Linux内存泄漏检测kmemleak

作者 by adtxl / 2021-12-24 / 暂无评论 / 824 个足迹

kmemleak是内核提供的一种检测内存泄漏工具,它会启动一个内核线程扫描内存,并打印发现新的未引用对象数量。kmemleak有误报的可能性,但它给开发者提供了一个观察内存的路径和视角。

1. 使用

环境: Android 11平台,kernel 4.19

1.1 打开config

要使用kmemleak功能,请在defconfig打开如下面的配置,最好使用menuconfig自己配置下

CONFIG_DEBUG_KMEMLEAK=y
CONFIG_DEBUG_KMEMLEAK_TEST=m

由于我打开了CONFIG_DEBUG_KMEMLEAK_TEST=m,编译kernel时会自动编一个测试驱动,位置位于output/linux/mm/kmemleak-test.ko.

如果defconfig中打开了CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y,kmemleak会默认关闭,需要在内核启动的commandline中添加kmemleak=on,或者在defconfig中直接不要加这个config.

1.2 用法

1、挂载debugfs文件系统(如果未挂载)

mount -t debugfs nodev /sys/kernel/debug/

2、开启内核自动检测线程

echo scan > /sys/kernel/debug/kmemleak

3、查看打印信息

cat /sys/kernel/debug/kmemleak

4、清除内核检测报告,新的内存泄露报告将重新写入/sys/kernel/debug/kmemleak

echo clear > /sys/kernel/debug/kmemleak

可以通过向/sys/kernel/debug/kmemleak文件写入来修改内存扫描参数,可用参数如下:

  off 禁用kmemleak(不可逆)

  stack=on 启用任务堆栈扫描(default)

  stack=off 禁用任务堆栈扫描

  scan=on 启动自动内存扫描线程(default)

  scan=off 停止自动内存扫描线程

  scan=<secs> 设置自动内存扫描的周期为<secs>秒,默认600s

  scan 开启内核扫描

  clear 清除内存泄露报告

  dump=<addr> 转储位于<addr>的对象的信息

也可以在内核命令行中传入“kmemleak=off”,在启动时禁用kmemleak。在kmemleak初始化之前发生的内存分配和释放操作会被记录在一个早期日志缓冲区中,这个缓冲区的大小通过配置项CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE设置。

1.3 测试驱动

源码路径:linux_kernel/mm/kmemleak-test.c,源码如下


/*
 * Prefix every pr_*() message emitted from this file with "kmemleak: ".
 * The definition sits ahead of the #include lines so that the pr_*()
 * macros pulled in by those headers pick it up.
 */
#define pr_fmt(fmt) "kmemleak: " fmt

#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/list.h>
#include <linux/percpu.h>
#include <linux/fdtable.h>

#include <linux/kmemleak.h>

/*
 * Node type for the list-based part of the test: a list_head placed
 * between two arrays of 25 longs.
 */
struct test_node {
    long header[25];        /* never accessed by the code in this file; presumably padding - confirm */
    struct list_head list;  /* links the node onto test_list */
    long footer[25];        /* never accessed by the code in this file; presumably padding - confirm */
};

/* Head of the list that kmemleak_test_init() fills with test_node objects. */
static LIST_HEAD(test_list);
/* One void * slot per CPU; kmemleak_test_init() stores a kmalloc(129) result in each. */
static DEFINE_PER_CPU(void *, kmemleak_test_pointer);

/*
 * Some very simple testing. This function needs to be extended for
 * proper testing.
 *
 * Module init hook. It makes three groups of allocations:
 *   1. kmalloc()/vmalloc() (and, without CONFIG_MODULES,
 *      kmem_cache_alloc()) results that are printed and then dropped;
 *   2. ten test_node objects linked onto the file-scope test_list;
 *   3. one kmalloc(129) result per possible CPU, stored in the per-CPU
 *      variable kmemleak_test_pointer.
 * Nothing allocated here is freed by this function.
 *
 * Returns 0 on success, or -ENOMEM if a kzalloc() in the list loop fails.
 *
 * Note on the log output: on kernels that hash %p (4.15 and later) the
 * values printed below are hashed, not raw addresses, so they cannot be
 * matched against the object addresses in /sys/kernel/debug/kmemleak.
 * The hashing is deliberate: it keeps kernel addresses out of the log.
 */
static int __init kmemleak_test_init(void)
{
    struct test_node *elem;
    int i;

    pr_info("Kmemleak testing\n");

