Re: [PATCH for-next v3 5/9] mm/slab: extend deferred free mechanism to handle rcu sheaves

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [High] Acquiring local_trylock inside __kfree_rcu_sheaf() violates lock nesting rules on PREEMPT_RT, triggering a lockdep "Invalid wait context" warning.

Pre-existing issues:
- [High] Concurrent lockless calls to deferred_work_barrier() cause an rcuwait race on PREEMPT_RT, leading to permanent task hangs.
--

commit b0c903d6396ede7c44ac45135ec7adc7d173391f
Author: Harry Yoo (Oracle) <harry@kernel.org>
Subject: mm/slab: extend deferred free mechanism to handle rcu sheaves

This patch extends the deferred free fallback mechanism so that a full RCU
sheaf can be submitted to call_rcu() via the existing IRQ work when spinning
is not allowed and IRQs are disabled. It also renames the defer_free structs
to deferred_percpu_work and adds deferred_work_barrier() calls to keep the
kvfree_rcu barrier's promise.

> diff --git a/mm/slub.c b/mm/slub.c
> index 6a3552b70683d..ba593c1c53d50 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
[ ... ]
> @@ -6158,12 +6175,6 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj, bool allow_spin)
>  	if (likely(rcu_sheaf->size < s->sheaf_capacity)) {
>  		rcu_sheaf = NULL;
>  	} else {

[Severity: High]
Does acquiring local_trylock inside __kfree_rcu_sheaf() violate lock nesting
rules on PREEMPT_RT?

The kvfree_call_rcu() API is frequently invoked from hardirq context or while
holding a raw_spinlock_t.  This function attempts to acquire a local_trylock:

    if (!local_trylock(&s->cpu_sheaves->lock))

On PREEMPT_RT kernels, local_trylock_t maps to a sleepable spinlock_t.
Attempting to acquire a sleepable lock (even via a trylock operation) while in
a raw_spinlock or hardirq context violates the lock nesting rules.
CONFIG_PROVE_RAW_LOCK_NESTING will catch this and trigger a lockdep warning
for an invalid wait context.

> -		/* call_rcu() disables IRQs to protect percpu data structures */
> -		if (unlikely(!allow_spin && irqs_disabled())) {
> -			rcu_sheaf->size--;
> -			local_unlock(&s->cpu_sheaves->lock);
> -			goto fail;
> -		}
>  		pcs->rcu_free = NULL;
>  		rcu_sheaf->node = numa_node_id();
>  	}
[ ... ]
> @@ -6408,27 +6418,34 @@ static void free_deferred_objects(struct irq_work *work)
[ ... ]
>  static void defer_free(struct kmem_cache *s, void *head)
>  {
> -	struct defer_free *df;
> +	struct deferred_percpu_work *dpw;
>  
>  	guard(preempt)();
>  
>  	head = kasan_reset_tag(head);
>  
> -	df = this_cpu_ptr(&defer_free_objects);
> -	if (llist_add(head + s->offset, &df->objects))
> -		irq_work_queue(&df->work);
> +	dpw = this_cpu_ptr(&deferred_percpu_work);
> +	if (llist_add(head + s->offset, &dpw->objects))
> +		irq_work_queue(&dpw->work);
>  }
>  
> -void defer_free_barrier(void)
> +void deferred_work_barrier(void)
>  {
>  	int cpu;
>  
>  	for_each_possible_cpu(cpu)
> -		irq_work_sync(&per_cpu_ptr(&defer_free_objects, cpu)->work);

[Severity: High]
This is a pre-existing issue, but can concurrent lockless calls to
deferred_work_barrier() cause an rcuwait race on PREEMPT_RT, leading to
permanent task hangs?

The function iterates over all CPUs, invoking irq_work_sync() on each CPU's
deferred work object. On PREEMPT_RT, irq_work_sync() relies on
rcuwait_wait_event() to block until completion, and the rcuwait
synchronization primitive strictly allows only one waiter at a time.

Because deferred_work_barrier() is called without any global serialization
(for instance, in kmem_cache_destroy() and kvfree_rcu_barrier_on_cache(),
and now in flush_all_rcu_sheaves()), multiple threads can enter
irq_work_sync() for the same work object concurrently.

This overwrites the waiter task pointer, meaning only one task will be woken
up when the work completes, leaving the other tasks hanging permanently in an
uninterruptible sleep.

> +		irq_work_sync(&per_cpu_ptr(&deferred_percpu_work, cpu)->work);
>  }
>  
>  static __fastpath_inline

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260615-kfree_rcu_nolock-v3-0-70a54f3775bb@kernel.org?part=5