lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 22 Feb 2014 04:31:44 +0200
From:	"Kirill A. Shutemov" <kirill@...temov.name>
To:	Jay Cornwall <jay@...rnwall.me>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: put_page on transparent huge page leaks?

On Fri, Feb 21, 2014 at 11:23:39AM -0600, Jay Cornwall wrote:
> Hi,
> 
> I'm tracking a possible memory leak in iommu/amd. The driver uses this logic
> to fault a page in response to a PRI from a device:
> 
> npages = get_user_pages(fault->state->task, fault->state->mm,
>                         fault->address, 1, write, 0, &page, NULL);
> 
> if (npages == 1)
>         put_page(page);
> else
>         ...
> 
> This works correctly when get_user_pages returns a 4KB page. When
> transparent huge pages are enabled any 2MB page returned by this call
> appears to leak on process exit. The non-cached memory usage stays elevated
> by the set of faulted 2MB pages. This behavior is not observed when the
> exception handler demand faults 2MB pages.
> 
> I notice there is a difference in reference count between the 4KB/2MB paths.
> 
> get_user_pages (4KB): page_count()=3, page_mapcount()=1
> put_page       (4KB): page_count()=2, page_mapcount()=1
> 
> get_user_pages (2MB): page_count()=3, page_mapcount()=1
> put_page       (2MB): page_count()=3, page_mapcount()=0
> 
> I'm concerned that the driver appears to be holding a reference count after
> put_page(). Am I interpreting this observation correctly?

Could you show output of dump_page() on 2M pages for both points?

My guess is that your page is PageTail(). Refcounting for tail pages is
different: on get_page() we increase *->_mapcount* of tail and increase
->_count of relevant head page. ->_count of tail pages should always be
zero, but it's 3 in your case which is odd.

BTW, I don't see where you take mmap_sem in drivers/iommu/amd_iommu_v2.c,
which is required for gup. Do I miss something?

-- 
 Kirill A. Shutemov
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