lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 17 Feb 2017 15:32:22 +0800
From:   "Huang\, Ying" <>
To:     Hugh Dickins <>
Cc:     Tim Chen <>,
        "Huang\, Ying" <>,
        Minchan Kim <>,
        Andrew Morton <>,
        <>, <>
Subject: Re: swap_cluster_info lockdep splat

Hi, Hugh,

Hugh Dickins <> writes:

> On Thu, 16 Feb 2017, Tim Chen wrote:
>> > I do not understand your zest for putting wrappers around every little
>> > thing, making it all harder to follow than it need be.  Here's the patch
>> > I've been running with (but you have a leak somewhere, and I don't have
>> > time to search out and fix it: please try sustained swapping and swapoff).
>> > 
>> Hugh, trying to duplicate your test case.  So you were doing swapping,
>> then swap off, swap on the swap device and restart swapping?
> Repeated pair of make -j20 kernel builds in 700M RAM, 1.5G swap on SSD,
> 8 cpus; one of the builds in tmpfs, other in ext4 on loop on tmpfs file;
> sizes tuned for plenty of swapping but no OOMing (it's an ancient 2.6.24
> kernel I build, modern one needing a lot more space with a lot less in use).
> How much of that is relevant I don't know: hopefully none of it, it's
> hard to get the tunings right from scratch.  To answer your specific
> question: yes, I'm not doing concurrent swapoffs in this test showing
> the leak, just waiting for each of the pair of builds to complete,
> then tearing down the trees, doing swapoff followed by swapon, and
> starting a new pair of builds.
> Sometimes it's the swapoff that fails with ENOMEM, more often it's a
> fork during build that fails with ENOMEM: after 6 or 7 hours of load
> (but timings show it getting slower leading up to that).  /proc/meminfo
> did not give me an immediate clue, Slab didn't look surprising but
> I may not have studied close enough.
> I quilt-bisected it as far as the mm-swap series, good before, bad
> after, but didn't manage to narrow it down further because of hitting
> a presumably different issue inside the series, where swapoff ENOMEMed
> much sooner (after 25 mins one time, during first iteration the next).

I found a memory leak in __read_swap_cache_async() introduced by mm-swap
series, and confirmed it via testing.  Could you verify whether it fixed
your cases?  Thanks a lot for reporting.

Best Regards,
Huang, Ying

>From 4b96423796ab7435104eb2cb4dcf5d525b9e0800 Mon Sep 17 00:00:00 2001
From: Huang Ying <>
Date: Fri, 17 Feb 2017 10:31:37 +0800
Subject: [PATCH] mm, swap: Fix memory leak in __read_swap_cache_async()

The memory may be leaked in __read_swap_cache_async().  For the cases
as below,

CPU 0						CPU 1
-----						-----

find_get_page() == NULL
__swp_swapcount() != 0
new_page = alloc_page_vma()
						swap in swap slot
swapcache_prepare() == -EEXIST
						reclaim the swap slot
find_get_page() == NULL
__swp_swapcount() == 0
return NULL				<- new_page leaked here !!!

The memory leak has been confirmed via checking the value of new_page
when returning inside the loop in __read_swap_cache_async().

This is fixed via replacing return with break inside of loop in
__read_swap_cache_async(), so that there is opportunity for the
new_page to be checked and freed.

Reported-by: Hugh Dickins <>
Cc: Tim Chen <>
Signed-off-by: "Huang, Ying" <>
 mm/swap_state.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/swap_state.c b/mm/swap_state.c
index 2126e9ba23b2..473b71e052a8 100644
--- a/mm/swap_state.c
+++ b/mm/swap_state.c
@@ -333,7 +333,7 @@ struct page *__read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask,
 		 * else swap_off will be aborted if we return NULL.
 		if (!__swp_swapcount(entry) && swap_slot_cache_enabled)
-			return NULL;
+			break;
 		 * Get a new page to read into from swap.

Powered by blists - more mailing lists