1 /*
2 * mm/kmemleak.c
3 *
4 * Copyright (C) 2008 ARM Limited
5 * Written by Catalin Marinas <catalin.marinas@arm.com>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 *
21 * For more information on the algorithm and kmemleak usage, please see
22 * Documentation/kmemleak.txt.
23 *
24 * Notes on locking
25 * ----------------
26 *
27 * The following locks and mutexes are used by kmemleak:
28 *
29 * - kmemleak_lock (rwlock): protects the object_list modifications and
30 * accesses to the object_tree_root. The object_list is the main list
31 * holding the metadata (struct kmemleak_object) for the allocated memory
32 * blocks. The object_tree_root is a red black tree used to look-up
33 * metadata based on a pointer to the corresponding memory block. The
34 * kmemleak_object structures are added to the object_list and
35 * object_tree_root in the create_object() function called from the
36 * kmemleak_alloc() callback and removed in delete_object() called from the
37 * kmemleak_free() callback
38 * - kmemleak_object.lock (spinlock): protects a kmemleak_object. Accesses to
39 * the metadata (e.g. count) are protected by this lock. Note that some
40 * members of this structure may be protected by other means (atomic or
41 * kmemleak_lock). This lock is also held when scanning the corresponding
42 * memory block to avoid the kernel freeing it via the kmemleak_free()
43 * callback. This is less heavyweight than holding a global lock like
44 * kmemleak_lock during scanning
45 * - scan_mutex (mutex): ensures that only one thread may scan the memory for
46 * unreferenced objects at a time. The gray_list contains the objects which
47 * are already referenced or marked as false positives and need to be
48 * scanned. This list is only modified during a scanning episode when the
49 * scan_mutex is held. At the end of a scan, the gray_list is always empty.
50 * Note that the kmemleak_object.use_count is incremented when an object is
51 * added to the gray_list and therefore cannot be freed. This mutex also
52 * prevents multiple users of the "kmemleak" debugfs file together with
53 * modifications to the memory scanning parameters including the scan_thread
54 * pointer
55 *
56 * The kmemleak_object structures have a use_count incremented or decremented
57 * using the get_object()/put_object() functions. When the use_count becomes
58 * 0, this count can no longer be incremented and put_object() schedules the
59 * kmemleak_object freeing via an RCU callback. All calls to the get_object()
60 * function must be protected by rcu_read_lock() to avoid accessing a freed
61 * structure.
62 */
63
64 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
65
66 #include <linux/init.h>
67 #include <linux/kernel.h>
68 #include <linux/list.h>
69 #include <linux/sched.h>
70 #include <linux/jiffies.h>
71 #include <linux/delay.h>
72 #include <linux/export.h>
73 #include <linux/kthread.h>
74 #include <linux/rbtree.h>
75 #include <linux/fs.h>
76 #include <linux/debugfs.h>
77 #include <linux/seq_file.h>
78 #include <linux/cpumask.h>
79 #include <linux/spinlock.h>
80 #include <linux/mutex.h>
81 #include <linux/rcupdate.h>
82 #include <linux/stacktrace.h>
83 #include <linux/cache.h>
84 #include <linux/percpu.h>
85 #include <linux/hardirq.h>
86 #include <linux/mmzone.h>
87 #include <linux/slab.h>
88 #include <linux/thread_info.h>
89 #include <linux/err.h>
90 #include <linux/uaccess.h>
91 #include <linux/string.h>
92 #include <linux/nodemask.h>
93 #include <linux/mm.h>
94 #include <linux/workqueue.h>
95 #include <linux/crc32.h>
96
97 #include <asm/sections.h>
98 #include <asm/processor.h>
99 #include <linux/atomic.h>
100
101 #include <linux/kasan.h>
102 #include <linux/kmemcheck.h>
103 #include <linux/kmemleak.h>
104 #include <linux/memory_hotplug.h>
105
106 /*
107 * Kmemleak configuration and common defines.
108 */
109 #define MAX_TRACE 16 /* stack trace length */
110 #define MSECS_MIN_AGE 5000 /* minimum object age for reporting */
111 #define SECS_FIRST_SCAN 60 /* delay before the first scan */
112 #define SECS_SCAN_WAIT 600 /* subsequent auto scanning delay */
113 #define MAX_SCAN_SIZE 4096 /* maximum size of a scanned block */
114
115 #define BYTES_PER_POINTER sizeof(void *)
116
117 /* GFP bitmask for kmemleak internal allocations */
118 #define gfp_kmemleak_mask(gfp) (((gfp) & (GFP_KERNEL | GFP_ATOMIC | \
119 __GFP_NOACCOUNT)) | \
120 __GFP_NORETRY | __GFP_NOMEMALLOC | \
121 __GFP_NOWARN)
122
123 /* scanning area inside a memory block */
124 struct kmemleak_scan_area {
125 struct hlist_node node;
126 unsigned long start;
127 size_t size;
128 };
129
130 #define KMEMLEAK_GREY 0
131 #define KMEMLEAK_BLACK -1
132
133 /*
134 * Structure holding the metadata for each allocated memory block.
135 * Modifications to such objects should be made while holding the
136 * object->lock. Insertions or deletions from object_list, gray_list or
137 * rb_node are already protected by the corresponding locks or mutex (see
138 * the notes on locking above). These objects are reference-counted
139 * (use_count) and freed using the RCU mechanism.
140 */
141 struct kmemleak_object {
142 spinlock_t lock;
143 unsigned long flags; /* object status flags */
144 struct list_head object_list;
145 struct list_head gray_list;
146 struct rb_node rb_node;
147 struct rcu_head rcu; /* object_list lockless traversal */
148 /* object usage count; object freed when use_count == 0 */
149 atomic_t use_count;
150 unsigned long pointer;
151 size_t size;
152 /* minimum number of a pointers found before it is considered leak */
153 int min_count;
154 /* the total number of pointers found pointing to this object */
155 int count;
156 /* checksum for detecting modified objects */
157 u32 checksum;
158 /* memory ranges to be scanned inside an object (empty for all) */
159 struct hlist_head area_list;
160 unsigned long trace[MAX_TRACE];
161 unsigned int trace_len;
162 unsigned long jiffies; /* creation timestamp */
163 pid_t pid; /* pid of the current task */
164 char comm[TASK_COMM_LEN]; /* executable name */
165 };
166
167 /* flag representing the memory block allocation status */
168 #define OBJECT_ALLOCATED (1 << 0)
169 /* flag set after the first reporting of an unreference object */
170 #define OBJECT_REPORTED (1 << 1)
171 /* flag set to not scan the object */
172 #define OBJECT_NO_SCAN (1 << 2)
173
174 /* number of bytes to print per line; must be 16 or 32 */
175 #define HEX_ROW_SIZE 16
176 /* number of bytes to print at a time (1, 2, 4, 8) */
177 #define HEX_GROUP_SIZE 1
178 /* include ASCII after the hex output */
179 #define HEX_ASCII 1
180 /* max number of lines to be printed */
181 #define HEX_MAX_LINES 2
182
183 /* the list of all allocated objects */
184 static LIST_HEAD(object_list);
185 /* the list of gray-colored objects (see color_gray comment below) */
186 static LIST_HEAD(gray_list);
187 /* search tree for object boundaries */
188 static struct rb_root object_tree_root = RB_ROOT;
189 /* rw_lock protecting the access to object_list and object_tree_root */
190 static DEFINE_RWLOCK(kmemleak_lock);
191
192 /* allocation caches for kmemleak internal data */
193 static struct kmem_cache *object_cache;
194 static struct kmem_cache *scan_area_cache;
195
196 /* set if tracing memory operations is enabled */
197 static int kmemleak_enabled;
198 /* same as above but only for the kmemleak_free() callback */
199 static int kmemleak_free_enabled;
200 /* set in the late_initcall if there were no errors */
201 static int kmemleak_initialized;
202 /* enables or disables early logging of the memory operations */
203 static int kmemleak_early_log = 1;
204 /* set if a kmemleak warning was issued */
205 static int kmemleak_warning;
206 /* set if a fatal kmemleak error has occurred */
207 static int kmemleak_error;
208
209 /* minimum and maximum address that may be valid pointers */
210 static unsigned long min_addr = ULONG_MAX;
211 static unsigned long max_addr;
212
213 static struct task_struct *scan_thread;
214 /* used to avoid reporting of recently allocated objects */
215 static unsigned long jiffies_min_age;
216 static unsigned long jiffies_last_scan;
217 /* delay between automatic memory scannings */
218 static signed long jiffies_scan_wait;
219 /* enables or disables the task stacks scanning */
220 static int kmemleak_stack_scan = 1;
221 /* protects the memory scanning, parameters and debug/kmemleak file access */
222 static DEFINE_MUTEX(scan_mutex);
223 /* setting kmemleak=on, will set this var, skipping the disable */
224 static int kmemleak_skip_disable;
225 /* If there are leaks that can be reported */
226 static bool kmemleak_found_leaks;
227
228 /*
229 * Early object allocation/freeing logging. Kmemleak is initialized after the
230 * kernel allocator. However, both the kernel allocator and kmemleak may
231 * allocate memory blocks which need to be tracked. Kmemleak defines an
232 * arbitrary buffer to hold the allocation/freeing information before it is
233 * fully initialized.
