1Short users guide for SLUB 2-------------------------- 3 4The basic philosophy of SLUB is very different from SLAB. SLAB 5requires rebuilding the kernel to activate debug options for all 6slab caches. SLUB always includes full debugging but it is off by default. 7SLUB can enable debugging only for selected slabs in order to avoid 8an impact on overall system performance which may make a bug more 9difficult to find. 10 11In order to switch debugging on one can add a option "slub_debug" 12to the kernel command line. That will enable full debugging for 13all slabs. 14 15Typically one would then use the "slabinfo" command to get statistical 16data and perform operation on the slabs. By default slabinfo only lists 17slabs that have data in them. See "slabinfo -h" for more options when 18running the command. slabinfo can be compiled with 19 20gcc -o slabinfo tools/slub/slabinfo.c 21 22Some of the modes of operation of slabinfo require that slub debugging 23be enabled on the command line. F.e. no tracking information will be 24available without debugging on and validation can only partially 25be performed if debugging was not switched on. 26 27Some more sophisticated uses of slub_debug: 28------------------------------------------- 29 30Parameters may be given to slub_debug. If none is specified then full 31debugging is enabled. Format: 32 33slub_debug=<Debug-Options> Enable options for all slabs 34slub_debug=<Debug-Options>,<slab name> 35 Enable options only for select slabs 36 37Possible debug options are 38 F Sanity checks on (enables SLAB_DEBUG_FREE. Sorry 39 SLAB legacy issues) 40 Z Red zoning 41 P Poisoning (object and padding) 42 U User tracking (free and alloc) 43 T Trace (please only use on single slabs) 44 A Toggle failslab filter mark for the cache 45 O Switch debugging off for caches that would have 46 caused higher minimum slab orders 47 - Switch all debugging off (useful if the kernel is 48 configured with CONFIG_SLUB_DEBUG_ON) 49 50F.e. in order to boot just with sanity checks and red zoning one would specify: 51 52 slub_debug=FZ 53 54Trying to find an issue in the dentry cache? Try 55 56 slub_debug=,dentry 57 58to only enable debugging on the dentry cache. 59 60Red zoning and tracking may realign the slab. We can just apply sanity checks 61to the dentry cache with 62 63 slub_debug=F,dentry 64 65Debugging options may require the minimum possible slab order to increase as 66a result of storing the metadata (for example, caches with PAGE_SIZE object 67sizes). This has a higher liklihood of resulting in slab allocation errors 68in low memory situations or if there's high fragmentation of memory. To 69switch off debugging for such caches by default, use 70 71 slub_debug=O 72 73In case you forgot to enable debugging on the kernel command line: It is 74possible to enable debugging manually when the kernel is up. Look at the 75contents of: 76 77/sys/kernel/slab/<slab name>/ 78 79Look at the writable files. Writing 1 to them will enable the 80corresponding debug option. All options can be set on a slab that does 81not contain objects. If the slab already contains objects then sanity checks 82and tracing may only be enabled. The other options may cause the realignment 83of objects. 84 85Careful with tracing: It may spew out lots of information and never stop if 86used on the wrong slab. 87 88Slab merging 89------------ 90 91If no debug options are specified then SLUB may merge similar slabs together 92in order to reduce overhead and increase cache hotness of objects. 93slabinfo -a displays which slabs were merged together. 94 95Slab validation 96--------------- 97 98SLUB can validate all object if the kernel was booted with slub_debug. In 99order to do so you must have the slabinfo tool. Then you can do 100 101slabinfo -v 102 103which will test all objects. Output will be generated to the syslog. 104 105This also works in a more limited way if boot was without slab debug. 106In that case slabinfo -v simply tests all reachable objects. Usually 107these are in the cpu slabs and the partial slabs. Full slabs are not 108tracked by SLUB in a non debug situation. 109 110Getting more performance 111------------------------ 112 113To some degree SLUB's performance is limited by the need to take the 114list_lock once in a while to deal with partial slabs. That overhead is 115governed by the order of the allocation for each slab. The allocations 116can be influenced by kernel parameters: 117 118slub_min_objects=x (default 4) 119slub_min_order=x (default 0) 120slub_max_order=x (default 3 (PAGE_ALLOC_COSTLY_ORDER)) 121 122slub_min_objects allows to specify how many objects must at least fit 123into one slab in order for the allocation order to be acceptable. 124In general slub will be able to perform this number of allocations 125on a slab without consulting centralized resources (list_lock) where 126contention may occur. 127 128slub_min_order specifies a minim order of slabs. A similar effect like 129slub_min_objects. 130 131slub_max_order specified the order at which slub_min_objects should no 132longer be checked. This is useful to avoid SLUB trying to generate 133super large order pages to fit slub_min_objects of a slab cache with 134large object sizes into one high order page. Setting command line 135parameter debug_guardpage_minorder=N (N > 0), forces setting 136slub_max_order to 0, what cause minimum possible order of slabs 137allocation. 