| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Jan 2024 11:13:21 +0800
From: Ethan Zhao <haifeng.zhao@...ux.intel.com>
To: Ido Schimmel <idosch@...sch.org>, Robin Murphy <robin.murphy@....com>
Cc: joro@...tes.org, will@...nel.org, iommu@...ts.linux.dev,
linux-kernel@...r.kernel.org, zhangzekun11@...wei.com,
john.g.garry@...cle.com, dheerajkumar.srivastava@....com, jsnitsel@...hat.com
Subject: Re: [PATCH v3 0/2] iommu/iova: Make the rcache depot properly
flexible
On 12/28/2023 8:23 PM, Ido Schimmel wrote:
> On Tue, Sep 12, 2023 at 05:28:04PM +0100, Robin Murphy wrote:
>> v2: https://lore.kernel.org/linux-iommu/cover.1692641204.git.robin.murphy@arm.com/
>>
>> Hi all,
>>
>> I hope this is good to go now, just fixed the locking (and threw
>> lockdep at it to confirm, which of course I should have done to begin
>> with...) and picked up tags.
> Hi,
>
> After pulling the v6.7 changes we started seeing the following memory
> leaks [1] of 'struct iova_magazine'. I'm not sure how to reproduce it,
> which is why I didn't perform bisection. However, looking at the
> mentioned code paths, they seem to have been changed in v6.7 as part of
> this patchset. I reverted both patches and didn't see any memory leaks
> when running a full regression (~10 hours), but I will repeat it to be
> sure.
>
> Any idea what could be the problem?
>
> Thanks
>
> [1]
> unreferenced object 0xffff8881a5301000 (size 1024):
> comm "softirq", pid 0, jiffies 4306297099 (age 462.991s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 e7 7d 05 00 00 00 00 00 .........}......
Here the magazine is empty & loaded, size is 0.
> 0f b4 05 00 00 00 00 00 b4 96 05 00 00 00 00 00 ................
> backtrace:
> [<ffffffff819f5f08>] __kmem_cache_alloc_node+0x1e8/0x320
> [<ffffffff818a239a>] kmalloc_trace+0x2a/0x60
> [<ffffffff8231d31e>] free_iova_fast+0x28e/0x4e0
> [<ffffffff82310860>] fq_ring_free_locked+0x1b0/0x310
> [<ffffffff8231225d>] fq_flush_timeout+0x19d/0x2e0
> [<ffffffff813e95ba>] call_timer_fn+0x19a/0x5c0
> [<ffffffff813ea16b>] __run_timers+0x78b/0xb80
> [<ffffffff813ea5bd>] run_timer_softirq+0x5d/0xd0
> [<ffffffff82f1d915>] __do_softirq+0x205/0x8b5
>
> unreferenced object 0xffff8881392ec000 (size 1024):
> comm "softirq", pid 0, jiffies 4306326731 (age 433.359s)
> hex dump (first 32 bytes):
> 00 10 30 a5 81 88 ff ff 50 ff 0f 00 00 00 00 00 ..0.....P.......
The above *unreferenced object 0xffff8881a5301000* is referenced here,
00 10 30 a5 81 88 ff ff -> ff ff 88 81 a5 30 10 00
> f3 99 05 00 00 00 00 00 87 b7 05 00 00 00 00 00 ................
> backtrace:
> [<ffffffff819f5f08>] __kmem_cache_alloc_node+0x1e8/0x320
> [<ffffffff818a239a>] kmalloc_trace+0x2a/0x60
> [<ffffffff8231d31e>] free_iova_fast+0x28e/0x4e0
> [<ffffffff82310860>] fq_ring_free_locked+0x1b0/0x310
> [<ffffffff8231225d>] fq_flush_timeout+0x19d/0x2e0
> [<ffffffff813e95ba>] call_timer_fn+0x19a/0x5c0
> [<ffffffff813ea16b>] __run_timers+0x78b/0xb80
> [<ffffffff813ea5bd>] run_timer_softirq+0x5d/0xd0
> [<ffffffff82f1d915>] __do_softirq+0x205/0x8b5
>
> unreferenced object 0xffff8881411f9000 (size 1024):
> comm "softirq", pid 0, jiffies 4306708887 (age 51.459s)
> hex dump (first 32 bytes):
> 00 10 1c 26 81 88 ff ff 2c 96 05 00 00 00 00 00 ...&....,.......
