the-tree/mm/slab.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * linux/mm/slab.c
0004  * Written by Mark Hemment, 1996/97.
0005  * (markhe@nextd.demon.co.uk)
0006  *
0007  * kmem_cache_destroy() + some cleanup - 1999 Andrea Arcangeli
0008  *
0009  * Major cleanup, different bufctl logic, per-cpu arrays
0010  *  (c) 2000 Manfred Spraul
0011  *
0012  * Cleanup, make the head arrays unconditional, preparation for NUMA
0013  *  (c) 2002 Manfred Spraul
0014  *
0015  * An implementation of the Slab Allocator as described in outline in;
0016  *  UNIX Internals: The New Frontiers by Uresh Vahalia
0017  *  Pub: Prentice Hall  ISBN 0-13-101908-2
0018  * or with a little more detail in;
0019  *  The Slab Allocator: An Object-Caching Kernel Memory Allocator
0020  *  Jeff Bonwick (Sun Microsystems).
0021  *  Presented at: USENIX Summer 1994 Technical Conference
0022  *
0023  * The memory is organized in caches, one cache for each object type.
0024  * (e.g. inode_cache, dentry_cache, buffer_head, vm_area_struct)
0025  * Each cache consists out of many slabs (they are small (usually one
0026  * page long) and always contiguous), and each slab contains multiple
0027  * initialized objects.
0028  *
0029  * This means, that your constructor is used only for newly allocated
0030  * slabs and you must pass objects with the same initializations to
0031  * kmem_cache_free.
0032  *
0033  * Each cache can only support one memory type (GFP_DMA, GFP_HIGHMEM,
0034  * normal). If you need a special memory type, then must create a new
0035  * cache for that memory type.
0036  *
0037  * In order to reduce fragmentation, the slabs are sorted in 3 groups:
0038  *   full slabs with 0 free objects
0039  *   partial slabs
0040  *   empty slabs with no allocated objects
0041  *
0042  * If partial slabs exist, then new allocations come from these slabs,
0043  * otherwise from empty slabs or new slabs are allocated.
0044  *
0045  * kmem_cache_destroy() CAN CRASH if you try to allocate from the cache
0046  * during kmem_cache_destroy(). The caller must prevent concurrent allocs.
0047  *
0048  * Each cache has a short per-cpu head array, most allocs
0049  * and frees go into that array, and if that array overflows, then 1/2
0050  * of the entries in the array are given back into the global cache.
0051  * The head array is strictly LIFO and should improve the cache hit rates.
0052  * On SMP, it additionally reduces the spinlock operations.
0053  *
0054  * The c_cpuarray may not be read with enabled local interrupts -
0055  * it's changed with a smp_call_function().
0056  *
0057  * SMP synchronization:
0058  *  constructors and destructors are called without any locking.
0059  *  Several members in struct kmem_cache and struct slab never change, they
0060  *  are accessed without any locking.
0061  *  The per-cpu arrays are never accessed from the wrong cpu, no locking,
0062  *      and local interrupts are disabled so slab code is preempt-safe.
0063  *  The non-constant members are protected with a per-cache irq spinlock.
0064  *
0065  * Many thanks to Mark Hemment, who wrote another per-cpu slab patch
0066  * in 2000 - many ideas in the current implementation are derived from
0067  * his patch.
0068  *
0069  * Further notes from the original documentation:
0070  *
0071  * 11 April '97.  Started multi-threading - markhe
0072  *  The global cache-chain is protected by the mutex 'slab_mutex'.
0073  *  The sem is only needed when accessing/extending the cache-chain, which
0074  *  can never happen inside an interrupt (kmem_cache_create(),
0075  *  kmem_cache_shrink() and kmem_cache_reap()).
0076  *
0077  *  At present, each engine can be growing a cache.  This should be blocked.
0078  *
0079  * 15 March 2005. NUMA slab allocator.
0080  *  Shai Fultheim <shai@scalex86.org>.
0081  *  Shobhit Dayal <shobhit@calsoftinc.com>
0082  *  Alok N Kataria <alokk@calsoftinc.com>
0083  *  Christoph Lameter <christoph@lameter.com>
0084  *
0085  *  Modified the slab allocator to be node aware on NUMA systems.
0086  *  Each node has its own list of partial, free and full slabs.
0087  *  All object allocations for a node occur from node specific slab lists.
0088  */
0089
0090 #include    <linux/slab.h>
0091 #include    <linux/mm.h>
0092 #include    <linux/poison.h>
0093 #include    <linux/swap.h>
0094 #include    <linux/cache.h>
0095 #include    <linux/interrupt.h>
0096 #include    <linux/init.h>
0097 #include    <linux/compiler.h>
0098 #include    <linux/cpuset.h>
0099 #include    <linux/proc_fs.h>
0100 #include    <linux/seq_file.h>
0101 #include    <linux/notifier.h>
0102 #include    <linux/kallsyms.h>
0103 #include    <linux/kfence.h>
0104 #include    <linux/cpu.h>
0105 #include    <linux/sysctl.h>
0106 #include    <linux/module.h>
0107 #include    <linux/rcupdate.h>
0108 #include    <linux/string.h>
0109 #include    <linux/uaccess.h>
0110 #include    <linux/nodemask.h>
0111 #include    <linux/kmemleak.h>
0112 #include    <linux/mempolicy.h>
0113 #include    <linux/mutex.h>
0114 #include    <linux/fault-inject.h>
0115 #include    <linux/rtmutex.h>
0116 #include    <linux/reciprocal_div.h>
0117 #include    <linux/debugobjects.h>
0118 #include    <linux/memory.h>
0119 #include    <linux/prefetch.h>
0120 #include    <linux/sched/task_stack.h>
0121
0122 #include    <net/sock.h>
0123
0124 #include    <asm/cacheflush.h>
0125 #include    <asm/tlbflush.h>
0126 #include    <asm/page.h>
0127
0128 #include <trace/events/kmem.h>
0129
0130 #include    "internal.h"
0131
0132 #include    "slab.h"
0133
0134 /*
0135  * DEBUG    - 1 for kmem_cache_create() to honour; SLAB_RED_ZONE & SLAB_POISON.
0136  *        0 for faster, smaller code (especially in the critical paths).
0137  *
0138  * STATS    - 1 to collect stats for /proc/slabinfo.
0139  *        0 for faster, smaller code (especially in the critical paths).
0140  *
0141  * FORCED_DEBUG - 1 enables SLAB_RED_ZONE and SLAB_POISON (if possible)
0142  */
0143
0144 #ifdef CONFIG_DEBUG_SLAB
0145 #define DEBUG       1
0146 #define STATS       1
0147 #define FORCED_DEBUG    1
0148 #else
0149 #define DEBUG       0
0150 #define STATS       0
0151 #define FORCED_DEBUG    0
0152 #endif
0153
0154 /* Shouldn't this be in a header file somewhere? */
0155 #define BYTES_PER_WORD      sizeof(void *)
0156 #define REDZONE_ALIGN       max(BYTES_PER_WORD, __alignof__(unsigned long long))
0157
0158 #ifndef ARCH_KMALLOC_FLAGS
0159 #define ARCH_KMALLOC_FLAGS SLAB_HWCACHE_ALIGN
0160 #endif
0161
0162 #define FREELIST_BYTE_INDEX (((PAGE_SIZE >> BITS_PER_BYTE) \
0163                 <= SLAB_OBJ_MIN_SIZE) ? 1 : 0)
0164
0165 #if FREELIST_BYTE_INDEX
0166 typedef unsigned char freelist_idx_t;
0167 #else
0168 typedef unsigned short freelist_idx_t;
0169 #endif
0170
0171 #define SLAB_OBJ_MAX_NUM ((1 << sizeof(freelist_idx_t) * BITS_PER_BYTE) - 1)
0172
0173 /*
0174  * struct array_cache
0175  *
0176  * Purpose:
0177  * - LIFO ordering, to hand out cache-warm objects from _alloc
0178  * - reduce the number of linked list operations
0179  * - reduce spinlock operations
0180  *
0181  * The limit is stored in the per-cpu structure to reduce the data cache
0182  * footprint.
0183  *
0184  */
0185 struct array_cache {
0186     unsigned int avail;
0187     unsigned int limit;
0188     unsigned int batchcount;
0189     unsigned int touched;
0190     void *entry[];  /*
0191              * Must have this definition in here for the proper
0192              * alignment of array_cache. Also simplifies accessing
0193              * the entries.
0194              */
0195 };
0196
0197 struct alien_cache {
0198     spinlock_t lock;
0199     struct array_cache ac;
0200 };
0201
0202 /*
0203  * Need this for bootstrapping a per node allocator.
0204  */
0205 #define NUM_INIT_LISTS (2 * MAX_NUMNODES)
0206 static struct kmem_cache_node __initdata init_kmem_cache_node[NUM_INIT_LISTS];
0207 #define CACHE_CACHE 0
0208 #define SIZE_NODE (MAX_NUMNODES)
0209
0210 static int drain_freelist(struct kmem_cache *cache,
0211             struct kmem_cache_node *n, int tofree);
0212 static void free_block(struct kmem_cache *cachep, void **objpp, int len,
0213             int node, struct list_head *list);
0214 static void slabs_destroy(struct kmem_cache *cachep, struct list_head *list);
0215 static int enable_cpucache(struct kmem_cache *cachep, gfp_t gfp);
0216 static void cache_reap(struct work_struct *unused);
0217
0218 static inline void fixup_objfreelist_debug(struct kmem_cache *cachep,
0219                         void **list);
0220 static inline void fixup_slab_list(struct kmem_cache *cachep,
0221                 struct kmem_cache_node *n, struct slab *slab,
0222                 void **list);
0223 static int slab_early_init = 1;
0224
0225 #define INDEX_NODE kmalloc_index(sizeof(struct kmem_cache_node))
0226
0227 static void kmem_cache_node_init(struct kmem_cache_node *parent)
0228 {
0229     INIT_LIST_HEAD(&parent->slabs_full);
0230     INIT_LIST_HEAD(&parent->slabs_partial);
0231     INIT_LIST_HEAD(&parent->slabs_free);
0232     parent->total_slabs = 0;
0233     parent->free_slabs = 0;
0234     parent->shared = NULL;
0235     parent->alien = NULL;
0236     parent->colour_next = 0;
0237     spin_lock_init(&parent->list_lock);
0238     parent->free_objects = 0;
0239     parent->free_touched = 0;
0240 }
0241
0242 #define MAKE_LIST(cachep, listp, slab, nodeid)              \
0243     do {                                \
0244         INIT_LIST_HEAD(listp);                  \
0245         list_splice(&get_node(cachep, nodeid)->slab, listp);    \
0246     } while (0)
0247
0248 #define MAKE_ALL_LISTS(cachep, ptr, nodeid)             \
0249     do {                                \
0250     MAKE_LIST((cachep), (&(ptr)->slabs_full), slabs_full, nodeid);  \
0251     MAKE_LIST((cachep), (&(ptr)->slabs_partial), slabs_partial, nodeid); \
0252     MAKE_LIST((cachep), (&(ptr)->slabs_free), slabs_free, nodeid);  \
0253     } while (0)
0254
0255 #define CFLGS_OBJFREELIST_SLAB  ((slab_flags_t __force)0x40000000U)
0256 #define CFLGS_OFF_SLAB      ((slab_flags_t __force)0x80000000U)
0257 #define OBJFREELIST_SLAB(x) ((x)->flags & CFLGS_OBJFREELIST_SLAB)
0258 #define OFF_SLAB(x) ((x)->flags & CFLGS_OFF_SLAB)
0259
0260 #define BATCHREFILL_LIMIT   16
0261 /*
0262  * Optimization question: fewer reaps means less probability for unnecessary
0263  * cpucache drain/refill cycles.
0264  *
0265  * OTOH the cpuarrays can contain lots of objects,
0266  * which could lock up otherwise freeable slabs.
0267  */
0268 #define REAPTIMEOUT_AC      (2*HZ)
0269 #define REAPTIMEOUT_NODE    (4*HZ)
0270
0271 #if STATS
0272 #define STATS_INC_ACTIVE(x) ((x)->num_active++)
0273 #define STATS_DEC_ACTIVE(x) ((x)->num_active--)
0274 #define STATS_INC_ALLOCED(x)    ((x)->num_allocations++)
0275 #define STATS_INC_GROWN(x)  ((x)->grown++)
0276 #define STATS_ADD_REAPED(x, y)  ((x)->reaped += (y))
0277 #define STATS_SET_HIGH(x)                       \
0278     do {                                \
0279         if ((x)->num_active > (x)->high_mark)           \
0280             (x)->high_mark = (x)->num_active;       \
0281     } while (0)
0282 #define STATS_INC_ERR(x)    ((x)->errors++)
0283 #define STATS_INC_NODEALLOCS(x) ((x)->node_allocs++)
0284 #define STATS_INC_NODEFREES(x)  ((x)->node_frees++)
0285 #define STATS_INC_ACOVERFLOW(x)   ((x)->node_overflow++)
0286 #define STATS_SET_FREEABLE(x, i)                    \
0287     do {                                \
0288         if ((x)->max_freeable < i)              \
0289             (x)->max_freeable = i;              \
0290     } while (0)
0291 #define STATS_INC_ALLOCHIT(x)   atomic_inc(&(x)->allochit)
0292 #define STATS_INC_ALLOCMISS(x)  atomic_inc(&(x)->allocmiss)
0293 #define STATS_INC_FREEHIT(x)    atomic_inc(&(x)->freehit)
0294 #define STATS_INC_FREEMISS(x)   atomic_inc(&(x)->freemiss)
0295 #else
0296 #define STATS_INC_ACTIVE(x) do { } while (0)
0297 #define STATS_DEC_ACTIVE(x) do { } while (0)
0298 #define STATS_INC_ALLOCED(x)    do { } while (0)
0299 #define STATS_INC_GROWN(x)  do { } while (0)
0300 #define STATS_ADD_REAPED(x, y)  do { (void)(y); } while (0)
0301 #define STATS_SET_HIGH(x)   do { } while (0)
0302 #define STATS_INC_ERR(x)    do { } while (0)
0303 #define STATS_INC_NODEALLOCS(x) do { } while (0)
0304 #define STATS_INC_NODEFREES(x)  do { } while (0)
0305 #define STATS_INC_ACOVERFLOW(x)   do { } while (0)
0306 #define STATS_SET_FREEABLE(x, i) do { } while (0)
0307 #define STATS_INC_ALLOCHIT(x)   do { } while (0)
0308 #define STATS_INC_ALLOCMISS(x)  do { } while (0)
0309 #define STATS_INC_FREEHIT(x)    do { } while (0)
0310 #define STATS_INC_FREEMISS(x)   do { } while (0)
0311 #endif
0312
0313 #if DEBUG
0314
0315 /*
0316  * memory layout of objects:
0317  * 0        : objp
0318  * 0 .. cachep->obj_offset - BYTES_PER_WORD - 1: padding. This ensures that
0319  *      the end of an object is aligned with the end of the real
0320  *      allocation. Catches writes behind the end of the allocation.
0321  * cachep->obj_offset - BYTES_PER_WORD .. cachep->obj_offset - 1:
0322  *      redzone word.
0323  * cachep->obj_offset: The real object.
0324  * cachep->size - 2* BYTES_PER_WORD: redzone word [BYTES_PER_WORD long]
0325  * cachep->size - 1* BYTES_PER_WORD: last caller address
0326  *                  [BYTES_PER_WORD long]
0327  */
0328 static int obj_offset(struct kmem_cache *cachep)
0329 {
0330     return cachep->obj_offset;
0331 }
0332
0333 static unsigned long long *dbg_redzone1(struct kmem_cache *cachep, void *objp)
0334 {
0335     BUG_ON(!(cachep->flags & SLAB_RED_ZONE));
0336     return (unsigned long long *) (objp + obj_offset(cachep) -
0337                       sizeof(unsigned long long));
0338 }
0339
0340 static unsigned long long *dbg_redzone2(struct kmem_cache *cachep, void *objp)
0341 {
0342     BUG_ON(!(cachep->flags & SLAB_RED_ZONE));
0343     if (cachep->flags & SLAB_STORE_USER)
0344         return (unsigned long long *)(objp + cachep->size -
0345                           sizeof(unsigned long long) -
0346                           REDZONE_ALIGN);
0347     return (unsigned long long *) (objp + cachep->size -
0348                        sizeof(unsigned long long));
0349 }
0350
0351 static void **dbg_userword(struct kmem_cache *cachep, void *objp)
0352 {
0353     BUG_ON(!(cachep->flags & SLAB_STORE_USER));
0354     return (void **)(objp + cachep->size - BYTES_PER_WORD);
0355 }
0356
0357 #else
0358
0359 #define obj_offset(x)           0
0360 #define dbg_redzone1(cachep, objp)  ({BUG(); (unsigned long long *)NULL;})
0361 #define dbg_redzone2(cachep, objp)  ({BUG(); (unsigned long long *)NULL;})
0362 #define dbg_userword(cachep, objp)  ({BUG(); (void **)NULL;})
0363
0364 #endif
0365
0366 /*
0367  * Do not go above this order unless 0 objects fit into the slab or
0368  * overridden on the command line.
0369  */
0370 #define SLAB_MAX_ORDER_HI   1
0371 #define SLAB_MAX_ORDER_LO   0
0372 static int slab_max_order = SLAB_MAX_ORDER_LO;
0373 static bool slab_max_order_set __initdata;
0374
0375 static inline void *index_to_obj(struct kmem_cache *cache,
0376                  const struct slab *slab, unsigned int idx)
0377 {
0378     return slab->s_mem + cache->size * idx;
0379 }
0380
0381 #define BOOT_CPUCACHE_ENTRIES   1
0382 /* internal cache of cache description objs */
0383 static struct kmem_cache kmem_cache_boot = {
0384     .batchcount = 1,
0385     .limit = BOOT_CPUCACHE_ENTRIES,
0386     .shared = 1,
0387     .size = sizeof(struct kmem_cache),
0388     .name = "kmem_cache",
0389 };
0390
0391 static DEFINE_PER_CPU(struct delayed_work, slab_reap_work);
0392
0393 static inline struct array_cache *cpu_cache_get(struct kmem_cache *cachep)
0394 {
0395     return this_cpu_ptr(cachep->cpu_cache);
0396 }
0397
0398 /*
0399  * Calculate the number of objects and left-over bytes for a given buffer size.
0400  */
0401 static unsigned int cache_estimate(unsigned long gfporder, size_t buffer_size,
0402         slab_flags_t flags, size_t *left_over)
0403 {
0404     unsigned int num;
0405     size_t slab_size = PAGE_SIZE << gfporder;
0406
0407     /*
0408      * The slab management structure can be either off the slab or
0409      * on it. For the latter case, the memory allocated for a
0410      * slab is used for:
0411      *
0412      * - @buffer_size bytes for each object
0413      * - One freelist_idx_t for each object
0414      *
0415      * We don't need to consider alignment of freelist because
0416      * freelist will be at the end of slab page. The objects will be
0417      * at the correct alignment.
0418      *
0419      * If the slab management structure is off the slab, then the
0420      * alignment will already be calculated into the size. Because
0421      * the slabs are all pages aligned, the objects will be at the
0422      * correct alignment when allocated.
