1 files changed, 103 insertions, 90 deletions
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index 8bf765c4f58d..2c0d032ac898 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -72,7 +72,6 @@
 #include <linux/module.h>
 #include <linux/kthread.h>
 #include <linux/prio_tree.h>
-#include <linux/gfp.h>
 #include <linux/fs.h>
 #include <linux/debugfs.h>
 #include <linux/seq_file.h>
@@ -93,6 +92,7 @@
 #include <linux/nodemask.h>
 #include <linux/mm.h>
 #include <linux/workqueue.h>
+#include <linux/crc32.h>
 #include <asm/sections.h>
 #include <asm/processor.h>
@@ -108,7 +108,6 @@
 #define MSECS_MIN_AGE           5000    /* minimum object age for reporting */
 #define SECS_FIRST_SCAN         60      /* delay before the first scan */
 #define SECS_SCAN_WAIT          600     /* subsequent auto scanning delay */
-#define GRAY_LIST_PASSES        25      /* maximum number of gray list scans */
 #define MAX_SCAN_SIZE           4096    /* maximum size of a scanned block */
 #define BYTES_PER_POINTER       sizeof(void *)
@@ -119,8 +118,8 @@
 /* scanning area inside a memory block */
 struct kmemleak_scan_area {
        struct hlist_node node;
-        unsigned long offset;
+        unsigned long start;
-        size_t length;
+        size_t size;
 };
 #define KMEMLEAK_GREY   0
@@ -149,6 +148,8 @@ struct kmemleak_object {
        int min_count;
        /* the total number of pointers found pointing to this object */
        int count;
+        /* checksum for detecting modified objects */
+        u32 checksum;
        /* memory ranges to be scanned inside an object (empty for all) */
        struct hlist_head area_list;
        unsigned long trace[MAX_TRACE];
@@ -164,8 +165,6 @@ struct kmemleak_object {
 #define OBJECT_REPORTED         (1 << 1)
 /* flag set to not scan the object */
 #define OBJECT_NO_SCAN          (1 << 2)
-/* flag set on newly allocated objects */
-#define OBJECT_NEW              (1 << 3)
 /* number of bytes to print per line; must be 16 or 32 */
 #define HEX_ROW_SIZE            16
@@ -241,8 +240,6 @@ struct early_log {
        const void *ptr;                /* allocated/freed memory block */
        size_t size;                    /* memory block size */
        int min_count;                  /* minimum reference count */
-        unsigned long offset;           /* scan area offset */
-        size_t length;                  /* scan area length */
        unsigned long trace[MAX_TRACE]; /* stack trace */
        unsigned int trace_len;         /* stack trace length */
 };
@@ -323,11 +320,6 @@ static bool color_gray(const struct kmemleak_object *object)
                object->count >= object->min_count;
 }
-static bool color_black(const struct kmemleak_object *object)
-{
-        return object->min_count == KMEMLEAK_BLACK;
-}
 /*
 * Objects are considered unreferenced only if their color is white, they have
 * not be deleted and have a minimum age to avoid false positives caused by
@@ -335,7 +327,7 @@ static bool color_black(const struct kmemleak_object *object)
 */
 static bool unreferenced_object(struct kmemleak_object *object)
 {
-        return (object->flags & OBJECT_ALLOCATED) && color_white(object) &&
+        return (color_white(object) && object->flags & OBJECT_ALLOCATED) &&
                time_before_eq(object->jiffies + jiffies_min_age,
                               jiffies_last_scan);
 }
@@ -348,11 +340,13 @@ static void print_unreferenced(struct seq_file *seq,
                               struct kmemleak_object *object)
 {
        int i;
+        unsigned int msecs_age = jiffies_to_msecs(jiffies - object->jiffies);
        seq_printf(seq, "unreferenced object 0x%08lx (size %zu):\n",
                   object->pointer, object->size);
-        seq_printf(seq, "  comm \"%s\", pid %d, jiffies %lu\n",
+        seq_printf(seq, "  comm \"%s\", pid %d, jiffies %lu (age %d.%03ds)\n",
-                   object->comm, object->pid, object->jiffies);
+                   object->comm, object->pid, object->jiffies,
+                   msecs_age / 1000, msecs_age % 1000);
        hex_dump_object(seq, object);
        seq_printf(seq, "  backtrace:\n");
@@ -381,6 +375,7 @@ static void dump_object_info(struct kmemleak_object *object)
        pr_notice("  min_count = %d\n", object->min_count);
        pr_notice("  count = %d\n", object->count);
        pr_notice("  flags = 0x%lx\n", object->flags);
+        pr_notice("  checksum = %d\n", object->checksum);
        pr_notice("  backtrace:\n");
        print_stack_trace(&trace, 4);
 }
@@ -522,12 +517,13 @@ static struct kmemleak_object *create_object(unsigned long ptr, size_t size,
        INIT_HLIST_HEAD(&object->area_list);
        spin_lock_init(&object->lock);
        atomic_set(&object->use_count, 1);
-        object->flags = OBJECT_ALLOCATED | OBJECT_NEW;
+        object->flags = OBJECT_ALLOCATED;
        object->pointer = ptr;
        object->size = size;
        object->min_count = min_count;
-        object->count = -1;                     /* no color initially */
+        object->count = 0;                      /* white color initially */
        object->jiffies = jiffies;
+        object->checksum = 0;
        /* task information */
        if (in_irq()) {
@@ -720,14 +716,13 @@ static void make_black_object(unsigned long ptr)
 * Add a scanning area to the object. If at least one such area is added,
 * kmemleak will only scan these ranges rather than the whole memory block.
