2018-03-21 21:22:37 +02:00
==========================
2007-05-06 14:49:47 -07:00
Short users guide for SLUB
2018-03-21 21:22:37 +02:00
==========================
2007-05-06 14:49:47 -07:00
The basic philosophy of SLUB is very different from SLAB. SLAB
requires rebuilding the kernel to activate debug options for all
2007-05-31 00:40:47 -07:00
slab caches. SLUB always includes full debugging but it is off by default.
2007-05-06 14:49:47 -07:00
SLUB can enable debugging only for selected slabs in order to avoid
an impact on overall system performance which may make a bug more
difficult to find.
2023-12-15 11:41:49 +08:00
In order to switch debugging on one can add an option `` slab_debug ``
2007-05-06 14:49:47 -07:00
to the kernel command line. That will enable full debugging for
all slabs.
2018-03-21 21:22:37 +02:00
Typically one would then use the `` slabinfo `` command to get statistical
data and perform operation on the slabs. By default `` slabinfo `` only lists
2007-05-06 14:49:47 -07:00
slabs that have data in them. See "slabinfo -h" for more options when
2018-03-21 21:22:37 +02:00
running the command. `` slabinfo `` can be compiled with
::
2007-05-06 14:49:47 -07:00
2023-01-03 18:07:52 +00:00
gcc -o slabinfo tools/mm/slabinfo.c
2007-05-06 14:49:47 -07:00
2018-03-21 21:22:37 +02:00
Some of the modes of operation of `` slabinfo `` require that slub debugging
2007-05-06 14:49:47 -07:00
be enabled on the command line. F.e. no tracking information will be
available without debugging on and validation can only partially
be performed if debugging was not switched on.
2023-12-15 11:41:49 +08:00
Some more sophisticated uses of slab_debug:
2007-05-06 14:49:47 -07:00
-------------------------------------------
2023-12-15 11:41:49 +08:00
Parameters may be given to `` slab_debug `` . If none is specified then full
2007-05-06 14:49:47 -07:00
debugging is enabled. Format:
2023-12-15 11:41:49 +08:00
slab_debug=<Debug-Options>
2018-03-21 21:22:37 +02:00
Enable options for all slabs
2023-12-15 11:41:49 +08:00
slab_debug=<Debug-Options>,<slab name1>,<slab name2>,...
2018-10-26 15:03:15 -07:00
Enable options only for select slabs (no spaces
after a comma)
2018-03-21 21:22:37 +02:00
2020-08-06 23:18:35 -07:00
Multiple blocks of options for all slabs or selected slabs can be given, with
blocks of options delimited by ';'. The last of "all slabs" blocks is applied
to all slabs except those that match one of the "select slabs" block. Options
of the first "select slabs" blocks that matches the slab's name are applied.
2018-03-21 21:22:37 +02:00
Possible debug options are::
2007-05-06 14:49:47 -07:00
2016-03-15 14:55:06 -07:00
F Sanity checks on (enables SLAB_DEBUG_CONSISTENCY_CHECKS
Sorry SLAB legacy issues)
2007-05-06 14:49:47 -07:00
Z Red zoning
P Poisoning (object and padding)
U User tracking (free and alloc)
T Trace (please only use on single slabs)
2020-06-01 21:46:00 -07:00
A Enable failslab filter mark for the cache
2009-07-07 00:14:14 -07:00
O Switch debugging off for caches that would have
caused higher minimum slab orders
2007-07-15 23:38:14 -07:00
- Switch all debugging off (useful if the kernel is
configured with CONFIG_SLUB_DEBUG_ON)
2007-05-06 14:49:47 -07:00
2018-03-21 21:22:37 +02:00
F.e. in order to boot just with sanity checks and red zoning one would specify::
2007-05-06 14:49:47 -07:00
2023-12-15 11:41:49 +08:00
slab_debug=FZ
2007-05-06 14:49:47 -07:00
2018-03-21 21:22:37 +02:00
Trying to find an issue in the dentry cache? Try::
2007-05-06 14:49:47 -07:00
2023-12-15 11:41:49 +08:00
slab_debug=,dentry
2007-05-06 14:49:47 -07:00
2018-10-26 15:03:15 -07:00
to only enable debugging on the dentry cache. You may use an asterisk at the
end of the slab name, in order to cover all slabs with the same prefix. For
example, here's how you can poison the dentry cache as well as all kmalloc
2019-01-31 15:06:22 +11:00
slabs::
2018-10-26 15:03:15 -07:00
2023-12-15 11:41:49 +08:00
slab_debug=P,kmalloc-*,dentry
2007-05-06 14:49:47 -07:00
Red zoning and tracking may realign the slab. We can just apply sanity checks
2018-03-21 21:22:37 +02:00
to the dentry cache with::
2007-05-06 14:49:47 -07:00
2023-12-15 11:41:49 +08:00
slab_debug=F,dentry
2007-05-06 14:49:47 -07:00
2009-07-07 00:14:14 -07:00
Debugging options may require the minimum possible slab order to increase as
a result of storing the metadata (for example, caches with PAGE_SIZE object
sizes). This has a higher liklihood of resulting in slab allocation errors
in low memory situations or if there's high fragmentation of memory. To
2018-03-21 21:22:37 +02:00
switch off debugging for such caches by default, use::
