From patchwork Fri Mar 29 16:57:15 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Cooper X-Patchwork-Id: 10877587 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0F7B71708 for ; Fri, 29 Mar 2019 16:59:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EAD31289F4 for ; Fri, 29 Mar 2019 16:59:18 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DB4B8289F8; Fri, 29 Mar 2019 16:59:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 7C581289F4 for ; Fri, 29 Mar 2019 16:59:17 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1h9uoo-00052c-HV; Fri, 29 Mar 2019 16:57:26 +0000 Received: from us1-rack-dfw2.inumbo.com ([104.130.134.6]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1h9uon-00052T-Eq for xen-devel@lists.xen.org; Fri, 29 Mar 2019 16:57:25 +0000 X-Inumbo-ID: b94f9fd9-5243-11e9-bc90-bc764e045a96 Received: from SMTP03.CITRIX.COM (unknown [162.221.156.55]) by us1-rack-dfw2.inumbo.com (Halon) with ESMTPS id b94f9fd9-5243-11e9-bc90-bc764e045a96; Fri, 29 Mar 2019 16:57:23 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.60,285,1549929600"; d="scan'208";a="82234948" From: Andrew Cooper To: Xen-devel Date: Fri, 29 Mar 2019 16:57:15 +0000 Message-ID: <1553878635-11959-1-git-send-email-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.1.4 MIME-Version: 1.0 Subject: [Xen-devel] [PATCH] xen/timers: Fix memory leak with cpu hot unplug X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Stefano Stabellini , Wei Liu , Konrad Rzeszutek Wilk , George Dunlap , Andrew Cooper , Tim Deegan , Julien Grall , Jan Beulich , Ian Jackson Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" X-Virus-Scanned: ClamAV using ClamSMTP timer_softirq_action() realloc's itself a larger timer heap whenever necessary, which includes bootstrapping from the empty dummy_heap. Nothing ever freed this allocation. CPU hot unplug and plug has the side effect of zeroing the percpu data area, which clears ts->heap. This in turn causes new timers to be put on the list rather than the heap, and for timer_softirq_action() to bootstrap itself again. This in practice leaks ts->heap every time a CPU is hot unplugged and replugged. In the cpu notifier, free the heap after migrating all other timers away. Signed-off-by: Andrew Cooper --- CC: George Dunlap CC: Ian Jackson CC: Jan Beulich CC: Konrad Rzeszutek Wilk CC: Stefano Stabellini CC: Tim Deegan CC: Wei Liu CC: Julien Grall This texturally depends on "xen/timers: Document and improve the representation of the timer heap metadata" which was necessary to understand the problem well enough to fix it, but isn't backporting over this change isn't too complicated (should the cleanup patch not want to be backported). --- xen/common/timer.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xen/common/timer.c b/xen/common/timer.c index 98f2c48..afcb1b0 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -631,6 +631,10 @@ static int cpu_callback( case CPU_UP_CANCELED: case CPU_DEAD: migrate_timers_from_cpu(cpu); + ASSERT(heap_metadata(ts->heap)->size == 0); + if ( heap_metadata(ts->heap)->limit ) + xfree(ts->heap); + ts->heap = dummy_heap; break; default: break;