_freepointer(const struct kmem_cache s, void* *object)
283	{
284	prefetch(object + s->offset);
285	}
286
287	static inline void get_freepointer_safe(struct* kmem_cache s, void* *object)
288	{
289	unsigned long freepointer_addr;
290	void *p;
291
292	if (!debug_pagealloc_enabled())
293	return get_freepointer(s, object);
294
295	freepointer_addr = (unsigned long)object + s->offset;
296	probe_kernel_read(&p, (void )freepointer_addr, sizeof**(p));
297	return freelist_ptr(s, p, freepointer_addr);
298	}
299
300	static inline void set_freepointer(struct kmem_cache s, void* object, void* *fp)
301	{
302	unsigned long freeptr_addr = (unsigned long)object + s->offset;
303
304	#ifdef CONFIG_SLAB_FREELIST_HARDENED
305	BUG_ON(object == fp); / naive detection of double free or corruption /
306	#endif
307
308	(void* **)freeptr_addr = freelist_ptr(s, fp, freeptr_addr);
309	}
310
311	/ Loop over all objects in a slab /
312	#define for_each_object(__p, __s, __addr, __objects) \
313	for (__p = fixup_red_left(__s, __addr); \
314	__p < (__addr) + (__objects) * (__s)->size; \
315	__p += (__s)->size)
316
317	/ Determine object index from a given position /
318	static inline unsigned int slab_index(void p, struct* kmem_cache s, void* *addr)
319	{
320	return (kasan_reset_tag(p) - addr) / s->size;
321	}
322
323	static inline unsigned int order_objects(unsigned int order, unsigned int size)
324	{
325	return ((unsigned int)PAGE_SIZE << order) / size;
326	}
327
328	static inline struct kmem_cache_order_objects oo_make(unsigned int order,
329	unsigned int size)
330	{
331	struct kmem_cache_order_objects x = {
332	(order << OO_SHIFT) + order_objects(order, size)
333	};
334
335	return x;
336	}
337
338	static inline unsigned int oo_order(struct kmem_cache_order_objects x)
339	{
340	return x.x >> OO_SHIFT;
341	}
342
343	static inline unsigned int oo_objects(struct kmem_cache_order_objects x)
344	{
345	return x.x & OO_MASK;
346	}
347
348	/*
349	* Per slab locking using the pagelock
350	*/
351	static __always_inline void slab_lock(struct page *page)
352	{
353	VM_BUG_ON_PAGE(PageTail(page), page);
354	bit_spin_lock(PG_locked, &page->flags);
355	}
356
357	static __always_inline void slab_unlock(struct page *page)
358	{
359	VM_BUG_ON_PAGE(PageTail(page), page);
360	__bit_spin_unlock(PG_locked, &page->flags);
361	}
362
363	/ Interrupts must be disabled (for the fallback code to work right) /
364	static inline bool __cmpxchg_double_slab(struct kmem_cache s, struct* page *page,
365	void freelist_old, unsigned* long counters_old,
366	void freelist_new, unsigned* long counters_new,
367	const char *n)
368	{
369	VM_BUG_ON(!irqs_disabled());
370	#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
371	defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
372	if (s->flags & __CMPXCHG_DOUBLE) {
373	if (cmpxchg_double(&page->freelist, &page->counters,
374	freelist_old, counters_old,
375	freelist_new, counters_new))
376	return true;
377	} else
378	#endif
379	{
380	slab_lock(page);
381	if (page->freelist == freelist_old &&
382	page->counters == counters_old) {
383	page->freelist = freelist_new;
384	page->counters = counters_new;
385	slab_unlock(page);
386	return true;
387	}
388	slab_unlock(page);
389	}
390
391	cpu_relax();
392	stat(s, CMPXCHG_DOUBLE_FAIL);
393
394	#ifdef SLUB_DEBUG_CMPXCHG
395	pr_info("%s %s: cmpxchg double redo ", n, s->name);
396	#endif
397
398	return false;
399	}
400
401	static inline bool cmpxchg_double_slab(struct kmem_cache s, struct* page *page,
402	void freelist_old, unsigned* long counters_old,
403	void freelist_new, unsigned* long counters_new,
404	const char *n)
405	{
406	#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
407	defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
408	if (s->flags & __CMPXCHG_DOUBLE) {
409	if (cmpxchg_double(&page->freelist, &page->counters,
410	freelist_old, counters_old,
411	freelist_new, counters_new))
412	return true;
413	} else
414	#endif
415	{
416	unsigned long flags;
417
418	local_irq_save(flags);
419	slab_lock(page);
420	if (page->freelist == freelist_old &&
421	page->counters == counters_old) {
422	page->freelist = freelist_new;
423	page->counters = counters_new;
424	slab_unlock(page);
425	local_irq_restore(flags);
426	return true;
427	}
428	slab_unlock(page);
429	local_irq_restore(flags);
430	}
431
432	cpu_relax();
433	stat(s, CMPXCHG_DOUBLE_FAIL);
434
435	#ifdef SLUB_DEBUG_CMPXCHG
436	pr_info("%s %s: cmpxchg double redo ", n, s->name);
437	#endif
438
439	return false;
440	}
441
442	#ifdef CONFIG_SLUB_DEBUG
443	/*
444	* Determine a map of object in use on a page.
445	*
446	* Node listlock must be held to guarantee that the page does
447	* not vanish from under us.
448	*/
449	static void get_map(struct kmem_cache s, struct* page page, unsigned* long *map)
450	{
451	void *p;
452	void *addr = page_address(page);
453
454	for (p = page->freelist; p; p = get_freepointer(s, p))
455	set_bit(slab_index(p, s, addr), map);
456	}
457
458	static inline unsigned int size_from_object(struct kmem_cache *s)
459	{
460	if (s->flags & SLAB_RED_ZONE)
461	return s->size - s->red_left_pad;
462
463	return s->size;
464	}
465
466	static inline void restore_red_left(struct* kmem_cache s, void* *p)
467	{
468	if (s->flags & SLAB_RED_ZONE)
469	p -= s->red_left_pad;
470
471	return p;
472	}
473
474	/*
475	* Debug settings:
476	*/
477	#if defined(CONFIG_SLUB_DEBUG_ON)
478	static slab_flags_t slub_debug = DEBUG_DEFAULT_FLAGS;
479	#else
480	static slab_flags_t slub_debug;
481	#endif
482
483	static char *slub_debug_slabs;
484	static int disable_higher_order_debug;
485
486	/*
487	* slub is about to manipulate internal object metadata. This memory lies
488	* outside the range of the allocated object, so accessing it would normally
489	* be reported by kasan as a bounds error. metadata_access_enable() is used
490	* to tell kasan that these accesses are OK.
491	*/
492	static inline void metadata_access_enable(void)
493	{
494	kasan_disable_current();
495	}
496
497	static inline void metadata_access_disable(void)
498	{
499	kasan_enable_current();
500	}
501
502	/*
503	* Object debugging
504	*/
505
506	/ Verify that a pointer has an address that is valid within a slab page /
507	static inline int check_valid_pointer(struct kmem_cache *s,
508	struct page page, void* *object)
509	{
510	void *base;
511
512	if (!object)
513	return `1`;
514
515	base = page_address(page);
516	object = kasan_reset_tag(object);
517	object = restore_red_left(s, object);
518	if (object < base \|\| object >= base + page->objects * s->size \|\|
519	(object - base) % s->size) {
520	return `0`;
521	}
522
523	return `1`;
524	}
525
526	static void print_section(char level, char* text, u8 addr,
527	unsigned int length)
528	{
529	metadata_access_enable();
530	print_hex_dump(level, text, DUMP_PREFIX_ADDRESS, `16`, `1`, addr,
531	length, `1`);
532	metadata_access_disable();
533	}
534
535	static struct track get_track(struct* kmem_cache s, void* *object,
536	enum track_item alloc)
537	{
538	struct track *p;
539
540	if (s->offset)
541	p = object + s->offset + sizeof(void *);
542	else
543	p = object + s->inuse;
544
545	return p + alloc;
546	}
547
548	static void set_track(struct kmem_cache s, void* *object,
549	enum track_item alloc, unsigned long addr)
550	{
551	struct track *p = get_track(s, object, alloc);
552
553	if (addr) {
554	#ifdef CONFIG_STACKTRACE
555	struct stack_trace trace;
556	int i;
557
558	trace.nr_entries = `0`;
559	trace.max_entries = TRACK_ADDRS_COUNT;
560	trace.entries = p->addrs;
561	trace.skip = `3`;
562	metadata_access_enable();
563	save_stack_trace(&trace);
564	metadata_access_disable();
565
566	/ See rant in lockdep.c /
567	if (trace.nr_entries != `0` &&
568	trace.entries[trace.nr_entries - `1`] == ULONG_MAX)
569	trace.nr_entries--;
570
571	for (i = trace.nr_entries; i < TRACK_ADDRS_COUNT; i++)
572	p->addrs[i] = `0`;
573	#endif
574	p->addr = addr;
575	p->cpu = smp_processor_id();
576	p->pid = current->pid;
577	p->when = jiffies;
578	} else
579	memset(p, `0`, sizeof(struct track));
580	}
581
582	static void init_tracking(struct kmem_cache s, void* *object)
583	{
584	if (!(s->flags & SLAB_STORE_USER))
585	return;
586
587	set_track(s, object, TRACK_FREE, `0UL`);
588	set_track(s, object, TRACK_ALLOC, `0UL`);
589	}
590
591	static void print_track(const char s, struct* track t, unsigned* long pr_time)
592	{
593	if (!t->addr)
594	return;
595
596	pr_err("INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
597	s, (void *)t->addr, pr_time - t->when, t->cpu, t->pid);
598	#ifdef CONFIG_STACKTRACE
599	{
600	int i;
601	for (i = `0`; i < TRACK_ADDRS_COUNT; i++)
602	if (t->addrs[i])
603	pr_err("\t%pS\n", (void *)t->addrs[i]);
604	else
605	break;
606	}
607	#endif
608	}
609
610	static void print_tracking(struct kmem_cache s, void* *object)
611	{
612	unsigned long pr_time = jiffies;
613	if (!(s->flags & SLAB_STORE_USER))
614	return;
615
616	print_track("Allocated", get_track(s, object, TRACK_ALLOC), pr_time);
617	print_track("Freed", get_track(s, object, TRACK_FREE), pr_time);
618	}
619
620	static void print_page_info(struct page *page)
621	{
622	pr_err("INFO: Slab 0x%p objects=%u used=%u fp=0x%p flags=0x%04lx\n",
623	page, page->objects, page->inuse, page->freelist, page->flags);
624
625	}
626
627	static void slab_bug(struct kmem_cache s, char* *fmt, ...)
628	{
629	struct va_format vaf;
630	va_list args;
631
632	va_start(args, fmt);
633	vaf.fmt = fmt;
634	vaf.va = &args;
635	pr_err("=============================================================================\n");
636	pr_err("BUG %s (%s): %pV\n", s->name, print_tainted(), &vaf);
637	pr_err("-----------------------------------------------------------------------------\n\n");
638
639	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
640	va_end(args);
641	}
642
643	static void slab_fix(struct kmem_cache s, char* *fmt, ...)
644	{
645	struct va_format vaf;
646	va_list args;
647
648	va_start(args, fmt);
649	vaf.fmt = fmt;
650	vaf.va = &args;
651	pr_err("FIX %s: %pV\n", s->name, &vaf);
652	va_end(args);
653	}
654
655	static void print_trailer(struct kmem_cache s, struct* page page, u8 p)
656	{
657	unsigned int off; / Offset of last byte /
658	u8 *addr = page_address(page);
659
660	print_tracking(s, p);
661
662	print_page_info(page);
663
664	pr_err("INFO: Object 0x%p @offset=%tu fp=0x%p\n\n",
665	p, p - addr, get_freepointer(s, p));
666
667	if (s->flags & SLAB_RED_ZONE)
668	print_section(KERN_ERR, "Redzone ", p - s->red_left_pad,
669	s->red_left_pad);
670	else if (p > addr + `16`)
671	print_section(KERN_ERR, "Bytes b4 ", p - `16`, `16`);
672
673	print_section(KERN_ERR, "Object ", p,
674	min_t(unsigned int, s->object_size, PAGE_SIZE));
675	if (s->flags & SLAB_RED_ZONE)
676	print_section(KERN_ERR, "Redzone ", p + s->object_size,
677	s->inuse - s->object_size);
678
679	if (s->offset)
680	off = s->offset + sizeof(void *);
681	else
682	off = s->inuse;
683
684	if (s->flags & SLAB_STORE_USER)
685	off += `2` * sizeof(struct track);
686
687	off += kasan_metadata_size(s);
688
689	if (off != size_from_object(s))
690	/ Beginning of the filler is the free pointer /
691	print_section(KERN_ERR, "Padding ", p + off,
692	size_from_object(s) - off);
693
694	dump_stack();
695	}
696
697	void object_err(struct kmem_cache s, struct* page *page,
698	u8 object, char* *reason)
699	{
700	slab_bug(s, "%s", reason);
701	print_trailer(s, page, object);
702	}
703
704	static __printf(`3`, `4`) void slab_err(struct kmem_cache s, struct* page *page,
705	const char *fmt, ...)
