linux-mm-for-4.14.113.patch

From 5c319b949f0a175e798e9ac26a078db1e1bb43e3 Mon Sep 17 00:00:00 2001
From: Dongli Zhang <dongli.zhang0129@gmail.com>
Date: Tue, 11 Feb 2020 14:06:26 -0800
Subject: [PATCH 1/1] linux-mm-for-4.14.113

Signed-off-by: Dongli Zhang <dongli.zhangi0129@gmail.com>
---
 include/linux/memcontrol.h |   14 +
 include/linux/mm.h         |    3 +
 include/linux/mm_types.h   |   34 +
 include/linux/slab.h       |   86 ++
 include/linux/slub_def.h   |   97 ++
 mm/kasan/kasan.c           |    5 +
 mm/slab.h                  |   63 ++
 mm/slab_common.c           |  202 ++++
 mm/slub.c                  | 2078 ++++++++++++++++++++++++++++++++++++
 tools/vm/slabinfo.c        |   10 +
 10 files changed, 2592 insertions(+)

diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
index 69966c46..4df90172 100644
--- a/include/linux/memcontrol.h
+++ b/include/linux/memcontrol.h
@@ -1118,6 +1118,20 @@ void memcg_put_cache_ids(void);
 #define for_each_memcg_cache_index(_idx)	\
 	for ((_idx) = 0; (_idx) < memcg_nr_cache_ids; (_idx)++)
 
+/*
+ * called by:
+ *   - fs/pipe.c|148| <<anon_pipe_buf_steal>> if (memcg_kmem_enabled())
+ *   - mm/list_lru.c|70| <<mem_cgroup_from_kmem>> if (!memcg_kmem_enabled())
+ *   - mm/page_alloc.c|1049| <<free_pages_prepare>> if (memcg_kmem_enabled() && PageKmemcg(page))
+ *   - mm/page_alloc.c|4201| <<__alloc_pages_nodemask>> if (memcg_kmem_enabled() && (gfp_mask & __GFP_ACCOUNT) && page &&
+ *   - mm/slab.h|277| <<memcg_charge_slab>> if (!memcg_kmem_enabled())
+ *   - mm/slab.h|287| <<memcg_uncharge_slab>> if (!memcg_kmem_enabled())
+ *   - mm/slab.h|366| <<cache_from_obj>> if (!memcg_kmem_enabled() &&
+ *   - mm/slab.h|432| <<slab_pre_alloc_hook>> if (memcg_kmem_enabled() &&
+ *   - mm/slab.h|453| <<slab_post_alloc_hook>> if (memcg_kmem_enabled())
+ *   - mm/vmscan.c|468| <<shrink_slab>> if (memcg && (!memcg_kmem_enabled() || !mem_cgroup_online(memcg)))
+ *   - mm/vmscan.c|497| <<shrink_slab>> if (memcg_kmem_enabled() &&
+ */
 static inline bool memcg_kmem_enabled(void)
 {
 	return static_branch_unlikely(&memcg_kmem_enabled_key);
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 58f2263d..31fc7006 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2425,6 +2425,9 @@ extern void __kernel_map_pages(struct page *page, int numpages, int enable);
 
 static inline bool debug_pagealloc_enabled(void)
 {
+	/*
+	 * _debug_pagealloc_enabled定义在page_alloc.c
+	 */
 	return _debug_pagealloc_enabled;
 }
 
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index e41ef532..26adb790 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -92,6 +92,40 @@ struct page {
 
 				unsigned int active;		/* SLAB */
 				struct {			/* SLUB */
+					/*
+					 * 修改page->inuse的地方:
+					 *   - mm/slub.c|692| <<set_page_slub_counters>> page->inuse = tmp.inuse;
+					 *   - mm/slub.c|1509| <<on_freelist>> page->inuse = page->objects;
+					 *   - mm/slub.c|1807| <<alloc_debug_processing>> page->inuse = page->objects;
+					 *   - mm/slub.c|1534| <<on_freelist>> page->inuse = page->objects - nr;
+					 *   - mm/slub.c|2428| <<allocate_slab>> page->inuse = page->objects;
+					 *   - mm/slub.c|4455| <<early_kmem_cache_node_alloc>> page->inuse = 1;
+					 *   - mm/slub.c|2699| <<acquire_slab>> new.inuse = page->objects;
+					 *   - mm/slub.c|3001| <<deactivate_slab>> new.inuse--;
+					 *   - mm/slub.c|3035| <<deactivate_slab>> new.inuse--;
+					 *   - mm/slub.c|3463| <<get_freelist>> new.inuse = page->objects;
+					 *   - mm/slub.c|3877| <<__slab_free>> new.inuse -= cnt;
+					 *
+					 * 使用page->inuse的地方:
+					 *   - mm/slub.c|1072| <<print_page_info>> page, page->objects, page->inuse, page->freelist, page->flags);
+					 *   - mm/slub.c|1468| <<check_slab>> if (page->inuse > page->objects) {
+					 *   - mm/slub.c|1470| <<check_slab>> page->inuse, page->objects);
+					 *   - mm/slub.c|1531| <<on_freelist>> if (page->inuse != page->objects - nr) {
+					 *   - mm/slub.c|1533| <<on_freelist>> page->inuse, page->objects - nr);
+					 *   - mm/slub.c|1589| <<trace>> object, page->inuse,
+					 *   - mm/slub.c|3233| <<put_cpu_partial>> pobjects += page->objects - page->inuse;
+					 *   - mm/slub.c|3332| <<count_free>> return page->objects - page->inuse;
+					 *   - mm/slub.c|4798| <<free_partial>> if (!page->inuse) {
+					 *   - mm/slub.c|5059| <<__kmem_cache_shrink>> int free = page->objects - page->inuse;
+					 *   - mm/slub.c|5468| <<count_inuse>> return page->inuse;
+					 *   - mm/slub.c|5932| <<show_slab_objects>> x = page->inuse;
+					 *   - mm/slub.c|3043| <<deactivate_slab>> if (!new.inuse && n->nr_partial >= s->min_partial)
+					 *   - mm/slub.c|3163| <<unfreeze_partials>> if (unlikely(!new.inuse && n->nr_partial >= s->min_partial)) {
+					 *   - mm/slub.c|3878| <<__slab_free>> if ((!new.inuse || !prior) && !was_frozen) {
+					 *   - mm/slub.c|3930| <<__slab_free>> if (unlikely(!new.inuse && n->nr_partial >= s->min_partial))
+					 *
+					 * struct page结构体中inuse代表已经使用的obj数量
+					 */
 					unsigned inuse:16;
 					unsigned objects:15;
 					unsigned frozen:1;
diff --git a/include/linux/slab.h b/include/linux/slab.h
index ae5ed649..bb5a55ec 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -21,8 +21,38 @@
  * Flags to pass to kmem_cache_create().
  * The ones marked DEBUG are only valid if CONFIG_DEBUG_SLAB is set.
  */
+/*
+ * slub中使用SLAB_CONSISTENCY_CHECKS的例子 (当slub_debug设置了f的时候):
+ *   - mm/slub.c|313| <<DEBUG_DEFAULT_FLAGS>> #define DEBUG_DEFAULT_FLAGS (SLAB_CONSISTENCY_CHECKS | SLAB_RED_ZONE | \
+ *   - mm/slub.c|320| <<SLAB_NO_CMPXCHG>> #define SLAB_NO_CMPXCHG (SLAB_CONSISTENCY_CHECKS | SLAB_STORE_USER | \
+ *   - mm/slub.c|1786| <<alloc_debug_processing>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+ *   - mm/slub.c|1882| <<free_debug_processing>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+ *   - mm/slub.c|1890| <<free_debug_processing>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+ *   - mm/slub.c|1949| <<setup_slub_debug>> slub_debug |= SLAB_CONSISTENCY_CHECKS;
+ *   - mm/slub.c|2381| <<__free_slab>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+ *   - mm/slub.c|5988| <<sanity_checks_show>> return sprintf(buf, "%d\n", !!(s->flags & SLAB_CONSISTENCY_CHECKS));
+ *   - mm/slub.c|5994| <<sanity_checks_store>> s->flags &= ~SLAB_CONSISTENCY_CHECKS;
+ *   - mm/slub.c|5997| <<sanity_checks_store>> s->flags |= SLAB_CONSISTENCY_CHECKS;
+ *   - mm/slub.c|6532| <<create_unique_id>> if (s->flags & SLAB_CONSISTENCY_CHECKS)
+ */
 #define SLAB_CONSISTENCY_CHECKS	0x00000100UL	/* DEBUG: Perform (expensive) checks on alloc/free */
 #define SLAB_RED_ZONE		0x00000400UL	/* DEBUG: Red zone objs in a cache */
+/*
+ * slub中使用SLAB_POISON的地方:
+ *   - mm/slab_common.c|86| <<SLAB_NEVER_MERGE>> #define SLAB_NEVER_MERGE (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER | \
+ *   - mm/slub.c|326| <<DEBUG_DEFAULT_FLAGS>> SLAB_POISON | SLAB_STORE_USER)
+ *   - mm/slub.c|350| <<DEBUG_METADATA_FLAGS>> #define DEBUG_METADATA_FLAGS (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER)
+ *   - mm/slub.c|1535| <<slab_pad_check>> if (!(s->flags & SLAB_POISON))
+ *   - mm/slub.c|1616| <<check_object>> if ((s->flags & SLAB_POISON) && s->object_size < s->inuse) {
+ *   - mm/slub.c|1623| <<check_object>> if (s->flags & SLAB_POISON) {
+ *   - mm/slub.c|2277| <<setup_slub_debug>> slub_debug |= SLAB_POISON;
+ *   - mm/slub.c|2733| <<allocate_slab>> if (unlikely(s->flags & SLAB_POISON))
+ *   - mm/slub.c|5263| <<calculate_sizes>> if ((flags & SLAB_POISON) && !(flags & SLAB_TYPESAFE_BY_RCU) &&
+ *   - mm/slub.c|5291| <<calculate_sizes>> if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
+ *   - mm/slub.c|7093| <<poison_show>> return sprintf(buf, "%d\n", !!(s->flags & SLAB_POISON));
+ *   - mm/slub.c|7102| <<poison_store>> s->flags &= ~SLAB_POISON;
+ *   - mm/slub.c|7104| <<poison_store>> s->flags |= SLAB_POISON;
+ */
 #define SLAB_POISON		0x00000800UL	/* DEBUG: Poison objects */
 #define SLAB_HWCACHE_ALIGN	0x00002000UL	/* Align objs on cache lines */
 #define SLAB_CACHE_DMA		0x00004000UL	/* Use GFP_DMA memory */
@@ -65,8 +95,55 @@
  *
  * Note that SLAB_TYPESAFE_BY_RCU was originally named SLAB_DESTROY_BY_RCU.
  */
+/*
+ * 在以下使用SLAB_TYPESAFE_BY_RCU:
+ *   - net/dccp/ipv4.c|961| <<global>> .slab_flags = SLAB_TYPESAFE_BY_RCU,
+ *   - net/dccp/ipv6.c|1048| <<global>> .slab_flags = SLAB_TYPESAFE_BY_RCU,
+ *   - net/ipv4/tcp_ipv4.c|2429| <<global>> .slab_flags = SLAB_TYPESAFE_BY_RCU,
+ *   - net/ipv6/tcp_ipv6.c|1947| <<global>> .slab_flags = SLAB_TYPESAFE_BY_RCU,
+ *   - net/llc/af_llc.c|145| <<global>> .slab_flags = SLAB_TYPESAFE_BY_RCU,
+ *   - net/smc/af_smc.c|104| <<global>> .slab_flags = SLAB_TYPESAFE_BY_RCU,
+ *   - drivers/gpu/drm/i915/i915_gem.c|4913| <<i915_gem_load_init>> SLAB_TYPESAFE_BY_RCU);
+ *   - drivers/gpu/drm/i915/selftests/mock_gem_device.c|203| <<mock_gem_device>> SLAB_TYPESAFE_BY_RCU);
+ *   - drivers/staging/lustre/lustre/ldlm/ldlm_lockd.c|1118| <<ldlm_init>> SLAB_TYPESAFE_BY_RCU, NULL);
+ *   - fs/jbd2/journal.c|2384| <<jbd2_journal_init_journal_head_cache>> SLAB_TEMPORARY | SLAB_TYPESAFE_BY_RCU,
+ *   - fs/kernfs/mount.c|418| <<kernfs_init>> SLAB_PANIC | SLAB_TYPESAFE_BY_RCU,
+ *   - kernel/fork.c|2220| <<proc_caches_init>> SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_TYPESAFE_BY_RCU|
+ *   - mm/kasan/kasan.c|350| <<kasan_cache_create>> if (cache->flags & SLAB_TYPESAFE_BY_RCU || cache->ctor ||
+ *   - mm/kasan/kasan.c|503| <<kasan_poison_slab_free>> if (unlikely(cache->flags & SLAB_TYPESAFE_BY_RCU))
+ *   - mm/kasan/kasan.c|514| <<kasan_slab_free>> if (unlikely(cache->flags & SLAB_TYPESAFE_BY_RCU))
+ *   - mm/rmap.c|435| <<anon_vma_init>> 0, SLAB_TYPESAFE_BY_RCU|SLAB_PANIC|SLAB_ACCOUNT,
+ *   - mm/slab.c|1720| <<slab_destroy>> if (unlikely(cachep->flags & SLAB_TYPESAFE_BY_RCU))
+ *   - mm/slab.c|1916| <<set_objfreelist_slab_cache>> if (cachep->ctor || flags & SLAB_TYPESAFE_BY_RCU)
+ *   - mm/slab.c|2022| <<__kmem_cache_create>> if (!(flags & SLAB_TYPESAFE_BY_RCU))
+ *   - mm/slab.h|130| <<SLAB_CORE_FLAGS>> SLAB_TYPESAFE_BY_RCU | SLAB_DEBUG_OBJECTS )
+ *   - mm/slab.h|409| <<slab_ksize>> if (s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER))
+ *   - mm/slab_common.c|87| <<SLAB_NEVER_MERGE>> SLAB_TRACE | SLAB_TYPESAFE_BY_RCU | SLAB_NOLEAKTRACE | \
+ *   - mm/slab_common.c|703| <<shutdown_cache>> if (s->flags & SLAB_TYPESAFE_BY_RCU) {
+ *   - mm/slob.c|529| <<__kmem_cache_create>> if (flags & SLAB_TYPESAFE_BY_RCU) {
+ *   - mm/slob.c|604| <<kmem_cache_free>> if (unlikely(c->flags & SLAB_TYPESAFE_BY_RCU)) {
+ *   - mm/slub.c|2889| <<free_slab>> if (unlikely(s->flags & SLAB_TYPESAFE_BY_RCU)) {
+ *   - mm/slub.c|4670| <<slab_free>> if (s->flags & SLAB_KASAN && !(s->flags & SLAB_TYPESAFE_BY_RCU))
+ *   - mm/slub.c|5263| <<calculate_sizes>> if ((flags & SLAB_POISON) && !(flags & SLAB_TYPESAFE_BY_RCU) &&
+ *   - mm/slub.c|5291| <<calculate_sizes>> if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
+ *   - mm/slub.c|5426| <<kmem_cache_open>> if (need_reserve_slab_rcu && (s->flags & SLAB_TYPESAFE_BY_RCU))
+ *   - mm/slub.c|7006| <<destroy_by_rcu_show>> return sprintf(buf, "%d\n", !!(s->flags & SLAB_TYPESAFE_BY_RCU));
+ *   - net/netfilter/nf_conntrack_core.c|2069| <<nf_conntrack_init_start>> SLAB_TYPESAFE_BY_RCU | SLAB_HWCACHE_ALIGN, NULL);
+ */
 #define SLAB_TYPESAFE_BY_RCU	0x00080000UL	/* Defer freeing slabs to RCU */
 #define SLAB_MEM_SPREAD		0x00100000UL	/* Spread some memory over cpuset */
+/*
+ * 在以下使用SLAB_TRACE:
+ *   - mm/slab.h|136| <<SLAB_DEBUG_FLAGS>> SLAB_TRACE | SLAB_CONSISTENCY_CHECKS)
+ *   - mm/slab.h|160| <<SLAB_FLAGS_PERMITTED>> SLAB_TRACE | \
+ *   - mm/slab_common.c|43| <<SLAB_NEVER_MERGE>> SLAB_TRACE | SLAB_TYPESAFE_BY_RCU | SLAB_NOLEAKTRACE | \
+ *   - mm/slub.c|321| <<SLAB_NO_CMPXCHG>> SLAB_TRACE)
+ *   - mm/slub.c|1481| <<trace>> if (s->flags & SLAB_TRACE) {
+ *   - mm/slub.c|1751| <<setup_slub_debug>> slub_debug |= SLAB_TRACE;
+ *   - mm/slub.c|5795| <<trace_show>> return sprintf(buf, "%d\n", !!(s->flags & SLAB_TRACE));
+ *   - mm/slub.c|5809| <<trace_store>> s->flags &= ~SLAB_TRACE;
+ *   - mm/slub.c|5812| <<trace_store>> s->flags |= SLAB_TRACE;
+ */
 #define SLAB_TRACE		0x00200000UL	/* Trace allocations and frees */
 
 /* Flag to prevent checks on free */
@@ -79,6 +156,15 @@
 #define SLAB_NOLEAKTRACE	0x00800000UL	/* Avoid kmemleak tracing */
 
 #ifdef CONFIG_FAILSLAB
+/*
+ * 在以下使用SLAB_FAILSLAB:
+ *   - mm/failslab.c|29| <<should_failslab>> if (failslab.cache_filter && !(s->flags & SLAB_FAILSLAB))
+ *   - mm/slab_common.c|88| <<SLAB_NEVER_MERGE>> SLAB_FAILSLAB | SLAB_KASAN)
+ *   - mm/slub.c|2286| <<setup_slub_debug>> slub_debug |= SLAB_FAILSLAB;
+ *   - mm/slub.c|7175| <<failslab_show>> return sprintf(buf, "%d\n", !!(s->flags & SLAB_FAILSLAB));
+ *   - mm/slub.c|7184| <<failslab_store>> s->flags &= ~SLAB_FAILSLAB;
+ *   - mm/slub.c|7186| <<failslab_store>> s->flags |= SLAB_FAILSLAB;
+ */
 # define SLAB_FAILSLAB		0x02000000UL	/* Fault injection mark */
 #else
 # define SLAB_FAILSLAB		0x00000000UL
diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
index f8ced87a..1ac4d159 100644
--- a/include/linux/slub_def.h
+++ b/include/linux/slub_def.h
@@ -43,6 +43,14 @@ struct kmem_cache_cpu {
 	unsigned long tid;	/* Globally unique transaction id */
 	struct page *page;	/* The slab from which we are allocating */
 #ifdef CONFIG_SLUB_CPU_PARTIAL
+	/*
+	 * kmem_cache_cpu->partial使用的例子:
+	 *   - include/linux/slub_def.h|54| <<slub_percpu_partial>> #define slub_percpu_partial(c) ((c)->partial)
+	 *   - mm/slub.c|3133| <<unfreeze_partials>> while ((page = c->partial)) {
+	 *   - mm/slub.c|3137| <<unfreeze_partials>> c->partial = page->next;
+	 *   - mm/slub.c|3212| <<put_cpu_partial>> oldpage = this_cpu_read(s->cpu_slab->partial);
+	 *   - mm/slub.c|3240| <<put_cpu_partial>> } while (this_cpu_cmpxchg(s->cpu_slab->partial, oldpage, page)
+	 */
 	struct page *partial;	/* Partially allocated frozen slabs */
 #endif
 #ifdef CONFIG_SLUB_STATS
@@ -51,13 +59,33 @@ struct kmem_cache_cpu {
 };
 
 #ifdef CONFIG_SLUB_CPU_PARTIAL
+/*
+ * 在以下调用slub_percpu_partial():
+ *   - include/linux/slub_def.h|62| <<slub_set_percpu_partial>> slub_percpu_partial(c) = (p)->next; \
+ *   - include/linux/slub_def.h|66| <<slub_percpu_partial_read_once>> #define slub_percpu_partial_read_once(c) READ_ONCE(slub_percpu_partial(c))
+ *   - mm/slub.c|3290| <<has_cpu_slab>> return c->page || slub_percpu_partial(c);
+ *   - mm/slub.c|3565| <<___slab_alloc>> if (slub_percpu_partial(c)) {
+ *   - mm/slub.c|3566| <<___slab_alloc>> page = c->page = slub_percpu_partial(c);
+ *   - mm/slub.c|6207| <<slabs_cpu_partial_show>> page = slub_percpu_partial(per_cpu_ptr(s->cpu_slab, cpu));
+ *   - mm/slub.c|6221| <<slabs_cpu_partial_show>> page = slub_percpu_partial(per_cpu_ptr(s->cpu_slab, cpu));
+ */
 #define slub_percpu_partial(c)		((c)->partial)
 
+/*
+ * called by:
+ *   - mm/slub.c|2608| <<___slab_alloc>> slub_set_percpu_partial(c, page);
+ */
 #define slub_set_percpu_partial(c, p)		\
 ({						\
 	slub_percpu_partial(c) = (p)->next;	\
 })
 
+/*
+ * called by:
+ *   - mm/slub.c|5977| <<show_slab_objects>> page = slub_percpu_partial_read_once(c);
+ *
+ * 如果c->partial存在
+ */
 #define slub_percpu_partial_read_once(c)     READ_ONCE(slub_percpu_partial(c))
 #else
 #define slub_percpu_partial(c)			NULL
@@ -83,9 +111,51 @@ struct kmem_cache {
 	struct kmem_cache_cpu __percpu *cpu_slab;
 	/* Used for retriving partial slabs etc */
 	unsigned long flags;
+	/*
+	 * 在以下使用kmem_cache->min_partial:
+	 *   - mm/slub.c|6558| <<global>> SLAB_ATTR(min_partial);
+	 *   - mm/slub.c|2960| <<get_any_partial>> n->nr_partial > s->min_partial) {
+	 *   - mm/slub.c|3202| <<deactivate_slab>> if (!new.inuse && n->nr_partial >= s->min_partial)
+	 *   - mm/slub.c|3356| <<unfreeze_partials>> if (unlikely(!new.inuse && n->nr_partial >= s->min_partial)) {
+	 *   - mm/slub.c|4267| <<__slab_free>> if (unlikely(!new.inuse && n->nr_partial >= s->min_partial))
+	 *   - mm/slub.c|4896| <<set_min_partial>> s->min_partial = min;
+	 *   - mm/slub.c|5536| <<__kmemcg_cache_deactivate>> s->min_partial = 0;
+	 *   - mm/slub.c|6542| <<min_partial_show>> return sprintf(buf, "%lu\n", s->min_partial);
+	 *
+	 * 根据MIM_PARTIAL猜测Mininum number of partial slabs. These will be left on the partial
+	 * lists even if they are empty. kmem_cache_shrink may reclaim them.
+	 * 根据MAX_PARTIAL猜测Maximum number of desirable partial slabs.
+	 * The existence of more partial slabs makes kmem_cache_shrink
+	 * sort the partial list by the number of objects in use.
+	 */
 	unsigned long min_partial;
 	int size;		/* The size of an object including meta data */
 	int object_size;	/* The size of an object without meta data */
+	/*
+	 * 设置kmem_cache->offset的地方:
+	 *   - mm/slub.c|4905| <<calculate_sizes>> s->offset = size;
+	 *   - mm/slub.c|5000| <<kmem_cache_open>> s->offset = 0
+	 * 其他使用kmem_cache->offset的地方:
+	 *   - mm/slub.c|534| <<get_freepointer>> return freelist_dereference(s, object + s->offset);
+	 *   - mm/slub.c|548| <<prefetch_freepointer>> prefetch(freelist_dereference(s, object + s->offset));
+	 *   - mm/slub.c|574| <<get_freepointer_safe>> freepointer_addr = (unsigned long )object + s->offset;
+	 *   - mm/slub.c|599| <<set_freepointer>> unsigned long freeptr_addr = (unsigned long )object + s->offset;
+	 *   - mm/slub.c|1040| <<get_track>> if (s->offset)
+	 *   - mm/slub.c|1041| <<get_track>> p = object + s->offset + sizeof(void *);
+	 *   - mm/slub.c|1245| <<print_trailer>> if (s->offset)
+	 *   - mm/slub.c|1246| <<print_trailer>> off = s->offset + sizeof(void *);
+	 *   - mm/slub.c|1503| <<check_pad_bytes>> if (s->offset)
+	 *   - mm/slub.c|1641| <<check_object>> if (!s->offset && val == SLUB_RED_ACTIVE)
+	 *   - mm/slub.c|2894| <<free_slab>> int offset = (PAGE_SIZE << order) - s->reserved;
+	 *   - mm/slub.c|5490| <<kmem_cache_open>> oo_order(s->oo), s->offset, flags);
+	 *   - mm/slub.c|5690| <<__check_heap_object>> offset = (ptr - page_address(page)) % s->size;
+	 *
+	 * 就是在calculate_sizes()设置, 在以下条件设置:
+	 * 4898         if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
+	 * 4899                 s->ctor)) {
+	 * 当slub_debug=ZUF(没有P)的时候, kmalloc-128的s->offset=0
+	 * 当slub_debug=PZUF(有P)的时候, kmalloc-128的s->offset=136
+	 */
 	int offset;		/* Free pointer offset. */
 #ifdef CONFIG_SLUB_CPU_PARTIAL
 	/* Number of per cpu partial objects to keep around */
@@ -99,9 +169,36 @@ struct kmem_cache {
 	gfp_t allocflags;	/* gfp flags to use on each alloc */
 	int refcount;		/* Refcount for slab cache destroy */
 	void (*ctor)(void *);
+	/*
+	 * 修改kmem_cache->inuse的地方:
+	 *   - mm/slub.c|5371| <<__kmem_cache_alias>> s->inuse = max_t(int , s->inuse, ALIGN(size, sizeof(void *)));
+	 *   - mm/slub.c|4607| <<calculate_sizes>> s->inuse = size;
+	 *   - mm/slub.c|1405| <<check_object>> s->inuse - s->object_size);
+	 *   - mm/slub.c|5375| <<__kmem_cache_alias>> c->inuse = max_t(int , c->inuse,
+	 * 使用kmem_cache->inuse的地方:
+	 *   - mm/slub.c|950| <<get_track>> p = object + s->inuse;
+	 *   - mm/slub.c|1143| <<print_trailer>> s->inuse - s->object_size);
+	 *   - mm/slub.c|1148| <<print_trailer>> off = s->inuse;
+	 *   - mm/slub.c|1206| <<init_object>> memset(p + s->object_size, val, s->inuse - s->object_size);
+	 *   - mm/slub.c|1298| <<check_pad_bytes>> unsigned long off = s->inuse;
+	 *   - mm/slub.c|1399| <<check_object>> endobject, val, s->inuse - s->object_size))
+	 *   - mm/slub.c|1402| <<check_object>> if ((s->flags & SLAB_POISON) && s->object_size < s->inuse) {
+	 *   - mm/slub.c|2697| <<acquire_slab>> *objects = new.objects - new.inuse;
+	 *
+	 * Offset to metadata
+	 * With that we have determined the number of bytes in actual use
+	 * by the object. This is the potential offset to the free pointer.
+	 */
 	int inuse;		/* Offset to metadata */
 	int align;		/* Alignment */
 	int reserved;		/* Reserved bytes at the end of slabs */
+	/*
+	 * 修改red_left_pad的地方:
+	 *   - mm/slub.c|5045| <<calculate_sizes>> s->red_left_pad = sizeof(void *);
+	 *   - mm/slub.c|5046| <<calculate_sizes>> s->red_left_pad = ALIGN(s->red_left_pad, s->align);
+	 *
+	 * Left redzone padding size
+	 */
 	int red_left_pad;	/* Left redzone padding size */
 	const char *name;	/* Name (only for display!) */
 	struct list_head list;	/* List of slab caches */
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 71a43192..23e52193 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -453,6 +453,11 @@ static inline depot_stack_handle_t save_stack(gfp_t flags)
 	return depot_save_stack(&trace, flags);
 }
 
