aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/vm/slub.txt
blob: df812b03b65d3383962496204d7c3f3e10f6308e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
Short users guide for SLUB
--------------------------

The basic philosophy of SLUB is very different from SLAB. SLAB
requires rebuilding the kernel to activate debug options for all
slab caches. SLUB always includes full debugging but it is off by default.
SLUB can enable debugging only for selected slabs in order to avoid
an impact on overall system performance which may make a bug more
difficult to find.

In order to switch debugging on one can add a option "slub_debug"
to the kernel command line. That will enable full debugging for
all slabs.

Typically one would then use the "slabinfo" command to get statistical
data and perform operation on the slabs. By default slabinfo only lists
slabs that have data in them. See "slabinfo -h" for more options when
running the command. slabinfo can be compiled with

gcc -o slabinfo Documentation/vm/slabinfo.c

Some of the modes of operation of slabinfo require that slub debugging
be enabled on the command line. F.e. no tracking information will be
available without debugging on and validation can only partially
be performed if debugging was not switched on.

Some more sophisticated uses of slub_debug:
-------------------------------------------

Parameters may be given to slub_debug. If none is specified then full
debugging is enabled. Format:

slub_debug=<Debug-Options>       Enable options for all slabs
slub_debug=<Debug-Options>,<slab name>
				Enable options only for select slabs

Possible debug options are
	F		Sanity checks on (enables SLAB_DEBUG_FREE. Sorry
			SLAB legacy issues)
	Z		Red zoning
	P		Poisoning (object and padding)
	U		User tracking (free and alloc)
	T		Trace (please only use on single slabs)
	-		Switch all debugging off (useful if the kernel is
			configured with CONFIG_SLUB_DEBUG_ON)

F.e. in order to boot just with sanity checks and red zoning one would specify:

	slub_debug=FZ

Trying to find an issue in the dentry cache? Try

	slub_debug=,dentry_cache

to only enable debugging on the dentry cache.

Red zoning and tracking may realign the slab.  We can just apply sanity checks
to the dentry cache with

	slub_debug=F,dentry_cache

In case you forgot to enable debugging on the kernel command line: It is
possible to enable debugging manually when the kernel is up. Look at the
contents of:

/sys/slab/<slab name>/

Look at the writable files. Writing 1 to them will enable the
corresponding debug option. All options can be set on a slab that does
not contain objects. If the slab already contains objects then sanity checks
and tracing may only be enabled. The other options may cause the realignment
of objects.

Careful with tracing: It may spew out lots of information and never stop if
used on the wrong slab.

Slab merging
------------

If no debug options are specified then SLUB may merge similar slabs together
in order to reduce overhead and increase cache hotness of objects.
slabinfo -a displays which slabs were merged together.

Slab validation
---------------

SLUB can validate all object if the kernel was booted with slub_debug. In
order to do so you must have the slabinfo tool. Then you can do

slabinfo -v

which will test all objects. Output will be generated to the syslog.

This also works in a more limited way if boot was without slab debug.
In that case slabinfo -v simply tests all reachable objects. Usually
these are in the cpu slabs and the partial slabs. Full slabs are not
tracked by SLUB in a non debug situation.

Getting more performance
------------------------

To some degree SLUB's performance is limited by the need to take the
list_lock once in a while to deal with partial slabs. That overhead is
governed by the order of the allocation for each slab. The allocations
can be influenced by kernel parameters:

slub_min_objects=x		(default 4)
slub_min_order=x		(default 0)
slub_max_order=x		(default 1)

slub_min_objects allows to specify how many objects must at least fit
into one slab in order for the allocation order to be acceptable.
In general slub will be able to perform this number of allocations
on a slab without consulting centralized resources (list_lock) where
contention may occur.

slub_min_order specifies a minim order of slabs. A similar effect like
slub_min_objects.

slub_max_order specified the order at which slub_min_objects should no
longer be checked. This is useful to avoid SLUB trying to generate
super large order pages to fit slub_min_objects of a slab cache with
large object sizes into one high order page.

