1 files changed, 314 insertions, 0 deletions
diff --git a/Documentation/core-api/debug-objects.rst b/Documentation/core-api/debug-objects.rst
new file mode 100644
index 000000000000..50a9707addfe
--- /dev/null
+++ b/Documentation/core-api/debug-objects.rst
@@ -0,0 +1,314 @@
+============================================
+The object-lifetime debugging infrastructure
+============================================
+:Author: Thomas Gleixner
+Introduction
+============
+debugobjects is a generic infrastructure to track the life time of
+kernel objects and validate the operations on those.
+debugobjects is useful to check for the following error patterns:
+-  Activation of uninitialized objects
+-  Initialization of active objects
+-  Usage of freed/destroyed objects
+debugobjects is not changing the data structure of the real object so it
+can be compiled in with a minimal runtime impact and enabled on demand
+with a kernel command line option.
+Howto use debugobjects
+======================
+A kernel subsystem needs to provide a data structure which describes the
+object type and add calls into the debug code at appropriate places. The
+data structure to describe the object type needs at minimum the name of
+the object type. Optional functions can and should be provided to fixup
+detected problems so the kernel can continue to work and the debug
+information can be retrieved from a live system instead of hard core
+debugging with serial consoles and stack trace transcripts from the
+monitor.
+The debug calls provided by debugobjects are:
+-  debug_object_init
+-  debug_object_init_on_stack
+-  debug_object_activate
+-  debug_object_deactivate
+-  debug_object_destroy
+-  debug_object_free
+-  debug_object_assert_init
+Each of these functions takes the address of the real object and a
+pointer to the object type specific debug description structure.
+Each detected error is reported in the statistics and a limited number
+of errors are printk'ed including a full stack trace.
+The statistics are available via /sys/kernel/debug/debug_objects/stats.
+They provide information about the number of warnings and the number of
+successful fixups along with information about the usage of the internal
+tracking objects and the state of the internal tracking objects pool.
+Debug functions
+===============
+Debug object function reference
+-------------------------------
+.. kernel-doc:: lib/debugobjects.c
+   :export:
+debug_object_init
+-------------------
+This function is called whenever the initialization function of a real
+object is called.
+When the real object is already tracked by debugobjects it is checked,
+whether the object can be initialized. Initializing is not allowed for
+active and destroyed objects. When debugobjects detects an error, then
+it calls the fixup_init function of the object type description
+structure if provided by the caller. The fixup function can correct the
+problem before the real initialization of the object happens. E.g. it
+can deactivate an active object in order to prevent damage to the
+subsystem.
+When the real object is not yet tracked by debugobjects, debugobjects
+allocates a tracker object for the real object and sets the tracker
+object state to ODEBUG_STATE_INIT. It verifies that the object is not
+on the callers stack. If it is on the callers stack then a limited
+number of warnings including a full stack trace is printk'ed. The
+calling code must use debug_object_init_on_stack() and remove the
+object before leaving the function which allocated it. See next section.
+debug_object_init_on_stack
+------------------------------
+This function is called whenever the initialization function of a real
+object which resides on the stack is called.
+When the real object is already tracked by debugobjects it is checked,
+whether the object can be initialized. Initializing is not allowed for
+active and destroyed objects. When debugobjects detects an error, then
+it calls the fixup_init function of the object type description
+structure if provided by the caller. The fixup function can correct the
+problem before the real initialization of the object happens. E.g. it
+can deactivate an active object in order to prevent damage to the
+subsystem.
+When the real object is not yet tracked by debugobjects debugobjects
+allocates a tracker object for the real object and sets the tracker
+object state to ODEBUG_STATE_INIT. It verifies that the object is on
+the callers stack.
+An object which is on the stack must be removed from the tracker by
+calling debug_object_free() before the function which allocates the
+object returns. Otherwise we keep track of stale objects.
+debug_object_activate
+-----------------------
+This function is called whenever the activation function of a real
+object is called.
+When the real object is already tracked by debugobjects it is checked,
+whether the object can be activated. Activating is not allowed for
+active and destroyed objects. When debugobjects detects an error, then
+it calls the fixup_activate function of the object type description
+structure if provided by the caller. The fixup function can correct the
+problem before the real activation of the object happens. E.g. it can
+deactivate an active object in order to prevent damage to the subsystem.