234 */
235
236 /* kmemleak operation type for early logging */
237 enum {
238 KMEMLEAK_ALLOC,
239 KMEMLEAK_ALLOC_PERCPU,
240 KMEMLEAK_FREE,
241 KMEMLEAK_FREE_PART,
242 KMEMLEAK_FREE_PERCPU,
243 KMEMLEAK_NOT_LEAK,
244 KMEMLEAK_IGNORE,
245 KMEMLEAK_SCAN_AREA,
246 KMEMLEAK_NO_SCAN
247 };
248
249 /*
250 * Structure holding the information passed to kmemleak callbacks during the
251 * early logging.
252 */
253 struct early_log {
254 int op_type; /* kmemleak operation type */
255 const void *ptr; /* allocated/freed memory block */
256 size_t size; /* memory block size */
257 int min_count; /* minimum reference count */
258 unsigned long trace[MAX_TRACE]; /* stack trace */
259 unsigned int trace_len; /* stack trace length */
260 };
261
262 /* early logging buffer and current position */
263 static struct early_log
264 early_log[CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE] __initdata;
265 static int crt_early_log __initdata;
266
267 static void kmemleak_disable(void);
268
269 /*
270 * Print a warning and dump the stack trace.
271 */
272 #define kmemleak_warn(x...) do { \
273 pr_warning(x); \
274 dump_stack(); \
275 kmemleak_warning = 1; \
276 } while (0)
277
278 /*
279 * Macro invoked when a serious kmemleak condition occurred and cannot be
280 * recovered from. Kmemleak will be disabled and further allocation/freeing
281 * tracing no longer available.
282 */
283 #define kmemleak_stop(x...) do { \
284 kmemleak_warn(x); \
285 kmemleak_disable(); \
286 } while (0)
287
288 /*
289 * Printing of the objects hex dump to the seq file. The number of lines to be
290 * printed is limited to HEX_MAX_LINES to prevent seq file spamming. The
291 * actual number of printed bytes depends on HEX_ROW_SIZE. It must be called
292 * with the object->lock held.
293 */
hex_dump_object(struct seq_file * seq,struct kmemleak_object * object)294 static void hex_dump_object(struct seq_file *seq,
295 struct kmemleak_object *object)
296 {
297 const u8 *ptr = (const u8 *)object->pointer;
298 int i, len, remaining;
299 unsigned char linebuf[HEX_ROW_SIZE * 5];
300
301 /* limit the number of lines to HEX_MAX_LINES */
302 remaining = len =
303 min(object->size, (size_t)(HEX_MAX_LINES * HEX_ROW_SIZE));
304
305 seq_printf(seq, " hex dump (first %d bytes):\n", len);
306 for (i = 0; i < len; i += HEX_ROW_SIZE) {
307 int linelen = min(remaining, HEX_ROW_SIZE);
308
309 remaining -= HEX_ROW_SIZE;
310 hex_dump_to_buffer(ptr + i, linelen, HEX_ROW_SIZE,
311 HEX_GROUP_SIZE, linebuf, sizeof(linebuf),
312 HEX_ASCII);
313 seq_printf(seq, " %s\n", linebuf);
314 }
315 }
316
317 /*
318 * Object colors, encoded with count and min_count:
319 * - white - orphan object, not enough references to it (count < min_count)
320 * - gray - not orphan, not marked as false positive (min_count == 0) or
321 * sufficient references to it (count >= min_count)
322 * - black - ignore, it doesn't contain references (e.g. text section)
323 * (min_count == -1). No function defined for this color.
324 * Newly created objects don't have any color assigned (object->count == -1)
325 * before the next memory scan when they become white.
326 */
color_white(const struct kmemleak_object * object)327 static bool color_white(const struct kmemleak_object *object)
328 {
329 return object->count != KMEMLEAK_BLACK &&
330 object->count < object->min_count;
331 }
332
color_gray(const struct kmemleak_object * object)333 static bool color_gray(const struct kmemleak_object *object)
334 {
335 return object->min_count != KMEMLEAK_BLACK &&
336 object->count >= object->min_count;
337 }
338
339 /*
340 * Objects are considered unreferenced only if their color is white, they have
341 * not be deleted and have a minimum age to avoid false positives caused by
342 * pointers temporarily stored in CPU registers.
343 */
unreferenced_object(struct kmemleak_object * object)344 static bool unreferenced_object(struct kmemleak_object *object)
345 {
346 return (color_white(object) && object->flags & OBJECT_ALLOCATED) &&
347 time_before_eq(object->jiffies + jiffies_min_age,
348 jiffies_last_scan);
349 }
350
351 /*
352 * Printing of the unreferenced objects information to the seq file. The
353 * print_unreferenced function must be called with the object->lock held.
354 */
print_unreferenced(struct seq_file * seq,struct kmemleak_object * object)355 static void print_unreferenced(struct seq_file *seq,
356 struct kmemleak_object *object)
357 {
358 int i;
359 unsigned int msecs_age = jiffies_to_msecs(jiffies - object->jiffies);
360
361 seq_printf(seq, "unreferenced object 0x%08lx (size %zu):\n",
362 object->pointer, object->size);
363 seq_printf(seq, " comm \"%s\", pid %d, jiffies %lu (age %d.%03ds)\n",
364 object->comm, object->pid, object->jiffies,
365 msecs_age / 1000, msecs_age % 1000);
366 hex_dump_object(seq, object);
367 seq_printf(seq, " backtrace:\n");
368
369 for (i = 0; i < object->trace_len; i++) {
370 void *ptr = (void *)object->trace[i];
371 seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
372 }
373 }
374
375 /*
376 * Print the kmemleak_object information. This function is used mainly for
377 * debugging special cases when kmemleak operations. It must be called with
378 * the object->lock held.
379 */
dump_object_info(struct kmemleak_object * object)380 static void dump_object_info(struct kmemleak_object *object)
381 {
382 struct stack_trace trace;
383
384 trace.nr_entries = object->trace_len;
385 trace.entries = object->trace;
386
387 pr_notice("Object 0x%08lx (size %zu):\n",
388 object->pointer, object->size);
389 pr_notice(" comm \"%s\", pid %d, jiffies %lu\n",
390 object->comm, object->pid, object->jiffies);
391 pr_notice(" min_count = %d\n", object->min_count);
392 pr_notice(" count = %d\n", object->count);
393 pr_notice(" flags = 0x%lx\n", object->flags);
394 pr_notice(" checksum = %u\n", object->checksum);
395 pr_notice(" backtrace:\n");
396 print_stack_trace(&trace, 4);
397 }
398
399 /*
400 * Look-up a memory block metadata (kmemleak_object) in the object search
401 * tree based on a pointer value. If alias is 0, only values pointing to the
402 * beginning of the memory block are allowed. The kmemleak_lock must be held
403 * when calling this function.
404 */
lookup_object(unsigned long ptr,int alias)405 static struct kmemleak_object *lookup_object(unsigned long ptr, int alias)
406 {
407 struct rb_node *rb = object_tree_root.rb_node;
408
409 while (rb) {
410 struct kmemleak_object *object =
411 rb_entry(rb, struct kmemleak_object, rb_node);
412 if (ptr < object->pointer)
413 rb = object->rb_node.rb_left;
414 else if (object->pointer + object->size <= ptr)
415 rb = object->rb_node.rb_right;
416 else if (object->pointer == ptr || alias)
417 return object;
418 else {
419 kmemleak_warn("Found object by alias at 0x%08lx\n",
420 ptr);
421 dump_object_info(object);
422 break;
423 }
424 }
425 return NULL;
426 }
427
428 /*
429 * Increment the object use_count. Return 1 if successful or 0 otherwise. Note
430 * that once an object's use_count reached 0, the RCU freeing was already
431 * registered and the object should no longer be used. This function must be
432 * called under the protection of rcu_read_lock().
433 */
get_object(struct kmemleak_object * object)434 static int get_object(struct kmemleak_object *object)
435 {
436 return atomic_inc_not_zero(&object->use_count);
437 }
438
439 /*
440 * RCU callback to free a kmemleak_object.
441 */
free_object_rcu(struct rcu_head * rcu)442 static void free_object_rcu(struct rcu_head *rcu)
443 {
444 struct hlist_node *tmp;
445 struct kmemleak_scan_area *area;
446 struct kmemleak_object *object =
447 container_of(rcu, struct kmemleak_object, rcu);
448
449 /*
450 * Once use_count is 0 (guaranteed by put_object), there is no other
451 * code accessing this object, hence no need for locking.