2009-07-07 00:14:14 -07:00
2023-12-15 11:41:49 +08:00
slab_debug=O
2009-07-07 00:14:14 -07:00
2020-08-06 23:18:35 -07:00
You can apply different options to different list of slab names, using blocks
of options. This will enable red zoning for dentry and user tracking for
kmalloc. All other slabs will not get any debugging enabled::
2023-12-15 11:41:49 +08:00
slab_debug=Z,dentry;U,kmalloc-*
2020-08-06 23:18:35 -07:00
You can also enable options (e.g. sanity checks and poisoning) for all caches
except some that are deemed too performance critical and don't need to be
debugged by specifying global debug options followed by a list of slab names
with "-" as options::
2023-12-15 11:41:49 +08:00
slab_debug=FZ;-,zs_handle,zspage
2020-08-06 23:18:35 -07:00
mm, slub: make some slub_debug related attributes read-only
SLUB_DEBUG creates several files under /sys/kernel/slab/<cache>/ that can
be read to check if the respective debugging options are enabled for given
cache. The options can be also toggled at runtime by writing into the
files. Some of those, namely red_zone, poison, and store_user can be
toggled only when no objects yet exist in the cache.
Vijayanand reports [1] that there is a problem with freelist randomization
if changing the debugging option's state results in different number of
objects per page, and the random sequence cache needs thus needs to be
recomputed.
However, another problem is that the check for "no objects yet exist in
the cache" is racy, as noted by Jann [2] and fixing that would add
overhead or otherwise complicate the allocation/freeing paths. Thus it
would be much simpler just to remove the runtime toggling support. The
documentation describes it's "In case you forgot to enable debugging on
the kernel command line", but the neccessity of having no objects limits
its usefulness anyway for many caches.
Vijayanand describes an use case [3] where debugging is enabled for all
but zram caches for memory overhead reasons, and using the runtime toggles
was the only way to achieve such configuration. After the previous patch
it's now possible to do that directly from the kernel boot option, so we
can remove the dangerous runtime toggles by making the /sys attribute
files read-only.
While updating it, also improve the documentation of the debugging /sys files.
[1] https://lkml.kernel.org/r/1580379523-32272-1-git-send-email-vjitta@codeaurora.org
[2] https://lore.kernel.org/r/CAG48ez31PP--h6_FzVyfJ4H86QYczAFPdxtJHUEEan+7VJETAQ@mail.gmail.com
[3] https://lore.kernel.org/r/1383cd32-1ddc-4dac-b5f8-9c42282fa81c@codeaurora.org
Reported-by: Vijayanand Jitta <vjitta@codeaurora.org>
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Roman Gushchin <guro@fb.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Pekka Enberg <penberg@kernel.org>
Link: http://lkml.kernel.org/r/20200610163135.17364-3-vbabka@suse.cz
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-08-06 23:18:38 -07:00
The state of each debug option for a slab can be found in the respective files
under::
2007-05-06 14:49:47 -07:00
2018-03-21 21:22:37 +02:00
/sys/kernel/slab/<slab name>/
2007-05-06 14:49:47 -07:00
mm, slub: make some slub_debug related attributes read-only
SLUB_DEBUG creates several files under /sys/kernel/slab/<cache>/ that can
be read to check if the respective debugging options are enabled for given
cache. The options can be also toggled at runtime by writing into the
files. Some of those, namely red_zone, poison, and store_user can be
toggled only when no objects yet exist in the cache.
Vijayanand reports [1] that there is a problem with freelist randomization
if changing the debugging option's state results in different number of
objects per page, and the random sequence cache needs thus needs to be
recomputed.
However, another problem is that the check for "no objects yet exist in
the cache" is racy, as noted by Jann [2] and fixing that would add
overhead or otherwise complicate the allocation/freeing paths. Thus it
would be much simpler just to remove the runtime toggling support. The
documentation describes it's "In case you forgot to enable debugging on
the kernel command line", but the neccessity of having no objects limits
its usefulness anyway for many caches.
Vijayanand describes an use case [3] where debugging is enabled for all
but zram caches for memory overhead reasons, and using the runtime toggles
was the only way to achieve such configuration. After the previous patch
it's now possible to do that directly from the kernel boot option, so we
can remove the dangerous runtime toggles by making the /sys attribute
files read-only.