 */
-static void add_scan_area(unsigned long ptr, unsigned long offset,
+static void add_scan_area(unsigned long ptr, size_t size, gfp_t gfp)
-                          size_t length, gfp_t gfp)
 {
        unsigned long flags;
        struct kmemleak_object *object;
        struct kmemleak_scan_area *area;
-        object = find_and_get_object(ptr, 0);
+        object = find_and_get_object(ptr, 1);
        if (!object) {
                kmemleak_warn("Adding scan area to unknown object at 0x%08lx\n",
                              ptr);
@@ -741,7 +736,7 @@ static void add_scan_area(unsigned long ptr, unsigned long offset,
        }
        spin_lock_irqsave(&object->lock, flags);
-        if (offset + length > object->size) {
+        if (ptr + size > object->pointer + object->size) {
                kmemleak_warn("Scan area larger than object 0x%08lx\n", ptr);
                dump_object_info(object);
                kmem_cache_free(scan_area_cache, area);
@@ -749,8 +744,8 @@ static void add_scan_area(unsigned long ptr, unsigned long offset,
        }
        INIT_HLIST_NODE(&area->node);
-        area->offset = offset;
+        area->start = ptr;
-        area->length = length;
+        area->size = size;
        hlist_add_head(&area->node, &object->area_list);
 out_unlock:
@@ -786,7 +781,7 @@ static void object_no_scan(unsigned long ptr)
 * processed later once kmemleak is fully initialized.
 */
 static void __init log_early(int op_type, const void *ptr, size_t size,
-                             int min_count, unsigned long offset, size_t length)
+                             int min_count)
 {
        unsigned long flags;
        struct early_log *log;
@@ -808,8 +803,6 @@ static void __init log_early(int op_type, const void *ptr, size_t size,
        log->ptr = ptr;
        log->size = size;
        log->min_count = min_count;
-        log->offset = offset;
-        log->length = length;
        if (op_type == KMEMLEAK_ALLOC)
                log->trace_len = __save_stack_trace(log->trace);
        crt_early_log++;
@@ -858,7 +851,7 @@ void __ref kmemleak_alloc(const void *ptr, size_t size, int min_count,
        if (atomic_read(&kmemleak_enabled) && ptr && !IS_ERR(ptr))
                create_object((unsigned long)ptr, size, min_count, gfp);
        else if (atomic_read(&kmemleak_early_log))
-                log_early(KMEMLEAK_ALLOC, ptr, size, min_count, 0, 0);
+                log_early(KMEMLEAK_ALLOC, ptr, size, min_count);
 }
 EXPORT_SYMBOL_GPL(kmemleak_alloc);
@@ -873,7 +866,7 @@ void __ref kmemleak_free(const void *ptr)
        if (atomic_read(&kmemleak_enabled) && ptr && !IS_ERR(ptr))
                delete_object_full((unsigned long)ptr);
        else if (atomic_read(&kmemleak_early_log))
-                log_early(KMEMLEAK_FREE, ptr, 0, 0, 0, 0);
+                log_early(KMEMLEAK_FREE, ptr, 0, 0);
 }
 EXPORT_SYMBOL_GPL(kmemleak_free);
@@ -888,7 +881,7 @@ void __ref kmemleak_free_part(const void *ptr, size_t size)
        if (atomic_read(&kmemleak_enabled) && ptr && !IS_ERR(ptr))
                delete_object_part((unsigned long)ptr, size);
        else if (atomic_read(&kmemleak_early_log))
-                log_early(KMEMLEAK_FREE_PART, ptr, size, 0, 0, 0);
+                log_early(KMEMLEAK_FREE_PART, ptr, size, 0);
 }
 EXPORT_SYMBOL_GPL(kmemleak_free_part);
@@ -903,7 +896,7 @@ void __ref kmemleak_not_leak(const void *ptr)
        if (atomic_read(&kmemleak_enabled) && ptr && !IS_ERR(ptr))
                make_gray_object((unsigned long)ptr);
        else if (atomic_read(&kmemleak_early_log))
-                log_early(KMEMLEAK_NOT_LEAK, ptr, 0, 0, 0, 0);
+                log_early(KMEMLEAK_NOT_LEAK, ptr, 0, 0);
 }
 EXPORT_SYMBOL(kmemleak_not_leak);
@@ -919,22 +912,21 @@ void __ref kmemleak_ignore(const void *ptr)
        if (atomic_read(&kmemleak_enabled) && ptr && !IS_ERR(ptr))
                make_black_object((unsigned long)ptr);
        else if (atomic_read(&kmemleak_early_log))
-                log_early(KMEMLEAK_IGNORE, ptr, 0, 0, 0, 0);
+                log_early(KMEMLEAK_IGNORE, ptr, 0, 0);
 }
 EXPORT_SYMBOL(kmemleak_ignore);
 /*
 * Limit the range to be scanned in an allocated memory block.
