diff options
author | Vegard Nossum <vegard.nossum@gmail.com> | 2008-04-03 18:51:41 -0400 |
---|---|---|
committer | Vegard Nossum <vegard.nossum@gmail.com> | 2009-06-13 09:37:30 -0400 |
commit | dfec072ecd35ba6ecad2d51dde325253ac9a2936 (patch) | |
tree | ccf682a631ef8edc0675d68d004bc3a80b34b648 /arch/x86/mm/kmemcheck/error.c | |
parent | e594c8de3bd4e7732ed3340fb01e18ec94b12df2 (diff) |
kmemcheck: add the kmemcheck core
General description: kmemcheck is a patch to the linux kernel that
detects use of uninitialized memory. It does this by trapping every
read and write to memory that was allocated dynamically (e.g. using
kmalloc()). If a memory address is read that has not previously been
written to, a message is printed to the kernel log.
Thanks to Andi Kleen for the set_memory_4k() solution.
Andrew Morton suggested documenting the shadow member of struct page.
Signed-off-by: Vegard Nossum <vegardno@ifi.uio.no>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
[export kmemcheck_mark_initialized]
[build fix for setup_max_cpus]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
[rebased for mainline inclusion]
Signed-off-by: Vegard Nossum <vegardno@ifi.uio.no>
Diffstat (limited to 'arch/x86/mm/kmemcheck/error.c')
-rw-r--r-- | arch/x86/mm/kmemcheck/error.c | 229 |
1 files changed, 229 insertions, 0 deletions
diff --git a/arch/x86/mm/kmemcheck/error.c b/arch/x86/mm/kmemcheck/error.c new file mode 100644 index 000000000000..5ec9f5a93f47 --- /dev/null +++ b/arch/x86/mm/kmemcheck/error.c | |||
@@ -0,0 +1,229 @@ | |||
1 | #include <linux/interrupt.h> | ||
2 | #include <linux/kdebug.h> | ||
3 | #include <linux/kmemcheck.h> | ||
4 | #include <linux/kernel.h> | ||
5 | #include <linux/types.h> | ||
6 | #include <linux/ptrace.h> | ||
7 | #include <linux/stacktrace.h> | ||
8 | #include <linux/string.h> | ||
9 | |||
10 | #include "error.h" | ||
11 | #include "shadow.h" | ||
12 | |||
13 | enum kmemcheck_error_type { | ||
14 | KMEMCHECK_ERROR_INVALID_ACCESS, | ||
15 | KMEMCHECK_ERROR_BUG, | ||
16 | }; | ||
17 | |||
18 | #define SHADOW_COPY_SIZE (1 << CONFIG_KMEMCHECK_SHADOW_COPY_SHIFT) | ||
19 | |||
20 | struct kmemcheck_error { | ||
21 | enum kmemcheck_error_type type; | ||
22 | |||
23 | union { | ||
24 | /* KMEMCHECK_ERROR_INVALID_ACCESS */ | ||
25 | struct { | ||
26 | /* Kind of access that caused the error */ | ||
27 | enum kmemcheck_shadow state; | ||
28 | /* Address and size of the erroneous read */ | ||
29 | unsigned long address; | ||
30 | unsigned int size; | ||
31 | }; | ||
32 | }; | ||
33 | |||
34 | struct pt_regs regs; | ||
35 | struct stack_trace trace; | ||
36 | unsigned long trace_entries[32]; | ||
37 | |||
38 | /* We compress it to a char. */ | ||
39 | unsigned char shadow_copy[SHADOW_COPY_SIZE]; | ||
40 | unsigned char memory_copy[SHADOW_COPY_SIZE]; | ||
41 | }; | ||
42 | |||
43 | /* | ||
44 | * Create a ring queue of errors to output. We can't call printk() directly | ||
45 | * from the kmemcheck traps, since this may call the console drivers and | ||