452 */
453 hlist_for_each_entry_safe(area, tmp, &object->area_list, node) {
454 hlist_del(&area->node);
455 kmem_cache_free(scan_area_cache, area);
456 }
457 kmem_cache_free(object_cache, object);
458 }
459
460 /*
461 * Decrement the object use_count. Once the count is 0, free the object using
462 * an RCU callback. Since put_object() may be called via the kmemleak_free() ->
463 * delete_object() path, the delayed RCU freeing ensures that there is no
464 * recursive call to the kernel allocator. Lock-less RCU object_list traversal
465 * is also possible.
466 */
put_object(struct kmemleak_object * object)467 static void put_object(struct kmemleak_object *object)
468 {
469 if (!atomic_dec_and_test(&object->use_count))
470 return;
471
472 /* should only get here after delete_object was called */
473 WARN_ON(object->flags & OBJECT_ALLOCATED);
474
475 call_rcu(&object->rcu, free_object_rcu);
476 }
477
478 /*
479 * Look up an object in the object search tree and increase its use_count.
480 */
find_and_get_object(unsigned long ptr,int alias)481 static struct kmemleak_object *find_and_get_object(unsigned long ptr, int alias)
482 {
483 unsigned long flags;
484 struct kmemleak_object *object = NULL;
485
486 rcu_read_lock();
487 read_lock_irqsave(&kmemleak_lock, flags);
488 if (ptr >= min_addr && ptr < max_addr)
489 object = lookup_object(ptr, alias);
490 read_unlock_irqrestore(&kmemleak_lock, flags);
491
492 /* check whether the object is still available */
493 if (object && !get_object(object))
494 object = NULL;
495 rcu_read_unlock();
496
497 return object;
498 }
499
500 /*
501 * Save stack trace to the given array of MAX_TRACE size.
502 */
__save_stack_trace(unsigned long * trace)503 static int __save_stack_trace(unsigned long *trace)
504 {
505 struct stack_trace stack_trace;
506
507 stack_trace.max_entries = MAX_TRACE;
508 stack_trace.nr_entries = 0;
509 stack_trace.entries = trace;
510 stack_trace.skip = 2;
511 save_stack_trace(&stack_trace);
512
513 return stack_trace.nr_entries;
514 }
515
516 /*
517 * Create the metadata (struct kmemleak_object) corresponding to an allocated
518 * memory block and add it to the object_list and object_tree_root.
519 */
create_object(unsigned long ptr,size_t size,int min_count,gfp_t gfp)520 static struct kmemleak_object *create_object(unsigned long ptr, size_t size,
521 int min_count, gfp_t gfp)
522 {
523 unsigned long flags;
524 struct kmemleak_object *object, *parent;
525 struct rb_node **link, *rb_parent;
526
527 object = kmem_cache_alloc(object_cache, gfp_kmemleak_mask(gfp));
528 if (!object) {
529 pr_warning("Cannot allocate a kmemleak_object structure\n");
530 kmemleak_disable();
531 return NULL;
532 }
533
534 INIT_LIST_HEAD(&object->object_list);
535 INIT_LIST_HEAD(&object->gray_list);
536 INIT_HLIST_HEAD(&object->area_list);
537 spin_lock_init(&object->lock);
538 atomic_set(&object->use_count, 1);
539 object->flags = OBJECT_ALLOCATED;
540 object->pointer = ptr;
541 object->size = size;
542 object->min_count = min_count;
543 object->count = 0; /* white color initially */
544 object->jiffies = jiffies;
545 object->checksum = 0;
546
547 /* task information */
548 if (in_irq()) {
549 object->pid = 0;
550 strncpy(object->comm, "hardirq", sizeof(object->comm));
551 } else if (in_softirq()) {
552 object->pid = 0;
553 strncpy(object->comm, "softirq", sizeof(object->comm));
554 } else {
555 object->pid = current->pid;
556 /*
557 * There is a small chance of a race with set_task_comm(),
558 * however using get_task_comm() here may cause locking
559 * dependency issues with current->alloc_lock. In the worst
560 * case, the command line is not correct.
561 */
562 strncpy(object->comm, current->comm, sizeof(object->comm));
563 }
564
565 /* kernel backtrace */
566 object->trace_len = __save_stack_trace(object->trace);
567
568 write_lock_irqsave(&kmemleak_lock, flags);
569
570 min_addr = min(min_addr, ptr);
571 max_addr = max(max_addr, ptr + size);
572 link = &object_tree_root.rb_node;
573 rb_parent = NULL;
574 while (*link) {
575 rb_parent = *link;
576 parent = rb_entry(rb_parent, struct kmemleak_object, rb_node);
577 if (ptr + size <= parent->pointer)
578 link = &parent->rb_node.rb_left;
579 else if (parent->pointer + parent->size <= ptr)
580 link = &parent->rb_node.rb_right;
581 else {
582 kmemleak_stop("Cannot insert 0x%lx into the object "
583 "search tree (overlaps existing)\n",
584 ptr);
585 kmem_cache_free(object_cache, object);
586 object = parent;
587 spin_lock(&object->lock);
588 dump_object_info(object);
589 spin_unlock(&object->lock);
590 goto out;
591 }
592 }
593 rb_link_node(&object->rb_node, rb_parent, link);
594 rb_insert_color(&object->rb_node, &object_tree_root);
595
596 list_add_tail_rcu(&object->object_list, &object_list);
597 out:
598 write_unlock_irqrestore(&kmemleak_lock, flags);
599 return object;
600 }
601
602 /*
603 * Remove the metadata (struct kmemleak_object) for a memory block from the
604 * object_list and object_tree_root and decrement its use_count.
605 */
__delete_object(struct kmemleak_object * object)606 static void __delete_object(struct kmemleak_object *object)
607 {
608 unsigned long flags;
609
610 write_lock_irqsave(&kmemleak_lock, flags);
611 rb_erase(&object->rb_node, &object_tree_root);
612 list_del_rcu(&object->object_list);
613 write_unlock_irqrestore(&kmemleak_lock, flags);
614
615 WARN_ON(!(object->flags & OBJECT_ALLOCATED));
616 WARN_ON(atomic_read(&object->use_count) < 2);
617
618 /*
619 * Locking here also ensures that the corresponding memory block
620 * cannot be freed when it is being scanned.
621 */
622 spin_lock_irqsave(&object->lock, flags);
623 object->flags &= ~OBJECT_ALLOCATED;
624 spin_unlock_irqrestore(&object->lock, flags);
625 put_object(object);
626 }
627
628 /*
629 * Look up the metadata (struct kmemleak_object) corresponding to ptr and
630 * delete it.
631 */
delete_object_full(unsigned long ptr)632 static void delete_object_full(unsigned long ptr)
633 {
634 struct kmemleak_object *object;
635
636 object = find_and_get_object(ptr, 0);
637 if (!object) {
638 #ifdef DEBUG
639 kmemleak_warn("Freeing unknown object at 0x%08lx\n",
640 ptr);
641 #endif
642 return;
643 }
644 __delete_object(object);
645 put_object(object);
646 }
647
648 /*
649 * Look up the metadata (struct kmemleak_object) corresponding to ptr and
650 * delete it. If the memory block is partially freed, the function may create
651 * additional metadata for the remaining parts of the block.
652 */
delete_object_part(unsigned long ptr,size_t size)653 static void delete_object_part(unsigned long ptr, size_t size)
654 {
655 struct kmemleak_object *object;
656 unsigned long start, end;
657
658 object = find_and_get_object(ptr, 1);
659 if (!object) {
660 #ifdef DEBUG
661 kmemleak_warn("Partially freeing unknown object at 0x%08lx "
662 "(size %zu)\n", ptr, size);
663 #endif
664 return;
665 }
666 __delete_object(object);
667
668 /*
669 * Create one or two objects that may result from the memory block
670 * split. Note that partial freeing is only done by free_bootmem() and
671 * this happens before kmemleak_init() is called. The path below is
672 * only executed during early log recording in kmemleak_init(), so
673 * GFP_KERNEL is enough.
674 */
675 start = object->pointer;
676 end = object->pointer + object->size;
677 if (ptr > start)
678 create_object(start, ptr - start, object->min_count,
679 GFP_KERNEL);
680 if (ptr + size < end)
681 create_object(ptr + size, end - ptr - size, object->min_count,
682 GFP_KERNEL);
683
684 put_object(object);
685 }
686
__paint_it(struct kmemleak_object * object,int color)687 static void __paint_it(struct kmemleak_object *object, int color)
688 {
689 object->min_count = color;
690 if (color == KMEMLEAK_BLACK)
691 object->flags |= OBJECT_NO_SCAN;
692 }
693
paint_it(struct kmemleak_object * object,int color)694 static void paint_it(struct kmemleak_object *object, int color)
695 {
696 unsigned long flags;
697
698 spin_lock_irqsave(&object->lock, flags);
699 __paint_it(object, color);
700 spin_unlock_irqrestore(&object->lock, flags);
701 }
702
paint_ptr(unsigned long ptr,int color)703 static void paint_ptr(unsigned long ptr, int color)
704 {
705 struct kmemleak_object *object;
706
707 object = find_and_get_object(ptr, 0);
708 if (!object) {
709 kmemleak_warn("Trying to color unknown object "
710 "at 0x%08lx as %s\n", ptr,
711 (color == KMEMLEAK_GREY) ? "Grey" :
712 (color == KMEMLEAK_BLACK) ? "Black" : "Unknown");
713 return;
714 }
715 paint_it(object, color);
716 put_object(object);
717 }
718
719 /*
720 * Mark an object permanently as gray-colored so that it can no longer be
721 * reported as a leak. This is used in general to mark a false positive.