+/*
+ * called by:
+ *   - mm/kasan/kasan.c|524| <<kasan_slab_free>> set_track(&get_alloc_info(cache, object)->free_track, GFP_NOWAIT);
+ *   - mm/kasan/kasan.c|551| <<kasan_kmalloc>> set_track(&get_alloc_info(cache, object)->alloc_track, flags);
+ */
 static inline void set_track(struct kasan_track *track, gfp_t flags)
 {
 	track->pid = current->pid;
diff --git a/mm/slab.h b/mm/slab.h
index 485d9fbb..23650fee 100644
--- a/mm/slab.h
+++ b/mm/slab.h
@@ -351,6 +351,13 @@ static inline void memcg_link_cache(struct kmem_cache *s)
 
 #endif /* CONFIG_MEMCG && !CONFIG_SLOB */
 
+/*
+ * called by:
+ *   - mm/slub.c|3033| <<kmem_cache_free>> s = cache_from_obj(s, x);
+ *   - mm/slub.c|3094| <<build_detached_freelist>> df->s = cache_from_obj(s, object);
+ *   - mm/slab.c|3750| <<kmem_cache_free>> cachep = cache_from_obj(cachep, objp);
+ *   - mm/slab.c|3777| <<kmem_cache_free_bulk>> s = cache_from_obj(orig_s, objp);
+ */
 static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
 {
 	struct kmem_cache *cachep;
@@ -408,6 +415,14 @@ static inline size_t slab_ksize(const struct kmem_cache *s)
 #endif
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2649| <<slab_alloc_node>> s = slab_pre_alloc_hook(s, gfpflags);
+ *   - mm/slub.c|3117| <<kmem_cache_alloc_bulk>> s = slab_pre_alloc_hook(s, flags);
+ *   - mm/slab.c|3297| <<slab_alloc_node>> cachep = slab_pre_alloc_hook(cachep, flags);
+ *   - mm/slab.c|3376| <<slab_alloc>> cachep = slab_pre_alloc_hook(cachep, flags);
+ *   - mm/slab.c|3575| <<kmem_cache_alloc_bulk>> s = slab_pre_alloc_hook(s, flags);
+ */
 static inline struct kmem_cache *slab_pre_alloc_hook(struct kmem_cache *s,
 						     gfp_t flags)
 {
@@ -428,6 +443,16 @@ static inline struct kmem_cache *slab_pre_alloc_hook(struct kmem_cache *s,
 	return s;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2764| <<slab_alloc_node>> slab_post_alloc_hook(s, gfpflags, 1, &object);
+ *   - mm/slub.c|3200| <<kmem_cache_alloc_bulk>> slab_post_alloc_hook(s, flags, size, p);
+ *   - mm/slub.c|3204| <<kmem_cache_alloc_bulk>> slab_post_alloc_hook(s, flags, i, p);
+ *   - mm/slab.c|3333| <<slab_alloc_node>> slab_post_alloc_hook(cachep, flags, 1, &ptr);
+ *   - mm/slab.c|3390| <<slab_alloc>> slab_post_alloc_hook(cachep, flags, 1, &objp);
+ *   - mm/slab.c|3598| <<kmem_cache_alloc_bulk>> slab_post_alloc_hook(s, flags, size, p);
+ *   - mm/slab.c|3604| <<kmem_cache_alloc_bulk>> slab_post_alloc_hook(s, flags, i, p);
+ */
 static inline void slab_post_alloc_hook(struct kmem_cache *s, gfp_t flags,
 					size_t size, void **p)
 {
@@ -469,10 +494,48 @@ struct kmem_cache_node {
 #endif
 
 #ifdef CONFIG_SLUB
+	/*
+	 * 增加nr_partial的地方:
+	 *   - mm/slub.c|2588| <<__add_partial>> n->nr_partial++;
+	 * 减少nr_partial的地方:
+	 *   - mm/slub.c|2613| <<remove_partial>> n->nr_partial--;
+	 *   - mm/slub.c|4943| <<__kmem_cache_shrink>> n->nr_partial--;
+	 * 其他使用nr_partial的地方:
+	 *   - mm/slub.c|2687| <<get_partial_node>> if (!n || !n->nr_partial)
+	 *   - mm/slub.c|2764| <<get_any_partial>> n->nr_partial > s->min_partial) {
+	 *   - mm/slub.c|2961| <<deactivate_slab>> if (!new.inuse && n->nr_partial >= s->min_partial)
+	 *   - mm/slub.c|3075| <<unfreeze_partials>> if (unlikely(!new.inuse && n->nr_partial >= s->min_partial)) {
+	 *   - mm/slub.c|3807| <<__slab_free>> if (unlikely(!new.inuse && n->nr_partial >= s->min_partial))
+	 *   - mm/slub.c|4273| <<init_kmem_cache_node>> n->nr_partial = 0;
+	 *   - mm/slub.c|4698| <<__kmem_cache_shutdown>> if (n->nr_partial || slabs_node(s, node))
+	 *   - mm/slub.c|5413| <<validate_slab_node>> if (count != n->nr_partial)
+	 *   - mm/slub.c|5415| <<validate_slab_node>> s->name, count, n->nr_partial);
+	 *   - mm/slub.c|5857| <<show_slab_objects>> x = n->nr_partial;
+	 */
 	unsigned long nr_partial;
+	/*
+	 * 比如page->lru是在__add_partial()加入partial的
+	 * 在remove_partial()删除的
+	 */
 	struct list_head partial;
 #ifdef CONFIG_SLUB_DEBUG
+	/*
+	 * 增加和减少nr_slabs的地方:
+	 *   - mm/slub.c|1883| <<inc_slabs_node>> atomic_long_inc(&n->nr_slabs);
+	 *   - mm/slub.c|1895| <<dec_slabs_node>> atomic_long_dec(&n->nr_slabs);
+	 *   - mm/slub.c|4935| <<init_kmem_cache_node>> atomic_long_set(&n->nr_slabs, 0);
+	 */
 	atomic_long_t nr_slabs;
+	/*
+	 * 增加减少和获取total_objects的地方:
+	 *   - mm/slub.c|1713| <<inc_slabs_node>> atomic_long_add(objects, &n->total_objects);
+	 *   - mm/slub.c|1725| <<dec_slabs_node>> atomic_long_sub(objects, &n->total_objects);
+	 *   - mm/slub.c|4756| <<init_kmem_cache_node>> atomic_long_set(&n->total_objects, 0);
+	 *   - mm/slub.c|3558| <<node_nr_objs>> return atomic_long_read(&n->total_objects);
+	 *   - mm/slub.c|6399| <<show_slab_objects>> x = atomic_long_read(&n->total_objects);
+	 *   - mm/slub.c|6401| <<show_slab_objects>> x = atomic_long_read(&n->total_objects) -
+	 *   - mm/slub.c|6444| <<any_slab_objects>> if (atomic_long_read(&n->total_objects))
+	 */
 	atomic_long_t total_objects;
 	struct list_head full;
 #endif
diff --git a/mm/slab_common.c b/mm/slab_common.c
index f6764cf1..1effe69b 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -26,29 +26,83 @@
 
 #include "slab.h"
 
+/*
+ * slub中使用slab_state的例子:
+ *   - mm/slab_common.c|1140| <<create_kmalloc_caches>> slab_state = UP;
+ *   - mm/slub.c|6034| <<kmem_cache_init>> slab_state = PARTIAL;
+ *   - mm/slub.c|7761| <<slab_sysfs_init>> slab_state = FULL;
+ *   - mm/slab_common.c|919| <<slab_is_available>> return slab_state >= UP;
+ *   - mm/slub.c|5100| <<init_kmem_cache_nodes>> if (slab_state == DOWN) {
+ *   - mm/slub.c|5450| <<kmem_cache_open>> if (slab_state >= UP) {
+ *   - mm/slub.c|6134| <<__kmem_cache_create>> if (slab_state <= UP)
+ *   - mm/slub.c|7415| <<slab_attr_store>> if (slab_state >= FULL && err >= 0 && is_root_cache(s)) {
+ *   - mm/slub.c|7681| <<sysfs_slab_remove>> if (slab_state < FULL)
+ *   - mm/slub.c|7694| <<sysfs_slab_unlink>> if (slab_state >= FULL)
+ *   - mm/slub.c|7700| <<sysfs_slab_release>> if (slab_state >= FULL)
+ *   - mm/slub.c|7728| <<sysfs_slab_alias>> if (slab_state == FULL) {
+ *
+ * 猜测可以用来保证kmalloc-xxx比其他先初始化???
+ */
 enum slab_state slab_state;
+/*
+ * slub中使用slab_caches的例子:
+ *   - mm/slab_common.c|92| <<kmem_cache_sanity_check>> list_for_each_entry(s, &slab_caches, list) {
+ *   - mm/slab_common.c|416| <<create_cache>> list_add(&s->list, &slab_caches);
+ *   - mm/slab_common.c|953| <<create_kmalloc_cache>> list_add(&s->list, &slab_caches);
+ *   - mm/slub.c|2571| <<init_freelist_randomization>> list_for_each_entry(s, &slab_caches, list)
+ *   - mm/slub.c|3761| <<slub_cpu_dead>> list_for_each_entry(s, &slab_caches, list) {
+ *   - mm/slub.c|5849| <<slab_mem_going_offline_callback>> list_for_each_entry(s, &slab_caches, list)
+ *   - mm/slub.c|5873| <<slab_mem_offline_callback>> list_for_each_entry(s, &slab_caches, list) {
+ *   - mm/slub.c|5912| <<slab_mem_going_online_callback>> list_for_each_entry(s, &slab_caches, list) {
+ *   - mm/slub.c|5999| <<bootstrap>> list_add(&s->list, &slab_caches);
+ *   - mm/slub.c|7763| <<slab_sysfs_init>> list_for_each_entry(s, &slab_caches, list) {
+ */
 LIST_HEAD(slab_caches);
 DEFINE_MUTEX(slab_mutex);
 struct kmem_cache *kmem_cache;
 
+/*
+ * 在以下使用slab_caches_to_rcu_destroy:
+ *   - mm/slab_common.c|589| <<slab_caches_to_rcu_destroy_workfn>> list_splice_init(&slab_caches_to_rcu_destroy, &to_destroy);
+ *   - mm/slab_common.c|621| <<shutdown_cache>> list_add_tail(&s->list, &slab_caches_to_rcu_destroy);
+ */
 static LIST_HEAD(slab_caches_to_rcu_destroy);
 static void slab_caches_to_rcu_destroy_workfn(struct work_struct *work);
+/*
+ * 调用slab_caches_to_rcu_destroy_work的地方:
+ *   - mm/slab_common.c|622| <<shutdown_cache>> schedule_work(&slab_caches_to_rcu_destroy_work);
+ */
 static DECLARE_WORK(slab_caches_to_rcu_destroy_work,
 		    slab_caches_to_rcu_destroy_workfn);
 
 /*
  * Set of flags that will prevent slab merging
  */
+/*
+ * 在以下使用SLAB_NEVER_MERGE:
+ *   - mm/slab_common.c|311| <<slab_unmergeable>> if (slab_nomerge || (s->flags & SLAB_NEVER_MERGE))
+ *   - mm/slab_common.c|355| <<find_mergeable>> if (flags & SLAB_NEVER_MERGE)
+ */
 #define SLAB_NEVER_MERGE (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER | \
 		SLAB_TRACE | SLAB_TYPESAFE_BY_RCU | SLAB_NOLEAKTRACE | \
 		SLAB_FAILSLAB | SLAB_KASAN)
 
+/*
+ * 在以下使用SLAB_MERGE_SAME:
+ *   - mm/slab_common.c|365| <<find_mergeable>> if ((flags & SLAB_MERGE_SAME) != (s->flags & SLAB_MERGE_SAME))
+ */
 #define SLAB_MERGE_SAME (SLAB_RECLAIM_ACCOUNT | SLAB_CACHE_DMA | \
 			 SLAB_ACCOUNT)
 
 /*
  * Merge control. If this is set then no merging of slab caches will occur.
  */
+/*
+ * 在以下使用slab_nomerge:
+ *   - mm/slab_common.c|86| <<setup_slab_nomerge>> slab_nomerge = true;
+ *   - mm/slab_common.c|311| <<slab_unmergeable>> if (slab_nomerge || (s->flags & SLAB_NEVER_MERGE))
+ *   - mm/slab_common.c|339| <<find_mergeable>> if (slab_nomerge)
+ */
 static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
 
 static int __init setup_slab_nomerge(char *str)
@@ -66,6 +120,16 @@ __setup("slab_nomerge", setup_slab_nomerge);
 /*
  * Determine the size of a slab object
  */
+/*
+ * called by:
+ *   - drivers/block/skd_main.c|2914| <<skd_construct>> WARN_ONCE(kmem_cache_size(skdev->msgbuf_cache) < size,
+ *   - drivers/block/skd_main.c|2916| <<skd_construct>> kmem_cache_size(skdev->msgbuf_cache), size);
+ *   - drivers/block/skd_main.c|2922| <<skd_construct>> WARN_ONCE(kmem_cache_size(skdev->sglist_cache) < size,
+ *   - drivers/block/skd_main.c|2924| <<skd_construct>> kmem_cache_size(skdev->sglist_cache), size);
+ *   - drivers/block/skd_main.c|2930| <<skd_construct>> WARN_ONCE(kmem_cache_size(skdev->databuf_cache) < size,
+ *   - drivers/block/skd_main.c|2932| <<skd_construct>> kmem_cache_size(skdev->databuf_cache), size);
+ *   - lib/lru_cache.c|107| <<lc_create>> unsigned cache_obj_size = kmem_cache_size(cache);
+ */
 unsigned int kmem_cache_size(struct kmem_cache *s)
 {
 	return s->object_size;
@@ -73,6 +137,12 @@ unsigned int kmem_cache_size(struct kmem_cache *s)
 EXPORT_SYMBOL(kmem_cache_size);
 
 #ifdef CONFIG_DEBUG_VM
+/*
+ * called by:
+ *   - mm/slab_common.c|456| <<kmem_cache_create>> err = kmem_cache_sanity_check(name, size);
+ *
+ * ol6中uek4没有设置CONFIG_DEBUG_VM
+ */
 static int kmem_cache_sanity_check(const char *name, size_t size)
 {
 	struct kmem_cache *s = NULL;
@@ -110,6 +180,13 @@ static inline int kmem_cache_sanity_check(const char *name, size_t size)
 }
 #endif
 
+/*
+ * called by:
+ *   - mm/slab.c|3605| <<kmem_cache_alloc_bulk>> __kmem_cache_free_bulk(s, i, p);
+ *   - mm/slab_common.c|203| <<__kmem_cache_alloc_bulk>> __kmem_cache_free_bulk(s, i, p);
+ *   - mm/slob.c|619| <<kmem_cache_free_bulk>> __kmem_cache_free_bulk(s, size, p);
+ *   - mm/slub.c|4858| <<kmem_cache_alloc_bulk>> __kmem_cache_free_bulk(s, i, p);
+ */
 void __kmem_cache_free_bulk(struct kmem_cache *s, size_t nr, void **p)
 {
 	size_t i;
@@ -122,6 +199,10 @@ void __kmem_cache_free_bulk(struct kmem_cache *s, size_t nr, void **p)
 	}
 }
 
+/*
+ * 不被slub调用:
+ *   - mm/slob.c|626| <<kmem_cache_alloc_bulk>> return __kmem_cache_alloc_bulk(s, flags, size, p);
+ */
 int __kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t nr,
 								void **p)
 {
@@ -139,6 +220,16 @@ int __kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t nr,
 
 #if defined(CONFIG_MEMCG) && !defined(CONFIG_SLOB)
 
+/*
+ * 在以下使用slab_root_caches:
+ *   - mm/slab_common.c|290| <<memcg_update_all_caches>> list_for_each_entry(s, &slab_root_caches, root_caches_node) {
+ *   - mm/slab_common.c|306| <<memcg_link_cache>> list_add(&s->root_caches_node, &slab_root_caches);
+ *   - mm/slab_common.c|392| <<find_mergeable>> list_for_each_entry_reverse(s, &slab_root_caches, root_caches_node) {
+ *   - mm/slab_common.c|820| <<memcg_deactivate_kmem_caches>> list_for_each_entry(s, &slab_root_caches, root_caches_node) {
+ *   - mm/slab_common.c|1332| <<slab_start>> return seq_list_start(&slab_root_caches, *pos);
+ *   - mm/slab_common.c|1337| <<slab_next>> return seq_list_next(p, &slab_root_caches, pos);
+ *   - mm/slab_common.c|1391| <<slab_show>> if (p == slab_root_caches.next)
+ */
 LIST_HEAD(slab_root_caches);
 
 void slab_init_memcg_params(struct kmem_cache *s)
@@ -270,8 +361,18 @@ static inline void memcg_unlink_cache(struct kmem_cache *s)
 /*
  * Find a mergeable slab cache
  */
+/*
+ * called by:
+ *   - mm/slab_common.c|393| <<find_mergeable>> if (slab_unmergeable(s))
+ *   - mm/slub.c|7617| <<sysfs_slab_add>> int unmergeable = slab_unmergeable(s);
+ */
 int slab_unmergeable(struct kmem_cache *s)
 {
+	/*
+	 * 对于slub_debug=FU,kmalloc-128,会把kmalloc-128的debug设置上
+	 * 于是没有slab可以merge到kmalloc-128了
+	 * 测试的时候新创建的128大小的slab被merge到"pid"了!
+	 */
 	if (slab_nomerge || (s->flags & SLAB_NEVER_MERGE))
 		return 1;
 
@@ -290,32 +391,73 @@ int slab_unmergeable(struct kmem_cache *s)
 	return 0;
 }
 
+/*
+ * 在以下使用kmalloc_info[]来创建kmalloc-128等:
+ *   - mm/slab.c|1297| <<kmem_cache_init>> kmalloc_info[INDEX_NODE].name,
+ *   - mm/slab_common.c|1201| <<new_kmalloc_cache>> kmalloc_caches[idx] = create_kmalloc_cache(kmalloc_info[idx].name,
+ *   - mm/slab_common.c|1202| <<new_kmalloc_cache>> kmalloc_info[idx].size, flags);
+ *
+ * called by:
+ *   - mm/slab.c|1896| <<__kmem_cache_alias>> cachep = find_mergeable(size, align, flags, name, ctor);
+ *   - mm/slub.c|5106| <<__kmem_cache_alias>> s = find_mergeable(size, align, flags, name, ctor);
+ */
 struct kmem_cache *find_mergeable(size_t size, size_t align,
 		unsigned long flags, const char *name, void (*ctor)(void *))
 {
 	struct kmem_cache *s;
 
+	/* 如果内核参数设置了nomerge, 就不用merge这一个了 */
 	if (slab_nomerge)
 		return NULL;
 
 	if (ctor)
 		return NULL;
 
+	/*
+	 * 为什么不用calculate_sizes()计算呢????
+	 */
 	size = ALIGN(size, sizeof(void *));
 	align = calculate_alignment(flags, align, size);
 	size = ALIGN(size, align);
+	/*
+	 * 可能会把一些debug flag一起返回
+	 */
 	flags = kmem_cache_flags(size, flags, name, NULL);
 
+	/*
+	 * #define SLAB_NEVER_MERGE (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER | \
+	 *		SLAB_TRACE | SLAB_TYPESAFE_BY_RCU | SLAB_NOLEAKTRACE | \
+	 *		SLAB_FAILSLAB | SLAB_KASAN)
+	 */
 	if (flags & SLAB_NEVER_MERGE)
 		return NULL;
 
+	/*
+	 * 在以下使用slab_root_caches:
+	 *   - mm/slab_common.c|290| <<memcg_update_all_caches>> list_for_each_entry(s, &slab_root_caches, root_caches_node) {
+	 *   - mm/slab_common.c|306| <<memcg_link_cache>> list_add(&s->root_caches_node, &slab_root_caches);
+	 *   - mm/slab_common.c|392| <<find_mergeable>> list_for_each_entry_reverse(s, &slab_root_caches, root_caches_node) {
+	 *   - mm/slab_common.c|820| <<memcg_deactivate_kmem_caches>> list_for_each_entry(s, &slab_root_caches, root_caches_node) {
+	 *   - mm/slab_common.c|1332| <<slab_start>> return seq_list_start(&slab_root_caches, *pos);
+	 *   - mm/slab_common.c|1337| <<slab_next>> return seq_list_next(p, &slab_root_caches, pos);
+	 *   - mm/slab_common.c|1391| <<slab_show>> if (p == slab_root_caches.next)
+	 */
 	list_for_each_entry_reverse(s, &slab_root_caches, root_caches_node) {
+		/*
+		 * 对于slub_debug=FU,kmalloc-128,会把kmalloc-128的debug设置上
+		 * 于是没有slab可以merge到kmalloc-128了
+		 * 测试的时候新创建的128大小的slab被merge到"pid"了!
+		 */
 		if (slab_unmergeable(s))
 			continue;
 
 		if (size > s->size)
 			continue;
 
+		/*
+		 * #define SLAB_MERGE_SAME (SLAB_RECLAIM_ACCOUNT | SLAB_CACHE_DMA | \
+		 *				SLAB_ACCOUNT)
+		 */
 		if ((flags & SLAB_MERGE_SAME) != (s->flags & SLAB_MERGE_SAME))
 			continue;
 		/*
@@ -341,6 +483,12 @@ struct kmem_cache *find_mergeable(size_t size, size_t align,
  * Figure out what the alignment of the objects will be given a set of
  * flags, a user specified alignment and the size of the objects.
  */
+/*
+ * called by:
+ *   - mm/slab_common.c|420| <<find_mergeable>> align = calculate_alignment(flags, align, size);
+ *   - mm/slab_common.c|638| <<kmem_cache_create>> calculate_alignment(flags, align, size),
+ *   - mm/slab_common.c|1057| <<create_boot_cache>> s->align = calculate_alignment(flags, ARCH_KMALLOC_MINALIGN, size);
+ */
 unsigned long calculate_alignment(unsigned long flags,
 		unsigned long align, unsigned long size)
 {
@@ -364,6 +512,11 @@ unsigned long calculate_alignment(unsigned long flags,
 	return ALIGN(align, sizeof(void *));
 }
 
+/*
+ * called by:
+ *   - mm/slab_common.c|480| <<kmem_cache_create>> s = create_cache(cache_name, size, size,
+ *   - mm/slab_common.c|621| <<memcg_create_kmem_cache>> s = create_cache(cache_name, root_cache->object_size,
+ */
 static struct kmem_cache *create_cache(const char *name,
 		size_t object_size, size_t size, size_t align,
 		unsigned long flags, void (*ctor)(void *),
@@ -443,6 +596,12 @@ kmem_cache_create(const char *name, size_t size, size_t align,
 
 	mutex_lock(&slab_mutex);
 
+	/*
+	 * called by:
+	 *   - mm/slab_common.c|456| <<kmem_cache_create>> err = kmem_cache_sanity_check(name, size);
+	 *
+	 * ol6中uek4没有设置CONFIG_DEBUG_VM
+	 */
 	err = kmem_cache_sanity_check(name, size);
 	if (err) {
 		goto out_unlock;
@@ -462,6 +621,13 @@ kmem_cache_create(const char *name, size_t size, size_t align,
 	 */
 	flags &= CACHE_CREATE_MASK;
 
+	/*
+	 * called by:
+	 *   - mm/slab_common.c|475| <<kmem_cache_create>> s = __kmem_cache_alias(name, size, align, flags, ctor);
+	 *
+	 * 该函数检查已创建的slab是否存在与当前想要创建的slab的对象大小相
+	 * 匹配的,如果有则通过别名合并到一个缓存中进行访问.
+	 */
 	s = __kmem_cache_alias(name, size, align, flags, ctor);
 	if (s)
 		goto out_unlock;
@@ -472,6 +638,11 @@ kmem_cache_create(const char *name, size_t size, size_t align,
 		goto out_unlock;
 	}
 
+	/*
+	 * create_cache()在以下调用:
+	 *   - mm/slab_common.c|480| <<kmem_cache_create>> s = create_cache(cache_name, size, size,
+	 *   - mm/slab_common.c|621| <<memcg_create_kmem_cache>> s = create_cache(cache_name, root_cache->object_size,
+	 */
 	s = create_cache(cache_name, size, size,
 			 calculate_alignment(flags, align, size),
 			 flags, ctor, NULL, NULL);
@@ -880,6 +1051,9 @@ bool slab_is_available(void)
 	return slab_state >= UP;
 }
 
+/*
+ * 注意!!! 下面是ndef, NOT define!!!
+ */
 #ifndef CONFIG_SLOB
 /* Create a cache during boot when no slab services are available yet */
 void __init create_boot_cache(struct kmem_cache *s, const char *name, size_t size,
@@ -902,6 +1076,12 @@ void __init create_boot_cache(struct kmem_cache *s, const char *name, size_t siz
 	s->refcount = -1;	/* Exempt from merging for now */
 }
 
+/*
+ * called by:
+ *   - mm/slab.c|1296| <<kmem_cache_init>> kmalloc_caches[INDEX_NODE] = create_kmalloc_cache(
+ *   - mm/slab_common.c|1201| <<new_kmalloc_cache>> kmalloc_caches[idx] = create_kmalloc_cache(kmalloc_info[idx].name,
+ *   - mm/slab_common.c|1242| <<create_kmalloc_caches>> kmalloc_dma_caches[i] = create_kmalloc_cache(n,
+ */
 struct kmem_cache *__init create_kmalloc_cache(const char *name, size_t size,
 				unsigned long flags)
 {
@@ -997,6 +1177,12 @@ struct kmem_cache *kmalloc_slab(size_t size, gfp_t flags)
  * kmalloc_index() supports up to 2^26=64MB, so the final entry of the table is
  * kmalloc-67108864.
  */
+/*
+ * 在以下使用kmalloc_info[]:
+ *   - mm/slab.c|1297| <<kmem_cache_init>> kmalloc_info[INDEX_NODE].name,
+ *   - mm/slab_common.c|1201| <<new_kmalloc_cache>> kmalloc_caches[idx] = create_kmalloc_cache(kmalloc_info[idx].name,
+ *   - mm/slab_common.c|1202| <<new_kmalloc_cache>> kmalloc_info[idx].size, flags);
+ */
 const struct kmalloc_info_struct kmalloc_info[] __initconst = {
 	{NULL,                      0},		{"kmalloc-96",             96},
 	{"kmalloc-192",           192},		{"kmalloc-8",               8},
@@ -1061,6 +1247,12 @@ void __init setup_kmalloc_cache_index_table(void)
 	}
 }
 
+/*
+ * called by:
+ *   - mm/slab_common.c|1081| <<create_kmalloc_caches>> new_kmalloc_cache(i, flags);
+ *   - mm/slab_common.c|1089| <<create_kmalloc_caches>> new_kmalloc_cache(1, flags);
+ *   - mm/slab_common.c|1091| <<create_kmalloc_caches>> new_kmalloc_cache(2, flags);
+ */
 static void __init new_kmalloc_cache(int idx, unsigned long flags)
 {
 	kmalloc_caches[idx] = create_kmalloc_cache(kmalloc_info[idx].name,
@@ -1072,6 +1264,11 @@ static void __init new_kmalloc_cache(int idx, unsigned long flags)
  * may already have been created because they were needed to
  * enable allocations for slab creation.
  */
+/*
+ * called by:
+ *   - mm/slab.c|1316| <<kmem_cache_init>> create_kmalloc_caches(ARCH_KMALLOC_FLAGS);
+ *   - mm/slub.c|6052| <<kmem_cache_init>> create_kmalloc_caches(0);
+ */
 void __init create_kmalloc_caches(unsigned long flags)
 {
 	int i;
@@ -1254,6 +1451,11 @@ memcg_accumulate_slabinfo(struct kmem_cache *s, struct slabinfo *info)
 	}
 }
 
