Bug 235747 - vmem_bt_alloc() may leak reserved boundary tags
Summary: vmem_bt_alloc() may leak reserved boundary tags
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: powerpc Any
: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-14 17:21 UTC by Mark Johnston
Modified: 2019-02-14 17:25 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Johnston freebsd_committer 2019-02-14 17:21:09 UTC
vmem_bt_alloc() is somewhat magical in that it must use the vmem allocator to allocate boundary tags for the vmem allocator.  It uses a reserve of boundary tags and a global mutex to avoid infinite recursion.  If the reserve somehow gets depleted, vmem_bt_alloc() effectively gets stuck and the system will grind to a halt; jhibbits has observed this happening on a powerpc64 platform.

I think this can happen in the following scenario: vmem_bt_alloc() calls vmem_xalloc() on the per-domain kernel arena and puts some reserved boundary tags into the arena's pool.  The attempt to allocate a KVA range subsequently fails because the per-domain arena has no free ranges and we cannot import from kernel_arena because it is too fragmented to satisfy a KVA_QUANTUM-sized allocation.  So, vmem_xalloc() fails, leaving the reserved boundary tags up for grabs.  Later, even if the per-domain kernel arena can satisfy an allocation for vmem_bt_alloc(), we may not have any boundary tags left to actually perform the allocation, and we're stuck.