From: Catalin Marinas <catalin.marinas@arm.com>
To: Jaegeuk Kim <jaegeuk.kim@samsung.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>,
"Linux Kernel, Mailing List" <linux-kernel@vger.kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Subject: Re: [BUG] kmemleak on __radix_tree_preload
Date: Thu, 8 May 2014 11:24:36 +0100 [thread overview]
Message-ID: <20140508102436.GC17344@arm.com> (raw)
In-Reply-To: <1399541860.13268.48.camel@kjgkr>
On Thu, May 08, 2014 at 10:37:40AM +0100, Jaegeuk Kim wrote:
> 2014-05-08 (ea(C)), 10:26 +0100, Catalin Marinas:
> > On Thu, May 08, 2014 at 06:16:51PM +0900, Jaegeuk Kim wrote:
> > > 2014-05-07 (i??), 12:39 +0100, Catalin Marinas:
> > > > On Wed, May 07, 2014 at 03:58:08AM +0100, Jaegeuk Kim wrote:
> > > > > unreferenced object 0xffff880004226da0 (size 576):
> > > > > comm "fsstress", pid 14590, jiffies 4295191259 (age 706.308s)
> > > > > hex dump (first 32 bytes):
> > > > > 01 00 00 00 81 ff ff ff 00 00 00 00 00 00 00 00 ................
> > > > > 50 89 34 81 ff ff ff ff b8 6d 22 04 00 88 ff ff P.4......m".....
> > > > > backtrace:
> > > > > [<ffffffff816c02e8>] kmemleak_update_trace+0x58/0x80
> > > > > [<ffffffff81349517>] radix_tree_node_alloc+0x77/0xa0
> > > > > [<ffffffff81349718>] __radix_tree_create+0x1d8/0x230
> > > > > [<ffffffff8113286c>] __add_to_page_cache_locked+0x9c/0x1b0
> > > > > [<ffffffff811329a8>] add_to_page_cache_lru+0x28/0x80
> > > > > [<ffffffff81132f58>] grab_cache_page_write_begin+0x98/0xf0
> > > > > [<ffffffffa02e4bf4>] f2fs_write_begin+0xb4/0x3c0 [f2fs]
> > > > > [<ffffffff81131b77>] generic_perform_write+0xc7/0x1c0
> > > > > [<ffffffff81133b7d>] __generic_file_aio_write+0x1cd/0x3f0
> > > > > [<ffffffff81133dfe>] generic_file_aio_write+0x5e/0xe0
> > > > > [<ffffffff81195c5a>] do_sync_write+0x5a/0x90
> > > > > [<ffffffff811968d2>] vfs_write+0xc2/0x1d0
> > > > > [<ffffffff81196daf>] SyS_write+0x4f/0xb0
> > > > > [<ffffffff816dead2>] system_call_fastpath+0x16/0x1b
> > > > > [<ffffffffffffffff>] 0xffffffffffffffff
> > > >
> > > > OK, it shows that the allocation happens via add_to_page_cache_locked()
> > > > and I guess it's page_cache_tree_insert() which calls
> > > > __radix_tree_create() (the latter reusing the preloaded node). I'm not
> > > > familiar enough to this code (radix-tree.c and filemap.c) to tell where
> > > > the node should have been freed, who keeps track of it.
> > > >
> > > > At a quick look at the hex dump (assuming that the above leak is struct
> > > > radix_tree_node):
> > > >
> > > > .path = 1
> > > > .count = -0x7f (or 0xffffff81 as unsigned int)
> > > > union {
> > > > {
> > > > .parent = NULL
> > > > .private_data = 0xffffffff81348950
> > > > }
> > > > {
> > > > .rcu_head.next = NULL
> > > > .rcu_head.func = 0xffffffff81348950
> > > > }
> > > > }
> > > >
> > > > The count is a bit suspicious.
> > > >
> > > > From the union, it looks most likely like rcu_head information. Is
> > > > radix_tree_node_rcu_free() function at the above rcu_head.func?
> >
> > Thanks for the config. Could you please confirm that 0xffffffff81348950
> > address corresponds to the radix_tree_node_rcu_free() function in your
> > System.map (or something else)?
>
> Yap, the address is matched to radix_tree_node_rcu_free().
