1Short users guide for SLUB 2-------------------------- 3 4The basic philosophy of SLUB is very different from SLAB. SLAB 5requires rebuilding the kernel to activate debug options for all 6slab caches. SLUB always includes full debugging but it is off by default. 7SLUB can enable debugging only for selected slabs in order to avoid 8an impact on overall system performance which may make a bug more 9difficult to find. 10 11In order to switch debugging on one can add a option "slub_debug" 12to the kernel command line. That will enable full debugging for 13all slabs. 14 15Typically one would then use the "slabinfo" command to get statistical 16data and perform operation on the slabs. By default slabinfo only lists 17slabs that have data in them. See "slabinfo -h" for more options when 18running the command. slabinfo can be compiled with 19 20gcc -o slabinfo Documentation/vm/slabinfo.c 21 22Some of the modes of operation of slabinfo require that slub debugging 23be enabled on the command line. F.e. no tracking information will be 24available without debugging on and validation can only partially 25be performed if debugging was not switched on. 26 27Some more sophisticated uses of slub_debug: 28------------------------------------------- 29 30Parameters may be given to slub_debug. If none is specified then full 31debugging is enabled. Format: 32 33slub_debug=<Debug-Options> Enable options for all slabs 34slub_debug=<Debug-Options>,<slab name> 35 Enable options only for select slabs 36 37Possible debug options are 38 F Sanity checks on (enables SLAB_DEBUG_FREE. Sorry 39 SLAB legacy issues) 40 Z Red zoning 41 P Poisoning (object and padding) 42 U User tracking (free and alloc) 43 T Trace (please only use on single slabs) 44 A Toggle failslab filter mark for the cache 45 O Switch debugging off for caches that would have 46 caused higher minimum slab orders 47 - Switch all debugging off (useful if the kernel is 48 configured with CONFIG_SLUB_DEBUG_ON) 49 50F.e. in order to boot just with sanity checks and red zoning one would specify: 51 52 slub_debug=FZ 53 54Trying to find an issue in the dentry cache? Try 55 56 slub_debug=,dentry 57 58to only enable debugging on the dentry cache. 59 60Red zoning and tracking may realign the slab. We can just apply sanity checks 61to the dentry cache with 62 63 slub_debug=F,dentry 64 65Debugging options may require the minimum possible slab order to increase as 66a result of storing the metadata (for example, caches with PAGE_SIZE object 67sizes). This has a higher liklihood of resulting in slab allocation errors 68in low memory situations or if there's high fragmentation of memory. To 69switch off debugging for such caches by default, use 70 71 slub_debug=O 72 73In case you forgot to enable debugging on the kernel command line: It is 74possible to enable debugging manually when the kernel is up. Look at the 75contents of: 76 77/sys/kernel/slab/<slab name>/ 78 79Look at the writable files. Writing 1 to them will enable the 80corresponding debug option. All options can be set on a slab that does 81not contain objects. If the slab already contains objects then sanity checks 82and tracing may only be enabled. The other options may cause the realignment 83of objects. 84 85Careful with tracing: It may spew out lots of information and never stop if 86used on the wrong slab. 87 88Slab merging 89------------ 90 91If no debug options are specified then SLUB may merge similar slabs together 92in order to reduce overhead and increase cache hotness of objects. 93slabinfo -a displays which slabs were merged together. 94 95Slab validation 96--------------- 97 98SLUB can validate all object if the kernel was booted with slub_debug. In 99order to do so you must have the slabinfo tool. Then you can do 100 101slabinfo -v 102 103which will test all objects. Output will be generated to the syslog. 104 105This also works in a more limited way if boot was without slab debug. 106In that case slabinfo -v simply tests all reachable objects. Usually 107these are in the cpu slabs and the partial slabs. Full slabs are not 108tracked by SLUB in a non debug situation. 109 110Getting more performance 111------------------------ 112 113To some degree SLUB's performance is limited by the need to take the 114list_lock once in a while to deal with partial slabs. That overhead is 115governed by the order of the allocation for each slab. The allocations 116can be influenced by kernel parameters: 117 118slub_min_objects=x (default 4) 119slub_min_order=x (default 0) 120slub_max_order=x (default 1) 121 122slub_min_objects allows to specify how many objects must at least fit 123into one slab in order for the allocation order to be acceptable. 124In general slub will be able to perform this number of allocations 125on a slab without consulting centralized resources (list_lock) where 126contention may occur. 127 128slub_min_order specifies a minim order of slabs. A similar effect like 129slub_min_objects. 130 131slub_max_order specified the order at which slub_min_objects should no 132longer be checked. This is useful to avoid SLUB trying to generate 133super large order pages to fit slub_min_objects of a slab cache with 134large object sizes into one high order page. 135 136SLUB Debug output 137----------------- 138 139Here is a sample of slub debug output: 140 141==================================================================== 142BUG kmalloc-8: Redzone overwritten 143-------------------------------------------------------------------- 144 145INFO: 0xc90f6d28-0xc90f6d2b. First byte 0x00 instead of 0xcc 146INFO: Slab 0xc528c530 flags=0x400000c3 inuse=61 fp=0xc90f6d58 147INFO: Object 0xc90f6d20 @offset=3360 fp=0xc90f6d58 148INFO: Allocated in get_modalias+0x61/0xf5 age=53 cpu=1 pid=554 149 150Bytes b4 0xc90f6d10: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ 151 Object 0xc90f6d20: 31 30 31 39 2e 30 30 35 1019.005 152 Redzone 0xc90f6d28: 00 cc cc cc . 