While updating it, also improve the documentation of the debugging /sys files.
[1] https://lkml.kernel.org/r/1580379523-32272-1-git-send-email-vjitta@codeaurora.org
[2] https://lore.kernel.org/r/CAG48ez31PP--h6_FzVyfJ4H86QYczAFPdxtJHUEEan+7VJETAQ@mail.gmail.com
[3] https://lore.kernel.org/r/1383cd32-1ddc-4dac-b5f8-9c42282fa81c@codeaurora.org
Reported-by: Vijayanand Jitta <vjitta@codeaurora.org>
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Roman Gushchin <guro@fb.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Pekka Enberg <penberg@kernel.org>
Link: http://lkml.kernel.org/r/20200610163135.17364-3-vbabka@suse.cz
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-08-06 23:18:38 -07:00
If the file contains 1, the option is enabled, 0 means disabled. The debug
2023-12-15 11:41:49 +08:00
options from the `` slab_debug `` parameter translate to the following files::
mm, slub: make some slub_debug related attributes read-only
SLUB_DEBUG creates several files under /sys/kernel/slab/<cache>/ that can
be read to check if the respective debugging options are enabled for given
cache. The options can be also toggled at runtime by writing into the
files. Some of those, namely red_zone, poison, and store_user can be
toggled only when no objects yet exist in the cache.
Vijayanand reports [1] that there is a problem with freelist randomization
if changing the debugging option's state results in different number of
objects per page, and the random sequence cache needs thus needs to be
recomputed.
However, another problem is that the check for "no objects yet exist in
the cache" is racy, as noted by Jann [2] and fixing that would add
overhead or otherwise complicate the allocation/freeing paths. Thus it
would be much simpler just to remove the runtime toggling support. The
documentation describes it's "In case you forgot to enable debugging on
the kernel command line", but the neccessity of having no objects limits
its usefulness anyway for many caches.
Vijayanand describes an use case [3] where debugging is enabled for all
but zram caches for memory overhead reasons, and using the runtime toggles
was the only way to achieve such configuration. After the previous patch
it's now possible to do that directly from the kernel boot option, so we
can remove the dangerous runtime toggles by making the /sys attribute
files read-only.
While updating it, also improve the documentation of the debugging /sys files.
[1] https://lkml.kernel.org/r/1580379523-32272-1-git-send-email-vjitta@codeaurora.org
[2] https://lore.kernel.org/r/CAG48ez31PP--h6_FzVyfJ4H86QYczAFPdxtJHUEEan+7VJETAQ@mail.gmail.com
[3] https://lore.kernel.org/r/1383cd32-1ddc-4dac-b5f8-9c42282fa81c@codeaurora.org
Reported-by: Vijayanand Jitta <vjitta@codeaurora.org>
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Roman Gushchin <guro@fb.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Pekka Enberg <penberg@kernel.org>
Link: http://lkml.kernel.org/r/20200610163135.17364-3-vbabka@suse.cz
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-08-06 23:18:38 -07:00
F sanity_checks
Z red_zone
P poison
U store_user
T trace
A failslab
2022-09-20 15:11:11 +03:00
failslab file is writable, so writing 1 or 0 will enable or disable
the option at runtime. Write returns -EINVAL if cache is an alias.
2020-08-06 23:18:45 -07:00
Careful with tracing: It may spew out lots of information and never stop if
used on the wrong slab.
2007-05-06 14:49:47 -07:00
2007-05-31 00:40:47 -07:00
Slab merging
2018-03-21 21:22:37 +02:00
============
2007-05-06 14:49:47 -07:00
2007-05-31 00:40:47 -07:00
If no debug options are specified then SLUB may merge similar slabs together
2007-05-06 14:49:47 -07:00
in order to reduce overhead and increase cache hotness of objects.
2018-03-21 21:22:37 +02:00
`` slabinfo -a `` displays which slabs were merged together.
2007-05-06 14:49:47 -07:00
2007-05-31 00:40:47 -07:00
Slab validation
2018-03-21 21:22:37 +02:00
===============
2007-05-31 00:40:47 -07:00
2023-12-15 11:41:49 +08:00
SLUB can validate all object if the kernel was booted with slab_debug. In
2018-03-21 21:22:37 +02:00
order to do so you must have the `` slabinfo `` tool. Then you can do
::
2007-05-31 00:40:47 -07:00
2018-03-21 21:22:37 +02:00
slabinfo -v
2007-05-31 00:40:47 -07:00
which will test all objects. Output will be generated to the syslog.
This also works in a more limited way if boot was without slab debug.
2018-03-21 21:22:37 +02:00
In that case `` slabinfo -v `` simply tests all reachable objects. Usually
2007-05-31 00:40:47 -07:00
these are in the cpu slabs and the partial slabs. Full slabs are not
tracked by SLUB in a non debug situation.