+When the real object is not yet tracked by debugobjects then the
+fixup_activate function is called if available. This is necessary to
+allow the legitimate activation of statically allocated and initialized
+objects. The fixup function checks whether the object is valid and calls
+the debug_objects_init() function to initialize the tracking of this
+object.
+When the activation is legitimate, then the state of the associated
+tracker object is set to ODEBUG_STATE_ACTIVE.
+debug_object_deactivate
+-------------------------
+This function is called whenever the deactivation function of a real
+object is called.
+When the real object is tracked by debugobjects it is checked, whether
+the object can be deactivated. Deactivating is not allowed for untracked
+or destroyed objects.
+When the deactivation is legitimate, then the state of the associated
+tracker object is set to ODEBUG_STATE_INACTIVE.
+debug_object_destroy
+----------------------
+This function is called to mark an object destroyed. This is useful to
+prevent the usage of invalid objects, which are still available in
+memory: either statically allocated objects or objects which are freed
+later.
+When the real object is tracked by debugobjects it is checked, whether
+the object can be destroyed. Destruction is not allowed for active and
+destroyed objects. When debugobjects detects an error, then it calls the
+fixup_destroy function of the object type description structure if
+provided by the caller. The fixup function can correct the problem
+before the real destruction of the object happens. E.g. it can
+deactivate an active object in order to prevent damage to the subsystem.
+When the destruction is legitimate, then the state of the associated
+tracker object is set to ODEBUG_STATE_DESTROYED.
+debug_object_free
+-------------------
+This function is called before an object is freed.
+When the real object is tracked by debugobjects it is checked, whether
+the object can be freed. Free is not allowed for active objects. When
+debugobjects detects an error, then it calls the fixup_free function of
+the object type description structure if provided by the caller. The
+fixup function can correct the problem before the real free of the
+object happens. E.g. it can deactivate an active object in order to
+prevent damage to the subsystem.
+Note that debug_object_free removes the object from the tracker. Later
+usage of the object is detected by the other debug checks.
+debug_object_assert_init
+---------------------------
+This function is called to assert that an object has been initialized.
+When the real object is not tracked by debugobjects, it calls
+fixup_assert_init of the object type description structure provided by
+the caller, with the hardcoded object state ODEBUG_NOT_AVAILABLE. The
+fixup function can correct the problem by calling debug_object_init
+and other specific initializing functions.
+When the real object is already tracked by debugobjects it is ignored.
+Fixup functions
+===============
+Debug object type description structure
+---------------------------------------
+.. kernel-doc:: include/linux/debugobjects.h
+   :internal:
+fixup_init
+-----------
+This function is called from the debug code whenever a problem in
+debug_object_init is detected. The function takes the address of the
+object and the state which is currently recorded in the tracker.
+Called from debug_object_init when the object state is:
+-  ODEBUG_STATE_ACTIVE
+The function returns true when the fixup was successful, otherwise
+false. The return value is used to update the statistics.
+Note, that the function needs to call the debug_object_init() function
+again, after the damage has been repaired in order to keep the state
+consistent.
+fixup_activate
+---------------
+This function is called from the debug code whenever a problem in
+debug_object_activate is detected.
+Called from debug_object_activate when the object state is:
+-  ODEBUG_STATE_NOTAVAILABLE
+-  ODEBUG_STATE_ACTIVE
+The function returns true when the fixup was successful, otherwise
+false. The return value is used to update the statistics.
+Note that the function needs to call the debug_object_activate()
+function again after the damage has been repaired in order to keep the
+state consistent.
+The activation of statically initialized objects is a special case. When
+debug_object_activate() has no tracked object for this object address
+then fixup_activate() is called with object state
+ODEBUG_STATE_NOTAVAILABLE. The fixup function needs to check whether
+this is a legitimate case of a statically initialized object or not. In
+case it is it calls debug_object_init() and debug_object_activate()
+to make the object known to the tracker and marked active. In this case
+the function should return false because this is not a real fixup.
+fixup_destroy
+--------------
+This function is called from the debug code whenever a problem in
+debug_object_destroy is detected.
+Called from debug_object_destroy when the object state is:
+-  ODEBUG_STATE_ACTIVE
+The function returns true when the fixup was successful, otherwise
+false. The return value is used to update the statistics.