+/*
+ * called by:
+ *   - mm/slab_common.c|1481| <<slab_show>> cache_show(s, m);
+ *   - mm/slab_common.c|1514| <<memcg_slab_show>> cache_show(s, m);
+ */
 static void cache_show(struct kmem_cache *s, struct seq_file *m)
 {
 	struct slabinfo sinfo;
diff --git a/mm/slub.c b/mm/slub.c
index 220d42e5..d7c13f28 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -40,6 +40,101 @@
 
 #include "internal.h"
 
+/*
+ * NOTES:
+ *
+ * 1. s->offset: Free pointer offset
+ * 就是在calculate_sizes()设置, 在以下条件设置:
+ * 4898         if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
+ * 4899                 s->ctor)) {
+ * 当slub_debug=ZUF(没有P)的时候, kmalloc-128的s->offset=0
+ * 当slub_debug=PZUF(有P)的时候, kmalloc-128的s->offset=136
+ */
+
+/*
+ * 从high level考虑,SLUB就是利用特殊区域填充特殊的magic num,在每一次
+ * alloc/free的时候检查magic num是否被意外修改.只申请内存而不释放的
+ * 话,是没法检测的.我们只能借助slabinfo工具主动触发检测功能。所以,这
+ * 也是SLUB DEBUG的一个劣势,它不能做到动态监测.它的检测机制是被动的.
+ *
+ * 一共四个debug的选项:
+ * - SLAB_CONSISTENCY_CHECKS
+ * - SLAB_RED_ZONE
+ * - SLAB_POISON
+ * - SLAB_STORE_USER
+ *
+ * SLUB DEBUG检测oob问题原理也很简单,既然为了发现是否越界,那么
+ * 就在分配出去的内存尾部添加一段额外的内存,填充特殊数字(magic num).
+ * 我们只需要检测这块额外的内存的数据是否被修改就可以知道是否发生了
+ * oob情况.而这段额外的内存就叫做Redzone.
+ *
+ * SLUB DEBUG关闭的情况下,free pointer是内嵌在object之中的,但是SLUB DEBUG
+ * 打开之后,free pointer是在object之外,并且多了很多其他的内存,
+ * 例如red zone,trace和red_left_pad等.这里之所以将FP后移就是因为为了检测
+ * use-after-free问题,当free object时会在将object填充magic num(0x6b).
+ * 如果不后移的话,岂不是破坏了object之间的单链表关系.
+ *
+ * 在没有slub_debug的时候:
+ * [Object size(with FP at the beginning 8-byte)][Obj align]
+ *
+ * 在slub_debug=PZU的时候:
+ * [Object size][Red zone][FP][alloc/free track][padding][red_left_pad]
+ *
+ * 其实slub_debug=PZU的时候应该是:
+ * [red_left_pad][Object size][Red zone][FP][alloc/free track][padding]
+ *
+ * - Redzone (主要检测右边oob)
+ * 从图中我们可以看到在object后面紧接着就是Red zone区域,那么Red zone有什
+ * 么作用呢?既然紧随其后,自然是检测右边界越界访问
+ * (right out-of-bounds access).原理很简单,在Red zone区域填充magic num,
+ * 检查Red zone区域数据是否被修改即可知道是否发生right oob. 可能你会想到
+ * 如果越过Redzone,直接改写了FP,岂不是检测不到oob了,并且链表结构也被破坏
+ * 了.其实在check_object()函数中会调用check_valid_pointer()来检查FP是否
+ * valid,如果invalid,同样会print error syslog.
+ *
+ * - padding
+ * padding是sizeof(void *) bytes的填充区域,在分配slab缓存池时,会将所有的内
+ * 存填充0x5a.同样在free/alloc object的时候作为检测的一种途径.如果padding
+ * 区域的数据不是0x5a,就代表发生了"Object padding overwritten"问题.这也是
+ * 有可能,越界跨度很大.
+ *
+ * - red_left_pad (检测左边的oob)
+ * 在struct page结构中有一个freelist指针,freelist会指向第一个available object.
+ * 在构建object之间的单链表的时候,object首地址实际上都会加上一个red_left_pad的
+ * 偏移,这样实际的layout就如同下面转换之后的layout:
+ *
+ * 其实slub_debug=PZU的时候应该是:
+ * [red_left_pad][Object size][Red zone][FP][alloc/free track][padding]
+ *
+ * 填充的magic num和Redzone一样,差别只是检测的区域不一样而已.
+ */
+
+/*
+ * 关于填充
+ *
+ * 从high level考虑,SLUB就是利用特殊区域填充特殊的magic num,在
+ * 每一次alloc/free的时候检查magic num是否被意外修改.
+ *
+ * - SLUB_RED_INACTIVE
+ *
+ * - SLUB_RED_ACTIVE
+ *
+ * - POISON_INUSE
+ *
+ * - POISON_FREE
+ */
+
+/*
+ * To detect out-of-bound:
+ *
+ * To detect use-after-free:
+ */
+
+/*
+ * - https://blog.csdn.net/juS3Ve/article/details/79285745
+ * - http://www.wowotech.net/memory_management/426.html
+ */
+
 /*
  * Lock order:
  *   1. slab_mutex (Global Mutex)
@@ -116,6 +211,20 @@
  * 			the fast path and disables lockless freelists.
  */
 
+ /*
+  * called by:
+  *   - mm/slub.c|130| <<fixup_red_left>> if (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE)
+  *   - mm/slub.c|139| <<kmem_cache_has_cpu_partial>> return !kmem_cache_debug(s);
+  *   - mm/slub.c|2097| <<deactivate_slab>> if (kmem_cache_debug(s) && !lock) {
+  *   - mm/slub.c|2594| <<___slab_alloc>> if (likely(!kmem_cache_debug(s) && pfmemalloc_match(page, gfpflags)))
+  *   - mm/slub.c|2598| <<___slab_alloc>> if (kmem_cache_debug(s) &&
+  *   - mm/slub.c|2814| <<__slab_free>> if (kmem_cache_debug(s) &&
+  *   - mm/slub.c|2889| <<__slab_free>> if (kmem_cache_debug(s))
+  *   - mm/slub.c|3845| <<__check_heap_object>> if (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE) {
+  */
+ /*
+  * 当kmem_cache->flags设置了debug的任何flag的时候返回 true
+  */
 static inline int kmem_cache_debug(struct kmem_cache *s)
 {
 #ifdef CONFIG_SLUB_DEBUG
@@ -125,17 +234,51 @@ static inline int kmem_cache_debug(struct kmem_cache *s)
 #endif
 }
 
+/*
+ * called by:
+ *   - include/linux/slub_def.h|183| <<nearest_obj>> result = fixup_red_left(cache, result);
+ *   - mm/slub.c|432| <<for_each_object>> for (__p = fixup_red_left(__s, __addr); \
+ *   - mm/slub.c|437| <<for_each_object_idx>> for (__p = fixup_red_left(__s, __addr), __idx = 1; \
+ *   - mm/slub.c|1743| <<shuffle_freelist>> start = fixup_red_left(s, page_address(page));
+ *   - mm/slub.c|1841| <<allocate_slab>> page->freelist = fixup_red_left(s, start);
+ *
+ * 如果redzone被使用了,object的地址要往前移动s->red_left_pad
+ */
 void *fixup_red_left(struct kmem_cache *s, void *p)
 {
+	/*
+	 * 修改red_left_pad的地方:
+	 *   - mm/slub.c|5045| <<calculate_sizes>> s->red_left_pad = sizeof(void *);
+	 *   - mm/slub.c|5046| <<calculate_sizes>> s->red_left_pad = ALIGN(s->red_left_pad, s->align);
+	 */
 	if (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE)
 		p += s->red_left_pad;
 
 	return p;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1842| <<get_partial_node>> if (!kmem_cache_has_cpu_partial(s)
+ *   - mm/slub.c|2831| <<__slab_free>> if (kmem_cache_has_cpu_partial(s) && !prior) {
+ *   - mm/slub.c|2888| <<__slab_free>> if (!kmem_cache_has_cpu_partial(s) && unlikely(!prior)) {
+ *   - mm/slub.c|3445| <<set_cpu_partial>> if (!kmem_cache_has_cpu_partial(s))
+ *   - mm/slub.c|4958| <<cpu_partial_store>> if (objects && !kmem_cache_has_cpu_partial(s))
+ *
+ * 使用了CONFIG_SLUB_CPU_PARTIAL的情况下, 当kmem_cache->flags设置了debug的任何flag的时候返回false
+ * 没有CONFIG_SLUB_CPU_PARTIAL直接返回false
+ * ol支持CONFIG_SLUB_CPU_PARTIAL
+ * 说明用debug的时候不支持kmem_cache_has_cpu_partial
+ */
 static inline bool kmem_cache_has_cpu_partial(struct kmem_cache *s)
 {
+/*
+ * 在ol上使用了CONFIG_SLUB_CPU_PARTIAL
+ */
 #ifdef CONFIG_SLUB_CPU_PARTIAL
+	/*
+	 * 当kmem_cache->flags设置了debug的任何flag的时候返回 true
+	 */
 	return !kmem_cache_debug(s);
 #else
 	return false;
@@ -160,6 +303,11 @@ static inline bool kmem_cache_has_cpu_partial(struct kmem_cache *s)
  * Mininum number of partial slabs. These will be left on the partial
  * lists even if they are empty. kmem_cache_shrink may reclaim them.
  */
+/*
+ * 在以下使用MIN_PARTIAL:
+ *   - mm/slub.c|3812| <<set_min_partial>> if (min < MIN_PARTIAL)
+ *   - mm/slub.c|3813| <<set_min_partial>> min = MIN_PARTIAL;
+ */
 #define MIN_PARTIAL 5
 
 /*
@@ -167,6 +315,11 @@ static inline bool kmem_cache_has_cpu_partial(struct kmem_cache *s)
  * The existence of more partial slabs makes kmem_cache_shrink
  * sort the partial list by the number of objects in use.
  */
+/*
+ * 在以下使用MAX_PARTIAL:
+ *   - mm/slub.c|3814| <<set_min_partial>> else if (min > MAX_PARTIAL)
+ *   - mm/slub.c|3815| <<set_min_partial>> min = MAX_PARTIAL;
+ */
 #define MAX_PARTIAL 10
 
 #define DEBUG_DEFAULT_FLAGS (SLAB_CONSISTENCY_CHECKS | SLAB_RED_ZONE | \
@@ -176,6 +329,10 @@ static inline bool kmem_cache_has_cpu_partial(struct kmem_cache *s)
  * These debug flags cannot use CMPXCHG because there might be consistency
  * issues when checking or reading debug information
  */
+/*
+ * 只在以下使用SLAB_NO_CMPXCHG:
+ *   - mm/slub.c|5134| <<kmem_cache_open>> if (system_has_cmpxchg_double() && (s->flags & SLAB_NO_CMPXCHG) == 0)
+ */
 #define SLAB_NO_CMPXCHG (SLAB_CONSISTENCY_CHECKS | SLAB_STORE_USER | \
 				SLAB_TRACE)
 
@@ -185,14 +342,39 @@ static inline bool kmem_cache_has_cpu_partial(struct kmem_cache *s)
  * disabled when slub_debug=O is used and a cache's min order increases with
  * metadata.
  */
+/*
+ * 在以下使用DEBUG_METADATA_FLAGS:
+ *   - mm/slub.c|5125| <<kmem_cache_open>> s->flags &= ~DEBUG_METADATA_FLAGS;
+ *   - mm/slub.c|7322| <<sysfs_slab_add>> (slub_debug & DEBUG_METADATA_FLAGS))
+ */
 #define DEBUG_METADATA_FLAGS (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER)
 
 #define OO_SHIFT	16
+/*
+ * 低16位都是1
+ */
 #define OO_MASK		((1 << OO_SHIFT) - 1)
 #define MAX_OBJS_PER_PAGE	32767 /* since page.objects is u15 */
 
 /* Internal SLUB flags */
+/*
+ * 在以下使用__OBJECT_POISON:
+ *   - mm/slub.c|950| <<init_object>> if (s->flags & __OBJECT_POISON) {
+ *   - mm/slub.c|1116| <<check_object>> if (val != SLUB_RED_ACTIVE && (s->flags & __OBJECT_POISON) &&
+ *   - mm/slub.c|1324| <<setup_object_debug>> if (!(s->flags & (SLAB_STORE_USER|SLAB_RED_ZONE|__OBJECT_POISON)))
+ *   - mm/slub.c|3877| <<calculate_sizes>> s->flags |= __OBJECT_POISON;
+ *   - mm/slub.c|3879| <<calculate_sizes>> s->flags &= ~__OBJECT_POISON;
+ */
 #define __OBJECT_POISON		0x80000000UL /* Poison object */
+/*
+ * 在以下使用__CMPXCHG_DOUBLE:
+ *   - mm/slub.c|548| <<__cmpxchg_double_slab>> if (s->flags & __CMPXCHG_DOUBLE) {
+ *   - mm/slub.c|588| <<cmpxchg_double_slab>> if (s->flags & __CMPXCHG_DOUBLE) {
+ *   - mm/slub.c|4008| <<kmem_cache_open>> s->flags |= __CMPXCHG_DOUBLE;
+ *   - mm/slub.c|5543| <<sanity_checks_store>> s->flags &= ~__CMPXCHG_DOUBLE;
+ *   - mm/slub.c|5568| <<trace_store>> s->flags &= ~__CMPXCHG_DOUBLE;
+ *   - mm/slub.c|5628| <<store_user_store>> s->flags &= ~__CMPXCHG_DOUBLE;
+ */
 #define __CMPXCHG_DOUBLE	0x40000000UL /* Use cmpxchg_double */
 
 /*
@@ -209,6 +391,19 @@ struct track {
 	unsigned long when;	/* When did the operation occur */
 };
 
+/*
+ * 在以下使用TRACK_ALLOC:
+ *   - mm/slub.c|799| <<init_tracking>> set_track(s, object, TRACK_ALLOC, 0UL);
+ *   - mm/slub.c|836| <<print_tracking>> print_track("Allocated", get_track(s, object, TRACK_ALLOC));
+ *   - mm/slub.c|1368| <<alloc_debug_processing>> set_track(s, object, TRACK_ALLOC, addr);
+ *   - mm/slub.c|5659| <<alloc_calls_show>> return list_locations(s, buf, TRACK_ALLOC);
+ *
+ * 在以下使用TRACK_FREE:
+ *   - mm/slub.c|798| <<init_tracking>> set_track(s, object, TRACK_FREE, 0UL);
+ *   - mm/slub.c|837| <<print_tracking>> print_track("Freed", get_track(s, object, TRACK_FREE));
+ *   - mm/slub.c|1448| <<free_debug_processing>> set_track(s, object, TRACK_FREE, addr);
+ *   - mm/slub.c|5667| <<free_calls_show>> return list_locations(s, buf, TRACK_FREE);
+ */
 enum track_item { TRACK_ALLOC, TRACK_FREE };
 
 #ifdef CONFIG_SYSFS
@@ -224,6 +419,41 @@ static inline void memcg_propagate_slab_attrs(struct kmem_cache *s) { }
 static inline void sysfs_slab_remove(struct kmem_cache *s) { }
 #endif
 
+/*
+ * called by:
+ *   - mm/slub.c|568| <<__cmpxchg_double_slab>> stat(s, CMPXCHG_DOUBLE_FAIL);
+ *   - mm/slub.c|613| <<cmpxchg_double_slab>> stat(s, CMPXCHG_DOUBLE_FAIL);
+ *   - mm/slub.c|1859| <<allocate_slab>> stat(s, ORDER_FALLBACK);
+ *   - mm/slub.c|2120| <<get_partial_node>> stat(s, ALLOC_FROM_PARTIAL);
+ *   - mm/slub.c|2124| <<get_partial_node>> stat(s, CPU_PARTIAL_NODE);
+ *   - mm/slub.c|2280| <<note_cmpxchg_failure>> stat(s, CMPXCHG_DOUBLE_CPU_FAIL);
+ *   - mm/slub.c|2314| <<deactivate_slab>> stat(s, DEACTIVATE_REMOTE_FREES);
+ *   - mm/slub.c|2416| <<deactivate_slab>> stat(s, tail);
+ *   - mm/slub.c|2420| <<deactivate_slab>> stat(s, DEACTIVATE_FULL);
+ *   - mm/slub.c|2437| <<deactivate_slab>> stat(s, DEACTIVATE_EMPTY);
+ *   - mm/slub.c|2439| <<deactivate_slab>> stat(s, FREE_SLAB);
+ *   - mm/slub.c|2496| <<unfreeze_partials>> stat(s, FREE_ADD_PARTIAL);
+ *   - mm/slub.c|2507| <<unfreeze_partials>> stat(s, DEACTIVATE_EMPTY);
+ *   - mm/slub.c|2509| <<unfreeze_partials>> stat(s, FREE_SLAB);
+ *   - mm/slub.c|2551| <<put_cpu_partial>> stat(s, CPU_PARTIAL_DRAIN);
+ *   - mm/slub.c|2577| <<flush_slab>> stat(s, CPUSLAB_FLUSH);
+ *   - mm/slub.c|2746| <<new_slab_objects>> stat(s, ALLOC_SLAB);
+ *   - mm/slub.c|2842| <<___slab_alloc>> stat(s, ALLOC_NODE_MISMATCH);
+ *   - mm/slub.c|2867| <<___slab_alloc>> stat(s, DEACTIVATE_BYPASS);
+ *   - mm/slub.c|2871| <<___slab_alloc>> stat(s, ALLOC_REFILL);
+ *   - mm/slub.c|2890| <<___slab_alloc>> stat(s, CPU_PARTIAL_ALLOC);
+ *   - mm/slub.c|3010| <<slab_alloc_node>> stat(s, ALLOC_SLOWPATH);
+ *   - mm/slub.c|3045| <<slab_alloc_node>> stat(s, ALLOC_FASTPATH);
+ *   - mm/slub.c|3150| <<__slab_free>> stat(s, FREE_SLOWPATH);
+ *   - mm/slub.c|3212| <<__slab_free>> stat(s, CPU_PARTIAL_FREE);
+ *   - mm/slub.c|3219| <<__slab_free>> stat(s, FREE_FROZEN);
+ *   - mm/slub.c|3234| <<__slab_free>> stat(s, FREE_ADD_PARTIAL);
+ *   - mm/slub.c|3245| <<__slab_free>> stat(s, FREE_REMOVE_PARTIAL);
+ *   - mm/slub.c|3252| <<__slab_free>> stat(s, FREE_SLAB);
+ *   - mm/slub.c|3332| <<do_slab_free>> stat(s, FREE_FASTPATH);
+ *
+ * 一定要激活CONFIG_SLUB_STATS才行!!!
+ */
 static inline void stat(const struct kmem_cache *s, enum stat_item si)
 {
 #ifdef CONFIG_SLUB_STATS
@@ -244,6 +474,9 @@ static inline void stat(const struct kmem_cache *s, enum stat_item si)
  * with an XOR of the address where the pointer is held and a per-cache
  * random number.
  */
+/*
+ * 没有CONFIG_SLAB_FREELIST_HARDENED(uek4不支持)就返回ptr
+ */
 static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
 				 unsigned long ptr_addr)
 {
@@ -255,6 +488,14 @@ static inline void *freelist_ptr(const struct kmem_cache *s, void *ptr,
 }
 
 /* Returns the freelist pointer recorded at location ptr_addr. */
+/*
+ * called by:
+ *   - mm/slub.c|495| <<get_freepointer>> return freelist_dereference(s, object + s->offset);
+ *   - mm/slub.c|505| <<prefetch_freepointer>> prefetch(freelist_dereference(s, object + s->offset));
+ *
+ * 没有CONFIG_SLAB_FREELIST_HARDENED(uek4不支持)就返回ptr_addr
+ * Returns the freelist pointer recorded at location ptr_addr.
+ */
 static inline void *freelist_dereference(const struct kmem_cache *s,
 					 void *ptr_addr)
 {
@@ -262,30 +503,97 @@ static inline void *freelist_dereference(const struct kmem_cache *s,
 			    (unsigned long)ptr_addr);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|318| <<get_freepointer_safe>> return get_freepointer(s, object);
+ *   - mm/slub.c|519| <<get_map>> for (p = page->freelist; p; p = get_freepointer(s, p))
+ *   - mm/slub.c|728| <<print_trailer>> p, p - addr, get_freepointer(s, p));
+ *   - mm/slub.c|966| <<check_object>> if (!check_valid_pointer(s, page, get_freepointer(s, p))) {
+ *   - mm/slub.c|1041| <<on_freelist>> fp = get_freepointer(s, object);
+ *   - mm/slub.c|1267| <<free_debug_processing>> object = get_freepointer(s, object);
+ *   - mm/slub.c|1445| <<slab_free_hook>> freeptr = get_freepointer(s, x);
+ *   - mm/slub.c|2114| <<deactivate_slab>> while (freelist && (nextfree = get_freepointer(s, freelist))) {
+ *   - mm/slub.c|2665| <<___slab_alloc>> c->freelist = get_freepointer(s, freelist);
+ *   - mm/slub.c|2696| <<___slab_alloc>> deactivate_slab(s, page, get_freepointer(s, freelist), c);
+ *   - mm/slub.c|3316| <<kmem_cache_alloc_bulk>> c->freelist = get_freepointer(s, object);
+ *   - mm/slub.c|3525| <<early_kmem_cache_node_alloc>> page->freelist = get_freepointer(kmem_cache_node, n);
+ *
+ * 没有CONFIG_SLAB_FREELIST_HARDENED(uek4不支持)就返回object + s->offset
+ * Returns the freelist pointer recorded at location ptr_addr.
+ */
 static inline void *get_freepointer(struct kmem_cache *s, void *object)
 {
+	/*
+	 * s->offset: Free pointer offset
+	 * 就是在calculate_sizes()设置, 在以下条件设置:
+	 * 4898         if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
+	 * 4899                 s->ctor)) {
+	 * 当slub_debug=ZUF(没有P)的时候, kmalloc-128的s->offset=0
+	 * 当slub_debug=PZUF(有P)的时候, kmalloc-128的s->offset=136
+	 */
 	return freelist_dereference(s, object + s->offset);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2757| <<slab_alloc_node>> prefetch_freepointer(s, next_object);
+ */
 static void prefetch_freepointer(const struct kmem_cache *s, void *object)
 {
+	/*
+	 * freelist_dereference():
+	 * 没有CONFIG_SLAB_FREELIST_HARDENED(uek4不支持)就返回object + s->offset
+	 */
 	if (object)
 		prefetch(freelist_dereference(s, object + s->offset));
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2733| <<slab_alloc_node>> void *next_object = get_freepointer_safe(s, object);
+ *
+ * 核心思想是没有CONFIG_SLAB_FREELIST_HARDENED(uek4不支持)就返回object + s->offset的值
+ * 也就是Returns the freelist pointer recorded at location ptr_addr.
+ */
 static inline void *get_freepointer_safe(struct kmem_cache *s, void *object)
 {
 	unsigned long freepointer_addr;
 	void *p;
 
+	/*
+	 * 如果没有debug
+	 *
+	 * object理论是c->freelist
+	 *
+	 * get_freepointer(s, object):
+	 * 没有CONFIG_SLAB_FREELIST_HARDENED(uek4不支持)就返回object + s->offset
+	 */
 	if (!debug_pagealloc_enabled())
 		return get_freepointer(s, object);
 
 	freepointer_addr = (unsigned long)object + s->offset;
 	probe_kernel_read(&p, (void **)freepointer_addr, sizeof(p));
+	/* 没有CONFIG_SLAB_FREELIST_HARDENED(uek4不支持)就返回ptr */
 	return freelist_ptr(s, p, freepointer_addr);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1249| <<check_object>> set_freepointer(s, p, NULL);
+ *   - mm/slub.c|1312| <<on_freelist>> set_freepointer(s, object, NULL);
+ *   - mm/slub.c|1906| <<shuffle_freelist>> set_freepointer(s, cur, next);
+ *   - mm/slub.c|1910| <<shuffle_freelist>> set_freepointer(s, cur, NULL);
+ *   - mm/slub.c|1989| <<allocate_slab>> set_freepointer(s, p, p + s->size);
+ *   - mm/slub.c|1991| <<allocate_slab>> set_freepointer(s, p, NULL);
+ *   - mm/slub.c|2439| <<deactivate_slab>> set_freepointer(s, freelist, prior);
+ *   - mm/slub.c|2476| <<deactivate_slab>> set_freepointer(s, freelist, old.freelist);
+ *   - mm/slub.c|3273| <<__slab_free>> set_freepointer(s, tail, prior);
+ *   - mm/slub.c|3423| <<do_slab_free>> set_freepointer(s, tail_obj, c->freelist);
+ *   - mm/slub.c|3558| <<build_detached_freelist>> set_freepointer(df->s, object, NULL);
+ *   - mm/slub.c|3572| <<build_detached_freelist>> set_freepointer(df->s, object, df->freelist);
+ *
+ * 核心思想是设置object + s->offset的值为fp
+ */
 static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)
 {
 	unsigned long freeptr_addr = (unsigned long)object + s->offset;
@@ -298,27 +606,72 @@ static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp)
 }
 
 /* Loop over all objects in a slab */
+/*
+ * called by:
+ *   - mm/slub.c|2043| <<__free_slab>> for_each_object(p, s, page_address(page),
+ *   - mm/slub.c|4169| <<list_slab_objects>> for_each_object(p, s, addr, page->objects) {
+ *   - mm/slub.c|4892| <<validate_slab>> for_each_object(p, s, addr, page->objects) {
+ *   - mm/slub.c|4898| <<validate_slab>> for_each_object(p, s, addr, page->objects)
+ *   - mm/slub.c|5118| <<process_slab>> for_each_object(p, s, addr, page->objects)
+ *
+ * Loop over all objects in a slab
+ */
 #define for_each_object(__p, __s, __addr, __objects) \
 	for (__p = fixup_red_left(__s, __addr); \
 		__p < (__addr) + (__objects) * (__s)->size; \
 		__p += (__s)->size)
 
+/*
+ * called by:
+ *   - mm/slub.c|1986| <<allocate_slab>> for_each_object_idx(p, idx, s, start, page->objects) {
+ */
 #define for_each_object_idx(__p, __idx, __s, __addr, __objects) \
 	for (__p = fixup_red_left(__s, __addr), __idx = 1; \
 		__idx <= __objects; \
 		__p += (__s)->size, __idx++)
 
 /* Determine object index from a given position */
+/*
+ * called by:
+ *   - mm/slub.c|464| <<get_map>> set_bit(slab_index(p, s, addr), map);
+ *   - mm/slub.c|3662| <<list_slab_objects>> if (!test_bit(slab_index(p, s, addr), map)) {
+ *   - mm/slub.c|4362| <<validate_slab>> if (test_bit(slab_index(p, s, addr), map))
+ *   - mm/slub.c|4368| <<validate_slab>> if (!test_bit(slab_index(p, s, addr), map))
+ *   - mm/slub.c|4569| <<process_slab>> if (!test_bit(slab_index(p, s, addr), map))
+ *
+ * Determine object index from a given position
+ */
 static inline int slab_index(void *p, struct kmem_cache *s, void *addr)
 {
 	return (p - addr) / s->size;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|642| <<oo_make>> (order << OO_SHIFT) + order_objects(order, size, reserved)
+ *   - mm/slub.c|1493| <<check_slab>> maxobj = order_objects(compound_order(page), s->size, s->reserved);
+ *   - mm/slub.c|1552| <<on_freelist>> max_objects = order_objects(compound_order(page), s->size, s->reserved);
+ *   - mm/slub.c|4686| <<slab_order>> if (order_objects(min_order, size, reserved) > MAX_OBJS_PER_PAGE)
+ *   - mm/slub.c|4725| <<calculate_order>> max_objects = order_objects(slub_max_order, size, reserved);
+ *
+ * 返回order表示的page可以存储多少个size大小的object
+ * order表示page的数目
+ * size表示一个object的大小
+ * reserved表示这些page中预留的内存
+ */
 static inline int order_objects(int order, unsigned long size, int reserved)
 {
 	return ((PAGE_SIZE << order) - reserved) / size;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|4113| <<calculate_sizes>> s->oo = oo_make(order, size, s->reserved);
+ *   - mm/slub.c|4114| <<calculate_sizes>> s->min = oo_make(get_order(size), size, s->reserved);
+ *
+ * 低16位是回order表示的page可以存储多少个size大小的object
+ * 高位是用order表示的page的数目
+ */
 static inline struct kmem_cache_order_objects oo_make(int order,
 		unsigned long size, int reserved)
 {
@@ -329,11 +682,19 @@ static inline struct kmem_cache_order_objects oo_make(int order,
 	return x;
 }
 