46 | * result in a recursive fault. | ||
47 | */ | ||
48 | static struct kmemcheck_error error_fifo[CONFIG_KMEMCHECK_QUEUE_SIZE]; | ||
49 | static unsigned int error_count; | ||
50 | static unsigned int error_rd; | ||
51 | static unsigned int error_wr; | ||
52 | static unsigned int error_missed_count; | ||
53 | |||
54 | static struct kmemcheck_error *error_next_wr(void) | ||
55 | { | ||
56 | struct kmemcheck_error *e; | ||
57 | |||
58 | if (error_count == ARRAY_SIZE(error_fifo)) { | ||
59 | ++error_missed_count; | ||
60 | return NULL; | ||
61 | } | ||
62 | |||
63 | e = &error_fifo[error_wr]; | ||
64 | if (++error_wr == ARRAY_SIZE(error_fifo)) | ||
65 | error_wr = 0; | ||
66 | ++error_count; | ||
67 | return e; | ||
68 | } | ||
69 | |||
70 | static struct kmemcheck_error *error_next_rd(void) | ||
71 | { | ||
72 | struct kmemcheck_error *e; | ||
73 | |||
74 | if (error_count == 0) | ||
75 | return NULL; | ||
76 | |||
77 | e = &error_fifo[error_rd]; | ||
78 | if (++error_rd == ARRAY_SIZE(error_fifo)) | ||
79 | error_rd = 0; | ||
80 | --error_count; | ||
81 | return e; | ||
82 | } | ||
83 | |||
84 | static void do_wakeup(unsigned long); | ||
85 | static DECLARE_TASKLET(kmemcheck_tasklet, &do_wakeup, 0); | ||
86 | |||
87 | /* | ||
88 | * Save the context of an error report. | ||
89 | */ | ||
90 | void kmemcheck_error_save(enum kmemcheck_shadow state, | ||
91 | unsigned long address, unsigned int size, struct pt_regs *regs) | ||
92 | { | ||
93 | static unsigned long prev_ip; | ||
94 | |||
95 | struct kmemcheck_error *e; | ||
96 | void *shadow_copy; | ||
97 | void *memory_copy; | ||
98 | |||
99 | /* Don't report several adjacent errors from the same EIP. */ | ||
100 | if (regs->ip == prev_ip) | ||
101 | return; | ||
102 | prev_ip = regs->ip; | ||
103 | |||
104 | e = error_next_wr(); | ||
105 | if (!e) | ||
106 | return; | ||
107 | |||
108 | e->type = KMEMCHECK_ERROR_INVALID_ACCESS; | ||
109 | |||
110 | e->state = state; | ||
111 | e->address = address; | ||
112 | e->size = size; | ||
113 | |||
114 | /* Save regs */ | ||
115 | memcpy(&e->regs, regs, sizeof(*regs)); | ||
116 | |||
117 | /* Save stack trace */ | ||
118 | e->trace.nr_entries = 0; | ||
119 | e->trace.entries = e->trace_entries; | ||
120 | e->trace.max_entries = ARRAY_SIZE(e->trace_entries); | ||
121 | e->trace.skip = 0; | ||
122 | save_stack_trace_bp(&e->trace, regs->bp); | ||
123 | |||
124 | /* Round address down to nearest 16 bytes */ | ||
125 | shadow_copy = kmemcheck_shadow_lookup(address | ||
126 | & ~(SHADOW_COPY_SIZE - 1)); | ||
127 | BUG_ON(!shadow_copy); | ||
128 | |||
129 | memcpy(e->shadow_copy, shadow_copy, SHADOW_COPY_SIZE); | ||
130 | |||
131 | kmemcheck_show_addr(address); | ||
132 | memory_copy = (void *) (address & ~(SHADOW_COPY_SIZE - 1)); | ||
133 | memcpy(e->memory_copy, memory_copy, SHADOW_COPY_SIZE); | ||
134 | kmemcheck_hide_addr(address); | ||
135 | |||
136 | tasklet_hi_schedule_first(&kmemcheck_tasklet); | ||
137 | } | ||
138 | |||
139 | /* | ||