2007-05-06 14:49:47 -07:00
Getting more performance
2018-03-21 21:22:37 +02:00
========================
2007-05-06 14:49:47 -07:00
To some degree SLUB's performance is limited by the need to take the
list_lock once in a while to deal with partial slabs. That overhead is
governed by the order of the allocation for each slab. The allocations
can be influenced by kernel parameters:
2023-12-15 11:41:50 +08:00
.. slab_min_objects=x (default: automatically scaled by number of cpus)
2023-12-15 11:41:49 +08:00
.. slab_min_order=x (default 0)
.. slab_max_order=x (default 3 (PAGE_ALLOC_COSTLY_ORDER))
2018-03-21 21:22:37 +02:00
2023-12-15 11:41:49 +08:00
`` slab_min_objects ``
2018-03-21 21:22:37 +02:00
allows to specify how many objects must at least fit into one
slab in order for the allocation order to be acceptable. In
general slub will be able to perform this number of
allocations on a slab without consulting centralized resources
(list_lock) where contention may occur.
2023-12-15 11:41:49 +08:00
`` slab_min_order ``
2019-01-31 15:06:21 +11:00
specifies a minimum order of slabs. A similar effect like
2023-12-15 11:41:49 +08:00
`` slab_min_objects `` .
2018-03-21 21:22:37 +02:00
2023-12-15 11:41:49 +08:00
`` slab_max_order ``
specified the order at which `` slab_min_objects `` should no
2018-03-21 21:22:37 +02:00
longer be checked. This is useful to avoid SLUB trying to
2023-12-15 11:41:49 +08:00
generate super large order pages to fit `` slab_min_objects ``
2018-03-21 21:22:37 +02:00
of a slab cache with large object sizes into one high order
page. Setting command line parameter
`` debug_guardpage_minorder=N `` (N > 0), forces setting
2023-12-15 11:41:49 +08:00
`` slab_max_order `` to 0, what cause minimum possible order of
2018-03-21 21:22:37 +02:00
slabs allocation.
2007-05-06 14:49:47 -07:00
2007-05-31 00:40:47 -07:00
SLUB Debug output
2018-03-21 21:22:37 +02:00
=================
Here is a sample of slub debug output::
====================================================================
2021-06-15 18:23:19 -07:00
BUG kmalloc-8: Right Redzone overwritten
2018-03-21 21:22:37 +02:00
--------------------------------------------------------------------
INFO: 0xc90f6d28-0xc90f6d2b. First byte 0x00 instead of 0xcc
INFO: Slab 0xc528c530 flags=0x400000c3 inuse=61 fp=0xc90f6d58
INFO: Object 0xc90f6d20 @offset=3360 fp=0xc90f6d58
INFO: Allocated in get_modalias+0x61/0xf5 age=53 cpu=1 pid=554
2021-06-15 18:23:19 -07:00
Bytes b4 (0xc90f6d10): 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
Object (0xc90f6d20): 31 30 31 39 2e 30 30 35 1019.005
Redzone (0xc90f6d28): 00 cc cc cc .
Padding (0xc90f6d50): 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
2018-03-21 21:22:37 +02:00
[<c010523d> ] dump_trace+0x63/0x1eb
[<c01053df> ] show_trace_log_lvl+0x1a/0x2f
[<c010601d> ] show_trace+0x12/0x14
[<c0106035> ] dump_stack+0x16/0x18
[<c017e0fa> ] object_err+0x143/0x14b
[<c017e2cc> ] check_object+0x66/0x234
[<c017eb43> ] __slab_free+0x239/0x384
[<c017f446> ] kfree+0xa6/0xc6
[<c02e2335> ] get_modalias+0xb9/0xf5
[<c02e23b7> ] dmi_dev_uevent+0x27/0x3c
[<c027866a> ] dev_uevent+0x1ad/0x1da
[<c0205024> ] kobject_uevent_env+0x20a/0x45b
[<c020527f> ] kobject_uevent+0xa/0xf
[<c02779f1> ] store_uevent+0x4f/0x58
[<c027758e> ] dev_attr_store+0x29/0x2f
[<c01bec4f> ] sysfs_write_file+0x16e/0x19c
[<c0183ba7> ] vfs_write+0xd1/0x15a
[<c01841d7> ] sys_write+0x3d/0x72
[<c0104112> ] sysenter_past_esp+0x5f/0x99
[<b7f7b410> ] 0xb7f7b410
=======================
FIX kmalloc-8: Restoring Redzone 0xc90f6d28-0xc90f6d2b=0xcc
2007-05-31 00:40:47 -07:00
2007-07-17 04:03:18 -07:00
If SLUB encounters a corrupted object (full detection requires the kernel
2023-12-15 11:41:49 +08:00
to be booted with slab_debug) then the following output will be dumped
2007-07-17 04:03:18 -07:00
into the syslog:
2007-05-31 00:40:47 -07:00
2007-07-17 04:03:18 -07:00
1. Description of the problem encountered
2007-05-31 00:40:47 -07:00
2018-03-21 21:22:37 +02:00
This will be a message in the system log starting with::
2007-05-31 00:40:47 -07:00
2018-03-21 21:22:37 +02:00
===============================================
BUG <slab cache affected>: <What went wrong>
-----------------------------------------------
2007-05-31 00:40:47 -07:00
2018-03-21 21:22:37 +02:00
INFO: <corruption start>-<corruption_end> <more info>
INFO: Slab <address> <slab information>
INFO: Object <address> <object information>
INFO: Allocated in <kernel function> age=<jiffies since alloc> cpu=<allocated by
2007-07-17 04:03:18 -07:00
cpu> pid=<pid of the process>
2018-03-21 21:22:37 +02:00
INFO: Freed in <kernel function> age=<jiffies since free> cpu=<freed by cpu>
pid=<pid of the process>
2007-05-31 00:40:47 -07:00
2018-03-21 21:22:37 +02:00
(Object allocation / free information is only available if SLAB_STORE_USER is
2023-12-15 11:41:49 +08:00
set for the slab. slab_debug sets that option)
