| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Feb 2017 15:32:22 +0800
From: "Huang\, Ying" <ying.huang@...el.com>
To: Hugh Dickins <hughd@...gle.com>
Cc: Tim Chen <tim.c.chen@...ux.intel.com>,
"Huang\, Ying" <ying.huang@...el.com>,
Minchan Kim <minchan@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
<linux-kernel@...r.kernel.org>, <linux-mm@...ck.org>
Subject: Re: swap_cluster_info lockdep splat
Hi, Hugh,
Hugh Dickins <hughd@...gle.com> writes:
> On Thu, 16 Feb 2017, Tim Chen wrote:
>>
>> > I do not understand your zest for putting wrappers around every little
>> > thing, making it all harder to follow than it need be. Here's the patch
>> > I've been running with (but you have a leak somewhere, and I don't have
>> > time to search out and fix it: please try sustained swapping and swapoff).
>> >
>>
>> Hugh, trying to duplicate your test case. So you were doing swapping,
>> then swap off, swap on the swap device and restart swapping?
>
> Repeated pair of make -j20 kernel builds in 700M RAM, 1.5G swap on SSD,
> 8 cpus; one of the builds in tmpfs, other in ext4 on loop on tmpfs file;
> sizes tuned for plenty of swapping but no OOMing (it's an ancient 2.6.24
> kernel I build, modern one needing a lot more space with a lot less in use).
>
> How much of that is relevant I don't know: hopefully none of it, it's
> hard to get the tunings right from scratch. To answer your specific
> question: yes, I'm not doing concurrent swapoffs in this test showing
> the leak, just waiting for each of the pair of builds to complete,
> then tearing down the trees, doing swapoff followed by swapon, and
> starting a new pair of builds.
>
> Sometimes it's the swapoff that fails with ENOMEM, more often it's a
> fork during build that fails with ENOMEM: after 6 or 7 hours of load
> (but timings show it getting slower leading up to that). /proc/meminfo
> did not give me an immediate clue, Slab didn't look surprising but
> I may not have studied close enough.
>
> I quilt-bisected it as far as the mm-swap series, good before, bad
> after, but didn't manage to narrow it down further because of hitting
> a presumably different issue inside the series, where swapoff ENOMEMed
> much sooner (after 25 mins one time, during first iteration the next).
I found a memory leak in __read_swap_cache_async() introduced by mm-swap
series, and confirmed it via testing. Could you verify whether it fixed
your cases? Thanks a lot for reporting.
Best Regards,
Huang, Ying
------------------------------------------------------------------------->
>From 4b96423796ab7435104eb2cb4dcf5d525b9e0800 Mon Sep 17 00:00:00 2001
From: Huang Ying <ying.huang@...el.com>
Date: Fri, 17 Feb 2017 10:31:37 +0800
Subject: [PATCH] mm, swap: Fix memory leak in __read_swap_cache_async()
The memory may be leaked in __read_swap_cache_async(). For the cases
as below,
CPU 0 CPU 1
----- -----
find_get_page() == NULL
__swp_swapcount() != 0
new_page = alloc_page_vma()
radix_tree_maybe_preload()
swap in swap slot
swapcache_prepare() == -EEXIST
cond_resched()
reclaim the swap slot
find_get_page() == NULL
__swp_swapcount() == 0
return NULL <- new_page leaked here !!!
The memory leak has been confirmed via checking the value of new_page
when returning inside the loop in __read_swap_cache_async().
This is fixed via replacing return with break inside of loop in
__read_swap_cache_async(), so that there is opportunity for the
new_page to be checked and freed.
Reported-by: Hugh Dickins <hughd@...gle.com>
Cc: Tim Chen <tim.c.chen@...ux.intel.com>
Signed-off-by: "Huang, Ying" <ying.huang@...el.com>
---
mm/swap_state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/swap_state.c b/mm/swap_state.c
index 2126e9ba23b2..473b71e052a8 100644
--- a/mm/swap_state.c
+++ b/mm/swap_state.c
@@ -333,7 +333,7 @@ struct page *__read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask,
* else swap_off will be aborted if we return NULL.
*/
if (!__swp_swapcount(entry) && swap_slot_cache_enabled)
- return NULL;
+ break;
/*
* Get a new page to read into from swap.
--
2.11.0
Powered by blists - more mailing lists