138 139SLUB Debug output 140----------------- 141 142Here is a sample of slub debug output: 143 144==================================================================== 145BUG kmalloc-8: Redzone overwritten 146-------------------------------------------------------------------- 147 148INFO: 0xc90f6d28-0xc90f6d2b. First byte 0x00 instead of 0xcc 149INFO: Slab 0xc528c530 flags=0x400000c3 inuse=61 fp=0xc90f6d58 150INFO: Object 0xc90f6d20 @offset=3360 fp=0xc90f6d58 151INFO: Allocated in get_modalias+0x61/0xf5 age=53 cpu=1 pid=554 152 153Bytes b4 0xc90f6d10: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ 154 Object 0xc90f6d20: 31 30 31 39 2e 30 30 35 1019.005 155 Redzone 0xc90f6d28: 00 cc cc cc . 156 Padding 0xc90f6d50: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ 157 158 [<c010523d>] dump_trace+0x63/0x1eb 159 [<c01053df>] show_trace_log_lvl+0x1a/0x2f 160 [<c010601d>] show_trace+0x12/0x14 161 [<c0106035>] dump_stack+0x16/0x18 162 [<c017e0fa>] object_err+0x143/0x14b 163 [<c017e2cc>] check_object+0x66/0x234 164 [<c017eb43>] __slab_free+0x239/0x384 165 [<c017f446>] kfree+0xa6/0xc6 166 [<c02e2335>] get_modalias+0xb9/0xf5 167 [<c02e23b7>] dmi_dev_uevent+0x27/0x3c 168 [<c027866a>] dev_uevent+0x1ad/0x1da 169 [<c0205024>] kobject_uevent_env+0x20a/0x45b 170 [<c020527f>] kobject_uevent+0xa/0xf 171 [<c02779f1>] store_uevent+0x4f/0x58 172 [<c027758e>] dev_attr_store+0x29/0x2f 173 [<c01bec4f>] sysfs_write_file+0x16e/0x19c 174 [<c0183ba7>] vfs_write+0xd1/0x15a 175 [<c01841d7>] sys_write+0x3d/0x72 176 [<c0104112>] sysenter_past_esp+0x5f/0x99 177 [<b7f7b410>] 0xb7f7b410 178 ======================= 179 180FIX kmalloc-8: Restoring Redzone 0xc90f6d28-0xc90f6d2b=0xcc 181 182If SLUB encounters a corrupted object (full detection requires the kernel 183to be booted with slub_debug) then the following output will be dumped 184into the syslog: 185 1861. Description of the problem encountered 187 188This will be a message in the system log starting with 189 190=============================================== 191BUG <slab cache affected>: <What went wrong> 192----------------------------------------------- 193 194INFO: <corruption start>-<corruption_end> <more info> 195INFO: Slab <address> <slab information> 196INFO: Object <address> <object information> 197INFO: Allocated in <kernel function> age=<jiffies since alloc> cpu=<allocated by 198 cpu> pid=<pid of the process> 199INFO: Freed in <kernel function> age=<jiffies since free> cpu=<freed by cpu> 200 pid=<pid of the process> 201 202(Object allocation / free information is only available if SLAB_STORE_USER is 203set for the slab. slub_debug sets that option) 204 2052. The object contents if an object was involved. 206 207Various types of lines can follow the BUG SLUB line: 208 209Bytes b4 <address> : <bytes> 210 Shows a few bytes before the object where the problem was detected. 211 Can be useful if the corruption does not stop with the start of the 212 object. 213 214Object <address> : <bytes> 215 The bytes of the object. If the object is inactive then the bytes 216 typically contain poison values. Any non-poison value shows a 217 corruption by a write after free. 218 219Redzone <address> : <bytes> 220 The Redzone following the object. The Redzone is used to detect 221 writes after the object. All bytes should always have the same 222 value. If there is any deviation then it is due to a write after 223 the object boundary. 224 225 (Redzone information is only available if SLAB_RED_ZONE is set. 226 slub_debug sets that option) 227 228Padding <address> : <bytes> 229 Unused data to fill up the space in order to get the next object 230 properly aligned. In the debug case we make sure that there are 231 at least 4 bytes of padding. This allows the detection of writes 232 before the object. 233 2343. A stackdump 235 236The stackdump describes the location where the error was detected. The cause 237of the corruption is may be more likely found by looking at the function that 238allocated or freed the object. 239 2404. Report on how the problem was dealt with in order to ensure the continued 241operation of the system. 242 243These are messages in the system log beginning with 244 245FIX <slab cache affected>: <corrective action taken> 246 247In the above sample SLUB found that the Redzone of an active object has 248been overwritten. Here a string of 8 characters was written into a slab that 249has the length of 8 characters. However, a 8 character string needs a 250terminating 0. That zero has overwritten the first byte of the Redzone field. 251After reporting the details of the issue encountered the FIX SLUB message 252tells us that SLUB has restored the Redzone to its proper value and then 253system operations continue. 254 255Emergency operations: 256--------------------- 257 258Minimal debugging (sanity checks alone) can be enabled by booting with 259 260 slub_debug=F 261 262This will be generally be enough to enable the resiliency features of slub 263which will keep the system running even if a bad kernel component will 264keep corrupting objects. This may be important for production systems. 265Performance will be impacted by the sanity checks and there will be a 266continual stream of error messages to the syslog but no additional memory 267will be used (unlike full debugging). 268 269No guarantees. The kernel component still needs to be fixed. Performance 270may be optimized further by locating the slab that experiences corruption 271and enabling debugging only for that cache 272 273I.e. 274 275 slub_debug=F,dentry 276 277If the corruption occurs by writing after the end of the object then it 278may be advisable to enable a Redzone to avoid corrupting the beginning 279of other objects. 280 281 slub_debug=FZ,dentry 282 283Christoph Lameter, May 30, 2007 284