2007-05-31 00:40:47 -07:00
2007-07-17 04:03:18 -07:00
2. The object contents if an object was involved.
2007-05-31 00:40:47 -07:00
2018-03-21 21:22:37 +02:00
Various types of lines can follow the BUG SLUB line:
2007-05-31 00:40:47 -07:00
2018-03-21 21:22:37 +02:00
Bytes b4 <address> : <bytes>
2007-07-17 04:03:18 -07:00
Shows a few bytes before the object where the problem was detected.
2007-05-31 00:40:47 -07:00
Can be useful if the corruption does not stop with the start of the
object.
2018-03-21 21:22:37 +02:00
Object <address> : <bytes>
2007-05-31 00:40:47 -07:00
The bytes of the object. If the object is inactive then the bytes
2007-07-17 04:03:18 -07:00
typically contain poison values. Any non-poison value shows a
2007-05-31 00:40:47 -07:00
corruption by a write after free.
2018-03-21 21:22:37 +02:00
Redzone <address> : <bytes>
2007-07-17 04:03:18 -07:00
The Redzone following the object. The Redzone is used to detect
2007-05-31 00:40:47 -07:00
writes after the object. All bytes should always have the same
value. If there is any deviation then it is due to a write after
the object boundary.
2007-07-17 04:03:18 -07:00
(Redzone information is only available if SLAB_RED_ZONE is set.
2023-12-15 11:41:49 +08:00
slab_debug sets that option)
2007-05-31 00:40:47 -07:00
2018-03-21 21:22:37 +02:00
Padding <address> : <bytes>
2007-05-31 00:40:47 -07:00
Unused data to fill up the space in order to get the next object
properly aligned. In the debug case we make sure that there are
2007-07-17 04:03:18 -07:00
at least 4 bytes of padding. This allows the detection of writes
2007-05-31 00:40:47 -07:00
before the object.
2007-07-17 04:03:18 -07:00
3. A stackdump
2018-03-21 21:22:37 +02:00
The stackdump describes the location where the error was detected. The cause
of the corruption is may be more likely found by looking at the function that
allocated or freed the object.
2007-07-17 04:03:18 -07:00
4. Report on how the problem was dealt with in order to ensure the continued
2018-03-21 21:22:37 +02:00
operation of the system.
2007-07-17 04:03:18 -07:00
2018-03-21 21:22:37 +02:00
These are messages in the system log beginning with::
2007-07-17 04:03:18 -07:00
2018-03-21 21:22:37 +02:00
FIX <slab cache affected>: <corrective action taken>
2007-07-17 04:03:18 -07:00
2018-03-21 21:22:37 +02:00
In the above sample SLUB found that the Redzone of an active object has
been overwritten. Here a string of 8 characters was written into a slab that
has the length of 8 characters. However, a 8 character string needs a
terminating 0. That zero has overwritten the first byte of the Redzone field.
After reporting the details of the issue encountered the FIX SLUB message
tells us that SLUB has restored the Redzone to its proper value and then
system operations continue.
2007-07-17 04:03:18 -07:00
2018-03-21 21:22:37 +02:00
Emergency operations
====================
2007-07-17 04:03:18 -07:00
2018-03-21 21:22:37 +02:00
Minimal debugging (sanity checks alone) can be enabled by booting with::
2007-07-17 04:03:18 -07:00
2023-12-15 11:41:49 +08:00
slab_debug=F
2007-07-17 04:03:18 -07:00
This will be generally be enough to enable the resiliency features of slub
which will keep the system running even if a bad kernel component will
keep corrupting objects. This may be important for production systems.
