Re: 2.6.23-rc8 network problem. Mem leak? ip1000a?

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: David Miller <davem@davemloft.net>
To: linux@horizon.com
Cc: akpm@linux-foundation.org, netdev@vger.kernel.org, romieu@fr.zoreil.com
Subject: Re: 2.6.23-rc8 network problem. Mem leak? ip1000a?
Date: Mon, 07 Jan 2008 23:14:47 -0800 (PST)	[thread overview]
Message-ID: <20080107.231447.08811264.davem@davemloft.net> (raw)
In-Reply-To: <20080107.230709.216880096.davem@davemloft.net>

From: David Miller <davem@davemloft.net>
Date: Mon, 07 Jan 2008 23:07:09 -0800 (PST)

> From: linux@horizon.com
> Date: 8 Jan 2008 01:52:11 -0500
> 
> > @@ -172,6 +172,10 @@ config IP1000
> >  	select MII
> >  	---help---
> >  	  This driver supports IP1000 gigabit Ethernet cards.
> > +	  It works, but suffers from a memory leak.  Signifcant
> > +	  use will consume unswappable kernel memory until the
> > +	  machine runs out of memory and crashes.  Thus, this
> > +	  driver cannot be considered usable at the the present time.
> 
> This is not how we handle and track bugs.
> 
> Such a patch is inappropriate, and I'd like to ask that you just be
> patient until someone has a chance to try and figure out what the
> problem is.  Or even better, you can try to track down the problem
> yourself since you seem to have a specific interest in this problem.

Actually, the bug is amazingly obvious after a quick scan of this
driver.

ipg_nic_rx_free_skb() is called from various places and is given zero
context to work with.  It assumes that the caller wants
"sp->rx_current % IPG_RFCLIST_LENGTH" to be freed.

But that's not right in most cases.  For example, consider the call in
ipg_nic_rx_with_end().  This function is invoked from ipg_nic_rx()
like so:

	unsigned int curr = sp->rx_current;
 ...
	for (i = 0; i < IPG_MAXRFDPROCESS_COUNT; i++, curr++) {
		unsigned int entry = curr % IPG_RFDLIST_LENGTH;
		struct ipg_rx *rxfd = sp->rxd + entry;

		if (!(rxfd->rfs & le64_to_cpu(IPG_RFS_RFDDONE)))
			break;

		switch (ipg_nic_rx_check_frame_type(dev)) {
 ...
		case Frame_WithEnd:
			ipg_nic_rx_with_end(dev, tp, rxfd, entry);
			break;
 ...
		}
	}

	sp->rx_current = curr;

So sp->rx_current does not correspond to the packet being processed
currently, so ipg_nic_rx_free_skb() will only look at and try to free
only the first packet the above loop tries to processe.

WOW!!!!  Amazing!!!

I invested 30 seconds of code reading to figure out the leak.  A much
better investment of time than adding bogus comments to the Kconfig
help text don't you think? :-)

next prev parent reply	other threads:[~2008-01-08  7:14 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-09-28  2:06 2.6.23-rc8 network problem. Mem leak? ip1000a? linux
2007-09-28  9:20 ` Andrew Morton
2007-09-30  7:59   ` linux
2007-09-30  9:23     ` Andrew Morton
2007-09-30 11:40       ` linux
2008-01-08  6:52       ` linux
2008-01-08  7:07         ` David Miller
2008-01-08  7:14           ` David Miller [this message]
2008-01-08  7:51             ` Francois Romieu
2008-01-08 12:28             ` [PATCH 1/3] drivers/net/ipg.c: Fix skbuff leak linux
2008-01-08 13:19               ` linux
2008-01-08 21:36                 ` Francois Romieu
2008-01-08 23:00                   ` David Miller
2008-01-08 23:28                     ` Francois Romieu
2008-01-09  0:38                   ` linux
2008-01-09  8:39                     ` David Miller
2008-01-09 23:34                       ` Francois Romieu
2008-01-09 23:56                         ` David Miller
2008-01-09 23:30                     ` Francois Romieu
2008-01-10  7:28                       ` ipg.c bugs linux

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080107.231447.08811264.davem@davemloft.net \
    --to=davem@davemloft.net \
    --cc=akpm@linux-foundation.org \
    --cc=linux@horizon.com \
    --cc=netdev@vger.kernel.org \
    --cc=romieu@fr.zoreil.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).