706	{
707	va_list args;
708	char buf[`100`];
709
710	va_start(args, fmt);
711	vsnprintf(buf, sizeof(buf), fmt, args);
712	va_end(args);
713	slab_bug(s, "%s", buf);
714	print_page_info(page);
715	dump_stack();
716	}
717
718	static void init_object(struct kmem_cache s, void* *object, u8 val)
719	{
720	u8 *p = object;
721
722	if (s->flags & SLAB_RED_ZONE)
723	memset(p - s->red_left_pad, val, s->red_left_pad);
724
725	if (s->flags & __OBJECT_POISON) {
726	memset(p, POISON_FREE, s->object_size - `1`);
727	p[s->object_size - `1`] = POISON_END;
728	}
729
730	if (s->flags & SLAB_RED_ZONE)
731	memset(p + s->object_size, val, s->inuse - s->object_size);
732	}
733
734	static void restore_bytes(struct kmem_cache s, char* *message, u8 data,
735	void from, void* *to)
736	{
737	slab_fix(s, "Restoring 0x%p-0x%p=0x%x\n", from, to - `1`, data);
738	memset(from, data, to - from);
739	}
740
741	static int check_bytes_and_report(struct kmem_cache s, struct* page *page,
742	u8 object, char* *what,
743	u8 start, unsigned* int value, unsigned int bytes)
744	{
745	u8 *fault;
746	u8 *end;
747
748	metadata_access_enable();
749	fault = memchr_inv(start, value, bytes);
750	metadata_access_disable();
751	if (!fault)
752	return `1`;
753
754	end = start + bytes;
755	while (end > fault && end[-`1`] == value)
756	end--;
757
758	slab_bug(s, "%s overwritten", what);
759	pr_err("INFO: 0x%p-0x%p. First byte 0x%x instead of 0x%x\n",
760	fault, end - `1`, fault[`0`], value);
761	print_trailer(s, page, object);
762
763	restore_bytes(s, what, value, fault, end);
764	return `0`;
765	}
766
767	/*
768	* Object layout:
769	*
770	* object address
771	* Bytes of the object to be managed.
772	* If the freepointer may overlay the object then the free
773	* pointer is the first word of the object.
774	*
775	* Poisoning uses 0x6b (POISON_FREE) and the last byte is
776	* 0xa5 (POISON_END)
777	*
778	* object + s->object_size
779	* Padding to reach word boundary. This is also used for Redzoning.
780	* Padding is extended by another word if Redzoning is enabled and
781	* object_size == inuse.
782	*
783	* We fill with 0xbb (RED_INACTIVE) for inactive objects and with
784	* 0xcc (RED_ACTIVE) for objects in use.
785	*
786	* object + s->inuse
787	* Meta data starts here.
788	*
789	* A. Free pointer (if we cannot overwrite object on free)
790	* B. Tracking data for SLAB_STORE_USER
791	* C. Padding to reach required alignment boundary or at mininum
792	* one word if debugging is on to be able to detect writes
793	* before the word boundary.
794	*
795	* Padding is done using 0x5a (POISON_INUSE)
796	*
797	* object + s->size
798	* Nothing is used beyond s->size.
799	*
800	* If slabcaches are merged then the object_size and inuse boundaries are mostly
801	* ignored. And therefore no slab options that rely on these boundaries
802	* may be used with merged slabcaches.
803	*/
804
805	static int check_pad_bytes(struct kmem_cache s, struct* page page, u8 p)
806	{
807	unsigned long off = s->inuse; / The end of info /
808
809	if (s->offset)
810	/ Freepointer is placed after the object. /
811	off += sizeof(void *);
812
813	if (s->flags & SLAB_STORE_USER)
814	/ We also have user information there /
815	off += `2` * sizeof(struct track);
816
817	off += kasan_metadata_size(s);
818
819	if (size_from_object(s) == off)
820	return `1`;
821
822	return check_bytes_and_report(s, page, p, "Object padding",
823	p + off, POISON_INUSE, size_from_object(s) - off);
824	}
825
826	/ Check the pad bytes at the end of a slab page /
827	static int slab_pad_check(struct kmem_cache s, struct* page *page)
828	{
829	u8 *start;
830	u8 *fault;
831	u8 *end;
832	u8 *pad;
833	int length;
834	int remainder;
835
836	if (!(s->flags & SLAB_POISON))
837	return `1`;
838
839	start = page_address(page);
840	length = PAGE_SIZE << compound_order(page);
841	end = start + length;
842	remainder = length % s->size;
843	if (!remainder)
844	return `1`;
845
846	pad = end - remainder;
847	metadata_access_enable();
848	fault = memchr_inv(pad, POISON_INUSE, remainder);
849	metadata_access_disable();
850	if (!fault)
851	return `1`;
852	while (end > fault && end[-`1`] == POISON_INUSE)
853	end--;
854
855	slab_err(s, page, "Padding overwritten. 0x%p-0x%p", fault, end - `1`);
856	print_section(KERN_ERR, "Padding ", pad, remainder);
857
858	restore_bytes(s, "slab padding", POISON_INUSE, fault, end);
859	return `0`;
860	}
861
862	static int check_object(struct kmem_cache s, struct* page *page,
863	void *object, u8 val)
864	{
865	u8 *p = object;
866	u8 *endobject = object + s->object_size;
867
868	if (s->flags & SLAB_RED_ZONE) {
869	if (!check_bytes_and_report(s, page, object, "Redzone",
870	object - s->red_left_pad, val, s->red_left_pad))
871	return `0`;
872
873	if (!check_bytes_and_report(s, page, object, "Redzone",
874	endobject, val, s->inuse - s->object_size))
875	return `0`;
876	} else {
877	if ((s->flags & SLAB_POISON) && s->object_size < s->inuse) {
878	check_bytes_and_report(s, page, p, "Alignment padding",
879	endobject, POISON_INUSE,
880	s->inuse - s->object_size);
881	}
882	}
883
884	if (s->flags & SLAB_POISON) {
885	if (val != SLUB_RED_ACTIVE && (s->flags & __OBJECT_POISON) &&
886	(!check_bytes_and_report(s, page, p, "Poison", p,
887	POISON_FREE, s->object_size - `1`) \|\|
888	!check_bytes_and_report(s, page, p, "Poison",
889	p + s->object_size - `1`, POISON_END, `1`)))
890	return `0`;
891	/*
892	* check_pad_bytes cleans up on its own.
893	*/
894	check_pad_bytes(s, page, p);
895	}
896
897	if (!s->offset && val == SLUB_RED_ACTIVE)
898	/*
899	* Object and freepointer overlap. Cannot check
900	* freepointer while object is allocated.
901	*/
902	return `1`;
903
904	/ Check free pointer validity /
905	if (!check_valid_pointer(s, page, get_freepointer(s, p))) {
906	object_err(s, page, p, "Freepointer corrupt");
907	/*
908	* No choice but to zap it and thus lose the remainder
909	* of the free objects in this slab. May cause
910	* another error because the object count is now wrong.
911	*/
912	set_freepointer(s, p, NULL);
913	return `0`;
914	}
915	return `1`;
916	}
917
918	static int check_slab(struct kmem_cache s, struct* page *page)
919	{
920	int maxobj;
921
922	VM_BUG_ON(!irqs_disabled());
923
924	if (!PageSlab(page)) {
925	slab_err(s, page, "Not a valid slab page");
926	return `0`;
927	}
928
929	maxobj = order_objects(compound_order(page), s->size);
930	if (page->objects > maxobj) {
931	slab_err(s, page, "objects %u > max %u",
932	page->objects, maxobj);
933	return `0`;
934	}
935	if (page->inuse > page->objects) {
936	slab_err(s, page, "inuse %u > max %u",
937	page->inuse, page->objects);
938	return `0`;
939	}
940	/ Slab_pad_check fixes things up after itself /
941	slab_pad_check(s, page);
942	return `1`;
943	}
944
945	/*
946	* Determine if a certain object on a page is on the freelist. Must hold the
947	* slab lock to guarantee that the chains are in a consistent state.
948	*/
949	static int on_freelist(struct kmem_cache s, struct* page page, void* *search)
950	{
951	int nr = `0`;
952	void *fp;
953	void *object = NULL;
954	int max_objects;
955
956	fp = page->freelist;
957	while (fp && nr <= page->objects) {
958	if (fp == search)
959	return `1`;
960	if (!check_valid_pointer(s, page, fp)) {
961	if (object) {
962	object_err(s, page, object,
963	"Freechain corrupt");
964	set_freepointer(s, object, NULL);
965	} else {
966	slab_err(s, page, "Freepointer corrupt");
967	page->freelist = NULL;
968	page->inuse = page->objects;
969	slab_fix(s, "Freelist cleared");
970	return `0`;
971	}
972	break;
973	}
974	object = fp;
975	fp = get_freepointer(s, object);
976	nr++;
977	}
978
979	max_objects = order_objects(compound_order(page), s->size);
980	if (max_objects > MAX_OBJS_PER_PAGE)
981	max_objects = MAX_OBJS_PER_PAGE;
982
983	if (page->objects != max_objects) {
984	slab_err(s, page, "Wrong number of objects. Found %d but should be %d",
985	page->objects, max_objects);
986	page->objects = max_objects;
987	slab_fix(s, "Number of objects adjusted.");
988	}
989	if (page->inuse != page->objects - nr) {
990	slab_err(s, page, "Wrong object count. Counter is %d but counted were %d",
991	page->inuse, page->objects - nr);
992	page->inuse = page->objects - nr;
993	slab_fix(s, "Object count adjusted.");
994	}
995	return search == NULL;
996	}
997
998	static void trace(struct kmem_cache s, struct* page page, void* *object,
999	int alloc)
1000	{
1001	if (s->flags & SLAB_TRACE) {
1002	pr_info("TRACE %s %s 0x%p inuse=%d fp=0x%p\n",
1003	s->name,
1004	alloc ? "alloc" : "free",
1005	object, page->inuse,
1006	page->freelist);
1007
1008	if (!alloc)
1009	print_section(KERN_INFO, "Object ", (void *)object,
1010	s->object_size);
1011
1012	dump_stack();
1013	}
1014	}
1015
1016	/*
1017	* Tracking of fully allocated slabs for debugging purposes.
1018	*/
1019	static void add_full(struct kmem_cache *s,
1020	struct kmem_cache_node n, struct* page *page)
1021	{
1022	if (!(s->flags & SLAB_STORE_USER))
1023	return;
1024
1025	lockdep_assert_held(&n->list_lock);
1026	list_add(&page->lru, &n->full);
1027	}
1028
1029	static void remove_full(struct kmem_cache s, struct* kmem_cache_node n, struct* page *page)
1030	{
1031	if (!(s->flags & SLAB_STORE_USER))
1032	return;
1033
1034	lockdep_assert_held(&n->list_lock);
1035	list_del(&page->lru);
1036	}
1037
1038	/ Tracking of the number of slabs for debugging purposes /
1039	static inline unsigned long slabs_node(struct kmem_cache s, int* node)
1040	{
1041	struct kmem_cache_node *n = get_node(s, node);
1042
1043	return atomic_long_read(&n->nr_slabs);
1044	}
1045
1046	static inline unsigned long node_nr_slabs(struct kmem_cache_node *n)
1047	{
1048	return atomic_long_read(&n->nr_slabs);
1049	}
1050
1051	static inline void inc_slabs_node(struct kmem_cache s, int* node, int objects)
1052	{
1053	struct kmem_cache_node *n = get_node(s, node);
1054
1055	/*
1056	* May be called early in order to allocate a slab for the
1057	* kmem_cache_node structure. Solve the chicken-egg
1058	* dilemma by deferring the increment of the count during
1059	* bootstrap (see early_kmem_cache_node_alloc).
1060	*/
1061	if (likely(n)) {
1062	atomic_long_inc(&n->nr_slabs);
1063	atomic_long_add(objects, &n->total_objects);
1064	}
1065	}
1066	static inline void dec_slabs_node(struct kmem_cache s, int* node, int objects)
1067	{
1068	struct kmem_cache_node *n = get_node(s, node);
1069
1070	atomic_long_dec(&n->nr_slabs);
1071	atomic_long_sub(objects, &n->total_objects);
1072	}
1073
1074	/ Object debug checks for alloc/free paths /
1075	static void setup_object_debug(struct kmem_cache s, struct* page *page,
1076	void *object)
1077	{
1078	if (!(s->flags & (SLAB_STORE_USER\|SLAB_RED_ZONE\|__OBJECT_POISON)))
1079	return;
1080
1081	init_object(s, object, SLUB_RED_INACTIVE);
1082	init_tracking(s, object);
1083	}
1084
1085	static void setup_page_debug(struct kmem_cache s, void* addr, int* order)
1086	{
1087	if (!(s->flags & SLAB_POISON))
1088	return;
1089
1090	metadata_access_enable();
1091	memset(addr, POISON_INUSE, PAGE_SIZE << order);
1092	metadata_access_disable();
1093	}
1094
1095	static inline int alloc_consistency_checks(struct kmem_cache *s,
1096	struct page page, void* *object)
1097	{
1098	if (!check_slab(s, page))
1099	return `0`;
1100
1101	if (!check_valid_pointer(s, page, object)) {
1102	object_err(s, page, object, "Freelist Pointer check fails");
1103	return `0`;
1104	}
1105
1106	if (!check_object(s, page, object, SLUB_RED_INACTIVE))
1107	return `0`;
1108
1109	return `1`;
1110	}
1111
1112	static noinline int alloc_debug_processing(struct kmem_cache *s,
1113	struct page *page,
1114	void object, unsigned* long addr)
1115	{
1116	if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1117	if (!alloc_consistency_checks(s, page, object))
1118	goto bad;
1119	}
1120
1121	/ Success perform special debug activities for allocs /
1122	if (s->flags & SLAB_STORE_USER)
1123	set_track(s, object, TRACK_ALLOC, addr);
1124	trace(s, page, object, `1`);
1125	init_object(s, object, SLUB_RED_ACTIVE);
1126	return `1`;
1127
1128	bad:
1129	if (PageSlab(page)) {
1130	/*
1131	* If this is a slab page then lets do the best we can
1132	* to avoid issues in the future. Marking all objects
1133	* as used avoids touching the remaining objects.
