Re: [PATCH RFC 4/4] mm/slab: serialize defer_free_barrier()

[Vlastimil Babka (SUSE)]

On 6/24/26 15:11, Harry Yoo (Oracle) wrote:
> irq_work_sync() uses rcuwait instead of busy waiting in two cases:
> 
>   1. The kernel is using PREEMPT_RT and the irq work does not run in a
>      hardirq context.
> 
>   2. The architecture cannot send inter-processor interrupts to make
>      busy waiting reasonably short.
> 
> However, rcuwait.h says:
>> The caller is responsible for locking around rcuwait_wait_event(),
>> and [prepare_to/finish]_rcuwait() such that writes to @task are
>> properly serialized.
> 
> Since defer_free_barrier() calls irq_work_sync() without any locks,
> it can potentially cause a hang as writes to @task are not serialized.
> 
> Fix this by calling defer_free_barrier() under slab_mutex and
> cpus_read_lock() and add lockdep asserts.
> 
> Now that defer_free_barrier() is called inside cpus_read_lock(), iterate
> over online cpus instead of possible cpus.
> 
> Reported-by: Sashiko <sashiko+bot@xxxxxxxxxx>
> Closes: https://sashiko.dev/#/patchset/20260615-kfree_rcu_nolock-v3-0-70a54f3775bb%40kernel.org?part=5
> Fixes: af92793e52c3 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Harry Yoo (Oracle) <harry@xxxxxxxxxx>

Acked-by: Vlastimil Babka (SUSE) <vbabka@xxxxxxxxxx>

> ---
>  mm/slab_common.c | 5 ++---
>  mm/slub.c        | 6 +++++-
>  2 files changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index 388eb5980859..27f77273fabe 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -550,11 +550,10 @@ void kmem_cache_destroy(struct kmem_cache *s)
>  		rcu_barrier();
>  	}
>  
> -	/* Wait for deferred work from kmalloc/kfree_nolock() */
> -	defer_free_barrier();
> -
>  	cpus_read_lock();
>  	mutex_lock(&slab_mutex);
> +	/* Wait for deferred work from kmalloc/kfree_nolock() */
> +	defer_free_barrier();
>  
>  	s->refcount--;
>  	if (s->refcount) {
> diff --git a/mm/slub.c b/mm/slub.c
> index 4a3618e3967e..52c8d3f33782 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -6411,7 +6411,11 @@ void defer_free_barrier(void)
>  {
>  	int cpu;
>  
> -	for_each_possible_cpu(cpu)
> +	/* irq_work_sync() may use rcuwait that requires serialization */
> +	lockdep_assert_held(&slab_mutex);
> +	lockdep_assert_cpus_held();
> +
> +	for_each_online_cpu(cpu)
>  		irq_work_sync(&per_cpu_ptr(&defer_free_objects, cpu)->work);
>  }
>  
>