Performance will be impacted by the sanity checks and there will be a
continual stream of error messages to the syslog but no additional memory
will be used (unlike full debugging).
No guarantees. The kernel component still needs to be fixed. Performance
may be optimized further by locating the slab that experiences corruption
and enabling debugging only for that cache
2018-03-21 21:22:37 +02:00
I.e.::
2007-07-17 04:03:18 -07:00
2023-12-15 11:41:49 +08:00
slab_debug=F,dentry
2007-07-17 04:03:18 -07:00
If the corruption occurs by writing after the end of the object then it
may be advisable to enable a Redzone to avoid corrupting the beginning
2018-03-21 21:22:37 +02:00
of other objects::
2007-07-17 04:03:18 -07:00
2023-12-15 11:41:49 +08:00
slab_debug=FZ,dentry
2007-05-31 00:40:47 -07:00
2015-10-23 08:51:45 +09:00
Extended slabinfo mode and plotting
2018-03-21 21:22:37 +02:00
===================================
2015-10-23 08:51:45 +09:00
2018-03-21 21:22:37 +02:00
The `` slabinfo `` tool has a special 'extended' ('-X') mode that includes:
2015-10-23 08:51:45 +09:00
- Slabcache Totals
- Slabs sorted by size (up to -N <num> slabs, default 1)
- Slabs sorted by loss (up to -N <num> slabs, default 1)
2018-03-21 21:22:37 +02:00
Additionally, in this mode `` slabinfo `` does not dynamically scale
sizes (G/M/K) and reports everything in bytes (this functionality is
also available to other slabinfo modes via '-B' option) which makes
reporting more precise and accurate. Moreover, in some sense the `-X'
mode also simplifies the analysis of slabs' behaviour, because its
output can be plotted using the `` slabinfo-gnuplot.sh `` script. So it
pushes the analysis from looking through the numbers (tons of numbers)
to something easier -- visual analysis.
2015-10-23 08:51:45 +09:00
To generate plots:
2018-03-21 21:22:37 +02:00
a) collect slabinfo extended records, for example::
while [ 1 ]; do slabinfo -X >> FOO_STATS; sleep 1; done
b) pass stats file(-s) to `` slabinfo-gnuplot.sh `` script::
slabinfo-gnuplot.sh FOO_STATS [FOO_STATS2 .. FOO_STATSN]
The `` slabinfo-gnuplot.sh `` script will pre-processes the collected records
and generates 3 png files (and 3 pre-processing cache files) per STATS
file:
- Slabcache Totals: FOO_STATS-totals.png
- Slabs sorted by size: FOO_STATS-slabs-by-size.png
- Slabs sorted by loss: FOO_STATS-slabs-by-loss.png
Another use case, when `` slabinfo-gnuplot.sh `` can be useful, is when you
need to compare slabs' behaviour "prior to" and "after" some code
modification. To help you out there, `` slabinfo-gnuplot.sh `` script
can 'merge' the `Slabcache Totals` sections from different
measurements. To visually compare N plots:
a) Collect as many STATS1, STATS2, .. STATSN files as you need::
while [ 1 ]; do slabinfo -X >> STATS<X>; sleep 1; done
b) Pre-process those STATS files::
slabinfo-gnuplot.sh STATS1 STATS2 .. STATSN
c) Execute `` slabinfo-gnuplot.sh `` in '-t' mode, passing all of the
generated pre-processed \*-totals::
slabinfo-gnuplot.sh -t STATS1-totals STATS2-totals .. STATSN-totals
This will produce a single plot (png file).
Plots, expectedly, can be large so some fluctuations or small spikes
can go unnoticed. To deal with that, `` slabinfo-gnuplot.sh `` has two
options to 'zoom-in'/'zoom-out':
2020-10-22 15:26:53 +01:00
a) `` -s %d,%d `` -- overwrites the default image width and height
2018-03-21 21:22:37 +02:00
b) `` -r %d,%d `` -- specifies a range of samples to use (for example,
in `` slabinfo -X >> FOO_STATS; sleep 1; `` case, using a `` -r
40,60`` range will plot only samples collected between 40th and
60th seconds).
2015-10-23 08:51:45 +09:00
2021-06-08 10:45:17 +02:00
DebugFS files for SLUB
======================
For more information about current state of SLUB caches with the user tracking
debug option enabled, debugfs files are available, typically under
/sys/kernel/debug/slab/<cache>/ (created only for caches with enabled user
tracking). There are 2 types of these files with the following debug
information:
1. alloc_traces::
Prints information about unique allocation traces of the currently
allocated objects. The output is sorted by frequency of each trace.
