12:41 p.m.
For a while, I've been seeing a pretty serious leak in slab-32 entries in -mm
kernels. Doing a quilt bisection on -mm calls out git-audit.patch as the
offender.
In kernel/auditsc.c, we have audit_inode_context(), which does:
ctx = kmalloc(len, GFP_KERNEL);
...
context->names[idx].ctx = ctx;
but the only obvious kfree() I can find is in audit_free_names(), but that
one is (a) inside an if statement along with a printk(KERN_ERR) and (b) has
a '#if AUDIT_DEBUG == 2' around it.
[/usr/src/linux-2.6.16-rc4-mm2/kernel]1 grep -n '\.ctx' *.c
auditsc.c:384: kfree(context->names[i].ctx);
auditsc.c:686: if (context->names[i].ctx) {
auditsc.c:688: context->names[i].ctx);
auditsc.c:961: context->names[idx].ctx = ctx;
Is this my memory leak? If so, who is supposed to be freeing it?
1:37 p.m.
On Fri, 2006-02-24 at 13:41 -0500, Valdis.Kletnieks(a)vt.edu wrote:
For a while, I've been seeing a pretty serious leak in slab-32
entries in -mm
kernels. Doing a quilt bisection on -mm calls out git-audit.patch as the
offender.
In kernel/auditsc.c, we have audit_inode_context(), which does:
ctx = kmalloc(len, GFP_KERNEL);
...
context->names[idx].ctx = ctx;
but the only obvious kfree() I can find is in audit_free_names(), but that
one is (a) inside an if statement along with a printk(KERN_ERR) and (b) has
a '#if AUDIT_DEBUG == 2' around it.
[/usr/src/linux-2.6.16-rc4-mm2/kernel]1 grep -n '\.ctx' *.c
auditsc.c:384: kfree(context->names[i].ctx);
auditsc.c:686: if (context->names[i].ctx) {
auditsc.c:688: context->names[i].ctx);
auditsc.c:961: context->names[idx].ctx = ctx;
Is this my memory leak? If so, who is supposed to be freeing it?
It does look to be so, and I'm looking at the proper place to fix this.
Thanks.
:-Dustin
1:40 p.m.
On Fri, Feb 24, 2006 at 01:41:24PM -0500, Valdis.Kletnieks(a)vt.edu wrote:
For a while, I've been seeing a pretty serious leak in slab-32
entries in -mm
kernels. Doing a quilt bisection on -mm calls out git-audit.patch as the
offender.
In kernel/auditsc.c, we have audit_inode_context(), which does:
ctx = kmalloc(len, GFP_KERNEL);
...
context->names[idx].ctx = ctx;
but the only obvious kfree() I can find is in audit_free_names(), but that
one is (a) inside an if statement along with a printk(KERN_ERR) and (b) has
a '#if AUDIT_DEBUG == 2' around it.
[/usr/src/linux-2.6.16-rc4-mm2/kernel]1 grep -n '\.ctx' *.c
auditsc.c:384: kfree(context->names[i].ctx);
auditsc.c:686: if (context->names[i].ctx) {
auditsc.c:688: context->names[i].ctx);
auditsc.c:961: context->names[idx].ctx = ctx;
Is this my memory leak? If so, who is supposed to be freeing it?
That kfree is misplaced. It should be here. Does this solve it on
your end?
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4626c35..1867fc3 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -381,7 +381,6 @@ static inline void audit_free_names(stru
printk(KERN_ERR "names[%d] = %p = %s\n", i,
context->names[i].name,
context->names[i].name ?: "(null)");
- kfree(context->names[i].ctx);
}
dump_stack();
return;
@@ -392,9 +391,11 @@ static inline void audit_free_names(stru
context->ino_count = 0;
#endif
- for (i = 0; i < context->name_count; i++)
+ for (i = 0; i < context->name_count; i++) {
if (context->names[i].name)
__putname(context->names[i].name);
+ kfree(context->names[i].ctx);
+ }
context->name_count = 0;
if (context->pwd)
dput(context->pwd);
1:54 p.m.
On Fri, 2006-02-24 at 14:40 -0500, Amy Griffis wrote:
On Fri, Feb 24, 2006 at 01:41:24PM -0500, Valdis.Kletnieks(a)vt.edu
wrote:
> For a while, I've been seeing a pretty serious leak in slab-32 entries in -mm
> kernels. Doing a quilt bisection on -mm calls out git-audit.patch as the
> offender.
