lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.LFD.2.00.1103081713030.2167@dhcp-27-109.brq.redhat.com>
Date:	Tue, 8 Mar 2011 17:13:31 +0100 (CET)
From:	Lukas Czerner <lczerner@...hat.com>
To:	Zhang Huan <zhhuan@...il.com>
cc:	Lukas Czerner <lczerner@...hat.com>, linux-ext4@...r.kernel.org
Subject: Re: potential memory leak on transaction commit

On Tue, 8 Mar 2011, Zhang Huan wrote:

> 
> On Tue, 8 Mar 2011, Lukas Czerner wrote:
> 
> > On Tue, 8 Mar 2011, Zhang Huan wrote:
> > 
> > > Hi all,
> > > 
> > > There is potential memory leak of journal head in function
> > > jbd2_journal_commit_transaction. The problem is that JBD2 will not
> > > reclaim the journal head of commit record if error occurs or journal is
> > > abotred.
> > > 
> > > I use the following script to reproduce this issue, on a RHEL6 system. I
> > > found it very easy to reproduce with async commit enabled.
> > > 
> > > mount /dev/sdb /mnt -o journal_checksum,journal_async_commit
> > > touch /mnt/xxx
> > > echo offline > /sys/block/sdb/device/state
> > > sync
> > > umount /mnt
> > > rmmod ext4
> > > rmmod jbd2
> > > 
> > > Removal of the jbd2 module will make slab complaining that
> > > "cache `jbd2_journal_head': can't free all objects".
> > > 
> > > 
> > > Here is my fix for this issue. The commit record should be reclaimed no
> > > matter error occurs or not.
> > > 
> > > diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
> > > index f3ad159..37a973a 100644
> > > --- a/fs/jbd2/commit.c
> > > +++ b/fs/jbd2/commit.c
> > > @@ -105,6 +105,8 @@ static int journal_submit_commit_record(journal_t
> > > *journal,
> > >  	int ret;
> > >  	struct timespec now = current_kernel_time();
> > > 
> > > +	*cbh = NULL;
> > > +
> > >  	if (is_journal_aborted(journal))
> > >  		return 0;
> > > 
> > > @@ -808,7 +810,7 @@ wait_for_iobuf:
> > >  		if (err)
> > >  			__jbd2_journal_abort_hard(journal);
> > >  	}
> > > -	if (!err && !is_journal_aborted(journal))
> > > +	if (cbh)
> > 
> > Hi,
> > 
> > I wonder if we could do rather this:
> > 
> > 	if (!err && !is_journal_aborted(journal))
> > 		err = journal_wait_on_commit_record(journal, cbh);
> > 	else if (cbh) {
> > 		put_bh(cbh);
> > 		jbd2_journal_put_journal_head(bh2jh(cbh));
> > 	}
> > 
> > I think this is more readable...
> 
> Hi,
> 
> I don't think it is a good idea. Anyway, you need to wait for buffer to
> complete, and then release journal head on it. That is exactly what
> journal_wait_on_commit_record does.

Oh, I see. Ok then ignore me :)

Thanks!
-Lukas

> 
> > 
> > Thanks!
> > -Lukas
> > 
> > >  		err = journal_wait_on_commit_record(journal, cbh);
> > >  	if (JBD2_HAS_INCOMPAT_FEATURE(journal,
> > >  				      JBD2_FEATURE_INCOMPAT_ASYNC_COMMIT) &&
> > > 
> > > 
> > > 
> > > PS: Just out of curiosity, why would journal_submit_commit_record return a
> > > value of 1 instead of an error number if get descriptor buffer is failed.
> > > 
> > > 
> > > Zhang Huan
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> > > the body of a message to majordomo@...r.kernel.org
> > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > > 
> > 
> > -- 
> > 
> 
> Zhang Huan
> 

-- 
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