slab: Fix using this_cpu_ptr() in preemptible context

ranxiaokai · tehcaster · commit 83d59d81b20c · 2025-10-06T11:16:51.000+02:00
defer_free() maybe called in preemptible context, this will trigger the below warning message: BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1 caller is defer_free+0x1b/0x60 Call Trace: <TASK> dump_stack_lvl+0xac/0xc0 check_preemption_disabled+0xbe/0xe0 defer_free+0x1b/0x60 kfree_nolock+0x1eb/0x2b0 alloc_slab_obj_exts+0x356/0x390 __alloc_tagging_slab_alloc_hook+0xa0/0x300 __kmalloc_cache_noprof+0x1c4/0x5c0 __set_page_owner+0x10d/0x1c0 post_alloc_hook+0x84/0xf0 get_page_from_freelist+0x73b/0x1380 __alloc_frozen_pages_noprof+0x110/0x2c0 alloc_pages_mpol+0x44/0x140 alloc_slab_page+0xac/0x150 allocate_slab+0x78/0x3a0 ___slab_alloc+0x76b/0xed0 __slab_alloc.constprop.0+0x5a/0xb0 __kmalloc_noprof+0x3dc/0x6d0 __list_lru_init+0x6c/0x210 alloc_super+0x3b6/0x470 sget_fc+0x5f/0x3a0 get_tree_nodev+0x27/0x90 vfs_get_tree+0x26/0xc0 vfs_kern_mount.part.0+0xb6/0x140 kern_mount+0x24/0x40 init_pipe_fs+0x4f/0x70 do_one_initcall+0x62/0x2e0 kernel_init_freeable+0x25b/0x4b0 kernel_init+0x1a/0x1c0 ret_from_fork+0x290/0x2e0 ret_from_fork_asm+0x11/0x20 </TASK> Disable preemption in defer_free() and also defer_deactivate_slab() to make it safe. [vbabka@suse.cz: disable preemption instead of using raw_cpu_ptr() per the discussion ] Fixes: af92793 ("slab: Introduce kmalloc_nolock() and kfree_nolock().") Signed-off-by: Ran Xiaokai <ran.xiaokai@zte.com.cn> Link: https://lore.kernel.org/r/20250930083402.782927-1-ranxiaokai627@163.com Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
diff --git a/mm/slub.c b/mm/slub.c
@@ -6432,17 +6432,24 @@ static void free_deferred_objects(struct irq_work *work)
 
 static void defer_free(struct kmem_cache *s, void *head)
 {
-	struct defer_free *df = this_cpu_ptr(&defer_free_objects);
+	struct defer_free *df;
 
+	guard(preempt)();
+
+	df = this_cpu_ptr(&defer_free_objects);
 	if (llist_add(head + s->offset, &df->objects))
 		irq_work_queue(&df->work);
 }
 
 static void defer_deactivate_slab(struct slab *slab, void *flush_freelist)
 {
-	struct defer_free *df = this_cpu_ptr(&defer_free_objects);
+	struct defer_free *df;
 
 	slab->flush_freelist = flush_freelist;
+
+	guard(preempt)();
+
+	df = this_cpu_ptr(&defer_free_objects);
 	if (llist_add(&slab->llnode, &df->slabs))
 		irq_work_queue(&df->work);
 }

Original file line number	Diff line number	Diff line change
`@@ -6432,17 +6432,24 @@ static void free_deferred_objects(struct irq_work *work)`
`6432`	`6432`
`6433`	`6433`	`static void defer_free(struct kmem_cache s, void head)`
`6434`	`6434`	`{`
`6435`		`- struct defer_free *df = this_cpu_ptr(&defer_free_objects);`
	`6435`	`+ struct defer_free *df;`
`6436`	`6436`
	`6437`	`+ guard(preempt)();`
	`6438`	`+`
	`6439`	`+ df = this_cpu_ptr(&defer_free_objects);`
`6437`	`6440`	`if (llist_add(head + s->offset, &df->objects))`
`6438`	`6441`	`irq_work_queue(&df->work);`
`6439`	`6442`	`}`
`6440`	`6443`
`6441`	`6444`	`static void defer_deactivate_slab(struct slab slab, void flush_freelist)`
`6442`	`6445`	`{`
`6443`		`- struct defer_free *df = this_cpu_ptr(&defer_free_objects);`
	`6446`	`+ struct defer_free *df;`
`6444`	`6447`
`6445`	`6448`	`slab->flush_freelist = flush_freelist;`
	`6449`	`+`
	`6450`	`+ guard(preempt)();`
	`6451`	`+`
	`6452`	`+ df = this_cpu_ptr(&defer_free_objects);`
`6446`	`6453`	`if (llist_add(&slab->llnode, &df->slabs))`
`6447`	`6454`	`irq_work_queue(&df->work);`
`6448`	`6455`	`}`