Re: [PATCH] x86/mm/mem_encrypt: fix a crash with kmemleak_scan

[Catalin Marinas]

On Thu, Apr 18, 2019 at 09:45:10AM +0200, Borislav Petkov wrote:
> On Tue, Apr 16, 2019 at 08:38:30PM -0400, Qian Cai wrote:
> > kmemleak_init() will register the data/bss sections (only register
> > .data..ro_after_init if not within .data) and then kmemleak_scan() will scan
> > those address and dereference them looking for pointer referencing. If
> > free_init_pages() free and unmap pages in those sections, kmemleak_scan() will
> > trigger a crash if referencing one of those addresses.
> >
> > I checked other x86 free_init_pages() call sites and don't see anything obvious
> > where another place to free an address in those sections.
> 
> And why is .bss/.data special and why does it need that special handling
> by kmemleak?

Kmemleak is basically a tri-colour marking tracing garbage collector [1]
but without automatic freeing. It relies on a graph of references
(pointers) between various objects and the root of such graph is the
.bss/.data.

free_init_pages() is called on memory regions outside .bss/.data like
smp_locks, initrd, kernel init text which kmemleak does not track
anyway. That said, kmemleak_free_part() is tolerant to unknown pointers,
so we could call it directly from free_init_pages().

> There must be some rule or a heuristic why kmemleak does that. Is that
> documented somewhere?

There is Documentation/dev-tools/kmemleak.rst briefly mentioning the
tracing garbage collector (although the Wikipedia link is no longer
valid, it should be replaced with [1]). It doesn't, however, state why
.bss/.data are special.

-- 
Catalin

[1] https://en.wikipedia.org/wiki/Tracing_garbage_collection#Tri-color_marking