From: Russell King <rmk+lkml@arm.linux.org.uk>
To: "David S. Miller" <davem@davemloft.net>,
Robert.Olsson@data.slu.se, akpm@osdl.org, torvalds@osdl.org,
alexn@dsv.su.se, kas@fi.muni.cz, linux-kernel@vger.kernel.org,
netdev@oss.sgi.com
Subject: Re: Memory leak in 2.6.11-rc1?
Date: Sun, 30 Jan 2005 13:23:43 +0000 [thread overview]
Message-ID: <20050130132343.A25000@flint.arm.linux.org.uk> (raw)
In-Reply-To: <20050128085858.B9486@flint.arm.linux.org.uk>; from rmk+lkml@arm.linux.org.uk on Fri, Jan 28, 2005 at 08:58:59AM +0000
On Fri, Jan 28, 2005 at 08:58:59AM +0000, Russell King wrote:
> On Thu, Jan 27, 2005 at 04:34:44PM -0800, David S. Miller wrote:
> > On Fri, 28 Jan 2005 00:17:01 +0000
> > Russell King <rmk+lkml@arm.linux.org.uk> wrote:
> > > Yes. Someone suggested this evening that there may have been a recent
> > > change to do with some IPv6 refcounting which may have caused this
> > > problem. Is that something you can confirm?
> >
> > Yep, it would be this change below. Try backing it out and see
> > if that makes your leak go away.
>
> Thanks. I'll try it, but:
>
> 1. Looking at the date of the change it seems unlikely. The recent
> death occurred with 2.6.10-rc2, booted on 29th November and dying
> on 19th January, which obviously predates this cset.
> 2. It'll take a couple of days to confirm the behaviour of the dst cache.
I have another question whether ip6_output.c is the problem - the leak
is with ip_dst_cache (== IPv4). If the problem were ip6_output, wouldn't
we see ip6_dst_cache leaking instead?
Anyway, I've produced some code which keeps a record of the __refcnt
increments and decrements, and I think it's produced some interesting
results. Essentially, I'm seeing the odd dst entry with a __refcnt of
14000 or so (which is still in active use, so probably ok), and a number
with 4, 7, and 13 which haven't had the refcount touched for at least 14
minutes.
One of these were created via ip_route_input_slow(), the other three via
ip_route_output_slow(). That isn't significant on its own.
However, whenever ip_copy_metadata() appears in the refcount log, I see
half the number of increments due to that still remaining to be
decremented (see the output below). 0 = "mark", positive numbers =
increment refcnt this many times, negative numbers = decrement refcnt
this many times.
I don't know if the code is using fragment lists in ip_fragment(), but
on reading the code a question comes to mind: if we have a list of
fragments, does each fragment skb have a valid (and refcounted) dst
pointer before ip_fragment() does it's job? If yes, then isn't the
first ip_copy_metadata() in ip_fragment() going to overwrite this
pointer without dropping the refcount?
All that said, it's probably far too early to read much into these
results - once the machine has been running for more than 19 minutes
and has a significant number of "stuck" dst cache entries, I think
it'll be far more conclusive. Nevertheless, it looks like food for
thought.