 */
-void __ref kmemleak_scan_area(const void *ptr, unsigned long offset,
+void __ref kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp)
-                              size_t length, gfp_t gfp)
 {
        pr_debug("%s(0x%p)\n", __func__, ptr);
        if (atomic_read(&kmemleak_enabled) && ptr && !IS_ERR(ptr))
-                add_scan_area((unsigned long)ptr, offset, length, gfp);
+                add_scan_area((unsigned long)ptr, size, gfp);
        else if (atomic_read(&kmemleak_early_log))
-                log_early(KMEMLEAK_SCAN_AREA, ptr, 0, 0, offset, length);
+                log_early(KMEMLEAK_SCAN_AREA, ptr, size, 0);
 }
 EXPORT_SYMBOL(kmemleak_scan_area);
@@ -948,11 +940,25 @@ void __ref kmemleak_no_scan(const void *ptr)
        if (atomic_read(&kmemleak_enabled) && ptr && !IS_ERR(ptr))
                object_no_scan((unsigned long)ptr);
        else if (atomic_read(&kmemleak_early_log))
-                log_early(KMEMLEAK_NO_SCAN, ptr, 0, 0, 0, 0);
+                log_early(KMEMLEAK_NO_SCAN, ptr, 0, 0);
 }
 EXPORT_SYMBOL(kmemleak_no_scan);
 /*
+ * Update an object's checksum and return true if it was modified.
+ */
+static bool update_checksum(struct kmemleak_object *object)
+{
+        u32 old_csum = object->checksum;
+        if (!kmemcheck_is_obj_initialized(object->pointer, object->size))
+                return false;
+        object->checksum = crc32(0, (void *)object->pointer, object->size);
+        return object->checksum != old_csum;
+}
+/*
 * Memory scanning is a long process and it needs to be interruptable. This
 * function checks whether such interrupt condition occured.
 */
@@ -1031,11 +1037,14 @@ static void scan_block(void *_start, void *_end,
                 * added to the gray_list.
                 */
                object->count++;
-                if (color_gray(object))
+                if (color_gray(object)) {
                        list_add_tail(&object->gray_list, &gray_list);
-                else
+                        spin_unlock_irqrestore(&object->lock, flags);
-                        put_object(object);
+                        continue;
+                }
                spin_unlock_irqrestore(&object->lock, flags);
+                put_object(object);
        }
 }
@@ -1050,8 +1059,8 @@ static void scan_object(struct kmemleak_object *object)
        unsigned long flags;
        /*
-         * Once the object->lock is aquired, the corresponding memory block
+         * Once the object->lock is acquired, the corresponding memory block
-         * cannot be freed (the same lock is aquired in delete_object).
+         * cannot be freed (the same lock is acquired in delete_object).
         */
        spin_lock_irqsave(&object->lock, flags);
        if (object->flags & OBJECT_NO_SCAN)
@@ -1075,14 +1084,47 @@ static void scan_object(struct kmemleak_object *object)
                }
        } else
                hlist_for_each_entry(area, elem, &object->area_list, node)
-                        scan_block((void *)(object->pointer + area->offset),
+                        scan_block((void *)area->start,
-                                   (void *)(object->pointer + area->offset
+                                   (void *)(area->start + area->size),
-                                            + area->length), object, 0);
+                                   object, 0);
 out:
        spin_unlock_irqrestore(&object->lock, flags);
 }
 /*
+ * Scan the objects already referenced (gray objects). More objects will be
+ * referenced and, if there are no memory leaks, all the objects are scanned.