722 */
make_gray_object(unsigned long ptr)723 static void make_gray_object(unsigned long ptr)
724 {
725 paint_ptr(ptr, KMEMLEAK_GREY);
726 }
727
728 /*
729 * Mark the object as black-colored so that it is ignored from scans and
730 * reporting.
731 */
make_black_object(unsigned long ptr)732 static void make_black_object(unsigned long ptr)
733 {
734 paint_ptr(ptr, KMEMLEAK_BLACK);
735 }
736
737 /*
738 * Add a scanning area to the object. If at least one such area is added,
739 * kmemleak will only scan these ranges rather than the whole memory block.
740 */
add_scan_area(unsigned long ptr,size_t size,gfp_t gfp)741 static void add_scan_area(unsigned long ptr, size_t size, gfp_t gfp)
742 {
743 unsigned long flags;
744 struct kmemleak_object *object;
745 struct kmemleak_scan_area *area;
746
747 object = find_and_get_object(ptr, 1);
748 if (!object) {
749 kmemleak_warn("Adding scan area to unknown object at 0x%08lx\n",
750 ptr);
751 return;
752 }
753
754 area = kmem_cache_alloc(scan_area_cache, gfp_kmemleak_mask(gfp));
755 if (!area) {
756 pr_warning("Cannot allocate a scan area\n");
757 goto out;
758 }
759
760 spin_lock_irqsave(&object->lock, flags);
761 if (size == SIZE_MAX) {
762 size = object->pointer + object->size - ptr;
763 } else if (ptr + size > object->pointer + object->size) {
764 kmemleak_warn("Scan area larger than object 0x%08lx\n", ptr);
765 dump_object_info(object);
766 kmem_cache_free(scan_area_cache, area);
767 goto out_unlock;
768 }
769
770 INIT_HLIST_NODE(&area->node);
771 area->start = ptr;
772 area->size = size;
773
774 hlist_add_head(&area->node, &object->area_list);
775 out_unlock:
776 spin_unlock_irqrestore(&object->lock, flags);
777 out:
778 put_object(object);
779 }
780
781 /*
782 * Set the OBJECT_NO_SCAN flag for the object corresponding to the give
783 * pointer. Such object will not be scanned by kmemleak but references to it
784 * are searched.
785 */
object_no_scan(unsigned long ptr)786 static void object_no_scan(unsigned long ptr)
787 {
788 unsigned long flags;
789 struct kmemleak_object *object;
790
791 object = find_and_get_object(ptr, 0);
792 if (!object) {
793 kmemleak_warn("Not scanning unknown object at 0x%08lx\n", ptr);
794 return;
795 }
796
797 spin_lock_irqsave(&object->lock, flags);
798 object->flags |= OBJECT_NO_SCAN;
799 spin_unlock_irqrestore(&object->lock, flags);
800 put_object(object);
801 }
802
803 /*
804 * Log an early kmemleak_* call to the early_log buffer. These calls will be
805 * processed later once kmemleak is fully initialized.
806 */
log_early(int op_type,const void * ptr,size_t size,int min_count)807 static void __init log_early(int op_type, const void *ptr, size_t size,
808 int min_count)
809 {
810 unsigned long flags;
811 struct early_log *log;
812
813 if (kmemleak_error) {
814 /* kmemleak stopped recording, just count the requests */
815 crt_early_log++;
816 return;
817 }
818
819 if (crt_early_log >= ARRAY_SIZE(early_log)) {
820 kmemleak_disable();
821 return;
822 }
823
824 /*
825 * There is no need for locking since the kernel is still in UP mode
826 * at this stage. Disabling the IRQs is enough.
827 */
828 local_irq_save(flags);
829 log = &early_log[crt_early_log];
830 log->op_type = op_type;
831 log->ptr = ptr;
832 log->size = size;
833 log->min_count = min_count;
834 log->trace_len = __save_stack_trace(log->trace);
835 crt_early_log++;
836 local_irq_restore(flags);
837 }
838
839 /*
840 * Log an early allocated block and populate the stack trace.
841 */
early_alloc(struct early_log * log)842 static void early_alloc(struct early_log *log)
843 {
844 struct kmemleak_object *object;
845 unsigned long flags;
846 int i;
847
848 if (!kmemleak_enabled || !log->ptr || IS_ERR(log->ptr))
849 return;
850
851 /*
852 * RCU locking needed to ensure object is not freed via put_object().
853 */
854 rcu_read_lock();
855 object = create_object((unsigned long)log->ptr, log->size,
856 log->min_count, GFP_ATOMIC);
857 if (!object)
858 goto out;
859 spin_lock_irqsave(&object->lock, flags);
860 for (i = 0; i < log->trace_len; i++)
861 object->trace[i] = log->trace[i];
862 object->trace_len = log->trace_len;
863 spin_unlock_irqrestore(&object->lock, flags);
864 out:
865 rcu_read_unlock();
866 }
867
868 /*
869 * Log an early allocated block and populate the stack trace.
870 */
early_alloc_percpu(struct early_log * log)871 static void early_alloc_percpu(struct early_log *log)
872 {
873 unsigned int cpu;
874 const void __percpu *ptr = log->ptr;
875
876 for_each_possible_cpu(cpu) {
877 log->ptr = per_cpu_ptr(ptr, cpu);
878 early_alloc(log);
879 }
880 }
881
882 /**
883 * kmemleak_alloc - register a newly allocated object
884 * @ptr: pointer to beginning of the object
885 * @size: size of the object
886 * @min_count: minimum number of references to this object. If during memory
887 * scanning a number of references less than @min_count is found,
888 * the object is reported as a memory leak. If @min_count is 0,
889 * the object is never reported as a leak. If @min_count is -1,
890 * the object is ignored (not scanned and not reported as a leak)
891 * @gfp: kmalloc() flags used for kmemleak internal memory allocations
892 *
893 * This function is called from the kernel allocators when a new object
894 * (memory block) is allocated (kmem_cache_alloc, kmalloc, vmalloc etc.).
895 */
kmemleak_alloc(const void * ptr,size_t size,int min_count,gfp_t gfp)896 void __ref kmemleak_alloc(const void *ptr, size_t size, int min_count,
897 gfp_t gfp)
898 {
899 pr_debug("%s(0x%p, %zu, %d)\n", __func__, ptr, size, min_count);
900
901 if (kmemleak_enabled && ptr && !IS_ERR(ptr))
902 create_object((unsigned long)ptr, size, min_count, gfp);
903 else if (kmemleak_early_log)
904 log_early(KMEMLEAK_ALLOC, ptr, size, min_count);
905 }
906 EXPORT_SYMBOL_GPL(kmemleak_alloc);
907
908 /**
909 * kmemleak_alloc_percpu - register a newly allocated __percpu object
910 * @ptr: __percpu pointer to beginning of the object
911 * @size: size of the object
912 * @gfp: flags used for kmemleak internal memory allocations
913 *
914 * This function is called from the kernel percpu allocator when a new object
915 * (memory block) is allocated (alloc_percpu).
916 */
kmemleak_alloc_percpu(const void __percpu * ptr,size_t size,gfp_t gfp)917 void __ref kmemleak_alloc_percpu(const void __percpu *ptr, size_t size,
918 gfp_t gfp)
919 {
920 unsigned int cpu;
921
922 pr_debug("%s(0x%p, %zu)\n", __func__, ptr, size);
923
924 /*
925 * Percpu allocations are only scanned and not reported as leaks
926 * (min_count is set to 0).
927 */
928 if (kmemleak_enabled && ptr && !IS_ERR(ptr))
929 for_each_possible_cpu(cpu)
930 create_object((unsigned long)per_cpu_ptr(ptr, cpu),
931 size, 0, gfp);
932 else if (kmemleak_early_log)
933 log_early(KMEMLEAK_ALLOC_PERCPU, ptr, size, 0);
934 }
935 EXPORT_SYMBOL_GPL(kmemleak_alloc_percpu);
936
937 /**
938 * kmemleak_free - unregister a previously registered object
939 * @ptr: pointer to beginning of the object
940 *
941 * This function is called from the kernel allocators when an object (memory
942 * block) is freed (kmem_cache_free, kfree, vfree etc.).
943 */
kmemleak_free(const void * ptr)944 void __ref kmemleak_free(const void *ptr)
945 {
946 pr_debug("%s(0x%p)\n", __func__, ptr);
947
948 if (kmemleak_free_enabled && ptr && !IS_ERR(ptr))
949 delete_object_full((unsigned long)ptr);
950 else if (kmemleak_early_log)
951 log_early(KMEMLEAK_FREE, ptr, 0, 0);
952 }
953 EXPORT_SYMBOL_GPL(kmemleak_free);
954
955 /**
956 * kmemleak_free_part - partially unregister a previously registered object
957 * @ptr: pointer to the beginning or inside the object. This also
958 * represents the start of the range to be freed
959 * @size: size to be unregistered
960 *
961 * This function is called when only a part of a memory block is freed
962 * (usually from the bootmem allocator).