+fixup_free
+-----------
+This function is called from the debug code whenever a problem in
+debug_object_free is detected. Further it can be called from the debug
+checks in kfree/vfree, when an active object is detected from the
+debug_check_no_obj_freed() sanity checks.
+Called from debug_object_free() or debug_check_no_obj_freed() when
+the object state is:
+-  ODEBUG_STATE_ACTIVE
+The function returns true when the fixup was successful, otherwise
+false. The return value is used to update the statistics.
+fixup_assert_init
+-------------------
+This function is called from the debug code whenever a problem in
+debug_object_assert_init is detected.
+Called from debug_object_assert_init() with a hardcoded state
+ODEBUG_STATE_NOTAVAILABLE when the object is not found in the debug
+bucket.
+The function returns true when the fixup was successful, otherwise
+false. The return value is used to update the statistics.
+Note, this function should make sure debug_object_init() is called
+before returning.
+The handling of statically initialized objects is a special case. The
+fixup function should check if this is a legitimate case of a statically
+initialized object or not. In this case only debug_object_init()
+should be called to make the object known to the tracker. Then the
+function should return false because this is not a real fixup.
+Known Bugs And Assumptions
+==========================
+None (knock on wood).

diff --git a/Documentation/core-api/debug-objects.rst b/Documentation/core-api/debug-objects.rst new file mode 100644 index 000000000000..50a9707addfe --- /dev/null +++ b/Documentation/core-api/debug-objects.rst
@@ -0,0 +1,314 @@
	1	============================================
	2	The object-lifetime debugging infrastructure
	3	============================================
	4
	5	:Author: Thomas Gleixner
	6
	7	Introduction
	8	============
	9
	10	debugobjects is a generic infrastructure to track the life time of
	11	kernel objects and validate the operations on those.
	12
	13	debugobjects is useful to check for the following error patterns:
	14
	15	- Activation of uninitialized objects
	16
	17	- Initialization of active objects
	18
	19	- Usage of freed/destroyed objects
	20
	21	debugobjects is not changing the data structure of the real object so it
	22	can be compiled in with a minimal runtime impact and enabled on demand
	23	with a kernel command line option.
	24
	25	Howto use debugobjects
	26	======================
	27
	28	A kernel subsystem needs to provide a data structure which describes the
	29	object type and add calls into the debug code at appropriate places. The
	30	data structure to describe the object type needs at minimum the name of
	31	the object type. Optional functions can and should be provided to fixup
	32	detected problems so the kernel can continue to work and the debug
	33	information can be retrieved from a live system instead of hard core
	34	debugging with serial consoles and stack trace transcripts from the
	35	monitor.
	36
	37	The debug calls provided by debugobjects are:
	38
	39	- debug_object_init
	40
	41	- debug_object_init_on_stack
	42
	43	- debug_object_activate
	44
	45	- debug_object_deactivate
	46
	47	- debug_object_destroy
	48
	49	- debug_object_free
	50
	51	- debug_object_assert_init
	52
	53	Each of these functions takes the address of the real object and a
	54	pointer to the object type specific debug description structure.
	55
	56	Each detected error is reported in the statistics and a limited number
	57	of errors are printk'ed including a full stack trace.
	58
	59	The statistics are available via /sys/kernel/debug/debug_objects/stats.
	60	They provide information about the number of warnings and the number of
	61	successful fixups along with information about the usage of the internal
	62	tracking objects and the state of the internal tracking objects pool.
	63
	64	Debug functions
	65	===============
	66
	67	Debug object function reference
	68	-------------------------------
	69
	70	.. kernel-doc:: lib/debugobjects.c
	71	:export:
	72
	73	debug_object_init
	74	-------------------
	75
	76	This function is called whenever the initialization function of a real
	77	object is called.
	78
	79	When the real object is already tracked by debugobjects it is checked,
	80	whether the object can be initialized. Initializing is not allowed for
	81	active and destroyed objects. When debugobjects detects an error, then
	82	it calls the fixup_init function of the object type description
	83	structure if provided by the caller. The fixup function can correct the
	84	problem before the real initialization of the object happens. E.g. it
	85	can deactivate an active object in order to prevent damage to the
	86	subsystem.