1134	*/
1135	slab_fix(s, "Marking all objects used");
1136	page->inuse = page->objects;
1137	page->freelist = NULL;
1138	}
1139	return `0`;
1140	}
1141
1142	static inline int free_consistency_checks(struct kmem_cache *s,
1143	struct page page, void* object, unsigned* long addr)
1144	{
1145	if (!check_valid_pointer(s, page, object)) {
1146	slab_err(s, page, "Invalid object pointer 0x%p", object);
1147	return `0`;
1148	}
1149
1150	if (on_freelist(s, page, object)) {
1151	object_err(s, page, object, "Object already free");
1152	return `0`;
1153	}
1154
1155	if (!check_object(s, page, object, SLUB_RED_ACTIVE))
1156	return `0`;
1157
1158	if (unlikely(s != page->slab_cache)) {
1159	if (!PageSlab(page)) {
1160	slab_err(s, page, "Attempt to free object(0x%p) outside of slab",
1161	object);
1162	} else if (!page->slab_cache) {
1163	pr_err("SLUB <none>: no slab for object 0x%p.\n",
1164	object);
1165	dump_stack();
1166	} else
1167	object_err(s, page, object,
1168	"page slab pointer corrupt.");
1169	return `0`;
1170	}
1171	return `1`;
1172	}
1173
1174	/ Supports checking bulk free of a constructed freelist /
1175	static noinline int free_debug_processing(
1176	struct kmem_cache s, struct* page *page,
1177	void head, void* tail, int* bulk_cnt,
1178	unsigned long addr)
1179	{
1180	struct kmem_cache_node *n = get_node(s, page_to_nid(page));
1181	void *object = head;
1182	int cnt = `0`;
1183	unsigned long uninitialized_var(flags);
1184	int ret = `0`;
1185
1186	spin_lock_irqsave(&n->list_lock, flags);
1187	slab_lock(page);
1188
1189	if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1190	if (!check_slab(s, page))
1191	goto out;
1192	}
1193
1194	next_object:
1195	cnt++;
1196
1197	if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1198	if (!free_consistency_checks(s, page, object, addr))
1199	goto out;
1200	}
1201
1202	if (s->flags & SLAB_STORE_USER)
1203	set_track(s, object, TRACK_FREE, addr);
1204	trace(s, page, object, `0`);
1205	/ Freepointer not overwritten by init_object(), SLAB_POISON moved it /
1206	init_object(s, object, SLUB_RED_INACTIVE);
1207
1208	/ Reached end of constructed freelist yet? /
1209	if (object != tail) {
1210	object = get_freepointer(s, object);
1211	goto next_object;
1212	}
1213	ret = `1`;
1214
1215	out:
1216	if (cnt != bulk_cnt)
1217	slab_err(s, page, "Bulk freelist count(%d) invalid(%d)\n",
1218	bulk_cnt, cnt);
1219
1220	slab_unlock(page);
1221	spin_unlock_irqrestore(&n->list_lock, flags);
1222	if (!ret)
1223	slab_fix(s, "Object at 0x%p not freed", object);
1224	return ret;
1225	}
1226
1227	static int __init setup_slub_debug(char *str)
1228	{
1229	slub_debug = DEBUG_DEFAULT_FLAGS;
1230	if (str++ != `'='` \|\| !str)
1231	/*
1232	* No options specified. Switch on full debugging.
1233	*/
1234	goto out;
1235
1236	if (*str == `','`)
1237	/*
1238	* No options but restriction on slabs. This means full
1239	* debugging for slabs matching a pattern.
1240	*/
1241	goto check_slabs;
1242
1243	slub_debug = `0`;
1244	if (*str == `'-'`)
1245	/*
1246	* Switch off all debugging measures.
1247	*/
1248	goto out;
1249
1250	/*
1251	* Determine which debug features should be switched on
1252	*/
1253	for (; str && str != `','`; str++) {
1254	switch (tolower(*str)) {
1255	case `'f'`:
1256	slub_debug \|= SLAB_CONSISTENCY_CHECKS;
1257	break;
1258	case `'z'`:
1259	slub_debug \|= SLAB_RED_ZONE;
1260	break;
1261	case `'p'`:
1262	slub_debug \|= SLAB_POISON;
1263	break;
1264	case `'u'`:
1265	slub_debug \|= SLAB_STORE_USER;
1266	break;
1267	case `'t'`:
1268	slub_debug \|= SLAB_TRACE;
1269	break;
1270	case `'a'`:
1271	slub_debug \|= SLAB_FAILSLAB;
1272	break;
1273	case `'o'`:
1274	/*
1275	* Avoid enabling debugging on caches if its minimum
1276	* order would increase as a result.
1277	*/
1278	disable_higher_order_debug = `1`;
1279	break;
1280	default:
1281	pr_err("slub_debug option '%c' unknown. skipped\n",
1282	*str);
1283	}
1284	}
1285
1286	check_slabs:
1287	if (*str == `','`)
1288	slub_debug_slabs = str + `1`;
1289	out:
1290	return `1`;
1291	}
1292
1293	__setup("slub_debug", setup_slub_debug);
1294
1295	/*
1296	* kmem_cache_flags - apply debugging options to the cache
1297	* @object_size: the size of an object without meta data
1298	* @flags: flags to set
1299	* @name: name of the cache
1300	* @ctor: constructor function
1301	*
1302	* Debug option(s) are applied to @flags. In addition to the debug
1303	* option(s), if a slab name (or multiple) is specified i.e.
1304	* slub_debug=<Debug-Options>,<slab name1>,<slab name2> ...
1305	* then only the select slabs will receive the debug option(s).
1306	*/
1307	slab_flags_t kmem_cache_flags(unsigned int object_size,
1308	slab_flags_t flags, const char *name,
1309	void (ctor)(void* *))
1310	{
1311	char *iter;
1312	size_t len;
1313
1314	/ If slub_debug = 0, it folds into the if conditional. /
1315	if (!slub_debug_slabs)
1316	return flags \| slub_debug;
1317
1318	len = strlen(name);
1319	iter = slub_debug_slabs;
1320	while (*iter) {
1321	char end, glob;
1322	size_t cmplen;
1323
1324	end = strchr(iter, `','`);
1325	if (!end)
1326	end = iter + strlen(iter);
1327
1328	glob = strnchr(iter, end - iter, `'*'`);
1329	if (glob)
1330	cmplen = glob - iter;
1331	else
1332	cmplen = max_t(size_t, len, (end - iter));
1333
1334	if (!strncmp(name, iter, cmplen)) {
1335	flags \|= slub_debug;
1336	break;
1337	}
1338
1339	if (!*end)
1340	break;
1341	iter = end + `1`;
1342	}
1343
1344	return flags;
1345	}
1346	#else /* !CONFIG_SLUB_DEBUG */
1347	static inline void setup_object_debug(struct kmem_cache *s,
1348	struct page page, void* *object) {}
1349	static inline void setup_page_debug(struct kmem_cache *s,
1350	void addr, int* order) {}
1351
1352	static inline int alloc_debug_processing(struct kmem_cache *s,
1353	struct page page, void* object, unsigned* long addr) { return `0`; }
1354
1355	static inline int free_debug_processing(
1356	struct kmem_cache s, struct* page *page,
1357	void head, void* tail, int* bulk_cnt,
1358	unsigned long addr) { return `0`; }
1359
1360	static inline int slab_pad_check(struct kmem_cache s, struct* page *page)
1361	{ return `1`; }
1362	static inline int check_object(struct kmem_cache s, struct* page *page,
1363	void object, u8 val) { return* `1`; }
1364	static inline void add_full(struct kmem_cache s, struct* kmem_cache_node *n,
1365	struct page *page) {}
1366	static inline void remove_full(struct kmem_cache s, struct* kmem_cache_node *n,
1367	struct page *page) {}
1368	slab_flags_t kmem_cache_flags(unsigned int object_size,
1369	slab_flags_t flags, const char *name,
1370	void (ctor)(void* *))
1371	{
1372	return flags;
1373	}
1374	#define slub_debug 0
1375
1376	#define disable_higher_order_debug 0
1377
1378	static inline unsigned long slabs_node(struct kmem_cache s, int* node)
1379	{ return `0`; }
1380	static inline unsigned long node_nr_slabs(struct kmem_cache_node *n)
1381	{ return `0`; }
1382	static inline void inc_slabs_node(struct kmem_cache s, int* node,
1383	int objects) {}
1384	static inline void dec_slabs_node(struct kmem_cache s, int* node,
1385	int objects) {}
1386
1387	#endif /* CONFIG_SLUB_DEBUG */
1388
1389	/*
1390	* Hooks for other subsystems that check memory allocations. In a typical
1391	* production configuration these hooks all should produce no code at all.
1392	*/
1393	static inline void kmalloc_large_node_hook(void* *ptr, size_t size, gfp_t flags)
1394	{
1395	ptr = kasan_kmalloc_large(ptr, size, flags);
1396	/ As ptr might get tagged, call kmemleak hook after KASAN. /
1397	kmemleak_alloc(ptr, size, `1`, flags);
1398	return ptr;
1399	}
1400
1401	static __always_inline void kfree_hook(void *x)
1402	{
1403	kmemleak_free(x);
1404	kasan_kfree_large(x, _RET_IP_);
1405	}
1406
1407	static __always_inline bool slab_free_hook(struct kmem_cache s, void* *x)
1408	{
1409	kmemleak_free_recursive(x, s->flags);
1410
1411	/*
1412	* Trouble is that we may no longer disable interrupts in the fast path
1413	* So in order to make the debug calls that expect irqs to be
1414	* disabled we need to disable interrupts temporarily.
1415	*/
1416	#ifdef CONFIG_LOCKDEP
1417	{
1418	unsigned long flags;
1419
1420	local_irq_save(flags);
1421	debug_check_no_locks_freed(x, s->object_size);
1422	local_irq_restore(flags);
1423	}
1424	#endif
1425	if (!(s->flags & SLAB_DEBUG_OBJECTS))
1426	debug_check_no_obj_freed(x, s->object_size);
1427
1428	/ KASAN might put x into memory quarantine, delaying its reuse /
1429	return kasan_slab_free(s, x, _RET_IP_);
1430	}
1431
1432	static inline bool slab_free_freelist_hook(struct kmem_cache *s,
1433	void *head, void* **tail)
1434	{
1435	/*
1436	* Compiler cannot detect this function can be removed if slab_free_hook()
1437	* evaluates to nothing. Thus, catch all relevant config debug options here.
1438	*/
1439	#if defined(CONFIG_LOCKDEP) \|\| \
1440	defined(CONFIG_DEBUG_KMEMLEAK) \|\| \
1441	defined(CONFIG_DEBUG_OBJECTS_FREE) \|\| \
1442	defined(CONFIG_KASAN)
1443
1444	void *object;
1445	void next = head;
1446	void old_tail = tail ? tail : head;
1447
1448	/ Head and tail of the reconstructed freelist /
1449	*head = NULL;
1450	*tail = NULL;
1451
1452	do {
1453	object = next;
1454	next = get_freepointer(s, object);
1455	/ If object's reuse doesn't have to be delayed /
1456	if (!slab_free_hook(s, object)) {
1457	/ Move object to the new freelist /
1458	set_freepointer(s, object, *head);
1459	*head = object;
1460	if (!*tail)
1461	*tail = object;
1462	}
1463	} while (object != old_tail);
1464
1465	if (head == tail)
1466	*tail = NULL;
1467
1468	return *head != NULL;
1469	#else
1470	return true;
1471	#endif
1472	}
1473
1474	static void setup_object(struct* kmem_cache s, struct* page *page,
1475	void *object)
1476	{
1477	setup_object_debug(s, page, object);
1478	object = kasan_init_slab_obj(s, object);
1479	if (unlikely(s->ctor)) {
1480	kasan_unpoison_object_data(s, object);
1481	s->ctor(object);
1482	kasan_poison_object_data(s, object);
1483	}
1484	return object;
1485	}
1486
1487	/*
1488	* Slab allocation and freeing
1489	*/
1490	static inline struct page alloc_slab_page(struct* kmem_cache *s,
1491	gfp_t flags, int node, struct kmem_cache_order_objects oo)
1492	{
1493	struct page *page;
1494	unsigned int order = oo_order(oo);
1495
1496	if (node == NUMA_NO_NODE)
1497	page = alloc_pages(flags, order);
1498	else
1499	page = __alloc_pages_node(node, flags, order);
1500
1501	if (page && memcg_charge_slab(page, flags, order, s)) {
1502	__free_pages(page, order);
1503	page = NULL;
1504	}
1505
1506	return page;
1507	}
1508
1509	#ifdef CONFIG_SLAB_FREELIST_RANDOM
1510	/ Pre-initialize the random sequence cache /
1511	static int init_cache_random_seq(struct kmem_cache *s)
1512	{
1513	unsigned int count = oo_objects(s->oo);
1514	int err;
1515
1516	/ Bailout if already initialised /
1517	if (s->random_seq)
1518	return `0`;
1519
1520	err = cache_random_seq_create(s, count, GFP_KERNEL);
1521	if (err) {
1522	pr_err("SLUB: Unable to initialize free list for %s\n",
1523	s->name);
1524	return err;
1525	}
1526
1527	/ Transform to an offset on the set of pages /
1528	if (s->random_seq) {
1529	unsigned int i;
1530
1531	for (i = `0`; i < count; i++)
1532	s->random_seq[i] *= s->size;
1533	}
1534	return `0`;
1535	}
1536
1537	/ Initialize each random sequence freelist per cache /
1538	static void __init init_freelist_randomization(void)
1539	{
1540	struct kmem_cache *s;
1541
1542	mutex_lock(&slab_mutex);
1543
1544	list_for_each_entry(s, &slab_caches, list)
1545	init_cache_random_seq(s);
1546
1547	mutex_unlock(&slab_mutex);
1548	}
1549
1550	/ Get the next entry on the pre-computed freelist randomized /
1551	static void next_freelist_entry(struct* kmem_cache s, struct* page *page,
1552	unsigned long pos, void* *start,
1553	unsigned long page_limit,
1554	unsigned long freelist_count)
1555	{
1556	unsigned int idx;
1557
1558	/*
1559	* If the target page allocation failed, the number of objects on the
1560	* page might be smaller than the usual size defined by the cache.