Cc'ing Paul as well, not that I blame RCU ;), but maybe he could shed
some light on why kmemleak can't track this object.
My summary so far:
- radix_tree_node reported by kmemleak as it cannot find any trace of it
when scanning the memory
- at allocation time, radix_tree_node is memzero'ed by
radix_tree_node_ctor(). Given that node->rcu_head.func ==
radix_tree_node_rcu_free, my guess is that radix_tree_node_free() has
been called
- some time later, kmemleak still hasn't received any callback for
kmem_cache_free(node). Possibly radix_tree_node_rcu_free() hasn't been
called either since node->count is not NULL.
For RCU queued objects, kmemleak should still track references to them
via rcu_sched_state and rcu_head members. But even if this went wrong, I
would expect the object to be freed eventually and kmemleak notified (so
just a temporary leak report which doesn't seem to be the case here).
I still cannot explain the node->count value above and how it can get
there (too many node->count--?). Maybe Johannes could shed some light.
Thanks.
--
Catalin
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Jaegeuk Kim <jaegeuk.kim@samsung.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>,
"Linux Kernel, Mailing List" <linux-kernel@vger.kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Subject: Re: [BUG] kmemleak on __radix_tree_preload
Date: Thu, 8 May 2014 11:24:36 +0100 [thread overview]
Message-ID: <20140508102436.GC17344@arm.com> (raw)
In-Reply-To: <1399541860.13268.48.camel@kjgkr>
On Thu, May 08, 2014 at 10:37:40AM +0100, Jaegeuk Kim wrote:
> 2014-05-08 (목), 10:26 +0100, Catalin Marinas:
> > On Thu, May 08, 2014 at 06:16:51PM +0900, Jaegeuk Kim wrote:
> > > 2014-05-07 (수), 12:39 +0100, Catalin Marinas:
> > > > On Wed, May 07, 2014 at 03:58:08AM +0100, Jaegeuk Kim wrote:
> > > > > unreferenced object 0xffff880004226da0 (size 576):
> > > > > comm "fsstress", pid 14590, jiffies 4295191259 (age 706.308s)
> > > > > hex dump (first 32 bytes):
> > > > > 01 00 00 00 81 ff ff ff 00 00 00 00 00 00 00 00 ................
> > > > > 50 89 34 81 ff ff ff ff b8 6d 22 04 00 88 ff ff P.4......m".....
> > > > > backtrace:
> > > > > [<ffffffff816c02e8>] kmemleak_update_trace+0x58/0x80
> > > > > [<ffffffff81349517>] radix_tree_node_alloc+0x77/0xa0
> > > > > [<ffffffff81349718>] __radix_tree_create+0x1d8/0x230
> > > > > [<ffffffff8113286c>] __add_to_page_cache_locked+0x9c/0x1b0
> > > > > [<ffffffff811329a8>] add_to_page_cache_lru+0x28/0x80
> > > > > [<ffffffff81132f58>] grab_cache_page_write_begin+0x98/0xf0
> > > > > [<ffffffffa02e4bf4>] f2fs_write_begin+0xb4/0x3c0 [f2fs]
> > > > > [<ffffffff81131b77>] generic_perform_write+0xc7/0x1c0
> > > > > [<ffffffff81133b7d>] __generic_file_aio_write+0x1cd/0x3f0
> > > > > [<ffffffff81133dfe>] generic_file_aio_write+0x5e/0xe0
> > > > > [<ffffffff81195c5a>] do_sync_write+0x5a/0x90
> > > > > [<ffffffff811968d2>] vfs_write+0xc2/0x1d0
> > > > > [<ffffffff81196daf>] SyS_write+0x4f/0xb0
> > > > > [<ffffffff816dead2>] system_call_fastpath+0x16/0x1b
> > > > > [<ffffffffffffffff>] 0xffffffffffffffff
> > > >
> > > > OK, it shows that the allocation happens via add_to_page_cache_locked()
> > > > and I guess it's page_cache_tree_insert() which calls
> > > > __radix_tree_create() (the latter reusing the preloaded node). I'm not
> > > > familiar enough to this code (radix-tree.c and filemap.c) to tell where
> > > > the node should have been freed, who keeps track of it.