+/*
+ * 低16位是回order表示的page可以存储多少个size大小的object
+ * 高位是用order表示的page的数目
+ */
 static inline int oo_order(struct kmem_cache_order_objects x)
 {
 	return x.x >> OO_SHIFT;
 }
 
+/*
+ * 低16位是回order表示的page可以存储多少个size大小的object
+ * 高位是用order表示的page的数目
+ */
 static inline int oo_objects(struct kmem_cache_order_objects x)
 {
 	return x.x & OO_MASK;
@@ -342,18 +703,41 @@ static inline int oo_objects(struct kmem_cache_order_objects x)
 /*
  * Per slab locking using the pagelock
  */
+/*
+ * called by:
+ *   - mm/slub.c|698| <<__cmpxchg_double_slab>> slab_lock(page);
+ *   - mm/slub.c|741| <<cmpxchg_double_slab>> slab_lock(page);
+ *   - mm/slub.c|1574| <<free_debug_processing>> slab_lock(page);
+ *   - mm/slub.c|4202| <<list_slab_objects>> slab_lock(page);
+ *   - mm/slub.c|4949| <<validate_slab_slab>> slab_lock(page);
+ */
 static __always_inline void slab_lock(struct page *page)
 {
 	VM_BUG_ON_PAGE(PageTail(page), page);
 	bit_spin_lock(PG_locked, &page->flags);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|703| <<__cmpxchg_double_slab>> slab_unlock(page);
+ *   - mm/slub.c|706| <<__cmpxchg_double_slab>> slab_unlock(page);
+ *   - mm/slub.c|746| <<cmpxchg_double_slab>> slab_unlock(page);
+ *   - mm/slub.c|750| <<cmpxchg_double_slab>> slab_unlock(page);
+ *   - mm/slub.c|1607| <<free_debug_processing>> slab_unlock(page);
+ *   - mm/slub.c|4212| <<list_slab_objects>> slab_unlock(page);
+ *   - mm/slub.c|4951| <<validate_slab_slab>> slab_unlock(page);
+ */
 static __always_inline void slab_unlock(struct page *page)
 {
 	VM_BUG_ON_PAGE(PageTail(page), page);
 	__bit_spin_unlock(PG_locked, &page->flags);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|666| <<__cmpxchg_double_slab>> set_page_slub_counters(page, counters_new);
+ *   - mm/slub.c|709| <<cmpxchg_double_slab>> set_page_slub_counters(page, counters_new);
+ */
 static inline void set_page_slub_counters(struct page *page, unsigned long counters_new)
 {
 	struct page tmp;
@@ -364,12 +748,27 @@ static inline void set_page_slub_counters(struct page *page, unsigned long count
 	 * we run the risk of losing updates to page->_refcount, so
 	 * be careful and only assign to the fields we need.
 	 */
+	/*
+	 * 下面的frozen和inuse等其实和上面的counters属于union关系
+	 */
 	page->frozen  = tmp.frozen;
 	page->inuse   = tmp.inuse;
 	page->objects = tmp.objects;
 }
 
 /* Interrupts must be disabled (for the fallback code to work right) */
+/*
+ * called by:
+ *   - mm/slub.c|1832| <<acquire_slab>> if (!__cmpxchg_double_slab(s, page,
+ *   - mm/slub.c|2087| <<deactivate_slab>> } while (!__cmpxchg_double_slab(s, page,
+ *   - mm/slub.c|2176| <<deactivate_slab>> if (!__cmpxchg_double_slab(s, page,
+ *   - mm/slub.c|2235| <<unfreeze_partials>> } while (!__cmpxchg_double_slab(s, page,
+ *   - mm/slub.c|2534| <<get_freelist>> } while (!__cmpxchg_double_slab(s, page,
+ *
+ * 我们期待__cmpxchg_double_slab()返回true, 不希望false
+ * 核心思想是判断page->freelist和page->counters是否和old的相等
+ * 如果相等,则吧page->freelist和page->counters都更新成新的
+ */
 static inline bool __cmpxchg_double_slab(struct kmem_cache *s, struct page *page,
 		void *freelist_old, unsigned long counters_old,
 		void *freelist_new, unsigned long counters_new,
@@ -407,6 +806,14 @@ static inline bool __cmpxchg_double_slab(struct kmem_cache *s, struct page *page
 	return false;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2938| <<__slab_free>> } while (!cmpxchg_double_slab(s, page,
+ *
+ * 我们期待cmpxchg_double_slab()返回true, 不希望false
+ * 核心思想是判断page->freelist和page->counters是否和old的相等
+ * 如果相等,则吧page->freelist和page->counters都更新成新的
+ */
 static inline bool cmpxchg_double_slab(struct kmem_cache *s, struct page *page,
 		void *freelist_old, unsigned long counters_old,
 		void *freelist_new, unsigned long counters_new,
@@ -455,6 +862,15 @@ static inline bool cmpxchg_double_slab(struct kmem_cache *s, struct page *page,
  * Node listlock must be held to guarantee that the page does
  * not vanish from under us.
  */
+/*
+ * called by:
+ *   - mm/slub.c|4204| <<list_slab_objects>> get_map(s, page, map);
+ *   - mm/slub.c|4927| <<validate_slab>> get_map(s, page, map);
+ *   - mm/slub.c|5152| <<process_slab>> get_map(s, page, map);
+ *
+ * 把page中可用的object返回到map对应的bit
+ * Determine a map of object in use on a page.
+ */
 static void get_map(struct kmem_cache *s, struct page *page, unsigned long *map)
 {
 	void *p;
@@ -472,6 +888,10 @@ static inline int size_from_object(struct kmem_cache *s)
 	return s->size;
 }
 
+/*
+ * 如果kmem_cache->flags支持SLAB_RED_ZONE, p往左移动s->red_left_pad
+ * 否则直接返回p
+ */
 static inline void *restore_red_left(struct kmem_cache *s, void *p)
 {
 	if (s->flags & SLAB_RED_ZONE)
@@ -489,7 +909,20 @@ static int slub_debug = DEBUG_DEFAULT_FLAGS;
 static int slub_debug;
 #endif
 
+/*
+ * 在以下使用slub_debug_slabs:
+ *   - mm/slub.c|1675| <<setup_slub_debug>> slub_debug_slabs = str + 1;
+ *   - mm/slub.c|1694| <<kmem_cache_flags>> if (slub_debug && (!slub_debug_slabs || (name &&
+ *   - mm/slub.c|1695| <<kmem_cache_flags>> !strncmp(slub_debug_slabs, name, strlen(slub_debug_slabs)))))
+ */
 static char *slub_debug_slabs;
+/*
+ * 在以下使用:
+ *   - mm/slub.c|1728| <<global>> #define disable_higher_order_debug 0
+ *   - mm/slub.c|1665| <<setup_slub_debug>> disable_higher_order_debug = 1;
+ *   - mm/slub.c|4138| <<kmem_cache_open>> if (disable_higher_order_debug) {
+ *   - mm/slub.c|6279| <<sysfs_slab_add>> if (!unmergeable && disable_higher_order_debug &&
+ */
 static int disable_higher_order_debug;
 
 /*
@@ -498,6 +931,18 @@ static int disable_higher_order_debug;
  * be reported by kasan as a bounds error.  metadata_access_enable() is used
  * to tell kasan that these accesses are OK.
  */
+/*
+ * called by:
+ *   - mm/slub.c|857| <<print_section>> metadata_access_enable();
+ *   - mm/slub.c|910| <<set_track>> metadata_access_enable();
+ *   - mm/slub.c|1115| <<check_bytes_and_report>> metadata_access_enable();
+ *   - mm/slub.c|1212| <<slab_pad_check>> metadata_access_enable();
+ *
+ * slub is about to manipulate internal object metadata.  This memory lies
+ * outside the range of the allocated object, so accessing it would normally
+ * be reported by kasan as a bounds error.  metadata_access_enable() is used
+ * to tell kasan that these accesses are OK.
+ */
 static inline void metadata_access_enable(void)
 {
 	kasan_disable_current();
@@ -513,6 +958,15 @@ static inline void metadata_access_disable(void)
  */
 
 /* Verify that a pointer has an address that is valid within a slab page */
+/*
+ * called by:
+ *   - mm/slub.c|1121| <<check_object>> if (!check_valid_pointer(s, page, get_freepointer(s, p))) {
+ *   - mm/slub.c|1181| <<on_freelist>> if (!check_valid_pointer(s, page, fp)) {
+ *   - mm/slub.c|1317| <<alloc_consistency_checks>> if (!check_valid_pointer(s, page, object)) {
+ *   - mm/slub.c|1365| <<free_consistency_checks>> if (!check_valid_pointer(s, page, object)) {
+ *
+ * 核心思想是判断一个object是否在page范围内, 而且object的地址是align正确的地址
+ */
 static inline int check_valid_pointer(struct kmem_cache *s,
 				struct page *page, void *object)
 {
@@ -522,6 +976,10 @@ static inline int check_valid_pointer(struct kmem_cache *s,
 		return 1;
 
 	base = page_address(page);
+	/*
+	 * 如果kmem_cache->flags支持SLAB_RED_ZONE, p往左移动s->red_left_pad
+	 * 否则直接返回p
+	 */
 	object = restore_red_left(s, object);
 	if (object < base || object >= base + page->objects * s->size ||
 		(object - base) % s->size) {
@@ -531,33 +989,93 @@ static inline int check_valid_pointer(struct kmem_cache *s,
 	return 1;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1035| <<print_trailer>> print_section(KERN_ERR, "Redzone ", p - s->red_left_pad,
+ *   - mm/slub.c|1038| <<print_trailer>> print_section(KERN_ERR, "Bytes b4 ", p - 16, 16);
+ *   - mm/slub.c|1040| <<print_trailer>> print_section(KERN_ERR, "Object ", p,
+ *   - mm/slub.c|1043| <<print_trailer>> print_section(KERN_ERR, "Redzone ", p + s->object_size,
+ *   - mm/slub.c|1058| <<print_trailer>> print_section(KERN_ERR, "Padding ", p + off,
+ *   - mm/slub.c|1221| <<slab_pad_check>> print_section(KERN_ERR, "Padding ", end - remainder, remainder);
+ *   - mm/slub.c|1393| <<trace>> print_section(KERN_INFO, "Object ", (void *)object,
+ *
+ * print_section()没有任何修改功能, 就是打印一些hex
+ */
 static void print_section(char *level, char *text, u8 *addr,
 			  unsigned int length)
 {
+	/*
+	 * slub is about to manipulate internal object metadata.  This memory lies
+	 * outside the range of the allocated object, so accessing it would normally
+	 * be reported by kasan as a bounds error.  metadata_access_enable() is used
+	 * to tell kasan that these accesses are OK.
+	 */
 	metadata_access_enable();
 	print_hex_dump(level, text, DUMP_PREFIX_ADDRESS, 16, 1, addr,
 			length, 1);
 	metadata_access_disable();
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|899| <<set_track>> struct track *p = get_track(s, object, alloc);
+ *   - mm/slub.c|978| <<print_tracking>> print_track("Allocated", get_track(s, object, TRACK_ALLOC));
+ *   - mm/slub.c|979| <<print_tracking>> print_track("Freed", get_track(s, object, TRACK_FREE));
+ *   - mm/slub.c|5156| <<process_slab>> add_location(t, s, get_track(s, p, alloc));
+ */
 static struct track *get_track(struct kmem_cache *s, void *object,
 	enum track_item alloc)
 {
 	struct track *p;
 
+	/*
+	 * 设置kmem_cache->offset的地方:
+	 *   - mm/slub.c|4905| <<calculate_sizes>> s->offset = size;
+	 *   - mm/slub.c|5000| <<kmem_cache_open>> s->offset = 0
+	 *
+	 * 就是在calculate_sizes()设置, 在以下条件设置:
+	 * 4898         if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
+	 * 4899                 s->ctor)) {
+	 * 当slub_debug=ZUF(没有P)的时候, kmalloc-128的s->offset=0
+	 * 当slub_debug=PZUF(有P)的时候, kmalloc-128的s->offset=136
+	 */
 	if (s->offset)
 		p = object + s->offset + sizeof(void *);
 	else
 		p = object + s->inuse;
+	/* inuse是Offset to metadata */
 
 	return p + alloc;
 }
 
+/*
+ * [0] set_track
+ * [0] alloc_debug_processing
+ * [0] ___slab_alloc
+ * [0] __slab_alloc
+ * [0] kmem_cache_alloc
+ * [0] testsys_store
+ * [0] kernfs_fop_write
+ * [0] __vfs_write
+ * [0] vfs_write
+ * [0] SyS_write
+ * [0] do_syscall_64
+ * [0] entry_SYSCALL_64_after_hwframe
+ *
+ * called by:
+ *   - mm/slub.c|666| <<init_tracking>> set_track(s, object, TRACK_FREE, 0UL);
+ *   - mm/slub.c|667| <<init_tracking>> set_track(s, object, TRACK_ALLOC, 0UL);
+ *   - mm/slub.c|1195| <<alloc_debug_processing>> set_track(s, object, TRACK_ALLOC, addr);
+ *   - mm/slub.c|1275| <<free_debug_processing>> set_track(s, object, TRACK_FREE, addr);
+ */
 static void set_track(struct kmem_cache *s, void *object,
 			enum track_item alloc, unsigned long addr)
 {
 	struct track *p = get_track(s, object, alloc);
 
+	/*
+	 * 注意, init_tracking()进入的时候addr是0
+	 */
 	if (addr) {
 #ifdef CONFIG_STACKTRACE
 		struct stack_trace trace;
@@ -567,6 +1085,12 @@ static void set_track(struct kmem_cache *s, void *object,
 		trace.max_entries = TRACK_ADDRS_COUNT;
 		trace.entries = p->addrs;
 		trace.skip = 3;
+		/*
+		 * slub is about to manipulate internal object metadata.  This memory lies
+		 * outside the range of the allocated object, so accessing it would normally
+		 * be reported by kasan as a bounds error.  metadata_access_enable() is used
+		 * to tell kasan that these accesses are OK.
+		 */
 		metadata_access_enable();
 		save_stack_trace(&trace);
 		metadata_access_disable();
@@ -587,15 +1111,28 @@ static void set_track(struct kmem_cache *s, void *object,
 		memset(p, 0, sizeof(struct track));
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1163| <<setup_object_debug>> init_tracking(s, object);
+ *   - mm/slub.c|3546| <<early_kmem_cache_node_alloc>> init_tracking(kmem_cache_node, n);
+ */
 static void init_tracking(struct kmem_cache *s, void *object)
 {
 	if (!(s->flags & SLAB_STORE_USER))
 		return;
 
+	/*
+	 * set_track()最后一个参数是0的时候, 直接把struct track给memset成0
+	 */
 	set_track(s, object, TRACK_FREE, 0UL);
 	set_track(s, object, TRACK_ALLOC, 0UL);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|711| <<print_tracking>> print_track("Allocated", get_track(s, object, TRACK_ALLOC));
+ *   - mm/slub.c|712| <<print_tracking>> print_track("Freed", get_track(s, object, TRACK_FREE));
+ */
 static void print_track(const char *s, struct track *t)
 {
 	if (!t->addr)
@@ -615,6 +1152,11 @@ static void print_track(const char *s, struct track *t)
 #endif
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|738| <<print_trailer>> print_tracking(s, p);
+ *   - mm/slub.c|3851| <<list_slab_objects>> print_tracking(s, p);
+ */
 static void print_tracking(struct kmem_cache *s, void *object)
 {
 	if (!(s->flags & SLAB_STORE_USER))
@@ -624,6 +1166,13 @@ static void print_tracking(struct kmem_cache *s, void *object)
 	print_track("Freed", get_track(s, object, TRACK_FREE));
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1102| <<print_trailer>> print_page_info(page);
+ *   - mm/slub.c|1154| <<slab_err>> print_page_info(page);
+ *
+ * 就是用pr_err()打印page的信息
+ */
 static void print_page_info(struct page *page)
 {
 	pr_err("INFO: Slab 0x%p objects=%u used=%u fp=0x%p flags=0x%04lx\n",
@@ -631,6 +1180,14 @@ static void print_page_info(struct page *page)
 
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1277| <<object_err>> slab_bug(s, "%s", reason);
+ *   - mm/slub.c|1304| <<slab_err>> slab_bug(s, "%s", buf);
+ *   - mm/slub.c|1451| <<check_bytes_and_report>> slab_bug(s, "%s overwritten", what);
+ *
+ * 主要是打印信息
+ */
 static void slab_bug(struct kmem_cache *s, char *fmt, ...)
 {
 	struct va_format vaf;
@@ -647,6 +1204,17 @@ static void slab_bug(struct kmem_cache *s, char *fmt, ...)
 	va_end(args);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1177| <<restore_bytes>> slab_fix(s, "Restoring 0x%p-0x%p=0x%x\n", from, to - 1, data);
+ *   - mm/slub.c|1426| <<on_freelist>> slab_fix(s, "Freelist cleared");
+ *   - mm/slub.c|1444| <<on_freelist>> slab_fix(s, "Number of objects adjusted.");
+ *   - mm/slub.c|1450| <<on_freelist>> slab_fix(s, "Object count adjusted.");
+ *   - mm/slub.c|1595| <<alloc_debug_processing>> slab_fix(s, "Marking all objects used");
+ *   - mm/slub.c|1683| <<free_debug_processing>> slab_fix(s, "Object at 0x%p not freed", object);
+ *
+ * slab_fix()这个函数就是打印一句错误
+ */
 static void slab_fix(struct kmem_cache *s, char *fmt, ...)
 {
 	struct va_format vaf;
@@ -659,6 +1227,11 @@ static void slab_fix(struct kmem_cache *s, char *fmt, ...)
 	va_end(args);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|779| <<object_err>> print_trailer(s, page, object);
+ *   - mm/slub.c|839| <<check_bytes_and_report>> print_trailer(s, page, object);
+ */
 static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
 {
 	unsigned int off;	/* Offset of last byte */
@@ -666,19 +1239,25 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
 
 	print_tracking(s, p);
 
+	/* 就是用pr_err()打印page的信息 */
 	print_page_info(page);
 
 	pr_err("INFO: Object 0x%p @offset=%tu fp=0x%p\n\n",
 	       p, p - addr, get_freepointer(s, p));
 
+	/*
+	 * print_section()没有任何修改功能, 就是打印一些hex
+	 */
 	if (s->flags & SLAB_RED_ZONE)
 		print_section(KERN_ERR, "Redzone ", p - s->red_left_pad,
 			      s->red_left_pad);
 	else if (p > addr + 16)
 		print_section(KERN_ERR, "Bytes b4 ", p - 16, 16);
 
+	/* print_section()没有任何修改功能, 就是打印一些hex */
 	print_section(KERN_ERR, "Object ", p,
 		      min_t(unsigned long, s->object_size, PAGE_SIZE));
+	/* print_section()没有任何修改功能, 就是打印一些hex */
 	if (s->flags & SLAB_RED_ZONE)
 		print_section(KERN_ERR, "Redzone ", p + s->object_size,
 			s->inuse - s->object_size);
@@ -695,12 +1274,21 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
 
 	if (off != size_from_object(s))
 		/* Beginning of the filler is the free pointer */
+		/* print_section()没有任何修改功能, 就是打印一些hex */
 		print_section(KERN_ERR, "Padding ", p + off,
 			      size_from_object(s) - off);
 
 	dump_stack();
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1539| <<check_object>> object_err(s, page, p, "Freepointer corrupt");
+ *   - mm/slub.c|1611| <<on_freelist>> object_err(s, page, object,
+ *   - mm/slub.c|1879| <<alloc_consistency_checks>> object_err(s, page, object, "Freelist Pointer check fails");
+ *   - mm/slub.c|1974| <<free_consistency_checks>> object_err(s, page, object, "Object already free");
+ *   - mm/slub.c|1990| <<free_consistency_checks>> object_err(s, page, object,
+ */
 void object_err(struct kmem_cache *s, struct page *page,
 			u8 *object, char *reason)
 {
@@ -708,6 +1296,22 @@ void object_err(struct kmem_cache *s, struct page *page,
 	print_trailer(s, page, object);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1444| <<slab_pad_check>> slab_err(s, page, "Padding overwritten. 0x%p-0x%p", fault, end - 1);
+ *   - mm/slub.c|1566| <<check_slab>> slab_err(s, page, "Not a valid slab page");
+ *   - mm/slub.c|1572| <<check_slab>> slab_err(s, page, "objects %u > max %u",
+ *   - mm/slub.c|1577| <<check_slab>> slab_err(s, page, "inuse %u > max %u",
+ *   - mm/slub.c|1615| <<on_freelist>> slab_err(s, page, "Freepointer corrupt");
+ *   - mm/slub.c|1634| <<on_freelist>> slab_err(s, page, "Wrong number of objects. Found %d but should be %d",
+ *   - mm/slub.c|1640| <<on_freelist>> slab_err(s, page, "Wrong object count. Counter is %d but counted were %d",
+ *   - mm/slub.c|1966| <<free_consistency_checks>> slab_err(s, page, "Invalid object pointer 0x%p", object);
+ *   - mm/slub.c|1983| <<free_consistency_checks>> slab_err(s, page, "Attempt to free object(0x%p) outside of slab",
+ *   - mm/slub.c|2075| <<free_debug_processing>> slab_err(s, page, "Bulk freelist count(%d) invalid(%d)\n",
+ *   - mm/slub.c|5262| <<list_slab_objects>> slab_err(s, page, text, s->name);
+ *
+ * slab_err()这个函数除了打印log还打印page信息和callstack, 病没有fix/restore行为
+ */
 static __printf(3, 4) void slab_err(struct kmem_cache *s, struct page *page,
 			const char *fmt, ...)
 {
@@ -722,14 +1326,95 @@ static __printf(3, 4) void slab_err(struct kmem_cache *s, struct page *page,
 	dump_stack();
 }
 
+/*
+ * s->offset是从object base (不是red left base)开始到达下一个fp的距离
+ * s->inuse似乎也是这个意思??
+ *
+ * "kmalloc-128"在slub_debug=PZUF下的layout:
+ * s->offset和s->inuse都是136
+ *
+ * -----------------
+ * 8 (red left pad)
+ * 128 (object)
+ * 8 (redzone pad)
+ * 8 (fp)
+ * 304 (track)
+ * 8 (padding, 尽力防止track或者fp被overwrite)
+ * -----------------
+ * 8 (red left pad)
+ * 128 (object)
+ * 8 (redzone pad)
+ * 8 (fp)
+ * 304 (track)
+ * 8 (padding, 尽力防止track或者fp被overwrite)
+ * -----------------
+ * 8 (red left pad)
+ * 128 (object)
+ * 8 (redzone pad)
+ * 8 (fp)
+ * 304 (track)
+ * 8 (padding, 尽力防止track或者fp被overwrite)
+ * -----------------
+ *
+ * Object layout:
+ *
+ * object address
+ *      Bytes of the object to be managed.
+ *      If the freepointer may overlay the object then the free
+ *      pointer is the first word of the object.
+ *
+ *      Poisoning uses 0x6b (POISON_FREE) and the last byte is
+ *      0xa5 (POISON_END)
+ *
+ * object + s->object_size
+ *      Padding to reach word boundary. This is also used for Redzoning.
+ *      Padding is extended by another word if Redzoning is enabled and
+ *      object_size == inuse.
+ *
+ *      We fill with 0xbb (RED_INACTIVE) for inactive objects and with
+ *      0xcc (RED_ACTIVE) for objects in use.
+ *
+ * object + s->inuse
+ *      Meta data starts here.
+ *
+ *      A. Free pointer (if we cannot overwrite object on free)
+ *      B. Tracking data for SLAB_STORE_USER
+ *      C. Padding to reach required alignment boundary or at mininum
+ *              one word if debugging is on to be able to detect writes
+ *              before the word boundary.
+ *
+ *      Padding is done using 0x5a (POISON_INUSE)
+ *
+ * object + s->size
+ *      Nothing is used beyond s->size.
+ *
+ * If slabcaches are merged then the object_size and inuse boundaries are mostly
+ * ignored. And therefore no slab options that rely on these boundaries
+ * may be used with merged slabcaches.
+ *
+ * called by:
+ *   - mm/slub.c|1565| <<setup_object_debug>> init_object(s, object, SLUB_RED_INACTIVE);
+ *   - mm/slub.c|1608| <<alloc_debug_processing>> init_object(s, object, SLUB_RED_ACTIVE);
+ *   - mm/slub.c|1689| <<free_debug_processing>> init_object(s, object, SLUB_RED_INACTIVE);
+ *   - mm/slub.c|3990| <<early_kmem_cache_node_alloc>> init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
+ *
+ * 根据有没有SLAB_RED_ZONE和__OBJECT_POISON初始化embed的数据
+ */
 static void init_object(struct kmem_cache *s, void *object, u8 val)
 {
 	u8 *p = object;
 
+	/*
+	 * object的左边设置成val (SLUB_RED_ACTIVE或者SLUB_RED_INACTIVE)
+	 */
 	if (s->flags & SLAB_RED_ZONE)
 		memset(p - s->red_left_pad, val, s->red_left_pad);
 
+	/*
+	 * 把object涂抹成POISON_FREE (最后是POISON_END)
+	 */
 	if (s->flags & __OBJECT_POISON) {
+		/* object_size是The size of an object without meta data */
 		memset(p, POISON_FREE, s->object_size - 1);
 		p[s->object_size - 1] = POISON_END;
 	}
@@ -738,13 +1423,34 @@ static void init_object(struct kmem_cache *s, void *object, u8 val)
 		memset(p + s->object_size, val, s->inuse - s->object_size);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1226| <<check_bytes_and_report>> restore_bytes(s, what, value, fault, end);
+ *   - mm/slub.c|1319| <<slab_pad_check>> restore_bytes(s, "slab padding", POISON_INUSE, end - remainder, end);
+ *
+ * 先用slab_fix()打印log
+ * 再用memset()来fix/restore数据!!!
+ */
 static void restore_bytes(struct kmem_cache *s, char *message, u8 data,
 						void *from, void *to)
 {
+	/* slab_fix()这个函数就是打印一句错误 */
 	slab_fix(s, "Restoring 0x%p-0x%p=0x%x\n", from, to - 1, data);
+	/* 主要是靠memset()来restore!!! */
 	memset(from, data, to - from);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1285| <<check_pad_bytes>> return check_bytes_and_report(s, page, p, "Object padding",
+ *   - mm/slub.c|1338| <<check_object>> if (!check_bytes_and_report(s, page, object, "Redzone",
+ *   - mm/slub.c|1342| <<check_object>> if (!check_bytes_and_report(s, page, object, "Redzone",
+ *   - mm/slub.c|1347| <<check_object>> check_bytes_and_report(s, page, p, "Alignment padding",
+ *   - mm/slub.c|1355| <<check_object>> (!check_bytes_and_report(s, page, p, "Poison", p,
+ *   - mm/slub.c|1357| <<check_object>> !check_bytes_and_report(s, page, p, "Poison",
+ *
+ * 每一种情况(Redzone或者Poison)都会调用这个函数一次
+ */
 static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
 			u8 *object, char *what,
 			u8 *start, unsigned int value, unsigned int bytes)
@@ -753,6 +1459,11 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
 	u8 *end;
 
 	metadata_access_enable();
+	/*
+	 * 核心思想是Find an unmatching character in an area of memory.
+	 * returns the address of the first character other than @c, or %NULL
+	 * if the whole buffer contains just @c.
+	 */
 	fault = memchr_inv(start, value, bytes);
 	metadata_access_disable();
 	if (!fault)
@@ -762,9 +1473,11 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
 	while (end > fault && end[-1] == value)
 		end--;
 