0423      */
0424     if (flags & (CFLGS_OBJFREELIST_SLAB | CFLGS_OFF_SLAB)) {
0425         num = slab_size / buffer_size;
0426         *left_over = slab_size % buffer_size;
0427     } else {
0428         num = slab_size / (buffer_size + sizeof(freelist_idx_t));
0429         *left_over = slab_size %
0430             (buffer_size + sizeof(freelist_idx_t));
0431     }
0432
0433     return num;
0434 }
0435
0436 #if DEBUG
0437 #define slab_error(cachep, msg) __slab_error(__func__, cachep, msg)
0438
0439 static void __slab_error(const char *function, struct kmem_cache *cachep,
0440             char *msg)
0441 {
0442     pr_err("slab error in %s(): cache `%s': %s\n",
0443            function, cachep->name, msg);
0444     dump_stack();
0445     add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
0446 }
0447 #endif
0448
0449 /*
0450  * By default on NUMA we use alien caches to stage the freeing of
0451  * objects allocated from other nodes. This causes massive memory
0452  * inefficiencies when using fake NUMA setup to split memory into a
0453  * large number of small nodes, so it can be disabled on the command
0454  * line
0455   */
0456
0457 static int use_alien_caches __read_mostly = 1;
0458 static int __init noaliencache_setup(char *s)
0459 {
0460     use_alien_caches = 0;
0461     return 1;
0462 }
0463 __setup("noaliencache", noaliencache_setup);
0464
0465 static int __init slab_max_order_setup(char *str)
0466 {
0467     get_option(&str, &slab_max_order);
0468     slab_max_order = slab_max_order < 0 ? 0 :
0469                 min(slab_max_order, MAX_ORDER - 1);
0470     slab_max_order_set = true;
0471
0472     return 1;
0473 }
0474 __setup("slab_max_order=", slab_max_order_setup);
0475
0476 #ifdef CONFIG_NUMA
0477 /*
0478  * Special reaping functions for NUMA systems called from cache_reap().
0479  * These take care of doing round robin flushing of alien caches (containing
0480  * objects freed on different nodes from which they were allocated) and the
0481  * flushing of remote pcps by calling drain_node_pages.
0482  */
0483 static DEFINE_PER_CPU(unsigned long, slab_reap_node);
0484
0485 static void init_reap_node(int cpu)
0486 {
0487     per_cpu(slab_reap_node, cpu) = next_node_in(cpu_to_mem(cpu),
0488                             node_online_map);
0489 }
0490
0491 static void next_reap_node(void)
0492 {
0493     int node = __this_cpu_read(slab_reap_node);
0494
0495     node = next_node_in(node, node_online_map);
0496     __this_cpu_write(slab_reap_node, node);
0497 }
0498
0499 #else
0500 #define init_reap_node(cpu) do { } while (0)
0501 #define next_reap_node(void) do { } while (0)
0502 #endif
0503
0504 /*
0505  * Initiate the reap timer running on the target CPU.  We run at around 1 to 2Hz
0506  * via the workqueue/eventd.
0507  * Add the CPU number into the expiration time to minimize the possibility of
0508  * the CPUs getting into lockstep and contending for the global cache chain
0509  * lock.
0510  */
0511 static void start_cpu_timer(int cpu)
0512 {
0513     struct delayed_work *reap_work = &per_cpu(slab_reap_work, cpu);
0514
0515     if (reap_work->work.func == NULL) {
0516         init_reap_node(cpu);
0517         INIT_DEFERRABLE_WORK(reap_work, cache_reap);
0518         schedule_delayed_work_on(cpu, reap_work,
0519                     __round_jiffies_relative(HZ, cpu));
0520     }
0521 }
0522
0523 static void init_arraycache(struct array_cache *ac, int limit, int batch)
0524 {
0525     if (ac) {
0526         ac->avail = 0;
0527         ac->limit = limit;
0528         ac->batchcount = batch;
0529         ac->touched = 0;
0530     }
0531 }
0532
0533 static struct array_cache *alloc_arraycache(int node, int entries,
0534                         int batchcount, gfp_t gfp)
0535 {
0536     size_t memsize = sizeof(void *) * entries + sizeof(struct array_cache);
0537     struct array_cache *ac = NULL;
0538
0539     ac = kmalloc_node(memsize, gfp, node);
0540     /*
0541      * The array_cache structures contain pointers to free object.
0542      * However, when such objects are allocated or transferred to another
0543      * cache the pointers are not cleared and they could be counted as
0544      * valid references during a kmemleak scan. Therefore, kmemleak must
0545      * not scan such objects.
0546      */
0547     kmemleak_no_scan(ac);
0548     init_arraycache(ac, entries, batchcount);
0549     return ac;
0550 }
0551
0552 static noinline void cache_free_pfmemalloc(struct kmem_cache *cachep,
0553                     struct slab *slab, void *objp)
0554 {
0555     struct kmem_cache_node *n;
0556     int slab_node;
0557     LIST_HEAD(list);
0558
0559     slab_node = slab_nid(slab);
0560     n = get_node(cachep, slab_node);
0561
0562     spin_lock(&n->list_lock);
0563     free_block(cachep, &objp, 1, slab_node, &list);
0564     spin_unlock(&n->list_lock);
0565
0566     slabs_destroy(cachep, &list);
0567 }
0568
0569 /*
0570  * Transfer objects in one arraycache to another.
0571  * Locking must be handled by the caller.
0572  *
0573  * Return the number of entries transferred.
0574  */
0575 static int transfer_objects(struct array_cache *to,
0576         struct array_cache *from, unsigned int max)
0577 {
0578     /* Figure out how many entries to transfer */
0579     int nr = min3(from->avail, max, to->limit - to->avail);
0580
0581     if (!nr)
0582         return 0;
0583
0584     memcpy(to->entry + to->avail, from->entry + from->avail - nr,
0585             sizeof(void *) *nr);
0586
0587     from->avail -= nr;
0588     to->avail += nr;
0589     return nr;
0590 }
0591
0592 /* &alien->lock must be held by alien callers. */
0593 static __always_inline void __free_one(struct array_cache *ac, void *objp)
0594 {
0595     /* Avoid trivial double-free. */
0596     if (IS_ENABLED(CONFIG_SLAB_FREELIST_HARDENED) &&
0597         WARN_ON_ONCE(ac->avail > 0 && ac->entry[ac->avail - 1] == objp))
0598         return;
0599     ac->entry[ac->avail++] = objp;
0600 }
0601
0602 #ifndef CONFIG_NUMA
0603
0604 #define drain_alien_cache(cachep, alien) do { } while (0)
0605 #define reap_alien(cachep, n) do { } while (0)
0606
0607 static inline struct alien_cache **alloc_alien_cache(int node,
0608                         int limit, gfp_t gfp)
0609 {
0610     return NULL;
0611 }
0612
0613 static inline void free_alien_cache(struct alien_cache **ac_ptr)
0614 {
0615 }
0616
0617 static inline int cache_free_alien(struct kmem_cache *cachep, void *objp)
0618 {
0619     return 0;
0620 }
0621
0622 static inline gfp_t gfp_exact_node(gfp_t flags)
0623 {
0624     return flags & ~__GFP_NOFAIL;
0625 }
0626
0627 #else   /* CONFIG_NUMA */
0628
0629 static struct alien_cache *__alloc_alien_cache(int node, int entries,
0630                         int batch, gfp_t gfp)
0631 {
0632     size_t memsize = sizeof(void *) * entries + sizeof(struct alien_cache);
0633     struct alien_cache *alc = NULL;
0634
0635     alc = kmalloc_node(memsize, gfp, node);
0636     if (alc) {
0637         kmemleak_no_scan(alc);
0638         init_arraycache(&alc->ac, entries, batch);
0639         spin_lock_init(&alc->lock);
0640     }
0641     return alc;
0642 }
0643
0644 static struct alien_cache **alloc_alien_cache(int node, int limit, gfp_t gfp)
0645 {
0646     struct alien_cache **alc_ptr;
0647     int i;
0648
0649     if (limit > 1)
0650         limit = 12;
0651     alc_ptr = kcalloc_node(nr_node_ids, sizeof(void *), gfp, node);
0652     if (!alc_ptr)
0653         return NULL;
0654
0655     for_each_node(i) {
0656         if (i == node || !node_online(i))
0657             continue;
0658         alc_ptr[i] = __alloc_alien_cache(node, limit, 0xbaadf00d, gfp);
0659         if (!alc_ptr[i]) {
0660             for (i--; i >= 0; i--)
0661                 kfree(alc_ptr[i]);
0662             kfree(alc_ptr);
0663             return NULL;
0664         }
0665     }
0666     return alc_ptr;
0667 }
0668
0669 static void free_alien_cache(struct alien_cache **alc_ptr)
0670 {
0671     int i;
0672
0673     if (!alc_ptr)
0674         return;
0675     for_each_node(i)
0676         kfree(alc_ptr[i]);
0677     kfree(alc_ptr);
0678 }
0679
0680 static void __drain_alien_cache(struct kmem_cache *cachep,
0681                 struct array_cache *ac, int node,
0682                 struct list_head *list)
0683 {
0684     struct kmem_cache_node *n = get_node(cachep, node);
0685
0686     if (ac->avail) {
0687         spin_lock(&n->list_lock);
0688         /*
0689          * Stuff objects into the remote nodes shared array first.
0690          * That way we could avoid the overhead of putting the objects
0691          * into the free lists and getting them back later.
0692          */
0693         if (n->shared)
0694             transfer_objects(n->shared, ac, ac->limit);
0695
0696         free_block(cachep, ac->entry, ac->avail, node, list);
0697         ac->avail = 0;
0698         spin_unlock(&n->list_lock);
0699     }
0700 }
0701
0702 /*
0703  * Called from cache_reap() to regularly drain alien caches round robin.
0704  */
0705 static void reap_alien(struct kmem_cache *cachep, struct kmem_cache_node *n)
0706 {
0707     int node = __this_cpu_read(slab_reap_node);
0708
0709     if (n->alien) {
0710         struct alien_cache *alc = n->alien[node];
0711         struct array_cache *ac;
0712
0713         if (alc) {
0714             ac = &alc->ac;
0715             if (ac->avail && spin_trylock_irq(&alc->lock)) {
0716                 LIST_HEAD(list);
0717
0718                 __drain_alien_cache(cachep, ac, node, &list);
0719                 spin_unlock_irq(&alc->lock);
0720                 slabs_destroy(cachep, &list);
0721             }
0722         }
0723     }
0724 }
0725
0726 static void drain_alien_cache(struct kmem_cache *cachep,
0727                 struct alien_cache **alien)
0728 {
0729     int i = 0;
0730     struct alien_cache *alc;
0731     struct array_cache *ac;
0732     unsigned long flags;
0733
0734     for_each_online_node(i) {
0735         alc = alien[i];
0736         if (alc) {
0737             LIST_HEAD(list);
0738
0739             ac = &alc->ac;
0740             spin_lock_irqsave(&alc->lock, flags);
0741             __drain_alien_cache(cachep, ac, i, &list);
0742             spin_unlock_irqrestore(&alc->lock, flags);
0743             slabs_destroy(cachep, &list);
0744         }
0745     }
0746 }
0747
0748 static int __cache_free_alien(struct kmem_cache *cachep, void *objp,
0749                 int node, int slab_node)
0750 {
0751     struct kmem_cache_node *n;
0752     struct alien_cache *alien = NULL;
0753     struct array_cache *ac;
0754     LIST_HEAD(list);
0755
0756     n = get_node(cachep, node);
0757     STATS_INC_NODEFREES(cachep);
0758     if (n->alien && n->alien[slab_node]) {
0759         alien = n->alien[slab_node];
0760         ac = &alien->ac;
0761         spin_lock(&alien->lock);
0762         if (unlikely(ac->avail == ac->limit)) {
0763             STATS_INC_ACOVERFLOW(cachep);
0764             __drain_alien_cache(cachep, ac, slab_node, &list);
0765         }
0766         __free_one(ac, objp);
0767         spin_unlock(&alien->lock);
0768         slabs_destroy(cachep, &list);
0769     } else {
0770         n = get_node(cachep, slab_node);
0771         spin_lock(&n->list_lock);
0772         free_block(cachep, &objp, 1, slab_node, &list);
0773         spin_unlock(&n->list_lock);
0774         slabs_destroy(cachep, &list);
0775     }
0776     return 1;
0777 }
0778
0779 static inline int cache_free_alien(struct kmem_cache *cachep, void *objp)
0780 {
0781     int slab_node = slab_nid(virt_to_slab(objp));
0782     int node = numa_mem_id();
0783     /*
0784      * Make sure we are not freeing an object from another node to the array
0785      * cache on this cpu.
0786      */
0787     if (likely(node == slab_node))
0788         return 0;
0789
0790     return __cache_free_alien(cachep, objp, node, slab_node);
0791 }
0792
0793 /*
0794  * Construct gfp mask to allocate from a specific node but do not reclaim or
0795  * warn about failures.
0796  */
0797 static inline gfp_t gfp_exact_node(gfp_t flags)
0798 {
0799     return (flags | __GFP_THISNODE | __GFP_NOWARN) & ~(__GFP_RECLAIM|__GFP_NOFAIL);
0800 }
0801 #endif
0802
0803 static int init_cache_node(struct kmem_cache *cachep, int node, gfp_t gfp)
0804 {
0805     struct kmem_cache_node *n;
0806
0807     /*
0808      * Set up the kmem_cache_node for cpu before we can
0809      * begin anything. Make sure some other cpu on this
0810      * node has not already allocated this
0811      */
0812     n = get_node(cachep, node);
0813     if (n) {
0814         spin_lock_irq(&n->list_lock);
0815         n->free_limit = (1 + nr_cpus_node(node)) * cachep->batchcount +
0816                 cachep->num;
0817         spin_unlock_irq(&n->list_lock);
0818
0819         return 0;
0820     }
0821
0822     n = kmalloc_node(sizeof(struct kmem_cache_node), gfp, node);
0823     if (!n)
0824         return -ENOMEM;
0825
0826     kmem_cache_node_init(n);
0827     n->next_reap = jiffies + REAPTIMEOUT_NODE +
0828             ((unsigned long)cachep) % REAPTIMEOUT_NODE;
0829
0830     n->free_limit =
0831         (1 + nr_cpus_node(node)) * cachep->batchcount + cachep->num;
0832
0833     /*
0834      * The kmem_cache_nodes don't come and go as CPUs
0835      * come and go.  slab_mutex provides sufficient
0836      * protection here.
0837      */
0838     cachep->node[node] = n;
0839
0840     return 0;
0841 }
0842
0843 #if (defined(CONFIG_NUMA) && defined(CONFIG_MEMORY_HOTPLUG)) || defined(CONFIG_SMP)
0844 /*
0845  * Allocates and initializes node for a node on each slab cache, used for
0846  * either memory or cpu hotplug.  If memory is being hot-added, the kmem_cache_node
0847  * will be allocated off-node since memory is not yet online for the new node.
0848  * When hotplugging memory or a cpu, existing nodes are not replaced if
0849  * already in use.
0850  *
0851  * Must hold slab_mutex.
0852  */
0853 static int init_cache_node_node(int node)
0854 {
0855     int ret;
0856     struct kmem_cache *cachep;
0857
0858     list_for_each_entry(cachep, &slab_caches, list) {
0859         ret = init_cache_node(cachep, node, GFP_KERNEL);
0860         if (ret)
0861             return ret;
0862     }
0863
0864     return 0;
0865 }
0866 #endif
0867
0868 static int setup_kmem_cache_node(struct kmem_cache *cachep,
0869                 int node, gfp_t gfp, bool force_change)
0870 {
0871     int ret = -ENOMEM;
0872     struct kmem_cache_node *n;
0873     struct array_cache *old_shared = NULL;
0874     struct array_cache *new_shared = NULL;
0875     struct alien_cache **new_alien = NULL;
0876     LIST_HEAD(list);
0877
0878     if (use_alien_caches) {
0879         new_alien = alloc_alien_cache(node, cachep->limit, gfp);
0880         if (!new_alien)
0881             goto fail;
0882     }
0883
0884     if (cachep->shared) {
0885         new_shared = alloc_arraycache(node,
0886             cachep->shared * cachep->batchcount, 0xbaadf00d, gfp);
0887         if (!new_shared)
0888             goto fail;
0889     }
0890
0891     ret = init_cache_node(cachep, node, gfp);
0892     if (ret)
0893         goto fail;
0894
0895     n = get_node(cachep, node);
0896     spin_lock_irq(&n->list_lock);
0897     if (n->shared && force_change) {
0898         free_block(cachep, n->shared->entry,
0899                 n->shared->avail, node, &list);
0900         n->shared->avail = 0;
0901     }
0902
0903     if (!n->shared || force_change) {
0904         old_shared = n->shared;
0905         n->shared = new_shared;
0906         new_shared = NULL;
0907     }
0908
0909     if (!n->alien) {
0910         n->alien = new_alien;
0911         new_alien = NULL;
0912     }
0913
0914     spin_unlock_irq(&n->list_lock);
0915     slabs_destroy(cachep, &list);
0916
0917     /*
0918      * To protect lockless access to n->shared during irq disabled context.
0919      * If n->shared isn't NULL in irq disabled context, accessing to it is
0920      * guaranteed to be valid until irq is re-enabled, because it will be
0921      * freed after synchronize_rcu().
0922      */
0923     if (old_shared && force_change)
0924         synchronize_rcu();
0925
0926 fail:
0927     kfree(old_shared);
0928     kfree(new_shared);
0929     free_alien_cache(new_alien);
0930
0931     return ret;
0932 }
0933
0934 #ifdef CONFIG_SMP
0935
0936 static void cpuup_canceled(long cpu)
0937 {
0938     struct kmem_cache *cachep;
0939     struct kmem_cache_node *n = NULL;
0940     int node = cpu_to_mem(cpu);
0941     const struct cpumask *mask = cpumask_of_node(node);
0942
0943     list_for_each_entry(cachep, &slab_caches, list) {
0944         struct array_cache *nc;
0945         struct array_cache *shared;
0946         struct alien_cache **alien;
0947         LIST_HEAD(list);
0948
0949         n = get_node(cachep, node);
0950         if (!n)
0951             continue;
0952
0953         spin_lock_irq(&n->list_lock);
0954
0955         /* Free limit for this kmem_cache_node */
0956         n->free_limit -= cachep->batchcount;
0957
0958         /* cpu is dead; no one can alloc from it. */
0959         nc = per_cpu_ptr(cachep->cpu_cache, cpu);
0960         free_block(cachep, nc->entry, nc->avail, node, &list);
0961         nc->avail = 0;
0962
0963         if (!cpumask_empty(mask)) {
0964             spin_unlock_irq(&n->list_lock);
0965             goto free_slab;
0966         }
0967
0968         shared = n->shared;
0969         if (shared) {
0970             free_block(cachep, shared->entry,
0971                    shared->avail, node, &list);
0972             n->shared = NULL;
0973         }
0974
0975         alien = n->alien;
0976         n->alien = NULL;
0977
0978         spin_unlock_irq(&n->list_lock);
0979
0980         kfree(shared);
0981         if (alien) {
0982             drain_alien_cache(cachep, alien);
0983             free_alien_cache(alien);
0984         }
0985
0986 free_slab:
0987         slabs_destroy(cachep, &list);
0988     }
0989     /*
0990      * In the previous loop, all the objects were freed to
0991      * the respective cache's slabs,  now we can go ahead and
0992      * shrink each nodelist to its limit.
