[PATCH] Revert "slub: Remove node check in slab_free"

From: Ingo Molnar
Date: Wed May 25 2011 - 03:37:47 EST

Next message: Jens Axboe: "Re: [PATCH] SCSI IOCTL: Check for device deletion [was Re: __elv_add_request OOPS]"
Previous message: KOSAKI Motohiro: "Re: [PATCH] set_migratetype_isolate: remove unused variable."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This reverts commit 442b06bcea23a01934d3da7ec5898fa154a6cafb.

As Linus explained it's broken. Quoting Linus:

That whole "deactivate_slab()" + "c->page = NULL" that this patch
does looks bogus.

Look at __slab_alloc(), we have:

page = c->page;
if (!page)
goto new_slab;

slab_lock(page);
if (unlikely(!node_match(c, node)))
goto another_slab;

and let's assume we have two users racing on that "c->page". The
"slab_lock()" is going to work for one of them, right?

Ok, so the one it works for will then hit:

if (kmem_cache_debug(s))
goto debug;

and thus get to the new "deactivate_slab(s,c) + c->page = NULL" and
then unlock the page.

In the meantime, the one that wasn't able to lock the page will now
go forward, but will not have "node_match()" any more, so it does
that "goto another_slab".

Which does "deactivate_slab(s,c)" again, and now c->page is NULL, so
that totally breaks.

Reported-and-bisected-by: James Morris <jmorris@xxxxxxxxx>
Analyzed-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Acked-by: Pekka Enberg <penberg@xxxxxxxxxx>
Link: http://lkml.kernel.org/r/alpine.LRH.2.00.1105242146240.12134@xxxxxxxxxxxxxxxx
Signed-off-by: Ingo Molnar <mingo@xxxxxxx>
---
mm/slub.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/mm/slub.c b/mm/slub.c
index 4ea7f1a..ed1281b 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1881,8 +1881,6 @@ debug:

page->inuse++;
page->freelist = get_freepointer(s, object);
- deactivate_slab(s, c);
- c->page = NULL;
c->node = NUMA_NO_NODE;
goto unlock_out;
}
@@ -2114,7 +2112,7 @@ redo:
tid = c->tid;
barrier();

- if (likely(page == c->page)) {
+ if (likely(page == c->page && c->node != NUMA_NO_NODE)) {
set_freepointer(s, object, c->freelist);

if (unlikely(!irqsafe_cpu_cmpxchg_double(
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jens Axboe: "Re: [PATCH] SCSI IOCTL: Check for device deletion [was Re: __elv_add_request OOPS]"
Previous message: KOSAKI Motohiro: "Re: [PATCH] set_migratetype_isolate: remove unused variable."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]