Bug#850718: linux-image-3.2.0-4-amd64: IPv6 routing/neighbor table suspected memory leak

To: ton wittenberg <ton_wittenberg@hotmail.com>, 850718@bugs.debian.org
Subject: Bug#850718: linux-image-3.2.0-4-amd64: IPv6 routing/neighbor table suspected memory leak
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 09 Jan 2017 16:36:35 +0000
Message-id: <[🔎] 1483979795.3983.137.camel@decadent.org.uk>
Reply-to: Ben Hutchings <ben@decadent.org.uk>, 850718@bugs.debian.org
In-reply-to: <[🔎] 20170109155043.9398.65393.reportbug@NL1-WEB213-20>
References: <[🔎] 20170109155043.9398.65393.reportbug@NL1-WEB213-20>

Control: retitle -1 /proc/net/ipv6_route unreadable when number of routes is large
Control: tag -1 fixed-upstream patch moreinfo

As previously discussed on IRC, this is going to cover the issue of
/proc/net/ipv6_route becoming unreadable ('Out of memory' error).  No
memory leak has been identified.  The problem is that the kernel buffer
for this file is allocated in a way that doesn't work reliably when it
gets large.

There is a specific fix for this file (commit 8d2ca1d7b5c3 "ipv6: avoid
high order memory allocations for /proc/net/ipv6_route") but it's
relatively large and complicated.

I'd prefer to apply the more general fixes for virtual files like this,
so please can you test the attached patches?  You can find instructions
for this at:
https://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official

Ben.

-- 
Ben Hutchings
In a hierarchy, every employee tends to rise to his level of
incompetence.

From: Al Viro <viro@ZenIV.linux.org.uk>
Date: Tue, 19 Nov 2013 01:20:43 +0000
Subject: seq_file: always clear m->count when we free m->buf
Origin: https://git.kernel.org/linus/801a76050bcf8d4e500eb8d048ff6265f37a61c8
Bug-Debian: https://bugs.debian.org/850718

Once we'd freed m->buf, m->count should become zero - we have no valid
contents reachable via m->buf.

Reported-by: Charley (Hao Chuan) Chu <charley.chu@broadcom.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 fs/seq_file.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/seq_file.c b/fs/seq_file.c
index 1cd2388ca5bd..1d641bb108d2 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -116,6 +116,7 @@ static int traverse(struct seq_file *m, loff_t offset)
 Eoverflow:
 	m->op->stop(m, p);
 	kfree(m->buf);
+	m->count = 0;
 	m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
 	return !m->buf ? -ENOMEM : -EAGAIN;
 }
@@ -212,10 +213,10 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
 			goto Fill;
 		m->op->stop(m, p);
 		kfree(m->buf);
+		m->count = 0;
 		m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
 		if (!m->buf)
 			goto Enomem;
-		m->count = 0;
 		m->version = 0;
 		pos = m->index;
 		p = m->op->start(m, &pos);

From: Heiko Carstens <heiko.carstens@de.ibm.com>
Date: Wed, 2 Jul 2014 15:22:37 -0700
Subject: fs/seq_file: fallback to vmalloc allocation
Origin: https://git.kernel.org/linus/058504edd02667eef8fac9be27ab3ea74332e9b4
Bug-Debian: https://bugs.debian.org/850718

There are a couple of seq_files which use the single_open() interface.
This interface requires that the whole output must fit into a single
buffer.

E.g.  for /proc/stat allocation failures have been observed because an
order-4 memory allocation failed due to memory fragmentation.  In such
situations reading /proc/stat is not possible anymore.

Therefore change the seq_file code to fallback to vmalloc allocations
which will usually result in a couple of order-0 allocations and hence
also work if memory is fragmented.