dst pointer: creation time (200Hz jiffies) last reference time (200Hz jiffies)
c1c66260: ffff6c79 ffff879d:
location count function
c01054f4 0 dst_alloc
c0114a80 1 ip_route_input_slow
c00fa95c -18 __kfree_skb
c0115104 13 ip_route_input
c011ae1c 8 ip_copy_metadata
c01055ac 0 __dst_free
untracked counts
: 0
total
= 4
next=c1c66b60 refcnt=00000004 use=0000000d dst=24f45cc3 src=0f00a8c0
c1c66b60: ffff20fe ffff5066:
c01054f4 0 dst_alloc
c01156e8 1 ip_route_output_slow
c011b854 6813 ip_append_data
c011c7e0 6813 ip_push_pending_frames
c00fa95c -6826 __kfree_skb
c011c8fc -6813 ip_push_pending_frames
c0139dbc -6813 udp_sendmsg
c0115a0c 6814 __ip_route_output_key
c013764c -2 ip4_datagram_connect
c011ae1c 26 ip_copy_metadata
c01055ac 0 __dst_free
: 0
= 13
next=c1c57680 refcnt=0000000d use=00001a9e dst=bbe812d4 src=bae812d4
c1c66960: ffff89ac ffffa42d:
c01054f4 0 dst_alloc
c01156e8 1 ip_route_output_slow
c011b854 3028 ip_append_data
c0139dbc -3028 udp_sendmsg
c011c7e0 3028 ip_push_pending_frames
c011ae1c 8 ip_copy_metadata
c00fa95c -3032 __kfree_skb
c011c8fc -3028 ip_push_pending_frames
c0115a0c 3027 __ip_route_output_key
c01055ac 0 __dst_free
: 0
= 4
next=c16d1080 refcnt=00000004 use=00000bd3 dst=bbe812d4 src=bae812d4
c16d1080: ffff879b ffff89af:
c01054f4 0 dst_alloc
c01156e8 1 ip_route_output_slow
c011b854 240 ip_append_data
c011c7e0 240 ip_push_pending_frames
c00fa95c -247 __kfree_skb
c011c8fc -240 ip_push_pending_frames
c0139dbc -240 udp_sendmsg
c0115a0c 239 __ip_route_output_key
c011ae1c 14 ip_copy_metadata
c01055ac 0 __dst_free
: 0
= 7
next=c1c66260 refcnt=00000007 use=000000ef dst=bbe812d4 src=bae812d4
--
Russell King
Linux kernel 2.6 ARM Linux - http://www.arm.linux.org.uk/
maintainer of: 2.6 PCMCIA - http://pcmcia.arm.linux.org.uk/
2.6 Serial core
next prev parent reply other threads:[~2005-01-30 13:23 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20050121161959.GO3922@fi.muni.cz>
[not found] ` <1106360639.15804.1.camel@boxen>
[not found] ` <20050123091154.GC16648@suse.de>
[not found] ` <20050123011918.295db8e8.akpm@osdl.org>
[not found] ` <20050123095608.GD16648@suse.de>
[not found] ` <20050123023248.263daca9.akpm@osdl.org>
2005-01-23 20:03 ` Memory leak in 2.6.11-rc1? Russell King
2005-01-24 11:48 ` Russell King
2005-01-25 19:32 ` Russell King
2005-01-27 8:28 ` Russell King
2005-01-27 8:47 ` Andrew Morton
2005-01-27 10:19 ` Alessandro Suardi
2005-01-27 12:17 ` Martin Josefsson
2005-01-27 12:56 ` Robert Olsson
2005-01-27 13:03 ` Robert Olsson
2005-01-27 16:49 ` Russell King
2005-01-27 18:37 ` Phil Oester
2005-01-27 19:25 ` Russell King
2005-01-27 20:40 ` Phil Oester
2005-01-28 9:32 ` Russell King
2005-01-27 20:33 ` David S. Miller
2005-01-28 0:17 ` Russell King
2005-01-28 0:34 ` David S. Miller
2005-01-28 8:58 ` Russell King
2005-01-30 13:23 ` Russell King [this message]
2005-01-30 15:34 ` Russell King
2005-01-30 16:57 ` Phil Oester
2005-01-30 17:23 ` Patrick McHardy
2005-01-30 17:26 ` Patrick McHardy
2005-01-30 17:58 ` Patrick McHardy
2005-01-30 18:45 ` Russell King
2005-01-31 2:48 ` David S. Miller
2005-01-31 4:11 ` Herbert Xu
2005-01-31 4:45 ` YOSHIFUJI Hideaki / 吉藤英明
2005-01-31 5:00 ` Patrick McHardy
2005-01-31 5:11 ` David S. Miller
2005-01-31 5:40 ` Herbert Xu
2005-01-31 5:16 ` YOSHIFUJI Hideaki / 吉藤英明
2005-01-31 5:42 ` Yasuyuki KOZAKAI
2005-01-30 18:01 ` Russell King
2005-01-30 18:19 ` Phil Oester
2005-01-28 1:41 ` Phil Oester
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050130132343.A25000@flint.arm.linux.org.uk \
--to=rmk+lkml@arm.linux.org.uk \
--cc=Robert.Olsson@data.slu.se \
--cc=akpm@osdl.org \
--cc=alexn@dsv.su.se \
--cc=davem@davemloft.net \
--cc=kas@fi.muni.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@oss.sgi.com \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).