1561	*/
1562	do {
1563	idx = s->random_seq[*pos];
1564	*pos += `1`;
1565	if (*pos >= freelist_count)
1566	*pos = `0`;
1567	} while (unlikely(idx >= page_limit));
1568
1569	return (char *)start + idx;
1570	}
1571
1572	/ Shuffle the single linked freelist based on a random pre-computed sequence /
1573	static bool shuffle_freelist(struct kmem_cache s, struct* page *page)
1574	{
1575	void *start;
1576	void *cur;
1577	void *next;
1578	unsigned long idx, pos, page_limit, freelist_count;
1579
1580	if (page->objects < `2` \|\| !s->random_seq)
1581	return false;
1582
1583	freelist_count = oo_objects(s->oo);
1584	pos = get_random_int() % freelist_count;
1585
1586	page_limit = page->objects * s->size;
1587	start = fixup_red_left(s, page_address(page));
1588
1589	/ First entry is used as the base of the freelist /
1590	cur = next_freelist_entry(s, page, &pos, start, page_limit,
1591	freelist_count);
1592	cur = setup_object(s, page, cur);
1593	page->freelist = cur;
1594
1595	for (idx = `1`; idx < page->objects; idx++) {
1596	next = next_freelist_entry(s, page, &pos, start, page_limit,
1597	freelist_count);
1598	next = setup_object(s, page, next);
1599	set_freepointer(s, cur, next);
1600	cur = next;
1601	}
1602	set_freepointer(s, cur, NULL);
1603
1604	return true;
1605	}
1606	#else
1607	static inline int init_cache_random_seq(struct kmem_cache *s)
1608	{
1609	return `0`;
1610	}
1611	static inline void init_freelist_randomization(void) { }
1612	static inline bool shuffle_freelist(struct kmem_cache s, struct* page *page)
1613	{
1614	return false;
1615	}
1616	#endif /* CONFIG_SLAB_FREELIST_RANDOM */
1617
1618	static struct page allocate_slab(struct* kmem_cache s, gfp_t flags, int* node)
1619	{
1620	struct page *page;
1621	struct kmem_cache_order_objects oo = s->oo;
1622	gfp_t alloc_gfp;
1623	void start, p, *next;
1624	int idx, order;
1625	bool shuffle;
1626
1627	flags &= gfp_allowed_mask;
1628
1629	if (gfpflags_allow_blocking(flags))
1630	local_irq_enable();
1631
1632	flags \|= s->allocflags;
1633
1634	/*
1635	* Let the initial higher-order allocation fail under memory pressure
1636	* so we fall-back to the minimum order allocation.
1637	*/
1638	alloc_gfp = (flags \| __GFP_NOWARN \| __GFP_NORETRY) & ~__GFP_NOFAIL;
1639	if ((alloc_gfp & __GFP_DIRECT_RECLAIM) && oo_order(oo) > oo_order(s->min))
1640	alloc_gfp = (alloc_gfp \| __GFP_NOMEMALLOC) & ~(__GFP_RECLAIM\|__GFP_NOFAIL);
1641
1642	page = alloc_slab_page(s, alloc_gfp, node, oo);
1643	if (unlikely(!page)) {
1644	oo = s->min;
1645	alloc_gfp = flags;
1646	/*
1647	* Allocation may have failed due to fragmentation.
1648	* Try a lower order alloc if possible
1649	*/
1650	page = alloc_slab_page(s, alloc_gfp, node, oo);
1651	if (unlikely(!page))
1652	goto out;
1653	stat(s, ORDER_FALLBACK);
1654	}
1655
1656	page->objects = oo_objects(oo);
1657
1658	order = compound_order(page);
1659	page->slab_cache = s;
1660	__SetPageSlab(page);
1661	if (page_is_pfmemalloc(page))
1662	SetPageSlabPfmemalloc(page);
1663
1664	kasan_poison_slab(page);
1665
1666	start = page_address(page);
1667
1668	setup_page_debug(s, start, order);
1669
1670	shuffle = shuffle_freelist(s, page);
1671
1672	if (!shuffle) {
1673	start = fixup_red_left(s, start);
1674	start = setup_object(s, page, start);
1675	page->freelist = start;
1676	for (idx = `0`, p = start; idx < page->objects - `1`; idx++) {
1677	next = p + s->size;
1678	next = setup_object(s, page, next);
1679	set_freepointer(s, p, next);
1680	p = next;
1681	}
1682	set_freepointer(s, p, NULL);
1683	}
1684
1685	page->inuse = page->objects;
1686	page->frozen = `1`;
1687
1688	out:
1689	if (gfpflags_allow_blocking(flags))
1690	local_irq_disable();
1691	if (!page)
1692	return NULL;
1693
1694	mod_lruvec_page_state(page,
1695	(s->flags & SLAB_RECLAIM_ACCOUNT) ?
1696	NR_SLAB_RECLAIMABLE : NR_SLAB_UNRECLAIMABLE,
1697	`1` << oo_order(oo));
1698
1699	inc_slabs_node(s, page_to_nid(page), page->objects);
1700
1701	return page;
1702	}
1703
1704	static struct page new_slab(struct* kmem_cache s, gfp_t flags, int* node)
1705	{
1706	if (unlikely(flags & GFP_SLAB_BUG_MASK)) {
1707	gfp_t invalid_mask = flags & GFP_SLAB_BUG_MASK;
1708	flags &= ~GFP_SLAB_BUG_MASK;
1709	pr_warn("Unexpected gfp: %#x (%pGg). Fixing up to gfp: %#x (%pGg). Fix your code!\n",
1710	invalid_mask, &invalid_mask, flags, &flags);
1711	dump_stack();
1712	}
1713
1714	return allocate_slab(s,
1715	flags & (GFP_RECLAIM_MASK \| GFP_CONSTRAINT_MASK), node);
1716	}
1717
1718	static void __free_slab(struct kmem_cache s, struct* page *page)
1719	{
1720	int order = compound_order(page);
1721	int pages = `1` << order;
1722
1723	if (s->flags & SLAB_CONSISTENCY_CHECKS) {
1724	void *p;
1725
1726	slab_pad_check(s, page);
1727	for_each_object(p, s, page_address(page),
1728	page->objects)
1729	check_object(s, page, p, SLUB_RED_INACTIVE);
1730	}
1731
1732	mod_lruvec_page_state(page,
1733	(s->flags & SLAB_RECLAIM_ACCOUNT) ?
1734	NR_SLAB_RECLAIMABLE : NR_SLAB_UNRECLAIMABLE,
1735	-pages);
1736
1737	__ClearPageSlabPfmemalloc(page);
1738	__ClearPageSlab(page);
1739
1740	page->mapping = NULL;
1741	if (current->reclaim_state)
1742	current->reclaim_state->reclaimed_slab += pages;
1743	memcg_uncharge_slab(page, order, s);
1744	__free_pages(page, order);
1745	}
1746
1747	static void rcu_free_slab(struct rcu_head *h)
1748	{
1749	struct page page = container_of(h, struct* page, rcu_head);
1750
1751	__free_slab(page->slab_cache, page);
1752	}
1753
1754	static void free_slab(struct kmem_cache s, struct* page *page)
1755	{
1756	if (unlikely(s->flags & SLAB_TYPESAFE_BY_RCU)) {
1757	call_rcu(&page->rcu_head, rcu_free_slab);
1758	} else
1759	__free_slab(s, page);
1760	}
1761
1762	static void discard_slab(struct kmem_cache s, struct* page *page)
1763	{
1764	dec_slabs_node(s, page_to_nid(page), page->objects);
1765	free_slab(s, page);
1766	}
1767
1768	/*
1769	* Management of partially allocated slabs.
1770	*/
1771	static inline void
1772	__add_partial(struct kmem_cache_node n, struct* page page, int* tail)
1773	{
1774	n->nr_partial++;
1775	if (tail == DEACTIVATE_TO_TAIL)
1776	list_add_tail(&page->lru, &n->partial);
1777	else
1778	list_add(&page->lru, &n->partial);
1779	}
1780
1781	static inline void add_partial(struct kmem_cache_node *n,
1782	struct page page, int* tail)
1783	{
1784	lockdep_assert_held(&n->list_lock);
1785	__add_partial(n, page, tail);
1786	}
1787
1788	static inline void remove_partial(struct kmem_cache_node *n,
1789	struct page *page)
1790	{
1791	lockdep_assert_held(&n->list_lock);
1792	list_del(&page->lru);
1793	n->nr_partial--;
1794	}
1795
1796	/*
1797	* Remove slab from the partial list, freeze it and
1798	* return the pointer to the freelist.
1799	*
1800	* Returns a list of objects or NULL if it fails.
1801	*/
1802	static inline void acquire_slab(struct* kmem_cache *s,
1803	struct kmem_cache_node n, struct* page *page,
1804	int mode, int *objects)
1805	{
1806	void *freelist;
1807	unsigned long counters;
1808	struct page new;
1809
1810	lockdep_assert_held(&n->list_lock);
1811
1812	/*
1813	* Zap the freelist and set the frozen bit.
1814	* The old freelist is the list of objects for the
1815	* per cpu allocation list.
1816	*/
1817	freelist = page->freelist;
1818	counters = page->counters;
1819	new.counters = counters;
1820	*objects = new.objects - new.inuse;
1821	if (mode) {
1822	new.inuse = page->objects;
1823	new.freelist = NULL;
1824	} else {
1825	new.freelist = freelist;
1826	}
1827
1828	VM_BUG_ON(new.frozen);
1829	new.frozen = `1`;
1830
1831	if (!__cmpxchg_double_slab(s, page,
1832	freelist, counters,
1833	new.freelist, new.counters,
1834	"acquire_slab"))
1835	return NULL;
1836
1837	remove_partial(n, page);
1838	WARN_ON(!freelist);
1839	return freelist;
1840	}
1841
1842	static void put_cpu_partial(struct kmem_cache s, struct* page page, int* drain);
1843	static inline bool pfmemalloc_match(struct page *page, gfp_t gfpflags);
1844
1845	/*
1846	* Try to allocate a partial slab from a specific node.
1847	*/
1848	static void get_partial_node(struct* kmem_cache s, struct* kmem_cache_node *n,
1849	struct kmem_cache_cpu *c, gfp_t flags)
1850	{
1851	struct page page, page2;
1852	void *object = NULL;
1853	unsigned int available = `0`;
1854	int objects;
1855
1856	/*
1857	* Racy check. If we mistakenly see no partial slabs then we
1858	* just allocate an empty slab. If we mistakenly try to get a
1859	* partial slab and there is none available then get_partials()
1860	* will return NULL.
1861	*/
1862	if (!n \|\| !n->nr_partial)
1863	return NULL;
1864
1865	spin_lock(&n->list_lock);
1866	list_for_each_entry_safe(page, page2, &n->partial, lru) {
1867	void *t;
1868
1869	if (!pfmemalloc_match(page, flags))
1870	continue;
1871
1872	t = acquire_slab(s, n, page, object == NULL, &objects);
1873	if (!t)
1874	break;
1875
1876	available += objects;
1877	if (!object) {
1878	c->page = page;
1879	stat(s, ALLOC_FROM_PARTIAL);
1880	object = t;
1881	} else {
1882	put_cpu_partial(s, page, `0`);
1883	stat(s, CPU_PARTIAL_NODE);
1884	}
1885	if (!kmem_cache_has_cpu_partial(s)
1886	\|\| available > slub_cpu_partial(s) / `2`)
1887	break;
1888
1889	}
1890	spin_unlock(&n->list_lock);
1891	return object;
1892	}
1893
1894	/*
1895	* Get a page from somewhere. Search in increasing NUMA distances.
1896	*/
1897	static void get_any_partial(struct* kmem_cache *s, gfp_t flags,
1898	struct kmem_cache_cpu *c)
1899	{
1900	#ifdef CONFIG_NUMA
1901	struct zonelist *zonelist;
1902	struct zoneref *z;
1903	struct zone *zone;
1904	enum zone_type high_zoneidx = gfp_zone(flags);
1905	void *object;
1906	unsigned int cpuset_mems_cookie;
1907
1908	/*
1909	* The defrag ratio allows a configuration of the tradeoffs between
1910	* inter node defragmentation and node local allocations. A lower
1911	* defrag_ratio increases the tendency to do local allocations
1912	* instead of attempting to obtain partial slabs from other nodes.