Information in the output:
mm/slub: enable debugging memory wasting of kmalloc
kmalloc's API family is critical for mm, with one nature that it will
round up the request size to a fixed one (mostly power of 2). Say
when user requests memory for '2^n + 1' bytes, actually 2^(n+1) bytes
could be allocated, so in worst case, there is around 50% memory
space waste.
The wastage is not a big issue for requests that get allocated/freed
quickly, but may cause problems with objects that have longer life
time.
We've met a kernel boot OOM panic (v5.10), and from the dumped slab
info:
[ 26.062145] kmalloc-2k 814056KB 814056KB
From debug we found there are huge number of 'struct iova_magazine',
whose size is 1032 bytes (1024 + 8), so each allocation will waste
1016 bytes. Though the issue was solved by giving the right (bigger)
size of RAM, it is still nice to optimize the size (either use a
kmalloc friendly size or create a dedicated slab for it).
And from lkml archive, there was another crash kernel OOM case [1]
back in 2019, which seems to be related with the similar slab waste
situation, as the log is similar:
[ 4.332648] iommu: Adding device 0000:20:02.0 to group 16
[ 4.338946] swapper/0 invoked oom-killer: gfp_mask=0x6040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null), order=0, oom_score_adj=0
...
[ 4.857565] kmalloc-2048 59164KB 59164KB
The crash kernel only has 256M memory, and 59M is pretty big here.
(Note: the related code has been changed and optimised in recent
kernel [2], these logs are just picked to demo the problem, also
a patch changing its size to 1024 bytes has been merged)
So add an way to track each kmalloc's memory waste info, and
leverage the existing SLUB debug framework (specifically
SLUB_STORE_USER) to show its call stack of original allocation,
so that user can evaluate the waste situation, identify some hot
spots and optimize accordingly, for a better utilization of memory.
The waste info is integrated into existing interface:
'/sys/kernel/debug/slab/kmalloc-xx/alloc_traces', one example of
'kmalloc-4k' after boot is:
126 ixgbe_alloc_q_vector+0xbe/0x830 [ixgbe] waste=233856/1856 age=280763/281414/282065 pid=1330 cpus=32 nodes=1
__kmem_cache_alloc_node+0x11f/0x4e0
__kmalloc_node+0x4e/0x140
ixgbe_alloc_q_vector+0xbe/0x830 [ixgbe]
ixgbe_init_interrupt_scheme+0x2ae/0xc90 [ixgbe]
ixgbe_probe+0x165f/0x1d20 [ixgbe]
local_pci_probe+0x78/0xc0
work_for_cpu_fn+0x26/0x40
...
which means in 'kmalloc-4k' slab, there are 126 requests of
2240 bytes which got a 4KB space (wasting 1856 bytes each
and 233856 bytes in total), from ixgbe_alloc_q_vector().
And when system starts some real workload like multiple docker
instances, there could are more severe waste.
[1]. https://lkml.org/lkml/2019/8/12/266
[2]. https://lore.kernel.org/lkml/2920df89-9975-5785-f79b-257d3052dfaf@huawei.com/
[Thanks Hyeonggon for pointing out several bugs about sorting/format]
[Thanks Vlastimil for suggesting way to reduce memory usage of
orig_size and keep it only for kmalloc objects]
Signed-off-by: Feng Tang <feng.tang@intel.com>
Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: John Garry <john.garry@huawei.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
2022-09-13 14:54:20 +08:00
Number of objects, allocating function, possible memory wastage of
kmalloc objects(total/per-object), minimal/average/maximal jiffies
since alloc, pid range of the allocating processes, cpu mask of
allocating cpus, numa node mask of origins of memory, and stack trace.
2021-06-08 10:45:17 +02:00
Example:::
mm/slub: enable debugging memory wasting of kmalloc
kmalloc's API family is critical for mm, with one nature that it will
round up the request size to a fixed one (mostly power of 2). Say
when user requests memory for '2^n + 1' bytes, actually 2^(n+1) bytes
could be allocated, so in worst case, there is around 50% memory
space waste.
The wastage is not a big issue for requests that get allocated/freed
quickly, but may cause problems with objects that have longer life
time.
We've met a kernel boot OOM panic (v5.10), and from the dumped slab
info:
[ 26.062145] kmalloc-2k 814056KB 814056KB
From debug we found there are huge number of 'struct iova_magazine',
whose size is 1032 bytes (1024 + 8), so each allocation will waste
1016 bytes. Though the issue was solved by giving the right (bigger)
size of RAM, it is still nice to optimize the size (either use a
kmalloc friendly size or create a dedicated slab for it).
And from lkml archive, there was another crash kernel OOM case [1]
back in 2019, which seems to be related with the similar slab waste
situation, as the log is similar:
[ 4.332648] iommu: Adding device 0000:20:02.0 to group 16
[ 4.338946] swapper/0 invoked oom-killer: gfp_mask=0x6040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null), order=0, oom_score_adj=0
...