+ */
+static void scan_gray_list(void)
+{
+        struct kmemleak_object *object, *tmp;
+        /*
+         * The list traversal is safe for both tail additions and removals
+         * from inside the loop. The kmemleak objects cannot be freed from
+         * outside the loop because their use_count was incremented.
+         */
+        object = list_entry(gray_list.next, typeof(*object), gray_list);
+        while (&object->gray_list != &gray_list) {
+                cond_resched();
+                /* may add new objects to the list */
+                if (!scan_should_stop())
+                        scan_object(object);
+                tmp = list_entry(object->gray_list.next, typeof(*object),
+                                 gray_list);
+                /* remove the object from the list and release it */
+                list_del(&object->gray_list);
+                put_object(object);
+                object = tmp;
+        }
+        WARN_ON(!list_empty(&gray_list));
+}
+/*
 * Scan data sections and all the referenced memory blocks allocated via the
 * kernel's standard allocators. This function must be called with the
 * scan_mutex held.
@@ -1090,10 +1132,9 @@ out:
 static void kmemleak_scan(void)
 {
        unsigned long flags;
-        struct kmemleak_object *object, *tmp;
+        struct kmemleak_object *object;
        int i;
        int new_leaks = 0;
-        int gray_list_pass = 0;
        jiffies_last_scan = jiffies;
@@ -1114,7 +1155,6 @@ static void kmemleak_scan(void)
 #endif
                /* reset the reference count (whiten the object) */
                object->count = 0;
-                object->flags &= ~OBJECT_NEW;
                if (color_gray(object) && get_object(object))
                        list_add_tail(&object->gray_list, &gray_list);
@@ -1172,62 +1212,36 @@ static void kmemleak_scan(void)
        /*
         * Scan the objects already referenced from the sections scanned
-         * above. More objects will be referenced and, if there are no memory
+         * above.
-         * leaks, all the objects will be scanned. The list traversal is safe
-         * for both tail additions and removals from inside the loop. The
-         * kmemleak objects cannot be freed from outside the loop because their
-         * use_count was increased.
         */
-repeat:
+        scan_gray_list();
-        object = list_entry(gray_list.next, typeof(*object), gray_list);
-        while (&object->gray_list != &gray_list) {
-                cond_resched();
-                /* may add new objects to the list */
-                if (!scan_should_stop())
-                        scan_object(object);
-                tmp = list_entry(object->gray_list.next, typeof(*object),
-                                 gray_list);
-                /* remove the object from the list and release it */
-                list_del(&object->gray_list);
-                put_object(object);
-                object = tmp;
-        }
-        if (scan_should_stop() || ++gray_list_pass >= GRAY_LIST_PASSES)
-                goto scan_end;
        /*
-         * Check for new objects allocated during this scanning and add them
+         * Check for new or unreferenced objects modified since the previous
-         * to the gray list.
+         * scan and color them gray until the next scan.
         */
        rcu_read_lock();
        list_for_each_entry_rcu(object, &object_list, object_list) {
                spin_lock_irqsave(&object->lock, flags);
-                if ((object->flags & OBJECT_NEW) && !color_black(object) &&
+                if (color_white(object) && (object->flags & OBJECT_ALLOCATED)
-                    get_object(object)) {
+                    && update_checksum(object) && get_object(object)) {
-                        object->flags &= ~OBJECT_NEW;
+                        /* color it gray temporarily */
+                        object->count = object->min_count;
                        list_add_tail(&object->gray_list, &gray_list);
                }
                spin_unlock_irqrestore(&object->lock, flags);
        }
        rcu_read_unlock();
-        if (!list_empty(&gray_list))
+        /*
-                goto repeat;
+         * Re-scan the gray list for modified unreferenced objects.
+         */
-scan_end:
+        scan_gray_list();
-        WARN_ON(!list_empty(&gray_list));
        /*
-         * If scanning was stopped or new objects were being allocated at a
+         * If scanning was stopped do not report any new unreferenced objects.
-         * higher rate than gray list scanning, do not report any new
-         * unreferenced objects.
         */
-        if (scan_should_stop() || gray_list_pass >= GRAY_LIST_PASSES)
+        if (scan_should_stop())
                return;
        /*
@@ -1642,8 +1656,7 @@ void __init kmemleak_init(void)
                        kmemleak_ignore(log->ptr);
                        break;
                case KMEMLEAK_SCAN_AREA:
-                        kmemleak_scan_area(log->ptr, log->offset, log->length,
+                        kmemleak_scan_area(log->ptr, log->size, GFP_KERNEL);
-                                           GFP_KERNEL);
                        break;
                case KMEMLEAK_NO_SCAN:
                        kmemleak_no_scan(log->ptr);