1913	*
1914	* If the defrag_ratio is set to 0 then kmalloc() always
1915	* returns node local objects. If the ratio is higher then kmalloc()
1916	* may return off node objects because partial slabs are obtained
1917	* from other nodes and filled up.
1918	*
1919	* If /sys/kernel/slab/xx/remote_node_defrag_ratio is set to 100
1920	* (which makes defrag_ratio = 1000) then every (well almost)
1921	* allocation will first attempt to defrag slab caches on other nodes.
1922	* This means scanning over all nodes to look for partial slabs which
1923	* may be expensive if we do it every time we are trying to find a slab
1924	* with available objects.
1925	*/
1926	if (!s->remote_node_defrag_ratio \|\|
1927	get_cycles() % `1024` > s->remote_node_defrag_ratio)
1928	return NULL;
1929
1930	do {
1931	cpuset_mems_cookie = read_mems_allowed_begin();
1932	zonelist = node_zonelist(mempolicy_slab_node(), flags);
1933	for_each_zone_zonelist(zone, z, zonelist, high_zoneidx) {
1934	struct kmem_cache_node *n;
1935
1936	n = get_node(s, zone_to_nid(zone));
1937
1938	if (n && cpuset_zone_allowed(zone, flags) &&
1939	n->nr_partial > s->min_partial) {
1940	object = get_partial_node(s, n, c, flags);
1941	if (object) {
1942	/*
1943	* Don't check read_mems_allowed_retry()
1944	* here - if mems_allowed was updated in
1945	* parallel, that was a harmless race
1946	* between allocation and the cpuset
1947	* update
1948	*/
1949	return object;
1950	}
1951	}
1952	}
1953	} while (read_mems_allowed_retry(cpuset_mems_cookie));
1954	#endif
1955	return NULL;
1956	}
1957
1958	/*
1959	* Get a partial page, lock it and return it.
1960	*/
1961	static void get_partial(struct* kmem_cache s, gfp_t flags, int* node,
1962	struct kmem_cache_cpu *c)
1963	{
1964	void *object;
1965	int searchnode = node;
1966
1967	if (node == NUMA_NO_NODE)
1968	searchnode = numa_mem_id();
1969	else if (!node_present_pages(node))
1970	searchnode = node_to_mem_node(node);
1971
1972	object = get_partial_node(s, get_node(s, searchnode), c, flags);
1973	if (object \|\| node != NUMA_NO_NODE)
1974	return object;
1975
1976	return get_any_partial(s, flags, c);
1977	}
1978
1979	#ifdef CONFIG_PREEMPT
1980	/*
1981	* Calculate the next globally unique transaction for disambiguiation
1982	* during cmpxchg. The transactions start with the cpu number and are then
1983	* incremented by CONFIG_NR_CPUS.
1984	*/
1985	#define TID_STEP roundup_pow_of_two(CONFIG_NR_CPUS)
1986	#else
1987	/*
1988	* No preemption supported therefore also no need to check for
1989	* different cpus.
1990	*/
1991	#define TID_STEP 1
1992	#endif
1993
1994	static inline unsigned long next_tid(unsigned long tid)
1995	{
1996	return tid + TID_STEP;
1997	}
1998
1999	static inline unsigned int tid_to_cpu(unsigned long tid)
2000	{
2001	return tid % TID_STEP;
2002	}
2003
2004	static inline unsigned long tid_to_event(unsigned long tid)
2005	{
2006	return tid / TID_STEP;
2007	}
2008
2009	static inline unsigned int init_tid(int cpu)
2010	{
2011	return cpu;
2012	}
2013
2014	static inline void note_cmpxchg_failure(const char *n,
2015	const struct kmem_cache s, unsigned* long tid)
2016	{
2017	#ifdef SLUB_DEBUG_CMPXCHG
2018	unsigned long actual_tid = __this_cpu_read(s->cpu_slab->tid);
2019
2020	pr_info("%s %s: cmpxchg redo ", n, s->name);
2021
2022	#ifdef CONFIG_PREEMPT
2023	if (tid_to_cpu(tid) != tid_to_cpu(actual_tid))
2024	pr_warn("due to cpu change %d -> %d\n",
2025	tid_to_cpu(tid), tid_to_cpu(actual_tid));
2026	else
2027	#endif
2028	if (tid_to_event(tid) != tid_to_event(actual_tid))
2029	pr_warn("due to cpu running other code. Event %ld->%ld\n",
2030	tid_to_event(tid), tid_to_event(actual_tid));
2031	else
2032	pr_warn("for unknown reason: actual=%lx was=%lx target=%lx\n",
2033	actual_tid, tid, next_tid(tid));
2034	#endif
2035	stat(s, CMPXCHG_DOUBLE_CPU_FAIL);
2036	}
2037
2038	static void init_kmem_cache_cpus(struct kmem_cache *s)
2039	{
2040	int cpu;
2041
2042	for_each_possible_cpu(cpu)
2043	per_cpu_ptr(s->cpu_slab, cpu)->tid = init_tid(cpu);
2044	}
2045
2046	/*
2047	* Remove the cpu slab
2048	*/
2049	static void deactivate_slab(struct kmem_cache s, struct* page *page,
2050	void freelist, struct* kmem_cache_cpu *c)
2051	{
2052	enum slab_modes { M_NONE, M_PARTIAL, M_FULL, M_FREE };
2053	struct kmem_cache_node *n = get_node(s, page_to_nid(page));
2054	int lock = `0`;
2055	enum slab_modes l = M_NONE, m = M_NONE;
2056	void *nextfree;
2057	int tail = DEACTIVATE_TO_HEAD;
2058	struct page new;
2059	struct page old;
2060
2061	if (page->freelist) {
2062	stat(s, DEACTIVATE_REMOTE_FREES);
2063	tail = DEACTIVATE_TO_TAIL;
2064	}
2065
2066	/*
2067	* Stage one: Free all available per cpu objects back
2068	* to the page freelist while it is still frozen. Leave the
2069	* last one.
2070	*
2071	* There is no need to take the list->lock because the page
2072	* is still frozen.
2073	*/
2074	while (freelist && (nextfree = get_freepointer(s, freelist))) {
2075	void *prior;
2076	unsigned long counters;
2077
2078	do {
2079	prior = page->freelist;
2080	counters = page->counters;
2081	set_freepointer(s, freelist, prior);
2082	new.counters = counters;
2083	new.inuse--;
2084	VM_BUG_ON(!new.frozen);
2085
2086	} while (!__cmpxchg_double_slab(s, page,
2087	prior, counters,
2088	freelist, new.counters,
2089	"drain percpu freelist"));
2090
2091	freelist = nextfree;
2092	}
2093
2094	/*
2095	* Stage two: Ensure that the page is unfrozen while the
2096	* list presence reflects the actual number of objects
2097	* during unfreeze.
2098	*
2099	* We setup the list membership and then perform a cmpxchg
2100	* with the count. If there is a mismatch then the page
2101	* is not unfrozen but the page is on the wrong list.
2102	*
2103	* Then we restart the process which may have to remove
2104	* the page from the list that we just put it on again
2105	* because the number of objects in the slab may have
2106	* changed.
2107	*/
2108	redo:
2109
2110	old.freelist = page->freelist;
2111	old.counters = page->counters;
2112	VM_BUG_ON(!old.frozen);
2113
2114	/ Determine target state of the slab /
2115	new.counters = old.counters;
2116	if (freelist) {
2117	new.inuse--;
2118	set_freepointer(s, freelist, old.freelist);
2119	new.freelist = freelist;
2120	} else
2121	new.freelist = old.freelist;
2122
2123	new.frozen = `0`;
2124
2125	if (!new.inuse && n->nr_partial >= s->min_partial)
2126	m = M_FREE;
2127	else if (new.freelist) {
2128	m = M_PARTIAL;
2129	if (!lock) {
2130	lock = `1`;
2131	/*
2132	* Taking the spinlock removes the possibility
2133	* that acquire_slab() will see a slab page that
2134	* is frozen
2135	*/
2136	spin_lock(&n->list_lock);
2137	}
2138	} else {
2139	m = M_FULL;
2140	if (kmem_cache_debug(s) && !lock) {
2141	lock = `1`;
2142	/*
2143	* This also ensures that the scanning of full
2144	* slabs from diagnostic functions will not see
2145	* any frozen slabs.
2146	*/
2147	spin_lock(&n->list_lock);
2148	}
2149	}
2150
2151	if (l != m) {
2152	if (l == M_PARTIAL)
2153	remove_partial(n, page);
2154	else if (l == M_FULL)
2155	remove_full(s, n, page);
2156
2157	if (m == M_PARTIAL)
2158	add_partial(n, page, tail);
2159	else if (m == M_FULL)
2160	add_full(s, n, page);
2161	}
2162
2163	l = m;
2164	if (!__cmpxchg_double_slab(s, page,
2165	old.freelist, old.counters,
2166	new.freelist, new.counters,
2167	"unfreezing slab"))
2168	goto redo;
2169
2170	if (lock)
2171	spin_unlock(&n->list_lock);
2172
2173	if (m == M_PARTIAL)
2174	stat(s, tail);
2175	else if (m == M_FULL)
2176	stat(s, DEACTIVATE_FULL);
2177	else if (m == M_FREE) {
2178	stat(s, DEACTIVATE_EMPTY);
2179	discard_slab(s, page);
2180	stat(s, FREE_SLAB);
2181	}
2182
2183	c->page = NULL;
2184	c->freelist = NULL;
2185	}
2186
2187	/*
2188	* Unfreeze all the cpu partial slabs.
2189	*
2190	* This function must be called with interrupts disabled
2191	* for the cpu using c (or some other guarantee must be there
2192	* to guarantee no concurrent accesses).
2193	*/
2194	static void unfreeze_partials(struct kmem_cache *s,
2195	struct kmem_cache_cpu *c)
2196	{
2197	#ifdef CONFIG_SLUB_CPU_PARTIAL
2198	struct kmem_cache_node n = NULL, n2 = NULL;
2199	struct page page, discard_page = NULL;
2200
2201	while ((page = c->partial)) {
2202	struct page new;
2203	struct page old;
2204
2205	c->partial = page->next;
2206
2207	n2 = get_node(s, page_to_nid(page));
2208	if (n != n2) {
2209	if (n)
2210	spin_unlock(&n->list_lock);
2211
2212	n = n2;
2213	spin_lock(&n->list_lock);
2214	}
2215
2216	do {
2217
2218	old.freelist = page->freelist;
2219	old.counters = page->counters;
2220	VM_BUG_ON(!old.frozen);
2221
2222	new.counters = old.counters;
2223	new.freelist = old.freelist;
2224
2225	new.frozen = `0`;
2226
2227	} while (!__cmpxchg_double_slab(s, page,
2228	old.freelist, old.counters,
2229	new.freelist, new.counters,
2230	"unfreezing slab"));
2231
2232	if (unlikely(!new.inuse && n->nr_partial >= s->min_partial)) {
2233	page->next = discard_page;
2234	discard_page = page;
2235	} else {
2236	add_partial(n, page, DEACTIVATE_TO_TAIL);
2237	stat(s, FREE_ADD_PARTIAL);
2238	}
2239	}
2240
2241	if (n)
2242	spin_unlock(&n->list_lock);
2243
2244	while (discard_page) {
2245	page = discard_page;
2246	discard_page = discard_page->next;
2247
2248	stat(s, DEACTIVATE_EMPTY);
2249	discard_slab(s, page);
2250	stat(s, FREE_SLAB);
2251	}
2252	#endif
2253	}
2254
2255	/*
2256	* Put a page that was just frozen (in __slab_free\|get_partial_node) into a
2257	* partial page slot if available.
2258	*
2259	* If we did not find a slot then simply move all the partials to the
2260	* per node partial list.
2261	*/
2262	static void put_cpu_partial(struct kmem_cache s, struct* page page, int* drain)
2263	{
2264	#ifdef CONFIG_SLUB_CPU_PARTIAL
2265	struct page *oldpage;
2266	int pages;
2267	int pobjects;
2268
2269	preempt_disable();
2270	do {
2271	pages = `0`;
2272	pobjects = `0`;
2273	oldpage = this_cpu_read(s->cpu_slab->partial);
2274
2275	if (oldpage) {
2276	pobjects = oldpage->pobjects;
2277	pages = oldpage->pages;
2278	if (drain && pobjects > s->cpu_partial) {
2279	unsigned long flags;
2280	/*
2281	* partial array is full. Move the existing
2282	* set to the per node partial list.
2283	*/
2284	local_irq_save(flags);
2285	unfreeze_partials(s, this_cpu_ptr(s->cpu_slab));
2286	local_irq_restore(flags);
2287	oldpage = NULL;
2288	pobjects = `0`;
2289	pages = `0`;
2290	stat(s, CPU_PARTIAL_DRAIN);
2291	}
2292	}
2293
2294	pages++;
2295	pobjects += page->objects - page->inuse;
2296
2297	page->pages = pages;
2298	page->pobjects = pobjects;
2299	page->next = oldpage;
2300
2301	} while (this_cpu_cmpxchg(s->cpu_slab->partial, oldpage, page)
2302	!= oldpage);
2303	if (unlikely(!s->cpu_partial)) {
2304	unsigned long flags;
2305
2306	local_irq_save(flags);
2307	unfreeze_partials(s, this_cpu_ptr(s->cpu_slab));
2308	local_irq_restore(flags);
2309	}
2310	preempt_enable();
2311	#endif
2312	}
2313
2314	static inline void flush_slab(struct kmem_cache s, struct* kmem_cache_cpu *c)
2315	{
2316	stat(s, CPUSLAB_FLUSH);
2317	deactivate_slab(s, c->page, c->freelist, c);
2318
2319	c->tid = next_tid(c->tid);
2320	}
2321
2322	/*
2323	* Flush cpu slab.