[ 4.857565] kmalloc-2048 59164KB 59164KB
The crash kernel only has 256M memory, and 59M is pretty big here.
(Note: the related code has been changed and optimised in recent
kernel [2], these logs are just picked to demo the problem, also
a patch changing its size to 1024 bytes has been merged)
So add an way to track each kmalloc's memory waste info, and
leverage the existing SLUB debug framework (specifically
SLUB_STORE_USER) to show its call stack of original allocation,
so that user can evaluate the waste situation, identify some hot
spots and optimize accordingly, for a better utilization of memory.
The waste info is integrated into existing interface:
'/sys/kernel/debug/slab/kmalloc-xx/alloc_traces', one example of
'kmalloc-4k' after boot is:
126 ixgbe_alloc_q_vector+0xbe/0x830 [ixgbe] waste=233856/1856 age=280763/281414/282065 pid=1330 cpus=32 nodes=1
__kmem_cache_alloc_node+0x11f/0x4e0
__kmalloc_node+0x4e/0x140
ixgbe_alloc_q_vector+0xbe/0x830 [ixgbe]
ixgbe_init_interrupt_scheme+0x2ae/0xc90 [ixgbe]
ixgbe_probe+0x165f/0x1d20 [ixgbe]
local_pci_probe+0x78/0xc0
work_for_cpu_fn+0x26/0x40
...
which means in 'kmalloc-4k' slab, there are 126 requests of
2240 bytes which got a 4KB space (wasting 1856 bytes each
and 233856 bytes in total), from ixgbe_alloc_q_vector().
And when system starts some real workload like multiple docker
instances, there could are more severe waste.
[1]. https://lkml.org/lkml/2019/8/12/266
[2]. https://lore.kernel.org/lkml/2920df89-9975-5785-f79b-257d3052dfaf@huawei.com/
[Thanks Hyeonggon for pointing out several bugs about sorting/format]
[Thanks Vlastimil for suggesting way to reduce memory usage of
orig_size and keep it only for kmalloc objects]
Signed-off-by: Feng Tang <feng.tang@intel.com>
Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: John Garry <john.garry@huawei.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
2022-09-13 14:54:20 +08:00
338 pci_alloc_dev+0x2c/0xa0 waste=521872/1544 age=290837/291891/293509 pid=1 cpus=106 nodes=0-1
__kmem_cache_alloc_node+0x11f/0x4e0
kmalloc_trace+0x26/0xa0
pci_alloc_dev+0x2c/0xa0
pci_scan_single_device+0xd2/0x150
pci_scan_slot+0xf7/0x2d0
pci_scan_child_bus_extend+0x4e/0x360
acpi_pci_root_create+0x32e/0x3b0
pci_acpi_scan_root+0x2b9/0x2d0
acpi_pci_root_add.cold.11+0x110/0xb0a
acpi_bus_attach+0x262/0x3f0
device_for_each_child+0xb7/0x110
acpi_dev_for_each_child+0x77/0xa0
acpi_bus_attach+0x108/0x3f0
device_for_each_child+0xb7/0x110
acpi_dev_for_each_child+0x77/0xa0
acpi_bus_attach+0x108/0x3f0
2021-06-08 10:45:17 +02:00
2. free_traces::
Prints information about unique freeing traces of the currently allocated
objects. The freeing traces thus come from the previous life-cycle of the
objects and are reported as not available for objects allocated for the first
time. The output is sorted by frequency of each trace.
Information in the output:
Number of objects, freeing function, minimal/average/maximal jiffies since free,
pid range of the freeing processes, cpu mask of freeing cpus, and stack trace.
Example:::
1980 <not-available> age=4294912290 pid=0 cpus=0
51 acpi_ut_update_ref_count+0x6a6/0x782 age=236886/237027/237772 pid=1 cpus=1
kfree+0x2db/0x420
acpi_ut_update_ref_count+0x6a6/0x782
acpi_ut_update_object_reference+0x1ad/0x234
acpi_ut_remove_reference+0x7d/0x84
acpi_rs_get_prt_method_data+0x97/0xd6
acpi_get_irq_routing_table+0x82/0xc4
acpi_pci_irq_find_prt_entry+0x8e/0x2e0
acpi_pci_irq_lookup+0x3a/0x1e0
acpi_pci_irq_enable+0x77/0x240
pcibios_enable_device+0x39/0x40
do_pci_enable_device.part.0+0x5d/0xe0
pci_enable_device_flags+0xfc/0x120
pci_enable_device+0x13/0x20
virtio_pci_probe+0x9e/0x170
local_pci_probe+0x48/0x80
pci_device_probe+0x105/0x1c0
2008-07-04 09:59:22 -07:00
Christoph Lameter, May 30, 2007
2015-10-23 08:51:45 +09:00
Sergey Senozhatsky, October 23, 2015