963 */
kmemleak_free_part(const void * ptr,size_t size)964 void __ref kmemleak_free_part(const void *ptr, size_t size)
965 {
966 pr_debug("%s(0x%p)\n", __func__, ptr);
967
968 if (kmemleak_enabled && ptr && !IS_ERR(ptr))
969 delete_object_part((unsigned long)ptr, size);
970 else if (kmemleak_early_log)
971 log_early(KMEMLEAK_FREE_PART, ptr, size, 0);
972 }
973 EXPORT_SYMBOL_GPL(kmemleak_free_part);
974
975 /**
976 * kmemleak_free_percpu - unregister a previously registered __percpu object
977 * @ptr: __percpu pointer to beginning of the object
978 *
979 * This function is called from the kernel percpu allocator when an object
980 * (memory block) is freed (free_percpu).
981 */
kmemleak_free_percpu(const void __percpu * ptr)982 void __ref kmemleak_free_percpu(const void __percpu *ptr)
983 {
984 unsigned int cpu;
985
986 pr_debug("%s(0x%p)\n", __func__, ptr);
987
988 if (kmemleak_free_enabled && ptr && !IS_ERR(ptr))
989 for_each_possible_cpu(cpu)
990 delete_object_full((unsigned long)per_cpu_ptr(ptr,
991 cpu));
992 else if (kmemleak_early_log)
993 log_early(KMEMLEAK_FREE_PERCPU, ptr, 0, 0);
994 }
995 EXPORT_SYMBOL_GPL(kmemleak_free_percpu);
996
997 /**
998 * kmemleak_update_trace - update object allocation stack trace
999 * @ptr: pointer to beginning of the object
1000 *
1001 * Override the object allocation stack trace for cases where the actual
1002 * allocation place is not always useful.
1003 */
kmemleak_update_trace(const void * ptr)1004 void __ref kmemleak_update_trace(const void *ptr)
1005 {
1006 struct kmemleak_object *object;
1007 unsigned long flags;
1008
1009 pr_debug("%s(0x%p)\n", __func__, ptr);
1010
1011 if (!kmemleak_enabled || IS_ERR_OR_NULL(ptr))
1012 return;
1013
1014 object = find_and_get_object((unsigned long)ptr, 1);
1015 if (!object) {
1016 #ifdef DEBUG
1017 kmemleak_warn("Updating stack trace for unknown object at %p\n",
1018 ptr);
1019 #endif
1020 return;
1021 }
1022
1023 spin_lock_irqsave(&object->lock, flags);
1024 object->trace_len = __save_stack_trace(object->trace);
1025 spin_unlock_irqrestore(&object->lock, flags);
1026
1027 put_object(object);
1028 }
1029 EXPORT_SYMBOL(kmemleak_update_trace);
1030
1031 /**
1032 * kmemleak_not_leak - mark an allocated object as false positive
1033 * @ptr: pointer to beginning of the object
1034 *
1035 * Calling this function on an object will cause the memory block to no longer
1036 * be reported as leak and always be scanned.
1037 */
kmemleak_not_leak(const void * ptr)1038 void __ref kmemleak_not_leak(const void *ptr)
1039 {
1040 pr_debug("%s(0x%p)\n", __func__, ptr);
1041
1042 if (kmemleak_enabled && ptr && !IS_ERR(ptr))
1043 make_gray_object((unsigned long)ptr);
1044 else if (kmemleak_early_log)
1045 log_early(KMEMLEAK_NOT_LEAK, ptr, 0, 0);
1046 }
1047 EXPORT_SYMBOL(kmemleak_not_leak);
1048
1049 /**
1050 * kmemleak_ignore - ignore an allocated object
1051 * @ptr: pointer to beginning of the object
1052 *
1053 * Calling this function on an object will cause the memory block to be
1054 * ignored (not scanned and not reported as a leak). This is usually done when
1055 * it is known that the corresponding block is not a leak and does not contain
1056 * any references to other allocated memory blocks.
1057 */
kmemleak_ignore(const void * ptr)1058 void __ref kmemleak_ignore(const void *ptr)
1059 {
1060 pr_debug("%s(0x%p)\n", __func__, ptr);
1061
1062 if (kmemleak_enabled && ptr && !IS_ERR(ptr))
1063 make_black_object((unsigned long)ptr);
1064 else if (kmemleak_early_log)
1065 log_early(KMEMLEAK_IGNORE, ptr, 0, 0);
1066 }
1067 EXPORT_SYMBOL(kmemleak_ignore);
1068
1069 /**
1070 * kmemleak_scan_area - limit the range to be scanned in an allocated object
1071 * @ptr: pointer to beginning or inside the object. This also
1072 * represents the start of the scan area
1073 * @size: size of the scan area
1074 * @gfp: kmalloc() flags used for kmemleak internal memory allocations
1075 *
1076 * This function is used when it is known that only certain parts of an object
1077 * contain references to other objects. Kmemleak will only scan these areas
1078 * reducing the number false negatives.
1079 */
kmemleak_scan_area(const void * ptr,size_t size,gfp_t gfp)1080 void __ref kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp)
1081 {
1082 pr_debug("%s(0x%p)\n", __func__, ptr);
1083
1084 if (kmemleak_enabled && ptr && size && !IS_ERR(ptr))
1085 add_scan_area((unsigned long)ptr, size, gfp);
1086 else if (kmemleak_early_log)
1087 log_early(KMEMLEAK_SCAN_AREA, ptr, size, 0);
1088 }
1089 EXPORT_SYMBOL(kmemleak_scan_area);
1090
1091 /**
1092 * kmemleak_no_scan - do not scan an allocated object
1093 * @ptr: pointer to beginning of the object
1094 *
1095 * This function notifies kmemleak not to scan the given memory block. Useful
1096 * in situations where it is known that the given object does not contain any
1097 * references to other objects. Kmemleak will not scan such objects reducing
1098 * the number of false negatives.
1099 */
kmemleak_no_scan(const void * ptr)1100 void __ref kmemleak_no_scan(const void *ptr)
1101 {
1102 pr_debug("%s(0x%p)\n", __func__, ptr);
1103
1104 if (kmemleak_enabled && ptr && !IS_ERR(ptr))
1105 object_no_scan((unsigned long)ptr);
1106 else if (kmemleak_early_log)
1107 log_early(KMEMLEAK_NO_SCAN, ptr, 0, 0);
1108 }
1109 EXPORT_SYMBOL(kmemleak_no_scan);
1110
1111 /*
1112 * Update an object's checksum and return true if it was modified.
1113 */
update_checksum(struct kmemleak_object * object)1114 static bool update_checksum(struct kmemleak_object *object)
1115 {
1116 u32 old_csum = object->checksum;
1117
1118 if (!kmemcheck_is_obj_initialized(object->pointer, object->size))
1119 return false;
1120
1121 kasan_disable_current();
1122 object->checksum = crc32(0, (void *)object->pointer, object->size);
1123 kasan_enable_current();
1124
1125 return object->checksum != old_csum;
1126 }
1127
1128 /*
1129 * Memory scanning is a long process and it needs to be interruptable. This
1130 * function checks whether such interrupt condition occurred.
1131 */
scan_should_stop(void)1132 static int scan_should_stop(void)
1133 {
1134 if (!kmemleak_enabled)
1135 return 1;
1136
1137 /*
1138 * This function may be called from either process or kthread context,
1139 * hence the need to check for both stop conditions.
1140 */
1141 if (current->mm)
1142 return signal_pending(current);
1143 else
1144 return kthread_should_stop();
1145
1146 return 0;
1147 }
1148
1149 /*
1150 * Scan a memory block (exclusive range) for valid pointers and add those
1151 * found to the gray list.
1152 */
scan_block(void * _start,void * _end,struct kmemleak_object * scanned,int allow_resched)1153 static void scan_block(void *_start, void *_end,
1154 struct kmemleak_object *scanned, int allow_resched)
1155 {
1156 unsigned long *ptr;
1157 unsigned long *start = PTR_ALIGN(_start, BYTES_PER_POINTER);
1158 unsigned long *end = _end - (BYTES_PER_POINTER - 1);
1159
1160 for (ptr = start; ptr < end; ptr++) {
1161 struct kmemleak_object *object;
1162 unsigned long flags;
1163 unsigned long pointer;
1164
1165 if (allow_resched)
1166 cond_resched();
1167 if (scan_should_stop())
1168 break;
1169
1170 /* don't scan uninitialized memory */
1171 if (!kmemcheck_is_obj_initialized((unsigned long)ptr,
1172 BYTES_PER_POINTER))
1173 continue;
1174
1175 kasan_disable_current();
1176 pointer = *ptr;
1177 kasan_enable_current();
1178
1179 object = find_and_get_object(pointer, 1);
1180 if (!object)
1181 continue;
1182 if (object == scanned) {
1183 /* self referenced, ignore */
1184 put_object(object);
1185 continue;
1186 }
1187
1188 /*
1189 * Avoid the lockdep recursive warning on object->lock being
1190 * previously acquired in scan_object(). These locks are
1191 * enclosed by scan_mutex.