2324	*
2325	* Called from IPI handler with interrupts disabled.
2326	*/
2327	static inline void __flush_cpu_slab(struct kmem_cache s, int* cpu)
2328	{
2329	struct kmem_cache_cpu *c = per_cpu_ptr(s->cpu_slab, cpu);
2330
2331	if (c->page)
2332	flush_slab(s, c);
2333
2334	unfreeze_partials(s, c);
2335	}
2336
2337	static void flush_cpu_slab(void *d)
2338	{
2339	struct kmem_cache *s = d;
2340
2341	__flush_cpu_slab(s, smp_processor_id());
2342	}
2343
2344	static bool has_cpu_slab(int cpu, void *info)
2345	{
2346	struct kmem_cache *s = info;
2347	struct kmem_cache_cpu *c = per_cpu_ptr(s->cpu_slab, cpu);
2348
2349	return c->page \|\| slub_percpu_partial(c);
2350	}
2351
2352	static void flush_all(struct kmem_cache *s)
2353	{
2354	on_each_cpu_cond(has_cpu_slab, flush_cpu_slab, s, `1`, GFP_ATOMIC);
2355	}
2356
2357	/*
2358	* Use the cpu notifier to insure that the cpu slabs are flushed when
2359	* necessary.
2360	*/
2361	static int slub_cpu_dead(unsigned int cpu)
2362	{
2363	struct kmem_cache *s;
2364	unsigned long flags;
2365
2366	mutex_lock(&slab_mutex);
2367	list_for_each_entry(s, &slab_caches, list) {
2368	local_irq_save(flags);
2369	__flush_cpu_slab(s, cpu);
2370	local_irq_restore(flags);
2371	}
2372	mutex_unlock(&slab_mutex);
2373	return `0`;
2374	}
2375
2376	/*
2377	* Check if the objects in a per cpu structure fit numa
2378	* locality expectations.
2379	*/
2380	static inline int node_match(struct page page, int* node)
2381	{
2382	#ifdef CONFIG_NUMA
2383	if (node != NUMA_NO_NODE && page_to_nid(page) != node)
2384	return `0`;
2385	#endif
2386	return `1`;
2387	}
2388
2389	#ifdef CONFIG_SLUB_DEBUG
2390	static int count_free(struct page *page)
2391	{
2392	return page->objects - page->inuse;
2393	}
2394
2395	static inline unsigned long node_nr_objs(struct kmem_cache_node *n)
2396	{
2397	return atomic_long_read(&n->total_objects);
2398	}
2399	#endif /* CONFIG_SLUB_DEBUG */
2400
2401	#if defined(CONFIG_SLUB_DEBUG) \|\| defined(CONFIG_SYSFS)
2402	static unsigned long count_partial(struct kmem_cache_node *n,
2403	int (get_count)(struct* page *))
2404	{
2405	unsigned long flags;
2406	unsigned long x = `0`;
2407	struct page *page;
2408
2409	spin_lock_irqsave(&n->list_lock, flags);
2410	list_for_each_entry(page, &n->partial, lru)
2411	x += get_count(page);
2412	spin_unlock_irqrestore(&n->list_lock, flags);
2413	return x;
2414	}
2415	#endif /* CONFIG_SLUB_DEBUG \|\| CONFIG_SYSFS */
2416
2417	static noinline void
2418	slab_out_of_memory(struct kmem_cache s, gfp_t gfpflags, int* nid)
2419	{
2420	#ifdef CONFIG_SLUB_DEBUG
2421	static DEFINE_RATELIMIT_STATE(slub_oom_rs, DEFAULT_RATELIMIT_INTERVAL,
2422	DEFAULT_RATELIMIT_BURST);
2423	int node;
2424	struct kmem_cache_node *n;
2425
2426	if ((gfpflags & __GFP_NOWARN) \|\| !__ratelimit(&slub_oom_rs))
2427	return;
2428
2429	pr_warn("SLUB: Unable to allocate memory on node %d, gfp=%#x(%pGg)\n",
2430	nid, gfpflags, &gfpflags);
2431	pr_warn(" cache: %s, object size: %u, buffer size: %u, default order: %u, min order: %u\n",
2432	s->name, s->object_size, s->size, oo_order(s->oo),
2433	oo_order(s->min));
2434
2435	if (oo_order(s->min) > get_order(s->object_size))
2436	pr_warn(" %s debugging increased min order, use slub_debug=O to disable.\n",
2437	s->name);
2438
2439	for_each_kmem_cache_node(s, node, n) {
2440	unsigned long nr_slabs;
2441	unsigned long nr_objs;
2442	unsigned long nr_free;
2443
2444	nr_free = count_partial(n, count_free);
2445	nr_slabs = node_nr_slabs(n);
2446	nr_objs = node_nr_objs(n);
2447
2448	pr_warn(" node %d: slabs: %ld, objs: %ld, free: %ld\n",
2449	node, nr_slabs, nr_objs, nr_free);
2450	}
2451	#endif
2452	}
2453
2454	static inline void new_slab_objects(struct* kmem_cache *s, gfp_t flags,
2455	int node, struct kmem_cache_cpu **pc)
2456	{
2457	void *freelist;
2458	struct kmem_cache_cpu c = pc;
2459	struct page *page;
2460
2461	WARN_ON_ONCE(s->ctor && (flags & __GFP_ZERO));
2462
2463	freelist = get_partial(s, flags, node, c);
2464
2465	if (freelist)
2466	return freelist;
2467
2468	page = new_slab(s, flags, node);
2469	if (page) {
2470	c = raw_cpu_ptr(s->cpu_slab);
2471	if (c->page)
2472	flush_slab(s, c);
2473
2474	/*
2475	* No other reference to the page yet so we can
2476	* muck around with it freely without cmpxchg
2477	*/
2478	freelist = page->freelist;
2479	page->freelist = NULL;
2480
2481	stat(s, ALLOC_SLAB);
2482	c->page = page;
2483	*pc = c;
2484	}
2485
2486	return freelist;
2487	}
2488
2489	static inline bool pfmemalloc_match(struct page *page, gfp_t gfpflags)
2490	{
2491	if (unlikely(PageSlabPfmemalloc(page)))
2492	return gfp_pfmemalloc_allowed(gfpflags);
2493
2494	return true;
2495	}
2496
2497	/*
2498	* Check the page->freelist of a page and either transfer the freelist to the
2499	* per cpu freelist or deactivate the page.
2500	*
2501	* The page is still frozen if the return value is not NULL.
2502	*
2503	* If this function returns NULL then the page has been unfrozen.
2504	*
2505	* This function must be called with interrupt disabled.
2506	*/
2507	static inline void get_freelist(struct* kmem_cache s, struct* page *page)
2508	{
2509	struct page new;
2510	unsigned long counters;
2511	void *freelist;
2512
2513	do {
2514	freelist = page->freelist;
2515	counters = page->counters;
2516
2517	new.counters = counters;
2518	VM_BUG_ON(!new.frozen);
2519
2520	new.inuse = page->objects;
2521	new.frozen = freelist != NULL;
2522
2523	} while (!__cmpxchg_double_slab(s, page,
2524	freelist, counters,
2525	NULL, new.counters,
2526	"get_freelist"));
2527
2528	return freelist;
2529	}
2530
2531	/*
2532	* Slow path. The lockless freelist is empty or we need to perform
2533	* debugging duties.
2534	*
2535	* Processing is still very fast if new objects have been freed to the
2536	* regular freelist. In that case we simply take over the regular freelist
2537	* as the lockless freelist and zap the regular freelist.
2538	*
2539	* If that is not working then we fall back to the partial lists. We take the
2540	* first element of the freelist as the object to allocate now and move the
2541	* rest of the freelist to the lockless freelist.
2542	*
2543	* And if we were unable to get a new slab from the partial slab lists then
2544	* we need to allocate a new slab. This is the slowest path since it involves
2545	* a call to the page allocator and the setup of a new slab.
2546	*
2547	* Version of __slab_alloc to use when we know that interrupts are
2548	* already disabled (which is the case for bulk allocation).
2549	*/
2550	static void ___slab_alloc(struct* kmem_cache s, gfp_t gfpflags, int* node,
2551	unsigned long addr, struct kmem_cache_cpu *c)
2552	{
2553	void *freelist;
2554	struct page *page;
2555
2556	page = c->page;
2557	if (!page)
2558	goto new_slab;
2559	redo:
2560
2561	if (unlikely(!node_match(page, node))) {
2562	int searchnode = node;
2563
2564	if (node != NUMA_NO_NODE && !node_present_pages(node))
2565	searchnode = node_to_mem_node(node);
2566
2567	if (unlikely(!node_match(page, searchnode))) {
2568	stat(s, ALLOC_NODE_MISMATCH);
2569	deactivate_slab(s, page, c->freelist, c);
2570	goto new_slab;
2571	}
2572	}
2573
2574	/*
2575	* By rights, we should be searching for a slab page that was
2576	* PFMEMALLOC but right now, we are losing the pfmemalloc
2577	* information when the page leaves the per-cpu allocator
2578	*/
2579	if (unlikely(!pfmemalloc_match(page, gfpflags))) {
2580	deactivate_slab(s, page, c->freelist, c);
2581	goto new_slab;
2582	}
2583
2584	/ must check again c->freelist in case of cpu migration or IRQ /
2585	freelist = c->freelist;
2586	if (freelist)
2587	goto load_freelist;
2588
2589	freelist = get_freelist(s, page);
2590
2591	if (!freelist) {
2592	c->page = NULL;
2593	stat(s, DEACTIVATE_BYPASS);
2594	goto new_slab;
2595	}
2596
2597	stat(s, ALLOC_REFILL);
2598
2599	load_freelist:
2600	/*
2601	* freelist is pointing to the list of objects to be used.
2602	* page is pointing to the page from which the objects are obtained.
2603	* That page must be frozen for per cpu allocations to work.
2604	*/
2605	VM_BUG_ON(!c->page->frozen);
2606	c->freelist = get_freepointer(s, freelist);
2607	c->tid = next_tid(c->tid);
2608	return freelist;
2609
2610	new_slab:
2611
2612	if (slub_percpu_partial(c)) {
2613	page = c->page = slub_percpu_partial(c);
2614	slub_set_percpu_partial(c, page);
2615	stat(s, CPU_PARTIAL_ALLOC);
2616	goto redo;
2617	}
2618
2619	freelist = new_slab_objects(s, gfpflags, node, &c);
2620
2621	if (unlikely(!freelist)) {
2622	slab_out_of_memory(s, gfpflags, node);
2623	return NULL;
2624	}
2625
2626	page = c->page;
2627	if (likely(!kmem_cache_debug(s) && pfmemalloc_match(page, gfpflags)))
2628	goto load_freelist;
2629
2630	/ Only entered in the debug case /
2631	if (kmem_cache_debug(s) &&
2632	!alloc_debug_processing(s, page, freelist, addr))
2633	goto new_slab; / Slab failed checks. Next slab needed /
2634
2635	deactivate_slab(s, page, get_freepointer(s, freelist), c);
2636	return freelist;
2637	}
2638
2639	/*
2640	* Another one that disabled interrupt and compensates for possible
2641	* cpu changes by refetching the per cpu area pointer.
2642	*/
2643	static void __slab_alloc(struct* kmem_cache s, gfp_t gfpflags, int* node,
2644	unsigned long addr, struct kmem_cache_cpu *c)
2645	{
2646	void *p;
2647	unsigned long flags;
2648
2649	local_irq_save(flags);
2650	#ifdef CONFIG_PREEMPT
2651	/*
2652	* We may have been preempted and rescheduled on a different
2653	* cpu before disabling interrupts. Need to reload cpu area
2654	* pointer.
2655	*/
2656	c = this_cpu_ptr(s->cpu_slab);
2657	#endif
2658
2659	p = ___slab_alloc(s, gfpflags, node, addr, c);
2660	local_irq_restore(flags);
2661	return p;
2662	}
2663
2664	/*
2665	* Inlined fastpath so that allocation functions (kmalloc, kmem_cache_alloc)
2666	* have the fastpath folded into their functions. So no function call
2667	* overhead for requests that can be satisfied on the fastpath.
2668	*
2669	* The fastpath works by first checking if the lockless freelist can be used.
2670	* If not then __slab_alloc is called for slow processing.
2671	*
2672	* Otherwise we can simply pick the next object from the lockless free list.
2673	*/
2674	static __always_inline void slab_alloc_node(struct* kmem_cache *s,
2675	gfp_t gfpflags, int node, unsigned long addr)
2676	{
2677	void *object;
2678	struct kmem_cache_cpu *c;
2679	struct page *page;
2680	unsigned long tid;
2681
2682	s = slab_pre_alloc_hook(s, gfpflags);
2683	if (!s)
2684	return NULL;
2685	redo:
2686	/*
2687	* Must read kmem_cache cpu data via this cpu ptr. Preemption is
2688	* enabled. We may switch back and forth between cpus while
2689	* reading from one cpu area. That does not matter as long
2690	* as we end up on the original cpu again when doing the cmpxchg.
