Kernel Memory Leak Detector
===========================

Introduction
------------

Kmemleak provides a way of detecting possible kernel memory leaks in a
way similar to a tracing garbage collector
(http://en.wikipedia.org/wiki/Garbage_collection_%28computer_science%29#Tracing_garbage_collectors),
with the difference that the orphan objects are not freed but only
reported via /sys/kernel/debug/kmemleak. A similar method is used by the
Valgrind tool (memcheck --leak-check) to detect the memory leaks in
user-space applications.

Usage
-----

CONFIG_DEBUG_KMEMLEAK in "Kernel hacking" has to be enabled. A kernel
thread scans the memory every 10 minutes (by default) and prints any new
unreferenced objects found. To trigger an intermediate scan and display
all the possible memory leaks:

  # mount -t debugfs nodev /sys/kernel/debug/
  # cat /sys/kernel/debug/kmemleak

Note that the orphan objects are listed in the order they were allocated
and one object at the beginning of the list may cause other subsequent
objects to be reported as orphan.

Memory scanning parameters can be modified at run-time by writing to the
/sys/kernel/debug/kmemleak file. The following parameters are supported:

  off          - disable kmemleak (irreversible)
  stack=on     - enable the task stacks scanning (default)
  stack=off    - disable the task stacks scanning
  scan=on      - start the automatic memory scanning thread (default)
  scan=off     - stop the automatic memory scanning thread
  scan=<secs>  - set the automatic memory scanning period in seconds
                 (default 600, 0 to stop the automatic scanning)

Kmemleak can also be disabled at boot-time by passing "kmemleak=off" on
the kernel command line.

Memory may be allocated or freed before kmemleak is initialised and
these actions are stored in an early log buffer. The size of this buffer
is configured via the CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE option.

Basic Algorithm
---------------

The memory allocations via kmalloc, vmalloc, kmem_cache_alloc and
friends are traced and the pointers, together with additional
information like size and stack trace, are stored in a prio search tree.
The corresponding freeing function calls are tracked and the pointers
removed from the kmemleak data structures.

An allocated block of memory is considered orphan if no pointer to its
start address or to any location inside the block can be found by
scanning the memory (including saved registers). This means that there
might be no way for the kernel to pass the address of the allocated
block to a freeing function and therefore the block is considered a
memory leak.

The scanning algorithm steps:

  1. mark all objects as white (remaining white objects will later be
     considered orphan)
  2. scan the memory starting with the data section and stacks, checking
     the values against the addresses stored in the prio search tree. If
     a pointer to a white object is found, the object is added to the
     gray list
  3. scan the gray objects for matching addresses (some white objects
     can become gray and added at the end of the gray list) until the
     gray set is finished
  4. the remaining white objects are considered orphan and reported via
     /sys/kernel/debug/kmemleak

Some allocated memory blocks have pointers stored in the kernel's
internal data structures and they cannot be detected as orphans. To
avoid this, kmemleak can also store the number of values pointing to an
address inside the block address range that need to be found so that the
block is not considered a leak. One example is __vmalloc().

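The four scanning steps and the required-reference count described above, as a
user-space C model (an added example, not kmemleak's own code). The struct
layout, the function names and all addresses are constructed for illustration,
and a linear search stands in for the prio search tree.

```c
#include <stddef.h>
#include <stdint.h>

struct object {                      /* simplified model of a tracked block */
    uintptr_t start; size_t size;    /* block covers [start, start + size) */
    const uintptr_t *words; size_t nwords;  /* contents, scanned once gray */
    int min_count, count, gray;      /* min_count: references needed to leave white */
};

/* Treat every word as a potential pointer into any tracked block. */
static void scan(const uintptr_t *w, size_t n, struct object *o, size_t nobj,
                 struct object **list, size_t *len)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nobj; j++)
            if (w[i] >= o[j].start && w[i] - o[j].start < o[j].size &&
                !o[j].gray && ++o[j].count >= o[j].min_count) {
                o[j].gray = 1;
                list[(*len)++] = &o[j];      /* append to the gray list */
            }
}

/* Steps 1-4 from the text; returns how many objects stay white (orphans). */
size_t count_orphans(const uintptr_t *roots, size_t nroots,
                     struct object *o, size_t nobj)
{
    struct object *list[16];                 /* gray list, model limit 16 */
    size_t len = 0, orphans = 0;
    if (nobj > 16)
        return (size_t)-1;
    for (size_t j = 0; j < nobj; j++)
        o[j].count = o[j].gray = 0;                        /* 1: all white */
    scan(roots, nroots, o, nobj, list, &len);              /* 2: roots */
    for (size_t g = 0; g < len; g++)                       /* 3: list may grow */
        scan(list[g]->words, list[g]->nwords, o, nobj, list, &len);
    for (size_t j = 0; j < nobj; j++)
        orphans += !o[j].gray;                             /* 4: still white */
    return orphans;
}

/* Constructed addresses: A -> inside B, C -> D, E needs two references. */
size_t demo(int second_ref_to_e)
{
    static const uintptr_t in_a[] = { 0x2010 }, in_c[] = { 0x4000 };
    struct object o[] = { { 0x1000, 64, in_a, 1, 1 }, { 0x2000, 32, NULL, 0, 1 },
                          { 0x3000, 16, in_c, 1, 1 }, { 0x4000, 16, NULL, 0, 1 },
                          { 0x5000, 4096, NULL, 0, 2 } };
    uintptr_t roots[] = { 0x1000, 0x5000, second_ref_to_e ? 0x5008 : 0 };
    return count_orphans(roots, 3, o, 5);
}
```

In the sample data, D is referenced only from C, which is itself unreachable and
therefore never scanned, so both are counted: one orphan early in the list causes
a later object to be reported as well.
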
Kmemleak API
------------

See the include/linux/kmemleak.h header for the function prototypes.

kmemleak_init            - initialize kmemleak
kmemleak_alloc           - notify of a memory block allocation
kmemleak_free            - notify of a memory block freeing
kmemleak_not_leak        - mark an object as not a leak
kmemleak_ignore          - do not scan or report an object as leak
kmemleak_scan_area       - add scan areas inside a memory block
kmemleak_no_scan         - do not scan a memory block
kmemleak_erase           - erase an old value in a pointer variable
kmemleak_alloc_recursive - as kmemleak_alloc but checks the recursiveness
kmemleak_free_recursive  - as kmemleak_free but checks the recursiveness

Dealing with false positives/negatives
--------------------------------------

The false negatives are real memory leaks (orphan objects) but not
reported by kmemleak because values found during the memory scanning
point to such objects. To reduce the number of false negatives, kmemleak
provides the kmemleak_ignore, kmemleak_scan_area, kmemleak_no_scan and
kmemleak_erase functions (see above). The task stacks also increase the
amount of false negatives and their scanning is not enabled by default.

The false positives are objects wrongly reported as being memory leaks
(orphan). For objects known not to be leaks, kmemleak provides the
kmemleak_not_leak function. The kmemleak_ignore could also be used if
the memory block is known not to contain other pointers and it will no
longer be scanned.

Some of the reported leaks are only transient, especially on SMP
systems, because of pointers temporarily stored in CPU registers or
stacks. Kmemleak defines MSECS_MIN_AGE (defaulting to 1000) representing
the minimum age of an object to be reported as a memory leak.

Limitations and Drawbacks
-------------------------

The main drawback is the reduced performance of memory allocation and
freeing. To avoid other penalties, the memory scanning is only performed
when the /sys/kernel/debug/kmemleak file is read. Anyway, this tool is
intended for debugging purposes where the performance might not be the
most important requirement.

To keep the algorithm simple, kmemleak scans for values pointing to any
address inside a block's address range. This may lead to an increased
number of false negatives. However, it is likely that a real memory leak
will eventually become visible.

Another source of false negatives is the data stored in non-pointer
values. In a future version, kmemleak could only scan the pointer
members in the allocated structures. This feature would solve many of
the false negative cases described above.

The tool can report false positives. These are cases where an allocated
block doesn't need to be freed (some cases in the init_call functions),
the pointer is calculated by other methods than the usual container_of
macro or the pointer is stored in a location not scanned by kmemleak.

Page allocations and ioremap are not tracked. Only the ARM and x86
architectures are currently supported.
146architectures are currently supported.