> ac fe 0f 00 00 00 00 00 a6 fe 0f 00 00 00 00 00 ................
> backtrace:
> [<ffffffff819f5f08>] __kmem_cache_alloc_node+0x1e8/0x320
> [<ffffffff818a239a>] kmalloc_trace+0x2a/0x60
> [<ffffffff8231d31e>] free_iova_fast+0x28e/0x4e0
> [<ffffffff82310860>] fq_ring_free_locked+0x1b0/0x310
> [<ffffffff8231225d>] fq_flush_timeout+0x19d/0x2e0
> [<ffffffff813e95ba>] call_timer_fn+0x19a/0x5c0
> [<ffffffff813ea16b>] __run_timers+0x78b/0xb80
> [<ffffffff813ea5bd>] run_timer_softirq+0x5d/0xd0
> [<ffffffff82f1d915>] __do_softirq+0x205/0x8b5
>
> unreferenced object 0xffff88812be26400 (size 1024):
> comm "softirq", pid 0, jiffies 4306710027 (age 50.319s)
> hex dump (first 32 bytes):
> 00 c0 2e 39 81 88 ff ff 32 ab 05 00 00 00 00 00 ...9....2.......
> e3 ac 05 00 00 00 00 00 1f b6 05 00 00 00 00 00 ................
> backtrace:
> [<ffffffff819f5f08>] __kmem_cache_alloc_node+0x1e8/0x320
> [<ffffffff818a239a>] kmalloc_trace+0x2a/0x60
> [<ffffffff8231d31e>] free_iova_fast+0x28e/0x4e0
> [<ffffffff82310860>] fq_ring_free_locked+0x1b0/0x310
> [<ffffffff8231225d>] fq_flush_timeout+0x19d/0x2e0
> [<ffffffff813e95ba>] call_timer_fn+0x19a/0x5c0
> [<ffffffff813ea16b>] __run_timers+0x78b/0xb80
> [<ffffffff813ea5bd>] run_timer_softirq+0x5d/0xd0
> [<ffffffff82f1d915>] __do_softirq+0x205/0x8b5
>
> unreferenced object 0xffff8881261c1000 (size 1024):
> comm "softirq", pid 0, jiffies 4306711547 (age 48.799s)
> hex dump (first 32 bytes):
> 00 64 e2 2b 81 88 ff ff c0 7c 05 00 00 00 00 00 .d.+.....|......
The value of first 8 bytes is : ff ff 88 81 2b e2 64 00 (little endian)
this is the address of above object 0xffff88812be26400
so the struct is exactly the
struct iova_magazine { union { unsigned long size; struct iova_magazine
*next; }; unsigned long pfns[IOVA_MAG_SIZE]; };
when the magazine is stored in depot, the member *next is used to
pointer the next magazine.
But when the magzine is loaded, the size member is used,
This report should be *false positive* by kmemleak.
Thanks,
Ethan
> 87 a5 05 00 00 00 00 00 0e 9a 05 00 00 00 00 00 ................
> backtrace:
> [<ffffffff819f5f08>] __kmem_cache_alloc_node+0x1e8/0x320
> [<ffffffff818a239a>] kmalloc_trace+0x2a/0x60
> [<ffffffff8231d31e>] free_iova_fast+0x28e/0x4e0
> [<ffffffff82310860>] fq_ring_free_locked+0x1b0/0x310
> [<ffffffff8231225d>] fq_flush_timeout+0x19d/0x2e0
> [<ffffffff813e95ba>] call_timer_fn+0x19a/0x5c0
> [<ffffffff813ea16b>] __run_timers+0x78b/0xb80
> [<ffffffff813ea5bd>] run_timer_softirq+0x5d/0xd0
> [<ffffffff82f1d915>] __do_softirq+0x205/0x8b5
>
Powered by blists - more mailing lists