From nobody Sun Feb 8 13:08:55 2026 Received: from out-171.mta0.migadu.com (out-171.mta0.migadu.com [91.218.175.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B0AC22FFF8B for ; Tue, 3 Feb 2026 07:31:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770103875; cv=none; b=FlzBCp3t6tg0WinNYvhswGulj7evXZP1gCdTlrwTP/kBc0d4nQE/JsJx0RGLM9pF9Xf8qh+r9xiR4Im8iXd4ZFiA994NSTMIqDjrF17az3GSb1q3ZP7RZFCF4JRJLQfxs5SZKdsJXblYduu0eZKjauRDWFd8DjdQHx4/7mwNtlE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770103875; c=relaxed/simple; bh=BZg4673erfcttUS2a+UHDjL+5SibJRAh7QQjb/S3Tls=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=UwaYHKXwQBLOF9jMAZt8agajbdLuJ0ZKSqPpLVbbW2WflYi+NEJwoZDF+NKN9dCRAqs5mDpPHVOuEsQ8mS/V+uPFmPKcSRbZjw8waXZUwrG8nfrBgaxEAObuCcNcGsQ/qOYR1ON3y+6D7o1WFT2c63VDQ26udDasZX81bgE2lGw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=ePlgGes+; arc=none smtp.client-ip=91.218.175.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="ePlgGes+" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1770103867; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=dlNLgFWBIF4EB9/p/k8at4vL0T3zQ15KzGeAj0aiQj8=; b=ePlgGes+KgT1A6EzhO6gbVgdLyoTFjz4CIFLx1CC3lXfvsbMckC288SfC3t+hpa8zf0KBw gp3izTms3bmyJBHrbA0xTe3nZlHpvzexw9InlzA11qal7XdGrVpxWvbMMkcp1ZN36QM/Yo f2wy6Ku08oZso2ofP//CVsaCVSx4JWo= From: Hao Ge To: Vlastimil Babka , Suren Baghdasaryan , Andrew Morton , Christoph Lameter , David Rientjes , Roman Gushchin , Harry Yoo Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Hao Ge Subject: [PATCH] codetag: Avoid codetag race between same slab object alloc and free Date: Tue, 3 Feb 2026 15:30:06 +0800 Message-Id: <20260203073006.151710-1-hao.ge@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" When CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning may be noticed: [ 3959.023862] ------------[ cut here ]------------ [ 3959.023891] alloc_tag was not cleared (got tag for lib/xarray.c:378) [ 3959.023947] WARNING: ./include/linux/alloc_tag.h:155 at alloc_tag_add+0x= 128/0x178, CPU#6: mkfs.ntfs/113998 [ 3959.023978] Modules linked in: dns_resolver tun brd overlay exfat btrfs = blake2b libblake2b xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunne= l ext4 crc16 mbcache jbd2 rfkill sunrpc vfat fat sg fuse nfnetlink sr_mod v= irtio_gpu cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_help= er ghash_ce drm sm4 backlight virtio_net net_failover virtio_scsi failover = virtio_console virtio_blk virtio_mmio dm_mirror dm_region_hash dm_log dm_mu= ltipath dm_mod i2c_dev aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inje= ct] [ 3959.024170] CPU: 6 UID: 0 PID: 113998 Comm: mkfs.ntfs Kdump: loaded Tain= ted: G W 6.19.0-rc7+ #7 PREEMPT(voluntary) [ 3959.024182] Tainted: [W]=3DWARN [ 3959.024186] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/20= 22 [ 3959.024192] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE= =3D--) [ 3959.024199] pc : alloc_tag_add+0x128/0x178 [ 3959.024207] lr : alloc_tag_add+0x128/0x178 [ 3959.024214] sp : ffff80008b696d60 [ 3959.024219] x29: ffff80008b696d60 x28: 0000000000000000 x27: 00000000000= 00240 [ 3959.024232] x26: 0000000000000000 x25: 0000000000000240 x24: ffff800085d= 17860 [ 3959.024245] x23: 