SLUB Debug output
-----------------

Here is a sample of slub debug output:

*** SLUB kmalloc-8: Redzone Active@0xc90f6d20 slab 0xc528c530 offset=3360 flags=0x400000c3 inuse=61 freelist=0xc90f6d58
  Bytes b4 0xc90f6d10:  00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
    Object 0xc90f6d20:  31 30 31 39 2e 30 30 35                         1019.005
   Redzone 0xc90f6d28:  00 cc cc cc                                     .
FreePointer 0xc90f6d2c -> 0xc90f6d58
Last alloc: get_modalias+0x61/0xf5 jiffies_ago=53 cpu=1 pid=554
Filler 0xc90f6d50:  5a 5a 5a 5a 5a 5a 5a 5a                         ZZZZZZZZ
  [<c010523d>] dump_trace+0x63/0x1eb
  [<c01053df>] show_trace_log_lvl+0x1a/0x2f
  [<c010601d>] show_trace+0x12/0x14
  [<c0106035>] dump_stack+0x16/0x18
  [<c017e0fa>] object_err+0x143/0x14b
  [<c017e2cc>] check_object+0x66/0x234
  [<c017eb43>] __slab_free+0x239/0x384
  [<c017f446>] kfree+0xa6/0xc6
  [<c02e2335>] get_modalias+0xb9/0xf5
  [<c02e23b7>] dmi_dev_uevent+0x27/0x3c
  [<c027866a>] dev_uevent+0x1ad/0x1da
  [<c0205024>] kobject_uevent_env+0x20a/0x45b
  [<c020527f>] kobject_uevent+0xa/0xf
  [<c02779f1>] store_uevent+0x4f/0x58
  [<c027758e>] dev_attr_store+0x29/0x2f
  [<c01bec4f>] sysfs_write_file+0x16e/0x19c
  [<c0183ba7>] vfs_write+0xd1/0x15a
  [<c01841d7>] sys_write+0x3d/0x72
  [<c0104112>] sysenter_past_esp+0x5f/0x99
  [<b7f7b410>] 0xb7f7b410
  =======================
@@@ SLUB kmalloc-8: Restoring redzone (0xcc) from 0xc90f6d28-0xc90f6d2b



If SLUB encounters a corrupted object then it will perform the following
actions:

1. Isolation and report of the issue

This will be a message in the system log starting with

*** SLUB <slab cache affected>: <What went wrong>@<object address>
offset=<offset of object into slab> flags=<slabflags>
inuse=<objects in use in this slab> freelist=<first free object in slab>

2. Report on how the problem was dealt with in order to ensure the continued
operation of the system.

These are messages in the system log beginning with

@@@ SLUB <slab cache affected>: <corrective action taken>


In the above sample SLUB found that the Redzone of an active object has
been overwritten. Here a string of 8 characters was written into a slab that
has the length of 8 characters. However, a 8 character string needs a
terminating 0. That zero has overwritten the first byte of the Redzone field.
After reporting the details of the issue encountered the @@@ SLUB message
tell us that SLUB has restored the redzone to its proper value and then
system operations continue.

Various types of lines can follow the @@@ SLUB line:

Bytes b4 <address> : <bytes>
	Show a few bytes before the object where the problem was detected.
	Can be useful if the corruption does not stop with the start of the
	object.

Object <address> : <bytes>
	The bytes of the object. If the object is inactive then the bytes
	typically contain poisoning values. Any non-poison value shows a
	corruption by a write after free.

Redzone <address> : <bytes>
	The redzone following the object. The redzone is used to detect
	writes after the object. All bytes should always have the same
	value. If there is any deviation then it is due to a write after
	the object boundary.

Freepointer
	The pointer to the next free object in the slab. May become
	corrupted if overwriting continues after the red zone.

Last alloc:
Last free:
	Shows the address from which the object was allocated/freed last.
	We note the pid, the time and the CPU that did so. This is usually
	the most useful information to figure out where things went wrong.
	Here get_modalias() did an kmalloc(8) instead of a kmalloc(9).

Filler <address> : <bytes>
	Unused data to fill up the space in order to get the next object
	properly aligned. In the debug case we make sure that there are
	at least 4 bytes of filler. This allow for the detection of writes
	before the object.

Following the filler will be a stackdump. That stackdump describes the
location where the error was detected. The cause of the corruption is more
likely to be found by looking at the information about the last alloc / free.

Christoph Lameter, <clameter@sgi.com>, May 23, 2007