2691	*
2692	* We should guarantee that tid and kmem_cache are retrieved on
2693	* the same cpu. It could be different if CONFIG_PREEMPT so we need
2694	* to check if it is matched or not.
2695	*/
2696	do {
2697	tid = this_cpu_read(s->cpu_slab->tid);
2698	c = raw_cpu_ptr(s->cpu_slab);
2699	} while (IS_ENABLED(CONFIG_PREEMPT) &&
2700	unlikely(tid != READ_ONCE(c->tid)));
2701
2702	/*
2703	* Irqless object alloc/free algorithm used here depends on sequence
2704	* of fetching cpu_slab's data. tid should be fetched before anything
2705	* on c to guarantee that object and page associated with previous tid
2706	* won't be used with current tid. If we fetch tid first, object and
2707	* page could be one associated with next tid and our alloc/free
2708	* request will be failed. In this case, we will retry. So, no problem.
2709	*/
2710	barrier();
2711
2712	/*
2713	* The transaction ids are globally unique per cpu and per operation on
2714	* a per cpu queue. Thus they can be guarantee that the cmpxchg_double
2715	* occurs on the right processor and that there was no operation on the
2716	* linked list in between.
2717	*/
2718
2719	object = c->freelist;
2720	page = c->page;
2721	if (unlikely(!object \|\| !node_match(page, node))) {
2722	object = __slab_alloc(s, gfpflags, node, addr, c);
2723	stat(s, ALLOC_SLOWPATH);
2724	} else {
2725	void *next_object = get_freepointer_safe(s, object);
2726
2727	/*
2728	* The cmpxchg will only match if there was no additional
2729	* operation and if we are on the right processor.
2730	*
2731	* The cmpxchg does the following atomically (without lock
2732	* semantics!)
2733	* 1. Relocate first pointer to the current per cpu area.
2734	* 2. Verify that tid and freelist have not been changed
2735	* 3. If they were not changed replace tid and freelist
2736	*
2737	* Since this is without lock semantics the protection is only
2738	* against code executing on this cpu not from access by
2739	* other cpus.
2740	*/
2741	if (unlikely(!this_cpu_cmpxchg_double(
2742	s->cpu_slab->freelist, s->cpu_slab->tid,
2743	object, tid,
2744	next_object, next_tid(tid)))) {
2745
2746	note_cmpxchg_failure("slab_alloc", s, tid);
2747	goto redo;
2748	}
2749	prefetch_freepointer(s, next_object);
2750	stat(s, ALLOC_FASTPATH);
2751	}
2752
2753	if (unlikely(gfpflags & __GFP_ZERO) && object)
2754	memset(object, `0`, s->object_size);
2755
2756	slab_post_alloc_hook(s, gfpflags, `1`, &object);
2757
2758	return object;
2759	}
2760
2761	static __always_inline void slab_alloc(struct* kmem_cache *s,
2762	gfp_t gfpflags, unsigned long addr)
2763	{
2764	return slab_alloc_node(s, gfpflags, NUMA_NO_NODE, addr);
2765	}
2766
2767	void kmem_cache_alloc(struct* kmem_cache *s, gfp_t gfpflags)
2768	{
2769	void *ret = slab_alloc(s, gfpflags, _RET_IP_);
2770
2771	trace_kmem_cache_alloc(_RET_IP_, ret, s->object_size,
2772	s->size, gfpflags);
2773
2774	return ret;
2775	}
2776	EXPORT_SYMBOL(kmem_cache_alloc);
2777
2778	#ifdef CONFIG_TRACING
2779	void kmem_cache_alloc_trace(struct* kmem_cache *s, gfp_t gfpflags, size_t size)
2780	{
2781	void *ret = slab_alloc(s, gfpflags, _RET_IP_);
2782	trace_kmalloc(_RET_IP_, ret, size, s->size, gfpflags);
2783	ret = kasan_kmalloc(s, ret, size, gfpflags);
2784	return ret;
2785	}
2786	EXPORT_SYMBOL(kmem_cache_alloc_trace);
2787	#endif
2788
2789	#ifdef CONFIG_NUMA
2790	void kmem_cache_alloc_node(struct* kmem_cache s, gfp_t gfpflags, int* node)
2791	{
2792	void *ret = slab_alloc_node(s, gfpflags, node, _RET_IP_);
2793
2794	trace_kmem_cache_alloc_node(_RET_IP_, ret,
2795	s->object_size, s->size, gfpflags, node);
2796
2797	return ret;
2798	}
2799	EXPORT_SYMBOL(kmem_cache_alloc_node);
2800
2801	#ifdef CONFIG_TRACING
2802	void kmem_cache_alloc_node_trace(struct* kmem_cache *s,
2803	gfp_t gfpflags,
2804	int node, size_t size)
2805	{
2806	void *ret = slab_alloc_node(s, gfpflags, node, _RET_IP_);
2807
2808	trace_kmalloc_node(_RET_IP_, ret,
2809	size, s->size, gfpflags, node);
2810
2811	ret = kasan_kmalloc(s, ret, size, gfpflags);
2812	return ret;
2813	}
2814	EXPORT_SYMBOL(kmem_cache_alloc_node_trace);
2815	#endif
2816	#endif
2817
2818	/*
2819	* Slow path handling. This may still be called frequently since objects
2820	* have a longer lifetime than the cpu slabs in most processing loads.
2821	*
2822	* So we still attempt to reduce cache line usage. Just take the slab
2823	* lock and free the item. If there is no additional partial page
2824	* handling required then we can return immediately.
2825	*/
2826	static void __slab_free(struct kmem_cache s, struct* page *page,
2827	void head, void* tail, int* cnt,
2828	unsigned long addr)
2829
2830	{
2831	void *prior;
2832	int was_frozen;
2833	struct page new;
2834	unsigned long counters;
2835	struct kmem_cache_node *n = NULL;
2836	unsigned long uninitialized_var(flags);
2837
2838	stat(s, FREE_SLOWPATH);
2839
2840	if (kmem_cache_debug(s) &&
2841	!free_debug_processing(s, page, head, tail, cnt, addr))
2842	return;
2843
2844	do {
2845	if (unlikely(n)) {
2846	spin_unlock_irqrestore(&n->list_lock, flags);
2847	n = NULL;
2848	}
2849	prior = page->freelist;
2850	counters = page->counters;
2851	set_freepointer(s, tail, prior);
2852	new.counters = counters;
2853	was_frozen = new.frozen;
2854	new.inuse -= cnt;
2855	if ((!new.inuse \|\| !prior) && !was_frozen) {
2856
2857	if (kmem_cache_has_cpu_partial(s) && !prior) {
2858
2859	/*
2860	* Slab was on no list before and will be
2861	* partially empty
2862	* We can defer the list move and instead
2863	* freeze it.
2864	*/
2865	new.frozen = `1`;
2866
2867	} else { / Needs to be taken off a list /
2868
2869	n = get_node(s, page_to_nid(page));
2870	/*
2871	* Speculatively acquire the list_lock.
2872	* If the cmpxchg does not succeed then we may
2873	* drop the list_lock without any processing.
2874	*
2875	* Otherwise the list_lock will synchronize with
2876	* other processors updating the list of slabs.
2877	*/
2878	spin_lock_irqsave(&n->list_lock, flags);
2879
2880	}
2881	}
2882
2883	} while (!cmpxchg_double_slab(s, page,
2884	prior, counters,
2885	head, new.counters,
2886	"__slab_free"));
2887
2888	if (likely(!n)) {
2889
2890	/*
2891	* If we just froze the page then put it onto the
2892	* per cpu partial list.
2893	*/
2894	if (new.frozen && !was_frozen) {
2895	put_cpu_partial(s, page, `1`);
2896	stat(s, CPU_PARTIAL_FREE);
2897	}
2898	/*
2899	* The list lock was not taken therefore no list
2900	* activity can be necessary.
2901	*/
2902	if (was_frozen)
2903	stat(s, FREE_FROZEN);
2904	return;
2905	}
2906
2907	if (unlikely(!new.inuse && n->nr_partial >= s->min_partial))
2908	goto slab_empty;
2909
2910	/*
2911	* Objects left in the slab. If it was not on the partial list before
2912	* then add it.
2913	*/
2914	if (!kmem_cache_has_cpu_partial(s) && unlikely(!prior)) {
2915	if (kmem_cache_debug(s))
2916	remove_full(s, n, page);
2917	add_partial(n, page, DEACTIVATE_TO_TAIL);
2918	stat(s, FREE_ADD_PARTIAL);
2919	}
2920	spin_unlock_irqrestore(&n->list_lock, flags);
2921	return;
2922
2923	slab_empty:
2924	if (prior) {
2925	/*
2926	* Slab on the partial list.
2927	*/
2928	remove_partial(n, page);
2929	stat(s, FREE_REMOVE_PARTIAL);
2930	} else {
2931	/ Slab must be on the full list /
2932	remove_full(s, n, page);
2933	}
2934
2935	spin_unlock_irqrestore(&n->list_lock, flags);
2936	stat(s, FREE_SLAB);
2937	discard_slab(s, page);
2938	}
2939
2940	/*
2941	* Fastpath with forced inlining to produce a kfree and kmem_cache_free that
2942	* can perform fastpath freeing without additional function calls.
2943	*
2944	* The fastpath is only possible if we are freeing to the current cpu slab
2945	* of this processor. This typically the case if we have just allocated
2946	* the item before.
2947	*
2948	* If fastpath is not possible then fall back to __slab_free where we deal
2949	* with all sorts of special processing.
2950	*
2951	* Bulk free of a freelist with several objects (all pointing to the
2952	* same page) possible by specifying head and tail ptr, plus objects
2953	* count (cnt). Bulk free indicated by tail pointer being set.
2954	*/
2955	static __always_inline void do_slab_free(struct kmem_cache *s,
2956	struct page page, void* head, void* *tail,
2957	int cnt, unsigned long addr)
2958	{
2959	void *tail_obj = tail ? : head;
2960	struct kmem_cache_cpu *c;
2961	unsigned long tid;
2962	redo:
2963	/*
2964	* Determine the currently cpus per cpu slab.
2965	* The cpu may change afterward. However that does not matter since
2966	* data is retrieved via this pointer. If we are on the same cpu
2967	* during the cmpxchg then the free will succeed.
2968	*/
2969	do {
2970	tid = this_cpu_read(s->cpu_slab->tid);
2971	c = raw_cpu_ptr(s->cpu_slab);
2972	} while (IS_ENABLED(CONFIG_PREEMPT) &&
2973	unlikely(tid != READ_ONCE(c->tid)));
2974
2975	/ Same with comment on barrier() in slab_alloc_node() /
2976	barrier();
2977
2978	if (likely(page == c->page)) {
2979	set_freepointer(s, tail_obj, c->freelist);
2980
2981	if (unlikely(!this_cpu_cmpxchg_double(
2982	s->cpu_slab->freelist, s->cpu_slab->tid,
2983	c->freelist, tid,
2984	head, next_tid(tid)))) {
2985
2986	note_cmpxchg_failure("slab_free", s, tid);
2987	goto redo;
2988	}
2989	stat(s, FREE_FASTPATH);
2990	} else
2991	__slab_free(s, page, head, tail_obj, cnt, addr);
2992
2993	}
2994
2995	static __always_inline void slab_free(struct kmem_cache s, struct* page *page,
2996	void head, void* tail, int* cnt,
2997	unsigned long addr)
2998	{
2999	/*
3000	* With KASAN enabled slab_free_freelist_hook modifies the freelist
3001	* to remove objects, whose reuse must be delayed.
3002	*/
3003	if (slab_free_freelist_hook(s, &head, &tail))
3004	do_slab_free(s, page, head, tail, cnt, addr);
3005	}
3006
3007	#ifdef CONFIG_KASAN_GENERIC
3008	void ___cache_free(struct kmem_cache cache, void* x, unsigned* long addr)
3009	{
3010	do_slab_free(cache, virt_to_head_page(x), x, NULL, `1`, addr);
3011	}
3012	#endif
3013
3014	void kmem_cache_free(struct kmem_cache s, void* *x)
3015	{
3016	s = cache_from_obj(s, x);
3017	if (!s)
3018	return;
3019	slab_free(s, virt_to_head_page(x), x, NULL, `1`, _RET_IP_);
3020	trace_kmem_cache_free(_RET_IP_, x);
3021	}
3022	EXPORT_SYMBOL(kmem_cache_free);
3023
3024	struct detached_freelist {
3025	struct page *page;
3026	void *tail;
3027	void *freelist;
3028	int cnt;
3029	struct kmem_cache *s;
3030	};
3031
3032	/*
3033	* This function progressively scans the array with free objects (with
3034	* a limited look ahead) and extract objects belonging to the same
3035	* page. It builds a detached freelist directly within the given
3036	* page/objects. This can happen without any need for
3037	* synchronization, because the objects are owned by running process.
3038	* The freelist is build up as a single linked list in the objects.
3039	* The idea is, that this detached freelist can then be bulk
3040	* transferred to the real freelist(s), but only requiring a single
3041	* synchronization primitive. Look ahead in the array is limited due
3042	* to performance reasons.
