Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3540570pxj; Tue, 15 Jun 2021 03:16:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxmwMScDhfx3peydVG+SD0HozDcobtuONzXB6VGb07R0+trK6wcDC4R6NDW9dYy1uItHLtL X-Received: by 2002:a02:8807:: with SMTP id r7mr21313792jai.12.1623752171546; Tue, 15 Jun 2021 03:16:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623752171; cv=none; d=google.com; s=arc-20160816; b=QVmL9S571Em/vFWWcUivru6SP8oqgrRD0uOuxP42eiz2ff5QZqu4U/KKz2uanXxL0B tY9tF67oyzgutn8jpomej9VqjMdxsZ70x+s7aqHSDlVV17sJ4yhnpzu1JdM7Um7INjKd iSbmo0K8ac4uvbm5Mg4oSDTUqtVI9DumRFoDIBGDlboGOv6AXc08Z/ngPuw0yl1dxI2Y E48K8VX9Z9xEGpEhAg8+9xNXX+KyZWSFhX+c/bkaPwtDz5liL3EWvx46UzknHUpicaJJ OKBBFq0OIpPelUOU3qV+BuovMc5jKpaegslD+9vlQcMfC+Sm3oxl4gFdjwfObF+ROhHK jbSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=hGBYdiahzf5+ulYu1R9PsZncCVKVAo9lVYBazkWeBfc=; b=EW3gvnM2Tgm3YzJiFD96HK93pP/L5R2NHVUduEvoMtdWYtYG2m9kznp2b6DMvSoVsb pRqxzO82DYmNm/3SuhN1k7b/XstEpmGsQafez2zZ3RSKO7aqWrgxJfdCa5KIZ4C3waua 97yAQgQHqEuPILhePFs1nTXTFihn6iY0DY4xpQSp7V5W3BLH4Q3LImOh2eSBW6tZmT3G 4/1C/Nn8ursY7WtsO2JnyBx+TBs55ZZEBMk/tIRzlDZhrzE4V7jRiFikd8n7VAKTBlGX 3Gl5pIzO2q0o5QXviQWwptjkpCNWvoAGwkg53WIw83iRtAM41cXY8ODy9tDAXPO/GiNo +0dw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m12si18563943ild.137.2021.06.15.03.15.59; Tue, 15 Jun 2021 03:16:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231403AbhFOKRY (ORCPT + 99 others); Tue, 15 Jun 2021 06:17:24 -0400 Received: from mail.kernel.org ([198.145.29.99]:36224 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231289AbhFOKRX (ORCPT ); Tue, 15 Jun 2021 06:17:23 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 51BB861443; Tue, 15 Jun 2021 10:15:18 +0000 (UTC) Date: Tue, 15 Jun 2021 11:15:15 +0100 From: Catalin Marinas To: Rustam Kovhaev Cc: Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, dvyukov@google.com, gregkh@linuxfoundation.org Subject: Re: kmemleak memory scanning Message-ID: <20210615101515.GC26027@arm.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Rustam, On Mon, Jun 14, 2021 at 01:31:14PM -0700, Rustam Kovhaev wrote: > a) kmemleak scans struct page (kmemleak.c:1462), but it does not scan > the actual contents (page_address(page)) of the page. > if we allocate an object with kmalloc(), then allocate page with > alloc_page(), and if we put kmalloc pointer somewhere inside that page, > kmemleak will report kmalloc pointer as a false positive. > should we improve kmemleak and make it scan page contents? > or will this bring too many false negatives? This is indeed on purpose otherwise (1) we'd get a lot of false negatives and (2) the scanning would take significantly longer. There are a lot more pages allocated for user processes than used in the kernel, we don't need to scan them all. We do have a few places where we explicitly call kmemleak_alloc(): neigh_hash_alloc(), alloc_page_ext(), blk_mq_alloc_rqs(), early_amd_iommu_init(). > b) when kmemleak object gets created (kmemleak.c:598) it gets checksum > of 0, by the time user requests kmemleak "scan" via debugfs the pointer > will be most likely changed to some value by the kernel and during > first scan kmemleak won't report the object as orphan even if it did not > find any reference to it, because it will execute update_checksum() and > after that will proceed to updating object->count (kmemleak.c:1502). > and so the user will have to initiate a second "scan" via debugfs and > only then kmemleak will produce the report. > should we document this? That's a mitigation against false positives. Lot's of objects that get allocated just prior to a memory scan have a tendency to be reported as leaks before they get referenced via e.g. a list (and the in-object list_head structure updated). So you'd need to get the checksum identical in two consecutive scans to report it as a leak. We should probably document this. -- Catalin