0993      */
0994     list_for_each_entry(cachep, &slab_caches, list) {
0995         n = get_node(cachep, node);
0996         if (!n)
0997             continue;
0998         drain_freelist(cachep, n, INT_MAX);
0999     }
1000 }
1001
1002 static int cpuup_prepare(long cpu)
1003 {
1004     struct kmem_cache *cachep;
1005     int node = cpu_to_mem(cpu);
1006     int err;
1007
1008     /*
1009      * We need to do this right in the beginning since
1010      * alloc_arraycache's are going to use this list.
1011      * kmalloc_node allows us to add the slab to the right
1012      * kmem_cache_node and not this cpu's kmem_cache_node
1013      */
1014     err = init_cache_node_node(node);
1015     if (err < 0)
1016         goto bad;
1017
1018     /*
1019      * Now we can go ahead with allocating the shared arrays and
1020      * array caches
1021      */
1022     list_for_each_entry(cachep, &slab_caches, list) {
1023         err = setup_kmem_cache_node(cachep, node, GFP_KERNEL, false);
1024         if (err)
1025             goto bad;
1026     }
1027
1028     return 0;
1029 bad:
1030     cpuup_canceled(cpu);
1031     return -ENOMEM;
1032 }
1033
1034 int slab_prepare_cpu(unsigned int cpu)
1035 {
1036     int err;
1037
1038     mutex_lock(&slab_mutex);
1039     err = cpuup_prepare(cpu);
1040     mutex_unlock(&slab_mutex);
1041     return err;
1042 }
1043
1044 /*
1045  * This is called for a failed online attempt and for a successful
1046  * offline.
1047  *
1048  * Even if all the cpus of a node are down, we don't free the
1049  * kmem_cache_node of any cache. This is to avoid a race between cpu_down, and
1050  * a kmalloc allocation from another cpu for memory from the node of
1051  * the cpu going down.  The kmem_cache_node structure is usually allocated from
1052  * kmem_cache_create() and gets destroyed at kmem_cache_destroy().
1053  */
1054 int slab_dead_cpu(unsigned int cpu)
1055 {
1056     mutex_lock(&slab_mutex);
1057     cpuup_canceled(cpu);
1058     mutex_unlock(&slab_mutex);
1059     return 0;
1060 }
1061 #endif
1062
1063 static int slab_online_cpu(unsigned int cpu)
1064 {
1065     start_cpu_timer(cpu);
1066     return 0;
1067 }
1068
1069 static int slab_offline_cpu(unsigned int cpu)
1070 {
1071     /*
1072      * Shutdown cache reaper. Note that the slab_mutex is held so
1073      * that if cache_reap() is invoked it cannot do anything
1074      * expensive but will only modify reap_work and reschedule the
1075      * timer.
1076      */
1077     cancel_delayed_work_sync(&per_cpu(slab_reap_work, cpu));
1078     /* Now the cache_reaper is guaranteed to be not running. */
1079     per_cpu(slab_reap_work, cpu).work.func = NULL;
1080     return 0;
1081 }
1082
1083 #if defined(CONFIG_NUMA)
1084 /*
1085  * Drains freelist for a node on each slab cache, used for memory hot-remove.
1086  * Returns -EBUSY if all objects cannot be drained so that the node is not
1087  * removed.
1088  *
1089  * Must hold slab_mutex.
1090  */
1091 static int __meminit drain_cache_node_node(int node)
1092 {
1093     struct kmem_cache *cachep;
1094     int ret = 0;
1095
1096     list_for_each_entry(cachep, &slab_caches, list) {
1097         struct kmem_cache_node *n;
1098
1099         n = get_node(cachep, node);
1100         if (!n)
1101             continue;
1102
1103         drain_freelist(cachep, n, INT_MAX);
1104
1105         if (!list_empty(&n->slabs_full) ||
1106             !list_empty(&n->slabs_partial)) {
1107             ret = -EBUSY;
1108             break;
1109         }
1110     }
1111     return ret;
1112 }
1113
1114 static int __meminit slab_memory_callback(struct notifier_block *self,
1115                     unsigned long action, void *arg)
1116 {
1117     struct memory_notify *mnb = arg;
1118     int ret = 0;
1119     int nid;
1120
1121     nid = mnb->status_change_nid;
1122     if (nid < 0)
1123         goto out;
1124
1125     switch (action) {
1126     case MEM_GOING_ONLINE:
1127         mutex_lock(&slab_mutex);
1128         ret = init_cache_node_node(nid);
1129         mutex_unlock(&slab_mutex);
1130         break;
1131     case MEM_GOING_OFFLINE:
1132         mutex_lock(&slab_mutex);
1133         ret = drain_cache_node_node(nid);
1134         mutex_unlock(&slab_mutex);
1135         break;
1136     case MEM_ONLINE:
1137     case MEM_OFFLINE:
1138     case MEM_CANCEL_ONLINE:
1139     case MEM_CANCEL_OFFLINE:
1140         break;
1141     }
1142 out:
1143     return notifier_from_errno(ret);
1144 }
1145 #endif /* CONFIG_NUMA */
1146
1147 /*
1148  * swap the static kmem_cache_node with kmalloced memory
1149  */
1150 static void __init init_list(struct kmem_cache *cachep, struct kmem_cache_node *list,
1151                 int nodeid)
1152 {
1153     struct kmem_cache_node *ptr;
1154
1155     ptr = kmalloc_node(sizeof(struct kmem_cache_node), GFP_NOWAIT, nodeid);
1156     BUG_ON(!ptr);
1157
1158     memcpy(ptr, list, sizeof(struct kmem_cache_node));
1159     /*
1160      * Do not assume that spinlocks can be initialized via memcpy:
1161      */
1162     spin_lock_init(&ptr->list_lock);
1163
1164     MAKE_ALL_LISTS(cachep, ptr, nodeid);
1165     cachep->node[nodeid] = ptr;
1166 }
1167
1168 /*
1169  * For setting up all the kmem_cache_node for cache whose buffer_size is same as
1170  * size of kmem_cache_node.
1171  */
1172 static void __init set_up_node(struct kmem_cache *cachep, int index)
1173 {
1174     int node;
1175
1176     for_each_online_node(node) {
1177         cachep->node[node] = &init_kmem_cache_node[index + node];
1178         cachep->node[node]->next_reap = jiffies +
1179             REAPTIMEOUT_NODE +
1180             ((unsigned long)cachep) % REAPTIMEOUT_NODE;
1181     }
1182 }
1183
1184 /*
1185  * Initialisation.  Called after the page allocator have been initialised and
1186  * before smp_init().
1187  */
1188 void __init kmem_cache_init(void)
1189 {
1190     int i;
1191
1192     kmem_cache = &kmem_cache_boot;
1193
1194     if (!IS_ENABLED(CONFIG_NUMA) || num_possible_nodes() == 1)
1195         use_alien_caches = 0;
1196
1197     for (i = 0; i < NUM_INIT_LISTS; i++)
1198         kmem_cache_node_init(&init_kmem_cache_node[i]);
1199
1200     /*
1201      * Fragmentation resistance on low memory - only use bigger
1202      * page orders on machines with more than 32MB of memory if
1203      * not overridden on the command line.
1204      */
1205     if (!slab_max_order_set && totalram_pages() > (32 << 20) >> PAGE_SHIFT)
1206         slab_max_order = SLAB_MAX_ORDER_HI;
1207
1208     /* Bootstrap is tricky, because several objects are allocated
1209      * from caches that do not exist yet:
1210      * 1) initialize the kmem_cache cache: it contains the struct
1211      *    kmem_cache structures of all caches, except kmem_cache itself:
1212      *    kmem_cache is statically allocated.
1213      *    Initially an __init data area is used for the head array and the
1214      *    kmem_cache_node structures, it's replaced with a kmalloc allocated
1215      *    array at the end of the bootstrap.
1216      * 2) Create the first kmalloc cache.
1217      *    The struct kmem_cache for the new cache is allocated normally.
1218      *    An __init data area is used for the head array.
1219      * 3) Create the remaining kmalloc caches, with minimally sized
1220      *    head arrays.
1221      * 4) Replace the __init data head arrays for kmem_cache and the first
1222      *    kmalloc cache with kmalloc allocated arrays.
1223      * 5) Replace the __init data for kmem_cache_node for kmem_cache and
1224      *    the other cache's with kmalloc allocated memory.
1225      * 6) Resize the head arrays of the kmalloc caches to their final sizes.
1226      */
1227
1228     /* 1) create the kmem_cache */
1229
1230     /*
1231      * struct kmem_cache size depends on nr_node_ids & nr_cpu_ids
1232      */
1233     create_boot_cache(kmem_cache, "kmem_cache",
1234         offsetof(struct kmem_cache, node) +
1235                   nr_node_ids * sizeof(struct kmem_cache_node *),
1236                   SLAB_HWCACHE_ALIGN, 0, 0);
1237     list_add(&kmem_cache->list, &slab_caches);
1238     slab_state = PARTIAL;
1239
1240     /*
1241      * Initialize the caches that provide memory for the  kmem_cache_node
1242      * structures first.  Without this, further allocations will bug.
1243      */
1244     kmalloc_caches[KMALLOC_NORMAL][INDEX_NODE] = create_kmalloc_cache(
1245                 kmalloc_info[INDEX_NODE].name[KMALLOC_NORMAL],
1246                 kmalloc_info[INDEX_NODE].size,
1247                 ARCH_KMALLOC_FLAGS, 0,
1248                 kmalloc_info[INDEX_NODE].size);
1249     slab_state = PARTIAL_NODE;
1250     setup_kmalloc_cache_index_table();
1251
1252     slab_early_init = 0;
1253
1254     /* 5) Replace the bootstrap kmem_cache_node */
1255     {
1256         int nid;
1257
1258         for_each_online_node(nid) {
1259             init_list(kmem_cache, &init_kmem_cache_node[CACHE_CACHE + nid], nid);
1260
1261             init_list(kmalloc_caches[KMALLOC_NORMAL][INDEX_NODE],
1262                       &init_kmem_cache_node[SIZE_NODE + nid], nid);
1263         }
1264     }
1265
1266     create_kmalloc_caches(ARCH_KMALLOC_FLAGS);
1267 }
1268
1269 void __init kmem_cache_init_late(void)
1270 {
1271     struct kmem_cache *cachep;
1272
1273     /* 6) resize the head arrays to their final sizes */
1274     mutex_lock(&slab_mutex);
1275     list_for_each_entry(cachep, &slab_caches, list)
1276         if (enable_cpucache(cachep, GFP_NOWAIT))
1277             BUG();
1278     mutex_unlock(&slab_mutex);
1279
1280     /* Done! */
1281     slab_state = FULL;
1282
1283 #ifdef CONFIG_NUMA
1284     /*
1285      * Register a memory hotplug callback that initializes and frees
1286      * node.
1287      */
1288     hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
1289 #endif
1290
1291     /*
1292      * The reap timers are started later, with a module init call: That part
1293      * of the kernel is not yet operational.
1294      */
1295 }
1296
1297 static int __init cpucache_init(void)
1298 {
1299     int ret;
1300
1301     /*
1302      * Register the timers that return unneeded pages to the page allocator
1303      */
1304     ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "SLAB online",
1305                 slab_online_cpu, slab_offline_cpu);
1306     WARN_ON(ret < 0);
1307
1308     return 0;
1309 }
1310 __initcall(cpucache_init);
1311
1312 static noinline void
1313 slab_out_of_memory(struct kmem_cache *cachep, gfp_t gfpflags, int nodeid)
1314 {
1315 #if DEBUG
1316     struct kmem_cache_node *n;
1317     unsigned long flags;
1318     int node;
1319     static DEFINE_RATELIMIT_STATE(slab_oom_rs, DEFAULT_RATELIMIT_INTERVAL,
1320                       DEFAULT_RATELIMIT_BURST);
1321
1322     if ((gfpflags & __GFP_NOWARN) || !__ratelimit(&slab_oom_rs))
1323         return;
1324
1325     pr_warn("SLAB: Unable to allocate memory on node %d, gfp=%#x(%pGg)\n",
1326         nodeid, gfpflags, &gfpflags);
1327     pr_warn("  cache: %s, object size: %d, order: %d\n",
1328         cachep->name, cachep->size, cachep->gfporder);
1329
1330     for_each_kmem_cache_node(cachep, node, n) {
1331         unsigned long total_slabs, free_slabs, free_objs;
1332
1333         spin_lock_irqsave(&n->list_lock, flags);
1334         total_slabs = n->total_slabs;
1335         free_slabs = n->free_slabs;
1336         free_objs = n->free_objects;
1337         spin_unlock_irqrestore(&n->list_lock, flags);
1338
1339         pr_warn("  node %d: slabs: %ld/%ld, objs: %ld/%ld\n",
1340             node, total_slabs - free_slabs, total_slabs,
1341             (total_slabs * cachep->num) - free_objs,
1342             total_slabs * cachep->num);
1343     }
1344 #endif
1345 }
1346
1347 /*
1348  * Interface to system's page allocator. No need to hold the
1349  * kmem_cache_node ->list_lock.
1350  *
1351  * If we requested dmaable memory, we will get it. Even if we
1352  * did not request dmaable memory, we might get it, but that
1353  * would be relatively rare and ignorable.
1354  */
1355 static struct slab *kmem_getpages(struct kmem_cache *cachep, gfp_t flags,
1356                                 int nodeid)
1357 {
1358     struct folio *folio;
1359     struct slab *slab;
1360
1361     flags |= cachep->allocflags;
1362
1363     folio = (struct folio *) __alloc_pages_node(nodeid, flags, cachep->gfporder);
1364     if (!folio) {
1365         slab_out_of_memory(cachep, flags, nodeid);
1366         return NULL;
1367     }
1368
1369     slab = folio_slab(folio);
1370
1371     account_slab(slab, cachep->gfporder, cachep, flags);
1372     __folio_set_slab(folio);
1373     /* Record if ALLOC_NO_WATERMARKS was set when allocating the slab */
1374     if (sk_memalloc_socks() && page_is_pfmemalloc(folio_page(folio, 0)))
1375         slab_set_pfmemalloc(slab);
1376
1377     return slab;
1378 }
1379
1380 /*
1381  * Interface to system's page release.
1382  */
1383 static void kmem_freepages(struct kmem_cache *cachep, struct slab *slab)
1384 {
1385     int order = cachep->gfporder;
1386     struct folio *folio = slab_folio(slab);
1387
1388     BUG_ON(!folio_test_slab(folio));
1389     __slab_clear_pfmemalloc(slab);
1390     __folio_clear_slab(folio);
1391     page_mapcount_reset(folio_page(folio, 0));
1392     folio->mapping = NULL;
1393
1394     if (current->reclaim_state)
1395         current->reclaim_state->reclaimed_slab += 1 << order;
1396     unaccount_slab(slab, order, cachep);
1397     __free_pages(folio_page(folio, 0), order);
1398 }
1399
1400 static void kmem_rcu_free(struct rcu_head *head)
1401 {
1402     struct kmem_cache *cachep;
1403     struct slab *slab;
1404
1405     slab = container_of(head, struct slab, rcu_head);
1406     cachep = slab->slab_cache;
1407
1408     kmem_freepages(cachep, slab);
1409 }
1410
1411 #if DEBUG
1412 static bool is_debug_pagealloc_cache(struct kmem_cache *cachep)
1413 {
1414     if (debug_pagealloc_enabled_static() && OFF_SLAB(cachep) &&
1415         (cachep->size % PAGE_SIZE) == 0)
1416         return true;
1417
1418     return false;
1419 }
1420
1421 #ifdef CONFIG_DEBUG_PAGEALLOC
1422 static void slab_kernel_map(struct kmem_cache *cachep, void *objp, int map)
1423 {
1424     if (!is_debug_pagealloc_cache(cachep))
1425         return;
1426
1427     __kernel_map_pages(virt_to_page(objp), cachep->size / PAGE_SIZE, map);
1428 }
1429
1430 #else
1431 static inline void slab_kernel_map(struct kmem_cache *cachep, void *objp,
1432                 int map) {}
1433
1434 #endif
1435
1436 static void poison_obj(struct kmem_cache *cachep, void *addr, unsigned char val)
1437 {
1438     int size = cachep->object_size;
1439     addr = &((char *)addr)[obj_offset(cachep)];
1440
1441     memset(addr, val, size);
1442     *(unsigned char *)(addr + size - 1) = POISON_END;
1443 }
1444
1445 static void dump_line(char *data, int offset, int limit)
1446 {
1447     int i;
1448     unsigned char error = 0;
1449     int bad_count = 0;
1450
1451     pr_err("%03x: ", offset);
1452     for (i = 0; i < limit; i++) {
1453         if (data[offset + i] != POISON_FREE) {
1454             error = data[offset + i];
1455             bad_count++;
1456         }
1457     }
1458     print_hex_dump(KERN_CONT, "", 0, 16, 1,
1459             &data[offset], limit, 1);
1460
1461     if (bad_count == 1) {
1462         error ^= POISON_FREE;
1463         if (!(error & (error - 1))) {
1464             pr_err("Single bit error detected. Probably bad RAM.\n");
1465 #ifdef CONFIG_X86
1466             pr_err("Run memtest86+ or a similar memory test tool.\n");
1467 #else
1468             pr_err("Run a memory test tool.\n");
1469 #endif
1470         }
1471     }
1472 }
1473 #endif
1474
1475 #if DEBUG
1476
1477 static void print_objinfo(struct kmem_cache *cachep, void *objp, int lines)
1478 {
1479     int i, size;
1480     char *realobj;
1481
1482     if (cachep->flags & SLAB_RED_ZONE) {
1483         pr_err("Redzone: 0x%llx/0x%llx\n",
1484                *dbg_redzone1(cachep, objp),
1485                *dbg_redzone2(cachep, objp));
1486     }
1487
1488     if (cachep->flags & SLAB_STORE_USER)
1489         pr_err("Last user: (%pSR)\n", *dbg_userword(cachep, objp));
1490     realobj = (char *)objp + obj_offset(cachep);
1491     size = cachep->object_size;
1492     for (i = 0; i < size && lines; i += 16, lines--) {
1493         int limit;
1494         limit = 16;
1495         if (i + limit > size)
1496             limit = size - i;
1497         dump_line(realobj, i, limit);
1498     }
1499 }
1500
1501 static void check_poison_obj(struct kmem_cache *cachep, void *objp)
1502 {
1503     char *realobj;
1504     int size, i;
1505     int lines = 0;
1506
1507     if (is_debug_pagealloc_cache(cachep))
1508         return;
1509
1510     realobj = (char *)objp + obj_offset(cachep);
1511     size = cachep->object_size;
1512
1513     for (i = 0; i < size; i++) {
1514         char exp = POISON_FREE;
1515         if (i == size - 1)
1516             exp = POISON_END;
1517         if (realobj[i] != exp) {
1518             int limit;
1519             /* Mismatch ! */
1520             /* Print header */
1521             if (lines == 0) {
1522                 pr_err("Slab corruption (%s): %s start=%px, len=%d\n",
1523                        print_tainted(), cachep->name,
1524                        realobj, size);
1525                 print_objinfo(cachep, objp, 0);
1526             }
1527             /* Hexdump the affected line */
1528             i = (i / 16) * 16;
1529             limit = 16;
1530             if (i + limit > size)
1531                 limit = size - i;
1532             dump_line(realobj, i, limit);
1533             i += 16;
1534             lines++;
1535             /* Limit to 5 lines */
1536             if (lines > 5)
1537                 break;
1538         }
1539     }
1540     if (lines != 0) {
1541         /* Print some data about the neighboring objects, if they
1542          * exist:
1543          */
1544         struct slab *slab = virt_to_slab(objp);
1545         unsigned int objnr;
1546
1547         objnr = obj_to_index(cachep, slab, objp);
1548         if (objnr) {
1549             objp = index_to_obj(cachep, slab, objnr - 1);
1550             realobj = (char *)objp + obj_offset(cachep);
1551             pr_err("Prev obj: start=%px, len=%d\n", realobj, size);
1552             print_objinfo(cachep, objp, 2);
1553         }
1554         if (objnr + 1 < cachep->num) {
1555             objp = index_to_obj(cachep, slab, objnr + 1);
1556             realobj = (char *)objp + obj_offset(cachep);
1557             pr_err("Next obj: start=%px, len=%d\n", realobj, size);
1558             print_objinfo(cachep, objp, 2);
1559         }
1560     }
1561 }
1562 #endif
1563
1564 #if DEBUG
1565 static void slab_destroy_debugcheck(struct kmem_cache *cachep,
1566                         struct slab *slab)
1567 {
1568     int i;
1569
1570     if (OBJFREELIST_SLAB(cachep) && cachep->flags & SLAB_POISON) {
1571         poison_obj(cachep, slab->freelist - obj_offset(cachep),
1572             POISON_FREE);
1573     }
1574
1575     for (i = 0; i < cachep->num; i++) {
1576         void *objp = index_to_obj(cachep, slab, i);
1577
1578         if (cachep->flags & SLAB_POISON) {
1579             check_poison_obj(cachep, objp);
1580             slab_kernel_map(cachep, objp, 1);
1581         }
1582         if (cachep->flags & SLAB_RED_ZONE) {
1583             if (*dbg_redzone1(cachep, objp) != RED_INACTIVE)
1584                 slab_error(cachep, "start of a freed object was overwritten");
1585             if (*dbg_redzone2(cachep, objp) != RED_INACTIVE)
1586                 slab_error(cachep, "end of a freed object was overwritten");
1587         }
1588     }
1589 }
1590 #else
1591 static void slab_destroy_debugcheck(struct kmem_cache *cachep,
1592                         struct slab *slab)
1593 {
1594 }
1595 #endif
1596
1597 /**
1598  * slab_destroy - destroy and release all objects in a slab
1599  * @cachep: cache pointer being destroyed
1600  * @slab: slab being destroyed
1601  *
1602  * Destroy all the objs in a slab, and release the mem back to the system.