For reference a call trace where reading from /proc/stat failed:

  sadc: page allocation failure: order:4, mode:0x1040d0
  CPU: 1 PID: 192063 Comm: sadc Not tainted 3.10.0-123.el7.s390x #1
  [...]
  Call Trace:
    show_stack+0x6c/0xe8
    warn_alloc_failed+0xd6/0x138
    __alloc_pages_nodemask+0x9da/0xb68
    __get_free_pages+0x2e/0x58
    kmalloc_order_trace+0x44/0xc0
    stat_open+0x5a/0xd8
    proc_reg_open+0x8a/0x140
    do_dentry_open+0x1bc/0x2c8
    finish_open+0x46/0x60
    do_last+0x382/0x10d0
    path_openat+0xc8/0x4f8
    do_filp_open+0x46/0xa8
    do_sys_open+0x114/0x1f0
    sysc_tracego+0x14/0x1a

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Tested-by: David Rientjes <rientjes@google.com>
Cc: Ian Kent <raven@themaw.net>
Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Cc: Thorsten Diehl <thorsten.diehl@de.ibm.com>
Cc: Andrea Righi <andrea@betterlinux.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Stefan Bader <stefan.bader@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.2:
 - Drop changes to seq_open_size()
 - Adjust context]
---
 fs/seq_file.c | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/fs/seq_file.c b/fs/seq_file.c
index 1d641bb108d2..3857b720cb1b 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -8,11 +8,23 @@
 #include <linux/fs.h>
 #include <linux/module.h>
 #include <linux/seq_file.h>
+#include <linux/vmalloc.h>
 #include <linux/slab.h>
+#include <linux/mm.h>
 
 #include <asm/uaccess.h>
 #include <asm/page.h>
 
+static void *seq_buf_alloc(unsigned long size)
+{
+	void *buf;
+
+	buf = kmalloc(size, GFP_KERNEL | __GFP_NOWARN);
+	if (!buf && size > PAGE_SIZE)
+		buf = vmalloc(size);
+	return buf;
+}
+
 /**
  *	seq_open -	initialize sequential file
  *	@file: file we initialize
@@ -76,7 +88,7 @@ static int traverse(struct seq_file *m, loff_t offset)
 		return 0;
 	}
 	if (!m->buf) {
-		m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
+		m->buf = seq_buf_alloc(m->size = PAGE_SIZE);
 		if (!m->buf)
 			return -ENOMEM;
 	}
@@ -115,9 +127,9 @@ static int traverse(struct seq_file *m, loff_t offset)
 
 Eoverflow:
 	m->op->stop(m, p);
-	kfree(m->buf);
+	kvfree(m->buf);
 	m->count = 0;
-	m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
+	m->buf = seq_buf_alloc(m->size <<= 1);
 	return !m->buf ? -ENOMEM : -EAGAIN;
 }
 
@@ -170,7 +182,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
 	m->version = file->f_version;
 	/* grab buffer if we didn't have one */
 	if (!m->buf) {
-		m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
+		m->buf = seq_buf_alloc(m->size = PAGE_SIZE);
 		if (!m->buf)
 			goto Enomem;
 	}
@@ -212,9 +224,9 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
 		if (m->count < m->size)
 			goto Fill;
 		m->op->stop(m, p);
-		kfree(m->buf);
+		kvfree(m->buf);
 		m->count = 0;
-		m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
+		m->buf = seq_buf_alloc(m->size <<= 1);
 		if (!m->buf)
 			goto Enomem;
 		m->version = 0;
@@ -328,7 +340,7 @@ EXPORT_SYMBOL(seq_lseek);
 int seq_release(struct inode *inode, struct file *file)
 {
 	struct seq_file *m = file->private_data;
-	kfree(m->buf);
+	kvfree(m->buf);
 	kfree(m);
 	return 0;
 }

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Bug#850718: linux-image-3.2.0-4-amd64: IPv6 routing/neighbor table suspected memory leak
  - From: Ben Hutchings <ben@decadent.org.uk>

References:
- Bug#850718: (no subject)
  - From: ton wittenberg <ton_wittenberg@hotmail.com>

Prev by Date: Bug#850713: linux-image-4.8.0-0.bpo.2-amd64: can't mount NFS shares via nfs referrals
Next by Date: Processed: Bug#850718: linux-image-3.2.0-4-amd64: IPv6 routing/neighbor table suspected memory leak
Previous by thread: Bug#850718: (no subject)
Next by thread: Bug#850718: linux-image-3.2.0-4-amd64: IPv6 routing/neighbor table suspected memory leak
Index(es):
- Date
- Thread