    /*
     * make some orphan objects: each returned pointer is handed only to
     * pr_info() and never stored, so no reference to the object is kept
     */
    pr_info("kmalloc(32) = %p\n", kmalloc(32, GFP_KERNEL));
    pr_info("kmalloc(32) = %p\n", kmalloc(32, GFP_KERNEL));
    pr_info("kmalloc(1024) = %p\n", kmalloc(1024, GFP_KERNEL));
    pr_info("kmalloc(1024) = %p\n", kmalloc(1024, GFP_KERNEL));
    pr_info("kmalloc(2048) = %p\n", kmalloc(2048, GFP_KERNEL));
    pr_info("kmalloc(2048) = %p\n", kmalloc(2048, GFP_KERNEL));
    pr_info("kmalloc(4096) = %p\n", kmalloc(4096, GFP_KERNEL));
    pr_info("kmalloc(4096) = %p\n", kmalloc(4096, GFP_KERNEL));
    /*
     * Compiled only when CONFIG_MODULES is not defined; presumably
     * because files_cachep is not usable from a loadable module - confirm.
     */
#ifndef CONFIG_MODULES
    pr_info("kmem_cache_alloc(files_cachep) = %p\n",
        kmem_cache_alloc(files_cachep, GFP_KERNEL));
    pr_info("kmem_cache_alloc(files_cachep) = %p\n",
        kmem_cache_alloc(files_cachep, GFP_KERNEL));
#endif
    /* five vmalloc() results, likewise printed and then dropped */
    pr_info("vmalloc(64) = %p\n", vmalloc(64));
    pr_info("vmalloc(64) = %p\n", vmalloc(64));
    pr_info("vmalloc(64) = %p\n", vmalloc(64));
    pr_info("vmalloc(64) = %p\n", vmalloc(64));
    pr_info("vmalloc(64) = %p\n", vmalloc(64));

    /*
     * Add elements to a list. They should only appear as orphan
     * after the module is removed.
     */
    for (i = 0; i < 10; i++) {
        elem = kzalloc(sizeof(*elem), GFP_KERNEL);
        pr_info("kzalloc(sizeof(*elem)) = %p\n", elem);
        /*
         * On failure, the nodes already linked onto test_list are not
         * freed on this path.
         */
        if (!elem)
            return -ENOMEM;
        INIT_LIST_HEAD(&elem->list);
        list_add_tail(&elem->list, &test_list);
    }

    /*
     * Store one allocation per possible CPU in the per-CPU variable.
     * The kmalloc() result is stored and printed without a NULL check.
     * Presumably this exercises kmemleak's handling of pointers kept in
     * per-CPU data - confirm.
     */
    for_each_possible_cpu(i) {
        per_cpu(kmemleak_test_pointer, i) = kmalloc(129, GFP_KERNEL);
        pr_info("kmalloc(129) = %p\n",
            per_cpu(kmemleak_test_pointer, i));
    }

    return 0;
}
/* Register kmemleak_test_init() as the module's init function. */
module_init(kmemleak_test_init);

/*
 * Module exit hook: unlink every test_node from test_list while
 * deliberately skipping the free, so that the nodes are left without
 * any reference once the module is gone.
 */
static void __exit kmemleak_test_exit(void)
{
    struct test_node *node, *next;

    /*
     * The _safe iterator keeps a lookahead pointer, so unlinking the
     * current entry inside the loop body is fine. The memory itself is
     * intentionally not released.
     */
    list_for_each_entry_safe(node, next, &test_list, list) {
        list_del(&node->list);
    }
}
module_exit(kmemleak_test_exit);

MODULE_LICENSE("GPL");

kmemleak-test.ko文件使用adb push到开发板。然后insmod kmemleak-test.ko.

console:/ # insmod vendor/kmemleak-test.ko
[   96.993658] kmemleak: Kmemleak testing
[   96.997615] kmemleak: kmalloc(32) = 00000000fb9abb51
[   97.002693] kmemleak: kmalloc(32) = 0000000060c6a314
[   97.007707] kmemleak: kmalloc(1024) = 00000000a108eab7
[   97.013374] kmemleak: kmalloc(1024) = 000000008f94c530
[   97.018697] kmemleak: kmalloc(2048) = 0000000025816114
[   97.023882] kmemleak: kmalloc(2048) = 000000001a77a24a
[   97.029067] kmemleak: kmalloc(4096) = 0000000061daaec3
[   97.034312] kmemleak: kmalloc(4096) = 00000000e69f8dcb
[   97.040508] kmemleak: vmalloc(64) = 00000000d5de7efc
[   97.045630] kmemleak: vmalloc(64) = 000000002309b4b8
[   97.050895] kmemleak: vmalloc(64) = 000000004458636b
[   97.056037] kmemleak: vmalloc(64) = 0000000064c25f36
[   97.061093] kmemleak: vmalloc(64) = 0000000056e55d73
[   97.066174] kmemleak: kzalloc(sizeof(*elem)) = 000000009bb51824
[   97.072202] kmemleak: kzalloc(sizeof(*elem)) = 00000000634fd38b
[   97.078183] kmemleak: kzalloc(sizeof(*elem)) = 000000007a6a715d
[   97.084224] kmemleak: kzalloc(sizeof(*elem)) = 000000007fb332cd
[   97.090341] kmemleak: kzalloc(sizeof(*elem)) = 00000000f7986bfe
[   97.098116] kmemleak: kzalloc(sizeof(*elem)) = 00000000622dff56
[   97.104194] kmemleak: kzalloc(sizeof(*elem)) = 000000004b156af7
[   97.110229] kmemleak: kzalloc(sizeof(*elem)) = 0000000013f1b828
[   97.116247] kmemleak: kzalloc(sizeof(*elem)) = 00000000ac8bf86c
[   97.122222] kmemleak: kzalloc(sizeof(*elem)) = 0000000015240058
[   97.128240] kmemleak: kmalloc(129) = 00000000e7017353
[   97.133349] kmemleak: kmalloc(129) = 00000000ba7abd3d
[   97.138489] kmemleak: kmalloc(129) = 00000000224c9bf1
[   97.143645] kmemleak: kmalloc(129) = 000000005f1f0a94