> > > >
> > > > At a quick look at the hex dump (assuming that the above leak is struct
> > > > radix_tree_node):
> > > >
> > > > .path = 1
> > > > .count = -0x7f (or 0xffffff81 as unsigned int)
> > > > union {
> > > > {
> > > > .parent = NULL
> > > > .private_data = 0xffffffff81348950
> > > > }
> > > > {
> > > > .rcu_head.next = NULL
> > > > .rcu_head.func = 0xffffffff81348950
> > > > }
> > > > }
> > > >
> > > > The count is a bit suspicious.
> > > >
> > > > From the union, it looks most likely like rcu_head information. Is
> > > > radix_tree_node_rcu_free() function at the above rcu_head.func?
> >
> > Thanks for the config. Could you please confirm that 0xffffffff81348950
> > address corresponds to the radix_tree_node_rcu_free() function in your
> > System.map (or something else)?
>
> Yap, the address is matched to radix_tree_node_rcu_free().
Cc'ing Paul as well, not that I blame RCU ;), but maybe he could shed
some light on why kmemleak can't track this object.
My summary so far:
- radix_tree_node reported by kmemleak as it cannot find any trace of it
when scanning the memory
- at allocation time, radix_tree_node is memzero'ed by
radix_tree_node_ctor(). Given that node->rcu_head.func ==
radix_tree_node_rcu_free, my guess is that radix_tree_node_free() has
been called
- some time later, kmemleak still hasn't received any callback for
kmem_cache_free(node). Possibly radix_tree_node_rcu_free() hasn't been
called either since node->count is not NULL.
For RCU queued objects, kmemleak should still track references to them
via rcu_sched_state and rcu_head members. But even if this went wrong, I
would expect the object to be freed eventually and kmemleak notified (so
just a temporary leak report which doesn't seem to be the case here).
I still cannot explain the node->count value above and how it can get
there (too many node->count--?). Maybe Johannes could shed some light.
Thanks.
--
Catalin
next prev parent reply other threads:[~2014-05-08 10:25 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-25 1:45 [BUG] kmemleak on __radix_tree_preload Jaegeuk Kim
2014-04-25 1:45 ` Jaegeuk Kim
2014-05-01 17:06 ` Catalin Marinas
2014-05-01 17:06 ` Catalin Marinas
2014-05-01 18:41 ` Johannes Weiner
2014-05-01 18:41 ` Johannes Weiner
2014-05-07 2:58 ` Jaegeuk Kim
2014-05-07 2:58 ` Jaegeuk Kim
2014-05-07 11:39 ` Catalin Marinas
2014-05-07 11:39 ` Catalin Marinas
2014-05-08 9:16 ` Jaegeuk Kim
2014-05-08 9:16 ` Jaegeuk Kim
2014-05-08 9:26 ` Catalin Marinas
2014-05-08 9:26 ` Catalin Marinas
2014-05-08 9:37 ` Jaegeuk Kim
2014-05-08 9:37 ` Jaegeuk Kim
2014-05-08 10:24 ` Catalin Marinas [this message]
2014-05-08 10:24 ` Catalin Marinas
2014-05-08 15:00 ` Paul E. McKenney
2014-05-08 15:00 ` Paul E. McKenney
2014-05-08 15:29 ` Catalin Marinas
2014-05-08 15:29 ` Catalin Marinas
2014-05-08 15:53 ` Paul E. McKenney
2014-05-08 15:53 ` Paul E. McKenney
2014-05-08 16:52 ` Catalin Marinas
2014-05-08 16:52 ` Catalin Marinas
2014-05-09 0:06 ` Jaegeuk Kim
2014-05-09 0:06 ` Jaegeuk Kim
2014-05-08 17:52 ` Johannes Weiner
2014-05-08 17:52 ` Johannes Weiner
2014-05-08 21:40 ` Catalin Marinas
2014-05-08 21:40 ` Catalin Marinas
2014-05-09 0:01 ` Jaegeuk Kim
2014-05-09 0:01 ` Jaegeuk Kim
2014-05-09 9:45 ` Catalin Marinas
2014-05-09 9:45 ` Catalin Marinas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140508102436.GC17344@arm.com \
--to=catalin.marinas@arm.com \
--cc=hannes@cmpxchg.org \
--cc=jaegeuk.kim@samsung.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=paulmck@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.