	87
	88	When the real object is not yet tracked by debugobjects, debugobjects
	89	allocates a tracker object for the real object and sets the tracker
	90	object state to ODEBUG_STATE_INIT. It verifies that the object is not
	91	on the callers stack. If it is on the callers stack then a limited
	92	number of warnings including a full stack trace is printk'ed. The
	93	calling code must use debug_object_init_on_stack() and remove the
	94	object before leaving the function which allocated it. See next section.
	95
	96	debug_object_init_on_stack
	97	------------------------------
	98
	99	This function is called whenever the initialization function of a real
	100	object which resides on the stack is called.
	101
	102	When the real object is already tracked by debugobjects it is checked,
	103	whether the object can be initialized. Initializing is not allowed for
	104	active and destroyed objects. When debugobjects detects an error, then
	105	it calls the fixup_init function of the object type description
	106	structure if provided by the caller. The fixup function can correct the
	107	problem before the real initialization of the object happens. E.g. it
	108	can deactivate an active object in order to prevent damage to the
	109	subsystem.
	110
	111	When the real object is not yet tracked by debugobjects debugobjects
	112	allocates a tracker object for the real object and sets the tracker
	113	object state to ODEBUG_STATE_INIT. It verifies that the object is on
	114	the callers stack.
	115
	116	An object which is on the stack must be removed from the tracker by
	117	calling debug_object_free() before the function which allocates the
	118	object returns. Otherwise we keep track of stale objects.
	119
	120	debug_object_activate
	121	-----------------------
	122
	123	This function is called whenever the activation function of a real
	124	object is called.
	125
	126	When the real object is already tracked by debugobjects it is checked,
	127	whether the object can be activated. Activating is not allowed for
	128	active and destroyed objects. When debugobjects detects an error, then
	129	it calls the fixup_activate function of the object type description
	130	structure if provided by the caller. The fixup function can correct the
	131	problem before the real activation of the object happens. E.g. it can
	132	deactivate an active object in order to prevent damage to the subsystem.
	133
	134	When the real object is not yet tracked by debugobjects then the
	135	fixup_activate function is called if available. This is necessary to
	136	allow the legitimate activation of statically allocated and initialized
	137	objects. The fixup function checks whether the object is valid and calls
	138	the debug_objects_init() function to initialize the tracking of this
	139	object.
	140
	141	When the activation is legitimate, then the state of the associated
	142	tracker object is set to ODEBUG_STATE_ACTIVE.
	143
	144	debug_object_deactivate
	145	-------------------------
	146
	147	This function is called whenever the deactivation function of a real
	148	object is called.
	149
	150	When the real object is tracked by debugobjects it is checked, whether
	151	the object can be deactivated. Deactivating is not allowed for untracked
	152	or destroyed objects.
	153
	154	When the deactivation is legitimate, then the state of the associated
	155	tracker object is set to ODEBUG_STATE_INACTIVE.
	156
	157	debug_object_destroy
	158	----------------------
	159
	160	This function is called to mark an object destroyed. This is useful to
	161	prevent the usage of invalid objects, which are still available in
	162	memory: either statically allocated objects or objects which are freed
	163	later.
	164
	165	When the real object is tracked by debugobjects it is checked, whether
	166	the object can be destroyed. Destruction is not allowed for active and
	167	destroyed objects. When debugobjects detects an error, then it calls the
	168	fixup_destroy function of the object type description structure if
	169	provided by the caller. The fixup function can correct the problem
	170	before the real destruction of the object happens. E.g. it can
	171	deactivate an active object in order to prevent damage to the subsystem.
	172
	173	When the destruction is legitimate, then the state of the associated
	174	tracker object is set to ODEBUG_STATE_DESTROYED.
	175
	176	debug_object_free
	177	-------------------
	178
	179	This function is called before an object is freed.
	180
	181	When the real object is tracked by debugobjects it is checked, whether
	182	the object can be freed. Free is not allowed for active objects. When
	183	debugobjects detects an error, then it calls the fixup_free function of
	184	the object type description structure if provided by the caller. The
	185	fixup function can correct the problem before the real free of the
	186	object happens. E.g. it can deactivate an active object in order to
	187	prevent damage to the subsystem.