1603  * Before calling the slab must have been unlinked from the cache. The
1604  * kmem_cache_node ->list_lock is not held/needed.
1605  */
1606 static void slab_destroy(struct kmem_cache *cachep, struct slab *slab)
1607 {
1608     void *freelist;
1609
1610     freelist = slab->freelist;
1611     slab_destroy_debugcheck(cachep, slab);
1612     if (unlikely(cachep->flags & SLAB_TYPESAFE_BY_RCU))
1613         call_rcu(&slab->rcu_head, kmem_rcu_free);
1614     else
1615         kmem_freepages(cachep, slab);
1616
1617     /*
1618      * From now on, we don't use freelist
1619      * although actual page can be freed in rcu context
1620      */
1621     if (OFF_SLAB(cachep))
1622         kmem_cache_free(cachep->freelist_cache, freelist);
1623 }
1624
1625 /*
1626  * Update the size of the caches before calling slabs_destroy as it may
1627  * recursively call kfree.
1628  */
1629 static void slabs_destroy(struct kmem_cache *cachep, struct list_head *list)
1630 {
1631     struct slab *slab, *n;
1632
1633     list_for_each_entry_safe(slab, n, list, slab_list) {
1634         list_del(&slab->slab_list);
1635         slab_destroy(cachep, slab);
1636     }
1637 }
1638
1639 /**
1640  * calculate_slab_order - calculate size (page order) of slabs
1641  * @cachep: pointer to the cache that is being created
1642  * @size: size of objects to be created in this cache.
1643  * @flags: slab allocation flags
1644  *
1645  * Also calculates the number of objects per slab.
1646  *
1647  * This could be made much more intelligent.  For now, try to avoid using
1648  * high order pages for slabs.  When the gfp() functions are more friendly
1649  * towards high-order requests, this should be changed.
1650  *
1651  * Return: number of left-over bytes in a slab
1652  */
1653 static size_t calculate_slab_order(struct kmem_cache *cachep,
1654                 size_t size, slab_flags_t flags)
1655 {
1656     size_t left_over = 0;
1657     int gfporder;
1658
1659     for (gfporder = 0; gfporder <= KMALLOC_MAX_ORDER; gfporder++) {
1660         unsigned int num;
1661         size_t remainder;
1662
1663         num = cache_estimate(gfporder, size, flags, &remainder);
1664         if (!num)
1665             continue;
1666
1667         /* Can't handle number of objects more than SLAB_OBJ_MAX_NUM */
1668         if (num > SLAB_OBJ_MAX_NUM)
1669             break;
1670
1671         if (flags & CFLGS_OFF_SLAB) {
1672             struct kmem_cache *freelist_cache;
1673             size_t freelist_size;
1674
1675             freelist_size = num * sizeof(freelist_idx_t);
1676             freelist_cache = kmalloc_slab(freelist_size, 0u);
1677             if (!freelist_cache)
1678                 continue;
1679
1680             /*
1681              * Needed to avoid possible looping condition
1682              * in cache_grow_begin()
1683              */
1684             if (OFF_SLAB(freelist_cache))
1685                 continue;
1686
1687             /* check if off slab has enough benefit */
1688             if (freelist_cache->size > cachep->size / 2)
1689                 continue;
1690         }
1691
1692         /* Found something acceptable - save it away */
1693         cachep->num = num;
1694         cachep->gfporder = gfporder;
1695         left_over = remainder;
1696
1697         /*
1698          * A VFS-reclaimable slab tends to have most allocations
1699          * as GFP_NOFS and we really don't want to have to be allocating
1700          * higher-order pages when we are unable to shrink dcache.
1701          */
1702         if (flags & SLAB_RECLAIM_ACCOUNT)
1703             break;
1704
1705         /*
1706          * Large number of objects is good, but very large slabs are
1707          * currently bad for the gfp()s.
1708          */
1709         if (gfporder >= slab_max_order)
1710             break;
1711
1712         /*
1713          * Acceptable internal fragmentation?
1714          */
1715         if (left_over * 8 <= (PAGE_SIZE << gfporder))
1716             break;
1717     }
1718     return left_over;
1719 }
1720
1721 static struct array_cache __percpu *alloc_kmem_cache_cpus(
1722         struct kmem_cache *cachep, int entries, int batchcount)
1723 {
1724     int cpu;
1725     size_t size;
1726     struct array_cache __percpu *cpu_cache;
1727
1728     size = sizeof(void *) * entries + sizeof(struct array_cache);
1729     cpu_cache = __alloc_percpu(size, sizeof(void *));
1730
1731     if (!cpu_cache)
1732         return NULL;
1733
1734     for_each_possible_cpu(cpu) {
1735         init_arraycache(per_cpu_ptr(cpu_cache, cpu),
1736                 entries, batchcount);
1737     }
1738
1739     return cpu_cache;
1740 }
1741
1742 static int __ref setup_cpu_cache(struct kmem_cache *cachep, gfp_t gfp)
1743 {
1744     if (slab_state >= FULL)
1745         return enable_cpucache(cachep, gfp);
1746
1747     cachep->cpu_cache = alloc_kmem_cache_cpus(cachep, 1, 1);
1748     if (!cachep->cpu_cache)
1749         return 1;
1750
1751     if (slab_state == DOWN) {
1752         /* Creation of first cache (kmem_cache). */
1753         set_up_node(kmem_cache, CACHE_CACHE);
1754     } else if (slab_state == PARTIAL) {
1755         /* For kmem_cache_node */
1756         set_up_node(cachep, SIZE_NODE);
1757     } else {
1758         int node;
1759
1760         for_each_online_node(node) {
1761             cachep->node[node] = kmalloc_node(
1762                 sizeof(struct kmem_cache_node), gfp, node);
1763             BUG_ON(!cachep->node[node]);
1764             kmem_cache_node_init(cachep->node[node]);
1765         }
1766     }
1767
1768     cachep->node[numa_mem_id()]->next_reap =
1769             jiffies + REAPTIMEOUT_NODE +
1770             ((unsigned long)cachep) % REAPTIMEOUT_NODE;
1771
1772     cpu_cache_get(cachep)->avail = 0;
1773     cpu_cache_get(cachep)->limit = BOOT_CPUCACHE_ENTRIES;
1774     cpu_cache_get(cachep)->batchcount = 1;
1775     cpu_cache_get(cachep)->touched = 0;
1776     cachep->batchcount = 1;
1777     cachep->limit = BOOT_CPUCACHE_ENTRIES;
1778     return 0;
1779 }
1780
1781 slab_flags_t kmem_cache_flags(unsigned int object_size,
1782     slab_flags_t flags, const char *name)
1783 {
1784     return flags;
1785 }
1786
1787 struct kmem_cache *
1788 __kmem_cache_alias(const char *name, unsigned int size, unsigned int align,
1789            slab_flags_t flags, void (*ctor)(void *))
1790 {
1791     struct kmem_cache *cachep;
1792
1793     cachep = find_mergeable(size, align, flags, name, ctor);
1794     if (cachep) {
1795         cachep->refcount++;
1796
1797         /*
1798          * Adjust the object sizes so that we clear
1799          * the complete object on kzalloc.
1800          */
1801         cachep->object_size = max_t(int, cachep->object_size, size);
1802     }
1803     return cachep;
1804 }
1805
1806 static bool set_objfreelist_slab_cache(struct kmem_cache *cachep,
1807             size_t size, slab_flags_t flags)
1808 {
1809     size_t left;
1810
1811     cachep->num = 0;
1812
1813     /*
1814      * If slab auto-initialization on free is enabled, store the freelist
1815      * off-slab, so that its contents don't end up in one of the allocated
1816      * objects.
1817      */
1818     if (unlikely(slab_want_init_on_free(cachep)))
1819         return false;
1820
1821     if (cachep->ctor || flags & SLAB_TYPESAFE_BY_RCU)
1822         return false;
1823
1824     left = calculate_slab_order(cachep, size,
1825             flags | CFLGS_OBJFREELIST_SLAB);
1826     if (!cachep->num)
1827         return false;
1828
1829     if (cachep->num * sizeof(freelist_idx_t) > cachep->object_size)
1830         return false;
1831
1832     cachep->colour = left / cachep->colour_off;
1833
1834     return true;
1835 }
1836
1837 static bool set_off_slab_cache(struct kmem_cache *cachep,
1838             size_t size, slab_flags_t flags)
1839 {
1840     size_t left;
1841
1842     cachep->num = 0;
1843
1844     /*
1845      * Always use on-slab management when SLAB_NOLEAKTRACE
1846      * to avoid recursive calls into kmemleak.
1847      */
1848     if (flags & SLAB_NOLEAKTRACE)
1849         return false;
1850
1851     /*
1852      * Size is large, assume best to place the slab management obj
1853      * off-slab (should allow better packing of objs).
1854      */
1855     left = calculate_slab_order(cachep, size, flags | CFLGS_OFF_SLAB);
1856     if (!cachep->num)
1857         return false;
1858
1859     /*
1860      * If the slab has been placed off-slab, and we have enough space then
1861      * move it on-slab. This is at the expense of any extra colouring.
1862      */
1863     if (left >= cachep->num * sizeof(freelist_idx_t))
1864         return false;
1865
1866     cachep->colour = left / cachep->colour_off;
1867
1868     return true;
1869 }
1870
1871 static bool set_on_slab_cache(struct kmem_cache *cachep,
1872             size_t size, slab_flags_t flags)
1873 {
1874     size_t left;
1875
1876     cachep->num = 0;
1877
1878     left = calculate_slab_order(cachep, size, flags);
1879     if (!cachep->num)
1880         return false;
1881
1882     cachep->colour = left / cachep->colour_off;
1883
1884     return true;
1885 }
1886
1887 /**
1888  * __kmem_cache_create - Create a cache.
1889  * @cachep: cache management descriptor
1890  * @flags: SLAB flags
1891  *
1892  * Returns a ptr to the cache on success, NULL on failure.
1893  * Cannot be called within an int, but can be interrupted.
1894  * The @ctor is run when new pages are allocated by the cache.
1895  *
1896  * The flags are
1897  *
1898  * %SLAB_POISON - Poison the slab with a known test pattern (a5a5a5a5)
1899  * to catch references to uninitialised memory.
1900  *
1901  * %SLAB_RED_ZONE - Insert `Red' zones around the allocated memory to check
1902  * for buffer overruns.
1903  *
1904  * %SLAB_HWCACHE_ALIGN - Align the objects in this cache to a hardware
1905  * cacheline.  This can be beneficial if you're counting cycles as closely
1906  * as davem.
1907  *
1908  * Return: a pointer to the created cache or %NULL in case of error
1909  */
1910 int __kmem_cache_create(struct kmem_cache *cachep, slab_flags_t flags)
1911 {
1912     size_t ralign = BYTES_PER_WORD;
1913     gfp_t gfp;
1914     int err;
1915     unsigned int size = cachep->size;
1916
1917 #if DEBUG
1918 #if FORCED_DEBUG
1919     /*
1920      * Enable redzoning and last user accounting, except for caches with
1921      * large objects, if the increased size would increase the object size
1922      * above the next power of two: caches with object sizes just above a
1923      * power of two have a significant amount of internal fragmentation.
1924      */
1925     if (size < 4096 || fls(size - 1) == fls(size-1 + REDZONE_ALIGN +
1926                         2 * sizeof(unsigned long long)))
1927         flags |= SLAB_RED_ZONE | SLAB_STORE_USER;
1928     if (!(flags & SLAB_TYPESAFE_BY_RCU))
1929         flags |= SLAB_POISON;
1930 #endif
1931 #endif
1932
1933     /*
1934      * Check that size is in terms of words.  This is needed to avoid
1935      * unaligned accesses for some archs when redzoning is used, and makes
1936      * sure any on-slab bufctl's are also correctly aligned.
1937      */
1938     size = ALIGN(size, BYTES_PER_WORD);
1939
1940     if (flags & SLAB_RED_ZONE) {
1941         ralign = REDZONE_ALIGN;
1942         /* If redzoning, ensure that the second redzone is suitably
1943          * aligned, by adjusting the object size accordingly. */
1944         size = ALIGN(size, REDZONE_ALIGN);
1945     }
1946
1947     /* 3) caller mandated alignment */
1948     if (ralign < cachep->align) {
1949         ralign = cachep->align;
1950     }
1951     /* disable debug if necessary */
1952     if (ralign > __alignof__(unsigned long long))
1953         flags &= ~(SLAB_RED_ZONE | SLAB_STORE_USER);
1954     /*
1955      * 4) Store it.
1956      */
1957     cachep->align = ralign;
1958     cachep->colour_off = cache_line_size();
1959     /* Offset must be a multiple of the alignment. */
1960     if (cachep->colour_off < cachep->align)
1961         cachep->colour_off = cachep->align;
1962
1963     if (slab_is_available())
1964         gfp = GFP_KERNEL;
1965     else
1966         gfp = GFP_NOWAIT;
1967
1968 #if DEBUG
1969
1970     /*
1971      * Both debugging options require word-alignment which is calculated
1972      * into align above.
1973      */
1974     if (flags & SLAB_RED_ZONE) {
1975         /* add space for red zone words */
1976         cachep->obj_offset += sizeof(unsigned long long);
1977         size += 2 * sizeof(unsigned long long);
1978     }
1979     if (flags & SLAB_STORE_USER) {
1980         /* user store requires one word storage behind the end of
1981          * the real object. But if the second red zone needs to be
1982          * aligned to 64 bits, we must allow that much space.
1983          */
1984         if (flags & SLAB_RED_ZONE)
1985             size += REDZONE_ALIGN;
1986         else
1987             size += BYTES_PER_WORD;
1988     }
1989 #endif
1990
1991     kasan_cache_create(cachep, &size, &flags);
1992
1993     size = ALIGN(size, cachep->align);
1994     /*
1995      * We should restrict the number of objects in a slab to implement
1996      * byte sized index. Refer comment on SLAB_OBJ_MIN_SIZE definition.
1997      */
1998     if (FREELIST_BYTE_INDEX && size < SLAB_OBJ_MIN_SIZE)
1999         size = ALIGN(SLAB_OBJ_MIN_SIZE, cachep->align);
2000
2001 #if DEBUG
2002     /*
2003      * To activate debug pagealloc, off-slab management is necessary
2004      * requirement. In early phase of initialization, small sized slab
2005      * doesn't get initialized so it would not be possible. So, we need
2006      * to check size >= 256. It guarantees that all necessary small
2007      * sized slab is initialized in current slab initialization sequence.
2008      */
2009     if (debug_pagealloc_enabled_static() && (flags & SLAB_POISON) &&
2010         size >= 256 && cachep->object_size > cache_line_size()) {
2011         if (size < PAGE_SIZE || size % PAGE_SIZE == 0) {
2012             size_t tmp_size = ALIGN(size, PAGE_SIZE);
2013
2014             if (set_off_slab_cache(cachep, tmp_size, flags)) {
2015                 flags |= CFLGS_OFF_SLAB;
2016                 cachep->obj_offset += tmp_size - size;
2017                 size = tmp_size;
2018                 goto done;
2019             }
2020         }
2021     }
2022 #endif
2023
2024     if (set_objfreelist_slab_cache(cachep, size, flags)) {
2025         flags |= CFLGS_OBJFREELIST_SLAB;
2026         goto done;
2027     }
2028
2029     if (set_off_slab_cache(cachep, size, flags)) {
2030         flags |= CFLGS_OFF_SLAB;
2031         goto done;
2032     }
2033
2034     if (set_on_slab_cache(cachep, size, flags))
2035         goto done;
2036
2037     return -E2BIG;
2038
2039 done:
2040     cachep->freelist_size = cachep->num * sizeof(freelist_idx_t);
2041     cachep->flags = flags;
2042     cachep->allocflags = __GFP_COMP;
2043     if (flags & SLAB_CACHE_DMA)
2044         cachep->allocflags |= GFP_DMA;
2045     if (flags & SLAB_CACHE_DMA32)
2046         cachep->allocflags |= GFP_DMA32;
2047     if (flags & SLAB_RECLAIM_ACCOUNT)
2048         cachep->allocflags |= __GFP_RECLAIMABLE;
2049     cachep->size = size;
2050     cachep->reciprocal_buffer_size = reciprocal_value(size);
2051
2052 #if DEBUG
2053     /*
2054      * If we're going to use the generic kernel_map_pages()
2055      * poisoning, then it's going to smash the contents of
2056      * the redzone and userword anyhow, so switch them off.