3043	*/
3044	static inline
3045	int build_detached_freelist(struct kmem_cache *s, size_t size,
3046	void p, struct** detached_freelist *df)
3047	{
3048	size_t first_skipped_index = `0`;
3049	int lookahead = `3`;
3050	void *object;
3051	struct page *page;
3052
3053	/ Always re-init detached_freelist /
3054	df->page = NULL;
3055
3056	do {
3057	object = p[--size];
3058	/ Do we need !ZERO_OR_NULL_PTR(object) here? (for kfree) /
3059	} while (!object && size);
3060
3061	if (!object)
3062	return `0`;
3063
3064	page = virt_to_head_page(object);
3065	if (!s) {
3066	/ Handle kalloc'ed objects /
3067	if (unlikely(!PageSlab(page))) {
3068	BUG_ON(!PageCompound(page));
3069	kfree_hook(object);
3070	__free_pages(page, compound_order(page));
3071	p[size] = NULL; / mark object processed /
3072	return size;
3073	}
3074	/ Derive kmem_cache from object /
3075	df->s = page->slab_cache;
3076	} else {
3077	df->s = cache_from_obj(s, object); / Support for memcg /
3078	}
3079
3080	/ Start new detached freelist /
3081	df->page = page;
3082	set_freepointer(df->s, object, NULL);
3083	df->tail = object;
3084	df->freelist = object;
3085	p[size] = NULL; / mark object processed /
3086	df->cnt = `1`;
3087
3088	while (size) {
3089	object = p[--size];
3090	if (!object)
3091	continue; / Skip processed objects /
3092
3093	/ df->page is always set at this point /
3094	if (df->page == virt_to_head_page(object)) {
3095	/ Opportunity build freelist /
3096	set_freepointer(df->s, object, df->freelist);
3097	df->freelist = object;
3098	df->cnt++;
3099	p[size] = NULL; / mark object processed /
3100
3101	continue;
3102	}
3103
3104	/ Limit look ahead search /
3105	if (!--lookahead)
3106	break;
3107
3108	if (!first_skipped_index)
3109	first_skipped_index = size + `1`;
3110	}
3111
3112	return first_skipped_index;
3113	}
3114
3115	/ Note that interrupts must be enabled when calling this function. /
3116	void kmem_cache_free_bulk(struct kmem_cache s, size_t size, void* **p)
3117	{
3118	if (WARN_ON(!size))
3119	return;
3120
3121	do {
3122	struct detached_freelist df;
3123
3124	size = build_detached_freelist(s, size, p, &df);
3125	if (!df.page)
3126	continue;
3127
3128	slab_free(df.s, df.page, df.freelist, df.tail, df.cnt,_RET_IP_);
3129	} while (likely(size));
3130	}
3131	EXPORT_SYMBOL(kmem_cache_free_bulk);
3132
3133	/ Note that interrupts must be enabled when calling this function. /
3134	int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
3135	void **p)
3136	{
3137	struct kmem_cache_cpu *c;
3138	int i;
3139
3140	/ memcg and kmem_cache debug support /
3141	s = slab_pre_alloc_hook(s, flags);
3142	if (unlikely(!s))
3143	return false;
3144	/*
3145	* Drain objects in the per cpu slab, while disabling local
3146	* IRQs, which protects against PREEMPT and interrupts
3147	* handlers invoking normal fastpath.
3148	*/
3149	local_irq_disable();
3150	c = this_cpu_ptr(s->cpu_slab);
3151
3152	for (i = `0`; i < size; i++) {
3153	void *object = c->freelist;
3154
3155	if (unlikely(!object)) {
3156	/*
3157	* Invoking slow path likely have side-effect
3158	* of re-populating per CPU c->freelist
3159	*/
3160	p[i] = ___slab_alloc(s, flags, NUMA_NO_NODE,
3161	_RET_IP_, c);
3162	if (unlikely(!p[i]))
3163	goto error;
3164
3165	c = this_cpu_ptr(s->cpu_slab);
3166	continue; / goto for-loop /
3167	}
3168	c->freelist = get_freepointer(s, object);
3169	p[i] = object;
3170	}
3171	c->tid = next_tid(c->tid);
3172	local_irq_enable();
3173
3174	/ Clear memory outside IRQ disabled fastpath loop /
3175	if (unlikely(flags & __GFP_ZERO)) {
3176	int j;
3177
3178	for (j = `0`; j < i; j++)
3179	memset(p[j], `0`, s->object_size);
3180	}
3181
3182	/ memcg and kmem_cache debug support /
3183	slab_post_alloc_hook(s, flags, size, p);
3184	return i;
3185	error:
3186	local_irq_enable();
3187	slab_post_alloc_hook(s, flags, i, p);
3188	__kmem_cache_free_bulk(s, i, p);
3189	return `0`;
3190	}
3191	EXPORT_SYMBOL(kmem_cache_alloc_bulk);
3192
3193
3194	/*
3195	* Object placement in a slab is made very easy because we always start at
3196	* offset 0. If we tune the size of the object to the alignment then we can
3197	* get the required alignment by putting one properly sized object after
3198	* another.
3199	*
3200	* Notice that the allocation order determines the sizes of the per cpu
3201	* caches. Each processor has always one slab available for allocations.
3202	* Increasing the allocation order reduces the number of times that slabs
3203	* must be moved on and off the partial lists and is therefore a factor in
3204	* locking overhead.
3205	*/
3206
3207	/*
3208	* Mininum / Maximum order of slab pages. This influences locking overhead
3209	* and slab fragmentation. A higher order reduces the number of partial slabs
3210	* and increases the number of allocations possible without having to
3211	* take the list_lock.
3212	*/
3213	static unsigned int slub_min_order;
3214	static unsigned int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
3215	static unsigned int slub_min_objects;
3216
3217	/*
3218	* Calculate the order of allocation given an slab object size.
3219	*
3220	* The order of allocation has significant impact on performance and other
3221	* system components. Generally order 0 allocations should be preferred since
3222	* order 0 does not cause fragmentation in the page allocator. Larger objects
3223	* be problematic to put into order 0 slabs because there may be too much
3224	* unused space left. We go to a higher order if more than 1/16th of the slab
3225	* would be wasted.
3226	*
3227	* In order to reach satisfactory performance we must ensure that a minimum
3228	* number of objects is in one slab. Otherwise we may generate too much
3229	* activity on the partial lists which requires taking the list_lock. This is
3230	* less a concern for large slabs though which are rarely used.
3231	*
3232	* slub_max_order specifies the order where we begin to stop considering the
3233	* number of objects in a slab as critical. If we reach slub_max_order then
3234	* we try to keep the page order as low as possible. So we accept more waste
3235	* of space in favor of a small page order.
3236	*
3237	* Higher order allocations also allow the placement of more objects in a
3238	* slab and thereby reduce object handling overhead. If the user has
3239	* requested a higher mininum order then we start with that one instead of
3240	* the smallest order which will fit the object.
3241	*/
3242	static inline unsigned int slab_order(unsigned int size,
3243	unsigned int min_objects, unsigned int max_order,
3244	unsigned int fract_leftover)
3245	{
3246	unsigned int min_order = slub_min_order;
3247	unsigned int order;
3248
3249	if (order_objects(min_order, size) > MAX_OBJS_PER_PAGE)
3250	return get_order(size * MAX_OBJS_PER_PAGE) - `1`;
3251
3252	for (order = max(min_order, (unsigned int)get_order(min_objects * size));
3253	order <= max_order; order++) {
3254
3255	unsigned int slab_size = (unsigned int)PAGE_SIZE << order;
3256	unsigned int rem;
3257
3258	rem = slab_size % size;
3259
3260	if (rem <= slab_size / fract_leftover)
3261	break;
3262	}
3263
3264	return order;
3265	}
3266
3267	static inline int calculate_order(unsigned int size)
3268	{
3269	unsigned int order;
3270	unsigned int min_objects;
3271	unsigned int max_objects;
3272
3273	/*
3274	* Attempt to find best configuration for a slab. This
3275	* works by first attempting to generate a layout with
3276	* the best configuration and backing off gradually.
3277	*
3278	* First we increase the acceptable waste in a slab. Then
3279	* we reduce the minimum objects required in a slab.
3280	*/
3281	min_objects = slub_min_objects;
3282	if (!min_objects)
3283	min_objects = `4` * (fls(nr_cpu_ids) + `1`);
3284	max_objects = order_objects(slub_max_order, size);
3285	min_objects = min(min_objects, max_objects);
3286
3287	while (min_objects > `1`) {
3288	unsigned int fraction;
3289
3290	fraction = `16`;
3291	while (fraction >= `4`) {
3292	order = slab_order(size, min_objects,
3293	slub_max_order, fraction);
3294	if (order <= slub_max_order)
3295	return order;
3296	fraction /= `2`;
3297	}
3298	min_objects--;
3299	}
3300
3301	/*
3302	* We were unable to place multiple objects in a slab. Now
3303	* lets see if we can place a single object there.
3304	*/
3305	order = slab_order(size, `1`, slub_max_order, `1`);
3306	if (order <= slub_max_order)
3307	return order;
3308
3309	/*
3310	* Doh this slab cannot be placed using slub_max_order.
3311	*/
3312	order = slab_order(size, `1`, MAX_ORDER, `1`);
3313	if (order < MAX_ORDER)
3314	return order;
3315	return -ENOSYS;
3316	}
3317
3318	static void
3319	init_kmem_cache_node(struct kmem_cache_node *n)
3320	{
3321	n->nr_partial = `0`;
3322	spin_lock_init(&n->list_lock);
3323	INIT_LIST_HEAD(&n->partial);
3324	#ifdef CONFIG_SLUB_DEBUG
3325	atomic_long_set(&n->nr_slabs, `0`);
3326	atomic_long_set(&n->total_objects, `0`);
3327	INIT_LIST_HEAD(&n->full);
3328	#endif
3329	}
3330
3331	static inline int alloc_kmem_cache_cpus(struct kmem_cache *s)
3332	{
3333	BUILD_BUG_ON(PERCPU_DYNAMIC_EARLY_SIZE <
3334	KMALLOC_SHIFT_HIGH * sizeof(struct kmem_cache_cpu));
3335
3336	/*
3337	* Must align to double word boundary for the double cmpxchg
3338	* instructions to work; see __pcpu_double_call_return_bool().
3339	*/
3340	s->cpu_slab = __alloc_percpu(sizeof(struct kmem_cache_cpu),
3341	`2` * sizeof(void *));
3342
3343	if (!s->cpu_slab)
3344	return `0`;
3345
3346	init_kmem_cache_cpus(s);
3347
3348	return `1`;
3349	}
3350
3351	static struct kmem_cache *kmem_cache_node;
3352
3353	/*
3354	* No kmalloc_node yet so do it by hand. We know that this is the first
3355	* slab on the node for this slabcache. There are no concurrent accesses
3356	* possible.
3357	*
3358	* Note that this function only works on the kmem_cache_node
3359	* when allocating for the kmem_cache_node. This is used for bootstrapping
3360	* memory on a fresh node that has no slab structures yet.
3361	*/
3362	static void early_kmem_cache_node_alloc(int node)
3363	{
3364	struct page *page;
3365	struct kmem_cache_node *n;
3366
3367	BUG_ON(kmem_cache_node->size < sizeof(struct kmem_cache_node));
3368
3369	page = new_slab(kmem_cache_node, GFP_NOWAIT, node);
3370
3371	BUG_ON(!page);
3372	if (page_to_nid(page) != node) {
3373	pr_err("SLUB: Unable to allocate memory from node %d\n", node);
3374	pr_err("SLUB: Allocating a useless per node structure in order to be able to continue\n");
3375	}
3376
3377	n = page->freelist;
3378	BUG_ON(!n);
3379	#ifdef CONFIG_SLUB_DEBUG
3380	init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
3381	init_tracking(kmem_cache_node, n);
3382	#endif
3383	n = kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node),
3384	GFP_KERNEL);
3385	page->freelist = get_freepointer(kmem_cache_node, n);
3386	page->inuse = `1`;
3387	page->frozen = `0`;
3388	kmem_cache_node->node[node] = n;
3389	init_kmem_cache_node(n);
3390	inc_slabs_node(kmem_cache_node, node, page->objects);
3391
3392	/*
3393	* No locks need to be taken here as it has just been
3394	* initialized and there is no concurrent access.
3395	*/
3396	__add_partial(n, page, DEACTIVATE_TO_HEAD);
3397	}
3398
3399	static void free_kmem_cache_nodes(struct kmem_cache *s)
3400	{
3401	int node;
3402	struct kmem_cache_node *n;
3403
3404	for_each_kmem_cache_node(s, node, n) {
3405	s->node[node] = NULL;
3406	kmem_cache_free(kmem_cache_node, n);
3407	}
3408	}
3409
3410	void __kmem_cache_release(struct kmem_cache *s)
3411	{
3412	cache_random_seq_destroy(s);
3413	free_percpu(s->cpu_slab);
3414	free_kmem_cache_nodes(s);
3415	}
3416
3417	static int init_kmem_cache_nodes(struct kmem_cache *s)
3418	{
3419	int node;
3420
3421	for_each_node_state(node, N_NORMAL_MEMORY) {
3422	struct kmem_cache_node *n;
3423
3424	if (slab_state == DOWN) {
3425	early_kmem_cache_node_alloc(node);
3426	continue;
3427	}
3428	n = kmem_cache_alloc_node(kmem_cache_node,
3429	GFP_KERNEL, node);
3430
3431	if (!n) {
3432	free_kmem_cache_nodes(s);
3433	return `0`;
3434	}
3435
3436	init_kmem_cache_node(n);
3437	s->node[node] = n;
3438	}
3439	return `1`;
3440	}
3441
3442	static void set_min_partial(struct kmem_cache s, unsigned* long min)
3443	{
3444	if (

Browse the source code of linux/mm/slub.c