140 | * Save the context of a kmemcheck bug. | ||
141 | */ | ||
142 | void kmemcheck_error_save_bug(struct pt_regs *regs) | ||
143 | { | ||
144 | struct kmemcheck_error *e; | ||
145 | |||
146 | e = error_next_wr(); | ||
147 | if (!e) | ||
148 | return; | ||
149 | |||
150 | e->type = KMEMCHECK_ERROR_BUG; | ||
151 | |||
152 | memcpy(&e->regs, regs, sizeof(*regs)); | ||
153 | |||
154 | e->trace.nr_entries = 0; | ||
155 | e->trace.entries = e->trace_entries; | ||
156 | e->trace.max_entries = ARRAY_SIZE(e->trace_entries); | ||
157 | e->trace.skip = 1; | ||
158 | save_stack_trace(&e->trace); | ||
159 | |||
160 | tasklet_hi_schedule_first(&kmemcheck_tasklet); | ||
161 | } | ||
162 | |||
163 | void kmemcheck_error_recall(void) | ||
164 | { | ||
165 | static const char *desc[] = { | ||
166 | [KMEMCHECK_SHADOW_UNALLOCATED] = "unallocated", | ||
167 | [KMEMCHECK_SHADOW_UNINITIALIZED] = "uninitialized", | ||
168 | [KMEMCHECK_SHADOW_INITIALIZED] = "initialized", | ||
169 | [KMEMCHECK_SHADOW_FREED] = "freed", | ||
170 | }; | ||
171 | |||
172 | static const char short_desc[] = { | ||
173 | [KMEMCHECK_SHADOW_UNALLOCATED] = 'a', | ||
174 | [KMEMCHECK_SHADOW_UNINITIALIZED] = 'u', | ||
175 | [KMEMCHECK_SHADOW_INITIALIZED] = 'i', | ||
176 | [KMEMCHECK_SHADOW_FREED] = 'f', | ||
177 | }; | ||
178 | |||
179 | struct kmemcheck_error *e; | ||
180 | unsigned int i; | ||
181 | |||
182 | e = error_next_rd(); | ||
183 | if (!e) | ||
184 | return; | ||
185 | |||
186 | switch (e->type) { | ||
187 | case KMEMCHECK_ERROR_INVALID_ACCESS: | ||
188 | printk(KERN_ERR "WARNING: kmemcheck: Caught %d-bit read " | ||
189 | "from %s memory (%p)\n", | ||
190 | 8 * e->size, e->state < ARRAY_SIZE(desc) ? | ||
191 | desc[e->state] : "(invalid shadow state)", | ||
192 | (void *) e->address); | ||
193 | |||
194 | printk(KERN_INFO); | ||
195 | for (i = 0; i < SHADOW_COPY_SIZE; ++i) | ||
196 | printk("%02x", e->memory_copy[i]); | ||
197 | printk("\n"); | ||
198 | |||
199 | printk(KERN_INFO); | ||
200 | for (i = 0; i < SHADOW_COPY_SIZE; ++i) { | ||
201 | if (e->shadow_copy[i] < ARRAY_SIZE(short_desc)) | ||
202 | printk(" %c", short_desc[e->shadow_copy[i]]); | ||
203 | else | ||
204 | printk(" ?"); | ||
205 | } | ||
206 | printk("\n"); | ||
207 | printk(KERN_INFO "%*c\n", 2 + 2 | ||
208 | * (int) (e->address & (SHADOW_COPY_SIZE - 1)), '^'); | ||
209 | break; | ||
210 | case KMEMCHECK_ERROR_BUG: | ||
211 | printk(KERN_EMERG "ERROR: kmemcheck: Fatal error\n"); | ||
212 | break; | ||
213 | } | ||
214 | |||
215 | __show_regs(&e->regs, 1); | ||
216 | print_stack_trace(&e->trace, 0); | ||
217 | } | ||
218 | |||
219 | static void do_wakeup(unsigned long data) | ||
220 | { | ||
221 | while (error_count > 0) | ||
222 | kmemcheck_error_recall(); | ||
223 | |||
224 | if (error_missed_count > 0) { | ||
225 | printk(KERN_WARNING "kmemcheck: Lost %d error reports because " | ||
226 | "the queue was too small\n", error_missed_count); | ||
227 | error_missed_count = 0; | ||
228 | } | ||
229 | } | ||