1192 */
1193 spin_lock_irqsave_nested(&object->lock, flags,
1194 SINGLE_DEPTH_NESTING);
1195 if (!color_white(object)) {
1196 /* non-orphan, ignored or new */
1197 spin_unlock_irqrestore(&object->lock, flags);
1198 put_object(object);
1199 continue;
1200 }
1201
1202 /*
1203 * Increase the object's reference count (number of pointers
1204 * to the memory block). If this count reaches the required
1205 * minimum, the object's color will become gray and it will be
1206 * added to the gray_list.
1207 */
1208 object->count++;
1209 if (color_gray(object)) {
1210 list_add_tail(&object->gray_list, &gray_list);
1211 spin_unlock_irqrestore(&object->lock, flags);
1212 continue;
1213 }
1214
1215 spin_unlock_irqrestore(&object->lock, flags);
1216 put_object(object);
1217 }
1218 }
1219
1220 /*
1221 * Scan a memory block corresponding to a kmemleak_object. A condition is
1222 * that object->use_count >= 1.
1223 */
scan_object(struct kmemleak_object * object)1224 static void scan_object(struct kmemleak_object *object)
1225 {
1226 struct kmemleak_scan_area *area;
1227 unsigned long flags;
1228
1229 /*
1230 * Once the object->lock is acquired, the corresponding memory block
1231 * cannot be freed (the same lock is acquired in delete_object).
1232 */
1233 spin_lock_irqsave(&object->lock, flags);
1234 if (object->flags & OBJECT_NO_SCAN)
1235 goto out;
1236 if (!(object->flags & OBJECT_ALLOCATED))
1237 /* already freed object */
1238 goto out;
1239 if (hlist_empty(&object->area_list)) {
1240 void *start = (void *)object->pointer;
1241 void *end = (void *)(object->pointer + object->size);
1242
1243 while (start < end && (object->flags & OBJECT_ALLOCATED) &&
1244 !(object->flags & OBJECT_NO_SCAN)) {
1245 scan_block(start, min(start + MAX_SCAN_SIZE, end),
1246 object, 0);
1247 start += MAX_SCAN_SIZE;
1248
1249 spin_unlock_irqrestore(&object->lock, flags);
1250 cond_resched();
1251 spin_lock_irqsave(&object->lock, flags);
1252 }
1253 } else
1254 hlist_for_each_entry(area, &object->area_list, node)
1255 scan_block((void *)area->start,
1256 (void *)(area->start + area->size),
1257 object, 0);
1258 out:
1259 spin_unlock_irqrestore(&object->lock, flags);
1260 }
1261
1262 /*
1263 * Scan the objects already referenced (gray objects). More objects will be
1264 * referenced and, if there are no memory leaks, all the objects are scanned.
1265 */
scan_gray_list(void)1266 static void scan_gray_list(void)
1267 {
1268 struct kmemleak_object *object, *tmp;
1269
1270 /*
1271 * The list traversal is safe for both tail additions and removals
1272 * from inside the loop. The kmemleak objects cannot be freed from
1273 * outside the loop because their use_count was incremented.
1274 */
1275 object = list_entry(gray_list.next, typeof(*object), gray_list);
1276 while (&object->gray_list != &gray_list) {
1277 cond_resched();
1278
1279 /* may add new objects to the list */
1280 if (!scan_should_stop())
1281 scan_object(object);
1282
1283 tmp = list_entry(object->gray_list.next, typeof(*object),
1284 gray_list);
1285
1286 /* remove the object from the list and release it */
1287 list_del(&object->gray_list);
1288 put_object(object);
1289
1290 object = tmp;
1291 }
1292 WARN_ON(!list_empty(&gray_list));
1293 }
1294
1295 /*
1296 * Scan data sections and all the referenced memory blocks allocated via the
1297 * kernel's standard allocators. This function must be called with the
1298 * scan_mutex held.
1299 */
kmemleak_scan(void)1300 static void kmemleak_scan(void)
1301 {
1302 unsigned long flags;
1303 struct kmemleak_object *object;
1304 int i;
1305 int new_leaks = 0;
1306
1307 jiffies_last_scan = jiffies;
1308
1309 /* prepare the kmemleak_object's */
1310 rcu_read_lock();
1311 list_for_each_entry_rcu(object, &object_list, object_list) {
1312 spin_lock_irqsave(&object->lock, flags);
1313 #ifdef DEBUG
1314 /*
1315 * With a few exceptions there should be a maximum of
1316 * 1 reference to any object at this point.
1317 */
1318 if (atomic_read(&object->use_count) > 1) {
1319 pr_debug("object->use_count = %d\n",
1320 atomic_read(&object->use_count));
1321 dump_object_info(object);
1322 }
1323 #endif
1324 /* reset the reference count (whiten the object) */
1325 object->count = 0;
1326 if (color_gray(object) && get_object(object))
1327 list_add_tail(&object->gray_list, &gray_list);
1328
1329 spin_unlock_irqrestore(&object->lock, flags);
1330 }
1331 rcu_read_unlock();
1332
1333 /* data/bss scanning */
1334 scan_block(_sdata, _edata, NULL, 1);
1335 scan_block(__bss_start, __bss_stop, NULL, 1);
1336
1337 #ifdef CONFIG_SMP
1338 /* per-cpu sections scanning */
1339 for_each_possible_cpu(i)
1340 scan_block(__per_cpu_start + per_cpu_offset(i),
1341 __per_cpu_end + per_cpu_offset(i), NULL, 1);
1342 #endif
1343
1344 /*
1345 * Struct page scanning for each node.
1346 */
1347 get_online_mems();
1348 for_each_online_node(i) {
1349 unsigned long start_pfn = node_start_pfn(i);
1350 unsigned long end_pfn = node_end_pfn(i);
1351 unsigned long pfn;
1352
1353 for (pfn = start_pfn; pfn < end_pfn; pfn++) {
1354 struct page *page;
1355
1356 if (!pfn_valid(pfn))
1357 continue;
1358 page = pfn_to_page(pfn);
1359 /* only scan if page is in use */
1360 if (page_count(page) == 0)
1361 continue;
1362 scan_block(page, page + 1, NULL, 1);
1363 }
1364 }
1365 put_online_mems();
1366
1367 /*
1368 * Scanning the task stacks (may introduce false negatives).
1369 */
1370 if (kmemleak_stack_scan) {
1371 struct task_struct *p, *g;
1372
1373 read_lock(&tasklist_lock);
1374 do_each_thread(g, p) {
1375 scan_block(task_stack_page(p), task_stack_page(p) +
1376 THREAD_SIZE, NULL, 0);
1377 } while_each_thread(g, p);
1378 read_unlock(&tasklist_lock);
1379 }
1380
1381 /*
1382 * Scan the objects already referenced from the sections scanned
1383 * above.
1384 */
1385 scan_gray_list();
1386
1387 /*
1388 * Check for new or unreferenced objects modified since the previous
1389 * scan and color them gray until the next scan.
1390 */
1391 rcu_read_lock();
1392 list_for_each_entry_rcu(object, &object_list, object_list) {
1393 spin_lock_irqsave(&object->lock, flags);
1394 if (color_white(object) && (object->flags & OBJECT_ALLOCATED)
1395 && update_checksum(object) && get_object(object)) {
1396 /* color it gray temporarily */
1397 object->count = object->min_count;
1398 list_add_tail(&object->gray_list, &gray_list);
1399 }
1400 spin_unlock_irqrestore(&object->lock, flags);
1401 }
1402 rcu_read_unlock();
1403
1404 /*
1405 * Re-scan the gray list for modified unreferenced objects.
1406 */
1407 scan_gray_list();
1408
1409 /*
1410 * If scanning was stopped do not report any new unreferenced objects.
1411 */
1412 if (scan_should_stop())
1413 return;
1414
1415 /*
1416 * Scanning result reporting.
1417 */
1418 rcu_read_lock();
1419 list_for_each_entry_rcu(object, &object_list, object_list) {
1420 spin_lock_irqsave(&object->lock, flags);
1421 if (unreferenced_object(object) &&
1422 !(object->flags & OBJECT_REPORTED)) {
1423 object->flags |= OBJECT_REPORTED;
1424 new_leaks++;
1425 }
1426 spin_unlock_irqrestore(&object->lock, flags);
1427 }
1428 rcu_read_unlock();
1429
1430 if (new_leaks) {
1431 kmemleak_found_leaks = true;
1432
1433 pr_info("%d new suspected memory leaks (see "
1434 "/sys/kernel/debug/kmemleak)\n", new_leaks);
1435 }
1436
1437 }
1438
1439 /*
1440 * Thread function performing automatic memory scanning. Unreferenced objects
1441 * at the end of a memory scan are reported but only the first time.
