tcpdump mailing list archives

Re: Memory leak in libpcap (top of tree) and/or kernel


From: Guy Harris <guy () alum mit edu>
Date: Fri, 10 Jul 2009 15:45:09 -0700

On Jul 10, 2009, at 3:35 PM, Gianluca Varenni wrote:

> I just discovered an interesting leak with the libpcap 1.0 or the current top-of-tree.
>
> On Fedora 10, kernel 2.6.27.5 or 2.6.27.12, there is a memory leak by which a simple program like this one will eventually use all the memory on the system (as reported by top) and eventually the application gets killed by the OS (and as a side effect the graphical system gets killed too and restarts). This happens only if the usbmon devices are listed (I tried on a VM disabling and enabling the virtual USB controller. No VM tools are installed on the guest, we are able to replicate it on a physical machine).
>
> The interesting part is that in top the memory usage of the process is always < 1%, but the total amount of free memory on the system goes down to a few megabytes, until the OS finally kills the process.

Spot the potential leaks:

        $ egrep -l 'mmap\(' *.c
        pcap-bpf.c
        pcap-dag.c
        pcap-linux.c
        pcap-usb-linux.c

        $ egrep -l 'munmap\(' *.c
        pcap-bpf.c
        pcap-linux.c

I suspect the close routines for Linux USB devices - and DAG devices - need to unmap any buffer they have.

As pcap_findalldevs() checks whether the device can be opened, the USB devices will be opened and closed; that leaks address space, and it might leak kernel wired memory. It's not leaking anonymous pages, though, so it might not show up as memory usage.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
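
The failure mode described in the reply above, as an added example that is not part of the original message and is not libpcap code: a close routine that closes the descriptor but never calls munmap() leaves one mapping behind per open/close cycle. The names `toy_handle`, `toy_open`, `toy_close` and `RING_LEN` are hypothetical, and `/dev/zero` is an assumed stand-in for the capture device node.

```c
/* Added illustration, not libpcap code; all toy_* names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>

#define RING_LEN ((size_t)1 << 20)      /* constructed buffer size (1 MiB) */
struct toy_handle { int fd; void *ring; };

/* Open the "device" and map a buffer from it, as a capture module would. */
static int toy_open(struct toy_handle *h)
{
    h->fd = open("/dev/zero", O_RDWR);  /* assumption: stands in for the device */
    if (h->fd < 0)
        return -1;
    h->ring = mmap(NULL, RING_LEN, PROT_READ | PROT_WRITE, MAP_PRIVATE, h->fd, 0);
    if (h->ring != MAP_FAILED)
        return 0;
    close(h->fd);
    return -1;
}

/* Close routine. With unmap == 0 it only closes the descriptor; close(2)
 * does not remove mappings made from that descriptor, so the buffer stays. */
static void toy_close(struct toy_handle *h, int unmap)
{
    if (unmap)
        munmap(h->ring, RING_LEN);
    h->ring = NULL;
    close(h->fd);
}

/* msync() fails with ENOMEM when the range is not mapped. */
static int still_mapped(void *addr)
{
    return msync(addr, RING_LEN, MS_ASYNC) == 0 || errno != ENOMEM;
}

/* Probe n times (open, then close); count buffers still mapped afterwards. */
int leaked_after_probes(int n, int unmap)
{
    int leaked = 0;
    for (int i = 0; i < n; i++) {
        struct toy_handle h;
        if (toy_open(&h) != 0)
            return -1;
        void *addr = h.ring;
        toy_close(&h, unmap);
        leaked += still_mapped(addr);
    }
    return leaked;
}
```

The pages are never touched, so the leaked mappings consume address space without raising the process's resident memory.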