+	/* 主要是打印信息 */
 	slab_bug(s, "%s overwritten", what);
 	pr_err("INFO: 0x%p-0x%p. First byte 0x%x instead of 0x%x\n",
 					fault, end - 1, fault[0], value);
+	/* 打印log和callstack */
 	print_trailer(s, page, object);
 
 	restore_bytes(s, what, value, fault, end);
@@ -809,6 +1522,10 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
  * may be used with merged slabcaches.
  */
 
+/*
+ * called by:
+ *   - mm/slub.c|1613| <<check_object>> check_pad_bytes(s, page, p);
+ */
 static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
 {
 	unsigned long off = s->inuse;	/* The end of info */
@@ -831,6 +1548,12 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
 }
 
 /* Check the pad bytes at the end of a slab page */
+/*
+ * called by:
+ *   - mm/slub.c|1676| <<check_slab>> slab_pad_check(s, page);
+ *   - mm/slub.c|2294| <<slab_pad_check>> static inline int slab_pad_check(struct kmem_cache *s, struct page *page)
+ *   - mm/slub.c|2759| <<__free_slab>> slab_pad_check(s, page);
+ */
 static int slab_pad_check(struct kmem_cache *s, struct page *page)
 {
 	u8 *start;
@@ -850,6 +1573,11 @@ static int slab_pad_check(struct kmem_cache *s, struct page *page)
 		return 1;
 
 	metadata_access_enable();
+	/*
+	 * 核心思想是Find an unmatching character in an area of memory.
+	 * returns the address of the first character other than @c, or %NULL
+	 * if the whole buffer contains just @c.
+	 */
 	fault = memchr_inv(end - remainder, POISON_INUSE, remainder);
 	metadata_access_disable();
 	if (!fault)
@@ -864,6 +1592,42 @@ static int slab_pad_check(struct kmem_cache *s, struct page *page)
 	return 0;
 }
 
+/*
+ * [0] check_slab
+ * [0] alloc_debug_processing
+ * [0] ___slab_alloc
+ * [0] __slab_alloc
+ * [0] kmem_cache_alloc
+ * [0] jbd2__journal_start
+ * [0] ext4_dirty_inode
+ * [0] __mark_inode_dirty
+ * [0] generic_update_time
+ * [0] file_update_time
+ * [0] __generic_file_write_iter
+ * [0] ext4_file_write_iter
+ * [0] __vfs_write
+ * [0] vfs_write
+ * [0] SyS_write
+ * [0] do_syscall_64
+ * [0] entry_SYSCALL_64_after_hwframe
+ *
+ * [0] check_slab
+ * [0] free_debug_processing
+ * [0] __slab_free
+ * [0] kernfs_fop_write
+ * [0] __vfs_write
+ * [0] vfs_write
+ * [0] SyS_write
+ * [0] do_syscall_64
+ * [0] entry_SYSCALL_64_after_hwframe
+ *
+ * called by:
+ *   - mm/slub.c|1322| <<alloc_consistency_checks>> if (!check_object(s, page, object, SLUB_RED_INACTIVE))
+ *   - mm/slub.c|1375| <<free_consistency_checks>> if (!check_object(s, page, object, SLUB_RED_ACTIVE))
+ *   - mm/slub.c|1914| <<__free_slab>> check_object(s, page, p, SLUB_RED_INACTIVE);
+ *   - mm/slub.c|4754| <<validate_slab>> if (!check_object(s, page, p, SLUB_RED_INACTIVE))
+ *   - mm/slub.c|4760| <<validate_slab>> if (!check_object(s, page, p, SLUB_RED_ACTIVE))
+ */
 static int check_object(struct kmem_cache *s, struct page *page,
 					void *object, u8 val)
 {
@@ -899,6 +1663,11 @@ static int check_object(struct kmem_cache *s, struct page *page,
 		check_pad_bytes(s, page, p);
 	}
 
+	/*
+	 * !!! Object and freepointer overlap. Cannot check
+	 * !!! freepointer while object is allocated.
+	 */
+
 	if (!s->offset && val == SLUB_RED_ACTIVE)
 		/*
 		 * Object and freepointer overlap. Cannot check
@@ -907,6 +1676,13 @@ static int check_object(struct kmem_cache *s, struct page *page,
 		return 1;
 
 	/* Check free pointer validity */
+	/*
+	 * get_freepointer():
+	 * 没有CONFIG_SLAB_FREELIST_HARDENED(uek4不支持)就返回object + s->offset
+	 * Returns the freelist pointer recorded at location ptr_addr.
+	 *
+	 * 核心思想是判断一个object是否在page范围内, 而且object的地址是align正确的地址
+	 */
 	if (!check_valid_pointer(s, page, get_freepointer(s, p))) {
 		object_err(s, page, p, "Freepointer corrupt");
 		/*
@@ -920,6 +1696,14 @@ static int check_object(struct kmem_cache *s, struct page *page,
 	return 1;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1314| <<alloc_consistency_checks>> if (!check_slab(s, page))
+ *   - mm/slub.c|1410| <<free_debug_processing>> if (!check_slab(s, page))
+ *   - mm/slub.c|4744| <<validate_slab>> if (!check_slab(s, page) ||
+ *
+ * 检查某一个page上的object数量是否正确
+ */
 static int check_slab(struct kmem_cache *s, struct page *page)
 {
 	int maxobj;
@@ -951,6 +1735,11 @@ static int check_slab(struct kmem_cache *s, struct page *page)
  * Determine if a certain object on a page is on the freelist. Must hold the
  * slab lock to guarantee that the chains are in a consistent state.
  */
+/*
+ * called by:
+ *   - mm/slub.c|1190| <<free_consistency_checks>> if (on_freelist(s, page, object)) {
+ *   - mm/slub.c|4498| <<validate_slab>> !on_freelist(s, page, NULL))
+ */
 static int on_freelist(struct kmem_cache *s, struct page *page, void *search)
 {
 	int nr = 0;
@@ -962,6 +1751,9 @@ static int on_freelist(struct kmem_cache *s, struct page *page, void *search)
 	while (fp && nr <= page->objects) {
 		if (fp == search)
 			return 1;
+		/*
+		 * 核心思想是判断一个object是否在page范围内, 而且object的地址是align正确的地址
+		 */
 		if (!check_valid_pointer(s, page, fp)) {
 			if (object) {
 				object_err(s, page, object,
@@ -971,12 +1763,14 @@ static int on_freelist(struct kmem_cache *s, struct page *page, void *search)
 				slab_err(s, page, "Freepointer corrupt");
 				page->freelist = NULL;
 				page->inuse = page->objects;
+				/* slab_fix()这个函数就是打印一句错误 */
 				slab_fix(s, "Freelist cleared");
 				return 0;
 			}
 			break;
 		}
 		object = fp;
+		/* 没有CONFIG_SLAB_FREELIST_HARDENED(uek4不支持)就返回object + s->offset */
 		fp = get_freepointer(s, object);
 		nr++;
 	}
@@ -1000,9 +1794,51 @@ static int on_freelist(struct kmem_cache *s, struct page *page, void *search)
 	return search == NULL;
 }
 
+/*
+ * echo 1 > /sys/kernel/slab/kmalloc-128/trace
+ *
+ * [  165.344090] TRACE kmalloc-128 alloc 0xffff9ee275e02578 inuse=17 fp=0x          (null)
+ * [  165.344092] CPU: 1 PID: 15 Comm: kworker/1:0 Not tainted 4.14.113 #4
+ * [  165.344093] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+ * [  165.344096] Workqueue: events_freezable_power_ disk_events_workfn
+ * [  165.344098] Call Trace:
+ * [  165.344102]  dump_stack+0x46/0x64
+ * [  165.344104]  alloc_debug_processing+0xc0/0x127
+ * [  165.344107]  ___slab_alloc+0x476/0x4b0
+ * [  165.344110]  ? scsi_old_init_rq+0xa7/0x170
+ * [  165.344113]  ? bio_alloc_bioset+0x1d0/0x270
+ * [  165.344115]  ? alloc_request_size+0x48/0x60
+ * [  165.344118]  ? mempool_alloc+0x5a/0x150
+ * [  165.344120]  ? bio_alloc_bioset+0x1d0/0x270
+ * [  165.344122]  __slab_alloc+0x9/0xd
+ * [  165.344124]  __kmalloc+0x13b/0x190
+ * [  165.344127]  bio_alloc_bioset+0x1d0/0x270
+ * [  165.344129]  bio_copy_kern+0x62/0x150
+ * [  165.344132]  blk_rq_map_kern+0x63/0x120
+ * [  165.344134]  scsi_execute+0x13c/0x1e0
+ * [  165.344137]  sr_check_events+0xa7/0x290
+ * [  165.344140]  ? __switch_to_asm+0x30/0x60
+ * [  165.344141]  ? __switch_to_asm+0x24/0x60
+ * [  165.344144]  cdrom_check_events+0x15/0x30
+ * [  165.344146]  sr_block_check_events+0x78/0xb0
+ * [  165.344147]  disk_check_events+0x4e/0x130
+ * [  165.344150]  process_one_work+0x139/0x350
+ * [  165.344152]  worker_thread+0x3f/0x3b0
+ * [  165.344155]  kthread+0xfa/0x130
+ * [  165.344156]  ? process_one_work+0x350/0x350
+ * [  165.344158]  ? __kthread_parkme+0x90/0x90
+ * [  165.344160]  ret_from_fork+0x35/0x40
+ *
+ * called by:
+ *   - mm/slub.c|1607| <<alloc_debug_processing>> trace(s, page, object, 1);
+ *   - mm/slub.c|1687| <<free_debug_processing>> trace(s, page, object, 0);
+ */
 static void trace(struct kmem_cache *s, struct page *page, void *object,
 								int alloc)
 {
+	/*
+	 * Trace allocations and frees
+	 */
 	if (s->flags & SLAB_TRACE) {
 		pr_info("TRACE %s %s 0x%p inuse=%d fp=0x%p\n",
 			s->name,
@@ -1021,6 +1857,12 @@ static void trace(struct kmem_cache *s, struct page *page, void *object,
 /*
  * Tracking of fully allocated slabs for debugging purposes.
  */
+/*
+ * called by:
+ *   - mm/slub.c|2763| <<deactivate_slab>> add_full(s, n, page);
+ *
+ * 如果s->flags设置了SLAB_STORE_USER, 则把page->lru加入到kmem_cache_node->full
+ */
 static void add_full(struct kmem_cache *s,
 	struct kmem_cache_node *n, struct page *page)
 {
@@ -1031,6 +1873,14 @@ static void add_full(struct kmem_cache *s,
 	list_add(&page->lru, &n->full);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2753| <<deactivate_slab>> remove_full(s, n, page);
+ *   - mm/slub.c|3574| <<__slab_free>> remove_full(s, n, page);
+ *   - mm/slub.c|3590| <<__slab_free>> remove_full(s, n, page);
+ *
+ * 如果s->flags设置了SLAB_STORE_USER, 则把page->lru从kmem_cache_node->full删除
+ */
 static void remove_full(struct kmem_cache *s, struct kmem_cache_node *n, struct page *page)
 {
 	if (!(s->flags & SLAB_STORE_USER))
@@ -1041,20 +1891,55 @@ static void remove_full(struct kmem_cache *s, struct kmem_cache_node *n, struct
 }
 
 /* Tracking of the number of slabs for debugging purposes */
+/*
+ * called by:
+ *   - mm/slub.c|4456| <<__kmem_cache_shutdown>> if (n->nr_partial || slabs_node(s, node))
+ *   - mm/slub.c|4719| <<__kmem_cache_shrink>> if (slabs_node(s, node))
+ *   - mm/slub.c|4800| <<slab_mem_offline_callback>> BUG_ON(slabs_node(s, offline_node));
+ *
+ * 返回kmem_cache的某个node的slab page的数目?
+ */
 static inline unsigned long slabs_node(struct kmem_cache *s, int node)
 {
 	struct kmem_cache_node *n = get_node(s, node);
 
+	/*
+	 * 增加和减少nr_slabs的地方:
+	 *   - mm/slub.c|1883| <<inc_slabs_node>> atomic_long_inc(&n->nr_slabs);
+	 *   - mm/slub.c|1895| <<dec_slabs_node>> atomic_long_dec(&n->nr_slabs);
+	 *   - mm/slub.c|4935| <<init_kmem_cache_node>> atomic_long_set(&n->nr_slabs, 0);
+	 */
 	return atomic_long_read(&n->nr_slabs);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|3050| <<slab_out_of_memory>> nr_slabs = node_nr_slabs(n);
+ *   - mm/slub.c|6652| <<get_slabinfo>> nr_slabs += node_nr_slabs(n);
+ *
+ * 返回kmem_cache的某个node的slab page的数目?
+ */
 static inline unsigned long node_nr_slabs(struct kmem_cache_node *n)
 {
 	return atomic_long_read(&n->nr_slabs);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2246| <<allocate_slab>> inc_slabs_node(s, page_to_nid(page), page->objects);
+ *   - mm/slub.c|4100| <<early_kmem_cache_node_alloc>> inc_slabs_node(kmem_cache_node, node, page->objects);
+ *
+ * 为kmem_cache的某个node增加:
+ * 1. n->nr_slabs: 某个node的slab page的数目
+ * 2. n->total_objects: 某个node的object的数目
+ */
 static inline void inc_slabs_node(struct kmem_cache *s, int node, int objects)
 {
+	/*
+	 * struct kmem_cache_node *node[MAX_NUMNODES];
+	 *
+	 * 返回s->node[node]
+	 */
 	struct kmem_cache_node *n = get_node(s, node);
 
 	/*
@@ -1068,6 +1953,14 @@ static inline void inc_slabs_node(struct kmem_cache *s, int node, int objects)
 		atomic_long_add(objects, &n->total_objects);
 	}
 }
+/*
+ * called by:
+ *   - mm/slub.c|2336| <<discard_slab>> dec_slabs_node(s, page_to_nid(page), page->objects);
+ *
+ * 为kmem_cache的某个node减少:
+ * 1. n->nr_slabs: 某个node的slab page的数目
+ * 2. n->total_objects: 某个node的object的数目
+ */
 static inline void dec_slabs_node(struct kmem_cache *s, int node, int objects)
 {
 	struct kmem_cache_node *n = get_node(s, node);
@@ -1077,34 +1970,126 @@ static inline void dec_slabs_node(struct kmem_cache *s, int node, int objects)
 }
 
 /* Object debug checks for alloc/free paths */
+/*
+ * [0] setup_object_debug
+ * [0] new_slab
+ * [0] ___slab_alloc
+ * [0] __slab_alloc
+ * [0] kmem_cache_alloc
+ * [0] mempool_alloc
+ * [0] bvec_alloc
+ * [0] bio_alloc_bioset
+ * [0] ext4_bio_write_page
+ * [0] mpage_submit_page
+ * [0] mpage_process_page_bufs
+ * [0] mpage_prepare_extent_to_map
+ * [0] ext4_writepages
+ * [0] do_writepages
+ * [0] __filemap_fdatawrite_range
+ * [0] file_write_and_wait_range
+ * [0] ext4_sync_file
+ * [0] do_fsync
+ * [0] SyS_fsync
+ * [0] do_syscall_64
+ * [0] entry_SYSCALL_64_after_hwframe
+ *
+ * called by:
+ *   - mm/slub.c|1521| <<setup_object>> setup_object_debug(s, page, object);
+ *
+ * 根据有没有SLAB_RED_ZONE和__OBJECT_POISON初始化embed的数据
+ * 再就是init_tracking(s, object);
+ */
 static void setup_object_debug(struct kmem_cache *s, struct page *page,
 								void *object)
 {
 	if (!(s->flags & (SLAB_STORE_USER|SLAB_RED_ZONE|__OBJECT_POISON)))
 		return;
 
+	/*
+	 * init_object()在以下被调用:
+	 *   - mm/slub.c|1565| <<setup_object_debug>> init_object(s, object, SLUB_RED_INACTIVE);
+	 *   - mm/slub.c|1608| <<alloc_debug_processing>> init_object(s, object, SLUB_RED_ACTIVE);
+	 *   - mm/slub.c|1689| <<free_debug_processing>> init_object(s, object, SLUB_RED_INACTIVE);
+	 *   - mm/slub.c|3990| <<early_kmem_cache_node_alloc>> init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
+	 *
+	 * 根据有没有SLAB_RED_ZONE和__OBJECT_POISON初始化embed的数据
+	 */
 	init_object(s, object, SLUB_RED_INACTIVE);
 	init_tracking(s, object);
 }
 
+/*
+ * [0] alloc_consistency_checks
+ * [0] alloc_debug_processing
+ * [0] ___slab_alloc
+ * [0] __slab_alloc
+ * [0] kmem_cache_alloc
+ * [0] __split_vma
+ * [0] mprotect_fixup
+ * [0] do_mprotect_pkey
+ * [0] SyS_mprotect
+ * [0] do_syscall_64
+ * [0] entry_SYSCALL_64_after_hwframe
+ *
+ * called by:
+ *   - mm/slub.c|1337| <<alloc_debug_processing>> if (!alloc_consistency_checks(s, page, object, addr))
+ *
+ * alloc_consistency_checks()
+ *  -> check_valid_pointer(): 核心思想是判断一个object是否在page范围内, 而且object的地址是align正确的地址
+ *  -> check_object()
+ *      -> check_valid_pointer(): 核心思想是判断一个object是否在page范围内, 而且object的地址是align正确的地址(下一个地址)
+ */
 static inline int alloc_consistency_checks(struct kmem_cache *s,
 					struct page *page,
 					void *object, unsigned long addr)
 {
+	/* 检查某一个page上的object数量是否正确 */
 	if (!check_slab(s, page))
 		return 0;
 
+	/* 核心思想是判断一个object是否在page范围内, 而且object的地址是align正确的地址 */
 	if (!check_valid_pointer(s, page, object)) {
 		object_err(s, page, object, "Freelist Pointer check fails");
 		return 0;
 	}
 
+	/*
+	 * 在以下调用check_object():
+	 *   - mm/slub.c|1322| <<alloc_consistency_checks>> if (!check_object(s, page, object, SLUB_RED_INACTIVE))
+	 *   - mm/slub.c|1375| <<free_consistency_checks>> if (!check_object(s, page, object, SLUB_RED_ACTIVE))
+	 *   - mm/slub.c|1914| <<__free_slab>> check_object(s, page, p, SLUB_RED_INACTIVE);
+	 *   - mm/slub.c|4754| <<validate_slab>> if (!check_object(s, page, p, SLUB_RED_INACTIVE))
+	 *   - mm/slub.c|4760| <<validate_slab>> if (!check_object(s, page, p, SLUB_RED_ACTIVE))
+	 */
 	if (!check_object(s, page, object, SLUB_RED_INACTIVE))
 		return 0;
 
 	return 1;
 }
 
+/*
+ * [0] alloc_debug_processing
+ * [0] ___slab_alloc
+ * [0] __slab_alloc
+ * [0] kmem_cache_alloc
+ * [0] jbd2__journal_start
+ * [0] ext4_dirty_inode
+ * [0] __mark_inode_dirty
+ * [0] generic_update_time
+ * [0] file_update_time
+ * [0] ext4_page_mkwrite
+ * [0] do_page_mkwrite
+ * [0] do_wp_page
+ * [0] __handle_mm_fault
+ * [0] handle_mm_fault
+ * [0] __do_page_fault
+ * [0] page_fault
+ *
+ * called by:
+ *   - mm/slub.c|2749| <<___slab_alloc>> !alloc_debug_processing(s, page, freelist, addr))
+ *
+ * 参数中的object是要分配出去的object
+ */
 static noinline int alloc_debug_processing(struct kmem_cache *s,
 					struct page *page,
 					void *object, unsigned long addr)
@@ -1128,6 +2113,7 @@ static noinline int alloc_debug_processing(struct kmem_cache *s,
 		 * to avoid issues in the future. Marking all objects
 		 * as used avoids touching the remaining objects.
 		 */
+		/* slab_fix()这个函数就是打印一句错误 */
 		slab_fix(s, "Marking all objects used");
 		page->inuse = page->objects;
 		page->freelist = NULL;
@@ -1135,14 +2121,39 @@ static noinline int alloc_debug_processing(struct kmem_cache *s,
 	return 0;
 }
 
+/*
+ * [0] free_consistency_checks
+ * [0] free_debug_processing
+ * [0] __slab_free
+ * [0] ext4_ext_map_blocks
+ * [0] ext4_map_blocks
+ * [0] ext4_writepages
+ * [0] do_writepages
+ * [0] __filemap_fdatawrite_range
+ * [0] file_write_and_wait_range
+ * [0] ext4_sync_file
+ * [0] do_fsync
+ * [0] SyS_fsync
+ * [0] do_syscall_64
+ * [0] entry_SYSCALL_64_after_hwframe
+ *
+ * called by:
+ *   - mm/slub.c|1924| <<free_debug_processing>> if (!free_consistency_checks(s, page, object, addr))
+ */
 static inline int free_consistency_checks(struct kmem_cache *s,
 		struct page *page, void *object, unsigned long addr)
 {
+	/*
+	 * 核心思想是判断一个object是否在page范围内, 而且object的地址是align正确的地址
+	 */
 	if (!check_valid_pointer(s, page, object)) {
 		slab_err(s, page, "Invalid object pointer 0x%p", object);
 		return 0;
 	}
 
+	/*
+	 * Determine if a certain object on a page is on the freelist.
+	 */
 	if (on_freelist(s, page, object)) {
 		object_err(s, page, object, "Object already free");
 		return 0;
@@ -1168,6 +2179,27 @@ static inline int free_consistency_checks(struct kmem_cache *s,
 }
 
 /* Supports checking bulk free of a constructed freelist */
+/*
+ * [0] free_debug_processing
+ * [0] __slab_free
+ * [0] kmem_cache_free
+ * [0] jbd2_journal_stop
+ * [0] __ext4_journal_stop
+ * [0] __mark_inode_dirty
+ * [0] generic_update_time
+ * [0] file_update_time
+ * [0] ext4_page_mkwrite
+ * [0] do_page_mkwrite
+ * [0] __handle_mm_fault
+ * [0] handle_mm_fault
+ * [0] __do_page_fault
+ * [0] page_fault
+ *
+ * called by:
+ *   - mm/slub.c|4422| <<__slab_free>> !free_debug_processing(s, page, head, tail, cnt, addr))
+ *
+ * 会检查每一个free的object
+ */
 static noinline int free_debug_processing(
 	struct kmem_cache *s, struct page *page,
 	void *head, void *tail, int bulk_cnt,
@@ -1188,8 +2220,23 @@ static noinline int free_debug_processing(
 	}
 
 next_object:
+	/* cnt初始是0 */
 	cnt++;
 
+	/*
+	 * slub中使用SLAB_CONSISTENCY_CHECKS的例子 (当slub_debug设置了f的时候):
+	 *   - mm/slub.c|313| <<DEBUG_DEFAULT_FLAGS>> #define DEBUG_DEFAULT_FLAGS (SLAB_CONSISTENCY_CHECKS | SLAB_RED_ZONE | \
+	 *   - mm/slub.c|320| <<SLAB_NO_CMPXCHG>> #define SLAB_NO_CMPXCHG (SLAB_CONSISTENCY_CHECKS | SLAB_STORE_USER | \
+	 *   - mm/slub.c|1786| <<alloc_debug_processing>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+	 *   - mm/slub.c|1882| <<free_debug_processing>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+	 *   - mm/slub.c|1890| <<free_debug_processing>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+	 *   - mm/slub.c|1949| <<setup_slub_debug>> slub_debug |= SLAB_CONSISTENCY_CHECKS;
+	 *   - mm/slub.c|2381| <<__free_slab>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+	 *   - mm/slub.c|5988| <<sanity_checks_show>> return sprintf(buf, "%d\n", !!(s->flags & SLAB_CONSISTENCY_CHECKS));
+	 *   - mm/slub.c|5994| <<sanity_checks_store>> s->flags &= ~SLAB_CONSISTENCY_CHECKS;
+	 *   - mm/slub.c|5997| <<sanity_checks_store>> s->flags |= SLAB_CONSISTENCY_CHECKS;
+	 *   - mm/slub.c|6532| <<create_unique_id>> if (s->flags & SLAB_CONSISTENCY_CHECKS)
+	 */
 	if (s->flags & SLAB_CONSISTENCY_CHECKS) {
 		if (!free_consistency_checks(s, page, object, addr))
 			goto out;
@@ -1199,6 +2246,9 @@ static noinline int free_debug_processing(
 		set_track(s, object, TRACK_FREE, addr);
 	trace(s, page, object, 0);
 	/* Freepointer not overwritten by init_object(), SLAB_POISON moved it */
+	/*
+	 * 根据有没有SLAB_RED_ZONE和__OBJECT_POISON初始化embed的数据
+	 */
 	init_object(s, object, SLUB_RED_INACTIVE);
 
 	/* Reached end of constructed freelist yet? */
@@ -1220,6 +2270,10 @@ static noinline int free_debug_processing(
 	return ret;
 }
 
+/*
+ * 仅在以下使用setup_slub_debug():
+ *   - mm/slub.c|2075| <<global>> __setup("slub_debug", setup_slub_debug);
+ */
 static int __init setup_slub_debug(char *str)
 {
 	slub_debug = DEBUG_DEFAULT_FLAGS;
@@ -1236,6 +2290,7 @@ static int __init setup_slub_debug(char *str)
 		 */
 		goto check_slabs;
 
+	/* 这里会reset!!!!! */
 	slub_debug = 0;
 	if (*str == '-')
 		/*
@@ -1288,6 +2343,24 @@ static int __init setup_slub_debug(char *str)
 