>
> In kernel/auditsc.c, we have audit_inode_context(), which does:
>
> ctx = kmalloc(len, GFP_KERNEL);
> ...
> context->names[idx].ctx = ctx;
>
> but the only obvious kfree() I can find is in audit_free_names(), but that
> one is (a) inside an if statement along with a printk(KERN_ERR) and (b) has
> a '#if AUDIT_DEBUG == 2' around it.
>
> [/usr/src/linux-2.6.16-rc4-mm2/kernel]1 grep -n '\.ctx' *.c
> auditsc.c:384: kfree(context->names[i].ctx);
> auditsc.c:686: if (context->names[i].ctx) {
> auditsc.c:688: context->names[i].ctx);
> auditsc.c:961: context->names[idx].ctx = ctx;
>
> Is this my memory leak? If so, who is supposed to be freeing it?
That kfree is misplaced. It should be here. Does this solve it on
your end?
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4626c35..1867fc3 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -381,7 +381,6 @@ static inline void audit_free_names(stru
printk(KERN_ERR "names[%d] = %p = %s\n", i,
context->names[i].name,
context->names[i].name ?: "(null)");
- kfree(context->names[i].ctx);
}
dump_stack();
return;
@@ -392,9 +391,11 @@ static inline void audit_free_names(stru
context->ino_count = 0;
#endif
- for (i = 0; i < context->name_count; i++)
+ for (i = 0; i < context->name_count; i++) {
if (context->names[i].name)
__putname(context->names[i].name);
+ kfree(context->names[i].ctx);
+ }
context->name_count = 0;
if (context->pwd)
dput(context->pwd);
That's exactly the change I was about to suggest. However, I'm in the
process of figuring out what the heck audit_free_names() does... It
appears to mask its freeing functionality and I'm digging deeper into
it.
:-Dustin
2:11 p.m.
On Fri, 24 Feb 2006 14:40:25 EST, Amy Griffis said:
That kfree is misplaced. It should be here. Does this solve it on
your end?
Seems to, with a small tweak..
if (context->names[i].name)
__putname(context->names[i].name);
+ kfree(context->names[i].ctx);
+ context->names[i].ctx = NULL;
+ }
Can this thing legitimately get called twice for a given object? I needed the
added line above to shut up a huge flood of 'double kfree'. If this doesn't
ring a bell, I'll go back and catch the dmesg so we can troubleshoot it.
2:33 p.m.
Updated patch for Al's sake. Assuming no other arguments, would you
please apply, Al?
:-Dustin
--- a/kernel/auditsc.c 2006-02-24 14:28:39.000000000 -0600
+++ b/kernel/auditsc.c 2006-02-24 14:30:25.000000000 -0600
@@ -380,7 +380,6 @@ static inline void audit_free_names(stru
printk(KERN_ERR "names[%d] = %p = %s\n", i,
context->names[i].name,
context->names[i].name ?: "(null)");
- kfree(context->names[i].ctx);
}
dump_stack();
return;
@@ -391,9 +390,13 @@ static inline void audit_free_names(stru
context->ino_count = 0;
#endif
- for (i = 0; i < context->name_count; i++)
+ for (i = 0; i < context->name_count; i++) {
+ char *p = context->names[i].ctx;
+ context->names[i].ctx = NULL;
+ kfree(p);
if (context->names[i].name)
__putname(context->names[i].name);
+ }
context->name_count = 0;
if (context->pwd)
dput(context->pwd);
2:35 p.m.
On Fri, Feb 24, 2006 at 03:11:44PM -0500, Valdis.Kletnieks(a)vt.edu wrote:
On Fri, 24 Feb 2006 14:40:25 EST, Amy Griffis said:
> That kfree is misplaced. It should be here. Does this solve it on
> your end?
Seems to, with a small tweak..
> if (context->names[i].name)
> __putname(context->names[i].name);
> + kfree(context->names[i].ctx);
+ context->names[i].ctx = NULL;
> + }
Can this thing legitimately get called twice for a given object?
I needed the added line above to shut up a huge flood of 'double
kfree'. If this doesn't ring a bell, I'll go back and catch the
dmesg so we can troubleshoot it.
Ah, yes. Looks like audit_free_names is called on syscall exit and
task termination. Your fix makes sense to me.
Amy
6875
days inactive
6875
days old
linux-audit@lists.linux-audit.osci.io
7 comments
4 participants
participants (4)
-
Amy Griffis -
Dustin Kirkland -
Steve Grubb -
Valdis.Kletnieks@vt.edu