使用下面的命令开启内核自动检测线程
echo scan > /sys/kernel/debug/kmemleak
然后使用cat /sys/kernel/debug/kmemleak命令查看打印信息。注意:insmod时pr_info用%p打印的是经过哈希处理的指针值,所以和下面报告里的对象地址(如0xffffff800a075000)无法直接对应。

console:/ # cat /sys/kernel/debug/kmemleak
console:/ # echo scan > /sys/kernel/debug/kmemleak
[ 6948.177431] kmemleak: 3 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
console:/ # cat /sys/kernel/debug/kmemleak
unreferenced object 0xffffff800a075000 (size 4096):
  comm "insmod", pid 4232, jiffies 4296623932 (age 26.728s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000000c27f362>] __vmalloc_node_range+0x1a0/0x2c0
    [<0000000082d1c28c>] vmalloc+0x8c/0xb0
    [<00000000807cda68>] 0xffffff8000e491b0
    [<00000000a9781cee>] do_one_initcall+0x5c/0x260
    [<00000000abdd5e1f>] do_init_module+0x64/0x1ec
    [<00000000a4fb186d>] load_module+0x1c7c/0x1ec0
    [<00000000f06272a6>] __se_sys_finit_module+0xa0/0x100
    [<00000000a2a2d4e6>] __arm64_sys_finit_module+0x24/0x30
    [<0000000067f72428>] el0_svc_common.constprop.0+0x7c/0x198
    [<000000002ad15fe6>] el0_svc_compat_handler+0x2c/0x38
    [<00000000bc639d92>] el0_svc_compat+0x8/0x34
    [<000000001101d87c>] 0xffffffffffffffff
unreferenced object 0xffffff800a07d000 (size 4096):
  comm "insmod", pid 4232, jiffies 4296623934 (age 26.720s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000000c27f362>] __vmalloc_node_range+0x1a0/0x2c0
    [<0000000082d1c28c>] vmalloc+0x8c/0xb0
    [<00000000a06073c9>] 0xffffff8000e491c4
    [<00000000a9781cee>] do_one_initcall+0x5c/0x260
    [<00000000abdd5e1f>] do_init_module+0x64/0x1ec
    [<00000000a4fb186d>] load_module+0x1c7c/0x1ec0
    [<00000000f06272a6>] __se_sys_finit_module+0xa0/0x100
    [<00000000a2a2d4e6>] __arm64_sys_finit_module+0x24/0x30
    [<0000000067f72428>] el0_svc_common.constprop.0+0x7c/0x198
    [<000000002ad15fe6>] el0_svc_compat_handler+0x2c/0x38
    [<00000000bc639d92>] el0_svc_compat+0x8/0x34
    [<000000001101d87c>] 0xffffffffffffffff
unreferenced object 0xffffff800a085000 (size 4096):
  comm "insmod", pid 4232, jiffies 4296623936 (age 26.712s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000000c27f362>] __vmalloc_node_range+0x1a0/0x2c0
    [<0000000082d1c28c>] vmalloc+0x8c/0xb0
    [<000000008094e7a4>] 0xffffff8000e491d8
    [<00000000a9781cee>] do_one_initcall+0x5c/0x260
    [<00000000abdd5e1f>] do_init_module+0x64/0x1ec
    [<00000000a4fb186d>] load_module+0x1c7c/0x1ec0
    [<00000000f06272a6>] __se_sys_finit_module+0xa0/0x100
    [<00000000a2a2d4e6>] __arm64_sys_finit_module+0x24/0x30
    [<0000000067f72428>] el0_svc_common.constprop.0+0x7c/0x198
    [<000000002ad15fe6>] el0_svc_compat_handler+0x2c/0x38
    [<00000000bc639d92>] el0_svc_compat+0x8/0x34
    [<000000001101d87c>] 0xffffffffffffffff