2057      */
2058     if (IS_ENABLED(CONFIG_PAGE_POISONING) &&
2059         (cachep->flags & SLAB_POISON) &&
2060         is_debug_pagealloc_cache(cachep))
2061         cachep->flags &= ~(SLAB_RED_ZONE | SLAB_STORE_USER);
2062 #endif
2063
2064     if (OFF_SLAB(cachep)) {
2065         cachep->freelist_cache =
2066             kmalloc_slab(cachep->freelist_size, 0u);
2067     }
2068
2069     err = setup_cpu_cache(cachep, gfp);
2070     if (err) {
2071         __kmem_cache_release(cachep);
2072         return err;
2073     }
2074
2075     return 0;
2076 }
2077
2078 #if DEBUG
2079 static void check_irq_off(void)
2080 {
2081     BUG_ON(!irqs_disabled());
2082 }
2083
2084 static void check_irq_on(void)
2085 {
2086     BUG_ON(irqs_disabled());
2087 }
2088
2089 static void check_mutex_acquired(void)
2090 {
2091     BUG_ON(!mutex_is_locked(&slab_mutex));
2092 }
2093
2094 static void check_spinlock_acquired(struct kmem_cache *cachep)
2095 {
2096 #ifdef CONFIG_SMP
2097     check_irq_off();
2098     assert_spin_locked(&get_node(cachep, numa_mem_id())->list_lock);
2099 #endif
2100 }
2101
2102 static void check_spinlock_acquired_node(struct kmem_cache *cachep, int node)
2103 {
2104 #ifdef CONFIG_SMP
2105     check_irq_off();
2106     assert_spin_locked(&get_node(cachep, node)->list_lock);
2107 #endif
2108 }
2109
2110 #else
2111 #define check_irq_off() do { } while(0)
2112 #define check_irq_on()  do { } while(0)
2113 #define check_mutex_acquired()  do { } while(0)
2114 #define check_spinlock_acquired(x) do { } while(0)
2115 #define check_spinlock_acquired_node(x, y) do { } while(0)
2116 #endif
2117
2118 static void drain_array_locked(struct kmem_cache *cachep, struct array_cache *ac,
2119                 int node, bool free_all, struct list_head *list)
2120 {
2121     int tofree;
2122
2123     if (!ac || !ac->avail)
2124         return;
2125
2126     tofree = free_all ? ac->avail : (ac->limit + 4) / 5;
2127     if (tofree > ac->avail)
2128         tofree = (ac->avail + 1) / 2;
2129
2130     free_block(cachep, ac->entry, tofree, node, list);
2131     ac->avail -= tofree;
2132     memmove(ac->entry, &(ac->entry[tofree]), sizeof(void *) * ac->avail);
2133 }
2134
2135 static void do_drain(void *arg)
2136 {
2137     struct kmem_cache *cachep = arg;
2138     struct array_cache *ac;
2139     int node = numa_mem_id();
2140     struct kmem_cache_node *n;
2141     LIST_HEAD(list);
2142
2143     check_irq_off();
2144     ac = cpu_cache_get(cachep);
2145     n = get_node(cachep, node);
2146     spin_lock(&n->list_lock);
2147     free_block(cachep, ac->entry, ac->avail, node, &list);
2148     spin_unlock(&n->list_lock);
2149     ac->avail = 0;
2150     slabs_destroy(cachep, &list);
2151 }
2152
2153 static void drain_cpu_caches(struct kmem_cache *cachep)
2154 {
2155     struct kmem_cache_node *n;
2156     int node;
2157     LIST_HEAD(list);
2158
2159     on_each_cpu(do_drain, cachep, 1);
2160     check_irq_on();
2161     for_each_kmem_cache_node(cachep, node, n)
2162         if (n->alien)
2163             drain_alien_cache(cachep, n->alien);
2164
2165     for_each_kmem_cache_node(cachep, node, n) {
2166         spin_lock_irq(&n->list_lock);
2167         drain_array_locked(cachep, n->shared, node, true, &list);
2168         spin_unlock_irq(&n->list_lock);
2169
2170         slabs_destroy(cachep, &list);
2171     }
2172 }
2173
2174 /*
2175  * Remove slabs from the list of free slabs.
2176  * Specify the number of slabs to drain in tofree.
2177  *
2178  * Returns the actual number of slabs released.
2179  */
2180 static int drain_freelist(struct kmem_cache *cache,
2181             struct kmem_cache_node *n, int tofree)
2182 {
2183     struct list_head *p;
2184     int nr_freed;
2185     struct slab *slab;
2186
2187     nr_freed = 0;
2188     while (nr_freed < tofree && !list_empty(&n->slabs_free)) {
2189
2190         spin_lock_irq(&n->list_lock);
2191         p = n->slabs_free.prev;
2192         if (p == &n->slabs_free) {
2193             spin_unlock_irq(&n->list_lock);
2194             goto out;
2195         }
2196
2197         slab = list_entry(p, struct slab, slab_list);
2198         list_del(&slab->slab_list);
2199         n->free_slabs--;
2200         n->total_slabs--;
2201         /*
2202          * Safe to drop the lock. The slab is no longer linked
2203          * to the cache.
2204          */
2205         n->free_objects -= cache->num;
2206         spin_unlock_irq(&n->list_lock);
2207         slab_destroy(cache, slab);
2208         nr_freed++;
2209     }
2210 out:
2211     return nr_freed;
2212 }
2213
2214 bool __kmem_cache_empty(struct kmem_cache *s)
2215 {
2216     int node;
2217     struct kmem_cache_node *n;
2218
2219     for_each_kmem_cache_node(s, node, n)
2220         if (!list_empty(&n->slabs_full) ||
2221             !list_empty(&n->slabs_partial))
2222             return false;
2223     return true;
2224 }
2225
2226 int __kmem_cache_shrink(struct kmem_cache *cachep)
2227 {
2228     int ret = 0;
2229     int node;
2230     struct kmem_cache_node *n;
2231
2232     drain_cpu_caches(cachep);
2233
2234     check_irq_on();
2235     for_each_kmem_cache_node(cachep, node, n) {
2236         drain_freelist(cachep, n, INT_MAX);
2237
2238         ret += !list_empty(&n->slabs_full) ||
2239             !list_empty(&n->slabs_partial);
2240     }
2241     return (ret ? 1 : 0);
2242 }
2243
2244 int __kmem_cache_shutdown(struct kmem_cache *cachep)
2245 {
2246     return __kmem_cache_shrink(cachep);
2247 }
2248
2249 void __kmem_cache_release(struct kmem_cache *cachep)
2250 {
2251     int i;
2252     struct kmem_cache_node *n;
2253
2254     cache_random_seq_destroy(cachep);
2255
2256     free_percpu(cachep->cpu_cache);
2257
2258     /* NUMA: free the node structures */
2259     for_each_kmem_cache_node(cachep, i, n) {
2260         kfree(n->shared);
2261         free_alien_cache(n->alien);
2262         kfree(n);
2263         cachep->node[i] = NULL;
2264     }
2265 }
2266
2267 /*
2268  * Get the memory for a slab management obj.
2269  *
2270  * For a slab cache when the slab descriptor is off-slab, the
2271  * slab descriptor can't come from the same cache which is being created,
2272  * Because if it is the case, that means we defer the creation of
2273  * the kmalloc_{dma,}_cache of size sizeof(slab descriptor) to this point.
2274  * And we eventually call down to __kmem_cache_create(), which
2275  * in turn looks up in the kmalloc_{dma,}_caches for the desired-size one.
2276  * This is a "chicken-and-egg" problem.
2277  *
2278  * So the off-slab slab descriptor shall come from the kmalloc_{dma,}_caches,
2279  * which are all initialized during kmem_cache_init().
2280  */
2281 static void *alloc_slabmgmt(struct kmem_cache *cachep,
2282                    struct slab *slab, int colour_off,
2283                    gfp_t local_flags, int nodeid)
2284 {
2285     void *freelist;
2286     void *addr = slab_address(slab);
2287
2288     slab->s_mem = addr + colour_off;
2289     slab->active = 0;
2290
2291     if (OBJFREELIST_SLAB(cachep))
2292         freelist = NULL;
2293     else if (OFF_SLAB(cachep)) {
2294         /* Slab management obj is off-slab. */
2295         freelist = kmem_cache_alloc_node(cachep->freelist_cache,
2296                           local_flags, nodeid);
2297     } else {
2298         /* We will use last bytes at the slab for freelist */
2299         freelist = addr + (PAGE_SIZE << cachep->gfporder) -
2300                 cachep->freelist_size;
2301     }
2302
2303     return freelist;
2304 }
2305
2306 static inline freelist_idx_t get_free_obj(struct slab *slab, unsigned int idx)
2307 {
2308     return ((freelist_idx_t *) slab->freelist)[idx];
2309 }
2310
2311 static inline void set_free_obj(struct slab *slab,
2312                     unsigned int idx, freelist_idx_t val)
2313 {
2314     ((freelist_idx_t *)(slab->freelist))[idx] = val;
2315 }
2316
2317 static void cache_init_objs_debug(struct kmem_cache *cachep, struct slab *slab)
2318 {
2319 #if DEBUG
2320     int i;
2321
2322     for (i = 0; i < cachep->num; i++) {
2323         void *objp = index_to_obj(cachep, slab, i);
2324
2325         if (cachep->flags & SLAB_STORE_USER)
2326             *dbg_userword(cachep, objp) = NULL;
2327
2328         if (cachep->flags & SLAB_RED_ZONE) {
2329             *dbg_redzone1(cachep, objp) = RED_INACTIVE;
2330             *dbg_redzone2(cachep, objp) = RED_INACTIVE;
2331         }
2332         /*
2333          * Constructors are not allowed to allocate memory from the same
2334          * cache which they are a constructor for.  Otherwise, deadlock.
2335          * They must also be threaded.
2336          */
2337         if (cachep->ctor && !(cachep->flags & SLAB_POISON)) {
2338             kasan_unpoison_object_data(cachep,
2339                            objp + obj_offset(cachep));
2340             cachep->ctor(objp + obj_offset(cachep));
2341             kasan_poison_object_data(
2342                 cachep, objp + obj_offset(cachep));
2343         }
2344
2345         if (cachep->flags & SLAB_RED_ZONE) {
2346             if (*dbg_redzone2(cachep, objp) != RED_INACTIVE)
2347                 slab_error(cachep, "constructor overwrote the end of an object");
2348             if (*dbg_redzone1(cachep, objp) != RED_INACTIVE)
2349                 slab_error(cachep, "constructor overwrote the start of an object");
2350         }
2351         /* need to poison the objs? */
2352         if (cachep->flags & SLAB_POISON) {
2353             poison_obj(cachep, objp, POISON_FREE);
2354             slab_kernel_map(cachep, objp, 0);
2355         }
2356     }
2357 #endif
2358 }
2359
2360 #ifdef CONFIG_SLAB_FREELIST_RANDOM
2361 /* Hold information during a freelist initialization */
2362 union freelist_init_state {
2363     struct {
2364         unsigned int pos;
2365         unsigned int *list;
2366         unsigned int count;
2367     };
2368     struct rnd_state rnd_state;
2369 };
2370
2371 /*
2372  * Initialize the state based on the randomization method available.
2373  * return true if the pre-computed list is available, false otherwise.
2374  */
2375 static bool freelist_state_initialize(union freelist_init_state *state,
2376                 struct kmem_cache *cachep,
2377                 unsigned int count)
2378 {
2379     bool ret;
2380     unsigned int rand;
2381
2382     /* Use best entropy available to define a random shift */
2383     rand = get_random_int();
2384
2385     /* Use a random state if the pre-computed list is not available */
2386     if (!cachep->random_seq) {
2387         prandom_seed_state(&state->rnd_state, rand);
2388         ret = false;
2389     } else {
2390         state->list = cachep->random_seq;
2391         state->count = count;
2392         state->pos = rand % count;
2393         ret = true;
2394     }
2395     return ret;
2396 }
2397
2398 /* Get the next entry on the list and randomize it using a random shift */
2399 static freelist_idx_t next_random_slot(union freelist_init_state *state)
2400 {
2401     if (state->pos >= state->count)
2402         state->pos = 0;
2403     return state->list[state->pos++];
2404 }
2405
2406 /* Swap two freelist entries */
2407 static void swap_free_obj(struct slab *slab, unsigned int a, unsigned int b)
2408 {
2409     swap(((freelist_idx_t *) slab->freelist)[a],
2410         ((freelist_idx_t *) slab->freelist)[b]);
2411 }
2412
2413 /*
2414  * Shuffle the freelist initialization state based on pre-computed lists.
2415  * return true if the list was successfully shuffled, false otherwise.
2416  */
2417 static bool shuffle_freelist(struct kmem_cache *cachep, struct slab *slab)
2418 {
2419     unsigned int objfreelist = 0, i, rand, count = cachep->num;
2420     union freelist_init_state state;
2421     bool precomputed;
2422
2423     if (count < 2)
2424         return false;
2425
2426     precomputed = freelist_state_initialize(&state, cachep, count);
2427
2428     /* Take a random entry as the objfreelist */
2429     if (OBJFREELIST_SLAB(cachep)) {
2430         if (!precomputed)
2431             objfreelist = count - 1;
2432         else
2433             objfreelist = next_random_slot(&state);
2434         slab->freelist = index_to_obj(cachep, slab, objfreelist) +
2435                         obj_offset(cachep);
2436         count--;
2437     }
2438
2439     /*
2440      * On early boot, generate the list dynamically.
2441      * Later use a pre-computed list for speed.
2442      */
2443     if (!precomputed) {
2444         for (i = 0; i < count; i++)
2445             set_free_obj(slab, i, i);
2446
2447         /* Fisher-Yates shuffle */
2448         for (i = count - 1; i > 0; i--) {
2449             rand = prandom_u32_state(&state.rnd_state);
2450             rand %= (i + 1);
2451             swap_free_obj(slab, i, rand);
2452         }
2453     } else {
2454         for (i = 0; i < count; i++)
2455             set_free_obj(slab, i, next_random_slot(&state));
2456     }
2457
2458     if (OBJFREELIST_SLAB(cachep))
2459         set_free_obj(slab, cachep->num - 1, objfreelist);
2460
2461     return true;
2462 }
2463 #else
2464 static inline bool shuffle_freelist(struct kmem_cache *cachep,
2465                 struct slab *slab)
2466 {
2467     return false;
2468 }
2469 #endif /* CONFIG_SLAB_FREELIST_RANDOM */
2470
2471 static void cache_init_objs(struct kmem_cache *cachep,
2472                 struct slab *slab)
2473 {
2474     int i;
2475     void *objp;
2476     bool shuffled;
2477
2478     cache_init_objs_debug(cachep, slab);
2479
2480     /* Try to randomize the freelist if enabled */
2481     shuffled = shuffle_freelist(cachep, slab);
2482
2483     if (!shuffled && OBJFREELIST_SLAB(cachep)) {
2484         slab->freelist = index_to_obj(cachep, slab, cachep->num - 1) +
2485                         obj_offset(cachep);
2486     }
2487
2488     for (i = 0; i < cachep->num; i++) {
2489         objp = index_to_obj(cachep, slab, i);
2490         objp = kasan_init_slab_obj(cachep, objp);
2491
2492         /* constructor could break poison info */
2493         if (DEBUG == 0 && cachep->ctor) {
2494             kasan_unpoison_object_data(cachep, objp);
2495             cachep->ctor(objp);
2496             kasan_poison_object_data(cachep, objp);
2497         }
2498
2499         if (!shuffled)
2500             set_free_obj(slab, i, i);
2501     }
2502 }
2503
2504 static void *slab_get_obj(struct kmem_cache *cachep, struct slab *slab)
2505 {
2506     void *objp;
2507
2508     objp = index_to_obj(cachep, slab, get_free_obj(slab, slab->active));
2509     slab->active++;
2510
2511     return objp;
2512 }
2513
2514 static void slab_put_obj(struct kmem_cache *cachep,
2515             struct slab *slab, void *objp)
2516 {
2517     unsigned int objnr = obj_to_index(cachep, slab, objp);
2518 #if DEBUG
2519     unsigned int i;
2520
2521     /* Verify double free bug */
2522     for (i = slab->active; i < cachep->num; i++) {
2523         if (get_free_obj(slab, i) == objnr) {
2524             pr_err("slab: double free detected in cache '%s', objp %px\n",
2525                    cachep->name, objp);
2526             BUG();
2527         }
2528     }
2529 #endif
2530     slab->active--;
2531     if (!slab->freelist)
2532         slab->freelist = objp + obj_offset(cachep);
2533
2534     set_free_obj(slab, slab->active, objnr);
2535 }
2536
2537 /*
2538  * Grow (by 1) the number of slabs within a cache.  This is called by
2539  * kmem_cache_alloc() when there are no active objs left in a cache.
2540  */
2541 static struct slab *cache_grow_begin(struct kmem_cache *cachep,
2542                 gfp_t flags, int nodeid)
2543 {
2544     void *freelist;
2545     size_t offset;
2546     gfp_t local_flags;
2547     int slab_node;
2548     struct kmem_cache_node *n;
2549     struct slab *slab;
2550
2551     /*
2552      * Be lazy and only check for valid flags here,  keeping it out of the
2553      * critical path in kmem_cache_alloc().
2554      */
2555     if (unlikely(flags & GFP_SLAB_BUG_MASK))
2556         flags = kmalloc_fix_flags(flags);
2557
2558     WARN_ON_ONCE(cachep->ctor && (flags & __GFP_ZERO));
2559     local_flags = flags & (GFP_CONSTRAINT_MASK|GFP_RECLAIM_MASK);
2560
2561     check_irq_off();
2562     if (gfpflags_allow_blocking(local_flags))
2563         local_irq_enable();
2564
2565     /*
2566      * Get mem for the objs.  Attempt to allocate a physical page from
2567      * 'nodeid'.
2568      */
2569     slab = kmem_getpages(cachep, local_flags, nodeid);
2570     if (!slab)
2571         goto failed;
2572
2573     slab_node = slab_nid(slab);
2574     n = get_node(cachep, slab_node);
2575
2576     /* Get colour for the slab, and cal the next value. */
2577     n->colour_next++;
2578     if (n->colour_next >= cachep->colour)
2579         n->colour_next = 0;
2580
2581     offset = n->colour_next;
2582     if (offset >= cachep->colour)
2583         offset = 0;
2584
2585     offset *= cachep->colour_off;
2586
2587     /*
2588      * Call kasan_poison_slab() before calling alloc_slabmgmt(), so
2589      * page_address() in the latter returns a non-tagged pointer,
2590      * as it should be for slab pages.
