On Thu, Apr 18, 2019 at 09:45:10AM +0200, Borislav Petkov wrote: > On Tue, Apr 16, 2019 at 08:38:30PM -0400, Qian Cai wrote: > > kmemleak_init() will register the data/bss sections (only register > > .data..ro_after_init if not within .data) and then kmemleak_scan() will scan > > those address and dereference them looking for pointer referencing. If > > free_init_pages() free and unmap pages in those sections, kmemleak_scan() > > will > > trigger a crash if referencing one of those addresses. > > > > I checked other x86 free_init_pages() call sites and don't see anything > > obvious > > where another place to free an address in those sections. > > And why is .bss/.data special and why does it need that special handling > by kmemleak?
Kmemleak is basically a tri-colour marking tracing garbage collector [1] but without automatic freeing. It relies on a graph of references (pointers) between various objects and the root of such graph is the .bss/.data. free_init_pages() is called on memory regions outside .bss/.data like smp_locks, initrd, kernel init text which kmemleak does not track anyway. That said, kmemleak_free_part() is tolerant to unknown pointers, so we could call it directly from free_init_pages(). > There must be some rule or a heuristic why kmemleak does that. Is that > documented somewhere? There is Documentation/dev-tools/kmemleak.rst briefly mentioning the tracing garbage collector (although the Wikipedia link is no longer valid, it should be replaced with [1]). It doesn't, however, state why .bss/.data are special. -- Catalin [1] https://en.wikipedia.org/wiki/Tracing_garbage_collection#Tri-color_marking