1442 */
kmemleak_scan_thread(void * arg)1443 static int kmemleak_scan_thread(void *arg)
1444 {
1445 static int first_run = 1;
1446
1447 pr_info("Automatic memory scanning thread started\n");
1448 set_user_nice(current, 10);
1449
1450 /*
1451 * Wait before the first scan to allow the system to fully initialize.
1452 */
1453 if (first_run) {
1454 first_run = 0;
1455 ssleep(SECS_FIRST_SCAN);
1456 }
1457
1458 while (!kthread_should_stop()) {
1459 signed long timeout = jiffies_scan_wait;
1460
1461 mutex_lock(&scan_mutex);
1462 kmemleak_scan();
1463 mutex_unlock(&scan_mutex);
1464
1465 /* wait before the next scan */
1466 while (timeout && !kthread_should_stop())
1467 timeout = schedule_timeout_interruptible(timeout);
1468 }
1469
1470 pr_info("Automatic memory scanning thread ended\n");
1471
1472 return 0;
1473 }
1474
1475 /*
1476 * Start the automatic memory scanning thread. This function must be called
1477 * with the scan_mutex held.
1478 */
start_scan_thread(void)1479 static void start_scan_thread(void)
1480 {
1481 if (scan_thread)
1482 return;
1483 scan_thread = kthread_run(kmemleak_scan_thread, NULL, "kmemleak");
1484 if (IS_ERR(scan_thread)) {
1485 pr_warning("Failed to create the scan thread\n");
1486 scan_thread = NULL;
1487 }
1488 }
1489
1490 /*
1491 * Stop the automatic memory scanning thread. This function must be called
1492 * with the scan_mutex held.
1493 */
stop_scan_thread(void)1494 static void stop_scan_thread(void)
1495 {
1496 if (scan_thread) {
1497 kthread_stop(scan_thread);
1498 scan_thread = NULL;
1499 }
1500 }
1501
1502 /*
1503 * Iterate over the object_list and return the first valid object at or after
1504 * the required position with its use_count incremented. The function triggers
1505 * a memory scanning when the pos argument points to the first position.
1506 */
kmemleak_seq_start(struct seq_file * seq,loff_t * pos)1507 static void *kmemleak_seq_start(struct seq_file *seq, loff_t *pos)
1508 {
1509 struct kmemleak_object *object;
1510 loff_t n = *pos;
1511 int err;
1512
1513 err = mutex_lock_interruptible(&scan_mutex);
1514 if (err < 0)
1515 return ERR_PTR(err);
1516
1517 rcu_read_lock();
1518 list_for_each_entry_rcu(object, &object_list, object_list) {
1519 if (n-- > 0)
1520 continue;
1521 if (get_object(object))
1522 goto out;
1523 }
1524 object = NULL;
1525 out:
1526 return object;
1527 }
1528
1529 /*
1530 * Return the next object in the object_list. The function decrements the
1531 * use_count of the previous object and increases that of the next one.
1532 */
kmemleak_seq_next(struct seq_file * seq,void * v,loff_t * pos)1533 static void *kmemleak_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1534 {
1535 struct kmemleak_object *prev_obj = v;
1536 struct kmemleak_object *next_obj = NULL;
1537 struct kmemleak_object *obj = prev_obj;
1538
1539 ++(*pos);
1540
1541 list_for_each_entry_continue_rcu(obj, &object_list, object_list) {
1542 if (get_object(obj)) {
1543 next_obj = obj;
1544 break;
1545 }
1546 }
1547
1548 put_object(prev_obj);
1549 return next_obj;
1550 }
1551
1552 /*
1553 * Decrement the use_count of the last object required, if any.
1554 */
kmemleak_seq_stop(struct seq_file * seq,void * v)1555 static void kmemleak_seq_stop(struct seq_file *seq, void *v)
1556 {
1557 if (!IS_ERR(v)) {
1558 /*
1559 * kmemleak_seq_start may return ERR_PTR if the scan_mutex
1560 * waiting was interrupted, so only release it if !IS_ERR.
1561 */
1562 rcu_read_unlock();
1563 mutex_unlock(&scan_mutex);
1564 if (v)
1565 put_object(v);
1566 }
1567 }
1568
1569 /*
1570 * Print the information for an unreferenced object to the seq file.
1571 */
kmemleak_seq_show(struct seq_file * seq,void * v)1572 static int kmemleak_seq_show(struct seq_file *seq, void *v)
1573 {
1574 struct kmemleak_object *object = v;
1575 unsigned long flags;
1576
1577 spin_lock_irqsave(&object->lock, flags);
1578 if ((object->flags & OBJECT_REPORTED) && unreferenced_object(object))
1579 print_unreferenced(seq, object);
1580 spin_unlock_irqrestore(&object->lock, flags);
1581 return 0;
1582 }
1583
1584 static const struct seq_operations kmemleak_seq_ops = {
1585 .start = kmemleak_seq_start,
1586 .next = kmemleak_seq_next,
1587 .stop = kmemleak_seq_stop,
1588 .show = kmemleak_seq_show,
1589 };
1590
kmemleak_open(struct inode * inode,struct file * file)1591 static int kmemleak_open(struct inode *inode, struct file *file)
1592 {
1593 return seq_open(file, &kmemleak_seq_ops);
1594 }
1595
dump_str_object_info(const char * str)1596 static int dump_str_object_info(const char *str)
1597 {
1598 unsigned long flags;
1599 struct kmemleak_object *object;
1600 unsigned long addr;
1601
1602 if (kstrtoul(str, 0, &addr))
1603 return -EINVAL;
1604 object = find_and_get_object(addr, 0);
1605 if (!object) {
1606 pr_info("Unknown object at 0x%08lx\n", addr);
1607 return -EINVAL;
1608 }
1609
1610 spin_lock_irqsave(&object->lock, flags);
1611 dump_object_info(object);
1612 spin_unlock_irqrestore(&object->lock, flags);
1613
1614 put_object(object);
1615 return 0;
1616 }
1617
1618 /*
1619 * We use grey instead of black to ensure we can do future scans on the same
1620 * objects. If we did not do future scans these black objects could
1621 * potentially contain references to newly allocated objects in the future and
1622 * we'd end up with false positives.
1623 */
kmemleak_clear(void)1624 static void kmemleak_clear(void)
1625 {
1626 struct kmemleak_object *object;
1627 unsigned long flags;
1628
1629 rcu_read_lock();
1630 list_for_each_entry_rcu(object, &object_list, object_list) {
1631 spin_lock_irqsave(&object->lock, flags);
1632 if ((object->flags & OBJECT_REPORTED) &&
1633 unreferenced_object(object))
1634 __paint_it(object, KMEMLEAK_GREY);
1635 spin_unlock_irqrestore(&object->lock, flags);
1636 }
1637 rcu_read_unlock();
1638
1639 kmemleak_found_leaks = false;
1640 }
1641
1642 static void __kmemleak_do_cleanup(void);
1643
1644 /*
1645 * File write operation to configure kmemleak at run-time. The following
1646 * commands can be written to the /sys/kernel/debug/kmemleak file:
1647 * off - disable kmemleak (irreversible)
1648 * stack=on - enable the task stacks scanning
1649 * stack=off - disable the tasks stacks scanning
1650 * scan=on - start the automatic memory scanning thread
1651 * scan=off - stop the automatic memory scanning thread
1652 * scan=... - set the automatic memory scanning period in seconds (0 to
1653 * disable it)
1654 * scan - trigger a memory scan
1655 * clear - mark all current reported unreferenced kmemleak objects as
1656 * grey to ignore printing them, or free all kmemleak objects
1657 * if kmemleak has been disabled.