2591      */
2592     kasan_poison_slab(slab);
2593
2594     /* Get slab management. */
2595     freelist = alloc_slabmgmt(cachep, slab, offset,
2596             local_flags & ~GFP_CONSTRAINT_MASK, slab_node);
2597     if (OFF_SLAB(cachep) && !freelist)
2598         goto opps1;
2599
2600     slab->slab_cache = cachep;
2601     slab->freelist = freelist;
2602
2603     cache_init_objs(cachep, slab);
2604
2605     if (gfpflags_allow_blocking(local_flags))
2606         local_irq_disable();
2607
2608     return slab;
2609
2610 opps1:
2611     kmem_freepages(cachep, slab);
2612 failed:
2613     if (gfpflags_allow_blocking(local_flags))
2614         local_irq_disable();
2615     return NULL;
2616 }
2617
2618 static void cache_grow_end(struct kmem_cache *cachep, struct slab *slab)
2619 {
2620     struct kmem_cache_node *n;
2621     void *list = NULL;
2622
2623     check_irq_off();
2624
2625     if (!slab)
2626         return;
2627
2628     INIT_LIST_HEAD(&slab->slab_list);
2629     n = get_node(cachep, slab_nid(slab));
2630
2631     spin_lock(&n->list_lock);
2632     n->total_slabs++;
2633     if (!slab->active) {
2634         list_add_tail(&slab->slab_list, &n->slabs_free);
2635         n->free_slabs++;
2636     } else
2637         fixup_slab_list(cachep, n, slab, &list);
2638
2639     STATS_INC_GROWN(cachep);
2640     n->free_objects += cachep->num - slab->active;
2641     spin_unlock(&n->list_lock);
2642
2643     fixup_objfreelist_debug(cachep, &list);
2644 }
2645
2646 #if DEBUG
2647
2648 /*
2649  * Perform extra freeing checks:
2650  * - detect bad pointers.
2651  * - POISON/RED_ZONE checking
2652  */
2653 static void kfree_debugcheck(const void *objp)
2654 {
2655     if (!virt_addr_valid(objp)) {
2656         pr_err("kfree_debugcheck: out of range ptr %lxh\n",
2657                (unsigned long)objp);
2658         BUG();
2659     }
2660 }
2661
2662 static inline void verify_redzone_free(struct kmem_cache *cache, void *obj)
2663 {
2664     unsigned long long redzone1, redzone2;
2665
2666     redzone1 = *dbg_redzone1(cache, obj);
2667     redzone2 = *dbg_redzone2(cache, obj);
2668
2669     /*
2670      * Redzone is ok.
2671      */
2672     if (redzone1 == RED_ACTIVE && redzone2 == RED_ACTIVE)
2673         return;
2674
2675     if (redzone1 == RED_INACTIVE && redzone2 == RED_INACTIVE)
2676         slab_error(cache, "double free detected");
2677     else
2678         slab_error(cache, "memory outside object was overwritten");
2679
2680     pr_err("%px: redzone 1:0x%llx, redzone 2:0x%llx\n",
2681            obj, redzone1, redzone2);
2682 }
2683
2684 static void *cache_free_debugcheck(struct kmem_cache *cachep, void *objp,
2685                    unsigned long caller)
2686 {
2687     unsigned int objnr;
2688     struct slab *slab;
2689
2690     BUG_ON(virt_to_cache(objp) != cachep);
2691
2692     objp -= obj_offset(cachep);
2693     kfree_debugcheck(objp);
2694     slab = virt_to_slab(objp);
2695
2696     if (cachep->flags & SLAB_RED_ZONE) {
2697         verify_redzone_free(cachep, objp);
2698         *dbg_redzone1(cachep, objp) = RED_INACTIVE;
2699         *dbg_redzone2(cachep, objp) = RED_INACTIVE;
2700     }
2701     if (cachep->flags & SLAB_STORE_USER)
2702         *dbg_userword(cachep, objp) = (void *)caller;
2703
2704     objnr = obj_to_index(cachep, slab, objp);
2705
2706     BUG_ON(objnr >= cachep->num);
2707     BUG_ON(objp != index_to_obj(cachep, slab, objnr));
2708
2709     if (cachep->flags & SLAB_POISON) {
2710         poison_obj(cachep, objp, POISON_FREE);
2711         slab_kernel_map(cachep, objp, 0);
2712     }
2713     return objp;
2714 }
2715
2716 #else
2717 #define kfree_debugcheck(x) do { } while(0)
2718 #define cache_free_debugcheck(x, objp, z) (objp)
2719 #endif
2720
2721 static inline void fixup_objfreelist_debug(struct kmem_cache *cachep,
2722                         void **list)
2723 {
2724 #if DEBUG
2725     void *next = *list;
2726     void *objp;
2727
2728     while (next) {
2729         objp = next - obj_offset(cachep);
2730         next = *(void **)next;
2731         poison_obj(cachep, objp, POISON_FREE);
2732     }
2733 #endif
2734 }
2735
2736 static inline void fixup_slab_list(struct kmem_cache *cachep,
2737                 struct kmem_cache_node *n, struct slab *slab,
2738                 void **list)
2739 {
2740     /* move slabp to correct slabp list: */
2741     list_del(&slab->slab_list);
2742     if (slab->active == cachep->num) {
2743         list_add(&slab->slab_list, &n->slabs_full);
2744         if (OBJFREELIST_SLAB(cachep)) {
2745 #if DEBUG
2746             /* Poisoning will be done without holding the lock */
2747             if (cachep->flags & SLAB_POISON) {
2748                 void **objp = slab->freelist;
2749
2750                 *objp = *list;
2751                 *list = objp;
2752             }
2753 #endif
2754             slab->freelist = NULL;
2755         }
2756     } else
2757         list_add(&slab->slab_list, &n->slabs_partial);
2758 }
2759
2760 /* Try to find non-pfmemalloc slab if needed */
2761 static noinline struct slab *get_valid_first_slab(struct kmem_cache_node *n,
2762                     struct slab *slab, bool pfmemalloc)
2763 {
2764     if (!slab)
2765         return NULL;
2766
2767     if (pfmemalloc)
2768         return slab;
2769
2770     if (!slab_test_pfmemalloc(slab))
2771         return slab;
2772
2773     /* No need to keep pfmemalloc slab if we have enough free objects */
2774     if (n->free_objects > n->free_limit) {
2775         slab_clear_pfmemalloc(slab);
2776         return slab;
2777     }
2778
2779     /* Move pfmemalloc slab to the end of list to speed up next search */
2780     list_del(&slab->slab_list);
2781     if (!slab->active) {
2782         list_add_tail(&slab->slab_list, &n->slabs_free);
2783         n->free_slabs++;
2784     } else
2785         list_add_tail(&slab->slab_list, &n->slabs_partial);
2786
2787     list_for_each_entry(slab, &n->slabs_partial, slab_list) {
2788         if (!slab_test_pfmemalloc(slab))
2789             return slab;
2790     }
2791
2792     n->free_touched = 1;
2793     list_for_each_entry(slab, &n->slabs_free, slab_list) {
2794         if (!slab_test_pfmemalloc(slab)) {
2795             n->free_slabs--;
2796             return slab;
2797         }
2798     }
2799
2800     return NULL;
2801 }
2802
2803 static struct slab *get_first_slab(struct kmem_cache_node *n, bool pfmemalloc)
2804 {
2805     struct slab *slab;
2806
2807     assert_spin_locked(&n->list_lock);
2808     slab = list_first_entry_or_null(&n->slabs_partial, struct slab,
2809                     slab_list);
2810     if (!slab) {
2811         n->free_touched = 1;
2812         slab = list_first_entry_or_null(&n->slabs_free, struct slab,
2813                         slab_list);
2814         if (slab)
2815             n->free_slabs--;
2816     }
2817
2818     if (sk_memalloc_socks())
2819         slab = get_valid_first_slab(n, slab, pfmemalloc);
2820
2821     return slab;
2822 }
2823
2824 static noinline void *cache_alloc_pfmemalloc(struct kmem_cache *cachep,
2825                 struct kmem_cache_node *n, gfp_t flags)
2826 {
2827     struct slab *slab;
2828     void *obj;
2829     void *list = NULL;
2830
2831     if (!gfp_pfmemalloc_allowed(flags))
2832         return NULL;
2833
2834     spin_lock(&n->list_lock);
2835     slab = get_first_slab(n, true);
2836     if (!slab) {
2837         spin_unlock(&n->list_lock);
2838         return NULL;
2839     }
2840
2841     obj = slab_get_obj(cachep, slab);
2842     n->free_objects--;
2843
2844     fixup_slab_list(cachep, n, slab, &list);
2845
2846     spin_unlock(&n->list_lock);
2847     fixup_objfreelist_debug(cachep, &list);
2848
2849     return obj;
2850 }
2851
2852 /*
2853  * Slab list should be fixed up by fixup_slab_list() for existing slab
2854  * or cache_grow_end() for new slab
2855  */
2856 static __always_inline int alloc_block(struct kmem_cache *cachep,
2857         struct array_cache *ac, struct slab *slab, int batchcount)
2858 {
2859     /*
2860      * There must be at least one object available for
2861      * allocation.
2862      */
2863     BUG_ON(slab->active >= cachep->num);
2864
2865     while (slab->active < cachep->num && batchcount--) {
2866         STATS_INC_ALLOCED(cachep);
2867         STATS_INC_ACTIVE(cachep);
2868         STATS_SET_HIGH(cachep);
2869
2870         ac->entry[ac->avail++] = slab_get_obj(cachep, slab);
2871     }
2872
2873     return batchcount;
2874 }
2875
2876 static void *cache_alloc_refill(struct kmem_cache *cachep, gfp_t flags)
2877 {
2878     int batchcount;
2879     struct kmem_cache_node *n;
2880     struct array_cache *ac, *shared;
2881     int node;
2882     void *list = NULL;
2883     struct slab *slab;
2884
2885     check_irq_off();
2886     node = numa_mem_id();
2887
2888     ac = cpu_cache_get(cachep);
2889     batchcount = ac->batchcount;
2890     if (!ac->touched && batchcount > BATCHREFILL_LIMIT) {
2891         /*
2892          * If there was little recent activity on this cache, then
2893          * perform only a partial refill.  Otherwise we could generate
2894          * refill bouncing.
2895          */
2896         batchcount = BATCHREFILL_LIMIT;
2897     }
2898     n = get_node(cachep, node);
2899
2900     BUG_ON(ac->avail > 0 || !n);
2901     shared = READ_ONCE(n->shared);
2902     if (!n->free_objects && (!shared || !shared->avail))
2903         goto direct_grow;
2904
2905     spin_lock(&n->list_lock);
2906     shared = READ_ONCE(n->shared);
2907
2908     /* See if we can refill from the shared array */
2909     if (shared && transfer_objects(ac, shared, batchcount)) {
2910         shared->touched = 1;
2911         goto alloc_done;
2912     }
2913
2914     while (batchcount > 0) {
2915         /* Get slab alloc is to come from. */
2916         slab = get_first_slab(n, false);
2917         if (!slab)
2918             goto must_grow;
2919
2920         check_spinlock_acquired(cachep);
2921
2922         batchcount = alloc_block(cachep, ac, slab, batchcount);
2923         fixup_slab_list(cachep, n, slab, &list);
2924     }
2925
2926 must_grow:
2927     n->free_objects -= ac->avail;
2928 alloc_done:
2929     spin_unlock(&n->list_lock);
2930     fixup_objfreelist_debug(cachep, &list);
2931
2932 direct_grow:
2933     if (unlikely(!ac->avail)) {
2934         /* Check if we can use obj in pfmemalloc slab */
2935         if (sk_memalloc_socks()) {
2936             void *obj = cache_alloc_pfmemalloc(cachep, n, flags);
2937
2938             if (obj)
2939                 return obj;
2940         }
2941
2942         slab = cache_grow_begin(cachep, gfp_exact_node(flags), node);
2943
2944         /*
2945          * cache_grow_begin() can reenable interrupts,
2946          * then ac could change.
2947          */
2948         ac = cpu_cache_get(cachep);
2949         if (!ac->avail && slab)
2950             alloc_block(cachep, ac, slab, batchcount);
2951         cache_grow_end(cachep, slab);
2952
2953         if (!ac->avail)
2954             return NULL;
2955     }
2956     ac->touched = 1;
2957
2958     return ac->entry[--ac->avail];
2959 }
2960
2961 #if DEBUG
2962 static void *cache_alloc_debugcheck_after(struct kmem_cache *cachep,
2963                 gfp_t flags, void *objp, unsigned long caller)
2964 {
2965     WARN_ON_ONCE(cachep->ctor && (flags & __GFP_ZERO));
2966     if (!objp || is_kfence_address(objp))
2967         return objp;
2968     if (cachep->flags & SLAB_POISON) {
2969         check_poison_obj(cachep, objp);
2970         slab_kernel_map(cachep, objp, 1);
2971         poison_obj(cachep, objp, POISON_INUSE);
2972     }
2973     if (cachep->flags & SLAB_STORE_USER)
2974         *dbg_userword(cachep, objp) = (void *)caller;
2975
2976     if (cachep->flags & SLAB_RED_ZONE) {
2977         if (*dbg_redzone1(cachep, objp) != RED_INACTIVE ||
2978                 *dbg_redzone2(cachep, objp) != RED_INACTIVE) {
2979             slab_error(cachep, "double free, or memory outside object was overwritten");
2980             pr_err("%px: redzone 1:0x%llx, redzone 2:0x%llx\n",
2981                    objp, *dbg_redzone1(cachep, objp),
2982                    *dbg_redzone2(cachep, objp));
2983         }
2984         *dbg_redzone1(cachep, objp) = RED_ACTIVE;
2985         *dbg_redzone2(cachep, objp) = RED_ACTIVE;
2986     }
2987
2988     objp += obj_offset(cachep);
2989     if (cachep->ctor && cachep->flags & SLAB_POISON)
2990         cachep->ctor(objp);
2991     if ((unsigned long)objp & (arch_slab_minalign() - 1)) {
2992         pr_err("0x%px: not aligned to arch_slab_minalign()=%u\n", objp,
2993                arch_slab_minalign());
2994     }
2995     return objp;
2996 }
2997 #else
2998 #define cache_alloc_debugcheck_after(a, b, objp, d) (objp)
2999 #endif
3000
3001 static inline void *____cache_alloc(struct kmem_cache *cachep, gfp_t flags)
3002 {
3003     void *objp;
3004     struct array_cache *ac;
3005
3006     check_irq_off();
3007
3008     ac = cpu_cache_get(cachep);
3009     if (likely(ac->avail)) {
3010         ac->touched = 1;
3011         objp = ac->entry[--ac->avail];
3012
3013         STATS_INC_ALLOCHIT(cachep);
3014         goto out;
3015     }
3016
3017     STATS_INC_ALLOCMISS(cachep);
3018     objp = cache_alloc_refill(cachep, flags);
3019     /*
3020      * the 'ac' may be updated by cache_alloc_refill(),
3021      * and kmemleak_erase() requires its correct value.
3022      */
3023     ac = cpu_cache_get(cachep);
3024
3025 out:
3026     /*
3027      * To avoid a false negative, if an object that is in one of the
3028      * per-CPU caches is leaked, we need to make sure kmemleak doesn't
3029      * treat the array pointers as a reference to the object.
3030      */
3031     if (objp)
3032         kmemleak_erase(&ac->entry[ac->avail]);
3033     return objp;
3034 }
3035
3036 #ifdef CONFIG_NUMA
3037 static void *____cache_alloc_node(struct kmem_cache *, gfp_t, int);
3038
3039 /*
3040  * Try allocating on another node if PFA_SPREAD_SLAB is a mempolicy is set.
3041  *
3042  * If we are in_interrupt, then process context, including cpusets and
3043  * mempolicy, may not apply and should not be used for allocation policy.
3044  */
3045 static void *alternate_node_alloc(struct kmem_cache *cachep, gfp_t flags)
3046 {
3047     int nid_alloc, nid_here;
3048
3049     if (in_interrupt() || (flags & __GFP_THISNODE))
3050         return NULL;
3051     nid_alloc = nid_here = numa_mem_id();
3052     if (cpuset_do_slab_mem_spread() && (cachep->flags & SLAB_MEM_SPREAD))
3053         nid_alloc = cpuset_slab_spread_node();
3054     else if (current->mempolicy)
3055         nid_alloc = mempolicy_slab_node();
3056     if (nid_alloc != nid_here)
3057         return ____cache_alloc_node(cachep, flags, nid_alloc);
3058     return NULL;
3059 }
3060
3061 /*
3062  * Fallback function if there was no memory available and no objects on a
3063  * certain node and fall back is permitted. First we scan all the
3064  * available node for available objects. If that fails then we
3065  * perform an allocation without specifying a node. This allows the page
3066  * allocator to do its reclaim / fallback magic. We then insert the
3067  * slab into the proper nodelist and then allocate from it.
3068  */
3069 static void *fallback_alloc(struct kmem_cache *cache, gfp_t flags)
3070 {
3071     struct zonelist *zonelist;
3072     struct zoneref *z;
3073     struct zone *zone;
3074     enum zone_type highest_zoneidx = gfp_zone(flags);
3075     void *obj = NULL;
3076     struct slab *slab;
3077     int nid;
3078     unsigned int cpuset_mems_cookie;
3079
3080     if (flags & __GFP_THISNODE)
3081         return NULL;
3082
3083 retry_cpuset:
3084     cpuset_mems_cookie = read_mems_allowed_begin();
3085     zonelist = node_zonelist(mempolicy_slab_node(), flags);
3086
3087 retry:
3088     /*
3089      * Look through allowed nodes for objects available
3090      * from existing per node queues.
3091      */
3092     for_each_zone_zonelist(zone, z, zonelist, highest_zoneidx) {
3093         nid = zone_to_nid(zone);
3094
3095         if (cpuset_zone_allowed(zone, flags) &&
3096             get_node(cache, nid) &&
3097             get_node(cache, nid)->free_objects) {
3098                 obj = ____cache_alloc_node(cache,
3099                     gfp_exact_node(flags), nid);
3100                 if (obj)
3101                     break;
3102         }
3103     }
3104
3105     if (!obj) {
3106         /*
3107          * This allocation will be performed within the constraints
3108          * of the current cpuset / memory policy requirements.
3109          * We may trigger various forms of reclaim on the allowed
3110          * set and go into memory reserves if necessary.
3111          */
3112         slab = cache_grow_begin(cache, flags, numa_mem_id());
3113         cache_grow_end(cache, slab);
3114         if (slab) {
3115             nid = slab_nid(slab);
3116             obj = ____cache_alloc_node(cache,
3117                 gfp_exact_node(flags), nid);
3118
3119             /*
3120              * Another processor may allocate the objects in
3121              * the slab since we are not holding any locks.