 __setup("slub_debug", setup_slub_debug);
 
+/*
+ * 创建kmalloc-128的流程:
+ * [0] kmem_cache_flags
+ * [0] __kmem_cache_create
+ * [0] create_boot_cache
+ * [0] create_kmalloc_cache
+ * [0] new_kmalloc_cache
+ * [0] create_kmalloc_caches
+ * [0] kmem_cache_init
+ * [0] start_kernel
+ * [0] secondary_startup_64
+ *
+ * called by:
+ *   - mm/slab_common.c|307| <<find_mergeable>> flags = kmem_cache_flags(size, flags, name, NULL);
+ *   - mm/slub.c|3769| <<kmem_cache_open>> s->flags = kmem_cache_flags(s->size, flags, s->name, s->ctor);
+ *
+ * 可能会把一些debug flag一起返回
+ */
 unsigned long kmem_cache_flags(unsigned long object_size,
 	unsigned long flags, const char *name,
 	void (*ctor)(void *))
@@ -1295,6 +2368,21 @@ unsigned long kmem_cache_flags(unsigned long object_size,
 	/*
 	 * Enable debugging if selected on the kernel commandline.
 	 */
+	/*
+	 * 在以下使用slub_debug_slabs:
+	 *   - mm/slub.c|1675| <<setup_slub_debug>> slub_debug_slabs = str + 1;
+	 *   - mm/slub.c|1694| <<kmem_cache_flags>> if (slub_debug && (!slub_debug_slabs || (name &&
+	 *   - mm/slub.c|1695| <<kmem_cache_flags>> !strncmp(slub_debug_slabs, name, strlen(slub_debug_slabs)))))
+	 *
+	 * 这里的if语句要满足以下2个条件:
+	 * 1. slub_debug
+	 * 2. 剩下大括号里的(或者条件):
+	 *     !slub_debug_slabs或者
+	 *     name && !strncmp(slub_debug_slabs, name, strlen(slub_debug_slabs))
+	 *
+	 * 也就是说,尽管slub_debug有设置的,但是后面的str的内容不是当前name,
+	 * 就不会为这个name激活
+	 */
 	if (slub_debug && (!slub_debug_slabs || (name &&
 		!strncmp(slub_debug_slabs, name, strlen(slub_debug_slabs)))))
 		flags |= slub_debug;
@@ -1346,18 +2434,31 @@ static inline void dec_slabs_node(struct kmem_cache *s, int node,
  * Hooks for other subsystems that check memory allocations. In a typical
  * production configuration these hooks all should produce no code at all.
  */
+/*
+ * called by:
+ *   - mm/slub.c|4641| <<kmalloc_large_node>> kmalloc_large_node_hook(ptr, size, flags);
+ */
 static inline void kmalloc_large_node_hook(void *ptr, size_t size, gfp_t flags)
 {
 	kmemleak_alloc(ptr, size, 1, flags);
 	kasan_kmalloc_large(ptr, size, flags);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|3893| <<build_detached_freelist>> kfree_hook(object);
+ *   - mm/slub.c|4757| <<kfree>> kfree_hook(x);
+ */
 static inline void kfree_hook(const void *x)
 {
 	kmemleak_free(x);
 	kasan_kfree_large(x);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2118| <<slab_free_freelist_hook>> freeptr = slab_free_hook(s, object);
+ */
 static inline void *slab_free_hook(struct kmem_cache *s, void *x)
 {
 	void *freeptr;
@@ -1390,6 +2491,10 @@ static inline void *slab_free_hook(struct kmem_cache *s, void *x)
 	return freeptr;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|3802| <<slab_free>> slab_free_freelist_hook(s, head, tail);
+ */
 static inline void slab_free_freelist_hook(struct kmem_cache *s,
 					   void *head, void *tail)
 {
@@ -1412,9 +2517,24 @@ static inline void slab_free_freelist_hook(struct kmem_cache *s,
 #endif
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|1640| <<shuffle_freelist>> setup_object(s, page, cur);
+ *   - mm/slub.c|1646| <<shuffle_freelist>> setup_object(s, page, cur);
+ *   - mm/slub.c|1724| <<allocate_slab>> setup_object(s, page, p);
+ *
+ * 核心思想有三部分
+ * 1. 根据有没有SLAB_RED_ZONE和__OBJECT_POISON初始化embed的数据
+ * 2. 再就是init_tracking(s, object);
+ * 3. 最后是kasan的部分
+ */
 static void setup_object(struct kmem_cache *s, struct page *page,
 				void *object)
 {
+	/*
+	 * 根据有没有SLAB_RED_ZONE和__OBJECT_POISON初始化embed的数据
+	 * 再就是init_tracking(s, object);
+	 */
 	setup_object_debug(s, page, object);
 	kasan_init_slab_obj(s, object);
 	if (unlikely(s->ctor)) {
@@ -1427,10 +2547,21 @@ static void setup_object(struct kmem_cache *s, struct page *page,
 /*
  * Slab allocation and freeing
  */
+/*
+ * called by:
+ *   - mm/slub.c|2302| <<allocate_slab>> page = alloc_slab_page(s, alloc_gfp, node, oo);
+ *   - mm/slub.c|2310| <<allocate_slab>> page = alloc_slab_page(s, alloc_gfp, node, oo);
+ *
+ * 核心思想是根据参数的oo(struct kmem_cache_order_objects)计算order, 然后分配page
+ */
 static inline struct page *alloc_slab_page(struct kmem_cache *s,
 		gfp_t flags, int node, struct kmem_cache_order_objects oo)
 {
 	struct page *page;
+	/*
+	 * 低16位是回order表示的page可以存储多少个size大小的object
+	 * 高位是用order表示的page的数目
+	 */
 	int order = oo_order(oo);
 
 	if (node == NUMA_NO_NODE)
@@ -1448,6 +2579,13 @@ static inline struct page *alloc_slab_page(struct kmem_cache *s,
 
 #ifdef CONFIG_SLAB_FREELIST_RANDOM
 /* Pre-initialize the random sequence cache */
+/*
+ * called by:
+ *   - mm/slub.c|2197| <<init_freelist_randomization>> init_cache_random_seq(s);
+ *   - mm/slub.c|4484| <<kmem_cache_open>> if (init_cache_random_seq(s))
+ *
+ * ol不支持CONFIG_SLAB_FREELIST_RANDOM
+ */
 static int init_cache_random_seq(struct kmem_cache *s)
 {
 	int err;
@@ -1473,6 +2611,9 @@ static int init_cache_random_seq(struct kmem_cache *s)
 }
 
 /* Initialize each random sequence freelist per cache */
+/*
+ * ol不支持CONFIG_SLAB_FREELIST_RANDOM
+ */
 static void __init init_freelist_randomization(void)
 {
 	struct kmem_cache *s;
@@ -1486,6 +2627,9 @@ static void __init init_freelist_randomization(void)
 }
 
 /* Get the next entry on the pre-computed freelist randomized */
+/*
+ * ol不支持CONFIG_SLAB_FREELIST_RANDOM
+ */
 static void *next_freelist_entry(struct kmem_cache *s, struct page *page,
 				unsigned long *pos, void *start,
 				unsigned long page_limit,
@@ -1508,6 +2652,12 @@ static void *next_freelist_entry(struct kmem_cache *s, struct page *page,
 }
 
 /* Shuffle the single linked freelist based on a random pre-computed sequence */
+/*
+ * called by:
+ *   - mm/slub.c|1720| <<allocate_slab>> shuffle = shuffle_freelist(s, page);
+ *
+ * ol不支持CONFIG_SLAB_FREELIST_RANDOM
+ */
 static bool shuffle_freelist(struct kmem_cache *s, struct page *page)
 {
 	void *start;
@@ -1542,17 +2692,26 @@ static bool shuffle_freelist(struct kmem_cache *s, struct page *page)
 	return true;
 }
 #else
+/* ol不支持CONFIG_SLAB_FREELIST_RANDOM */
 static inline int init_cache_random_seq(struct kmem_cache *s)
 {
 	return 0;
 }
+/* ol不支持CONFIG_SLAB_FREELIST_RANDOM */
 static inline void init_freelist_randomization(void) { }
+/* ol不支持CONFIG_SLAB_FREELIST_RANDOM */
 static inline bool shuffle_freelist(struct kmem_cache *s, struct page *page)
 {
 	return false;
 }
 #endif /* CONFIG_SLAB_FREELIST_RANDOM */
 
+/*
+ * called by:
+ *   - mm/slub.c|1695| <<new_slab>> return allocate_slab(s,
+ *
+ * 核心思想就是分配一个或者一组struct page, 然后制作好page的layout
+ */
 static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
 {
 	struct page *page;
@@ -1577,6 +2736,11 @@ static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
 	if ((alloc_gfp & __GFP_DIRECT_RECLAIM) && oo_order(oo) > oo_order(s->min))
 		alloc_gfp = (alloc_gfp | __GFP_NOMEMALLOC) & ~(__GFP_RECLAIM|__GFP_NOFAIL);
 
+	/*
+	 * 核心思想是根据参数的oo(struct kmem_cache_order_objects)计算order, 然后分配page
+	 *
+	 * oo来自上面的s->oo
+	 */
 	page = alloc_slab_page(s, alloc_gfp, node, oo);
 	if (unlikely(!page)) {
 		oo = s->min;
@@ -1585,6 +2749,9 @@ static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
 		 * Allocation may have failed due to fragmentation.
 		 * Try a lower order alloc if possible
 		 */
+		/*
+		 * 核心思想是根据参数的oo(struct kmem_cache_order_objects)计算order, 然后分配page
+		 */
 		page = alloc_slab_page(s, alloc_gfp, node, oo);
 		if (unlikely(!page))
 			goto out;
@@ -1606,19 +2773,33 @@ static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
 
 	kasan_poison_slab(page);
 
+	/* ol不支持CONFIG_SLAB_FREELIST_RANDOM */
 	shuffle = shuffle_freelist(s, page);
 
 	if (!shuffle) {
 		for_each_object_idx(p, idx, s, start, page->objects) {
+			/*
+			 * 核心思想有三部分
+			 * 1. 根据有没有SLAB_RED_ZONE和__OBJECT_POISON初始化embed的数据
+			 * 2. 再就是init_tracking(s, object);
+			 * 3. 最后是kasan的部分
+			 */
 			setup_object(s, page, p);
+			/*
+			 * set_freepointer()核心思想是设置object + s->offset的值为fp
+			 */
 			if (likely(idx < page->objects))
 				set_freepointer(s, p, p + s->size);
 			else
 				set_freepointer(s, p, NULL);
 		}
+		/*
+		 * 如果redzone被使用了,object的地址要往前移动s->red_left_pad
+		 */
 		page->freelist = fixup_red_left(s, start);
 	}
 
+	/* struct page结构体中inuse代表已经使用的obj数量 */
 	page->inuse = page->objects;
 	page->frozen = 1;
 
@@ -1638,6 +2819,13 @@ static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
 	return page;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2478| <<new_slab_objects>> page = new_slab(s, flags, node);
+ *   - mm/slub.c|3469| <<early_kmem_cache_node_alloc>> page = new_slab(kmem_cache_node, GFP_NOWAIT, node);
+ *
+ * 核心思想就是分配一个或者一组struct page, 然后制作好page的layout
+ */
 static struct page *new_slab(struct kmem_cache *s, gfp_t flags, int node)
 {
 	if (unlikely(flags & GFP_SLAB_BUG_MASK)) {
@@ -1648,15 +2836,37 @@ static struct page *new_slab(struct kmem_cache *s, gfp_t flags, int node)
 		dump_stack();
 	}
 
+	/* 核心思想就是分配一个或者一组struct page, 然后制作好page的layout */
 	return allocate_slab(s,
 		flags & (GFP_RECLAIM_MASK | GFP_CONSTRAINT_MASK), node);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2507| <<rcu_free_slab>> __free_slab(page->slab_cache, page);
+ *   - mm/slub.c|2527| <<free_slab>> __free_slab(s, page);
+ *
+ * 核心思想是释放参数的page
+ */
 static void __free_slab(struct kmem_cache *s, struct page *page)
 {
 	int order = compound_order(page);
 	int pages = 1 << order;
 
+	/*
+	 * slub中使用SLAB_CONSISTENCY_CHECKS的例子 (当slub_debug设置了f的时候):
+	 *   - mm/slub.c|313| <<DEBUG_DEFAULT_FLAGS>> #define DEBUG_DEFAULT_FLAGS (SLAB_CONSISTENCY_CHECKS | SLAB_RED_ZONE | \
+	 *   - mm/slub.c|320| <<SLAB_NO_CMPXCHG>> #define SLAB_NO_CMPXCHG (SLAB_CONSISTENCY_CHECKS | SLAB_STORE_USER | \
+	 *   - mm/slub.c|1786| <<alloc_debug_processing>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+	 *   - mm/slub.c|1882| <<free_debug_processing>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+	 *   - mm/slub.c|1890| <<free_debug_processing>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+	 *   - mm/slub.c|1949| <<setup_slub_debug>> slub_debug |= SLAB_CONSISTENCY_CHECKS;
+	 *   - mm/slub.c|2381| <<__free_slab>> if (s->flags & SLAB_CONSISTENCY_CHECKS) {
+	 *   - mm/slub.c|5988| <<sanity_checks_show>> return sprintf(buf, "%d\n", !!(s->flags & SLAB_CONSISTENCY_CHECKS));
+	 *   - mm/slub.c|5994| <<sanity_checks_store>> s->flags &= ~SLAB_CONSISTENCY_CHECKS;
+	 *   - mm/slub.c|5997| <<sanity_checks_store>> s->flags |= SLAB_CONSISTENCY_CHECKS;
+	 *   - mm/slub.c|6532| <<create_unique_id>> if (s->flags & SLAB_CONSISTENCY_CHECKS)
+	 */
 	if (s->flags & SLAB_CONSISTENCY_CHECKS) {
 		void *p;
 
@@ -1681,9 +2891,19 @@ static void __free_slab(struct kmem_cache *s, struct page *page)
 	__free_pages(page, order);
 }
 
+/*
+ * 在以下使用need_reserve_slab_rcu:
+ *   - mm/slub.c|2502| <<rcu_free_slab>> if (need_reserve_slab_rcu)
+ *   - mm/slub.c|2519| <<free_slab>> if (need_reserve_slab_rcu) {
+ *   - mm/slub.c|4533| <<kmem_cache_open>> if (need_reserve_slab_rcu && (s->flags & SLAB_TYPESAFE_BY_RCU))
+ */
 #define need_reserve_slab_rcu						\
 	(sizeof(((struct page *)NULL)->lru) < sizeof(struct rcu_head))
 
+/*
+ * 在以下使用rcu_free_slab:
+ *   - mm/slub.c|2525| <<free_slab>> call_rcu(head, rcu_free_slab);
+ */
 static void rcu_free_slab(struct rcu_head *h)
 {
 	struct page *page;
@@ -1696,6 +2916,12 @@ static void rcu_free_slab(struct rcu_head *h)
 	__free_slab(page->slab_cache, page);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2533| <<discard_slab>> free_slab(s, page);
+ *
+ * 核心思想是释放参数的page
+ */
 static void free_slab(struct kmem_cache *s, struct page *page)
 {
 	if (unlikely(s->flags & SLAB_TYPESAFE_BY_RCU)) {
@@ -1716,36 +2942,105 @@ static void free_slab(struct kmem_cache *s, struct page *page)
 		__free_slab(s, page);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2976| <<deactivate_slab>> discard_slab(s, page);
+ *   - mm/slub.c|3046| <<unfreeze_partials>> discard_slab(s, page);
+ *   - mm/slub.c|3791| <<__slab_free>> discard_slab(s, page);
+ *   - mm/slub.c|4637| <<free_partial>> discard_slab(s, page);
+ *   - mm/slub.c|4913| <<__kmem_cache_shrink>> discard_slab(s, page);
+ *
+ * 核心思想是释放参数的page
+ * 还要把page->objects从node的cache减去
+ */
 static void discard_slab(struct kmem_cache *s, struct page *page)
 {
 	dec_slabs_node(s, page_to_nid(page), page->objects);
+	/*
+	 * 核心思想是释放参数的page
+	 */
 	free_slab(s, page);
 }
 
 /*
  * Management of partially allocated slabs.
  */
+/*
+ * called by:
+ *   - mm/slub.c|2559| <<add_partial>> __add_partial(n, page, tail);
+ *   - mm/slub.c|4302| <<early_kmem_cache_node_alloc>> __add_partial(n, page, DEACTIVATE_TO_HEAD);
+ *
+ * 根据参数是否是DEACTIVATE_TO_TAIL决定是否把page->lru加入到n->partial的head还是tail,
+ * 增加n->nr_partial++
+ */
 static inline void
 __add_partial(struct kmem_cache_node *n, struct page *page, int tail)
 {
+	/*
+	 * 增加nr_partial的地方:
+	 *   - mm/slub.c|2588| <<__add_partial>> n->nr_partial++;
+	 * 减少nr_partial的地方:
+	 *   - mm/slub.c|2613| <<remove_partial>> n->nr_partial--;
+	 *   - mm/slub.c|4943| <<__kmem_cache_shrink>> n->nr_partial--;
+	 * 其他使用nr_partial的地方:
+	 *   - mm/slub.c|2687| <<get_partial_node>> if (!n || !n->nr_partial)
+	 *   - mm/slub.c|2764| <<get_any_partial>> n->nr_partial > s->min_partial) {
+	 *   - mm/slub.c|2961| <<deactivate_slab>> if (!new.inuse && n->nr_partial >= s->min_partial)
+	 *   - mm/slub.c|3075| <<unfreeze_partials>> if (unlikely(!new.inuse && n->nr_partial >= s->min_partial)) {
+	 *   - mm/slub.c|3807| <<__slab_free>> if (unlikely(!new.inuse && n->nr_partial >= s->min_partial))
+	 *   - mm/slub.c|4273| <<init_kmem_cache_node>> n->nr_partial = 0;
+	 *   - mm/slub.c|4698| <<__kmem_cache_shutdown>> if (n->nr_partial || slabs_node(s, node))
+	 *   - mm/slub.c|5413| <<validate_slab_node>> if (count != n->nr_partial)
+	 *   - mm/slub.c|5415| <<validate_slab_node>> s->name, count, n->nr_partial);
+	 *   - mm/slub.c|5857| <<show_slab_objects>> x = n->nr_partial;
+	 */
 	n->nr_partial++;
+	/*
+	 * struct kmem_cache_node:
+	 *   unsigned long nr_partial;
+	 *   struct list_head partial;
+	 */
 	if (tail == DEACTIVATE_TO_TAIL)
 		list_add_tail(&page->lru, &n->partial);
 	else
 		list_add(&page->lru, &n->partial);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2164| <<deactivate_slab>> add_partial(n, page, tail);
+ *   - mm/slub.c|2244| <<unfreeze_partials>> add_partial(n, page, DEACTIVATE_TO_TAIL);
+ *   - mm/slub.c|2972| <<__slab_free>> add_partial(n, page, DEACTIVATE_TO_TAIL);
+ *
+ * 根据参数是否是DEACTIVATE_TO_TAIL决定是否把page->lru加入到n->partial的head还是tail,
+ * 增加n->nr_partial++
+ */
 static inline void add_partial(struct kmem_cache_node *n,
 				struct page *page, int tail)
 {
 	lockdep_assert_held(&n->list_lock);
+	/*
+	 * 根据参数是否是DEACTIVATE_TO_TAIL决定是否把page->lru加入到n->partial的head还是tail,
+	 * 增加n->nr_partial++
+	 */
 	__add_partial(n, page, tail);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2657| <<acquire_slab>> remove_partial(n, page);
+ *   - mm/slub.c|2991| <<deactivate_slab>> remove_partial(n, page);
+ *   - mm/slub.c|3828| <<__slab_free>> remove_partial(n, page);
+ *   - mm/slub.c|4673| <<free_partial>> remove_partial(n, page);
+ *
+ * 把page->lru从n->partial移除
+ * 减少n->nr_partial--
+ */
 static inline void remove_partial(struct kmem_cache_node *n,
 					struct page *page)
 {
 	lockdep_assert_held(&n->list_lock);
+	/* 把page->lru从n->partial删除 */
 	list_del(&page->lru);
 	n->nr_partial--;
 }
@@ -1756,6 +3051,15 @@ static inline void remove_partial(struct kmem_cache_node *n,
  *
  * Returns a list of objects or NULL if it fails.
  */
+/*
+ * called by:
+ *   - mm/slub.c|2697| <<get_partial_node>> t = acquire_slab(s, n, page, object == NULL, &objects);
+ *
+ * Remove slab from the partial list, freeze it and
+ * return the pointer to the freelist.
+ * 最后会把page->lru从n->partial移除
+ * 减少n->nr_partial--
+ */
 static inline void *acquire_slab(struct kmem_cache *s,
 		struct kmem_cache_node *n, struct page *page,
 		int mode, int *objects)
@@ -1771,6 +3075,10 @@ static inline void *acquire_slab(struct kmem_cache *s,
 	 * The old freelist is the list of objects for the
 	 * per cpu allocation list.
 	 */
+	/*
+	 * struct page:
+	 *   void *freelist;
+	 */
 	freelist = page->freelist;
 	counters = page->counters;
 	new.counters = counters;
@@ -1785,12 +3093,21 @@ static inline void *acquire_slab(struct kmem_cache *s,
 	VM_BUG_ON(new.frozen);
 	new.frozen = 1;
 
+	/*
+	 * 我们期待__cmpxchg_double_slab()返回true, 不希望false
+	 * 核心思想是判断page->freelist和page->counters是否和old的相等
+	 * 如果相等,则吧page->freelist和page->counters都更新成新的
+	 */
 	if (!__cmpxchg_double_slab(s, page,
 			freelist, counters,
 			new.freelist, new.counters,
 			"acquire_slab"))
 		return NULL;
 
+	/*
+	 * 把page->lru从n->partial移除
+	 * 减少n->nr_partial--
+	 */
 	remove_partial(n, page);
 	WARN_ON(!freelist);
 	return freelist;
@@ -1802,6 +3119,13 @@ static inline bool pfmemalloc_match(struct page *page, gfp_t gfpflags);
 /*
  * Try to allocate a partial slab from a specific node.
  */
+/*
+ * called by:
+ *   - mm/slub.c|2051| <<get_any_partial>> object = get_partial_node(s, n, c, flags);
+ *   - mm/slub.c|2083| <<get_partial>> object = get_partial_node(s, get_node(s, searchnode), c, flags);
+ *
+ * Try to allocate a partial slab from a specific node.
+ */
 static void *get_partial_node(struct kmem_cache *s, struct kmem_cache_node *n,
 				struct kmem_cache_cpu *c, gfp_t flags)
 {
@@ -1816,6 +3140,13 @@ static void *get_partial_node(struct kmem_cache *s, struct kmem_cache_node *n,
 	 * partial slab and there is none available then get_partials()
 	 * will return NULL.
 	 */
+	/*
+	 * 增加nr_partial的地方:
+	 *   - mm/slub.c|2588| <<__add_partial>> n->nr_partial++;
+	 * 减少nr_partial的地方:
+	 *   - mm/slub.c|2613| <<remove_partial>> n->nr_partial--;
+	 *   - mm/slub.c|4943| <<__kmem_cache_shrink>> n->nr_partial--;
+	 */
 	if (!n || !n->nr_partial)
 		return NULL;
 
@@ -1826,6 +3157,12 @@ static void *get_partial_node(struct kmem_cache *s, struct kmem_cache_node *n,
 		if (!pfmemalloc_match(page, flags))
 			continue;
 
+		/*
+		 * Remove slab from the partial list, freeze it and
+		 * return the pointer to the freelist.
+		 * 最后会把page->lru从n->partial移除
+		 * 减少n->nr_partial--
+		 */
 		t = acquire_slab(s, n, page, object == NULL, &objects);
 		if (!t)
 			break;
@@ -1839,6 +3176,12 @@ static void *get_partial_node(struct kmem_cache *s, struct kmem_cache_node *n,
 			put_cpu_partial(s, page, 0);
 			stat(s, CPU_PARTIAL_NODE);
 		}
+		/*
+		 * 使用了CONFIG_SLUB_CPU_PARTIAL的情况下, 当kmem_cache->flags设置了debug的任何flag的时候返回false
+		 * 没有CONFIG_SLUB_CPU_PARTIAL直接返回false
+		 * ol支持CONFIG_SLUB_CPU_PARTIAL
+		 * 说明用debug的时候不支持kmem_cache_has_cpu_partial
+		 */
 		if (!kmem_cache_has_cpu_partial(s)
 			|| available > slub_cpu_partial(s) / 2)
 			break;
@@ -1851,6 +3194,12 @@ static void *get_partial_node(struct kmem_cache *s, struct kmem_cache_node *n,
 /*
  * Get a page from somewhere. Search in increasing NUMA distances.
  */
+/*
+ * called by:
+ *   - mm/slub.c|2918| <<get_partial>> return get_any_partial(s, flags, c);
+ *
+ * Get a page from somewhere. Search in increasing NUMA distances.
+ */
 static void *get_any_partial(struct kmem_cache *s, gfp_t flags,
 		struct kmem_cache_cpu *c)
 {
@@ -1915,6 +3264,10 @@ static void *get_any_partial(struct kmem_cache *s, gfp_t flags,
 /*
  * Get a partial page, lock it and return it.
  */
+/*
+ * called by:
+ *   - mm/slub.c|2594| <<new_slab_objects>> freelist = get_partial(s, flags, node, c);
+ */
 static void *get_partial(struct kmem_cache *s, gfp_t flags, int node,
 		struct kmem_cache_cpu *c)
 {
@@ -1926,10 +3279,16 @@ static void *get_partial(struct kmem_cache *s, gfp_t flags, int node,
 	else if (!node_present_pages(node))
 		searchnode = node_to_mem_node(node);
 
+	/*
+	 * Try to allocate a partial slab from a specific node.
+	 */
 	object = get_partial_node(s, get_node(s, searchnode), c, flags);
 	if (object || node != NUMA_NO_NODE)
 		return object;
 
+	/*
+	 * Get a page from somewhere. Search in increasing NUMA distances.
+	 */
 	return get_any_partial(s, flags, c);
 }
 
@@ -1992,6 +3351,12 @@ static inline void note_cmpxchg_failure(const char *n,
 	stat(s, CMPXCHG_DOUBLE_CPU_FAIL);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|4693| <<alloc_kmem_cache_cpus>> init_kmem_cache_cpus(s);
+ *
+ * 初始化kmem_cache->cpu_slab每一个cpu的tid
+ */
 static void init_kmem_cache_cpus(struct kmem_cache *s)
 {
 	int cpu;
@@ -2003,18 +3368,44 @@ static void init_kmem_cache_cpus(struct kmem_cache *s)
 /*
  * Remove the cpu slab
  */
+/*
+ * called by:
+ *   - mm/slub.c|2359| <<flush_slab>> deactivate_slab(s, c->page, c->freelist, c);
+ *   - mm/slub.c|2617| <<___slab_alloc>> deactivate_slab(s, page, c->freelist, c);
+ *   - mm/slub.c|2628| <<___slab_alloc>> deactivate_slab(s, page, c->freelist, c);
+ *   - mm/slub.c|2684| <<___slab_alloc>> deactivate_slab(s, page, get_freepointer(s, freelist), c);
+ *
+ * Remove the cpu slab
+ * 该函数会将CPU缓存对象的freelist中的对象,还给slab对象(page)
+ * 然后把这个page放入partial或者根据情况释放
+ * 关键最后会进行以下:
+ *   c->page = NULL;
+ *   c->freelist = NULL;
+ *
+ * 假设从___slab_alloc()第一次进入这里, page->freelist=NULL, c->page=page,
+ * freelist是第一个(要分配出去的)object
+ * 第3个参数是get_freepointer(s, freelist), 也就是分配出去的下一个
+ */
 static void deactivate_slab(struct kmem_cache *s, struct page *page,
 				void *freelist, struct kmem_cache_cpu *c)
 {
 	enum slab_modes { M_NONE, M_PARTIAL, M_FULL, M_FREE };
+	/* 返回kmem_cache->node[page_to_nid(page)] */
 	struct kmem_cache_node *n = get_node(s, page_to_nid(page));
 	int lock = 0;
 	enum slab_modes l = M_NONE, m = M_NONE;
 	void *nextfree;
+	/*
+	 * DEACTIVATE_TO_HEAD: Cpu slab was moved to the head of partials
+	 * DEACTIVATE_TO_TAIL: Cpu slab was moved to the tail of partials
+	 */
 	int tail = DEACTIVATE_TO_HEAD;
 	struct page new;
 	struct page old;
 
+	/*
+	 * 在slub_debug第一次分配的时候, page->freelist是NULL
+	 */
 	if (page->freelist) {
 		stat(s, DEACTIVATE_REMOTE_FREES);
 		tail = DEACTIVATE_TO_TAIL;
@@ -2028,18 +3419,32 @@ static void deactivate_slab(struct kmem_cache *s, struct page *page,
 	 * There is no need to take the list->lock because the page
 	 * is still frozen.
 	 */
+	/*
+	 * get_freepointer():
+	 * 没有CONFIG_SLAB_FREELIST_HARDENED(uek4不支持)就返回object + s->offset
+	 */
 	while (freelist && (nextfree = get_freepointer(s, freelist))) {
 		void *prior;
 		unsigned long counters;
 
+		/*
+		 * 这个大while循环就是把freelist的entry都归还到page->freelist
+		 */
+
 		do {
 			prior = page->freelist;
 			counters = page->counters;
+			/* 核心思想是设置object + s->offset的值为fp */
 			set_freepointer(s, freelist, prior);
 			new.counters = counters;
 			new.inuse--;
 			VM_BUG_ON(!new.frozen);
 
