From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 278569] DMA bounce pages are not freed when DMA tag is destroyed
Date: Wed, 24 Apr 2024 15:39:02 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278569

            Bug ID: 278569
           Summary: DMA bounce pages are not freed when DMA tag is destroyed
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: dgorecki@sii.pl

Created attachment 250209
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=250209&action=edit
Kernel module reproducing the issue

The bounce pages for allocated DMA maps are never freed properly and leak when
destroying DMA tags.

The kernel sometimes needs to allocate bounce pages for DMA maps. When unloading
the DMA maps with bounce pages, those bounce pages are returned to the pool
associated with the DMA tag for later reuse when new maps are being loaded. The
kernel should free the pages when destroying the DMA tag, but this never
happens.

The issue is quite easy to reproduce by creating a kernel module, in which a
DMA tag is created and mapping the memory that does not meet the alignment
restrictions set in the DMA tag. After this the map should be unloaded and the
DMA tag destroyed. Doing this in a loop should soon crash the system.

The code allocating bounce pages can be seen in [1]. When grepping the source, I
can see that this is the only place where malloc with M_BOUNCE is called, but
there is no corresponding free anywhere.

I'm attaching a kernel module source for easy reproduction of the issue. The
module creates a DMA tag which requires 64 alignment, allocates memory aligned
to 64 bytes and then immediately moves the pointer by 4 bytes to misalign it
and loads the DMA map with the misaligned pointer. This forces the bounce page
to be created. Everything, including the DMA tag, is then cleaned up. This
allocation/deallocation loop happens every second. When the module is loaded,
calling `vmstat -m | grep bounce` should show that M_BOUNCE malloc usage is
rising, even though everything should be freed properly. Additionally, one can
observe the bounce page malloc by using dtrace with the one-liner
`dtrace -n 'dtmalloc::bounce: {}'`. Dtrace should print malloc calls but no
frees will be visible.

I've seen the issue on arm64 and amd64, but it should be present on every
hardware platform.

[1] https://cgit.freebsd.org/src/tree/sys/kern/subr_busdma_bounce.c#n293
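
Added example (not part of the bug report or its attached module): a Python check that automates the `vmstat -m | grep bounce` observation described above by deriving the number of frees from the InUse and Requests columns across several snapshots. The snapshots are constructed, and the column layout (Type, InUse, MemUse, Requests, Size(s)) is an assumption about the `vmstat -m` output on the system under test.

```python
import re

# Constructed `vmstat -m` snapshots, one per reproducer iteration. The column
# layout (Type InUse MemUse Requests Size(s)) is an assumption about the output.
HEADER = "         Type InUse MemUse Requests  Size(s)\n"
LEAKING = [HEADER + "       busdma    20     3K       40  64,128\n"
           + f"       bounce {n:5d} {4 * n:5d}K {n:8d}  32,4096\n"
           for n in (4, 8, 12)]
HEALTHY = [HEADER + f"       bounce     4    16K {n:8d}  32,4096\n"
           for n in (4, 8, 12)]

# Type names may contain spaces, so match the name lazily up to the numbers.
ROW = re.compile(r"^\s*(?P<type>\S.*?)\s+(?P<inuse>\d+)\s+"
                 r"(?P<memuse>\d+)K\s+(?P<requests>\d+)")


def parse_row(snapshot, malloc_type):
    """Return (inuse, memuse_kib, requests) for one malloc type, or None."""
    for line in snapshot.splitlines():
        m = ROW.match(line)
        if m and m.group("type") == malloc_type:
            return int(m["inuse"]), int(m["memuse"]), int(m["requests"])
    return None


def summarize(snapshots, malloc_type="bounce"):
    """Compare the first and last snapshot and flag alloc-without-free growth."""
    rows = [r for r in (parse_row(s, malloc_type) for s in snapshots) if r]
    if len(rows) < 2:
        return None  # at least two samples are needed to compute a delta
    first, last = rows[0], rows[-1]
    allocs = last[2] - first[2]            # Requests counts allocations
    frees = allocs - (last[0] - first[0])  # InUse = allocations - frees
    never_shrinks = all(b[0] >= a[0] for a, b in zip(rows, rows[1:]))
    return {"allocs": allocs, "frees": frees, "grew_kib": last[1] - first[1],
            "leak_suspected": allocs > 0 and frees == 0 and never_shrinks}


if __name__ == "__main__":
    print("leaking:", summarize(LEAKING))
    print("healthy:", summarize(HEALTHY))
```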