	188
	189	Note that debug_object_free removes the object from the tracker. Later
	190	usage of the object is detected by the other debug checks.
	191
	192	debug_object_assert_init
	193	---------------------------
	194
	195	This function is called to assert that an object has been initialized.
	196
	197	When the real object is not tracked by debugobjects, it calls
	198	fixup_assert_init of the object type description structure provided by
	199	the caller, with the hardcoded object state ODEBUG_NOT_AVAILABLE. The
	200	fixup function can correct the problem by calling debug_object_init
	201	and other specific initializing functions.
	202
	203	When the real object is already tracked by debugobjects it is ignored.
	204
	205	Fixup functions
	206	===============
	207
	208	Debug object type description structure
	209	---------------------------------------
	210
	211	.. kernel-doc:: include/linux/debugobjects.h
	212	:internal:
	213
	214	fixup_init
	215	-----------
	216
	217	This function is called from the debug code whenever a problem in
	218	debug_object_init is detected. The function takes the address of the
	219	object and the state which is currently recorded in the tracker.
	220
	221	Called from debug_object_init when the object state is:
	222
	223	- ODEBUG_STATE_ACTIVE
	224
	225	The function returns true when the fixup was successful, otherwise
	226	false. The return value is used to update the statistics.
	227
	228	Note, that the function needs to call the debug_object_init() function
	229	again, after the damage has been repaired in order to keep the state
	230	consistent.
	231
	232	fixup_activate
	233	---------------
	234
	235	This function is called from the debug code whenever a problem in
	236	debug_object_activate is detected.
	237
	238	Called from debug_object_activate when the object state is:
	239
	240	- ODEBUG_STATE_NOTAVAILABLE
	241
	242	- ODEBUG_STATE_ACTIVE
	243
	244	The function returns true when the fixup was successful, otherwise
	245	false. The return value is used to update the statistics.
	246
	247	Note that the function needs to call the debug_object_activate()
	248	function again after the damage has been repaired in order to keep the
	249	state consistent.
	250
	251	The activation of statically initialized objects is a special case. When
	252	debug_object_activate() has no tracked object for this object address
	253	then fixup_activate() is called with object state
	254	ODEBUG_STATE_NOTAVAILABLE. The fixup function needs to check whether
	255	this is a legitimate case of a statically initialized object or not. In
	256	case it is it calls debug_object_init() and debug_object_activate()
	257	to make the object known to the tracker and marked active. In this case
	258	the function should return false because this is not a real fixup.
	259
	260	fixup_destroy
	261	--------------
	262
	263	This function is called from the debug code whenever a problem in
	264	debug_object_destroy is detected.
	265
	266	Called from debug_object_destroy when the object state is:
	267
	268	- ODEBUG_STATE_ACTIVE
	269
	270	The function returns true when the fixup was successful, otherwise
	271	false. The return value is used to update the statistics.
	272
	273	fixup_free
	274	-----------
	275
	276	This function is called from the debug code whenever a problem in
	277	debug_object_free is detected. Further it can be called from the debug
	278	checks in kfree/vfree, when an active object is detected from the
	279	debug_check_no_obj_freed() sanity checks.
	280
	281	Called from debug_object_free() or debug_check_no_obj_freed() when
	282	the object state is:
	283
	284	- ODEBUG_STATE_ACTIVE
	285
	286	The function returns true when the fixup was successful, otherwise
	287	false. The return value is used to update the statistics.
	288
	289	fixup_assert_init
	290	-------------------
	291
	292	This function is called from the debug code whenever a problem in
	293	debug_object_assert_init is detected.
	294
	295	Called from debug_object_assert_init() with a hardcoded state
	296	ODEBUG_STATE_NOTAVAILABLE when the object is not found in the debug
	297	bucket.
	298
	299	The function returns true when the fixup was successful, otherwise
	300	false. The return value is used to update the statistics.
	301
	302	Note, this function should make sure debug_object_init() is called
	303	before returning.
	304
	305	The handling of statically initialized objects is a special case. The
	306	fixup function should check if this is a legitimate case of a statically
	307	initialized object or not. In this case only debug_object_init()
	308	should be called to make the object known to the tracker. Then the
	309	function should return false because this is not a real fixup.
	310
	311	Known Bugs And Assumptions
	312	==========================
	313
	314	None (knock on wood).