1658 * dump=... - dump information about the object found at the given address
1659 */
kmemleak_write(struct file * file,const char __user * user_buf,size_t size,loff_t * ppos)1660 static ssize_t kmemleak_write(struct file *file, const char __user *user_buf,
1661 size_t size, loff_t *ppos)
1662 {
1663 char buf[64];
1664 int buf_size;
1665 int ret;
1666
1667 buf_size = min(size, (sizeof(buf) - 1));
1668 if (strncpy_from_user(buf, user_buf, buf_size) < 0)
1669 return -EFAULT;
1670 buf[buf_size] = 0;
1671
1672 ret = mutex_lock_interruptible(&scan_mutex);
1673 if (ret < 0)
1674 return ret;
1675
1676 if (strncmp(buf, "clear", 5) == 0) {
1677 if (kmemleak_enabled)
1678 kmemleak_clear();
1679 else
1680 __kmemleak_do_cleanup();
1681 goto out;
1682 }
1683
1684 if (!kmemleak_enabled) {
1685 ret = -EBUSY;
1686 goto out;
1687 }
1688
1689 if (strncmp(buf, "off", 3) == 0)
1690 kmemleak_disable();
1691 else if (strncmp(buf, "stack=on", 8) == 0)
1692 kmemleak_stack_scan = 1;
1693 else if (strncmp(buf, "stack=off", 9) == 0)
1694 kmemleak_stack_scan = 0;
1695 else if (strncmp(buf, "scan=on", 7) == 0)
1696 start_scan_thread();
1697 else if (strncmp(buf, "scan=off", 8) == 0)
1698 stop_scan_thread();
1699 else if (strncmp(buf, "scan=", 5) == 0) {
1700 unsigned long secs;
1701
1702 ret = kstrtoul(buf + 5, 0, &secs);
1703 if (ret < 0)
1704 goto out;
1705 stop_scan_thread();
1706 if (secs) {
1707 jiffies_scan_wait = msecs_to_jiffies(secs * 1000);
1708 start_scan_thread();
1709 }
1710 } else if (strncmp(buf, "scan", 4) == 0)
1711 kmemleak_scan();
1712 else if (strncmp(buf, "dump=", 5) == 0)
1713 ret = dump_str_object_info(buf + 5);
1714 else
1715 ret = -EINVAL;
1716
1717 out:
1718 mutex_unlock(&scan_mutex);
1719 if (ret < 0)
1720 return ret;
1721
1722 /* ignore the rest of the buffer, only one command at a time */
1723 *ppos += size;
1724 return size;
1725 }
1726
1727 static const struct file_operations kmemleak_fops = {
1728 .owner = THIS_MODULE,
1729 .open = kmemleak_open,
1730 .read = seq_read,
1731 .write = kmemleak_write,
1732 .llseek = seq_lseek,
1733 .release = seq_release,
1734 };
1735
__kmemleak_do_cleanup(void)1736 static void __kmemleak_do_cleanup(void)
1737 {
1738 struct kmemleak_object *object;
1739
1740 rcu_read_lock();
1741 list_for_each_entry_rcu(object, &object_list, object_list)
1742 delete_object_full(object->pointer);
1743 rcu_read_unlock();
1744 }
1745
1746 /*
1747 * Stop the memory scanning thread and free the kmemleak internal objects if
1748 * no previous scan thread (otherwise, kmemleak may still have some useful
1749 * information on memory leaks).
1750 */
kmemleak_do_cleanup(struct work_struct * work)1751 static void kmemleak_do_cleanup(struct work_struct *work)
1752 {
1753 mutex_lock(&scan_mutex);
1754 stop_scan_thread();
1755
1756 /*
1757 * Once the scan thread has stopped, it is safe to no longer track
1758 * object freeing. Ordering of the scan thread stopping and the memory
1759 * accesses below is guaranteed by the kthread_stop() function.
1760 */
1761 kmemleak_free_enabled = 0;
1762
1763 if (!kmemleak_found_leaks)
1764 __kmemleak_do_cleanup();
1765 else
1766 pr_info("Kmemleak disabled without freeing internal data. "
1767 "Reclaim the memory with \"echo clear > /sys/kernel/debug/kmemleak\"\n");
1768 mutex_unlock(&scan_mutex);
1769 }
1770
1771 static DECLARE_WORK(cleanup_work, kmemleak_do_cleanup);
1772
1773 /*
1774 * Disable kmemleak. No memory allocation/freeing will be traced once this
1775 * function is called. Disabling kmemleak is an irreversible operation.
1776 */
kmemleak_disable(void)1777 static void kmemleak_disable(void)
1778 {
1779 /* atomically check whether it was already invoked */
1780 if (cmpxchg(&kmemleak_error, 0, 1))
1781 return;
1782
1783 /* stop any memory operation tracing */
1784 kmemleak_enabled = 0;
1785
1786 /* check whether it is too early for a kernel thread */
1787 if (kmemleak_initialized)
1788 schedule_work(&cleanup_work);
1789 else
1790 kmemleak_free_enabled = 0;
1791
1792 pr_info("Kernel memory leak detector disabled\n");
1793 }
1794
1795 /*
1796 * Allow boot-time kmemleak disabling (enabled by default).
1797 */
kmemleak_boot_config(char * str)1798 static int kmemleak_boot_config(char *str)
1799 {
1800 if (!str)
1801 return -EINVAL;
1802 if (strcmp(str, "off") == 0)
1803 kmemleak_disable();
1804 else if (strcmp(str, "on") == 0)
1805 kmemleak_skip_disable = 1;
1806 else
1807 return -EINVAL;
1808 return 0;
1809 }
1810 early_param("kmemleak", kmemleak_boot_config);
1811
print_log_trace(struct early_log * log)1812 static void __init print_log_trace(struct early_log *log)
1813 {
1814 struct stack_trace trace;
1815
1816 trace.nr_entries = log->trace_len;
1817 trace.entries = log->trace;
1818
1819 pr_notice("Early log backtrace:\n");
1820 print_stack_trace(&trace, 2);
1821 }
1822
1823 /*
1824 * Kmemleak initialization.
1825 */
kmemleak_init(void)1826 void __init kmemleak_init(void)
1827 {
1828 int i;
1829 unsigned long flags;
1830
1831 #ifdef CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF
1832 if (!kmemleak_skip_disable) {
1833 kmemleak_early_log = 0;
1834 kmemleak_disable();
1835 return;
1836 }
1837 #endif
1838
1839 jiffies_min_age = msecs_to_jiffies(MSECS_MIN_AGE);
1840 jiffies_scan_wait = msecs_to_jiffies(SECS_SCAN_WAIT * 1000);
1841
1842 object_cache = KMEM_CACHE(kmemleak_object, SLAB_NOLEAKTRACE);
1843 scan_area_cache = KMEM_CACHE(kmemleak_scan_area, SLAB_NOLEAKTRACE);
1844
1845 if (crt_early_log >= ARRAY_SIZE(early_log))
1846 pr_warning("Early log buffer exceeded (%d), please increase "
1847 "DEBUG_KMEMLEAK_EARLY_LOG_SIZE\n", crt_early_log);
1848
1849 /* the kernel is still in UP mode, so disabling the IRQs is enough */
1850 local_irq_save(flags);
1851 kmemleak_early_log = 0;
1852 if (kmemleak_error) {
1853 local_irq_restore(flags);
1854 return;
1855 } else {
1856 kmemleak_enabled = 1;
1857 kmemleak_free_enabled = 1;
1858 }
1859 local_irq_restore(flags);
1860
1861 /*
1862 * This is the point where tracking allocations is safe. Automatic
1863 * scanning is started during the late initcall. Add the early logged
1864 * callbacks to the kmemleak infrastructure.
1865 */
1866 for (i = 0; i < crt_early_log; i++) {
1867 struct early_log *log = &early_log[i];
1868
1869 switch (log->op_type) {
1870 case KMEMLEAK_ALLOC:
1871 early_alloc(log);
1872 break;
1873 case KMEMLEAK_ALLOC_PERCPU:
1874 early_alloc_percpu(log);
1875 break;
1876 case KMEMLEAK_FREE:
1877 kmemleak_free(log->ptr);
1878 break;
1879 case KMEMLEAK_FREE_PART:
1880 kmemleak_free_part(log->ptr, log->size);
1881 break;
1882 case KMEMLEAK_FREE_PERCPU:
1883 kmemleak_free_percpu(log->ptr);
1884 break;
1885 case KMEMLEAK_NOT_LEAK:
1886 kmemleak_not_leak(log->ptr);
1887 break;
1888 case KMEMLEAK_IGNORE:
1889 kmemleak_ignore(log->ptr);
1890 break;
1891 case KMEMLEAK_SCAN_AREA:
1892 kmemleak_scan_area(log->ptr, log->size, GFP_KERNEL);
1893 break;
1894 case KMEMLEAK_NO_SCAN:
1895 kmemleak_no_scan(log->ptr);
1896 break;
1897 default:
1898 kmemleak_warn("Unknown early log operation: %d\n",
1899 log->op_type);
1900 }
1901
1902 if (kmemleak_warning) {
1903 print_log_trace(log);
1904 kmemleak_warning = 0;
1905 }
1906 }
1907 }
1908
1909 /*
1910 * Late initialization function.
1911 */
kmemleak_late_init(void)1912 static int __init kmemleak_late_init(void)
1913 {
1914 struct dentry *dentry;
1915
1916 kmemleak_initialized = 1;
1917
1918 if (kmemleak_error) {
1919 /*
1920 * Some error occurred and kmemleak was disabled. There is a
1921 * small chance that kmemleak_disable() was called immediately
1922 * after setting kmemleak_initialized and we may end up with
1923 * two clean-up threads but serialized by scan_mutex.
1924 */
1925 schedule_work(&cleanup_work);
1926 return -ENOMEM;
1927 }
1928
1929 dentry = debugfs_create_file("kmemleak", S_IRUGO, NULL, NULL,
1930 &kmemleak_fops);
1931 if (!dentry)
1932 pr_warning("Failed to create the debugfs kmemleak file\n");
1933 mutex_lock(&scan_mutex);
1934 start_scan_thread();
1935 mutex_unlock(&scan_mutex);
1936
1937 pr_info("Kernel memory leak detector initialized\n");
1938
1939 return 0;
1940 }
1941 late_initcall(kmemleak_late_init);
1942