153 Padding 0xc90f6d50: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ 154 155 [<c010523d>] dump_trace+0x63/0x1eb 156 [<c01053df>] show_trace_log_lvl+0x1a/0x2f 157 [<c010601d>] show_trace+0x12/0x14 158 [<c0106035>] dump_stack+0x16/0x18 159 [<c017e0fa>] object_err+0x143/0x14b 160 [<c017e2cc>] check_object+0x66/0x234 161 [<c017eb43>] __slab_free+0x239/0x384 162 [<c017f446>] kfree+0xa6/0xc6 163 [<c02e2335>] get_modalias+0xb9/0xf5 164 [<c02e23b7>] dmi_dev_uevent+0x27/0x3c 165 [<c027866a>] dev_uevent+0x1ad/0x1da 166 [<c0205024>] kobject_uevent_env+0x20a/0x45b 167 [<c020527f>] kobject_uevent+0xa/0xf 168 [<c02779f1>] store_uevent+0x4f/0x58 169 [<c027758e>] dev_attr_store+0x29/0x2f 170 [<c01bec4f>] sysfs_write_file+0x16e/0x19c 171 [<c0183ba7>] vfs_write+0xd1/0x15a 172 [<c01841d7>] sys_write+0x3d/0x72 173 [<c0104112>] sysenter_past_esp+0x5f/0x99 174 [<b7f7b410>] 0xb7f7b410 175 ======================= 176 177FIX kmalloc-8: Restoring Redzone 0xc90f6d28-0xc90f6d2b=0xcc 178 179If SLUB encounters a corrupted object (full detection requires the kernel 180to be booted with slub_debug) then the following output will be dumped 181into the syslog: 182 1831. Description of the problem encountered 184 185This will be a message in the system log starting with 186 187=============================================== 188BUG <slab cache affected>: <What went wrong> 189----------------------------------------------- 190 191INFO: <corruption start>-<corruption_end> <more info> 192INFO: Slab <address> <slab information> 193INFO: Object <address> <object information> 194INFO: Allocated in <kernel function> age=<jiffies since alloc> cpu=<allocated by 195 cpu> pid=<pid of the process> 196INFO: Freed in <kernel function> age=<jiffies since free> cpu=<freed by cpu> 197 pid=<pid of the process> 198 199(Object allocation / free information is only available if SLAB_STORE_USER is 200set for the slab. slub_debug sets that option) 201 2022. The object contents if an object was involved. 203 204Various types of lines can follow the BUG SLUB line: 205 206Bytes b4 <address> : <bytes> 207 Shows a few bytes before the object where the problem was detected. 208 Can be useful if the corruption does not stop with the start of the 209 object. 210 211Object <address> : <bytes> 212 The bytes of the object. If the object is inactive then the bytes 213 typically contain poison values. Any non-poison value shows a 214 corruption by a write after free. 215 216Redzone <address> : <bytes> 217 The Redzone following the object. The Redzone is used to detect 218 writes after the object. All bytes should always have the same 219 value. If there is any deviation then it is due to a write after 220 the object boundary. 221 222 (Redzone information is only available if SLAB_RED_ZONE is set. 223 slub_debug sets that option) 224 225Padding <address> : <bytes> 226 Unused data to fill up the space in order to get the next object 227 properly aligned. In the debug case we make sure that there are 228 at least 4 bytes of padding. This allows the detection of writes 229 before the object. 230 2313. A stackdump 232 233The stackdump describes the location where the error was detected. The cause 234of the corruption is may be more likely found by looking at the function that 235allocated or freed the object. 236 2374. Report on how the problem was dealt with in order to ensure the continued 238operation of the system. 239 240These are messages in the system log beginning with 241 242FIX <slab cache affected>: <corrective action taken> 243 244In the above sample SLUB found that the Redzone of an active object has 245been overwritten. Here a string of 8 characters was written into a slab that 246has the length of 8 characters. However, a 8 character string needs a 247terminating 0. That zero has overwritten the first byte of the Redzone field. 248After reporting the details of the issue encountered the FIX SLUB message 249tells us that SLUB has restored the Redzone to its proper value and then 250system operations continue. 251 252Emergency operations: 253--------------------- 254 255Minimal debugging (sanity checks alone) can be enabled by booting with 256 257 slub_debug=F 258 259This will be generally be enough to enable the resiliency features of slub 260which will keep the system running even if a bad kernel component will 261keep corrupting objects. This may be important for production systems. 262Performance will be impacted by the sanity checks and there will be a 263continual stream of error messages to the syslog but no additional memory 264will be used (unlike full debugging). 265 266No guarantees. The kernel component still needs to be fixed. Performance 267may be optimized further by locating the slab that experiences corruption 268and enabling debugging only for that cache 269 270I.e. 271 272 slub_debug=F,dentry 273 274If the corruption occurs by writing after the end of the object then it 275may be advisable to enable a Redzone to avoid corrupting the beginning 276of other objects. 277 278 slub_debug=FZ,dentry 279 280Christoph Lameter, May 30, 2007 281