+			/*
+			 * 我们期待__cmpxchg_double_slab()返回true, 不希望false
+			 * 核心思想是判断page->freelist和page->counters是否和old的相等
+			 * 如果相等,则吧page->freelist和page->counters都更新成新的
+			 */
 		} while (!__cmpxchg_double_slab(s, page,
 			prior, counters,
 			freelist, new.counters,
@@ -2107,28 +3512,45 @@ static void deactivate_slab(struct kmem_cache *s, struct page *page,
 
 	if (l != m) {
 
+		/*
+		 * 把page->lru从n->partial移除
+		 * 减少n->nr_partial--
+		 */
 		if (l == M_PARTIAL)
 
 			remove_partial(n, page);
 
+		/*
+		 *  如果s->flags设置了SLAB_STORE_USER, 则把page->lru从kmem_cache_node->full删除
+		 */
 		else if (l == M_FULL)
 
 			remove_full(s, n, page);
 
 		if (m == M_PARTIAL) {
 
+			/*
+			 * 根据参数是否是DEACTIVATE_TO_TAIL决定是否把page->lru加入到n->partial的head还是tail,
+			 * 增加n->nr_partial++
+			 */
 			add_partial(n, page, tail);
 			stat(s, tail);
 
 		} else if (m == M_FULL) {
 
 			stat(s, DEACTIVATE_FULL);
+			/* 如果s->flags设置了SLAB_STORE_USER, 则把page->lru加入到kmem_cache_node->full */
 			add_full(s, n, page);
 
 		}
 	}
 
 	l = m;
+	/*
+	 * 我们期待__cmpxchg_double_slab()返回true, 不希望false
+	 * 核心思想是判断page->freelist和page->counters是否和old的相等
+	 * 如果相等,则吧page->freelist和page->counters都更新成新的
+	 */
 	if (!__cmpxchg_double_slab(s, page,
 				old.freelist, old.counters,
 				new.freelist, new.counters,
@@ -2140,6 +3562,10 @@ static void deactivate_slab(struct kmem_cache *s, struct page *page,
 
 	if (m == M_FREE) {
 		stat(s, DEACTIVATE_EMPTY);
+		/*
+		 * 核心思想是释放参数的page
+		 * 还要把page->objects从node的cache减去
+		 */
 		discard_slab(s, page);
 		stat(s, FREE_SLAB);
 	}
@@ -2155,6 +3581,17 @@ static void deactivate_slab(struct kmem_cache *s, struct page *page,
  * for the cpu using c (or some other guarantee must be there
  * to guarantee no concurrent accesses).
  */
+/*
+ * called by:
+ *   - mm/slub.c|3217| <<put_cpu_partial>> unfreeze_partials(s, this_cpu_ptr(s->cpu_slab));
+ *   - mm/slub.c|3239| <<put_cpu_partial>> unfreeze_partials(s, this_cpu_ptr(s->cpu_slab));
+ *   - mm/slub.c|3267| <<__flush_cpu_slab>> unfreeze_partials(s, c);
+ *
+ * Unfreeze all the cpu partial slabs.
+ * 把kmem_cache_cpu->partial的每个page要么释放(比如!page.inuse的情况)
+ * 要么根据参数是否是DEACTIVATE_TO_TAIL决定是否把page->lru加入到n->partial的head还是tail,
+ * 增加n->nr_partial++
+ */
 static void unfreeze_partials(struct kmem_cache *s,
 		struct kmem_cache_cpu *c)
 {
@@ -2188,15 +3625,27 @@ static void unfreeze_partials(struct kmem_cache *s,
 
 			new.frozen = 0;
 
+			/*
+			 * 我们期待__cmpxchg_double_slab()返回true, 不希望false
+			 * 核心思想是判断page->freelist和page->counters是否和old的相等
+			 * 如果相等,则吧page->freelist和page->counters都更新成新的
+			 */
 		} while (!__cmpxchg_double_slab(s, page,
 				old.freelist, old.counters,
 				new.freelist, new.counters,
 				"unfreezing slab"));
 
+		/*
+		 * page->inuse: struct page结构体中inuse代表已经使用的obj数量
+		 */
 		if (unlikely(!new.inuse && n->nr_partial >= s->min_partial)) {
 			page->next = discard_page;
 			discard_page = page;
 		} else {
+			/*
+			 * 根据参数是否是DEACTIVATE_TO_TAIL决定是否把page->lru加入到n->partial的head还是tail,
+			 * 增加n->nr_partial++
+			 */
 			add_partial(n, page, DEACTIVATE_TO_TAIL);
 			stat(s, FREE_ADD_PARTIAL);
 		}
@@ -2210,6 +3659,10 @@ static void unfreeze_partials(struct kmem_cache *s,
 		discard_page = discard_page->next;
 
 		stat(s, DEACTIVATE_EMPTY);
+		/*
+		 * 核心思想是释放参数的page
+		 * 还要把page->objects从node的cache减去
+		 */
 		discard_slab(s, page);
 		stat(s, FREE_SLAB);
 	}
@@ -2225,6 +3678,16 @@ static void unfreeze_partials(struct kmem_cache *s,
  * If we did not find a slot then simply move all the partials to the
  * per node partial list.
  */
+/*
+ * called by:
+ *   - mm/slub.c|2765| <<get_partial_node>> put_cpu_partial(s, page, 0);
+ *   - mm/slub.c|3883| <<__slab_free>> put_cpu_partial(s, page, 1);
+ *
+ * Put a page that was just frozen (in __slab_free) into a partial page
+ * slot if available.
+ * 把一个page加入到cpu cache的partial中
+ * 这个page有可能是在__slab_free()中frozen的
+ */
 static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain)
 {
 #ifdef CONFIG_SLUB_CPU_PARTIAL
@@ -2241,6 +3704,9 @@ static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain)
 		if (oldpage) {
 			pobjects = oldpage->pobjects;
 			pages = oldpage->pages;
+			/*
+			 * Number of per cpu partial objects to keep around
+			 */
 			if (drain && pobjects > s->cpu_partial) {
 				unsigned long flags;
 				/*
@@ -2248,6 +3714,12 @@ static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain)
 				 * set to the per node partial list.
 				 */
 				local_irq_save(flags);
+				/*
+				 * Unfreeze all the cpu partial slabs.
+				 * 把kmem_cache_cpu->partial的每个page要么释放(比如!page.inuse的情况)
+				 * 要么根据参数是否是DEACTIVATE_TO_TAIL决定是否把page->lru加入到n->partial的head还是tail,
+				 * 增加n->nr_partial++
+				 */
 				unfreeze_partials(s, this_cpu_ptr(s->cpu_slab));
 				local_irq_restore(flags);
 				oldpage = NULL;
@@ -2270,6 +3742,12 @@ static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain)
 		unsigned long flags;
 
 		local_irq_save(flags);
+		/*
+		 * Unfreeze all the cpu partial slabs.
+		 * 把kmem_cache_cpu->partial的每个page要么释放(比如!page.inuse的情况)
+		 * 要么根据参数是否是DEACTIVATE_TO_TAIL决定是否把page->lru加入到n->partial的head还是tail,
+		 * 增加n->nr_partial++
+		 */
 		unfreeze_partials(s, this_cpu_ptr(s->cpu_slab));
 		local_irq_restore(flags);
 	}
@@ -2419,6 +3897,16 @@ slab_out_of_memory(struct kmem_cache *s, gfp_t gfpflags, int nid)
 #endif
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2676| <<___slab_alloc>> freelist = new_slab_objects(s, gfpflags, node, &c);
+ *
+ * 核心思想就是分配一个或者一组struct page, 然后制作好page的layout
+ * 如果分配成功, 返回page->freelist,
+ * 设置page->freelist = NULL
+ * c->page = page
+ * !!! 然而, get_partial()可以返回的时候直接从get_partial()返回就好了!!!
+ */
 static inline void *new_slab_objects(struct kmem_cache *s, gfp_t flags,
 			int node, struct kmem_cache_cpu **pc)
 {
@@ -2431,6 +3919,9 @@ static inline void *new_slab_objects(struct kmem_cache *s, gfp_t flags,
 	if (freelist)
 		return freelist;
 
+	/*
+	 * 核心思想就是分配一个或者一组struct page, 然后制作好page的layout
+	 */
 	page = new_slab(s, flags, node);
 	if (page) {
 		c = raw_cpu_ptr(s->cpu_slab);
@@ -2487,6 +3978,11 @@ static inline void *get_freelist(struct kmem_cache *s, struct page *page)
 		new.inuse = page->objects;
 		new.frozen = freelist != NULL;
 
+		/*
+		 * 我们期待__cmpxchg_double_slab()返回true, 不希望false
+		 * 核心思想是判断page->freelist和page->counters是否和old的相等
+		 * 如果相等,则吧page->freelist和page->counters都更新成新的
+		 */
 	} while (!__cmpxchg_double_slab(s, page,
 		freelist, counters,
 		NULL, new.counters,
@@ -2514,12 +4010,28 @@ static inline void *get_freelist(struct kmem_cache *s, struct page *page)
  * Version of __slab_alloc to use when we know that interrupts are
  * already disabled (which is the case for bulk allocation).
  */
+/*
+ * called by:
+ *   - mm/slub.c|2653| <<__slab_alloc>> p = ___slab_alloc(s, gfpflags, node, addr, c);
+ *   - mm/slub.c|3163| <<kmem_cache_alloc_bulk>> p[i] = ___slab_alloc(s, flags, NUMA_NO_NODE,
+ */
 static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
 			  unsigned long addr, struct kmem_cache_cpu *c)
 {
 	void *freelist;
 	struct page *page;
 
+	/*
+	 * deactivate_slab():
+	 * Remove the cpu slab
+	 * 该函数会将CPU缓存对象的freelist中的对象,还给slab对象(page)
+	 * 然后把这个page放入partial或者根据情况释放
+	 * 关键最后会进行以下:
+	 *   c->page = NULL;
+	 *   c->freelist = NULL;
+	 *
+	 * slub_debug=U的时候c->page总是NULL
+	 */
 	page = c->page;
 	if (!page)
 		goto new_slab;
@@ -2533,6 +4045,14 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
 
 		if (unlikely(!node_match(page, searchnode))) {
 			stat(s, ALLOC_NODE_MISMATCH);
+			/*
+			 * Remove the cpu slab
+			 * 该函数会将CPU缓存对象的freelist中的对象,还给slab对象(page)
+			 * 然后把这个page放入partial或者根据情况释放
+			 * 关键最后会进行以下:
+			 *   c->page = NULL;
+			 *   c->freelist = NULL;
+			 */
 			deactivate_slab(s, page, c->freelist, c);
 			goto new_slab;
 		}
@@ -2544,6 +4064,14 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
 	 * information when the page leaves the per-cpu allocator
 	 */
 	if (unlikely(!pfmemalloc_match(page, gfpflags))) {
+		/*
+		 * Remove the cpu slab
+		 * 该函数会将CPU缓存对象的freelist中的对象,还给slab对象(page)
+		 * 然后把这个page放入partial或者根据情况释放
+		 * 关键最后会进行以下:
+		 *   c->page = NULL;
+		 *   c->freelist = NULL;
+		 */
 		deactivate_slab(s, page, c->freelist, c);
 		goto new_slab;
 	}
@@ -2576,6 +4104,20 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
 
 new_slab:
 
+	/*
+	 * 如果c->partial存在
+	 *
+	 * kmem_cache_cpu->partial使用的例子:
+	 *   - include/linux/slub_def.h|54| <<slub_percpu_partial>> #define slub_percpu_partial(c) ((c)->partial)
+	 *   - mm/slub.c|3133| <<unfreeze_partials>> while ((page = c->partial)) {
+	 *   - mm/slub.c|3137| <<unfreeze_partials>> c->partial = page->next;
+	 *   - mm/slub.c|3212| <<put_cpu_partial>> oldpage = this_cpu_read(s->cpu_slab->partial);
+	 *   - mm/slub.c|3240| <<put_cpu_partial>> } while (this_cpu_cmpxchg(s->cpu_slab->partial, oldpage, page)
+	 */
+	/*
+	 * 只设置slub_debug=U就不会执行下面的了
+	 * 看来只要激活了slub_debug就不会走percpu cache了
+	 */
 	if (slub_percpu_partial(c)) {
 		page = c->page = slub_percpu_partial(c);
 		slub_set_percpu_partial(c, page);
@@ -2583,6 +4125,15 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
 		goto redo;
 	}
 
+	/*
+	 * freelist声明的时候是void * *
+	 *
+	 * 核心思想就是分配一个或者一组struct page, 然后制作好page的layout
+	 * 如果分配成功, 返回page->freelist,
+	 * 设置page->freelist = NULL
+	 * c->page = page
+	 * !!! 然而, get_partial()可以返回的时候直接从get_partial()返回就好了!!!
+	 */
 	freelist = new_slab_objects(s, gfpflags, node, &c);
 
 	if (unlikely(!freelist)) {
@@ -2591,14 +4142,34 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
 	}
 
 	page = c->page;
+	/*
+	 * kmem_cache_debug(): 当kmem_cache->flags设置了debug的任何flag的时候返回 true
+	 */
 	if (likely(!kmem_cache_debug(s) && pfmemalloc_match(page, gfpflags)))
 		goto load_freelist;
 
 	/* Only entered in the debug case */
+	/*
+	 * 此时freelist没有从链表中被取出来
+	 */
 	if (kmem_cache_debug(s) &&
 			!alloc_debug_processing(s, page, freelist, addr))
 		goto new_slab;	/* Slab failed checks. Next slab needed */
 
+	/*
+	 * 下面是slub_debug的分配路径的核心!!!!!!
+	 *
+	 * 假设从___slab_alloc()第一次进入这里, page->freelist=NULL, c->page=page,
+	 * freelist是第一个(要分配出去的)object
+	 * 第3个参数是get_freepointer(s, freelist), 也就是分配出去的下一个
+	 *
+	 * Remove the cpu slab
+	 * 该函数会将CPU缓存对象的freelist中的对象,还给slab对象(page)
+	 * 然后把这个page放入partial或者根据情况释放
+	 * 关键最后会进行以下:
+	 *   c->page = NULL;
+	 *   c->freelist = NULL;
+	 */
 	deactivate_slab(s, page, get_freepointer(s, freelist), c);
 	return freelist;
 }
@@ -2607,6 +4178,10 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
  * Another one that disabled interrupt and compensates for possible
  * cpu changes by refetching the per cpu area pointer.
  */
+/*
+ * called by:
+ *   - mm/slub.c|2716| <<slab_alloc_node>> object = __slab_alloc(s, gfpflags, node, addr, c);
+ */
 static void *__slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
 			  unsigned long addr, struct kmem_cache_cpu *c)
 {
@@ -2683,12 +4258,35 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
 	 * linked list in between.
 	 */
 
+	/*
+	 * 下面的代码尝试在c->freelist分配一个
+	 * 如果c->freelist已经空了,就要用__slab_alloc()的slow path
+	 *
+	 * c->freelist是NULL说明分配已经到最后了
+	 */
+
+	/*
+	 * deactivate_slab():
+	 * Remove the cpu slab
+	 * 该函数会将CPU缓存对象的freelist中的对象,还给slab对象(page)
+	 * 然后把这个page放入partial或者根据情况释放
+	 * 关键最后会进行以下:
+	 *   c->page = NULL;
+	 *   c->freelist = NULL;
+	 */
 	object = c->freelist;
 	page = c->page;
 	if (unlikely(!object || !node_match(page, node))) {
 		object = __slab_alloc(s, gfpflags, node, addr, c);
+		/*
+		 * # cat /sys/kernel/slab/kmalloc-128/alloc_slowpath 
+		 * 7128 C0=2995 C1=4133
+		 */
 		stat(s, ALLOC_SLOWPATH);
 	} else {
+		/*
+		 * freelist_dereference(s, object + s->offset);
+		 */
 		void *next_object = get_freepointer_safe(s, object);
 
 		/*
@@ -2705,6 +4303,11 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
 		 * against code executing on this cpu *not* from access by
 		 * other cpus.
 		 */
+		/*
+		 * 这里用atomic的形式:
+		 * 1. 把s->cpu_slab->freelist从object(c->freelist)换成next_object=get_freepointer_safe(s, object)
+		 * 2. 把s->cpu_slab->tid换成next_tid(tid)
+		 */
 		if (unlikely(!this_cpu_cmpxchg_double(
 				s->cpu_slab->freelist, s->cpu_slab->tid,
 				object, tid,
@@ -2725,6 +4328,13 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
 	return object;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|2736| <<kmem_cache_alloc>> void *ret = slab_alloc(s, gfpflags, _RET_IP_);
+ *   - mm/slub.c|2748| <<kmem_cache_alloc_trace>> void *ret = slab_alloc(s, gfpflags, _RET_IP_);
+ *   - mm/slub.c|3756| <<__kmalloc>> ret = slab_alloc(s, flags, _RET_IP_);
+ *   - mm/slub.c|4288| <<__kmalloc_track_caller>> ret = slab_alloc(s, gfpflags, caller);
+ */
 static __always_inline void *slab_alloc(struct kmem_cache *s,
 		gfp_t gfpflags, unsigned long addr)
 {
@@ -2743,6 +4353,11 @@ void *kmem_cache_alloc(struct kmem_cache *s, gfp_t gfpflags)
 EXPORT_SYMBOL(kmem_cache_alloc);
 
 #ifdef CONFIG_TRACING
+/*
+ * called by:
+ *   - include/linux/slab.h|404| <<kmem_cache_alloc_node_trace>> return kmem_cache_alloc_trace(s, gfpflags, size);
+ *   - include/linux/slab.h|514| <<kmalloc>> return kmem_cache_alloc_trace(kmalloc_caches[index],
+ */
 void *kmem_cache_alloc_trace(struct kmem_cache *s, gfp_t gfpflags, size_t size)
 {
 	void *ret = slab_alloc(s, gfpflags, _RET_IP_);
@@ -2754,6 +4369,28 @@ EXPORT_SYMBOL(kmem_cache_alloc_trace);
 #endif
 
 #ifdef CONFIG_NUMA
+/*
+ * called by:
+ *   - arch/powerpc/platforms/pseries/dtl.c|205| <<dtl_enable>> buf = kmem_cache_alloc_node(dtl_cache, GFP_KERNEL, cpu_to_node(dtl->cpu));
+ *   - arch/sparc/mm/tsb.c|424| <<tsb_grow>> new_tsb = kmem_cache_alloc_node(tsb_caches[new_cache_index],
+ *   - block/bfq-iosched.c|3956| <<bfq_get_queue>> bfqq = kmem_cache_alloc_node(bfq_pool,
+ *   - block/blk-core.c|706| <<alloc_request_simple>> return kmem_cache_alloc_node(request_cachep, gfp_mask, q->node);
+ *   - block/blk-core.c|833| <<blk_alloc_queue_node>> q = kmem_cache_alloc_node(blk_requestq_cachep,
+ *   - block/blk-ioc.c|271| <<create_task_io_context>> ioc = kmem_cache_alloc_node(iocontext_cachep, gfp_flags | __GFP_ZERO,
+ *   - block/blk-ioc.c|396| <<ioc_create_icq>> icq = kmem_cache_alloc_node(et->icq_cache, gfp_mask | __GFP_ZERO,
+ *   - block/cfq-iosched.c|3835| <<cfq_get_queue>> cfqq = kmem_cache_alloc_node(cfq_pool,
+ *   - drivers/scsi/scsi_lib.c|65| <<scsi_alloc_sense_buffer>> return kmem_cache_alloc_node(scsi_select_sense_cache(unchecked_isa_dma),
+ *   - include/linux/slab.h|423| <<kmem_cache_alloc_node_trace>> void *ret = kmem_cache_alloc_node(s, gfpflags, node);
+ *   - include/trace/events/kmem.h|109| <<__field>> DEFINE_EVENT(kmem_alloc_node, kmem_cache_alloc_node,
+ *   - kernel/fork.c|156| <<alloc_task_struct_node>> return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
+ *   - kernel/fork.c|274| <<alloc_thread_stack_node>> return kmem_cache_alloc_node(thread_stack_cache, THREADINFO_GFP, node);
+ *   - kernel/workqueue.c|3559| <<alloc_unbound_pwq>> pwq = kmem_cache_alloc_node(pwq_cache, GFP_KERNEL, pool->node);
+ *   - mm/slab.c|2380| <<alloc_slabmgmt>> freelist = kmem_cache_alloc_node(cachep->freelist_cache,
+ *   - mm/slub.c|4438| <<init_kmem_cache_nodes>> n = kmem_cache_alloc_node(kmem_cache_node,
+ *   - net/core/skbuff.c|193| <<__alloc_skb>> skb = kmem_cache_alloc_node(cache, gfp_mask & ~__GFP_DMA, node);
+ *   - net/openvswitch/flow.c|105| <<ovs_flow_stats_update>> kmem_cache_alloc_node(flow_stats_cache,
+ *   - net/openvswitch/flow_table.c|91| <<ovs_flow_alloc>> stats = kmem_cache_alloc_node(flow_stats_cache,
+ */
 void *kmem_cache_alloc_node(struct kmem_cache *s, gfp_t gfpflags, int node)
 {
 	void *ret = slab_alloc_node(s, gfpflags, node, _RET_IP_);
@@ -2790,6 +4427,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node_trace);
  * lock and free the item. If there is no additional partial page
  * handling required then we can return immediately.
  */
+/*
+ * called by:
+ *   - mm/slub.c|3006| <<do_slab_free>> __slab_free(s, page, head, tail_obj, cnt, addr);
+ *
+ *  kmem_cache_free()间接进来的时候:
+ *   - cnt是1
+ *   - page是virt_to_head_page(x)
+ *   - head是x
+ *   - tail是head=x
+ */
 static void __slab_free(struct kmem_cache *s, struct page *page,
 			void *head, void *tail, int cnt,
 			unsigned long addr)
@@ -2804,23 +4451,53 @@ static void __slab_free(struct kmem_cache *s, struct page *page,
 
 	stat(s, FREE_SLOWPATH);
 
+	/*
+	 * kmem_cache_debug():
+	 * 当kmem_cache->flags设置了debug的任何flag的时候返回 true
+	 *
+	 * free_debug_processing():
+	 * 会检查每一个free的object:
+	 */
 	if (kmem_cache_debug(s) &&
 	    !free_debug_processing(s, page, head, tail, cnt, addr))
 		return;
 
+	/*
+	 * 下面的循环是归还的过程(head到tail之间的object)
+	 */
 	do {
 		if (unlikely(n)) {
 			spin_unlock_irqrestore(&n->list_lock, flags);
 			n = NULL;
 		}
+		/*
+		 * struct page:
+		 *   -> void *freelist; // sl[aou]b first free object
+		 */
 		prior = page->freelist;
 		counters = page->counters;
+		/*
+		 * 核心思想是设置tail + s->offset的值为prior
+		 * 相当于把tail插入到prior之前?
+		 */
 		set_freepointer(s, tail, prior);
 		new.counters = counters;
+		/*
+		 * struct page:
+		 *   unsigned inuse:16;
+		 *   unsigned objects:15;
+		 *   unsigned frozen:1;
+		 */
 		was_frozen = new.frozen;
 		new.inuse -= cnt;
 		if ((!new.inuse || !prior) && !was_frozen) {
 
+			/*
+			 * 使用了CONFIG_SLUB_CPU_PARTIAL的情况下, 当kmem_cache->flags设置了debug的任何flag的时候返回false
+			 * 没有CONFIG_SLUB_CPU_PARTIAL直接返回false
+			 * ol支持CONFIG_SLUB_CPU_PARTIAL
+			 * 说明用debug的时候不支持kmem_cache_has_cpu_partial
+			 */
 			if (kmem_cache_has_cpu_partial(s) && !prior) {
 
 				/*
@@ -2847,6 +4524,11 @@ static void __slab_free(struct kmem_cache *s, struct page *page,
 			}
 		}
 
+		/*
+		 * 我们期待cmpxchg_double_slab()返回true, 不希望false
+		 * 核心思想是判断page->freelist和page->counters是否和old的相等
+		 * 如果相等,则吧page->freelist和page->counters都更新成新的
+		 */
 	} while (!cmpxchg_double_slab(s, page,
 		prior, counters,
 		head, new.counters,
@@ -2859,6 +4541,12 @@ static void __slab_free(struct kmem_cache *s, struct page *page,
 		 * per cpu partial list.
 		 */
 		if (new.frozen && !was_frozen) {
+			/*
+			 * Put a page that was just frozen (in __slab_free) into a partial page
+			 * slot if available.
+			 * 核心思想把一个page加入到cpu cache的partial中
+			 * 这个page有可能是在__slab_free()中frozen的
+			 */
 			put_cpu_partial(s, page, 1);
 			stat(s, CPU_PARTIAL_FREE);
 		}
@@ -2881,6 +4569,10 @@ static void __slab_free(struct kmem_cache *s, struct page *page,
 	if (!kmem_cache_has_cpu_partial(s) && unlikely(!prior)) {
 		if (kmem_cache_debug(s))
 			remove_full(s, n, page);
+		/*
+		 * 根据参数是否是DEACTIVATE_TO_TAIL决定是否把page->lru加入到n->partial的head还是tail,
+		 * 增加n->nr_partial++
+		 */
 		add_partial(n, page, DEACTIVATE_TO_TAIL);
 		stat(s, FREE_ADD_PARTIAL);
 	}
@@ -2892,15 +4584,26 @@ static void __slab_free(struct kmem_cache *s, struct page *page,
 		/*
 		 * Slab on the partial list.
 		 */
+		/*
+		 * 把page->lru从n->partial移除
+		 * 减少n->nr_partial--
+		 */
 		remove_partial(n, page);
 		stat(s, FREE_REMOVE_PARTIAL);
 	} else {
 		/* Slab must be on the full list */
+		/*
+		 * 如果s->flags设置了SLAB_STORE_USER, 则把page->lru从kmem_cache_node->full删除
+		 */
 		remove_full(s, n, page);
 	}
 
 	spin_unlock_irqrestore(&n->list_lock, flags);
 	stat(s, FREE_SLAB);
+	/*
+	 * 核心思想是释放参数的page
+	 * 还要把page->objects从node的cache减去
+	 */
 	discard_slab(s, page);
 }
 
@@ -2919,10 +4622,29 @@ static void __slab_free(struct kmem_cache *s, struct page *page,
  * same page) possible by specifying head and tail ptr, plus objects
  * count (cnt). Bulk free indicated by tail pointer being set.
  */
+/*
+ * called by:
+ *   - mm/slub.c|3021| <<slab_free>> do_slab_free(s, page, head, tail, cnt, addr);
+ *   - mm/slub.c|3027| <<___cache_free>> do_slab_free(cache, virt_to_head_page(x), x, NULL, 1, addr);
+ *
+ * kmem_cache_free()间接进来的时候:
+ *   - cnt是1
+ *   - page是virt_to_head_page(x)
+ *   - head是x
+ *   - tail是NULL
+ */
 static __always_inline void do_slab_free(struct kmem_cache *s,
 				struct page *page, void *head, void *tail,
 				int cnt, unsigned long addr)
 {
+	/*
+	 * kmem_cache_free()间接进来的时候:
+	 *   - cnt是1
+	 *   - page是virt_to_head_page(x)
+	 *   - head是x
+	 *   - tail是NULL
+	 *   - tail_obj是head=x
+	 */
 	void *tail_obj = tail ? : head;
 	struct kmem_cache_cpu *c;
 	unsigned long tid;
@@ -2942,9 +4664,25 @@ static __always_inline void do_slab_free(struct kmem_cache *s,
 	/* Same with comment on barrier() in slab_alloc_node() */
 	barrier();
 
+	/*
+	 * 在slub_debug开启的情况下, 在deactivate_slab()中会:
+	 * Remove the cpu slab
+	 * 该函数会将CPU缓存对象的freelist中的对象,还给slab对象(page)
+	 * 然后把这个page放入partial或者根据情况释放
+	 * 关键最后会进行以下:
+	 *   c->page = NULL;
+	 *   c->freelist = NULL;
+	 *
+	 * (page == c->page)说明当前的freelist的page和要释放的object共享一个page
+	 */
 	if (likely(page == c->page)) {
 		set_freepointer(s, tail_obj, c->freelist);
 