3122              */
3123             if (!obj)
3124                 goto retry;
3125         }
3126     }
3127
3128     if (unlikely(!obj && read_mems_allowed_retry(cpuset_mems_cookie)))
3129         goto retry_cpuset;
3130     return obj;
3131 }
3132
3133 /*
3134  * An interface to enable slab creation on nodeid
3135  */
3136 static void *____cache_alloc_node(struct kmem_cache *cachep, gfp_t flags,
3137                 int nodeid)
3138 {
3139     struct slab *slab;
3140     struct kmem_cache_node *n;
3141     void *obj = NULL;
3142     void *list = NULL;
3143
3144     VM_BUG_ON(nodeid < 0 || nodeid >= MAX_NUMNODES);
3145     n = get_node(cachep, nodeid);
3146     BUG_ON(!n);
3147
3148     check_irq_off();
3149     spin_lock(&n->list_lock);
3150     slab = get_first_slab(n, false);
3151     if (!slab)
3152         goto must_grow;
3153
3154     check_spinlock_acquired_node(cachep, nodeid);
3155
3156     STATS_INC_NODEALLOCS(cachep);
3157     STATS_INC_ACTIVE(cachep);
3158     STATS_SET_HIGH(cachep);
3159
3160     BUG_ON(slab->active == cachep->num);
3161
3162     obj = slab_get_obj(cachep, slab);
3163     n->free_objects--;
3164
3165     fixup_slab_list(cachep, n, slab, &list);
3166
3167     spin_unlock(&n->list_lock);
3168     fixup_objfreelist_debug(cachep, &list);
3169     return obj;
3170
3171 must_grow:
3172     spin_unlock(&n->list_lock);
3173     slab = cache_grow_begin(cachep, gfp_exact_node(flags), nodeid);
3174     if (slab) {
3175         /* This slab isn't counted yet so don't update free_objects */
3176         obj = slab_get_obj(cachep, slab);
3177     }
3178     cache_grow_end(cachep, slab);
3179
3180     return obj ? obj : fallback_alloc(cachep, flags);
3181 }
3182
3183 static __always_inline void *
3184 slab_alloc_node(struct kmem_cache *cachep, gfp_t flags, int nodeid, size_t orig_size,
3185            unsigned long caller)
3186 {
3187     unsigned long save_flags;
3188     void *ptr;
3189     int slab_node = numa_mem_id();
3190     struct obj_cgroup *objcg = NULL;
3191     bool init = false;
3192
3193     flags &= gfp_allowed_mask;
3194     cachep = slab_pre_alloc_hook(cachep, NULL, &objcg, 1, flags);
3195     if (unlikely(!cachep))
3196         return NULL;
3197
3198     ptr = kfence_alloc(cachep, orig_size, flags);
3199     if (unlikely(ptr))
3200         goto out_hooks;
3201
3202     local_irq_save(save_flags);
3203
3204     if (nodeid == NUMA_NO_NODE)
3205         nodeid = slab_node;
3206
3207     if (unlikely(!get_node(cachep, nodeid))) {
3208         /* Node not bootstrapped yet */
3209         ptr = fallback_alloc(cachep, flags);
3210         goto out;
3211     }
3212
3213     if (nodeid == slab_node) {
3214         /*
3215          * Use the locally cached objects if possible.
3216          * However ____cache_alloc does not allow fallback
3217          * to other nodes. It may fail while we still have
3218          * objects on other nodes available.
3219          */
3220         ptr = ____cache_alloc(cachep, flags);
3221         if (ptr)
3222             goto out;
3223     }
3224     /* ___cache_alloc_node can fall back to other nodes */
3225     ptr = ____cache_alloc_node(cachep, flags, nodeid);
3226 out:
3227     local_irq_restore(save_flags);
3228     ptr = cache_alloc_debugcheck_after(cachep, flags, ptr, caller);
3229     init = slab_want_init_on_alloc(flags, cachep);
3230
3231 out_hooks:
3232     slab_post_alloc_hook(cachep, objcg, flags, 1, &ptr, init);
3233     return ptr;
3234 }
3235
3236 static __always_inline void *
3237 __do_cache_alloc(struct kmem_cache *cache, gfp_t flags)
3238 {
3239     void *objp;
3240
3241     if (current->mempolicy || cpuset_do_slab_mem_spread()) {
3242         objp = alternate_node_alloc(cache, flags);
3243         if (objp)
3244             goto out;
3245     }
3246     objp = ____cache_alloc(cache, flags);
3247
3248     /*
3249      * We may just have run out of memory on the local node.
3250      * ____cache_alloc_node() knows how to locate memory on other nodes
3251      */
3252     if (!objp)
3253         objp = ____cache_alloc_node(cache, flags, numa_mem_id());
3254
3255 out:
3256     return objp;
3257 }
3258 #else
3259
3260 static __always_inline void *
3261 __do_cache_alloc(struct kmem_cache *cachep, gfp_t flags)
3262 {
3263     return ____cache_alloc(cachep, flags);
3264 }
3265
3266 #endif /* CONFIG_NUMA */
3267
3268 static __always_inline void *
3269 slab_alloc(struct kmem_cache *cachep, struct list_lru *lru, gfp_t flags,
3270        size_t orig_size, unsigned long caller)
3271 {
3272     unsigned long save_flags;
3273     void *objp;
3274     struct obj_cgroup *objcg = NULL;
3275     bool init = false;
3276
3277     flags &= gfp_allowed_mask;
3278     cachep = slab_pre_alloc_hook(cachep, lru, &objcg, 1, flags);
3279     if (unlikely(!cachep))
3280         return NULL;
3281
3282     objp = kfence_alloc(cachep, orig_size, flags);
3283     if (unlikely(objp))
3284         goto out;
3285
3286     local_irq_save(save_flags);
3287     objp = __do_cache_alloc(cachep, flags);
3288     local_irq_restore(save_flags);
3289     objp = cache_alloc_debugcheck_after(cachep, flags, objp, caller);
3290     prefetchw(objp);
3291     init = slab_want_init_on_alloc(flags, cachep);
3292
3293 out:
3294     slab_post_alloc_hook(cachep, objcg, flags, 1, &objp, init);
3295     return objp;
3296 }
3297
3298 /*
3299  * Caller needs to acquire correct kmem_cache_node's list_lock
3300  * @list: List of detached free slabs should be freed by caller
3301  */
3302 static void free_block(struct kmem_cache *cachep, void **objpp,
3303             int nr_objects, int node, struct list_head *list)
3304 {
3305     int i;
3306     struct kmem_cache_node *n = get_node(cachep, node);
3307     struct slab *slab;
3308
3309     n->free_objects += nr_objects;
3310
3311     for (i = 0; i < nr_objects; i++) {
3312         void *objp;
3313         struct slab *slab;
3314
3315         objp = objpp[i];
3316
3317         slab = virt_to_slab(objp);
3318         list_del(&slab->slab_list);
3319         check_spinlock_acquired_node(cachep, node);
3320         slab_put_obj(cachep, slab, objp);
3321         STATS_DEC_ACTIVE(cachep);
3322
3323         /* fixup slab chains */
3324         if (slab->active == 0) {
3325             list_add(&slab->slab_list, &n->slabs_free);
3326             n->free_slabs++;
3327         } else {
3328             /* Unconditionally move a slab to the end of the
3329              * partial list on free - maximum time for the
3330              * other objects to be freed, too.
3331              */
3332             list_add_tail(&slab->slab_list, &n->slabs_partial);
3333         }
3334     }
3335
3336     while (n->free_objects > n->free_limit && !list_empty(&n->slabs_free)) {
3337         n->free_objects -= cachep->num;
3338
3339         slab = list_last_entry(&n->slabs_free, struct slab, slab_list);
3340         list_move(&slab->slab_list, list);
3341         n->free_slabs--;
3342         n->total_slabs--;
3343     }
3344 }
3345
3346 static void cache_flusharray(struct kmem_cache *cachep, struct array_cache *ac)
3347 {
3348     int batchcount;
3349     struct kmem_cache_node *n;
3350     int node = numa_mem_id();
3351     LIST_HEAD(list);
3352
3353     batchcount = ac->batchcount;
3354
3355     check_irq_off();
3356     n = get_node(cachep, node);
3357     spin_lock(&n->list_lock);
3358     if (n->shared) {
3359         struct array_cache *shared_array = n->shared;
3360         int max = shared_array->limit - shared_array->avail;
3361         if (max) {
3362             if (batchcount > max)
3363                 batchcount = max;
3364             memcpy(&(shared_array->entry[shared_array->avail]),
3365                    ac->entry, sizeof(void *) * batchcount);
3366             shared_array->avail += batchcount;
3367             goto free_done;
3368         }
3369     }
3370
3371     free_block(cachep, ac->entry, batchcount, node, &list);
3372 free_done:
3373 #if STATS
3374     {
3375         int i = 0;
3376         struct slab *slab;
3377
3378         list_for_each_entry(slab, &n->slabs_free, slab_list) {
3379             BUG_ON(slab->active);
3380
3381             i++;
3382         }
3383         STATS_SET_FREEABLE(cachep, i);
3384     }
3385 #endif
3386     spin_unlock(&n->list_lock);
3387     ac->avail -= batchcount;
3388     memmove(ac->entry, &(ac->entry[batchcount]), sizeof(void *)*ac->avail);
3389     slabs_destroy(cachep, &list);
3390 }
3391
3392 /*
3393  * Release an obj back to its cache. If the obj has a constructed state, it must
3394  * be in this state _before_ it is released.  Called with disabled ints.
3395  */
3396 static __always_inline void __cache_free(struct kmem_cache *cachep, void *objp,
3397                      unsigned long caller)
3398 {
3399     bool init;
3400
3401     memcg_slab_free_hook(cachep, virt_to_slab(objp), &objp, 1);
3402
3403     if (is_kfence_address(objp)) {
3404         kmemleak_free_recursive(objp, cachep->flags);
3405         __kfence_free(objp);
3406         return;
3407     }
3408
3409     /*
3410      * As memory initialization might be integrated into KASAN,
3411      * kasan_slab_free and initialization memset must be
3412      * kept together to avoid discrepancies in behavior.
3413      */
3414     init = slab_want_init_on_free(cachep);
3415     if (init && !kasan_has_integrated_init())
3416         memset(objp, 0, cachep->object_size);
3417     /* KASAN might put objp into memory quarantine, delaying its reuse. */
3418     if (kasan_slab_free(cachep, objp, init))
3419         return;
3420
3421     /* Use KCSAN to help debug racy use-after-free. */
3422     if (!(cachep->flags & SLAB_TYPESAFE_BY_RCU))
3423         __kcsan_check_access(objp, cachep->object_size,
3424                      KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT);
3425
3426     ___cache_free(cachep, objp, caller);
3427 }
3428
3429 void ___cache_free(struct kmem_cache *cachep, void *objp,
3430         unsigned long caller)
3431 {
3432     struct array_cache *ac = cpu_cache_get(cachep);
3433
3434     check_irq_off();
3435     kmemleak_free_recursive(objp, cachep->flags);
3436     objp = cache_free_debugcheck(cachep, objp, caller);
3437
3438     /*
3439      * Skip calling cache_free_alien() when the platform is not numa.
3440      * This will avoid cache misses that happen while accessing slabp (which
3441      * is per page memory  reference) to get nodeid. Instead use a global
3442      * variable to skip the call, which is mostly likely to be present in
3443      * the cache.
3444      */
3445     if (nr_online_nodes > 1 && cache_free_alien(cachep, objp))
3446         return;
3447
3448     if (ac->avail < ac->limit) {
3449         STATS_INC_FREEHIT(cachep);
3450     } else {
3451         STATS_INC_FREEMISS(cachep);
3452         cache_flusharray(cachep, ac);
3453     }
3454
3455     if (sk_memalloc_socks()) {
3456         struct slab *slab = virt_to_slab(objp);
3457
3458         if (unlikely(slab_test_pfmemalloc(slab))) {
3459             cache_free_pfmemalloc(cachep, slab, objp);
3460             return;
3461         }
3462     }
3463
3464     __free_one(ac, objp);
3465 }
3466
3467 static __always_inline
3468 void *__kmem_cache_alloc_lru(struct kmem_cache *cachep, struct list_lru *lru,
3469                  gfp_t flags)
3470 {
3471     void *ret = slab_alloc(cachep, lru, flags, cachep->object_size, _RET_IP_);
3472
3473     trace_kmem_cache_alloc(_RET_IP_, ret, cachep,
3474                    cachep->object_size, cachep->size, flags);
3475
3476     return ret;
3477 }
3478
3479 /**
3480  * kmem_cache_alloc - Allocate an object
3481  * @cachep: The cache to allocate from.
3482  * @flags: See kmalloc().
3483  *
3484  * Allocate an object from this cache.  The flags are only relevant
3485  * if the cache has no available objects.
3486  *
3487  * Return: pointer to the new object or %NULL in case of error
3488  */
3489 void *kmem_cache_alloc(struct kmem_cache *cachep, gfp_t flags)
3490 {
3491     return __kmem_cache_alloc_lru(cachep, NULL, flags);
3492 }
3493 EXPORT_SYMBOL(kmem_cache_alloc);
3494
3495 void *kmem_cache_alloc_lru(struct kmem_cache *cachep, struct list_lru *lru,
3496                gfp_t flags)
3497 {
3498     return __kmem_cache_alloc_lru(cachep, lru, flags);
3499 }
3500 EXPORT_SYMBOL(kmem_cache_alloc_lru);
3501
3502 static __always_inline void
3503 cache_alloc_debugcheck_after_bulk(struct kmem_cache *s, gfp_t flags,
3504                   size_t size, void **p, unsigned long caller)
3505 {
3506     size_t i;
3507
3508     for (i = 0; i < size; i++)
3509         p[i] = cache_alloc_debugcheck_after(s, flags, p[i], caller);
3510 }
3511
3512 int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
3513               void **p)
3514 {
3515     size_t i;
3516     struct obj_cgroup *objcg = NULL;
3517
3518     s = slab_pre_alloc_hook(s, NULL, &objcg, size, flags);
3519     if (!s)
3520         return 0;
3521
3522     local_irq_disable();
3523     for (i = 0; i < size; i++) {
3524         void *objp = kfence_alloc(s, s->object_size, flags) ?: __do_cache_alloc(s, flags);
3525
3526         if (unlikely(!objp))
3527             goto error;
3528         p[i] = objp;
3529     }
3530     local_irq_enable();
3531
3532     cache_alloc_debugcheck_after_bulk(s, flags, size, p, _RET_IP_);
3533
3534     /*
3535      * memcg and kmem_cache debug support and memory initialization.
3536      * Done outside of the IRQ disabled section.
3537      */
3538     slab_post_alloc_hook(s, objcg, flags, size, p,
3539                 slab_want_init_on_alloc(flags, s));
3540     /* FIXME: Trace call missing. Christoph would like a bulk variant */
3541     return size;
3542 error:
3543     local_irq_enable();
3544     cache_alloc_debugcheck_after_bulk(s, flags, i, p, _RET_IP_);
3545     slab_post_alloc_hook(s, objcg, flags, i, p, false);
3546     kmem_cache_free_bulk(s, i, p);
3547     return 0;
3548 }
3549 EXPORT_SYMBOL(kmem_cache_alloc_bulk);
3550
3551 #ifdef CONFIG_TRACING
3552 void *
3553 kmem_cache_alloc_trace(struct kmem_cache *cachep, gfp_t flags, size_t size)
3554 {
3555     void *ret;
3556
3557     ret = slab_alloc(cachep, NULL, flags, size, _RET_IP_);
3558
3559     ret = kasan_kmalloc(cachep, ret, size, flags);
3560     trace_kmalloc(_RET_IP_, ret, cachep,
3561               size, cachep->size, flags);
3562     return ret;
3563 }
3564 EXPORT_SYMBOL(kmem_cache_alloc_trace);
3565 #endif
3566
3567 #ifdef CONFIG_NUMA
3568 /**
3569  * kmem_cache_alloc_node - Allocate an object on the specified node
3570  * @cachep: The cache to allocate from.
3571  * @flags: See kmalloc().
3572  * @nodeid: node number of the target node.
3573  *
3574  * Identical to kmem_cache_alloc but it will allocate memory on the given
3575  * node, which can improve the performance for cpu bound structures.
3576  *
3577  * Fallback to other node is possible if __GFP_THISNODE is not set.
3578  *
3579  * Return: pointer to the new object or %NULL in case of error
3580  */
3581 void *kmem_cache_alloc_node(struct kmem_cache *cachep, gfp_t flags, int nodeid)
3582 {
3583     void *ret = slab_alloc_node(cachep, flags, nodeid, cachep->object_size, _RET_IP_);
3584
3585     trace_kmem_cache_alloc_node(_RET_IP_, ret, cachep,
3586                     cachep->object_size, cachep->size,
3587                     flags, nodeid);
3588
3589     return ret;
3590 }
3591 EXPORT_SYMBOL(kmem_cache_alloc_node);
3592
3593 #ifdef CONFIG_TRACING
3594 void *kmem_cache_alloc_node_trace(struct kmem_cache *cachep,
3595                   gfp_t flags,
3596                   int nodeid,
3597                   size_t size)
3598 {
3599     void *ret;
3600
3601     ret = slab_alloc_node(cachep, flags, nodeid, size, _RET_IP_);
3602
3603     ret = kasan_kmalloc(cachep, ret, size, flags);
3604     trace_kmalloc_node(_RET_IP_, ret, cachep,
3605                size, cachep->size,
3606                flags, nodeid);
3607     return ret;
3608 }
3609 EXPORT_SYMBOL(kmem_cache_alloc_node_trace);
3610 #endif
3611
3612 static __always_inline void *
3613 __do_kmalloc_node(size_t size, gfp_t flags, int node, unsigned long caller)
3614 {
3615     struct kmem_cache *cachep;
3616     void *ret;
3617
3618     if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
3619         return NULL;
3620     cachep = kmalloc_slab(size, flags);
3621     if (unlikely(ZERO_OR_NULL_PTR(cachep)))
3622         return cachep;
3623     ret = kmem_cache_alloc_node_trace(cachep, flags, node, size);
3624     ret = kasan_kmalloc(cachep, ret, size, flags);
3625
3626     return ret;
3627 }
3628
3629 void *__kmalloc_node(size_t size, gfp_t flags, int node)
3630 {
3631     return __do_kmalloc_node(size, flags, node, _RET_IP_);
3632 }
3633 EXPORT_SYMBOL(__kmalloc_node);
3634
3635 void *__kmalloc_node_track_caller(size_t size, gfp_t flags,
3636         int node, unsigned long caller)
3637 {
3638     return __do_kmalloc_node(size, flags, node, caller);
3639 }
3640 EXPORT_SYMBOL(__kmalloc_node_track_caller);
3641 #endif /* CONFIG_NUMA */
3642
3643 #ifdef CONFIG_PRINTK
3644 void __kmem_obj_info(struct kmem_obj_info *kpp, void *object, struct slab *slab)
3645 {
3646     struct kmem_cache *cachep;
3647     unsigned int objnr;
3648     void *objp;
3649
3650     kpp->kp_ptr = object;
3651     kpp->kp_slab = slab;
3652     cachep = slab->slab_cache;
3653     kpp->kp_slab_cache = cachep;
3654     objp = object - obj_offset(cachep);
3655     kpp->kp_data_offset = obj_offset(cachep);
3656     slab = virt_to_slab(objp);
3657     objnr = obj_to_index(cachep, slab, objp);
3658     objp = index_to_obj(cachep, slab, objnr);
3659     kpp->kp_objp = objp;
3660     if (DEBUG && cachep->flags & SLAB_STORE_USER)
3661         kpp->kp_ret = *dbg_userword(cachep, objp);
3662 }
3663 #endif
3664
3665 /**
3666  * __do_kmalloc - allocate memory
3667  * @size: how many bytes of memory are required.
3668  * @flags: the type of memory to allocate (see kmalloc).