0000000000402800 x22: ffff0000c0012dc0 x21: 00000000000= 002d0 [ 3959.024257] x20: ffff0000e6ef3318 x19: ffff800085ae0410 x18: 00000000000= 00000 [ 3959.024269] x17: 0000000000000000 x16: 0000000000000000 x15: 00000000000= 00000 [ 3959.024281] x14: 0000000000000000 x13: 0000000000000001 x12: ffff6000641= 01293 [ 3959.024292] x11: 1fffe00064101292 x10: ffff600064101292 x9 : dfff8000000= 00000 [ 3959.024305] x8 : 00009fff9befed6e x7 : ffff000320809493 x6 : 00000000000= 00001 [ 3959.024316] x5 : ffff000320809490 x4 : ffff600064101293 x3 : ffff8000806= 91838 [ 3959.024328] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000d5b= cd640 [ 3959.024340] Call trace: [ 3959.024346] alloc_tag_add+0x128/0x178 (P) [ 3959.024355] __alloc_tagging_slab_alloc_hook+0x11c/0x1a8 [ 3959.024362] kmem_cache_alloc_lru_noprof+0x1b8/0x5e8 [ 3959.024369] xas_alloc+0x304/0x4f0 [ 3959.024381] xas_create+0x1e0/0x4a0 [ 3959.024388] xas_store+0x68/0xda8 [ 3959.024395] __filemap_add_folio+0x5b0/0xbd8 [ 3959.024409] filemap_add_folio+0x16c/0x7e0 [ 3959.024416] __filemap_get_folio_mpol+0x2dc/0x9e8 [ 3959.024424] iomap_get_folio+0xfc/0x180 [ 3959.024435] __iomap_get_folio+0x2f8/0x4b8 [ 3959.024441] iomap_write_begin+0x198/0xc18 [ 3959.024448] iomap_write_iter+0x2ec/0x8f8 [ 3959.024454] iomap_file_buffered_write+0x19c/0x290 [ 3959.024461] blkdev_write_iter+0x38c/0x978 [ 3959.024470] vfs_write+0x4d4/0x928 [ 3959.024482] ksys_write+0xfc/0x1f8 [ 3959.024489] __arm64_sys_write+0x74/0xb0 [ 3959.024496] invoke_syscall+0xd4/0x258 [ 3959.024507] el0_svc_common.constprop.0+0xb4/0x240 [ 3959.024514] do_el0_svc+0x48/0x68 [ 3959.024520] el0_svc+0x40/0xf8 [ 3959.024526] el0t_64_sync_handler+0xa0/0xe8 [ 3959.024533] el0t_64_sync+0x1ac/0x1b0 [ 3959.024540] ---[ end trace 0000000000000000 ]--- This is due to a race condition that occurs when two threads concurrently perform allocation and freeing operations on the same slab object. When a process is preparing to allocate a slab object, another process successfully preempts the CPU, and then proceeds to free a slab object. However, before the freeing process can invoke `alloc_tag_sub()`, it is preempted again by the original allocating process. At this point, the allocating process acquires the same slab object, and subsequently triggers a warning when it invokes `alloc_tag_add()`. Signed-off-by: Hao Ge --- Hi Suren I'm not sure if my solution still has any issues, so I'd like to get your suggestions on it. At the very least, my understanding is that READ_ONCE and WRITE_ONCE should be used in pairs. I look forward to your suggestions. Thanks --- mm/slub.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/mm/slub.c b/mm/slub.c index f77b7407c51b..0d84fc917a89 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -2261,8 +2261,13 @@ __alloc_tagging_slab_alloc_hook(struct kmem_cache *s= , void *object, gfp_t flags) * If other users appear then mem_alloc_profiling_enabled() * check should be added before alloc_tag_add(). */ - if (likely(obj_exts)) + if (likely(obj_exts)) { + + while (!READ_ONCE(obj_exts->ref.ct)) + cpu_relax(); + alloc_tag_add(&obj_exts->ref, current->alloc_tag, s->size); + } else alloc_tag_set_inaccurate(current->alloc_tag); } --=20 2.25.1