+		/*
+		 * 用atomic的方式:
+		 * 1. 把s->cpu_slab->freelist从c->freelist换成head
+		 * 2. 把s->cpu_slab->tid从tid换成next_tid(tid)
+		 */
 		if (unlikely(!this_cpu_cmpxchg_double(
 				s->cpu_slab->freelist, s->cpu_slab->tid,
 				c->freelist, tid,
@@ -2959,6 +4697,12 @@ static __always_inline void do_slab_free(struct kmem_cache *s,
 
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|3036| <<kmem_cache_free>> slab_free(s, virt_to_head_page(x), x, NULL, 1, _RET_IP_);
+ *   - mm/slub.c|3145| <<kmem_cache_free_bulk>> slab_free(df.s, df.page, df.freelist, df.tail, df.cnt,_RET_IP_);
+ *   - mm/slub.c|3945| <<kfree>> slab_free(page->slab_cache, page, object, NULL, 1, _RET_IP_);
+ */
 static __always_inline void slab_free(struct kmem_cache *s, struct page *page,
 				      void *head, void *tail, int cnt,
 				      unsigned long addr)
@@ -2968,8 +4712,18 @@ static __always_inline void slab_free(struct kmem_cache *s, struct page *page,
 	 * slab_free_freelist_hook() could have put the items into quarantine.
 	 * If so, no need to free them.
 	 */
+	/*
+	 * 如果KASAN激活了,退出
+	 */
 	if (s->flags & SLAB_KASAN && !(s->flags & SLAB_TYPESAFE_BY_RCU))
 		return;
+	/*
+	 * kmem_cache_free()进来的时候:
+	 *   - cnt是1
+	 *   - page是virt_to_head_page(x)
+	 *   - head是x
+	 *   - tail是NULL
+	 */
 	do_slab_free(s, page, head, tail, cnt, addr);
 }
 
@@ -2980,11 +4734,20 @@ void ___cache_free(struct kmem_cache *cache, void *x, unsigned long addr)
 }
 #endif
 
+/*
+ * 调用的一个例子:
+ *   - drivers/scsi/scsi_lib.c|58| <<scsi_free_sense_buffer>> kmem_cache_free(scsi_select_sense_cache(unchecked_isa_dma),
+ */
 void kmem_cache_free(struct kmem_cache *s, void *x)
 {
+	/*
+	 * 有cgroup是否激活两种判断方式
+	 * 这里就是查看还给哪个slab
+	 */
 	s = cache_from_obj(s, x);
 	if (!s)
 		return;
+	/* virt_to_head_page(x)是一个struct page * */
 	slab_free(s, virt_to_head_page(x), x, NULL, 1, _RET_IP_);
 	trace_kmem_cache_free(_RET_IP_, x);
 }
@@ -3232,6 +4995,10 @@ static inline int slab_order(int size, int min_objects,
 	return order;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|4660| <<calculate_sizes>> order = calculate_order(size, s->reserved);
+ */
 static inline int calculate_order(int size, int reserved)
 {
 	int order;
@@ -3295,6 +5062,10 @@ init_kmem_cache_node(struct kmem_cache_node *n)
 #endif
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|5056| <<kmem_cache_open>> if (alloc_kmem_cache_cpus(s))
+ */
 static inline int alloc_kmem_cache_cpus(struct kmem_cache *s)
 {
 	BUILD_BUG_ON(PERCPU_DYNAMIC_EARLY_SIZE <
@@ -3406,6 +5177,11 @@ static int init_kmem_cache_nodes(struct kmem_cache *s)
 	return 1;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|4015| <<kmem_cache_open>> set_min_partial(s, ilog2(s->size) / 2);
+ *   - mm/slub.c|5378| <<min_partial_store>> set_min_partial(s, min);
+ */
 static void set_min_partial(struct kmem_cache *s, unsigned long min)
 {
 	if (min < MIN_PARTIAL)
@@ -3435,6 +5211,12 @@ static void set_cpu_partial(struct kmem_cache *s)
 	 *    per node list when we run out of per cpu objects. We only fetch
 	 *    50% to keep some capacity around for frees.
 	 */
+	/*
+	 * 使用了CONFIG_SLUB_CPU_PARTIAL的情况下, 当kmem_cache->flags设置了debug的任何flag的时候返回false
+	 * 没有CONFIG_SLUB_CPU_PARTIAL直接返回false
+	 * ol支持CONFIG_SLUB_CPU_PARTIAL
+	 * 说明用debug的时候不支持kmem_cache_has_cpu_partial
+	 */
 	if (!kmem_cache_has_cpu_partial(s))
 		s->cpu_partial = 0;
 	else if (s->size >= PAGE_SIZE)
@@ -3452,9 +5234,63 @@ static void set_cpu_partial(struct kmem_cache *s)
  * calculate_sizes() determines the order and the distribution of data within
  * a slab object.
  */
+/*
+ * [0] calculate_sizes
+ * [0] __kmem_cache_create
+ * [0] create_boot_cache
+ * [0] create_kmalloc_cache
+ * [0] new_kmalloc_cache
+ * [0] create_kmalloc_caches
+ * [0] kmem_cache_init
+ * [0] start_kernel
+ * [0] secondary_startup_64
+ *
+ * called by:
+ *   - mm/slub.c|4701| <<kmem_cache_open>> if (!calculate_sizes(s, -1))
+ *   - mm/slub.c|4711| <<kmem_cache_open>> if (!calculate_sizes(s, -1))
+ *   - mm/slub.c|6068| <<order_store>> calculate_sizes(s, order);
+ *   - mm/slub.c|6305| <<red_zone_store>> calculate_sizes(s, -1);
+ *   - mm/slub.c|6325| <<poison_store>> calculate_sizes(s, -1);
+ *   - mm/slub.c|6346| <<store_user_store>> calculate_sizes(s, -1);
+ *
+ * s->offset是从object base (不是red left base)开始到达下一个fp的距离
+ * s->inuse似乎也是这个意思??
+ *
+ * "kmalloc-128"在slub_debug=PZUF下的layout:
+ * s->offset和s->inuse都是136
+ *
+ * -----------------
+ * 8 (red left pad)
+ * 128 (object)
+ * 8 (redzone pad)
+ * 8 (fp)
+ * 304 (track)
+ * 8 (padding, 尽力防止track或者fp被overwrite)
+ * -----------------
+ * 8 (red left pad)
+ * 128 (object)
+ * 8 (redzone pad)
+ * 8 (fp)
+ * 304 (track)
+ * 8 (padding, 尽力防止track或者fp被overwrite)
+ * -----------------
+ * 8 (red left pad)
+ * 128 (object)
+ * 8 (redzone pad)
+ * 8 (fp)
+ * 304 (track)
+ * 8 (padding, 尽力防止track或者fp被overwrite)
+ * -----------------
+ */
 static int calculate_sizes(struct kmem_cache *s, int forced_order)
 {
 	unsigned long flags = s->flags;
+	/*
+	 * kmem_cache->size: The size of an object including meta data
+	 * kmem_cache->object_size: The size of an object without meta data
+	 *
+	 * 对于"kmalloc-128" (slub_debug=PZUF), 此时object_size=128
+	 */
 	size_t size = s->object_size;
 	int order;
 
@@ -3463,6 +5299,7 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 	 * place the free pointer at word boundaries and this determines
 	 * the possible location of the free pointer.
 	 */
+	/* 对于"kmalloc-128" (slub_debug=PZUF), 此时size是128 */
 	size = ALIGN(size, sizeof(void *));
 
 #ifdef CONFIG_SLUB_DEBUG
@@ -3471,6 +5308,14 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 	 * the slab may touch the object after free or before allocation
 	 * then we should never poison the object itself.
 	 */
+	/*
+	 * 在以下使用__OBJECT_POISON:
+	 *   - mm/slub.c|950| <<init_object>> if (s->flags & __OBJECT_POISON) {
+	 *   - mm/slub.c|1116| <<check_object>> if (val != SLUB_RED_ACTIVE && (s->flags & __OBJECT_POISON) &&
+	 *   - mm/slub.c|1324| <<setup_object_debug>> if (!(s->flags & (SLAB_STORE_USER|SLAB_RED_ZONE|__OBJECT_POISON)))
+	 *   - mm/slub.c|3877| <<calculate_sizes>> s->flags |= __OBJECT_POISON;
+	 *   - mm/slub.c|3879| <<calculate_sizes>> s->flags &= ~__OBJECT_POISON;
+	 */
 	if ((flags & SLAB_POISON) && !(flags & SLAB_TYPESAFE_BY_RCU) &&
 			!s->ctor)
 		s->flags |= __OBJECT_POISON;
@@ -3483,6 +5328,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 	 * end of the object and the free pointer. If not then add an
 	 * additional word to have some bytes to store Redzone information.
 	 */
+	/*
+	 * 对于"kmalloc-128" (slub_debug=PZUF), 此时size是136 (sizeof(void *)是8)
+	 */
 	if ((flags & SLAB_RED_ZONE) && size == s->object_size)
 		size += sizeof(void *);
 #endif
@@ -3491,6 +5339,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 	 * With that we have determined the number of bytes in actual use
 	 * by the object. This is the potential offset to the free pointer.
 	 */
+	/*
+	 * 对于"kmalloc-128" (slub_debug=PZUF), 此时inuse是136
+	 */
 	s->inuse = size;
 
 	if (((flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)) ||
@@ -3503,11 +5354,23 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 		 * This is the case if we do RCU, have a constructor or
 		 * destructor or are poisoning the objects.
 		 */
+		/*
+		 * 当slub_debug=ZUF(没有P)的时候, kmalloc-128的s->offset=0
+		 * 当slub_debug=PZUF(有P)的时候, kmalloc-128的s->offset=136
+		 *
+		 * fp位移
+		 */
 		s->offset = size;
+		/*
+		 * 对于"kmalloc-128" (slub_debug=PZUF), 此时size是144
+		 */
 		size += sizeof(void *);
 	}
 
 #ifdef CONFIG_SLUB_DEBUG
+	/*
+	 * 对于"kmalloc-128" (slub_debug=PZUF), 执行完下面size是448
+	 */
 	if (flags & SLAB_STORE_USER)
 		/*
 		 * Need to store information about allocs and frees after
@@ -3526,8 +5389,16 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 		 * corrupted if a user writes before the start
 		 * of the object.
 		 */
+		/*
+		 * 对于"kmalloc-128" (slub_debug=PZUF), 执行完下面size是456
+		 */
 		size += sizeof(void *);
 
+		/*
+		 * s->red_left_pad: Left redzone padding size
+		 *
+		 * 对于"kmalloc-128" (slub_debug=PZUF), 执行完下面size是464, s->red_left_pad=8
+		 */
 		s->red_left_pad = sizeof(void *);
 		s->red_left_pad = ALIGN(s->red_left_pad, s->align);
 		size += s->red_left_pad;
@@ -3540,6 +5411,13 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 	 * each object to conform to the alignment.
 	 */
 	size = ALIGN(size, s->align);
+	/*
+	 * 对于"kmalloc-128" (slub_debug=PZUF), 执行完下面size是464
+	 * 再下面的order=1, s->reserved=0, forced_order=-1
+	 *
+	 * kmem_cache->size: The size of an object including meta data
+	 * kmem_cache->object_size: The size of an object without meta data
+	 */
 	s->size = size;
 	if (forced_order >= 0)
 		order = forced_order;
@@ -3562,14 +5440,37 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
 	/*
 	 * Determine the number of objects per slab
 	 */
+	/*
+	 * 低16位是回order表示的page可以存储多少个size大小的object
+	 * 高位是用order表示的page的数目
+	 */
 	s->oo = oo_make(order, size, s->reserved);
 	s->min = oo_make(get_order(size), size, s->reserved);
+	/*
+	 * 低16位是回order表示的page可以存储多少个size大小的object
+	 * 高位是用order表示的page的数目
+	 */
 	if (oo_objects(s->oo) > oo_objects(s->max))
 		s->max = s->oo;
 
 	return !!oo_objects(s->oo);
 }
 
+/*
+ * 初始化kmalloc-128:
+ * [0] kmem_cach_open
+ * [0] __kmem_cache_create
+ * [0] create_boot_cache
+ * [0] create_kmalloc_cache
+ * [0] new_kmalloc_cache
+ * [0] create_kmalloc_caches
+ * [0] kmem_cache_init
+ * [0] start_kernel
+ * [0] secondary_startup_64
+ *
+ * called by:
+ *   - mm/slub.c|4537| <<__kmem_cache_create>> err = kmem_cache_open(s, flags);
+ */
 static int kmem_cache_open(struct kmem_cache *s, unsigned long flags)
 {
 	s->flags = kmem_cache_flags(s->size, flags, s->name, s->ctor);
@@ -3583,6 +5484,13 @@ static int kmem_cache_open(struct kmem_cache *s, unsigned long flags)
 
 	if (!calculate_sizes(s, -1))
 		goto error;
+	/*
+	 * 在以下使用:
+	 *   - mm/slub.c|1728| <<global>> #define disable_higher_order_debug 0
+	 *   - mm/slub.c|1665| <<setup_slub_debug>> disable_higher_order_debug = 1;
+	 *   - mm/slub.c|4138| <<kmem_cache_open>> if (disable_higher_order_debug) {
+	 *   - mm/slub.c|6279| <<sysfs_slab_add>> if (!unmergeable && disable_higher_order_debug &&
+	 */
 	if (disable_higher_order_debug) {
 		/*
 		 * Disable debugging flags that store metadata if the min slab
@@ -3624,6 +5532,9 @@ static int kmem_cache_open(struct kmem_cache *s, unsigned long flags)
 	if (!init_kmem_cache_nodes(s))
 		goto error;
 
+	/*
+	 * 似乎成功了返回1
+	 */
 	if (alloc_kmem_cache_cpus(s))
 		return 0;
 
@@ -3636,6 +5547,10 @@ static int kmem_cache_open(struct kmem_cache *s, unsigned long flags)
 	return -EINVAL;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|5561| <<free_partial>> list_slab_objects(s, page,
+ */
 static void list_slab_objects(struct kmem_cache *s, struct page *page,
 							const char *text)
 {
@@ -4167,8 +6082,21 @@ static struct kmem_cache * __init bootstrap(struct kmem_cache *static_cache)
 	return s;
 }
 
+/*
+ * called by:
+ *   - init/main.c|503| <<mm_init>> kmem_cache_init();
+ */
 void __init kmem_cache_init(void)
 {
+	/*
+	 * 在以下使用boot_kmem_cache:
+	 *   - mm/slub.c|4217| <<kmem_cache_init>> kmem_cache = &boot_kmem_cache;
+	 *   - mm/slub.c|4232| <<kmem_cache_init>> kmem_cache = bootstrap(&boot_kmem_cache);
+	 *
+	 * 在以下使用boot_kmem_cache_node:
+	 *   - mm/slub.c|4216| <<kmem_cache_init>> kmem_cache_node = &boot_kmem_cache_node;
+	 *   - mm/slub.c|4239| <<kmem_cache_init>> kmem_cache_node = bootstrap(&boot_kmem_cache_node);
+	 */
 	static __initdata struct kmem_cache boot_kmem_cache,
 		boot_kmem_cache_node;
 
@@ -4220,6 +6148,42 @@ void __init kmem_cache_init_late(void)
 {
 }
 
+/*
+ * s->offset是从object base (不是red left base)开始到达下一个fp的距离
+ * s->inuse似乎也是这个意思??
+ *
+ * "kmalloc-128"在slub_debug=PZUF下的layout:
+ * s->offset和s->inuse都是136
+ *
+ * -----------------
+ * 8 (red left pad)
+ * 128 (object)
+ * 8 (redzone pad)
+ * 8 (fp)
+ * 304 (track)
+ * 8 (padding, 尽力防止track或者fp被overwrite)
+ * -----------------
+ * 8 (red left pad)
+ * 128 (object)
+ * 8 (redzone pad)
+ * 8 (fp)
+ * 304 (track)
+ * 8 (padding, 尽力防止track或者fp被overwrite)
+ * -----------------
+ * 8 (red left pad)
+ * 128 (object)
+ * 8 (redzone pad)
+ * 8 (fp)
+ * 304 (track)
+ * 8 (padding, 尽力防止track或者fp被overwrite)
+ * -----------------
+
+ * called by:
+ *   - mm/slab_common.c|475| <<kmem_cache_create>> s = __kmem_cache_alias(name, size, align, flags, ctor);
+ *
+ * 该函数检查已创建的slab是否存在与当前想要创建的slab的对象大小相
+ * 匹配的,如果有则通过别名合并到一个缓存中进行访问.
+ */
 struct kmem_cache *
 __kmem_cache_alias(const char *name, size_t size, size_t align,
 		   unsigned long flags, void (*ctor)(void *))
@@ -4252,6 +6216,22 @@ __kmem_cache_alias(const char *name, size_t size, size_t align,
 	return s;
 }
 
+/*
+ * 初始化kmalloc-128:
+ * [0] kmem_cach_open
+ * [0] __kmem_cache_create
+ * [0] create_boot_cache
+ * [0] create_kmalloc_cache
+ * [0] new_kmalloc_cache
+ * [0] create_kmalloc_caches
+ * [0] kmem_cache_init
+ * [0] start_kernel
+ * [0] secondary_startup_64
+ *
+ * called by:
+ *   - mm/slab_common.c|390| <<create_cache>> err = __kmem_cache_create(s, flags);
+ *   - mm/slab_common.c|896| <<create_boot_cache>> err = __kmem_cache_create(s, flags);
+ */
 int __kmem_cache_create(struct kmem_cache *s, unsigned long flags)
 {
 	int err;
@@ -4337,6 +6317,15 @@ static int count_total(struct page *page)
 #endif
 
 #ifdef CONFIG_SLUB_DEBUG
+/*
+ * called by:
+ *   - mm/slub.c|4794| <<validate_slab_slab>> validate_slab(s, page, map);
+ *
+ * validate_slab_cache()
+ *  -> validate_slab_node()
+ *      -> validate_slab_slab()
+ *          -> validate_slab()
+ */
 static int validate_slab(struct kmem_cache *s, struct page *page,
 						unsigned long *map)
 {
@@ -4364,6 +6353,11 @@ static int validate_slab(struct kmem_cache *s, struct page *page,
 	return 1;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|4808| <<validate_slab_node>> validate_slab_slab(s, page, map);
+ *   - mm/slub.c|4819| <<validate_slab_node>> validate_slab_slab(s, page, map);
+ */
 static void validate_slab_slab(struct kmem_cache *s, struct page *page,
 						unsigned long *map)
 {
@@ -4372,6 +6366,10 @@ static void validate_slab_slab(struct kmem_cache *s, struct page *page,
 	slab_unlock(page);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|4844| <<validate_slab_cache>> count += validate_slab_node(s, n, map);
+ */
 static int validate_slab_node(struct kmem_cache *s,
 		struct kmem_cache_node *n, unsigned long *map)
 {
@@ -4405,6 +6403,16 @@ static int validate_slab_node(struct kmem_cache *s,
 	return count;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|5091| <<resiliency_test>> validate_slab_cache(kmalloc_caches[4]);
+ *   - mm/slub.c|5100| <<resiliency_test>> validate_slab_cache(kmalloc_caches[5]);
+ *   - mm/slub.c|5107| <<resiliency_test>> validate_slab_cache(kmalloc_caches[6]);
+ *   - mm/slub.c|5114| <<resiliency_test>> validate_slab_cache(kmalloc_caches[7]);
+ *   - mm/slub.c|5120| <<resiliency_test>> validate_slab_cache(kmalloc_caches[8]);
+ *   - mm/slub.c|5126| <<resiliency_test>> validate_slab_cache(kmalloc_caches[9]);
+ *   - mm/slub.c|5624| <<validate_store>> ret = validate_slab_cache(s);
+ */
 static long validate_slab_cache(struct kmem_cache *s)
 {
 	int node;
@@ -4472,6 +6480,10 @@ static int alloc_loc_track(struct loc_track *t, unsigned long max, gfp_t flags)
 	return 1;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|6076| <<process_slab>> add_location(t, s, get_track(s, p, alloc));
+ */
 static int add_location(struct loc_track *t, struct kmem_cache *s,
 				const struct track *track)
 {
@@ -4548,6 +6560,11 @@ static int add_location(struct loc_track *t, struct kmem_cache *s,
 	return 1;
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|6107| <<list_locations>> process_slab(&t, s, page, alloc, map);
+ *   - mm/slub.c|6109| <<list_locations>> process_slab(&t, s, page, alloc, map);
+ */
 static void process_slab(struct loc_track *t, struct kmem_cache *s,
 		struct page *page, enum track_item alloc,
 		unsigned long *map)
@@ -4563,6 +6580,11 @@ static void process_slab(struct loc_track *t, struct kmem_cache *s,
 			add_location(t, s, get_track(s, p, alloc));
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|6726| <<alloc_calls_show>> return list_locations(s, buf, TRACK_ALLOC);
+ *   - mm/slub.c|6734| <<free_calls_show>> return list_locations(s, buf, TRACK_FREE);
+ */
 static int list_locations(struct kmem_cache *s, char *buf,
 					enum track_item alloc)
 {
@@ -4837,11 +6859,27 @@ static ssize_t show_slab_objects(struct kmem_cache *s,
 }
 
 #ifdef CONFIG_SLUB_DEBUG
+/*
+ * called by:
+ *   - mm/slub.c|6735| <<red_zone_store>> if (any_slab_objects(s))
+ *   - mm/slub.c|6755| <<poison_store>> if (any_slab_objects(s))
+ *   - mm/slub.c|6775| <<store_user_store>> if (any_slab_objects(s))
+ */
 static int any_slab_objects(struct kmem_cache *s)
 {
 	int node;
 	struct kmem_cache_node *n;
 
+	/*
+	 * 增加减少和获取total_objects的地方:
+	 *   - mm/slub.c|1713| <<inc_slabs_node>> atomic_long_add(objects, &n->total_objects);
+	 *   - mm/slub.c|1725| <<dec_slabs_node>> atomic_long_sub(objects, &n->total_objects);
+	 *   - mm/slub.c|4756| <<init_kmem_cache_node>> atomic_long_set(&n->total_objects, 0);
+	 *   - mm/slub.c|3558| <<node_nr_objs>> return atomic_long_read(&n->total_objects);
+	 *   - mm/slub.c|6399| <<show_slab_objects>> x = atomic_long_read(&n->total_objects);
+	 *   - mm/slub.c|6401| <<show_slab_objects>> x = atomic_long_read(&n->total_objects) -
+	 *   - mm/slub.c|6444| <<any_slab_objects>> if (atomic_long_read(&n->total_objects))
+	 */
 	for_each_kmem_cache_node(s, node, n)
 		if (atomic_long_read(&n->total_objects))
 			return 1;
@@ -5182,6 +7220,10 @@ static ssize_t store_user_store(struct kmem_cache *s,
 		s->flags &= ~__CMPXCHG_DOUBLE;
 		s->flags |= SLAB_STORE_USER;
 	}
+	/*
+	 * calculate_sizes() determines the order and the distribution of data within
+	 * a slab object.
+	 */
 	calculate_sizes(s, -1);
 	return length;
 }
@@ -5437,6 +7479,10 @@ static struct attribute *slab_attrs[] = {
 	NULL
 };
 
+/*
+ * 在以下使用slab_attr_group:
+ *   - mm/slub.c|7305| <<sysfs_slab_add>> err = sysfs_create_group(&s->kobj, &slab_attr_group);
+ */
 static const struct attribute_group slab_attr_group = {
 	.attrs = slab_attrs,
 };
@@ -5611,6 +7657,10 @@ static inline struct kset *cache_kset(struct kmem_cache *s)
  *
  * Format	:[flags-]size
  */
+/*
+ * called by:
+ *   - mm/slub.c|7325| <<sysfs_slab_add>> name = create_unique_id(s);
+ */
 static char *create_unique_id(struct kmem_cache *s)
 {
 	char *name = kmalloc(ID_STR_LENGTH, GFP_KERNEL);
@@ -5664,6 +7714,11 @@ static void sysfs_slab_remove_workfn(struct work_struct *work)
 	kobject_put(&s->kobj);
 }
 
+/*
+ * called by:
+ *   - mm/slub.c|4268| <<__kmem_cache_create>> err = sysfs_slab_add(s);
+ *   - mm/slub.c|5811| <<slab_sysfs_init>> err = sysfs_slab_add(s);
+ */
 static int sysfs_slab_add(struct kmem_cache *s)
 {
 	int err;
@@ -5766,6 +7821,14 @@ struct saved_alias {
 	struct saved_alias *next;
 };
 
+/*
+ * 在以下使用alias_list:
+ *   - mm/slub.c|7420| <<sysfs_slab_alias>> al->next = alias_list; 
+ *   - mm/slub.c|7421| <<sysfs_slab_alias>> alias_list = al;
+ *   - mm/slub.c|7448| <<slab_sysfs_init>> while (alias_list) {
+ *   - mm/slub.c|7449| <<slab_sysfs_init>> struct saved_alias *al = alias_list;
+ *   - mm/slub.c|7451| <<slab_sysfs_init>> alias_list = alias_list->next;
+ */
 static struct saved_alias *alias_list;
 
 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
@@ -5837,6 +7900,11 @@ __initcall(slab_sysfs_init);
  * The /proc/slabinfo ABI
  */
 #ifdef CONFIG_SLABINFO
+/*
+ * called by:
+ *   - mm/slab_common.c|1247| <<memcg_accumulate_slabinfo>> get_slabinfo(c, &sinfo);
+ *   - mm/slab_common.c|1262| <<cache_show>> get_slabinfo(s, &sinfo);
+ */
 void get_slabinfo(struct kmem_cache *s, struct slabinfo *sinfo)
 {
 	unsigned long nr_slabs = 0;
@@ -5845,6 +7913,9 @@ void get_slabinfo(struct kmem_cache *s, struct slabinfo *sinfo)
 	int node;
 	struct kmem_cache_node *n;
 
+	/*
+	 * 对于s中的每一个struct kmem_cache_node *node[MAX_NUMNODES];
+	 */
 	for_each_kmem_cache_node(s, node, n) {
 		nr_slabs += node_nr_slabs(n);
 		nr_objs += node_nr_objs(n);
@@ -5859,10 +7930,17 @@ void get_slabinfo(struct kmem_cache *s, struct slabinfo *sinfo)
 	sinfo->cache_order = oo_order(s->oo);
 }
 
+/*
+ * called by:
+ *   - mm/slab_common.c|1471| <<cache_show>> slabinfo_show_stats(m, s);
+ */
 void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *s)
 {
 }
 
+/*
+ * struct file_operations proc_slabinfo_operations.write = slabinfo_write()
+ */
 ssize_t slabinfo_write(struct file *file, const char __user *buffer,
 		       size_t count, loff_t *ppos)
 {
diff --git a/tools/vm/slabinfo.c b/tools/vm/slabinfo.c
index 3fe09325..f05d12fd 100644
--- a/tools/vm/slabinfo.c
+++ b/tools/vm/slabinfo.c
@@ -702,6 +702,10 @@ static int slab_empty(struct slabinfo *s)
 	return 1;
 }
 
+/*
+ * called by:
+ *   - tools/vm/slabinfo.c|1292| <<output_slabs>> slab_debug(slab);
+ */
 static void slab_debug(struct slabinfo *s)
 {
 	if (strcmp(s->name, "*") == 0)
@@ -1266,6 +1270,12 @@ static void read_slab_dir(void)
 		fatal("Too many aliases\n");
 }
 
+/*
+ * called by:
+ *   - tools/vm/slabinfo.c|1314| <<xtotals>> output_slabs();
+ *   - tools/vm/slabinfo.c|1322| <<xtotals>> output_slabs();
+ *   - tools/vm/slabinfo.c|1471| <<main>> output_slabs();
+ */
 static void output_slabs(void)
 {
 	struct slabinfo *slab;
-- 
2.17.1