From: Jay Cornwall <jay@jcornwall.me>
To: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: linux-kernel@vger.kernel.org
Subject: Re: put_page on transparent huge page leaks?
Date: Sat, 22 Feb 2014 11:44:24 -0600 [thread overview]
Message-ID: <2f724688447dc8c8e599ff07fccb9fa4@jcornwall.me> (raw)
In-Reply-To: <20140222023144.GB18046@node.dhcp.inet.fi>
On 2014-02-21 20:31, Kirill A. Shutemov wrote:
> On Fri, Feb 21, 2014 at 11:23:39AM -0600, Jay Cornwall wrote:
>> I'm tracking a possible memory leak in iommu/amd. The driver uses this
>> logic
>> to fault a page in response to a PRI from a device:
>>
>> npages = get_user_pages(fault->state->task, fault->state->mm,
>> fault->address, 1, write, 0, &page, NULL);
>>
>> if (npages == 1)
>> put_page(page);
>> else
>> ...
>>
>> This works correctly when get_user_pages returns a 4KB page. When
>> transparent huge pages are enabled any 2MB page returned by this call
>> appears to leak on process exit. The non-cached memory usage stays
>> elevated
>> by the set of faulted 2MB pages. This behavior is not observed when
>> the
>> exception handler demand faults 2MB pages.
>
> Could you show output of dump_page() on 2M pages for both points?
get_user_pages():
page:ffffea000ffa00c0 count:0 mapcount:1 mapping: (null)
index:0x0
page flags: 0x2fffe0000008000(tail)
// page_count(page)=3 (head page)
put_page():
page:ffffea000ffa00c0 count:0 mapcount:0 mapping: (null)
index:0x0
page flags: 0x2fffe0000008000(tail)
// page_count(page)=3 (head page)
Repeat on the same page.
get_user_pages():
page:ffffea000ffa00c0 count:0 mapcount:1 mapping: (null)
index:0x0
page flags: 0x2fffe0000008000(tail)
// page_count(page)=4 (head page)
put_page():
page:ffffea000ffa00c0 count:0 mapcount:0 mapping: (null)
index:0x0
page flags: 0x2fffe0000008000(tail)
// page_count(page)=4 (head page)
The head page appears to be leaking a reference. There is *no leak* if
the driver faults the head page directly.
> My guess is that your page is PageTail(). Refcounting for tail pages is
> different: on get_page() we increase *->_mapcount* of tail and increase
> ->_count of relevant head page. ->_count of tail pages should always be
> zero, but it's 3 in your case which is odd.
That's correct, this is a tail page. page_count() references the head
page:
static inline int page_count(struct page *page)
{
return atomic_read(&compound_head(page)->_count);
}
> BTW, I don't see where you take mmap_sem in
> drivers/iommu/amd_iommu_v2.c,
> which is required for gup. Do I miss something?
You're right. I have a patch applied on my local branch to fix this.
next prev parent reply other threads:[~2014-02-22 17:44 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-21 17:23 put_page on transparent huge page leaks? Jay Cornwall
2014-02-22 2:31 ` Kirill A. Shutemov
2014-02-22 17:44 ` Jay Cornwall [this message]
2014-02-22 19:31 ` Jay Cornwall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2f724688447dc8c8e599ff07fccb9fa4@jcornwall.me \
--to=jay@jcornwall.me \
--cc=kirill@shutemov.name \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox