tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

radix tree test suite: cache recently freed objects

The kmem_cache_alloc implementation simply allocates new memory from
malloc() and calls the ctor, which zeroes out the entire object. This
means it cannot spot bugs where the object isn't properly reinitialised
before being freed.

Add a small (11 objects) cache before freeing objects back to malloc.
This is enough to let us write a test to catch it, although the memory
allocator is now aware of the structure of the radix tree node, since it
chains free objects through ->private_data (like the percpu cache does).

Link: http://lkml.kernel.org/r/1481667692-14500-2-git-send-email-mawilcox@linuxonhyperv.com
Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Matthew Wilcox and committed by
Linus Torvalds bbe9d71f de1af8f6

+41 -12
+41 -7
tools/testing/radix-tree/linux.c
··· 1 1 #include <stdlib.h> 2 2 #include <string.h> 3 3 #include <malloc.h> 4 + #include <pthread.h> 4 5 #include <unistd.h> 5 6 #include <assert.h> 6 7 7 8 #include <linux/mempool.h> 9 + #include <linux/poison.h> 8 10 #include <linux/slab.h> 11 + #include <linux/radix-tree.h> 9 12 #include <urcu/uatomic.h> 10 13 11 14 int nr_allocated; 12 15 int preempt_count; 16 + 17 + struct kmem_cache { 18 + pthread_mutex_t lock; 19 + int size; 20 + int nr_objs; 21 + void *objs; 22 + void (*ctor)(void *); 23 + }; 13 24 14 25 void *mempool_alloc(mempool_t *pool, int gfp_mask) 15 26 { ··· 45 34 46 35 void *kmem_cache_alloc(struct kmem_cache *cachep, int flags) 47 36 { 48 - void *ret; 37 + struct radix_tree_node *node; 49 38 50 39 if (flags & __GFP_NOWARN) 51 40 return NULL; 52 41 53 - ret = malloc(cachep->size); 54 - if (cachep->ctor) 55 - cachep->ctor(ret); 42 + pthread_mutex_lock(&cachep->lock); 43 + if (cachep->nr_objs) { 44 + cachep->nr_objs--; 45 + node = cachep->objs; 46 + cachep->objs = node->private_data; 47 + pthread_mutex_unlock(&cachep->lock); 48 + node->private_data = NULL; 49 + } else { 50 + pthread_mutex_unlock(&cachep->lock); 51 + node = malloc(cachep->size); 52 + if (cachep->ctor) 53 + cachep->ctor(node); 54 + } 55 + 56 56 uatomic_inc(&nr_allocated); 57 - return ret; 57 + return node; 58 58 } 59 59 60 60 void kmem_cache_free(struct kmem_cache *cachep, void *objp) 61 61 { 62 62 assert(objp); 63 63 uatomic_dec(&nr_allocated); 64 - memset(objp, 0, cachep->size); 65 - free(objp); 64 + pthread_mutex_lock(&cachep->lock); 65 + if (cachep->nr_objs > 10) { 66 + memset(objp, POISON_FREE, cachep->size); 67 + free(objp); 68 + } else { 69 + struct radix_tree_node *node = objp; 70 + cachep->nr_objs++; 71 + node->private_data = cachep->objs; 72 + cachep->objs = node; 73 + } 74 + pthread_mutex_unlock(&cachep->lock); 66 75 } 67 76 68 77 void *kmalloc(size_t size, gfp_t gfp) ··· 106 75 { 107 76 struct kmem_cache *ret = malloc(sizeof(*ret)); 108 77 78 + pthread_mutex_init(&ret->lock, NULL); 109 79 ret->size = size; 80 + ret->nr_objs = 0; 81 + ret->objs = NULL; 110 82 ret->ctor = ctor; 111 83 return ret; 112 84 }
-5
tools/testing/radix-tree/linux/slab.h
··· 10 10 void *kmalloc(size_t size, gfp_t); 11 11 void kfree(void *); 12 12 13 - struct kmem_cache { 14 - int size; 15 - void (*ctor)(void *); 16 - }; 17 - 18 13 void *kmem_cache_alloc(struct kmem_cache *cachep, int flags); 19 14 void kmem_cache_free(struct kmem_cache *cachep, void *objp); 20 15