3669  * @caller: function caller for debug tracking of the caller
3670  *
3671  * Return: pointer to the allocated memory or %NULL in case of error
3672  */
3673 static __always_inline void *__do_kmalloc(size_t size, gfp_t flags,
3674                       unsigned long caller)
3675 {
3676     struct kmem_cache *cachep;
3677     void *ret;
3678
3679     if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
3680         return NULL;
3681     cachep = kmalloc_slab(size, flags);
3682     if (unlikely(ZERO_OR_NULL_PTR(cachep)))
3683         return cachep;
3684     ret = slab_alloc(cachep, NULL, flags, size, caller);
3685
3686     ret = kasan_kmalloc(cachep, ret, size, flags);
3687     trace_kmalloc(caller, ret, cachep,
3688               size, cachep->size, flags);
3689
3690     return ret;
3691 }
3692
3693 void *__kmalloc(size_t size, gfp_t flags)
3694 {
3695     return __do_kmalloc(size, flags, _RET_IP_);
3696 }
3697 EXPORT_SYMBOL(__kmalloc);
3698
3699 void *__kmalloc_track_caller(size_t size, gfp_t flags, unsigned long caller)
3700 {
3701     return __do_kmalloc(size, flags, caller);
3702 }
3703 EXPORT_SYMBOL(__kmalloc_track_caller);
3704
3705 /**
3706  * kmem_cache_free - Deallocate an object
3707  * @cachep: The cache the allocation was from.
3708  * @objp: The previously allocated object.
3709  *
3710  * Free an object which was previously allocated from this
3711  * cache.
3712  */
3713 void kmem_cache_free(struct kmem_cache *cachep, void *objp)
3714 {
3715     unsigned long flags;
3716     cachep = cache_from_obj(cachep, objp);
3717     if (!cachep)
3718         return;
3719
3720     trace_kmem_cache_free(_RET_IP_, objp, cachep->name);
3721     local_irq_save(flags);
3722     debug_check_no_locks_freed(objp, cachep->object_size);
3723     if (!(cachep->flags & SLAB_DEBUG_OBJECTS))
3724         debug_check_no_obj_freed(objp, cachep->object_size);
3725     __cache_free(cachep, objp, _RET_IP_);
3726     local_irq_restore(flags);
3727 }
3728 EXPORT_SYMBOL(kmem_cache_free);
3729
3730 void kmem_cache_free_bulk(struct kmem_cache *orig_s, size_t size, void **p)
3731 {
3732     struct kmem_cache *s;
3733     size_t i;
3734
3735     local_irq_disable();
3736     for (i = 0; i < size; i++) {
3737         void *objp = p[i];
3738
3739         if (!orig_s) /* called via kfree_bulk */
3740             s = virt_to_cache(objp);
3741         else
3742             s = cache_from_obj(orig_s, objp);
3743         if (!s)
3744             continue;
3745
3746         debug_check_no_locks_freed(objp, s->object_size);
3747         if (!(s->flags & SLAB_DEBUG_OBJECTS))
3748             debug_check_no_obj_freed(objp, s->object_size);
3749
3750         __cache_free(s, objp, _RET_IP_);
3751     }
3752     local_irq_enable();
3753
3754     /* FIXME: add tracing */
3755 }
3756 EXPORT_SYMBOL(kmem_cache_free_bulk);
3757
3758 /**
3759  * kfree - free previously allocated memory
3760  * @objp: pointer returned by kmalloc.
3761  *
3762  * If @objp is NULL, no operation is performed.
3763  *
3764  * Don't free memory not originally allocated by kmalloc()
3765  * or you will run into trouble.
3766  */
3767 void kfree(const void *objp)
3768 {
3769     struct kmem_cache *c;
3770     unsigned long flags;
3771
3772     trace_kfree(_RET_IP_, objp);
3773
3774     if (unlikely(ZERO_OR_NULL_PTR(objp)))
3775         return;
3776     local_irq_save(flags);
3777     kfree_debugcheck(objp);
3778     c = virt_to_cache(objp);
3779     if (!c) {
3780         local_irq_restore(flags);
3781         return;
3782     }
3783     debug_check_no_locks_freed(objp, c->object_size);
3784
3785     debug_check_no_obj_freed(objp, c->object_size);
3786     __cache_free(c, (void *)objp, _RET_IP_);
3787     local_irq_restore(flags);
3788 }
3789 EXPORT_SYMBOL(kfree);
3790
3791 /*
3792  * This initializes kmem_cache_node or resizes various caches for all nodes.
3793  */
3794 static int setup_kmem_cache_nodes(struct kmem_cache *cachep, gfp_t gfp)
3795 {
3796     int ret;
3797     int node;
3798     struct kmem_cache_node *n;
3799
3800     for_each_online_node(node) {
3801         ret = setup_kmem_cache_node(cachep, node, gfp, true);
3802         if (ret)
3803             goto fail;
3804
3805     }
3806
3807     return 0;
3808
3809 fail:
3810     if (!cachep->list.next) {
3811         /* Cache is not active yet. Roll back what we did */
3812         node--;
3813         while (node >= 0) {
3814             n = get_node(cachep, node);
3815             if (n) {
3816                 kfree(n->shared);
3817                 free_alien_cache(n->alien);
3818                 kfree(n);
3819                 cachep->node[node] = NULL;
3820             }
3821             node--;
3822         }
3823     }
3824     return -ENOMEM;
3825 }
3826
3827 /* Always called with the slab_mutex held */
3828 static int do_tune_cpucache(struct kmem_cache *cachep, int limit,
3829                 int batchcount, int shared, gfp_t gfp)
3830 {
3831     struct array_cache __percpu *cpu_cache, *prev;
3832     int cpu;
3833
3834     cpu_cache = alloc_kmem_cache_cpus(cachep, limit, batchcount);
3835     if (!cpu_cache)
3836         return -ENOMEM;
3837
3838     prev = cachep->cpu_cache;
3839     cachep->cpu_cache = cpu_cache;
3840     /*
3841      * Without a previous cpu_cache there's no need to synchronize remote
3842      * cpus, so skip the IPIs.
3843      */
3844     if (prev)
3845         kick_all_cpus_sync();
3846
3847     check_irq_on();
3848     cachep->batchcount = batchcount;
3849     cachep->limit = limit;
3850     cachep->shared = shared;
3851
3852     if (!prev)
3853         goto setup_node;
3854
3855     for_each_online_cpu(cpu) {
3856         LIST_HEAD(list);
3857         int node;
3858         struct kmem_cache_node *n;
3859         struct array_cache *ac = per_cpu_ptr(prev, cpu);
3860
3861         node = cpu_to_mem(cpu);
3862         n = get_node(cachep, node);
3863         spin_lock_irq(&n->list_lock);
3864         free_block(cachep, ac->entry, ac->avail, node, &list);
3865         spin_unlock_irq(&n->list_lock);
3866         slabs_destroy(cachep, &list);
3867     }
3868     free_percpu(prev);
3869
3870 setup_node:
3871     return setup_kmem_cache_nodes(cachep, gfp);
3872 }
3873
3874 /* Called with slab_mutex held always */
3875 static int enable_cpucache(struct kmem_cache *cachep, gfp_t gfp)
3876 {
3877     int err;
3878     int limit = 0;
3879     int shared = 0;
3880     int batchcount = 0;
3881
3882     err = cache_random_seq_create(cachep, cachep->num, gfp);
3883     if (err)
3884         goto end;
3885
3886     /*
3887      * The head array serves three purposes:
3888      * - create a LIFO ordering, i.e. return objects that are cache-warm
3889      * - reduce the number of spinlock operations.
3890      * - reduce the number of linked list operations on the slab and
3891      *   bufctl chains: array operations are cheaper.
3892      * The numbers are guessed, we should auto-tune as described by
3893      * Bonwick.
3894      */
3895     if (cachep->size > 131072)
3896         limit = 1;
3897     else if (cachep->size > PAGE_SIZE)
3898         limit = 8;
3899     else if (cachep->size > 1024)
3900         limit = 24;
3901     else if (cachep->size > 256)
3902         limit = 54;
3903     else
3904         limit = 120;
3905
3906     /*
3907      * CPU bound tasks (e.g. network routing) can exhibit cpu bound
3908      * allocation behaviour: Most allocs on one cpu, most free operations
3909      * on another cpu. For these cases, an efficient object passing between
3910      * cpus is necessary. This is provided by a shared array. The array
3911      * replaces Bonwick's magazine layer.
3912      * On uniprocessor, it's functionally equivalent (but less efficient)
3913      * to a larger limit. Thus disabled by default.
3914      */
3915     shared = 0;
3916     if (cachep->size <= PAGE_SIZE && num_possible_cpus() > 1)
3917         shared = 8;
3918
3919 #if DEBUG
3920     /*
3921      * With debugging enabled, large batchcount lead to excessively long
3922      * periods with disabled local interrupts. Limit the batchcount
3923      */
3924     if (limit > 32)
3925         limit = 32;
3926 #endif
3927     batchcount = (limit + 1) / 2;
3928     err = do_tune_cpucache(cachep, limit, batchcount, shared, gfp);
3929 end:
3930     if (err)
3931         pr_err("enable_cpucache failed for %s, error %d\n",
3932                cachep->name, -err);
3933     return err;
3934 }
3935
3936 /*
3937  * Drain an array if it contains any elements taking the node lock only if
3938  * necessary. Note that the node listlock also protects the array_cache
3939  * if drain_array() is used on the shared array.
3940  */
3941 static void drain_array(struct kmem_cache *cachep, struct kmem_cache_node *n,
3942              struct array_cache *ac, int node)
3943 {
3944     LIST_HEAD(list);
3945
3946     /* ac from n->shared can be freed if we don't hold the slab_mutex. */
3947     check_mutex_acquired();
3948
3949     if (!ac || !ac->avail)
3950         return;
3951
3952     if (ac->touched) {
3953         ac->touched = 0;
3954         return;
3955     }
3956
3957     spin_lock_irq(&n->list_lock);
3958     drain_array_locked(cachep, ac, node, false, &list);
3959     spin_unlock_irq(&n->list_lock);
3960
3961     slabs_destroy(cachep, &list);
3962 }
3963
3964 /**
3965  * cache_reap - Reclaim memory from caches.
3966  * @w: work descriptor
3967  *
3968  * Called from workqueue/eventd every few seconds.
3969  * Purpose:
3970  * - clear the per-cpu caches for this CPU.
3971  * - return freeable pages to the main free memory pool.
3972  *
3973  * If we cannot acquire the cache chain mutex then just give up - we'll try
3974  * again on the next iteration.
3975  */
3976 static void cache_reap(struct work_struct *w)
3977 {
3978     struct kmem_cache *searchp;
3979     struct kmem_cache_node *n;
3980     int node = numa_mem_id();
3981     struct delayed_work *work = to_delayed_work(w);
3982
3983     if (!mutex_trylock(&slab_mutex))
3984         /* Give up. Setup the next iteration. */
3985         goto out;
3986
3987     list_for_each_entry(searchp, &slab_caches, list) {
3988         check_irq_on();
3989
3990         /*
3991          * We only take the node lock if absolutely necessary and we
3992          * have established with reasonable certainty that
3993          * we can do some work if the lock was obtained.
3994          */
3995         n = get_node(searchp, node);
3996
3997         reap_alien(searchp, n);
3998
3999         drain_array(searchp, n, cpu_cache_get(searchp), node);
4000
4001         /*
4002          * These are racy checks but it does not matter
4003          * if we skip one check or scan twice.
4004          */
4005         if (time_after(n->next_reap, jiffies))
4006             goto next;
4007
4008         n->next_reap = jiffies + REAPTIMEOUT_NODE;
4009
4010         drain_array(searchp, n, n->shared, node);
4011
4012         if (n->free_touched)
4013             n->free_touched = 0;
4014         else {
4015             int freed;
4016
4017             freed = drain_freelist(searchp, n, (n->free_limit +
4018                 5 * searchp->num - 1) / (5 * searchp->num));
4019             STATS_ADD_REAPED(searchp, freed);
4020         }
4021 next:
4022         cond_resched();
4023     }
4024     check_irq_on();
4025     mutex_unlock(&slab_mutex);
4026     next_reap_node();
4027 out:
4028     /* Set up the next iteration */
4029     schedule_delayed_work_on(smp_processor_id(), work,
4030                 round_jiffies_relative(REAPTIMEOUT_AC));
4031 }
4032
4033 void get_slabinfo(struct kmem_cache *cachep, struct slabinfo *sinfo)
4034 {
4035     unsigned long active_objs, num_objs, active_slabs;
4036     unsigned long total_slabs = 0, free_objs = 0, shared_avail = 0;
4037     unsigned long free_slabs = 0;
4038     int node;
4039     struct kmem_cache_node *n;
4040
4041     for_each_kmem_cache_node(cachep, node, n) {
4042         check_irq_on();
4043         spin_lock_irq(&n->list_lock);
4044
4045         total_slabs += n->total_slabs;
4046         free_slabs += n->free_slabs;
4047         free_objs += n->free_objects;
4048
4049         if (n->shared)
4050             shared_avail += n->shared->avail;
4051
4052         spin_unlock_irq(&n->list_lock);
4053     }
4054     num_objs = total_slabs * cachep->num;
4055     active_slabs = total_slabs - free_slabs;
4056     active_objs = num_objs - free_objs;
4057
4058     sinfo->active_objs = active_objs;
4059     sinfo->num_objs = num_objs;
4060     sinfo->active_slabs = active_slabs;
4061     sinfo->num_slabs = total_slabs;
4062     sinfo->shared_avail = shared_avail;
4063     sinfo->limit = cachep->limit;
4064     sinfo->batchcount = cachep->batchcount;
4065     sinfo->shared = cachep->shared;
4066     sinfo->objects_per_slab = cachep->num;
4067     sinfo->cache_order = cachep->gfporder;
4068 }
4069
4070 void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep)
4071 {
4072 #if STATS
4073     {           /* node stats */
4074         unsigned long high = cachep->high_mark;
4075         unsigned long allocs = cachep->num_allocations;
4076         unsigned long grown = cachep->grown;
4077         unsigned long reaped = cachep->reaped;
4078         unsigned long errors = cachep->errors;
4079         unsigned long max_freeable = cachep->max_freeable;
4080         unsigned long node_allocs = cachep->node_allocs;
4081         unsigned long node_frees = cachep->node_frees;
4082         unsigned long overflows = cachep->node_overflow;
4083
4084         seq_printf(m, " : globalstat %7lu %6lu %5lu %4lu %4lu %4lu %4lu %4lu %4lu",
4085                allocs, high, grown,
4086                reaped, errors, max_freeable, node_allocs,
4087                node_frees, overflows);
4088     }
4089     /* cpu stats */
4090     {
4091         unsigned long allochit = atomic_read(&cachep->allochit);
4092         unsigned long allocmiss = atomic_read(&cachep->allocmiss);
4093         unsigned long freehit = atomic_read(&cachep->freehit);
4094         unsigned long freemiss = atomic_read(&cachep->freemiss);
4095
4096         seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
4097                allochit, allocmiss, freehit, freemiss);
4098     }
4099 #endif
4100 }
4101
4102 #define MAX_SLABINFO_WRITE 128
4103 /**
4104  * slabinfo_write - Tuning for the slab allocator
4105  * @file: unused
4106  * @buffer: user buffer
4107  * @count: data length
4108  * @ppos: unused
4109  *
4110  * Return: %0 on success, negative error code otherwise.
4111  */
4112 ssize_t slabinfo_write(struct file *file, const char __user *buffer,
4113                size_t count, loff_t *ppos)
4114 {
4115     char kbuf[MAX_SLABINFO_WRITE + 1], *tmp;
4116     int limit, batchcount, shared, res;
4117     struct kmem_cache *cachep;
4118
4119     if (count > MAX_SLABINFO_WRITE)
4120         return -EINVAL;
4121     if (copy_from_user(&kbuf, buffer, count))
4122         return -EFAULT;
4123     kbuf[MAX_SLABINFO_WRITE] = '\0';
4124
4125     tmp = strchr(kbuf, ' ');
4126     if (!tmp)
4127         return -EINVAL;
4128     *tmp = '\0';
4129     tmp++;
4130     if (sscanf(tmp, " %d %d %d", &limit, &batchcount, &shared) != 3)
4131         return -EINVAL;
4132
4133     /* Find the cache in the chain of caches. */
4134     mutex_lock(&slab_mutex);
4135     res = -EINVAL;
4136     list_for_each_entry(cachep, &slab_caches, list) {
4137         if (!strcmp(cachep->name, kbuf)) {
4138             if (limit < 1 || batchcount < 1 ||
4139                     batchcount > limit || shared < 0) {
4140                 res = 0;
4141             } else {
4142                 res = do_tune_cpucache(cachep, limit,
4143                                batchcount, shared,
4144                                GFP_KERNEL);
4145             }
4146             break;
4147         }
4148     }
4149     mutex_unlock(&slab_mutex);
4150     if (res >= 0)
4151         res = count;
4152     return res;
4153 }
4154
4155 #ifdef CONFIG_HARDENED_USERCOPY
4156 /*
4157  * Rejects incorrectly sized objects and objects that are to be copied
4158  * to/from userspace but do not fall entirely within the containing slab
4159  * cache's usercopy region.
4160  *
4161  * Returns NULL if check passes, otherwise const char * to name of cache
4162  * to indicate an error.
4163  */
4164 void __check_heap_object(const void *ptr, unsigned long n,
4165              const struct slab *slab, bool to_user)
4166 {
4167     struct kmem_cache *cachep;
4168     unsigned int objnr;
4169     unsigned long offset;
4170
4171     ptr = kasan_reset_tag(ptr);
4172
4173     /* Find and validate object. */
4174     cachep = slab->slab_cache;
4175     objnr = obj_to_index(cachep, slab, (void *)ptr);
4176     BUG_ON(objnr >= cachep->num);
4177
4178     /* Find offset within object. */
4179     if (is_kfence_address(ptr))
4180         offset = ptr - kfence_object_start(ptr);
4181     else
4182         offset = ptr - index_to_obj(cachep, slab, objnr) - obj_offset(cachep);
4183
4184     /* Allow address range falling entirely within usercopy region. */
4185     if (offset >= cachep->useroffset &&
4186         offset - cachep->useroffset <= cachep->usersize &&
4187         n <= cachep->useroffset - offset + cachep->usersize)
4188         return;
4189
4190     usercopy_abort("SLAB object", cachep->name, to_user, offset, n);
4191 }
4192 #endif /* CONFIG_HARDENED_USERCOPY */
4193
4194 /**
4195  * __ksize -- Uninstrumented ksize.
4196  * @objp: pointer to the object
4197  *
4198  * Unlike ksize(), __ksize() is uninstrumented, and does not provide the same
4199  * safety checks as ksize() with KASAN instrumentation enabled.
4200  *
4201  * Return: size of the actual memory used by @objp in bytes
4202  */
4203 size_t __ksize(const void *objp)
4204 {
4205     struct kmem_cache *c;
4206     size_t size;
4207
4208     BUG_ON(!objp);
4209     if (unlikely(objp == ZERO_SIZE_PTR))
4210         return 0;
4211
4212     c = virt_to_cache(objp);
4213     size = c ? c->object_size : 0;
4214
4215     return size;
4216 }
4217 EXPORT_SYMBOL(__ksize);