| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ff08f2ccbcd50d2d353392a81defe619@jcornwall.me>
Date: Fri, 21 Feb 2014 11:23:39 -0600
From: Jay Cornwall <jay@...rnwall.me>
To: linux-kernel@...r.kernel.org
Subject: put_page on transparent huge page leaks?
Hi,
I'm tracking a possible memory leak in iommu/amd. The driver uses this
logic to fault a page in response to a PRI from a device:
npages = get_user_pages(fault->state->task, fault->state->mm,
fault->address, 1, write, 0, &page, NULL);
if (npages == 1)
put_page(page);
else
...
This works correctly when get_user_pages returns a 4KB page. When
transparent huge pages are enabled any 2MB page returned by this call
appears to leak on process exit. The non-cached memory usage stays
elevated by the set of faulted 2MB pages. This behavior is not observed
when the exception handler demand faults 2MB pages.
I notice there is a difference in reference count between the 4KB/2MB
paths.
get_user_pages (4KB): page_count()=3, page_mapcount()=1
put_page (4KB): page_count()=2, page_mapcount()=1
get_user_pages (2MB): page_count()=3, page_mapcount()=1
put_page (2MB): page_count()=3, page_mapcount()=0
I'm concerned that the driver appears to be holding a reference count
after put_page(). Am I interpreting this observation correctly?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists