Merge remote-tracking branch 'docs-next/docs-next' into devel/docs-next

+19 -9

Documentation/CodingStyle

··· 396 396 cleanup needed then just return directly. 397 397 398 398 Choose label names which say what the goto does or why the goto exists. An 399 - example of a good name could be "out_buffer:" if the goto frees "buffer". Avoid 400 - using GW-BASIC names like "err1:" and "err2:". Also don't name them after the 401 - goto location like "err_kmalloc_failed:" 399 + example of a good name could be "out_free_buffer:" if the goto frees "buffer". 400 + Avoid using GW-BASIC names like "err1:" and "err2:", as you would have to 401 + renumber them if you ever add or remove exit paths, and they make correctness 402 + difficult to verify anyway. 403 + 404 + It is advised to indent labels with a single space (not tab), so that 405 + "diff -p" does not confuse labels with functions. 402 406 403 407 The rationale for using gotos is: 404 408 ··· 429 425 goto out_buffer; 430 426 } 431 427 ... 432 - out_buffer: 428 + out_free_buffer: 433 429 kfree(buffer); 434 430 return result; 435 431 } 436 432 437 433 A common type of bug to be aware of is "one err bugs" which look like this: 438 434 439 - err: 435 + err: 440 436 kfree(foo->bar); 441 437 kfree(foo); 442 438 return ret; 443 439 444 440 The bug in this code is that on some exit paths "foo" is NULL. Normally the 445 - fix for this is to split it up into two error labels "err_bar:" and "err_foo:". 441 + fix for this is to split it up into two error labels "err_free_bar:" and 442 + "err_free_foo:": 443 + 444 + err_free_bar: 445 + kfree(foo->bar); 446 + err_free_foo: 447 + kfree(foo); 448 + return ret; 449 + 450 + Ideally you should simulate errors to test all exit paths. 446 451 447 452 448 453 Chapter 8: Commenting ··· 473 460 When commenting the kernel API functions, please use the kernel-doc format. 474 461 See the files Documentation/kernel-documentation.rst and scripts/kernel-doc 475 462 for details. 476 - 477 - Linux style for comments is the C89 "/* ... */" style. 478 - Don't use C99-style "// ..." comments. 479 463 480 464 The preferred style for long (multi-line) comments is: 481 465

+9 -1

Documentation/DocBook/Makefile

··· 22 22 # Skip DocBook build if the user explicitly requested no DOCBOOKS. 23 23 .DEFAULT: 24 24 @echo " SKIP DocBook $@ target (DOCBOOKS=\"\" specified)." 25 - 26 25 else 26 + ifneq ($(SPHINXDIRS),) 27 + 28 + # Skip DocBook build if the user explicitly requested a sphinx dir 29 + .DEFAULT: 30 + @echo " SKIP DocBook $@ target (SPHINXDIRS specified)." 31 + else 32 + 27 33 28 34 ### 29 35 # The build process is as follows (targets): ··· 72 66 73 67 # no-op for the DocBook toolchain 74 68 epubdocs: 69 + latexdocs: 75 70 76 71 ### 77 72 #External programs used ··· 228 221 echo "</programlisting>") > $@ 229 222 230 223 endif # DOCBOOKS="" 224 + endif # SPHINDIR=... 231 225 232 226 ### 233 227 # Help targets as used by the top-level makefile

+49 -15

Documentation/Makefile.sphinx

··· 5 5 # You can set these variables from the command line. 6 6 SPHINXBUILD = sphinx-build 7 7 SPHINXOPTS = 8 + SPHINXDIRS = . 9 + _SPHINXDIRS = $(patsubst $(srctree)/Documentation/%/conf.py,%,$(wildcard $(srctree)/Documentation/*/conf.py)) 10 + SPHINX_CONF = conf.py 8 11 PAPER = 9 12 BUILDDIR = $(obj)/output 10 13 ··· 28 25 29 26 else # HAVE_SPHINX 30 27 31 - # User-friendly check for rst2pdf 32 - HAVE_RST2PDF := $(shell if python -c "import rst2pdf" >/dev/null 2>&1; then echo 1; else echo 0; fi) 28 + # User-friendly check for pdflatex 29 + HAVE_PDFLATEX := $(shell if which xelatex >/dev/null 2>&1; then echo 1; else echo 0; fi) 33 30 34 31 # Internal variables. 35 32 PAPEROPT_a4 = -D latex_paper_size=a4 36 33 PAPEROPT_letter = -D latex_paper_size=letter 37 34 KERNELDOC = $(srctree)/scripts/kernel-doc 38 35 KERNELDOC_CONF = -D kerneldoc_srctree=$(srctree) -D kerneldoc_bin=$(KERNELDOC) 39 - ALLSPHINXOPTS = -D version=$(KERNELVERSION) -D release=$(KERNELRELEASE) -d $(BUILDDIR)/.doctrees $(KERNELDOC_CONF) $(PAPEROPT_$(PAPER)) -c $(srctree)/$(src) $(SPHINXOPTS) $(srctree)/$(src) 36 + ALLSPHINXOPTS = $(KERNELDOC_CONF) $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) 40 37 # the i18n builder cannot share the environment and doctrees with the others 41 38 I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . 42 39 43 - quiet_cmd_sphinx = SPHINX $@ 44 - cmd_sphinx = BUILDDIR=$(BUILDDIR) $(SPHINXBUILD) -b $2 $(ALLSPHINXOPTS) $(BUILDDIR)/$2 40 + # commands; the 'cmd' from scripts/Kbuild.include is not *loopable* 41 + loop_cmd = $(echo-cmd) $(cmd_$(1)) 42 + 43 + # $2 sphinx builder e.g. "html" 44 + # $3 name of the build subfolder / e.g. "media", used as: 45 + # * dest folder relative to $(BUILDDIR) and 46 + # * cache folder relative to $(BUILDDIR)/.doctrees 47 + # $4 dest subfolder e.g. "man" for man pages at media/man 48 + # $5 reST source folder relative to $(srctree)/$(src), 49 + # e.g. "media" for the linux-tv book-set at ./Documentation/media 50 + 51 + quiet_cmd_sphinx = SPHINX $@ --> file://$(abspath $(BUILDDIR)/$3/$4); 52 + cmd_sphinx = $(MAKE) BUILDDIR=$(abspath $(BUILDDIR)) $(build)=Documentation/media all;\ 53 + BUILDDIR=$(abspath $(BUILDDIR)) SPHINX_CONF=$(abspath $(srctree)/$(src)/$5/$(SPHINX_CONF)) \ 54 + $(SPHINXBUILD) \ 55 + -b $2 \ 56 + -c $(abspath $(srctree)/$(src)) \ 57 + -d $(abspath $(BUILDDIR)/.doctrees/$3) \ 58 + -D version=$(KERNELVERSION) -D release=$(KERNELRELEASE) \ 59 + $(ALLSPHINXOPTS) \ 60 + $(abspath $(srctree)/$(src)/$5) \ 61 + $(abspath $(BUILDDIR)/$3/$4); 45 62 46 63 htmldocs: 47 - $(MAKE) BUILDDIR=$(BUILDDIR) -f $(srctree)/Documentation/media/Makefile $@ 48 - $(call cmd,sphinx,html) 64 + @$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,html,$(var),,$(var))) 49 65 50 - pdfdocs: 51 - ifeq ($(HAVE_RST2PDF),0) 52 - $(warning The Python 'rst2pdf' module was not found. Make sure you have the module installed to produce PDF output.) 66 + latexdocs: 67 + ifeq ($(HAVE_PDFLATEX),0) 68 + $(warning The 'xelatex' command was not found. Make sure you have it installed and in PATH to produce PDF output.) 53 69 @echo " SKIP Sphinx $@ target." 54 - else # HAVE_RST2PDF 55 - $(call cmd,sphinx,pdf) 56 - endif # HAVE_RST2PDF 70 + else # HAVE_PDFLATEX 71 + @$(call loop_cmd,sphinx,latex,.,latex,.) 72 + endif # HAVE_PDFLATEX 73 + 74 + pdfdocs: latexdocs 75 + ifneq ($(HAVE_PDFLATEX),0) 76 + $(Q)$(MAKE) PDFLATEX=xelatex LATEXOPTS="-interaction=nonstopmode" -C $(BUILDDIR)/latex 77 + endif # HAVE_PDFLATEX 57 78 58 79 epubdocs: 59 - $(call cmd,sphinx,epub) 80 + @$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,epub,$(var),epub,$(var))) 60 81 61 82 xmldocs: 62 - $(call cmd,sphinx,xml) 83 + @$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,xml,$(var),xml,$(var))) 63 84 64 85 # no-ops for the Sphinx toolchain 65 86 sgmldocs: ··· 99 72 dochelp: 100 73 @echo ' Linux kernel internal documentation in different formats (Sphinx):' 101 74 @echo ' htmldocs - HTML' 75 + @echo ' latexdocs - LaTeX' 102 76 @echo ' pdfdocs - PDF' 103 77 @echo ' epubdocs - EPUB' 104 78 @echo ' xmldocs - XML' 105 79 @echo ' cleandocs - clean all generated files' 80 + @echo 81 + @echo ' make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2' 82 + @echo ' valid values for SPHINXDIRS are: $(_SPHINXDIRS)' 83 + @echo 84 + @echo ' make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build' 85 + @echo ' configuration. This is e.g. useful to build with nit-picking config.'

+10 -1

Documentation/arm/sunxi/README

··· 73 73 * Octa ARM Cortex-A7 based SoCs 74 74 - Allwinner A83T 75 75 + Datasheet 76 - http://dl.linux-sunxi.org/A83T/A83T_datasheet_Revision_1.1.pdf 76 + https://github.com/allwinner-zh/documents/raw/master/A83T/A83T_Datasheet_v1.3_20150510.pdf 77 + + User Manual 78 + https://github.com/allwinner-zh/documents/raw/master/A83T/A83T_User_Manual_v1.5.1_20150513.pdf 79 + 80 + * Quad ARM Cortex-A53 based SoCs 81 + - Allwinner A64 82 + + Datasheet 83 + http://dl.linux-sunxi.org/A64/A64_Datasheet_V1.1.pdf 84 + + User Manual 85 + http://dl.linux-sunxi.org/A64/Allwinner%20A64%20User%20Manual%20v1.0.pdf

+22 -20

Documentation/clk.txt

··· 31 31 hardware-specific bits for the hypothetical "foo" hardware. 32 32 33 33 Tying the two halves of this interface together is struct clk_hw, which 34 - is defined in struct clk_foo and pointed to within struct clk. This 34 + is defined in struct clk_foo and pointed to within struct clk_core. This 35 35 allows for easy navigation between the two discrete halves of the common 36 36 clock interface. 37 37 38 38 Part 2 - common data structures and api 39 39 40 - Below is the common struct clk definition from 41 - include/linux/clk-private.h, modified for brevity: 40 + Below is the common struct clk_core definition from 41 + drivers/clk/clk.c, modified for brevity: 42 42 43 - struct clk { 43 + struct clk_core { 44 44 const char *name; 45 45 const struct clk_ops *ops; 46 46 struct clk_hw *hw; 47 - char **parent_names; 48 - struct clk **parents; 49 - struct clk *parent; 50 - struct hlist_head children; 51 - struct hlist_node child_node; 47 + struct module *owner; 48 + struct clk_core *parent; 49 + const char **parent_names; 50 + struct clk_core **parents; 51 + u8 num_parents; 52 + u8 new_parent_index; 52 53 ... 53 54 }; 54 55 ··· 57 56 api itself defines several driver-facing functions which operate on 58 57 struct clk. That api is documented in include/linux/clk.h. 59 58 60 - Platforms and devices utilizing the common struct clk use the struct 61 - clk_ops pointer in struct clk to perform the hardware-specific parts of 62 - the operations defined in clk.h: 59 + Platforms and devices utilizing the common struct clk_core use the struct 60 + clk_ops pointer in struct clk_core to perform the hardware-specific parts of 61 + the operations defined in clk-provider.h: 63 62 64 63 struct clk_ops { 65 64 int (*prepare)(struct clk_hw *hw); 66 65 void (*unprepare)(struct clk_hw *hw); 66 + int (*is_prepared)(struct clk_hw *hw); 67 + void (*unprepare_unused)(struct clk_hw *hw); 67 68 int (*enable)(struct clk_hw *hw); 68 69 void (*disable)(struct clk_hw *hw); 69 70 int (*is_enabled)(struct clk_hw *hw); 71 + void (*disable_unused)(struct clk_hw *hw); 70 72 unsigned long (*recalc_rate)(struct clk_hw *hw, 71 73 unsigned long parent_rate); 72 74 long (*round_rate)(struct clk_hw *hw, ··· 88 84 u8 index); 89 85 unsigned long (*recalc_accuracy)(struct clk_hw *hw, 90 86 unsigned long parent_accuracy); 87 + int (*get_phase)(struct clk_hw *hw); 88 + int (*set_phase)(struct clk_hw *hw, int degrees); 91 89 void (*init)(struct clk_hw *hw); 92 90 int (*debug_init)(struct clk_hw *hw, 93 91 struct dentry *dentry); ··· 97 91 98 92 Part 3 - hardware clk implementations 99 93 100 - The strength of the common struct clk comes from its .ops and .hw pointers 94 + The strength of the common struct clk_core comes from its .ops and .hw pointers 101 95 which abstract the details of struct clk from the hardware-specific bits, and 102 96 vice versa. To illustrate consider the simple gateable clk implementation in 103 97 drivers/clk/clk-gate.c: ··· 113 107 knowledge about which register and bit controls this clk's gating. 114 108 Nothing about clock topology or accounting, such as enable_count or 115 109 notifier_count, is needed here. That is all handled by the common 116 - framework code and struct clk. 110 + framework code and struct clk_core. 117 111 118 112 Let's walk through enabling this clk from driver code: 119 113 ··· 145 139 146 140 Note that to_clk_gate is defined as: 147 141 148 - #define to_clk_gate(_hw) container_of(_hw, struct clk_gate, clk) 142 + #define to_clk_gate(_hw) container_of(_hw, struct clk_gate, hw) 149 143 150 144 This pattern of abstraction is used for every clock hardware 151 145 representation. 152 146 153 147 Part 4 - supporting your own clk hardware 154 148 155 - When implementing support for a new type of clock it only necessary to 149 + When implementing support for a new type of clock it is only necessary to 156 150 include the following header: 157 151 158 152 #include <linux/clk-provider.h> 159 - 160 - include/linux/clk.h is included within that header and clk-private.h 161 - must never be included from the code which implements the operations for 162 - a clock. More on that below in Part 5. 163 153 164 154 To construct a clk hardware structure for your platform you must define 165 155 the following:

+190 -169

Documentation/coccinelle.txt Documentation/dev-tools/coccinelle.rst

··· 1 - Copyright 2010 Nicolas Palix <npalix@diku.dk> 2 - Copyright 2010 Julia Lawall <julia@diku.dk> 3 - Copyright 2010 Gilles Muller <Gilles.Muller@lip6.fr> 1 + .. Copyright 2010 Nicolas Palix <npalix@diku.dk> 2 + .. Copyright 2010 Julia Lawall <julia@diku.dk> 3 + .. Copyright 2010 Gilles Muller <Gilles.Muller@lip6.fr> 4 4 5 + .. highlight:: none 5 6 6 - Getting Coccinelle 7 - ~~~~~~~~~~~~~~~~~~~~ 7 + Coccinelle 8 + ========== 9 + 10 + Coccinelle is a tool for pattern matching and text transformation that has 11 + many uses in kernel development, including the application of complex, 12 + tree-wide patches and detection of problematic programming patterns. 13 + 14 + Getting Coccinelle 15 + ------------------- 8 16 9 17 The semantic patches included in the kernel use features and options 10 18 which are provided by Coccinelle version 1.0.0-rc11 and above. ··· 30 22 - NetBSD 31 23 - FreeBSD 32 24 33 - 34 25 You can get the latest version released from the Coccinelle homepage at 35 26 http://coccinelle.lip6.fr/ 36 27 37 28 Information and tips about Coccinelle are also provided on the wiki 38 29 pages at http://cocci.ekstranet.diku.dk/wiki/doku.php 39 30 40 - Once you have it, run the following command: 31 + Once you have it, run the following command:: 41 32 42 33 ./configure 43 34 make 44 35 45 - as a regular user, and install it with 36 + as a regular user, and install it with:: 46 37 47 38 sudo make install 48 39 49 - Supplemental documentation 50 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 40 + Supplemental documentation 41 + --------------------------- 51 42 52 43 For supplemental documentation refer to the wiki: 53 44 ··· 54 47 55 48 The wiki documentation always refers to the linux-next version of the script. 56 49 57 - Using Coccinelle on the Linux kernel 58 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 50 + Using Coccinelle on the Linux kernel 51 + ------------------------------------ 59 52 60 53 A Coccinelle-specific target is defined in the top level 61 - Makefile. This target is named 'coccicheck' and calls the 'coccicheck' 62 - front-end in the 'scripts' directory. 54 + Makefile. This target is named ``coccicheck`` and calls the ``coccicheck`` 55 + front-end in the ``scripts`` directory. 63 56 64 - Four basic modes are defined: patch, report, context, and org. The mode to 65 - use is specified by setting the MODE variable with 'MODE=<mode>'. 57 + Four basic modes are defined: ``patch``, ``report``, ``context``, and 58 + ``org``. The mode to use is specified by setting the MODE variable with 59 + ``MODE=<mode>``. 66 60 67 - 'patch' proposes a fix, when possible. 61 + - ``patch`` proposes a fix, when possible. 68 62 69 - 'report' generates a list in the following format: 63 + - ``report`` generates a list in the following format: 70 64 file:line:column-column: message 71 65 72 - 'context' highlights lines of interest and their context in a 73 - diff-like style.Lines of interest are indicated with '-'. 66 + - ``context`` highlights lines of interest and their context in a 67 + diff-like style.Lines of interest are indicated with ``-``. 74 68 75 - 'org' generates a report in the Org mode format of Emacs. 69 + - ``org`` generates a report in the Org mode format of Emacs. 76 70 77 71 Note that not all semantic patches implement all modes. For easy use 78 72 of Coccinelle, the default mode is "report". 79 73 80 74 Two other modes provide some common combinations of these modes. 81 75 82 - 'chain' tries the previous modes in the order above until one succeeds. 76 + - ``chain`` tries the previous modes in the order above until one succeeds. 83 77 84 - 'rep+ctxt' runs successively the report mode and the context mode. 85 - It should be used with the C option (described later) 86 - which checks the code on a file basis. 78 + - ``rep+ctxt`` runs successively the report mode and the context mode. 79 + It should be used with the C option (described later) 80 + which checks the code on a file basis. 87 81 88 - Examples: 89 - To make a report for every semantic patch, run the following command: 82 + Examples 83 + ~~~~~~~~ 84 + 85 + To make a report for every semantic patch, run the following command:: 90 86 91 87 make coccicheck MODE=report 92 88 93 - To produce patches, run: 89 + To produce patches, run:: 94 90 95 91 make coccicheck MODE=patch 96 92 97 93 98 94 The coccicheck target applies every semantic patch available in the 99 - sub-directories of 'scripts/coccinelle' to the entire Linux kernel. 95 + sub-directories of ``scripts/coccinelle`` to the entire Linux kernel. 100 96 101 97 For each semantic patch, a commit message is proposed. It gives a 102 98 description of the problem being checked by the semantic patch, and ··· 109 99 positives. Thus, reports must be carefully checked, and patches 110 100 reviewed. 111 101 112 - To enable verbose messages set the V= variable, for example: 102 + To enable verbose messages set the V= variable, for example:: 113 103 114 104 make coccicheck MODE=report V=1 115 105 116 - Coccinelle parallelization 117 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 106 + Coccinelle parallelization 107 + --------------------------- 118 108 119 109 By default, coccicheck tries to run as parallel as possible. To change 120 - the parallelism, set the J= variable. For example, to run across 4 CPUs: 110 + the parallelism, set the J= variable. For example, to run across 4 CPUs:: 121 111 122 112 make coccicheck MODE=report J=4 123 113 ··· 125 115 if support for this is detected you will benefit from parmap parallelization. 126 116 127 117 When parmap is enabled coccicheck will enable dynamic load balancing by using 128 - '--chunksize 1' argument, this ensures we keep feeding threads with work 118 + ``--chunksize 1`` argument, this ensures we keep feeding threads with work 129 119 one by one, so that we avoid the situation where most work gets done by only 130 120 a few threads. With dynamic load balancing, if a thread finishes early we keep 131 121 feeding it more work. 132 122 133 123 When parmap is enabled, if an error occurs in Coccinelle, this error 134 - value is propagated back, the return value of the 'make coccicheck' 124 + value is propagated back, the return value of the ``make coccicheck`` 135 125 captures this return value. 136 126 137 - Using Coccinelle with a single semantic patch 138 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 127 + Using Coccinelle with a single semantic patch 128 + --------------------------------------------- 139 129 140 130 The optional make variable COCCI can be used to check a single 141 131 semantic patch. In that case, the variable must be initialized with 142 132 the name of the semantic patch to apply. 143 133 144 - For instance: 134 + For instance:: 145 135 146 136 make coccicheck COCCI=<my_SP.cocci> MODE=patch 147 - or 137 + 138 + or:: 139 + 148 140 make coccicheck COCCI=<my_SP.cocci> MODE=report 149 141 150 142 151 - Controlling Which Files are Processed by Coccinelle 152 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 143 + Controlling Which Files are Processed by Coccinelle 144 + --------------------------------------------------- 145 + 153 146 By default the entire kernel source tree is checked. 154 147 155 - To apply Coccinelle to a specific directory, M= can be used. 156 - For example, to check drivers/net/wireless/ one may write: 148 + To apply Coccinelle to a specific directory, ``M=`` can be used. 149 + For example, to check drivers/net/wireless/ one may write:: 157 150 158 151 make coccicheck M=drivers/net/wireless/ 159 152 160 153 To apply Coccinelle on a file basis, instead of a directory basis, the 161 - following command may be used: 154 + following command may be used:: 162 155 163 156 make C=1 CHECK="scripts/coccicheck" 164 157 165 - To check only newly edited code, use the value 2 for the C flag, i.e. 158 + To check only newly edited code, use the value 2 for the C flag, i.e.:: 166 159 167 160 make C=2 CHECK="scripts/coccicheck" 168 161 ··· 179 166 The "report" mode is the default. You can select another one with the 180 167 MODE variable explained above. 181 168 182 - Debugging Coccinelle SmPL patches 183 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 169 + Debugging Coccinelle SmPL patches 170 + --------------------------------- 184 171 185 172 Using coccicheck is best as it provides in the spatch command line 186 173 include options matching the options used when we compile the kernel. ··· 190 177 Alternatively you can debug running Coccinelle against SmPL patches 191 178 by asking for stderr to be redirected to stderr, by default stderr 192 179 is redirected to /dev/null, if you'd like to capture stderr you 193 - can specify the DEBUG_FILE="file.txt" option to coccicheck. For 194 - instance: 180 + can specify the ``DEBUG_FILE="file.txt"`` option to coccicheck. For 181 + instance:: 195 182 196 183 rm -f cocci.err 197 184 make coccicheck COCCI=scripts/coccinelle/free/kfree.cocci MODE=report DEBUG_FILE=cocci.err ··· 199 186 200 187 You can use SPFLAGS to add debugging flags, for instance you may want to 201 188 add both --profile --show-trying to SPFLAGS when debugging. For instance 202 - you may want to use: 189 + you may want to use:: 203 190 204 191 rm -f err.log 205 192 export COCCI=scripts/coccinelle/misc/irqf_oneshot.cocci ··· 211 198 212 199 DEBUG_FILE support is only supported when using coccinelle >= 1.2. 213 200 214 - .cocciconfig support 215 - ~~~~~~~~~~~~~~~~~~~~~~ 201 + .cocciconfig support 202 + -------------------- 216 203 217 204 Coccinelle supports reading .cocciconfig for default Coccinelle options that 218 205 should be used every time spatch is spawned, the order of precedence for 219 206 variables for .cocciconfig is as follows: 220 207 221 - o Your current user's home directory is processed first 222 - o Your directory from which spatch is called is processed next 223 - o The directory provided with the --dir option is processed last, if used 208 + - Your current user's home directory is processed first 209 + - Your directory from which spatch is called is processed next 210 + - The directory provided with the --dir option is processed last, if used 224 211 225 212 Since coccicheck runs through make, it naturally runs from the kernel 226 213 proper dir, as such the second rule above would be implied for picking up a 227 - .cocciconfig when using 'make coccicheck'. 214 + .cocciconfig when using ``make coccicheck``. 228 215 229 - 'make coccicheck' also supports using M= targets.If you do not supply 216 + ``make coccicheck`` also supports using M= targets.If you do not supply 230 217 any M= target, it is assumed you want to target the entire kernel. 231 - The kernel coccicheck script has: 218 + The kernel coccicheck script has:: 232 219 233 220 if [ "$KBUILD_EXTMOD" = "" ] ; then 234 221 OPTIONS="--dir $srctree $COCCIINCLUDE" ··· 248 235 249 236 We help Coccinelle when used against Linux with a set of sensible defaults 250 237 options for Linux with our own Linux .cocciconfig. This hints to coccinelle 251 - git can be used for 'git grep' queries over coccigrep. A timeout of 200 238 + git can be used for ``git grep`` queries over coccigrep. A timeout of 200 252 239 seconds should suffice for now. 253 240 254 241 The options picked up by coccinelle when reading a .cocciconfig do not appear 255 242 as arguments to spatch processes running on your system, to confirm what 256 - options will be used by Coccinelle run: 243 + options will be used by Coccinelle run:: 257 244 258 245 spatch --print-options-only 259 246 ··· 265 252 desired. See below section "Additional flags" for more details on how to use 266 253 idutils. 267 254 268 - Additional flags 269 - ~~~~~~~~~~~~~~~~~~ 255 + Additional flags 256 + ---------------- 270 257 271 258 Additional flags can be passed to spatch through the SPFLAGS 272 259 variable. This works as Coccinelle respects the last flags 273 - given to it when options are in conflict. 260 + given to it when options are in conflict. :: 274 261 275 262 make SPFLAGS=--use-glimpse coccicheck 276 263 277 264 Coccinelle supports idutils as well but requires coccinelle >= 1.0.6. 278 265 When no ID file is specified coccinelle assumes your ID database file 279 266 is in the file .id-utils.index on the top level of the kernel, coccinelle 280 - carries a script scripts/idutils_index.sh which creates the database with 267 + carries a script scripts/idutils_index.sh which creates the database with:: 281 268 282 269 mkid -i C --output .id-utils.index 283 270 284 271 If you have another database filename you can also just symlink with this 285 - name. 272 + name. :: 286 273 287 274 make SPFLAGS=--use-idutils coccicheck 288 275 289 276 Alternatively you can specify the database filename explicitly, for 290 - instance: 277 + instance:: 291 278 292 279 make SPFLAGS="--use-idutils /full-path/to/ID" coccicheck 293 280 294 - See spatch --help to learn more about spatch options. 281 + See ``spatch --help`` to learn more about spatch options. 295 282 296 - Note that the '--use-glimpse' and '--use-idutils' options 283 + Note that the ``--use-glimpse`` and ``--use-idutils`` options 297 284 require external tools for indexing the code. None of them is 298 285 thus active by default. However, by indexing the code with 299 286 one of these tools, and according to the cocci file used, 300 287 spatch could proceed the entire code base more quickly. 301 288 302 - SmPL patch specific options 303 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 289 + SmPL patch specific options 290 + --------------------------- 304 291 305 292 SmPL patches can have their own requirements for options passed 306 293 to Coccinelle. SmPL patch specific options can be provided by 307 - providing them at the top of the SmPL patch, for instance: 294 + providing them at the top of the SmPL patch, for instance:: 308 295 309 - // Options: --no-includes --include-headers 296 + // Options: --no-includes --include-headers 310 297 311 - SmPL patch Coccinelle requirements 312 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 298 + SmPL patch Coccinelle requirements 299 + ---------------------------------- 313 300 314 301 As Coccinelle features get added some more advanced SmPL patches 315 302 may require newer versions of Coccinelle. If an SmPL patch requires 316 303 at least a version of Coccinelle, this can be specified as follows, 317 - as an example if requiring at least Coccinelle >= 1.0.5: 304 + as an example if requiring at least Coccinelle >= 1.0.5:: 318 305 319 - // Requires: 1.0.5 306 + // Requires: 1.0.5 320 307 321 - Proposing new semantic patches 322 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 308 + Proposing new semantic patches 309 + ------------------------------- 323 310 324 311 New semantic patches can be proposed and submitted by kernel 325 312 developers. For sake of clarity, they should be organized in the 326 - sub-directories of 'scripts/coccinelle/'. 313 + sub-directories of ``scripts/coccinelle/``. 327 314 328 315 329 - Detailed description of the 'report' mode 330 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 316 + Detailed description of the ``report`` mode 317 + ------------------------------------------- 331 318 332 - 'report' generates a list in the following format: 319 + ``report`` generates a list in the following format:: 320 + 333 321 file:line:column-column: message 334 322 335 - Example: 323 + Example 324 + ~~~~~~~ 336 325 337 - Running 326 + Running:: 338 327 339 328 make coccicheck MODE=report COCCI=scripts/coccinelle/api/err_cast.cocci 340 329 341 - will execute the following part of the SmPL script. 330 + will execute the following part of the SmPL script:: 342 331 343 - <smpl> 344 - @r depends on !context && !patch && (org || report)@ 345 - expression x; 346 - position p; 347 - @@ 332 + <smpl> 333 + @r depends on !context && !patch && (org || report)@ 334 + expression x; 335 + position p; 336 + @@ 348 337 349 - ERR_PTR@p(PTR_ERR(x)) 338 + ERR_PTR@p(PTR_ERR(x)) 350 339 351 - @script:python depends on report@ 352 - p << r.p; 353 - x << r.x; 354 - @@ 340 + @script:python depends on report@ 341 + p << r.p; 342 + x << r.x; 343 + @@ 355 344 356 - msg="ERR_CAST can be used with %s" % (x) 357 - coccilib.report.print_report(p[0], msg) 358 - </smpl> 345 + msg="ERR_CAST can be used with %s" % (x) 346 + coccilib.report.print_report(p[0], msg) 347 + </smpl> 359 348 360 349 This SmPL excerpt generates entries on the standard output, as 361 - illustrated below: 350 + illustrated below:: 362 351 363 - /home/user/linux/crypto/ctr.c:188:9-16: ERR_CAST can be used with alg 364 - /home/user/linux/crypto/authenc.c:619:9-16: ERR_CAST can be used with auth 365 - /home/user/linux/crypto/xts.c:227:9-16: ERR_CAST can be used with alg 352 + /home/user/linux/crypto/ctr.c:188:9-16: ERR_CAST can be used with alg 353 + /home/user/linux/crypto/authenc.c:619:9-16: ERR_CAST can be used with auth 354 + /home/user/linux/crypto/xts.c:227:9-16: ERR_CAST can be used with alg 366 355 367 356 368 - Detailed description of the 'patch' mode 369 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 357 + Detailed description of the ``patch`` mode 358 + ------------------------------------------ 370 359 371 - When the 'patch' mode is available, it proposes a fix for each problem 360 + When the ``patch`` mode is available, it proposes a fix for each problem 372 361 identified. 373 362 374 - Example: 363 + Example 364 + ~~~~~~~ 375 365 376 - Running 366 + Running:: 367 + 377 368 make coccicheck MODE=patch COCCI=scripts/coccinelle/api/err_cast.cocci 378 369 379 - will execute the following part of the SmPL script. 370 + will execute the following part of the SmPL script:: 380 371 381 - <smpl> 382 - @ depends on !context && patch && !org && !report @ 383 - expression x; 384 - @@ 372 + <smpl> 373 + @ depends on !context && patch && !org && !report @ 374 + expression x; 375 + @@ 385 376 386 - - ERR_PTR(PTR_ERR(x)) 387 - + ERR_CAST(x) 388 - </smpl> 377 + - ERR_PTR(PTR_ERR(x)) 378 + + ERR_CAST(x) 379 + </smpl> 389 380 390 381 This SmPL excerpt generates patch hunks on the standard output, as 391 - illustrated below: 382 + illustrated below:: 392 383 393 - diff -u -p a/crypto/ctr.c b/crypto/ctr.c 394 - --- a/crypto/ctr.c 2010-05-26 10:49:38.000000000 +0200 395 - +++ b/crypto/ctr.c 2010-06-03 23:44:49.000000000 +0200 396 - @@ -185,7 +185,7 @@ static struct crypto_instance *crypto_ct 384 + diff -u -p a/crypto/ctr.c b/crypto/ctr.c 385 + --- a/crypto/ctr.c 2010-05-26 10:49:38.000000000 +0200 386 + +++ b/crypto/ctr.c 2010-06-03 23:44:49.000000000 +0200 387 + @@ -185,7 +185,7 @@ static struct crypto_instance *crypto_ct 397 388 alg = crypto_attr_alg(tb[1], CRYPTO_ALG_TYPE_CIPHER, 398 389 CRYPTO_ALG_TYPE_MASK); 399 390 if (IS_ERR(alg)) 400 - - return ERR_PTR(PTR_ERR(alg)); 401 - + return ERR_CAST(alg); 402 - 391 + - return ERR_PTR(PTR_ERR(alg)); 392 + + return ERR_CAST(alg); 393 + 403 394 /* Block size must be >= 4 bytes. */ 404 395 err = -EINVAL; 405 396 406 - Detailed description of the 'context' mode 407 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 397 + Detailed description of the ``context`` mode 398 + -------------------------------------------- 408 399 409 - 'context' highlights lines of interest and their context 400 + ``context`` highlights lines of interest and their context 410 401 in a diff-like style. 411 402 412 - NOTE: The diff-like output generated is NOT an applicable patch. The 413 - intent of the 'context' mode is to highlight the important lines 414 - (annotated with minus, '-') and gives some surrounding context 403 + **NOTE**: The diff-like output generated is NOT an applicable patch. The 404 + intent of the ``context`` mode is to highlight the important lines 405 + (annotated with minus, ``-``) and gives some surrounding context 415 406 lines around. This output can be used with the diff mode of 416 407 Emacs to review the code. 417 408 418 - Example: 409 + Example 410 + ~~~~~~~ 419 411 420 - Running 412 + Running:: 413 + 421 414 make coccicheck MODE=context COCCI=scripts/coccinelle/api/err_cast.cocci 422 415 423 - will execute the following part of the SmPL script. 416 + will execute the following part of the SmPL script:: 424 417 425 - <smpl> 426 - @ depends on context && !patch && !org && !report@ 427 - expression x; 428 - @@ 418 + <smpl> 419 + @ depends on context && !patch && !org && !report@ 420 + expression x; 421 + @@ 429 422 430 - * ERR_PTR(PTR_ERR(x)) 431 - </smpl> 423 + * ERR_PTR(PTR_ERR(x)) 424 + </smpl> 432 425 433 426 This SmPL excerpt generates diff hunks on the standard output, as 434 - illustrated below: 427 + illustrated below:: 435 428 436 - diff -u -p /home/user/linux/crypto/ctr.c /tmp/nothing 437 - --- /home/user/linux/crypto/ctr.c 2010-05-26 10:49:38.000000000 +0200 438 - +++ /tmp/nothing 439 - @@ -185,7 +185,6 @@ static struct crypto_instance *crypto_ct 429 + diff -u -p /home/user/linux/crypto/ctr.c /tmp/nothing 430 + --- /home/user/linux/crypto/ctr.c 2010-05-26 10:49:38.000000000 +0200 431 + +++ /tmp/nothing 432 + @@ -185,7 +185,6 @@ static struct crypto_instance *crypto_ct 440 433 alg = crypto_attr_alg(tb[1], CRYPTO_ALG_TYPE_CIPHER, 441 434 CRYPTO_ALG_TYPE_MASK); 442 435 if (IS_ERR(alg)) 443 - - return ERR_PTR(PTR_ERR(alg)); 444 - 436 + - return ERR_PTR(PTR_ERR(alg)); 437 + 445 438 /* Block size must be >= 4 bytes. */ 446 439 err = -EINVAL; 447 440 448 - Detailed description of the 'org' mode 449 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 441 + Detailed description of the ``org`` mode 442 + ---------------------------------------- 450 443 451 - 'org' generates a report in the Org mode format of Emacs. 444 + ``org`` generates a report in the Org mode format of Emacs. 452 445 453 - Example: 446 + Example 447 + ~~~~~~~ 454 448 455 - Running 449 + Running:: 450 + 456 451 make coccicheck MODE=org COCCI=scripts/coccinelle/api/err_cast.cocci 457 452 458 - will execute the following part of the SmPL script. 453 + will execute the following part of the SmPL script:: 459 454 460 - <smpl> 461 - @r depends on !context && !patch && (org || report)@ 462 - expression x; 463 - position p; 464 - @@ 455 + <smpl> 456 + @r depends on !context && !patch && (org || report)@ 457 + expression x; 458 + position p; 459 + @@ 465 460 466 - ERR_PTR@p(PTR_ERR(x)) 461 + ERR_PTR@p(PTR_ERR(x)) 467 462 468 - @script:python depends on org@ 469 - p << r.p; 470 - x << r.x; 471 - @@ 463 + @script:python depends on org@ 464 + p << r.p; 465 + x << r.x; 466 + @@ 472 467 473 - msg="ERR_CAST can be used with %s" % (x) 474 - msg_safe=msg.replace("[","@(").replace("]",")") 475 - coccilib.org.print_todo(p[0], msg_safe) 476 - </smpl> 468 + msg="ERR_CAST can be used with %s" % (x) 469 + msg_safe=msg.replace("[","@(").replace("]",")") 470 + coccilib.org.print_todo(p[0], msg_safe) 471 + </smpl> 477 472 478 473 This SmPL excerpt generates Org entries on the standard output, as 479 - illustrated below: 474 + illustrated below:: 480 475 481 - * TODO [[view:/home/user/linux/crypto/ctr.c::face=ovl-face1::linb=188::colb=9::cole=16][ERR_CAST can be used with alg]] 482 - * TODO [[view:/home/user/linux/crypto/authenc.c::face=ovl-face1::linb=619::colb=9::cole=16][ERR_CAST can be used with auth]] 483 - * TODO [[view:/home/user/linux/crypto/xts.c::face=ovl-face1::linb=227::colb=9::cole=16][ERR_CAST can be used with alg]] 476 + * TODO [[view:/home/user/linux/crypto/ctr.c::face=ovl-face1::linb=188::colb=9::cole=16][ERR_CAST can be used with alg]] 477 + * TODO [[view:/home/user/linux/crypto/authenc.c::face=ovl-face1::linb=619::colb=9::cole=16][ERR_CAST can be used with auth]] 478 + * TODO [[view:/home/user/linux/crypto/xts.c::face=ovl-face1::linb=227::colb=9::cole=16][ERR_CAST can be used with alg]]

+90 -14

Documentation/conf.py

··· 14 14 15 15 import sys 16 16 import os 17 + import sphinx 18 + 19 + # Get Sphinx version 20 + major, minor, patch = map(int, sphinx.__version__.split(".")) 21 + 17 22 18 23 # If extensions (or modules to document with autodoc) are in another directory, 19 24 # add these directories to sys.path here. If the directory is relative to the 20 25 # documentation root, use os.path.abspath to make it absolute, like shown here. 21 26 sys.path.insert(0, os.path.abspath('sphinx')) 27 + from load_config import loadConfig 22 28 23 29 # -- General configuration ------------------------------------------------ 24 30 ··· 34 28 # Add any Sphinx extension module names here, as strings. They can be 35 29 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom 36 30 # ones. 37 - extensions = ['kernel-doc', 'rstFlatTable', 'kernel_include'] 31 + extensions = ['kernel-doc', 'rstFlatTable', 'kernel_include', 'cdomain'] 38 32 39 - # Gracefully handle missing rst2pdf. 40 - try: 41 - import rst2pdf 42 - extensions += ['rst2pdf.pdfbuilder'] 43 - except ImportError: 44 - pass 33 + # The name of the math extension changed on Sphinx 1.4 34 + if minor > 3: 35 + extensions.append("sphinx.ext.imgmath") 36 + else: 37 + extensions.append("sphinx.ext.pngmath") 45 38 46 39 # Add any paths that contain templates here, relative to this directory. 47 40 templates_path = ['_templates'] ··· 136 131 todo_include_todos = False 137 132 138 133 primary_domain = 'C' 139 - highlight_language = 'C' 134 + highlight_language = 'guess' 140 135 141 136 # -- Options for HTML output ---------------------------------------------- 142 137 ··· 257 252 258 253 latex_elements = { 259 254 # The paper size ('letterpaper' or 'a4paper'). 260 - #'papersize': 'letterpaper', 255 + 'papersize': 'a4paper', 261 256 262 257 # The font size ('10pt', '11pt' or '12pt'). 263 - #'pointsize': '10pt', 264 - 265 - # Additional stuff for the LaTeX preamble. 266 - #'preamble': '', 258 + 'pointsize': '8pt', 267 259 268 260 # Latex figure (float) alignment 269 261 #'figure_align': 'htbp', 262 + 263 + # Don't mangle with UTF-8 chars 264 + 'inputenc': '', 265 + 'utf8extra': '', 266 + 267 + # Additional stuff for the LaTeX preamble. 268 + 'preamble': ''' 269 + % Adjust margins 270 + \\usepackage[margin=0.5in, top=1in, bottom=1in]{geometry} 271 + 272 + % Allow generate some pages in landscape 273 + \\usepackage{lscape} 274 + 275 + % Put notes in color and let them be inside a table 276 + \\definecolor{NoteColor}{RGB}{204,255,255} 277 + \\definecolor{WarningColor}{RGB}{255,204,204} 278 + \\definecolor{AttentionColor}{RGB}{255,255,204} 279 + \\definecolor{OtherColor}{RGB}{204,204,204} 280 + \\newlength{\\mynoticelength} 281 + \\makeatletter\\newenvironment{coloredbox}[1]{% 282 + \\setlength{\\fboxrule}{1pt} 283 + \\setlength{\\fboxsep}{7pt} 284 + \\setlength{\\mynoticelength}{\\linewidth} 285 + \\addtolength{\\mynoticelength}{-2\\fboxsep} 286 + \\addtolength{\\mynoticelength}{-2\\fboxrule} 287 + \\begin{lrbox}{\\@tempboxa}\\begin{minipage}{\\mynoticelength}}{\\end{minipage}\\end{lrbox}% 288 + \\ifthenelse% 289 + {\\equal{\\py@noticetype}{note}}% 290 + {\\colorbox{NoteColor}{\\usebox{\\@tempboxa}}}% 291 + {% 292 + \\ifthenelse% 293 + {\\equal{\\py@noticetype}{warning}}% 294 + {\\colorbox{WarningColor}{\\usebox{\\@tempboxa}}}% 295 + {% 296 + \\ifthenelse% 297 + {\\equal{\\py@noticetype}{attention}}% 298 + {\\colorbox{AttentionColor}{\\usebox{\\@tempboxa}}}% 299 + {\\colorbox{OtherColor}{\\usebox{\\@tempboxa}}}% 300 + }% 301 + }% 302 + }\\makeatother 303 + 304 + \\makeatletter 305 + \\renewenvironment{notice}[2]{% 306 + \\def\\py@noticetype{#1} 307 + \\begin{coloredbox}{#1} 308 + \\bf\\it 309 + \\par\\strong{#2} 310 + \\csname py@noticestart@#1\\endcsname 311 + } 312 + { 313 + \\csname py@noticeend@\\py@noticetype\\endcsname 314 + \\end{coloredbox} 315 + } 316 + \\makeatother 317 + 318 + % Use some font with UTF-8 support with XeLaTeX 319 + \\usepackage{fontspec} 320 + \\setsansfont{DejaVu Serif} 321 + \\setromanfont{DejaVu Sans} 322 + \\setmonofont{DejaVu Sans Mono} 323 + 324 + % To allow adjusting table sizes 325 + \\usepackage{adjustbox} 326 + 327 + ''' 270 328 } 271 329 272 330 # Grouping the document tree into LaTeX files. List of tuples 273 331 # (source start file, target name, title, 274 332 # author, documentclass [howto, manual, or own class]). 275 333 latex_documents = [ 276 - (master_doc, 'TheLinuxKernel.tex', 'The Linux Kernel Documentation', 334 + ('kernel-documentation', 'kernel-documentation.tex', 'The Linux Kernel Documentation', 335 + 'The kernel development community', 'manual'), 336 + ('gpu/index', 'gpu.tex', 'Linux GPU Driver Developer\'s Guide', 277 337 'The kernel development community', 'manual'), 278 338 ] 279 339 ··· 489 419 # line arguments. 490 420 kerneldoc_bin = '../scripts/kernel-doc' 491 421 kerneldoc_srctree = '..' 422 + 423 + # ------------------------------------------------------------------------------ 424 + # Since loadConfig overwrites settings from the global namespace, it has to be 425 + # the last statement in the conf.py file 426 + # ------------------------------------------------------------------------------ 427 + loadConfig(globals())

+256

Documentation/dev-tools/gcov.rst

··· 1 + Using gcov with the Linux kernel 2 + ================================ 3 + 4 + gcov profiling kernel support enables the use of GCC's coverage testing 5 + tool gcov_ with the Linux kernel. Coverage data of a running kernel 6 + is exported in gcov-compatible format via the "gcov" debugfs directory. 7 + To get coverage data for a specific file, change to the kernel build 8 + directory and use gcov with the ``-o`` option as follows (requires root):: 9 + 10 + # cd /tmp/linux-out 11 + # gcov -o /sys/kernel/debug/gcov/tmp/linux-out/kernel spinlock.c 12 + 13 + This will create source code files annotated with execution counts 14 + in the current directory. In addition, graphical gcov front-ends such 15 + as lcov_ can be used to automate the process of collecting data 16 + for the entire kernel and provide coverage overviews in HTML format. 17 + 18 + Possible uses: 19 + 20 + * debugging (has this line been reached at all?) 21 + * test improvement (how do I change my test to cover these lines?) 22 + * minimizing kernel configurations (do I need this option if the 23 + associated code is never run?) 24 + 25 + .. _gcov: http://gcc.gnu.org/onlinedocs/gcc/Gcov.html 26 + .. _lcov: http://ltp.sourceforge.net/coverage/lcov.php 27 + 28 + 29 + Preparation 30 + ----------- 31 + 32 + Configure the kernel with:: 33 + 34 + CONFIG_DEBUG_FS=y 35 + CONFIG_GCOV_KERNEL=y 36 + 37 + select the gcc's gcov format, default is autodetect based on gcc version:: 38 + 39 + CONFIG_GCOV_FORMAT_AUTODETECT=y 40 + 41 + and to get coverage data for the entire kernel:: 42 + 43 + CONFIG_GCOV_PROFILE_ALL=y 44 + 45 + Note that kernels compiled with profiling flags will be significantly 46 + larger and run slower. Also CONFIG_GCOV_PROFILE_ALL may not be supported 47 + on all architectures. 48 + 49 + Profiling data will only become accessible once debugfs has been 50 + mounted:: 51 + 52 + mount -t debugfs none /sys/kernel/debug 53 + 54 + 55 + Customization 56 + ------------- 57 + 58 + To enable profiling for specific files or directories, add a line 59 + similar to the following to the respective kernel Makefile: 60 + 61 + - For a single file (e.g. main.o):: 62 + 63 + GCOV_PROFILE_main.o := y 64 + 65 + - For all files in one directory:: 66 + 67 + GCOV_PROFILE := y 68 + 69 + To exclude files from being profiled even when CONFIG_GCOV_PROFILE_ALL 70 + is specified, use:: 71 + 72 + GCOV_PROFILE_main.o := n 73 + 74 + and:: 75 + 76 + GCOV_PROFILE := n 77 + 78 + Only files which are linked to the main kernel image or are compiled as 79 + kernel modules are supported by this mechanism. 80 + 81 + 82 + Files 83 + ----- 84 + 85 + The gcov kernel support creates the following files in debugfs: 86 + 87 + ``/sys/kernel/debug/gcov`` 88 + Parent directory for all gcov-related files. 89 + 90 + ``/sys/kernel/debug/gcov/reset`` 91 + Global reset file: resets all coverage data to zero when 92 + written to. 93 + 94 + ``/sys/kernel/debug/gcov/path/to/compile/dir/file.gcda`` 95 + The actual gcov data file as understood by the gcov 96 + tool. Resets file coverage data to zero when written to. 97 + 98 + ``/sys/kernel/debug/gcov/path/to/compile/dir/file.gcno`` 99 + Symbolic link to a static data file required by the gcov 100 + tool. This file is generated by gcc when compiling with 101 + option ``-ftest-coverage``. 102 + 103 + 104 + Modules 105 + ------- 106 + 107 + Kernel modules may contain cleanup code which is only run during 108 + module unload time. The gcov mechanism provides a means to collect 109 + coverage data for such code by keeping a copy of the data associated 110 + with the unloaded module. This data remains available through debugfs. 111 + Once the module is loaded again, the associated coverage counters are 112 + initialized with the data from its previous instantiation. 113 + 114 + This behavior can be deactivated by specifying the gcov_persist kernel 115 + parameter:: 116 + 117 + gcov_persist=0 118 + 119 + At run-time, a user can also choose to discard data for an unloaded 120 + module by writing to its data file or the global reset file. 121 + 122 + 123 + Separated build and test machines 124 + --------------------------------- 125 + 126 + The gcov kernel profiling infrastructure is designed to work out-of-the 127 + box for setups where kernels are built and run on the same machine. In 128 + cases where the kernel runs on a separate machine, special preparations 129 + must be made, depending on where the gcov tool is used: 130 + 131 + a) gcov is run on the TEST machine 132 + 133 + The gcov tool version on the test machine must be compatible with the 134 + gcc version used for kernel build. Also the following files need to be 135 + copied from build to test machine: 136 + 137 + from the source tree: 138 + - all C source files + headers 139 + 140 + from the build tree: 141 + - all C source files + headers 142 + - all .gcda and .gcno files 143 + - all links to directories 144 + 145 + It is important to note that these files need to be placed into the 146 + exact same file system location on the test machine as on the build 147 + machine. If any of the path components is symbolic link, the actual 148 + directory needs to be used instead (due to make's CURDIR handling). 149 + 150 + b) gcov is run on the BUILD machine 151 + 152 + The following files need to be copied after each test case from test 153 + to build machine: 154 + 155 + from the gcov directory in sysfs: 156 + - all .gcda files 157 + - all links to .gcno files 158 + 159 + These files can be copied to any location on the build machine. gcov 160 + must then be called with the -o option pointing to that directory. 161 + 162 + Example directory setup on the build machine:: 163 + 164 + /tmp/linux: kernel source tree 165 + /tmp/out: kernel build directory as specified by make O= 166 + /tmp/coverage: location of the files copied from the test machine 167 + 168 + [user@build] cd /tmp/out 169 + [user@build] gcov -o /tmp/coverage/tmp/out/init main.c 170 + 171 + 172 + Troubleshooting 173 + --------------- 174 + 175 + Problem 176 + Compilation aborts during linker step. 177 + 178 + Cause 179 + Profiling flags are specified for source files which are not 180 + linked to the main kernel or which are linked by a custom 181 + linker procedure. 182 + 183 + Solution 184 + Exclude affected source files from profiling by specifying 185 + ``GCOV_PROFILE := n`` or ``GCOV_PROFILE_basename.o := n`` in the 186 + corresponding Makefile. 187 + 188 + Problem 189 + Files copied from sysfs appear empty or incomplete. 190 + 191 + Cause 192 + Due to the way seq_file works, some tools such as cp or tar 193 + may not correctly copy files from sysfs. 194 + 195 + Solution 196 + Use ``cat``' to read ``.gcda`` files and ``cp -d`` to copy links. 197 + Alternatively use the mechanism shown in Appendix B. 198 + 199 + 200 + Appendix A: gather_on_build.sh 201 + ------------------------------ 202 + 203 + Sample script to gather coverage meta files on the build machine 204 + (see 6a):: 205 + 206 + #!/bin/bash 207 + 208 + KSRC=$1 209 + KOBJ=$2 210 + DEST=$3 211 + 212 + if [ -z "$KSRC" ] || [ -z "$KOBJ" ] || [ -z "$DEST" ]; then 213 + echo "Usage: $0 <ksrc directory> <kobj directory> <output.tar.gz>" >&2 214 + exit 1 215 + fi 216 + 217 + KSRC=$(cd $KSRC; printf "all:\n\t@echo \${CURDIR}\n" | make -f -) 218 + KOBJ=$(cd $KOBJ; printf "all:\n\t@echo \${CURDIR}\n" | make -f -) 219 + 220 + find $KSRC $KOBJ $ -name '*.gcno' -o -name '*.[ch]' -o -type l $ -a \ 221 + -perm /u+r,g+r | tar cfz $DEST -P -T - 222 + 223 + if [ $? -eq 0 ] ; then 224 + echo "$DEST successfully created, copy to test system and unpack with:" 225 + echo " tar xfz $DEST -P" 226 + else 227 + echo "Could not create file $DEST" 228 + fi 229 + 230 + 231 + Appendix B: gather_on_test.sh 232 + ----------------------------- 233 + 234 + Sample script to gather coverage data files on the test machine 235 + (see 6b):: 236 + 237 + #!/bin/bash -e 238 + 239 + DEST=$1 240 + GCDA=/sys/kernel/debug/gcov 241 + 242 + if [ -z "$DEST" ] ; then 243 + echo "Usage: $0 <output.tar.gz>" >&2 244 + exit 1 245 + fi 246 + 247 + TEMPDIR=$(mktemp -d) 248 + echo Collecting data.. 249 + find $GCDA -type d -exec mkdir -p $TEMPDIR/\{\} \; 250 + find $GCDA -name '*.gcda' -exec sh -c 'cat < $0 > '$TEMPDIR'/$0' {} \; 251 + find $GCDA -name '*.gcno' -exec sh -c 'cp -d $0 '$TEMPDIR'/$0' {} \; 252 + tar czf $DEST -C $TEMPDIR sys 253 + rm -rf $TEMPDIR 254 + 255 + echo "$DEST successfully created, copy to build system and unpack with:" 256 + echo " tar xfz $DEST"

+173

Documentation/dev-tools/kasan.rst

··· 1 + The Kernel Address Sanitizer (KASAN) 2 + ==================================== 3 + 4 + Overview 5 + -------- 6 + 7 + KernelAddressSANitizer (KASAN) is a dynamic memory error detector. It provides 8 + a fast and comprehensive solution for finding use-after-free and out-of-bounds 9 + bugs. 10 + 11 + KASAN uses compile-time instrumentation for checking every memory access, 12 + therefore you will need a GCC version 4.9.2 or later. GCC 5.0 or later is 13 + required for detection of out-of-bounds accesses to stack or global variables. 14 + 15 + Currently KASAN is supported only for the x86_64 and arm64 architectures. 16 + 17 + Usage 18 + ----- 19 + 20 + To enable KASAN configure kernel with:: 21 + 22 + CONFIG_KASAN = y 23 + 24 + and choose between CONFIG_KASAN_OUTLINE and CONFIG_KASAN_INLINE. Outline and 25 + inline are compiler instrumentation types. The former produces smaller binary 26 + the latter is 1.1 - 2 times faster. Inline instrumentation requires a GCC 27 + version 5.0 or later. 28 + 29 + KASAN works with both SLUB and SLAB memory allocators. 30 + For better bug detection and nicer reporting, enable CONFIG_STACKTRACE. 31 + 32 + To disable instrumentation for specific files or directories, add a line 33 + similar to the following to the respective kernel Makefile: 34 + 35 + - For a single file (e.g. main.o):: 36 + 37 + KASAN_SANITIZE_main.o := n 38 + 39 + - For all files in one directory:: 40 + 41 + KASAN_SANITIZE := n 42 + 43 + Error reports 44 + ~~~~~~~~~~~~~ 45 + 46 + A typical out of bounds access report looks like this:: 47 + 48 + ================================================================== 49 + BUG: AddressSanitizer: out of bounds access in kmalloc_oob_right+0x65/0x75 [test_kasan] at addr ffff8800693bc5d3 50 + Write of size 1 by task modprobe/1689 51 + ============================================================================= 52 + BUG kmalloc-128 (Not tainted): kasan error 53 + ----------------------------------------------------------------------------- 54 + 55 + Disabling lock debugging due to kernel taint 56 + INFO: Allocated in kmalloc_oob_right+0x3d/0x75 [test_kasan] age=0 cpu=0 pid=1689 57 + __slab_alloc+0x4b4/0x4f0 58 + kmem_cache_alloc_trace+0x10b/0x190 59 + kmalloc_oob_right+0x3d/0x75 [test_kasan] 60 + init_module+0x9/0x47 [test_kasan] 61 + do_one_initcall+0x99/0x200 62 + load_module+0x2cb3/0x3b20 63 + SyS_finit_module+0x76/0x80 64 + system_call_fastpath+0x12/0x17 65 + INFO: Slab 0xffffea0001a4ef00 objects=17 used=7 fp=0xffff8800693bd728 flags=0x100000000004080 66 + INFO: Object 0xffff8800693bc558 @offset=1368 fp=0xffff8800693bc720 67 + 68 + Bytes b4 ffff8800693bc548: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ 69 + Object ffff8800693bc558: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 70 + Object ffff8800693bc568: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 71 + Object ffff8800693bc578: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 72 + Object ffff8800693bc588: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 73 + Object ffff8800693bc598: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 74 + Object ffff8800693bc5a8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 75 + Object ffff8800693bc5b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 76 + Object ffff8800693bc5c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk. 77 + Redzone ffff8800693bc5d8: cc cc cc cc cc cc cc cc ........ 78 + Padding ffff8800693bc718: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ 79 + CPU: 0 PID: 1689 Comm: modprobe Tainted: G B 3.18.0-rc1-mm1+ #98 80 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 81 + ffff8800693bc000 0000000000000000 ffff8800693bc558 ffff88006923bb78 82 + ffffffff81cc68ae 00000000000000f3 ffff88006d407600 ffff88006923bba8 83 + ffffffff811fd848 ffff88006d407600 ffffea0001a4ef00 ffff8800693bc558 84 + Call Trace: 85 + [<ffffffff81cc68ae>] dump_stack+0x46/0x58 86 + [<ffffffff811fd848>] print_trailer+0xf8/0x160 87 + [<ffffffffa00026a7>] ? kmem_cache_oob+0xc3/0xc3 [test_kasan] 88 + [<ffffffff811ff0f5>] object_err+0x35/0x40 89 + [<ffffffffa0002065>] ? kmalloc_oob_right+0x65/0x75 [test_kasan] 90 + [<ffffffff8120b9fa>] kasan_report_error+0x38a/0x3f0 91 + [<ffffffff8120a79f>] ? kasan_poison_shadow+0x2f/0x40 92 + [<ffffffff8120b344>] ? kasan_unpoison_shadow+0x14/0x40 93 + [<ffffffff8120a79f>] ? kasan_poison_shadow+0x2f/0x40 94 + [<ffffffffa00026a7>] ? kmem_cache_oob+0xc3/0xc3 [test_kasan] 95 + [<ffffffff8120a995>] __asan_store1+0x75/0xb0 96 + [<ffffffffa0002601>] ? kmem_cache_oob+0x1d/0xc3 [test_kasan] 97 + [<ffffffffa0002065>] ? kmalloc_oob_right+0x65/0x75 [test_kasan] 98 + [<ffffffffa0002065>] kmalloc_oob_right+0x65/0x75 [test_kasan] 99 + [<ffffffffa00026b0>] init_module+0x9/0x47 [test_kasan] 100 + [<ffffffff810002d9>] do_one_initcall+0x99/0x200 101 + [<ffffffff811e4e5c>] ? __vunmap+0xec/0x160 102 + [<ffffffff81114f63>] load_module+0x2cb3/0x3b20 103 + [<ffffffff8110fd70>] ? m_show+0x240/0x240 104 + [<ffffffff81115f06>] SyS_finit_module+0x76/0x80 105 + [<ffffffff81cd3129>] system_call_fastpath+0x12/0x17 106 + Memory state around the buggy address: 107 + ffff8800693bc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 108 + ffff8800693bc380: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 fc 109 + ffff8800693bc400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 110 + ffff8800693bc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 111 + ffff8800693bc500: fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00 112 + >ffff8800693bc580: 00 00 00 00 00 00 00 00 00 00 03 fc fc fc fc fc 113 + ^ 114 + ffff8800693bc600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 115 + ffff8800693bc680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 116 + ffff8800693bc700: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb 117 + ffff8800693bc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 118 + ffff8800693bc800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 119 + ================================================================== 120 + 121 + The header of the report discribe what kind of bug happened and what kind of 122 + access caused it. It's followed by the description of the accessed slub object 123 + (see 'SLUB Debug output' section in Documentation/vm/slub.txt for details) and 124 + the description of the accessed memory page. 125 + 126 + In the last section the report shows memory state around the accessed address. 127 + Reading this part requires some understanding of how KASAN works. 128 + 129 + The state of each 8 aligned bytes of memory is encoded in one shadow byte. 130 + Those 8 bytes can be accessible, partially accessible, freed or be a redzone. 131 + We use the following encoding for each shadow byte: 0 means that all 8 bytes 132 + of the corresponding memory region are accessible; number N (1 <= N <= 7) means 133 + that the first N bytes are accessible, and other (8 - N) bytes are not; 134 + any negative value indicates that the entire 8-byte word is inaccessible. 135 + We use different negative values to distinguish between different kinds of 136 + inaccessible memory like redzones or freed memory (see mm/kasan/kasan.h). 137 + 138 + In the report above the arrows point to the shadow byte 03, which means that 139 + the accessed address is partially accessible. 140 + 141 + 142 + Implementation details 143 + ---------------------- 144 + 145 + From a high level, our approach to memory error detection is similar to that 146 + of kmemcheck: use shadow memory to record whether each byte of memory is safe 147 + to access, and use compile-time instrumentation to check shadow memory on each 148 + memory access. 149 + 150 + AddressSanitizer dedicates 1/8 of kernel memory to its shadow memory 151 + (e.g. 16TB to cover 128TB on x86_64) and uses direct mapping with a scale and 152 + offset to translate a memory address to its corresponding shadow address. 153 + 154 + Here is the function which translates an address to its corresponding shadow 155 + address:: 156 + 157 + static inline void *kasan_mem_to_shadow(const void *addr) 158 + { 159 + return ((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT) 160 + + KASAN_SHADOW_OFFSET; 161 + } 162 + 163 + where ``KASAN_SHADOW_SCALE_SHIFT = 3``. 164 + 165 + Compile-time instrumentation used for checking memory accesses. Compiler inserts 166 + function calls (__asan_load*(addr), __asan_store*(addr)) before each memory 167 + access of size 1, 2, 4, 8 or 16. These functions check whether memory access is 168 + valid or not by checking corresponding shadow memory. 169 + 170 + GCC 5.0 has possibility to perform inline instrumentation. Instead of making 171 + function calls GCC directly inserts the code to check the shadow memory. 172 + This option significantly enlarges kernel but it gives x1.1-x2 performance 173 + boost over outline instrumented kernel.

+733

Documentation/dev-tools/kmemcheck.rst

··· 1 + Getting started with kmemcheck 2 + ============================== 3 + 4 + Vegard Nossum <vegardno@ifi.uio.no> 5 + 6 + 7 + Introduction 8 + ------------ 9 + 10 + kmemcheck is a debugging feature for the Linux Kernel. More specifically, it 11 + is a dynamic checker that detects and warns about some uses of uninitialized 12 + memory. 13 + 14 + Userspace programmers might be familiar with Valgrind's memcheck. The main 15 + difference between memcheck and kmemcheck is that memcheck works for userspace 16 + programs only, and kmemcheck works for the kernel only. The implementations 17 + are of course vastly different. Because of this, kmemcheck is not as accurate 18 + as memcheck, but it turns out to be good enough in practice to discover real 19 + programmer errors that the compiler is not able to find through static 20 + analysis. 21 + 22 + Enabling kmemcheck on a kernel will probably slow it down to the extent that 23 + the machine will not be usable for normal workloads such as e.g. an 24 + interactive desktop. kmemcheck will also cause the kernel to use about twice 25 + as much memory as normal. For this reason, kmemcheck is strictly a debugging 26 + feature. 27 + 28 + 29 + Downloading 30 + ----------- 31 + 32 + As of version 2.6.31-rc1, kmemcheck is included in the mainline kernel. 33 + 34 + 35 + Configuring and compiling 36 + ------------------------- 37 + 38 + kmemcheck only works for the x86 (both 32- and 64-bit) platform. A number of 39 + configuration variables must have specific settings in order for the kmemcheck 40 + menu to even appear in "menuconfig". These are: 41 + 42 + - ``CONFIG_CC_OPTIMIZE_FOR_SIZE=n`` 43 + This option is located under "General setup" / "Optimize for size". 44 + 45 + Without this, gcc will use certain optimizations that usually lead to 46 + false positive warnings from kmemcheck. An example of this is a 16-bit 47 + field in a struct, where gcc may load 32 bits, then discard the upper 48 + 16 bits. kmemcheck sees only the 32-bit load, and may trigger a 49 + warning for the upper 16 bits (if they're uninitialized). 50 + 51 + - ``CONFIG_SLAB=y`` or ``CONFIG_SLUB=y`` 52 + This option is located under "General setup" / "Choose SLAB 53 + allocator". 54 + 55 + - ``CONFIG_FUNCTION_TRACER=n`` 56 + This option is located under "Kernel hacking" / "Tracers" / "Kernel 57 + Function Tracer" 58 + 59 + When function tracing is compiled in, gcc emits a call to another 60 + function at the beginning of every function. This means that when the 61 + page fault handler is called, the ftrace framework will be called 62 + before kmemcheck has had a chance to handle the fault. If ftrace then 63 + modifies memory that was tracked by kmemcheck, the result is an 64 + endless recursive page fault. 65 + 66 + - ``CONFIG_DEBUG_PAGEALLOC=n`` 67 + This option is located under "Kernel hacking" / "Memory Debugging" 68 + / "Debug page memory allocations". 69 + 70 + In addition, I highly recommend turning on ``CONFIG_DEBUG_INFO=y``. This is also 71 + located under "Kernel hacking". With this, you will be able to get line number 72 + information from the kmemcheck warnings, which is extremely valuable in 73 + debugging a problem. This option is not mandatory, however, because it slows 74 + down the compilation process and produces a much bigger kernel image. 75 + 76 + Now the kmemcheck menu should be visible (under "Kernel hacking" / "Memory 77 + Debugging" / "kmemcheck: trap use of uninitialized memory"). Here follows 78 + a description of the kmemcheck configuration variables: 79 + 80 + - ``CONFIG_KMEMCHECK`` 81 + This must be enabled in order to use kmemcheck at all... 82 + 83 + - ``CONFIG_KMEMCHECK_``[``DISABLED`` | ``ENABLED`` | ``ONESHOT``]``_BY_DEFAULT`` 84 + This option controls the status of kmemcheck at boot-time. "Enabled" 85 + will enable kmemcheck right from the start, "disabled" will boot the 86 + kernel as normal (but with the kmemcheck code compiled in, so it can 87 + be enabled at run-time after the kernel has booted), and "one-shot" is 88 + a special mode which will turn kmemcheck off automatically after 89 + detecting the first use of uninitialized memory. 90 + 91 + If you are using kmemcheck to actively debug a problem, then you 92 + probably want to choose "enabled" here. 93 + 94 + The one-shot mode is mostly useful in automated test setups because it 95 + can prevent floods of warnings and increase the chances of the machine 96 + surviving in case something is really wrong. In other cases, the one- 97 + shot mode could actually be counter-productive because it would turn 98 + itself off at the very first error -- in the case of a false positive 99 + too -- and this would come in the way of debugging the specific 100 + problem you were interested in. 101 + 102 + If you would like to use your kernel as normal, but with a chance to 103 + enable kmemcheck in case of some problem, it might be a good idea to 104 + choose "disabled" here. When kmemcheck is disabled, most of the run- 105 + time overhead is not incurred, and the kernel will be almost as fast 106 + as normal. 107 + 108 + - ``CONFIG_KMEMCHECK_QUEUE_SIZE`` 109 + Select the maximum number of error reports to store in an internal 110 + (fixed-size) buffer. Since errors can occur virtually anywhere and in 111 + any context, we need a temporary storage area which is guaranteed not 112 + to generate any other page faults when accessed. The queue will be 113 + emptied as soon as a tasklet may be scheduled. If the queue is full, 114 + new error reports will be lost. 115 + 116 + The default value of 64 is probably fine. If some code produces more 117 + than 64 errors within an irqs-off section, then the code is likely to 118 + produce many, many more, too, and these additional reports seldom give 119 + any more information (the first report is usually the most valuable 120 + anyway). 121 + 122 + This number might have to be adjusted if you are not using serial 123 + console or similar to capture the kernel log. If you are using the 124 + "dmesg" command to save the log, then getting a lot of kmemcheck 125 + warnings might overflow the kernel log itself, and the earlier reports 126 + will get lost in that way instead. Try setting this to 10 or so on 127 + such a setup. 128 + 129 + - ``CONFIG_KMEMCHECK_SHADOW_COPY_SHIFT`` 130 + Select the number of shadow bytes to save along with each entry of the 131 + error-report queue. These bytes indicate what parts of an allocation 132 + are initialized, uninitialized, etc. and will be displayed when an 133 + error is detected to help the debugging of a particular problem. 134 + 135 + The number entered here is actually the logarithm of the number of 136 + bytes that will be saved. So if you pick for example 5 here, kmemcheck 137 + will save 2^5 = 32 bytes. 138 + 139 + The default value should be fine for debugging most problems. It also 140 + fits nicely within 80 columns. 141 + 142 + - ``CONFIG_KMEMCHECK_PARTIAL_OK`` 143 + This option (when enabled) works around certain GCC optimizations that 144 + produce 32-bit reads from 16-bit variables where the upper 16 bits are 145 + thrown away afterwards. 146 + 147 + The default value (enabled) is recommended. This may of course hide 148 + some real errors, but disabling it would probably produce a lot of 149 + false positives. 150 + 151 + - ``CONFIG_KMEMCHECK_BITOPS_OK`` 152 + This option silences warnings that would be generated for bit-field 153 + accesses where not all the bits are initialized at the same time. This 154 + may also hide some real bugs. 155 + 156 + This option is probably obsolete, or it should be replaced with 157 + the kmemcheck-/bitfield-annotations for the code in question. The 158 + default value is therefore fine. 159 + 160 + Now compile the kernel as usual. 161 + 162 + 163 + How to use 164 + ---------- 165 + 166 + Booting 167 + ~~~~~~~ 168 + 169 + First some information about the command-line options. There is only one 170 + option specific to kmemcheck, and this is called "kmemcheck". It can be used 171 + to override the default mode as chosen by the ``CONFIG_KMEMCHECK_*_BY_DEFAULT`` 172 + option. Its possible settings are: 173 + 174 + - ``kmemcheck=0`` (disabled) 175 + - ``kmemcheck=1`` (enabled) 176 + - ``kmemcheck=2`` (one-shot mode) 177 + 178 + If SLUB debugging has been enabled in the kernel, it may take precedence over 179 + kmemcheck in such a way that the slab caches which are under SLUB debugging 180 + will not be tracked by kmemcheck. In order to ensure that this doesn't happen 181 + (even though it shouldn't by default), use SLUB's boot option ``slub_debug``, 182 + like this: ``slub_debug=-`` 183 + 184 + In fact, this option may also be used for fine-grained control over SLUB vs. 185 + kmemcheck. For example, if the command line includes 186 + ``kmemcheck=1 slub_debug=,dentry``, then SLUB debugging will be used only 187 + for the "dentry" slab cache, and with kmemcheck tracking all the other 188 + caches. This is advanced usage, however, and is not generally recommended. 189 + 190 + 191 + Run-time enable/disable 192 + ~~~~~~~~~~~~~~~~~~~~~~~ 193 + 194 + When the kernel has booted, it is possible to enable or disable kmemcheck at 195 + run-time. WARNING: This feature is still experimental and may cause false 196 + positive warnings to appear. Therefore, try not to use this. If you find that 197 + it doesn't work properly (e.g. you see an unreasonable amount of warnings), I 198 + will be happy to take bug reports. 199 + 200 + Use the file ``/proc/sys/kernel/kmemcheck`` for this purpose, e.g.:: 201 + 202 + $ echo 0 > /proc/sys/kernel/kmemcheck # disables kmemcheck 203 + 204 + The numbers are the same as for the ``kmemcheck=`` command-line option. 205 + 206 + 207 + Debugging 208 + ~~~~~~~~~ 209 + 210 + A typical report will look something like this:: 211 + 212 + WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff88003e4a2024) 213 + 80000000000000000000000000000000000000000088ffff0000000000000000 214 + i i i i u u u u i i i i i i i i u u u u u u u u u u u u u u u u 215 + ^ 216 + 217 + Pid: 1856, comm: ntpdate Not tainted 2.6.29-rc5 #264 945P-A 218 + RIP: 0010:[<ffffffff8104ede8>] [<ffffffff8104ede8>] __dequeue_signal+0xc8/0x190 219 + RSP: 0018:ffff88003cdf7d98 EFLAGS: 00210002 220 + RAX: 0000000000000030 RBX: ffff88003d4ea968 RCX: 0000000000000009 221 + RDX: ffff88003e5d6018 RSI: ffff88003e5d6024 RDI: ffff88003cdf7e84 222 + RBP: ffff88003cdf7db8 R08: ffff88003e5d6000 R09: 0000000000000000 223 + R10: 0000000000000080 R11: 0000000000000000 R12: 000000000000000e 224 + R13: ffff88003cdf7e78 R14: ffff88003d530710 R15: ffff88003d5a98c8 225 + FS: 0000000000000000(0000) GS:ffff880001982000(0063) knlGS:00000 226 + CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 227 + CR2: ffff88003f806ea0 CR3: 000000003c036000 CR4: 00000000000006a0 228 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 229 + DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400 230 + [<ffffffff8104f04e>] dequeue_signal+0x8e/0x170 231 + [<ffffffff81050bd8>] get_signal_to_deliver+0x98/0x390 232 + [<ffffffff8100b87d>] do_notify_resume+0xad/0x7d0 233 + [<ffffffff8100c7b5>] int_signal+0x12/0x17 234 + [<ffffffffffffffff>] 0xffffffffffffffff 235 + 236 + The single most valuable information in this report is the RIP (or EIP on 32- 237 + bit) value. This will help us pinpoint exactly which instruction that caused 238 + the warning. 239 + 240 + If your kernel was compiled with ``CONFIG_DEBUG_INFO=y``, then all we have to do 241 + is give this address to the addr2line program, like this:: 242 + 243 + $ addr2line -e vmlinux -i ffffffff8104ede8 244 + arch/x86/include/asm/string_64.h:12 245 + include/asm-generic/siginfo.h:287 246 + kernel/signal.c:380 247 + kernel/signal.c:410 248 + 249 + The "``-e vmlinux``" tells addr2line which file to look in. **IMPORTANT:** 250 + This must be the vmlinux of the kernel that produced the warning in the 251 + first place! If not, the line number information will almost certainly be 252 + wrong. 253 + 254 + The "``-i``" tells addr2line to also print the line numbers of inlined 255 + functions. In this case, the flag was very important, because otherwise, 256 + it would only have printed the first line, which is just a call to 257 + ``memcpy()``, which could be called from a thousand places in the kernel, and 258 + is therefore not very useful. These inlined functions would not show up in 259 + the stack trace above, simply because the kernel doesn't load the extra 260 + debugging information. This technique can of course be used with ordinary 261 + kernel oopses as well. 262 + 263 + In this case, it's the caller of ``memcpy()`` that is interesting, and it can be 264 + found in ``include/asm-generic/siginfo.h``, line 287:: 265 + 266 + 281 static inline void copy_siginfo(struct siginfo *to, struct siginfo *from) 267 + 282 { 268 + 283 if (from->si_code < 0) 269 + 284 memcpy(to, from, sizeof(*to)); 270 + 285 else 271 + 286 /* _sigchld is currently the largest know union member */ 272 + 287 memcpy(to, from, __ARCH_SI_PREAMBLE_SIZE + sizeof(from->_sifields._sigchld)); 273 + 288 } 274 + 275 + Since this was a read (kmemcheck usually warns about reads only, though it can 276 + warn about writes to unallocated or freed memory as well), it was probably the 277 + "from" argument which contained some uninitialized bytes. Following the chain 278 + of calls, we move upwards to see where "from" was allocated or initialized, 279 + ``kernel/signal.c``, line 380:: 280 + 281 + 359 static void collect_signal(int sig, struct sigpending *list, siginfo_t *info) 282 + 360 { 283 + ... 284 + 367 list_for_each_entry(q, &list->list, list) { 285 + 368 if (q->info.si_signo == sig) { 286 + 369 if (first) 287 + 370 goto still_pending; 288 + 371 first = q; 289 + ... 290 + 377 if (first) { 291 + 378 still_pending: 292 + 379 list_del_init(&first->list); 293 + 380 copy_siginfo(info, &first->info); 294 + 381 __sigqueue_free(first); 295 + ... 296 + 392 } 297 + 393 } 298 + 299 + Here, it is ``&first->info`` that is being passed on to ``copy_siginfo()``. The 300 + variable ``first`` was found on a list -- passed in as the second argument to 301 + ``collect_signal()``. We continue our journey through the stack, to figure out 302 + where the item on "list" was allocated or initialized. We move to line 410:: 303 + 304 + 395 static int __dequeue_signal(struct sigpending *pending, sigset_t *mask, 305 + 396 siginfo_t *info) 306 + 397 { 307 + ... 308 + 410 collect_signal(sig, pending, info); 309 + ... 310 + 414 } 311 + 312 + Now we need to follow the ``pending`` pointer, since that is being passed on to 313 + ``collect_signal()`` as ``list``. At this point, we've run out of lines from the 314 + "addr2line" output. Not to worry, we just paste the next addresses from the 315 + kmemcheck stack dump, i.e.:: 316 + 317 + [<ffffffff8104f04e>] dequeue_signal+0x8e/0x170 318 + [<ffffffff81050bd8>] get_signal_to_deliver+0x98/0x390 319 + [<ffffffff8100b87d>] do_notify_resume+0xad/0x7d0 320 + [<ffffffff8100c7b5>] int_signal+0x12/0x17 321 + 322 + $ addr2line -e vmlinux -i ffffffff8104f04e ffffffff81050bd8 \ 323 + ffffffff8100b87d ffffffff8100c7b5 324 + kernel/signal.c:446 325 + kernel/signal.c:1806 326 + arch/x86/kernel/signal.c:805 327 + arch/x86/kernel/signal.c:871 328 + arch/x86/kernel/entry_64.S:694 329 + 330 + Remember that since these addresses were found on the stack and not as the 331 + RIP value, they actually point to the _next_ instruction (they are return 332 + addresses). This becomes obvious when we look at the code for line 446:: 333 + 334 + 422 int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) 335 + 423 { 336 + ... 337 + 431 signr = __dequeue_signal(&tsk->signal->shared_pending, 338 + 432 mask, info); 339 + 433 /* 340 + 434 * itimer signal ? 341 + 435 * 342 + 436 * itimers are process shared and we restart periodic 343 + 437 * itimers in the signal delivery path to prevent DoS 344 + 438 * attacks in the high resolution timer case. This is 345 + 439 * compliant with the old way of self restarting 346 + 440 * itimers, as the SIGALRM is a legacy signal and only 347 + 441 * queued once. Changing the restart behaviour to 348 + 442 * restart the timer in the signal dequeue path is 349 + 443 * reducing the timer noise on heavy loaded !highres 350 + 444 * systems too. 351 + 445 */ 352 + 446 if (unlikely(signr == SIGALRM)) { 353 + ... 354 + 489 } 355 + 356 + So instead of looking at 446, we should be looking at 431, which is the line 357 + that executes just before 446. Here we see that what we are looking for is 358 + ``&tsk->signal->shared_pending``. 359 + 360 + Our next task is now to figure out which function that puts items on this 361 + ``shared_pending`` list. A crude, but efficient tool, is ``git grep``:: 362 + 363 + $ git grep -n 'shared_pending' kernel/ 364 + ... 365 + kernel/signal.c:828: pending = group ? &t->signal->shared_pending : &t->pending; 366 + kernel/signal.c:1339: pending = group ? &t->signal->shared_pending : &t->pending; 367 + ... 368 + 369 + There were more results, but none of them were related to list operations, 370 + and these were the only assignments. We inspect the line numbers more closely 371 + and find that this is indeed where items are being added to the list:: 372 + 373 + 816 static int send_signal(int sig, struct siginfo *info, struct task_struct *t, 374 + 817 int group) 375 + 818 { 376 + ... 377 + 828 pending = group ? &t->signal->shared_pending : &t->pending; 378 + ... 379 + 851 q = __sigqueue_alloc(t, GFP_ATOMIC, (sig < SIGRTMIN && 380 + 852 (is_si_special(info) || 381 + 853 info->si_code >= 0))); 382 + 854 if (q) { 383 + 855 list_add_tail(&q->list, &pending->list); 384 + ... 385 + 890 } 386 + 387 + and:: 388 + 389 + 1309 int send_sigqueue(struct sigqueue *q, struct task_struct *t, int group) 390 + 1310 { 391 + .... 392 + 1339 pending = group ? &t->signal->shared_pending : &t->pending; 393 + 1340 list_add_tail(&q->list, &pending->list); 394 + .... 395 + 1347 } 396 + 397 + In the first case, the list element we are looking for, ``q``, is being 398 + returned from the function ``__sigqueue_alloc()``, which looks like an 399 + allocation function. Let's take a look at it:: 400 + 401 + 187 static struct sigqueue *__sigqueue_alloc(struct task_struct *t, gfp_t flags, 402 + 188 int override_rlimit) 403 + 189 { 404 + 190 struct sigqueue *q = NULL; 405 + 191 struct user_struct *user; 406 + 192 407 + 193 /* 408 + 194 * We won't get problems with the target's UID changing under us 409 + 195 * because changing it requires RCU be used, and if t != current, the 410 + 196 * caller must be holding the RCU readlock (by way of a spinlock) and 411 + 197 * we use RCU protection here 412 + 198 */ 413 + 199 user = get_uid(__task_cred(t)->user); 414 + 200 atomic_inc(&user->sigpending); 415 + 201 if (override_rlimit || 416 + 202 atomic_read(&user->sigpending) <= 417 + 203 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) 418 + 204 q = kmem_cache_alloc(sigqueue_cachep, flags); 419 + 205 if (unlikely(q == NULL)) { 420 + 206 atomic_dec(&user->sigpending); 421 + 207 free_uid(user); 422 + 208 } else { 423 + 209 INIT_LIST_HEAD(&q->list); 424 + 210 q->flags = 0; 425 + 211 q->user = user; 426 + 212 } 427 + 213 428 + 214 return q; 429 + 215 } 430 + 431 + We see that this function initializes ``q->list``, ``q->flags``, and 432 + ``q->user``. It seems that now is the time to look at the definition of 433 + ``struct sigqueue``, e.g.:: 434 + 435 + 14 struct sigqueue { 436 + 15 struct list_head list; 437 + 16 int flags; 438 + 17 siginfo_t info; 439 + 18 struct user_struct *user; 440 + 19 }; 441 + 442 + And, you might remember, it was a ``memcpy()`` on ``&first->info`` that 443 + caused the warning, so this makes perfect sense. It also seems reasonable 444 + to assume that it is the caller of ``__sigqueue_alloc()`` that has the 445 + responsibility of filling out (initializing) this member. 446 + 447 + But just which fields of the struct were uninitialized? Let's look at 448 + kmemcheck's report again:: 449 + 450 + WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff88003e4a2024) 451 + 80000000000000000000000000000000000000000088ffff0000000000000000 452 + i i i i u u u u i i i i i i i i u u u u u u u u u u u u u u u u 453 + ^ 454 + 455 + These first two lines are the memory dump of the memory object itself, and 456 + the shadow bytemap, respectively. The memory object itself is in this case 457 + ``&first->info``. Just beware that the start of this dump is NOT the start 458 + of the object itself! The position of the caret (^) corresponds with the 459 + address of the read (ffff88003e4a2024). 460 + 461 + The shadow bytemap dump legend is as follows: 462 + 463 + - i: initialized 464 + - u: uninitialized 465 + - a: unallocated (memory has been allocated by the slab layer, but has not 466 + yet been handed off to anybody) 467 + - f: freed (memory has been allocated by the slab layer, but has been freed 468 + by the previous owner) 469 + 470 + In order to figure out where (relative to the start of the object) the 471 + uninitialized memory was located, we have to look at the disassembly. For 472 + that, we'll need the RIP address again:: 473 + 474 + RIP: 0010:[<ffffffff8104ede8>] [<ffffffff8104ede8>] __dequeue_signal+0xc8/0x190 475 + 476 + $ objdump -d --no-show-raw-insn vmlinux | grep -C 8 ffffffff8104ede8: 477 + ffffffff8104edc8: mov %r8,0x8(%r8) 478 + ffffffff8104edcc: test %r10d,%r10d 479 + ffffffff8104edcf: js ffffffff8104ee88 <__dequeue_signal+0x168> 480 + ffffffff8104edd5: mov %rax,%rdx 481 + ffffffff8104edd8: mov $0xc,%ecx 482 + ffffffff8104eddd: mov %r13,%rdi 483 + ffffffff8104ede0: mov $0x30,%eax 484 + ffffffff8104ede5: mov %rdx,%rsi 485 + ffffffff8104ede8: rep movsl %ds:(%rsi),%es:(%rdi) 486 + ffffffff8104edea: test $0x2,%al 487 + ffffffff8104edec: je ffffffff8104edf0 <__dequeue_signal+0xd0> 488 + ffffffff8104edee: movsw %ds:(%rsi),%es:(%rdi) 489 + ffffffff8104edf0: test $0x1,%al 490 + ffffffff8104edf2: je ffffffff8104edf5 <__dequeue_signal+0xd5> 491 + ffffffff8104edf4: movsb %ds:(%rsi),%es:(%rdi) 492 + ffffffff8104edf5: mov %r8,%rdi 493 + ffffffff8104edf8: callq ffffffff8104de60 <__sigqueue_free> 494 + 495 + As expected, it's the "``rep movsl``" instruction from the ``memcpy()`` 496 + that causes the warning. We know about ``REP MOVSL`` that it uses the register 497 + ``RCX`` to count the number of remaining iterations. By taking a look at the 498 + register dump again (from the kmemcheck report), we can figure out how many 499 + bytes were left to copy:: 500 + 501 + RAX: 0000000000000030 RBX: ffff88003d4ea968 RCX: 0000000000000009 502 + 503 + By looking at the disassembly, we also see that ``%ecx`` is being loaded 504 + with the value ``$0xc`` just before (ffffffff8104edd8), so we are very 505 + lucky. Keep in mind that this is the number of iterations, not bytes. And 506 + since this is a "long" operation, we need to multiply by 4 to get the 507 + number of bytes. So this means that the uninitialized value was encountered 508 + at 4 * (0xc - 0x9) = 12 bytes from the start of the object. 509 + 510 + We can now try to figure out which field of the "``struct siginfo``" that 511 + was not initialized. This is the beginning of the struct:: 512 + 513 + 40 typedef struct siginfo { 514 + 41 int si_signo; 515 + 42 int si_errno; 516 + 43 int si_code; 517 + 44 518 + 45 union { 519 + .. 520 + 92 } _sifields; 521 + 93 } siginfo_t; 522 + 523 + On 64-bit, the int is 4 bytes long, so it must the union member that has 524 + not been initialized. We can verify this using gdb:: 525 + 526 + $ gdb vmlinux 527 + ... 528 + (gdb) p &((struct siginfo *) 0)->_sifields 529 + $1 = (union {...} *) 0x10 530 + 531 + Actually, it seems that the union member is located at offset 0x10 -- which 532 + means that gcc has inserted 4 bytes of padding between the members ``si_code`` 533 + and ``_sifields``. We can now get a fuller picture of the memory dump:: 534 + 535 + _----------------------------=> si_code 536 + / _--------------------=> (padding) 537 + | / _------------=> _sifields(._kill._pid) 538 + | | / _----=> _sifields(._kill._uid) 539 + | | | / 540 + -------|-------|-------|-------| 541 + 80000000000000000000000000000000000000000088ffff0000000000000000 542 + i i i i u u u u i i i i i i i i u u u u u u u u u u u u u u u u 543 + 544 + This allows us to realize another important fact: ``si_code`` contains the 545 + value 0x80. Remember that x86 is little endian, so the first 4 bytes 546 + "80000000" are really the number 0x00000080. With a bit of research, we 547 + find that this is actually the constant ``SI_KERNEL`` defined in 548 + ``include/asm-generic/siginfo.h``:: 549 + 550 + 144 #define SI_KERNEL 0x80 /* sent by the kernel from somewhere */ 551 + 552 + This macro is used in exactly one place in the x86 kernel: In ``send_signal()`` 553 + in ``kernel/signal.c``:: 554 + 555 + 816 static int send_signal(int sig, struct siginfo *info, struct task_struct *t, 556 + 817 int group) 557 + 818 { 558 + ... 559 + 828 pending = group ? &t->signal->shared_pending : &t->pending; 560 + ... 561 + 851 q = __sigqueue_alloc(t, GFP_ATOMIC, (sig < SIGRTMIN && 562 + 852 (is_si_special(info) || 563 + 853 info->si_code >= 0))); 564 + 854 if (q) { 565 + 855 list_add_tail(&q->list, &pending->list); 566 + 856 switch ((unsigned long) info) { 567 + ... 568 + 865 case (unsigned long) SEND_SIG_PRIV: 569 + 866 q->info.si_signo = sig; 570 + 867 q->info.si_errno = 0; 571 + 868 q->info.si_code = SI_KERNEL; 572 + 869 q->info.si_pid = 0; 573 + 870 q->info.si_uid = 0; 574 + 871 break; 575 + ... 576 + 890 } 577 + 578 + Not only does this match with the ``.si_code`` member, it also matches the place 579 + we found earlier when looking for where siginfo_t objects are enqueued on the 580 + ``shared_pending`` list. 581 + 582 + So to sum up: It seems that it is the padding introduced by the compiler 583 + between two struct fields that is uninitialized, and this gets reported when 584 + we do a ``memcpy()`` on the struct. This means that we have identified a false 585 + positive warning. 586 + 587 + Normally, kmemcheck will not report uninitialized accesses in ``memcpy()`` calls 588 + when both the source and destination addresses are tracked. (Instead, we copy 589 + the shadow bytemap as well). In this case, the destination address clearly 590 + was not tracked. We can dig a little deeper into the stack trace from above:: 591 + 592 + arch/x86/kernel/signal.c:805 593 + arch/x86/kernel/signal.c:871 594 + arch/x86/kernel/entry_64.S:694 595 + 596 + And we clearly see that the destination siginfo object is located on the 597 + stack:: 598 + 599 + 782 static void do_signal(struct pt_regs *regs) 600 + 783 { 601 + 784 struct k_sigaction ka; 602 + 785 siginfo_t info; 603 + ... 604 + 804 signr = get_signal_to_deliver(&info, &ka, regs, NULL); 605 + ... 606 + 854 } 607 + 608 + And this ``&info`` is what eventually gets passed to ``copy_siginfo()`` as the 609 + destination argument. 610 + 611 + Now, even though we didn't find an actual error here, the example is still a 612 + good one, because it shows how one would go about to find out what the report 613 + was all about. 614 + 615 + 616 + Annotating false positives 617 + ~~~~~~~~~~~~~~~~~~~~~~~~~~ 618 + 619 + There are a few different ways to make annotations in the source code that 620 + will keep kmemcheck from checking and reporting certain allocations. Here 621 + they are: 622 + 623 + - ``__GFP_NOTRACK_FALSE_POSITIVE`` 624 + This flag can be passed to ``kmalloc()`` or ``kmem_cache_alloc()`` 625 + (therefore also to other functions that end up calling one of 626 + these) to indicate that the allocation should not be tracked 627 + because it would lead to a false positive report. This is a "big 628 + hammer" way of silencing kmemcheck; after all, even if the false 629 + positive pertains to particular field in a struct, for example, we 630 + will now lose the ability to find (real) errors in other parts of 631 + the same struct. 632 + 633 + Example:: 634 + 635 + /* No warnings will ever trigger on accessing any part of x */ 636 + x = kmalloc(sizeof *x, GFP_KERNEL | __GFP_NOTRACK_FALSE_POSITIVE); 637 + 638 + - ``kmemcheck_bitfield_begin(name)``/``kmemcheck_bitfield_end(name)`` and 639 + ``kmemcheck_annotate_bitfield(ptr, name)`` 640 + The first two of these three macros can be used inside struct 641 + definitions to signal, respectively, the beginning and end of a 642 + bitfield. Additionally, this will assign the bitfield a name, which 643 + is given as an argument to the macros. 644 + 645 + Having used these markers, one can later use 646 + kmemcheck_annotate_bitfield() at the point of allocation, to indicate 647 + which parts of the allocation is part of a bitfield. 648 + 649 + Example:: 650 + 651 + struct foo { 652 + int x; 653 + 654 + kmemcheck_bitfield_begin(flags); 655 + int flag_a:1; 656 + int flag_b:1; 657 + kmemcheck_bitfield_end(flags); 658 + 659 + int y; 660 + }; 661 + 662 + struct foo *x = kmalloc(sizeof *x); 663 + 664 + /* No warnings will trigger on accessing the bitfield of x */ 665 + kmemcheck_annotate_bitfield(x, flags); 666 + 667 + Note that ``kmemcheck_annotate_bitfield()`` can be used even before the 668 + return value of ``kmalloc()`` is checked -- in other words, passing NULL 669 + as the first argument is legal (and will do nothing). 670 + 671 + 672 + Reporting errors 673 + ---------------- 674 + 675 + As we have seen, kmemcheck will produce false positive reports. Therefore, it 676 + is not very wise to blindly post kmemcheck warnings to mailing lists and 677 + maintainers. Instead, I encourage maintainers and developers to find errors 678 + in their own code. If you get a warning, you can try to work around it, try 679 + to figure out if it's a real error or not, or simply ignore it. Most 680 + developers know their own code and will quickly and efficiently determine the 681 + root cause of a kmemcheck report. This is therefore also the most efficient 682 + way to work with kmemcheck. 683 + 684 + That said, we (the kmemcheck maintainers) will always be on the lookout for 685 + false positives that we can annotate and silence. So whatever you find, 686 + please drop us a note privately! Kernel configs and steps to reproduce (if 687 + available) are of course a great help too. 688 + 689 + Happy hacking! 690 + 691 + 692 + Technical description 693 + --------------------- 694 + 695 + kmemcheck works by marking memory pages non-present. This means that whenever 696 + somebody attempts to access the page, a page fault is generated. The page 697 + fault handler notices that the page was in fact only hidden, and so it calls 698 + on the kmemcheck code to make further investigations. 699 + 700 + When the investigations are completed, kmemcheck "shows" the page by marking 701 + it present (as it would be under normal circumstances). This way, the 702 + interrupted code can continue as usual. 703 + 704 + But after the instruction has been executed, we should hide the page again, so 705 + that we can catch the next access too! Now kmemcheck makes use of a debugging 706 + feature of the processor, namely single-stepping. When the processor has 707 + finished the one instruction that generated the memory access, a debug 708 + exception is raised. From here, we simply hide the page again and continue 709 + execution, this time with the single-stepping feature turned off. 710 + 711 + kmemcheck requires some assistance from the memory allocator in order to work. 712 + The memory allocator needs to 713 + 714 + 1. Tell kmemcheck about newly allocated pages and pages that are about to 715 + be freed. This allows kmemcheck to set up and tear down the shadow memory 716 + for the pages in question. The shadow memory stores the status of each 717 + byte in the allocation proper, e.g. whether it is initialized or 718 + uninitialized. 719 + 720 + 2. Tell kmemcheck which parts of memory should be marked uninitialized. 721 + There are actually a few more states, such as "not yet allocated" and 722 + "recently freed". 723 + 724 + If a slab cache is set up using the SLAB_NOTRACK flag, it will never return 725 + memory that can take page faults because of kmemcheck. 726 + 727 + If a slab cache is NOT set up using the SLAB_NOTRACK flag, callers can still 728 + request memory with the __GFP_NOTRACK or __GFP_NOTRACK_FALSE_POSITIVE flags. 729 + This does not prevent the page faults from occurring, however, but marks the 730 + object in question as being initialized so that no warnings will ever be 731 + produced for this object. 732 + 733 + Currently, the SLAB and SLUB allocators are supported by kmemcheck.

+25

Documentation/dev-tools/tools.rst

··· 1 + ================================ 2 + Development tools for the kernel 3 + ================================ 4 + 5 + This document is a collection of documents about development tools that can 6 + be used to work on the kernel. For now, the documents have been pulled 7 + together without any significant effot to integrate them into a coherent 8 + whole; patches welcome! 9 + 10 + .. class:: toc-title 11 + 12 + Table of contents 13 + 14 + .. toctree:: 15 + :maxdepth: 2 16 + 17 + coccinelle 18 + sparse 19 + kcov 20 + gcov 21 + kasan 22 + ubsan 23 + kmemleak 24 + kmemcheck 25 + gdb-kernel-debugging

+7

Documentation/docutils.conf

··· 1 + # -*- coding: utf-8 mode: conf-colon -*- 2 + # 3 + # docutils configuration file 4 + # http://docutils.sourceforge.net/docs/user/config.html 5 + 6 + [general] 7 + halt_level: severe

-257

Documentation/gcov.txt

··· 1 - Using gcov with the Linux kernel 2 - ================================ 3 - 4 - 1. Introduction 5 - 2. Preparation 6 - 3. Customization 7 - 4. Files 8 - 5. Modules 9 - 6. Separated build and test machines 10 - 7. Troubleshooting 11 - Appendix A: sample script: gather_on_build.sh 12 - Appendix B: sample script: gather_on_test.sh 13 - 14 - 15 - 1. Introduction 16 - =============== 17 - 18 - gcov profiling kernel support enables the use of GCC's coverage testing 19 - tool gcov [1] with the Linux kernel. Coverage data of a running kernel 20 - is exported in gcov-compatible format via the "gcov" debugfs directory. 21 - To get coverage data for a specific file, change to the kernel build 22 - directory and use gcov with the -o option as follows (requires root): 23 - 24 - # cd /tmp/linux-out 25 - # gcov -o /sys/kernel/debug/gcov/tmp/linux-out/kernel spinlock.c 26 - 27 - This will create source code files annotated with execution counts 28 - in the current directory. In addition, graphical gcov front-ends such 29 - as lcov [2] can be used to automate the process of collecting data 30 - for the entire kernel and provide coverage overviews in HTML format. 31 - 32 - Possible uses: 33 - 34 - * debugging (has this line been reached at all?) 35 - * test improvement (how do I change my test to cover these lines?) 36 - * minimizing kernel configurations (do I need this option if the 37 - associated code is never run?) 38 - 39 - -- 40 - 41 - [1] http://gcc.gnu.org/onlinedocs/gcc/Gcov.html 42 - [2] http://ltp.sourceforge.net/coverage/lcov.php 43 - 44 - 45 - 2. Preparation 46 - ============== 47 - 48 - Configure the kernel with: 49 - 50 - CONFIG_DEBUG_FS=y 51 - CONFIG_GCOV_KERNEL=y 52 - 53 - select the gcc's gcov format, default is autodetect based on gcc version: 54 - 55 - CONFIG_GCOV_FORMAT_AUTODETECT=y 56 - 57 - and to get coverage data for the entire kernel: 58 - 59 - CONFIG_GCOV_PROFILE_ALL=y 60 - 61 - Note that kernels compiled with profiling flags will be significantly 62 - larger and run slower. Also CONFIG_GCOV_PROFILE_ALL may not be supported 63 - on all architectures. 64 - 65 - Profiling data will only become accessible once debugfs has been 66 - mounted: 67 - 68 - mount -t debugfs none /sys/kernel/debug 69 - 70 - 71 - 3. Customization 72 - ================ 73 - 74 - To enable profiling for specific files or directories, add a line 75 - similar to the following to the respective kernel Makefile: 76 - 77 - For a single file (e.g. main.o): 78 - GCOV_PROFILE_main.o := y 79 - 80 - For all files in one directory: 81 - GCOV_PROFILE := y 82 - 83 - To exclude files from being profiled even when CONFIG_GCOV_PROFILE_ALL 84 - is specified, use: 85 - 86 - GCOV_PROFILE_main.o := n 87 - and: 88 - GCOV_PROFILE := n 89 - 90 - Only files which are linked to the main kernel image or are compiled as 91 - kernel modules are supported by this mechanism. 92 - 93 - 94 - 4. Files 95 - ======== 96 - 97 - The gcov kernel support creates the following files in debugfs: 98 - 99 - /sys/kernel/debug/gcov 100 - Parent directory for all gcov-related files. 101 - 102 - /sys/kernel/debug/gcov/reset 103 - Global reset file: resets all coverage data to zero when 104 - written to. 105 - 106 - /sys/kernel/debug/gcov/path/to/compile/dir/file.gcda 107 - The actual gcov data file as understood by the gcov 108 - tool. Resets file coverage data to zero when written to. 109 - 110 - /sys/kernel/debug/gcov/path/to/compile/dir/file.gcno 111 - Symbolic link to a static data file required by the gcov 112 - tool. This file is generated by gcc when compiling with 113 - option -ftest-coverage. 114 - 115 - 116 - 5. Modules 117 - ========== 118 - 119 - Kernel modules may contain cleanup code which is only run during 120 - module unload time. The gcov mechanism provides a means to collect 121 - coverage data for such code by keeping a copy of the data associated 122 - with the unloaded module. This data remains available through debugfs. 123 - Once the module is loaded again, the associated coverage counters are 124 - initialized with the data from its previous instantiation. 125 - 126 - This behavior can be deactivated by specifying the gcov_persist kernel 127 - parameter: 128 - 129 - gcov_persist=0 130 - 131 - At run-time, a user can also choose to discard data for an unloaded 132 - module by writing to its data file or the global reset file. 133 - 134 - 135 - 6. Separated build and test machines 136 - ==================================== 137 - 138 - The gcov kernel profiling infrastructure is designed to work out-of-the 139 - box for setups where kernels are built and run on the same machine. In 140 - cases where the kernel runs on a separate machine, special preparations 141 - must be made, depending on where the gcov tool is used: 142 - 143 - a) gcov is run on the TEST machine 144 - 145 - The gcov tool version on the test machine must be compatible with the 146 - gcc version used for kernel build. Also the following files need to be 147 - copied from build to test machine: 148 - 149 - from the source tree: 150 - - all C source files + headers 151 - 152 - from the build tree: 153 - - all C source files + headers 154 - - all .gcda and .gcno files 155 - - all links to directories 156 - 157 - It is important to note that these files need to be placed into the 158 - exact same file system location on the test machine as on the build 159 - machine. If any of the path components is symbolic link, the actual 160 - directory needs to be used instead (due to make's CURDIR handling). 161 - 162 - b) gcov is run on the BUILD machine 163 - 164 - The following files need to be copied after each test case from test 165 - to build machine: 166 - 167 - from the gcov directory in sysfs: 168 - - all .gcda files 169 - - all links to .gcno files 170 - 171 - These files can be copied to any location on the build machine. gcov 172 - must then be called with the -o option pointing to that directory. 173 - 174 - Example directory setup on the build machine: 175 - 176 - /tmp/linux: kernel source tree 177 - /tmp/out: kernel build directory as specified by make O= 178 - /tmp/coverage: location of the files copied from the test machine 179 - 180 - [user@build] cd /tmp/out 181 - [user@build] gcov -o /tmp/coverage/tmp/out/init main.c 182 - 183 - 184 - 7. Troubleshooting 185 - ================== 186 - 187 - Problem: Compilation aborts during linker step. 188 - Cause: Profiling flags are specified for source files which are not 189 - linked to the main kernel or which are linked by a custom 190 - linker procedure. 191 - Solution: Exclude affected source files from profiling by specifying 192 - GCOV_PROFILE := n or GCOV_PROFILE_basename.o := n in the 193 - corresponding Makefile. 194 - 195 - Problem: Files copied from sysfs appear empty or incomplete. 196 - Cause: Due to the way seq_file works, some tools such as cp or tar 197 - may not correctly copy files from sysfs. 198 - Solution: Use 'cat' to read .gcda files and 'cp -d' to copy links. 199 - Alternatively use the mechanism shown in Appendix B. 200 - 201 - 202 - Appendix A: gather_on_build.sh 203 - ============================== 204 - 205 - Sample script to gather coverage meta files on the build machine 206 - (see 6a): 207 - #!/bin/bash 208 - 209 - KSRC=$1 210 - KOBJ=$2 211 - DEST=$3 212 - 213 - if [ -z "$KSRC" ] || [ -z "$KOBJ" ] || [ -z "$DEST" ]; then 214 - echo "Usage: $0 <ksrc directory> <kobj directory> <output.tar.gz>" >&2 215 - exit 1 216 - fi 217 - 218 - KSRC=$(cd $KSRC; printf "all:\n\t@echo \${CURDIR}\n" | make -f -) 219 - KOBJ=$(cd $KOBJ; printf "all:\n\t@echo \${CURDIR}\n" | make -f -) 220 - 221 - find $KSRC $KOBJ $ -name '*.gcno' -o -name '*.[ch]' -o -type l $ -a \ 222 - -perm /u+r,g+r | tar cfz $DEST -P -T - 223 - 224 - if [ $? -eq 0 ] ; then 225 - echo "$DEST successfully created, copy to test system and unpack with:" 226 - echo " tar xfz $DEST -P" 227 - else 228 - echo "Could not create file $DEST" 229 - fi 230 - 231 - 232 - Appendix B: gather_on_test.sh 233 - ============================= 234 - 235 - Sample script to gather coverage data files on the test machine 236 - (see 6b): 237 - 238 - #!/bin/bash -e 239 - 240 - DEST=$1 241 - GCDA=/sys/kernel/debug/gcov 242 - 243 - if [ -z "$DEST" ] ; then 244 - echo "Usage: $0 <output.tar.gz>" >&2 245 - exit 1 246 - fi 247 - 248 - TEMPDIR=$(mktemp -d) 249 - echo Collecting data.. 250 - find $GCDA -type d -exec mkdir -p $TEMPDIR/\{\} \; 251 - find $GCDA -name '*.gcda' -exec sh -c 'cat < $0 > '$TEMPDIR'/$0' {} \; 252 - find $GCDA -name '*.gcno' -exec sh -c 'cp -d $0 '$TEMPDIR'/$0' {} \; 253 - tar czf $DEST -C $TEMPDIR sys 254 - rm -rf $TEMPDIR 255 - 256 - echo "$DEST successfully created, copy to build system and unpack with:" 257 - echo " tar xfz $DEST"

+45 -32

Documentation/gdb-kernel-debugging.txt Documentation/dev-tools/gdb-kernel-debugging.rst

··· 1 + .. highlight:: none 2 + 1 3 Debugging kernel and modules via gdb 2 4 ==================================== 3 5 ··· 15 13 Requirements 16 14 ------------ 17 15 18 - o gdb 7.2+ (recommended: 7.4+) with python support enabled (typically true 19 - for distributions) 16 + - gdb 7.2+ (recommended: 7.4+) with python support enabled (typically true 17 + for distributions) 20 18 21 19 22 20 Setup 23 21 ----- 24 22 25 - o Create a virtual Linux machine for QEMU/KVM (see www.linux-kvm.org and 26 - www.qemu.org for more details). For cross-development, 27 - http://landley.net/aboriginal/bin keeps a pool of machine images and 28 - toolchains that can be helpful to start from. 23 + - Create a virtual Linux machine for QEMU/KVM (see www.linux-kvm.org and 24 + www.qemu.org for more details). For cross-development, 25 + http://landley.net/aboriginal/bin keeps a pool of machine images and 26 + toolchains that can be helpful to start from. 29 27 30 - o Build the kernel with CONFIG_GDB_SCRIPTS enabled, but leave 31 - CONFIG_DEBUG_INFO_REDUCED off. If your architecture supports 32 - CONFIG_FRAME_POINTER, keep it enabled. 28 + - Build the kernel with CONFIG_GDB_SCRIPTS enabled, but leave 29 + CONFIG_DEBUG_INFO_REDUCED off. If your architecture supports 30 + CONFIG_FRAME_POINTER, keep it enabled. 33 31 34 - o Install that kernel on the guest. 32 + - Install that kernel on the guest. 33 + Alternatively, QEMU allows to boot the kernel directly using -kernel, 34 + -append, -initrd command line switches. This is generally only useful if 35 + you do not depend on modules. See QEMU documentation for more details on 36 + this mode. 35 37 36 - Alternatively, QEMU allows to boot the kernel directly using -kernel, 37 - -append, -initrd command line switches. This is generally only useful if 38 - you do not depend on modules. See QEMU documentation for more details on 39 - this mode. 38 + - Enable the gdb stub of QEMU/KVM, either 40 39 41 - o Enable the gdb stub of QEMU/KVM, either 42 40 - at VM startup time by appending "-s" to the QEMU command line 43 - or 41 + 42 + or 43 + 44 44 - during runtime by issuing "gdbserver" from the QEMU monitor 45 45 console 46 46 47 - o cd /path/to/linux-build 47 + - cd /path/to/linux-build 48 48 49 - o Start gdb: gdb vmlinux 49 + - Start gdb: gdb vmlinux 50 50 51 - Note: Some distros may restrict auto-loading of gdb scripts to known safe 52 - directories. In case gdb reports to refuse loading vmlinux-gdb.py, add 51 + Note: Some distros may restrict auto-loading of gdb scripts to known safe 52 + directories. In case gdb reports to refuse loading vmlinux-gdb.py, add:: 53 53 54 54 add-auto-load-safe-path /path/to/linux-build 55 55 56 - to ~/.gdbinit. See gdb help for more details. 56 + to ~/.gdbinit. See gdb help for more details. 57 57 58 - o Attach to the booted guest: 58 + - Attach to the booted guest:: 59 + 59 60 (gdb) target remote :1234 60 61 61 62 62 63 Examples of using the Linux-provided gdb helpers 63 64 ------------------------------------------------ 64 65 65 - o Load module (and main kernel) symbols: 66 + - Load module (and main kernel) symbols:: 67 + 66 68 (gdb) lx-symbols 67 69 loading vmlinux 68 70 scanning for modules in /home/user/linux/build ··· 78 72 ... 79 73 loading @0xffffffffa0000000: /home/user/linux/build/drivers/ata/ata_generic.ko 80 74 81 - o Set a breakpoint on some not yet loaded module function, e.g.: 75 + - Set a breakpoint on some not yet loaded module function, e.g.:: 76 + 82 77 (gdb) b btrfs_init_sysfs 83 78 Function "btrfs_init_sysfs" not defined. 84 79 Make breakpoint pending on future shared library load? (y or [n]) y 85 80 Breakpoint 1 (btrfs_init_sysfs) pending. 86 81 87 - o Continue the target 82 + - Continue the target:: 83 + 88 84 (gdb) c 89 85 90 - o Load the module on the target and watch the symbols being loaded as well as 91 - the breakpoint hit: 86 + - Load the module on the target and watch the symbols being loaded as well as 87 + the breakpoint hit:: 88 + 92 89 loading @0xffffffffa0034000: /home/user/linux/build/lib/libcrc32c.ko 93 90 loading @0xffffffffa0050000: /home/user/linux/build/lib/lzo/lzo_compress.ko 94 91 loading @0xffffffffa006e000: /home/user/linux/build/lib/zlib_deflate/zlib_deflate.ko ··· 100 91 Breakpoint 1, btrfs_init_sysfs () at /home/user/linux/fs/btrfs/sysfs.c:36 101 92 36 btrfs_kset = kset_create_and_add("btrfs", NULL, fs_kobj); 102 93 103 - o Dump the log buffer of the target kernel: 94 + - Dump the log buffer of the target kernel:: 95 + 104 96 (gdb) lx-dmesg 105 97 [ 0.000000] Initializing cgroup subsys cpuset 106 98 [ 0.000000] Initializing cgroup subsys cpu ··· 112 102 [ 0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved 113 103 .... 114 104 115 - o Examine fields of the current task struct: 105 + - Examine fields of the current task struct:: 106 + 116 107 (gdb) p $lx_current().pid 117 108 $1 = 4998 118 109 (gdb) p $lx_current().comm 119 110 $2 = "modprobe\000\000\000\000\000\000\000" 120 111 121 - o Make use of the per-cpu function for the current or a specified CPU: 112 + - Make use of the per-cpu function for the current or a specified CPU:: 113 + 122 114 (gdb) p $lx_per_cpu("runqueues").nr_running 123 115 $3 = 1 124 116 (gdb) p $lx_per_cpu("runqueues", 2).nr_running 125 117 $4 = 0 126 118 127 - o Dig into hrtimers using the container_of helper: 119 + - Dig into hrtimers using the container_of helper:: 120 + 128 121 (gdb) set $next = $lx_per_cpu("hrtimer_bases").clock_base[0].active.next 129 122 (gdb) p *$container_of($next, "struct hrtimer", "node") 130 123 $5 = { ··· 157 144 ------------------------------ 158 145 159 146 The number of commands and convenience functions may evolve over the time, 160 - this is just a snapshot of the initial version: 147 + this is just a snapshot of the initial version:: 161 148 162 149 (gdb) apropos lx 163 150 function lx_current -- Return current task

+5

Documentation/gpu/conf.py

··· 1 + # -*- coding: utf-8; mode: python -*- 2 + 3 + project = "Linux GPU Driver Developer's Guide" 4 + 5 + tags.add("subproject")

+7

Documentation/gpu/index.rst

··· 12 12 drm-uapi 13 13 i915 14 14 vga-switcheroo 15 + 16 + .. only:: subproject 17 + 18 + Indices 19 + ======= 20 + 21 + * :ref:`genindex`

+2 -7

Documentation/index.rst

··· 6 6 Welcome to The Linux Kernel's documentation! 7 7 ============================================ 8 8 9 - Nothing for you to see here *yet*. Please move along. 10 - 11 9 Contents: 12 10 13 11 .. toctree:: 14 12 :maxdepth: 2 15 13 16 14 kernel-documentation 17 - media/media_uapi 18 - media/media_kapi 19 - media/dvb-drivers/index 20 - media/v4l-drivers/index 15 + dev-tools/tools 16 + media/index 21 17 gpu/index 22 18 23 19 Indices and tables 24 20 ================== 25 21 26 22 * :ref:`genindex` 27 - * :ref:`search`

-171

Documentation/kasan.txt

··· 1 - KernelAddressSanitizer (KASAN) 2 - ============================== 3 - 4 - 0. Overview 5 - =========== 6 - 7 - KernelAddressSANitizer (KASAN) is a dynamic memory error detector. It provides 8 - a fast and comprehensive solution for finding use-after-free and out-of-bounds 9 - bugs. 10 - 11 - KASAN uses compile-time instrumentation for checking every memory access, 12 - therefore you will need a GCC version 4.9.2 or later. GCC 5.0 or later is 13 - required for detection of out-of-bounds accesses to stack or global variables. 14 - 15 - Currently KASAN is supported only for x86_64 architecture. 16 - 17 - 1. Usage 18 - ======== 19 - 20 - To enable KASAN configure kernel with: 21 - 22 - CONFIG_KASAN = y 23 - 24 - and choose between CONFIG_KASAN_OUTLINE and CONFIG_KASAN_INLINE. Outline and 25 - inline are compiler instrumentation types. The former produces smaller binary 26 - the latter is 1.1 - 2 times faster. Inline instrumentation requires a GCC 27 - version 5.0 or later. 28 - 29 - KASAN works with both SLUB and SLAB memory allocators. 30 - For better bug detection and nicer reporting, enable CONFIG_STACKTRACE. 31 - 32 - To disable instrumentation for specific files or directories, add a line 33 - similar to the following to the respective kernel Makefile: 34 - 35 - For a single file (e.g. main.o): 36 - KASAN_SANITIZE_main.o := n 37 - 38 - For all files in one directory: 39 - KASAN_SANITIZE := n 40 - 41 - 1.1 Error reports 42 - ================= 43 - 44 - A typical out of bounds access report looks like this: 45 - 46 - ================================================================== 47 - BUG: AddressSanitizer: out of bounds access in kmalloc_oob_right+0x65/0x75 [test_kasan] at addr ffff8800693bc5d3 48 - Write of size 1 by task modprobe/1689 49 - ============================================================================= 50 - BUG kmalloc-128 (Not tainted): kasan error 51 - ----------------------------------------------------------------------------- 52 - 53 - Disabling lock debugging due to kernel taint 54 - INFO: Allocated in kmalloc_oob_right+0x3d/0x75 [test_kasan] age=0 cpu=0 pid=1689 55 - __slab_alloc+0x4b4/0x4f0 56 - kmem_cache_alloc_trace+0x10b/0x190 57 - kmalloc_oob_right+0x3d/0x75 [test_kasan] 58 - init_module+0x9/0x47 [test_kasan] 59 - do_one_initcall+0x99/0x200 60 - load_module+0x2cb3/0x3b20 61 - SyS_finit_module+0x76/0x80 62 - system_call_fastpath+0x12/0x17 63 - INFO: Slab 0xffffea0001a4ef00 objects=17 used=7 fp=0xffff8800693bd728 flags=0x100000000004080 64 - INFO: Object 0xffff8800693bc558 @offset=1368 fp=0xffff8800693bc720 65 - 66 - Bytes b4 ffff8800693bc548: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ 67 - Object ffff8800693bc558: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 68 - Object ffff8800693bc568: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 69 - Object ffff8800693bc578: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 70 - Object ffff8800693bc588: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 71 - Object ffff8800693bc598: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 72 - Object ffff8800693bc5a8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 73 - Object ffff8800693bc5b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 74 - Object ffff8800693bc5c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk. 75 - Redzone ffff8800693bc5d8: cc cc cc cc cc cc cc cc ........ 76 - Padding ffff8800693bc718: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ 77 - CPU: 0 PID: 1689 Comm: modprobe Tainted: G B 3.18.0-rc1-mm1+ #98 78 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 79 - ffff8800693bc000 0000000000000000 ffff8800693bc558 ffff88006923bb78 80 - ffffffff81cc68ae 00000000000000f3 ffff88006d407600 ffff88006923bba8 81 - ffffffff811fd848 ffff88006d407600 ffffea0001a4ef00 ffff8800693bc558 82 - Call Trace: 83 - [<ffffffff81cc68ae>] dump_stack+0x46/0x58 84 - [<ffffffff811fd848>] print_trailer+0xf8/0x160 85 - [<ffffffffa00026a7>] ? kmem_cache_oob+0xc3/0xc3 [test_kasan] 86 - [<ffffffff811ff0f5>] object_err+0x35/0x40 87 - [<ffffffffa0002065>] ? kmalloc_oob_right+0x65/0x75 [test_kasan] 88 - [<ffffffff8120b9fa>] kasan_report_error+0x38a/0x3f0 89 - [<ffffffff8120a79f>] ? kasan_poison_shadow+0x2f/0x40 90 - [<ffffffff8120b344>] ? kasan_unpoison_shadow+0x14/0x40 91 - [<ffffffff8120a79f>] ? kasan_poison_shadow+0x2f/0x40 92 - [<ffffffffa00026a7>] ? kmem_cache_oob+0xc3/0xc3 [test_kasan] 93 - [<ffffffff8120a995>] __asan_store1+0x75/0xb0 94 - [<ffffffffa0002601>] ? kmem_cache_oob+0x1d/0xc3 [test_kasan] 95 - [<ffffffffa0002065>] ? kmalloc_oob_right+0x65/0x75 [test_kasan] 96 - [<ffffffffa0002065>] kmalloc_oob_right+0x65/0x75 [test_kasan] 97 - [<ffffffffa00026b0>] init_module+0x9/0x47 [test_kasan] 98 - [<ffffffff810002d9>] do_one_initcall+0x99/0x200 99 - [<ffffffff811e4e5c>] ? __vunmap+0xec/0x160 100 - [<ffffffff81114f63>] load_module+0x2cb3/0x3b20 101 - [<ffffffff8110fd70>] ? m_show+0x240/0x240 102 - [<ffffffff81115f06>] SyS_finit_module+0x76/0x80 103 - [<ffffffff81cd3129>] system_call_fastpath+0x12/0x17 104 - Memory state around the buggy address: 105 - ffff8800693bc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 106 - ffff8800693bc380: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 fc 107 - ffff8800693bc400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 108 - ffff8800693bc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 109 - ffff8800693bc500: fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00 110 - >ffff8800693bc580: 00 00 00 00 00 00 00 00 00 00 03 fc fc fc fc fc 111 - ^ 112 - ffff8800693bc600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 113 - ffff8800693bc680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 114 - ffff8800693bc700: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb 115 - ffff8800693bc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 116 - ffff8800693bc800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 117 - ================================================================== 118 - 119 - The header of the report discribe what kind of bug happened and what kind of 120 - access caused it. It's followed by the description of the accessed slub object 121 - (see 'SLUB Debug output' section in Documentation/vm/slub.txt for details) and 122 - the description of the accessed memory page. 123 - 124 - In the last section the report shows memory state around the accessed address. 125 - Reading this part requires some understanding of how KASAN works. 126 - 127 - The state of each 8 aligned bytes of memory is encoded in one shadow byte. 128 - Those 8 bytes can be accessible, partially accessible, freed or be a redzone. 129 - We use the following encoding for each shadow byte: 0 means that all 8 bytes 130 - of the corresponding memory region are accessible; number N (1 <= N <= 7) means 131 - that the first N bytes are accessible, and other (8 - N) bytes are not; 132 - any negative value indicates that the entire 8-byte word is inaccessible. 133 - We use different negative values to distinguish between different kinds of 134 - inaccessible memory like redzones or freed memory (see mm/kasan/kasan.h). 135 - 136 - In the report above the arrows point to the shadow byte 03, which means that 137 - the accessed address is partially accessible. 138 - 139 - 140 - 2. Implementation details 141 - ========================= 142 - 143 - From a high level, our approach to memory error detection is similar to that 144 - of kmemcheck: use shadow memory to record whether each byte of memory is safe 145 - to access, and use compile-time instrumentation to check shadow memory on each 146 - memory access. 147 - 148 - AddressSanitizer dedicates 1/8 of kernel memory to its shadow memory 149 - (e.g. 16TB to cover 128TB on x86_64) and uses direct mapping with a scale and 150 - offset to translate a memory address to its corresponding shadow address. 151 - 152 - Here is the function which translates an address to its corresponding shadow 153 - address: 154 - 155 - static inline void *kasan_mem_to_shadow(const void *addr) 156 - { 157 - return ((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT) 158 - + KASAN_SHADOW_OFFSET; 159 - } 160 - 161 - where KASAN_SHADOW_SCALE_SHIFT = 3. 162 - 163 - Compile-time instrumentation used for checking memory accesses. Compiler inserts 164 - function calls (__asan_load*(addr), __asan_store*(addr)) before each memory 165 - access of size 1, 2, 4, 8 or 16. These functions check whether memory access is 166 - valid or not by checking corresponding shadow memory. 167 - 168 - GCC 5.0 has possibility to perform inline instrumentation. Instead of making 169 - function calls GCC directly inserts the code to check the shadow memory. 170 - This option significantly enlarges kernel but it gives x1.1-x2 performance 171 - boost over outline instrumented kernel.

+38 -1

Documentation/kbuild/kconfig-language.txt

··· 274 274 275 275 This is similar to the simple config entry above, but it also gives a 276 276 hint to front ends, that all suboptions should be displayed as a 277 - separate list of options. 277 + separate list of options. To make sure all the suboptions will really 278 + show up under the menuconfig entry and not outside of it, every item 279 + from the <config options> list must depend on the menuconfig symbol. 280 + In practice, this is achieved by using one of the next two constructs: 281 + 282 + (1): 283 + menuconfig M 284 + if M 285 + config C1 286 + config C2 287 + endif 288 + 289 + (2): 290 + menuconfig M 291 + config C1 292 + depends on M 293 + config C2 294 + depends on M 295 + 296 + In the following examples (3) and (4), C1 and C2 still have the M 297 + dependency, but will not appear under menuconfig M anymore, because 298 + of C0, which doesn't depend on M: 299 + 300 + (3): 301 + menuconfig M 302 + config C0 303 + if M 304 + config C1 305 + config C2 306 + endif 307 + 308 + (4): 309 + menuconfig M 310 + config C0 311 + config C1 312 + depends on M 313 + config C2 314 + depends on M 278 315 279 316 choices: 280 317

+37 -37

Documentation/kcov.txt Documentation/dev-tools/kcov.rst

··· 12 12 and instrumentation of some inherently non-deterministic parts of kernel is 13 13 disbled (e.g. scheduler, locking). 14 14 15 - Usage: 16 - ====== 15 + Usage 16 + ----- 17 17 18 - Configure kernel with: 18 + Configure the kernel with:: 19 19 20 20 CONFIG_KCOV=y 21 21 22 22 CONFIG_KCOV requires gcc built on revision 231296 or later. 23 - Profiling data will only become accessible once debugfs has been mounted: 23 + Profiling data will only become accessible once debugfs has been mounted:: 24 24 25 25 mount -t debugfs none /sys/kernel/debug 26 26 27 - The following program demonstrates kcov usage from within a test program: 27 + The following program demonstrates kcov usage from within a test program:: 28 28 29 - #include <stdio.h> 30 - #include <stddef.h> 31 - #include <stdint.h> 32 - #include <stdlib.h> 33 - #include <sys/types.h> 34 - #include <sys/stat.h> 35 - #include <sys/ioctl.h> 36 - #include <sys/mman.h> 37 - #include <unistd.h> 38 - #include <fcntl.h> 29 + #include <stdio.h> 30 + #include <stddef.h> 31 + #include <stdint.h> 32 + #include <stdlib.h> 33 + #include <sys/types.h> 34 + #include <sys/stat.h> 35 + #include <sys/ioctl.h> 36 + #include <sys/mman.h> 37 + #include <unistd.h> 38 + #include <fcntl.h> 39 39 40 - #define KCOV_INIT_TRACE _IOR('c', 1, unsigned long) 41 - #define KCOV_ENABLE _IO('c', 100) 42 - #define KCOV_DISABLE _IO('c', 101) 43 - #define COVER_SIZE (64<<10) 40 + #define KCOV_INIT_TRACE _IOR('c', 1, unsigned long) 41 + #define KCOV_ENABLE _IO('c', 100) 42 + #define KCOV_DISABLE _IO('c', 101) 43 + #define COVER_SIZE (64<<10) 44 44 45 - int main(int argc, char **argv) 46 - { 45 + int main(int argc, char **argv) 46 + { 47 47 int fd; 48 48 unsigned long *cover, n, i; 49 49 ··· 83 83 if (close(fd)) 84 84 perror("close"), exit(1); 85 85 return 0; 86 - } 86 + } 87 87 88 - After piping through addr2line output of the program looks as follows: 88 + After piping through addr2line output of the program looks as follows:: 89 89 90 - SyS_read 91 - fs/read_write.c:562 92 - __fdget_pos 93 - fs/file.c:774 94 - __fget_light 95 - fs/file.c:746 96 - __fget_light 97 - fs/file.c:750 98 - __fget_light 99 - fs/file.c:760 100 - __fdget_pos 101 - fs/file.c:784 102 - SyS_read 103 - fs/read_write.c:562 90 + SyS_read 91 + fs/read_write.c:562 92 + __fdget_pos 93 + fs/file.c:774 94 + __fget_light 95 + fs/file.c:746 96 + __fget_light 97 + fs/file.c:750 98 + __fget_light 99 + fs/file.c:760 100 + __fdget_pos 101 + fs/file.c:784 102 + SyS_read 103 + fs/read_write.c:562 104 104 105 105 If a program needs to collect coverage from several threads (independently), 106 106 it needs to open /sys/kernel/debug/kcov in each thread separately.

+29 -6

Documentation/kernel-documentation.rst

··· 107 107 the order as encountered."), having the higher levels the same overall makes 108 108 it easier to follow the documents. 109 109 110 + 111 + the C domain 112 + ------------ 113 + 114 + The `Sphinx C Domain`_ (name c) is suited for documentation of C API. E.g. a 115 + function prototype: 116 + 117 + .. code-block:: rst 118 + 119 + .. c:function:: int ioctl( int fd, int request ) 120 + 121 + The C domain of the kernel-doc has some additional features. E.g. you can 122 + *rename* the reference name of a function with a common name like ``open`` or 123 + ``ioctl``: 124 + 125 + .. code-block:: rst 126 + 127 + .. c:function:: int ioctl( int fd, int request ) 128 + :name: VIDIOC_LOG_STATUS 129 + 130 + The func-name (e.g. ioctl) remains in the output but the ref-name changed from 131 + ``ioctl`` to ``VIDIOC_LOG_STATUS``. The index entry for this function is also 132 + changed to ``VIDIOC_LOG_STATUS`` and the function can now referenced by: 133 + 134 + .. code-block:: rst 135 + 136 + :c:func:`VIDIOC_LOG_STATUS` 137 + 138 + 110 139 list tables 111 140 ----------- 112 141 ··· 395 366 Cross-referencing from reStructuredText 396 367 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 397 368 398 - .. highlight:: none 399 - 400 369 To cross-reference the functions and types defined in the kernel-doc comments 401 370 from reStructuredText documents, please use the `Sphinx C Domain`_ 402 371 references. For example:: ··· 416 389 417 390 Function documentation 418 391 ---------------------- 419 - 420 - .. highlight:: c 421 392 422 393 The general format of a function and function-like macro kernel-doc comment is:: 423 394 ··· 596 571 597 572 Converting DocBook to Sphinx 598 573 ---------------------------- 599 - 600 - .. highlight:: none 601 574 602 575 Over time, we expect all of the documents under ``Documentation/DocBook`` to be 603 576 converted to Sphinx and reStructuredText. For most DocBook XML documents, a good

+1 -1

Documentation/kernel-parameters.txt

··· 1688 1688 1689 1689 intel_idle.max_cstate= [KNL,HW,ACPI,X86] 1690 1690 0 disables intel_idle and fall back on acpi_idle. 1691 - 1 to 6 specify maximum depth of C-state. 1691 + 1 to 9 specify maximum depth of C-state. 1692 1692 1693 1693 intel_pstate= [X86] 1694 1694 disable

-754

Documentation/kmemcheck.txt

··· 1 - GETTING STARTED WITH KMEMCHECK 2 - ============================== 3 - 4 - Vegard Nossum <vegardno@ifi.uio.no> 5 - 6 - 7 - Contents 8 - ======== 9 - 0. Introduction 10 - 1. Downloading 11 - 2. Configuring and compiling 12 - 3. How to use 13 - 3.1. Booting 14 - 3.2. Run-time enable/disable 15 - 3.3. Debugging 16 - 3.4. Annotating false positives 17 - 4. Reporting errors 18 - 5. Technical description 19 - 20 - 21 - 0. Introduction 22 - =============== 23 - 24 - kmemcheck is a debugging feature for the Linux Kernel. More specifically, it 25 - is a dynamic checker that detects and warns about some uses of uninitialized 26 - memory. 27 - 28 - Userspace programmers might be familiar with Valgrind's memcheck. The main 29 - difference between memcheck and kmemcheck is that memcheck works for userspace 30 - programs only, and kmemcheck works for the kernel only. The implementations 31 - are of course vastly different. Because of this, kmemcheck is not as accurate 32 - as memcheck, but it turns out to be good enough in practice to discover real 33 - programmer errors that the compiler is not able to find through static 34 - analysis. 35 - 36 - Enabling kmemcheck on a kernel will probably slow it down to the extent that 37 - the machine will not be usable for normal workloads such as e.g. an 38 - interactive desktop. kmemcheck will also cause the kernel to use about twice 39 - as much memory as normal. For this reason, kmemcheck is strictly a debugging 40 - feature. 41 - 42 - 43 - 1. Downloading 44 - ============== 45 - 46 - As of version 2.6.31-rc1, kmemcheck is included in the mainline kernel. 47 - 48 - 49 - 2. Configuring and compiling 50 - ============================ 51 - 52 - kmemcheck only works for the x86 (both 32- and 64-bit) platform. A number of 53 - configuration variables must have specific settings in order for the kmemcheck 54 - menu to even appear in "menuconfig". These are: 55 - 56 - o CONFIG_CC_OPTIMIZE_FOR_SIZE=n 57 - 58 - This option is located under "General setup" / "Optimize for size". 59 - 60 - Without this, gcc will use certain optimizations that usually lead to 61 - false positive warnings from kmemcheck. An example of this is a 16-bit 62 - field in a struct, where gcc may load 32 bits, then discard the upper 63 - 16 bits. kmemcheck sees only the 32-bit load, and may trigger a 64 - warning for the upper 16 bits (if they're uninitialized). 65 - 66 - o CONFIG_SLAB=y or CONFIG_SLUB=y 67 - 68 - This option is located under "General setup" / "Choose SLAB 69 - allocator". 70 - 71 - o CONFIG_FUNCTION_TRACER=n 72 - 73 - This option is located under "Kernel hacking" / "Tracers" / "Kernel 74 - Function Tracer" 75 - 76 - When function tracing is compiled in, gcc emits a call to another 77 - function at the beginning of every function. This means that when the 78 - page fault handler is called, the ftrace framework will be called 79 - before kmemcheck has had a chance to handle the fault. If ftrace then 80 - modifies memory that was tracked by kmemcheck, the result is an 81 - endless recursive page fault. 82 - 83 - o CONFIG_DEBUG_PAGEALLOC=n 84 - 85 - This option is located under "Kernel hacking" / "Memory Debugging" 86 - / "Debug page memory allocations". 87 - 88 - In addition, I highly recommend turning on CONFIG_DEBUG_INFO=y. This is also 89 - located under "Kernel hacking". With this, you will be able to get line number 90 - information from the kmemcheck warnings, which is extremely valuable in 91 - debugging a problem. This option is not mandatory, however, because it slows 92 - down the compilation process and produces a much bigger kernel image. 93 - 94 - Now the kmemcheck menu should be visible (under "Kernel hacking" / "Memory 95 - Debugging" / "kmemcheck: trap use of uninitialized memory"). Here follows 96 - a description of the kmemcheck configuration variables: 97 - 98 - o CONFIG_KMEMCHECK 99 - 100 - This must be enabled in order to use kmemcheck at all... 101 - 102 - o CONFIG_KMEMCHECK_[DISABLED | ENABLED | ONESHOT]_BY_DEFAULT 103 - 104 - This option controls the status of kmemcheck at boot-time. "Enabled" 105 - will enable kmemcheck right from the start, "disabled" will boot the 106 - kernel as normal (but with the kmemcheck code compiled in, so it can 107 - be enabled at run-time after the kernel has booted), and "one-shot" is 108 - a special mode which will turn kmemcheck off automatically after 109 - detecting the first use of uninitialized memory. 110 - 111 - If you are using kmemcheck to actively debug a problem, then you 112 - probably want to choose "enabled" here. 113 - 114 - The one-shot mode is mostly useful in automated test setups because it 115 - can prevent floods of warnings and increase the chances of the machine 116 - surviving in case something is really wrong. In other cases, the one- 117 - shot mode could actually be counter-productive because it would turn 118 - itself off at the very first error -- in the case of a false positive 119 - too -- and this would come in the way of debugging the specific 120 - problem you were interested in. 121 - 122 - If you would like to use your kernel as normal, but with a chance to 123 - enable kmemcheck in case of some problem, it might be a good idea to 124 - choose "disabled" here. When kmemcheck is disabled, most of the run- 125 - time overhead is not incurred, and the kernel will be almost as fast 126 - as normal. 127 - 128 - o CONFIG_KMEMCHECK_QUEUE_SIZE 129 - 130 - Select the maximum number of error reports to store in an internal 131 - (fixed-size) buffer. Since errors can occur virtually anywhere and in 132 - any context, we need a temporary storage area which is guaranteed not 133 - to generate any other page faults when accessed. The queue will be 134 - emptied as soon as a tasklet may be scheduled. If the queue is full, 135 - new error reports will be lost. 136 - 137 - The default value of 64 is probably fine. If some code produces more 138 - than 64 errors within an irqs-off section, then the code is likely to 139 - produce many, many more, too, and these additional reports seldom give 140 - any more information (the first report is usually the most valuable 141 - anyway). 142 - 143 - This number might have to be adjusted if you are not using serial 144 - console or similar to capture the kernel log. If you are using the 145 - "dmesg" command to save the log, then getting a lot of kmemcheck 146 - warnings might overflow the kernel log itself, and the earlier reports 147 - will get lost in that way instead. Try setting this to 10 or so on 148 - such a setup. 149 - 150 - o CONFIG_KMEMCHECK_SHADOW_COPY_SHIFT 151 - 152 - Select the number of shadow bytes to save along with each entry of the 153 - error-report queue. These bytes indicate what parts of an allocation 154 - are initialized, uninitialized, etc. and will be displayed when an 155 - error is detected to help the debugging of a particular problem. 156 - 157 - The number entered here is actually the logarithm of the number of 158 - bytes that will be saved. So if you pick for example 5 here, kmemcheck 159 - will save 2^5 = 32 bytes. 160 - 161 - The default value should be fine for debugging most problems. It also 162 - fits nicely within 80 columns. 163 - 164 - o CONFIG_KMEMCHECK_PARTIAL_OK 165 - 166 - This option (when enabled) works around certain GCC optimizations that 167 - produce 32-bit reads from 16-bit variables where the upper 16 bits are 168 - thrown away afterwards. 169 - 170 - The default value (enabled) is recommended. This may of course hide 171 - some real errors, but disabling it would probably produce a lot of 172 - false positives. 173 - 174 - o CONFIG_KMEMCHECK_BITOPS_OK 175 - 176 - This option silences warnings that would be generated for bit-field 177 - accesses where not all the bits are initialized at the same time. This 178 - may also hide some real bugs. 179 - 180 - This option is probably obsolete, or it should be replaced with 181 - the kmemcheck-/bitfield-annotations for the code in question. The 182 - default value is therefore fine. 183 - 184 - Now compile the kernel as usual. 185 - 186 - 187 - 3. How to use 188 - ============= 189 - 190 - 3.1. Booting 191 - ============ 192 - 193 - First some information about the command-line options. There is only one 194 - option specific to kmemcheck, and this is called "kmemcheck". It can be used 195 - to override the default mode as chosen by the CONFIG_KMEMCHECK_*_BY_DEFAULT 196 - option. Its possible settings are: 197 - 198 - o kmemcheck=0 (disabled) 199 - o kmemcheck=1 (enabled) 200 - o kmemcheck=2 (one-shot mode) 201 - 202 - If SLUB debugging has been enabled in the kernel, it may take precedence over 203 - kmemcheck in such a way that the slab caches which are under SLUB debugging 204 - will not be tracked by kmemcheck. In order to ensure that this doesn't happen 205 - (even though it shouldn't by default), use SLUB's boot option "slub_debug", 206 - like this: slub_debug=- 207 - 208 - In fact, this option may also be used for fine-grained control over SLUB vs. 209 - kmemcheck. For example, if the command line includes "kmemcheck=1 210 - slub_debug=,dentry", then SLUB debugging will be used only for the "dentry" 211 - slab cache, and with kmemcheck tracking all the other caches. This is advanced 212 - usage, however, and is not generally recommended. 213 - 214 - 215 - 3.2. Run-time enable/disable 216 - ============================ 217 - 218 - When the kernel has booted, it is possible to enable or disable kmemcheck at 219 - run-time. WARNING: This feature is still experimental and may cause false 220 - positive warnings to appear. Therefore, try not to use this. If you find that 221 - it doesn't work properly (e.g. you see an unreasonable amount of warnings), I 222 - will be happy to take bug reports. 223 - 224 - Use the file /proc/sys/kernel/kmemcheck for this purpose, e.g.: 225 - 226 - $ echo 0 > /proc/sys/kernel/kmemcheck # disables kmemcheck 227 - 228 - The numbers are the same as for the kmemcheck= command-line option. 229 - 230 - 231 - 3.3. Debugging 232 - ============== 233 - 234 - A typical report will look something like this: 235 - 236 - WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff88003e4a2024) 237 - 80000000000000000000000000000000000000000088ffff0000000000000000 238 - i i i i u u u u i i i i i i i i u u u u u u u u u u u u u u u u 239 - ^ 240 - 241 - Pid: 1856, comm: ntpdate Not tainted 2.6.29-rc5 #264 945P-A 242 - RIP: 0010:[<ffffffff8104ede8>] [<ffffffff8104ede8>] __dequeue_signal+0xc8/0x190 243 - RSP: 0018:ffff88003cdf7d98 EFLAGS: 00210002 244 - RAX: 0000000000000030 RBX: ffff88003d4ea968 RCX: 0000000000000009 245 - RDX: ffff88003e5d6018 RSI: ffff88003e5d6024 RDI: ffff88003cdf7e84 246 - RBP: ffff88003cdf7db8 R08: ffff88003e5d6000 R09: 0000000000000000 247 - R10: 0000000000000080 R11: 0000000000000000 R12: 000000000000000e 248 - R13: ffff88003cdf7e78 R14: ffff88003d530710 R15: ffff88003d5a98c8 249 - FS: 0000000000000000(0000) GS:ffff880001982000(0063) knlGS:00000 250 - CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 251 - CR2: ffff88003f806ea0 CR3: 000000003c036000 CR4: 00000000000006a0 252 - DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 253 - DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400 254 - [<ffffffff8104f04e>] dequeue_signal+0x8e/0x170 255 - [<ffffffff81050bd8>] get_signal_to_deliver+0x98/0x390 256 - [<ffffffff8100b87d>] do_notify_resume+0xad/0x7d0 257 - [<ffffffff8100c7b5>] int_signal+0x12/0x17 258 - [<ffffffffffffffff>] 0xffffffffffffffff 259 - 260 - The single most valuable information in this report is the RIP (or EIP on 32- 261 - bit) value. This will help us pinpoint exactly which instruction that caused 262 - the warning. 263 - 264 - If your kernel was compiled with CONFIG_DEBUG_INFO=y, then all we have to do 265 - is give this address to the addr2line program, like this: 266 - 267 - $ addr2line -e vmlinux -i ffffffff8104ede8 268 - arch/x86/include/asm/string_64.h:12 269 - include/asm-generic/siginfo.h:287 270 - kernel/signal.c:380 271 - kernel/signal.c:410 272 - 273 - The "-e vmlinux" tells addr2line which file to look in. IMPORTANT: This must 274 - be the vmlinux of the kernel that produced the warning in the first place! If 275 - not, the line number information will almost certainly be wrong. 276 - 277 - The "-i" tells addr2line to also print the line numbers of inlined functions. 278 - In this case, the flag was very important, because otherwise, it would only 279 - have printed the first line, which is just a call to memcpy(), which could be 280 - called from a thousand places in the kernel, and is therefore not very useful. 281 - These inlined functions would not show up in the stack trace above, simply 282 - because the kernel doesn't load the extra debugging information. This 283 - technique can of course be used with ordinary kernel oopses as well. 284 - 285 - In this case, it's the caller of memcpy() that is interesting, and it can be 286 - found in include/asm-generic/siginfo.h, line 287: 287 - 288 - 281 static inline void copy_siginfo(struct siginfo *to, struct siginfo *from) 289 - 282 { 290 - 283 if (from->si_code < 0) 291 - 284 memcpy(to, from, sizeof(*to)); 292 - 285 else 293 - 286 /* _sigchld is currently the largest know union member */ 294 - 287 memcpy(to, from, __ARCH_SI_PREAMBLE_SIZE + sizeof(from->_sifields._sigchld)); 295 - 288 } 296 - 297 - Since this was a read (kmemcheck usually warns about reads only, though it can 298 - warn about writes to unallocated or freed memory as well), it was probably the 299 - "from" argument which contained some uninitialized bytes. Following the chain 300 - of calls, we move upwards to see where "from" was allocated or initialized, 301 - kernel/signal.c, line 380: 302 - 303 - 359 static void collect_signal(int sig, struct sigpending *list, siginfo_t *info) 304 - 360 { 305 - ... 306 - 367 list_for_each_entry(q, &list->list, list) { 307 - 368 if (q->info.si_signo == sig) { 308 - 369 if (first) 309 - 370 goto still_pending; 310 - 371 first = q; 311 - ... 312 - 377 if (first) { 313 - 378 still_pending: 314 - 379 list_del_init(&first->list); 315 - 380 copy_siginfo(info, &first->info); 316 - 381 __sigqueue_free(first); 317 - ... 318 - 392 } 319 - 393 } 320 - 321 - Here, it is &first->info that is being passed on to copy_siginfo(). The 322 - variable "first" was found on a list -- passed in as the second argument to 323 - collect_signal(). We continue our journey through the stack, to figure out 324 - where the item on "list" was allocated or initialized. We move to line 410: 325 - 326 - 395 static int __dequeue_signal(struct sigpending *pending, sigset_t *mask, 327 - 396 siginfo_t *info) 328 - 397 { 329 - ... 330 - 410 collect_signal(sig, pending, info); 331 - ... 332 - 414 } 333 - 334 - Now we need to follow the "pending" pointer, since that is being passed on to 335 - collect_signal() as "list". At this point, we've run out of lines from the 336 - "addr2line" output. Not to worry, we just paste the next addresses from the 337 - kmemcheck stack dump, i.e.: 338 - 339 - [<ffffffff8104f04e>] dequeue_signal+0x8e/0x170 340 - [<ffffffff81050bd8>] get_signal_to_deliver+0x98/0x390 341 - [<ffffffff8100b87d>] do_notify_resume+0xad/0x7d0 342 - [<ffffffff8100c7b5>] int_signal+0x12/0x17 343 - 344 - $ addr2line -e vmlinux -i ffffffff8104f04e ffffffff81050bd8 \ 345 - ffffffff8100b87d ffffffff8100c7b5 346 - kernel/signal.c:446 347 - kernel/signal.c:1806 348 - arch/x86/kernel/signal.c:805 349 - arch/x86/kernel/signal.c:871 350 - arch/x86/kernel/entry_64.S:694 351 - 352 - Remember that since these addresses were found on the stack and not as the 353 - RIP value, they actually point to the _next_ instruction (they are return 354 - addresses). This becomes obvious when we look at the code for line 446: 355 - 356 - 422 int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) 357 - 423 { 358 - ... 359 - 431 signr = __dequeue_signal(&tsk->signal->shared_pending, 360 - 432 mask, info); 361 - 433 /* 362 - 434 * itimer signal ? 363 - 435 * 364 - 436 * itimers are process shared and we restart periodic 365 - 437 * itimers in the signal delivery path to prevent DoS 366 - 438 * attacks in the high resolution timer case. This is 367 - 439 * compliant with the old way of self restarting 368 - 440 * itimers, as the SIGALRM is a legacy signal and only 369 - 441 * queued once. Changing the restart behaviour to 370 - 442 * restart the timer in the signal dequeue path is 371 - 443 * reducing the timer noise on heavy loaded !highres 372 - 444 * systems too. 373 - 445 */ 374 - 446 if (unlikely(signr == SIGALRM)) { 375 - ... 376 - 489 } 377 - 378 - So instead of looking at 446, we should be looking at 431, which is the line 379 - that executes just before 446. Here we see that what we are looking for is 380 - &tsk->signal->shared_pending. 381 - 382 - Our next task is now to figure out which function that puts items on this 383 - "shared_pending" list. A crude, but efficient tool, is git grep: 384 - 385 - $ git grep -n 'shared_pending' kernel/ 386 - ... 387 - kernel/signal.c:828: pending = group ? &t->signal->shared_pending : &t->pending; 388 - kernel/signal.c:1339: pending = group ? &t->signal->shared_pending : &t->pending; 389 - ... 390 - 391 - There were more results, but none of them were related to list operations, 392 - and these were the only assignments. We inspect the line numbers more closely 393 - and find that this is indeed where items are being added to the list: 394 - 395 - 816 static int send_signal(int sig, struct siginfo *info, struct task_struct *t, 396 - 817 int group) 397 - 818 { 398 - ... 399 - 828 pending = group ? &t->signal->shared_pending : &t->pending; 400 - ... 401 - 851 q = __sigqueue_alloc(t, GFP_ATOMIC, (sig < SIGRTMIN && 402 - 852 (is_si_special(info) || 403 - 853 info->si_code >= 0))); 404 - 854 if (q) { 405 - 855 list_add_tail(&q->list, &pending->list); 406 - ... 407 - 890 } 408 - 409 - and: 410 - 411 - 1309 int send_sigqueue(struct sigqueue *q, struct task_struct *t, int group) 412 - 1310 { 413 - .... 414 - 1339 pending = group ? &t->signal->shared_pending : &t->pending; 415 - 1340 list_add_tail(&q->list, &pending->list); 416 - .... 417 - 1347 } 418 - 419 - In the first case, the list element we are looking for, "q", is being returned 420 - from the function __sigqueue_alloc(), which looks like an allocation function. 421 - Let's take a look at it: 422 - 423 - 187 static struct sigqueue *__sigqueue_alloc(struct task_struct *t, gfp_t flags, 424 - 188 int override_rlimit) 425 - 189 { 426 - 190 struct sigqueue *q = NULL; 427 - 191 struct user_struct *user; 428 - 192 429 - 193 /* 430 - 194 * We won't get problems with the target's UID changing under us 431 - 195 * because changing it requires RCU be used, and if t != current, the 432 - 196 * caller must be holding the RCU readlock (by way of a spinlock) and 433 - 197 * we use RCU protection here 434 - 198 */ 435 - 199 user = get_uid(__task_cred(t)->user); 436 - 200 atomic_inc(&user->sigpending); 437 - 201 if (override_rlimit || 438 - 202 atomic_read(&user->sigpending) <= 439 - 203 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) 440 - 204 q = kmem_cache_alloc(sigqueue_cachep, flags); 441 - 205 if (unlikely(q == NULL)) { 442 - 206 atomic_dec(&user->sigpending); 443 - 207 free_uid(user); 444 - 208 } else { 445 - 209 INIT_LIST_HEAD(&q->list); 446 - 210 q->flags = 0; 447 - 211 q->user = user; 448 - 212 } 449 - 213 450 - 214 return q; 451 - 215 } 452 - 453 - We see that this function initializes q->list, q->flags, and q->user. It seems 454 - that now is the time to look at the definition of "struct sigqueue", e.g.: 455 - 456 - 14 struct sigqueue { 457 - 15 struct list_head list; 458 - 16 int flags; 459 - 17 siginfo_t info; 460 - 18 struct user_struct *user; 461 - 19 }; 462 - 463 - And, you might remember, it was a memcpy() on &first->info that caused the 464 - warning, so this makes perfect sense. It also seems reasonable to assume that 465 - it is the caller of __sigqueue_alloc() that has the responsibility of filling 466 - out (initializing) this member. 467 - 468 - But just which fields of the struct were uninitialized? Let's look at 469 - kmemcheck's report again: 470 - 471 - WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff88003e4a2024) 472 - 80000000000000000000000000000000000000000088ffff0000000000000000 473 - i i i i u u u u i i i i i i i i u u u u u u u u u u u u u u u u 474 - ^ 475 - 476 - These first two lines are the memory dump of the memory object itself, and the 477 - shadow bytemap, respectively. The memory object itself is in this case 478 - &first->info. Just beware that the start of this dump is NOT the start of the 479 - object itself! The position of the caret (^) corresponds with the address of 480 - the read (ffff88003e4a2024). 481 - 482 - The shadow bytemap dump legend is as follows: 483 - 484 - i - initialized 485 - u - uninitialized 486 - a - unallocated (memory has been allocated by the slab layer, but has not 487 - yet been handed off to anybody) 488 - f - freed (memory has been allocated by the slab layer, but has been freed 489 - by the previous owner) 490 - 491 - In order to figure out where (relative to the start of the object) the 492 - uninitialized memory was located, we have to look at the disassembly. For 493 - that, we'll need the RIP address again: 494 - 495 - RIP: 0010:[<ffffffff8104ede8>] [<ffffffff8104ede8>] __dequeue_signal+0xc8/0x190 496 - 497 - $ objdump -d --no-show-raw-insn vmlinux | grep -C 8 ffffffff8104ede8: 498 - ffffffff8104edc8: mov %r8,0x8(%r8) 499 - ffffffff8104edcc: test %r10d,%r10d 500 - ffffffff8104edcf: js ffffffff8104ee88 <__dequeue_signal+0x168> 501 - ffffffff8104edd5: mov %rax,%rdx 502 - ffffffff8104edd8: mov $0xc,%ecx 503 - ffffffff8104eddd: mov %r13,%rdi 504 - ffffffff8104ede0: mov $0x30,%eax 505 - ffffffff8104ede5: mov %rdx,%rsi 506 - ffffffff8104ede8: rep movsl %ds:(%rsi),%es:(%rdi) 507 - ffffffff8104edea: test $0x2,%al 508 - ffffffff8104edec: je ffffffff8104edf0 <__dequeue_signal+0xd0> 509 - ffffffff8104edee: movsw %ds:(%rsi),%es:(%rdi) 510 - ffffffff8104edf0: test $0x1,%al 511 - ffffffff8104edf2: je ffffffff8104edf5 <__dequeue_signal+0xd5> 512 - ffffffff8104edf4: movsb %ds:(%rsi),%es:(%rdi) 513 - ffffffff8104edf5: mov %r8,%rdi 514 - ffffffff8104edf8: callq ffffffff8104de60 <__sigqueue_free> 515 - 516 - As expected, it's the "rep movsl" instruction from the memcpy() that causes 517 - the warning. We know about REP MOVSL that it uses the register RCX to count 518 - the number of remaining iterations. By taking a look at the register dump 519 - again (from the kmemcheck report), we can figure out how many bytes were left 520 - to copy: 521 - 522 - RAX: 0000000000000030 RBX: ffff88003d4ea968 RCX: 0000000000000009 523 - 524 - By looking at the disassembly, we also see that %ecx is being loaded with the 525 - value $0xc just before (ffffffff8104edd8), so we are very lucky. Keep in mind 526 - that this is the number of iterations, not bytes. And since this is a "long" 527 - operation, we need to multiply by 4 to get the number of bytes. So this means 528 - that the uninitialized value was encountered at 4 * (0xc - 0x9) = 12 bytes 529 - from the start of the object. 530 - 531 - We can now try to figure out which field of the "struct siginfo" that was not 532 - initialized. This is the beginning of the struct: 533 - 534 - 40 typedef struct siginfo { 535 - 41 int si_signo; 536 - 42 int si_errno; 537 - 43 int si_code; 538 - 44 539 - 45 union { 540 - .. 541 - 92 } _sifields; 542 - 93 } siginfo_t; 543 - 544 - On 64-bit, the int is 4 bytes long, so it must the union member that has 545 - not been initialized. We can verify this using gdb: 546 - 547 - $ gdb vmlinux 548 - ... 549 - (gdb) p &((struct siginfo *) 0)->_sifields 550 - $1 = (union {...} *) 0x10 551 - 552 - Actually, it seems that the union member is located at offset 0x10 -- which 553 - means that gcc has inserted 4 bytes of padding between the members si_code 554 - and _sifields. We can now get a fuller picture of the memory dump: 555 - 556 - _----------------------------=> si_code 557 - / _--------------------=> (padding) 558 - | / _------------=> _sifields(._kill._pid) 559 - | | / _----=> _sifields(._kill._uid) 560 - | | | / 561 - -------|-------|-------|-------| 562 - 80000000000000000000000000000000000000000088ffff0000000000000000 563 - i i i i u u u u i i i i i i i i u u u u u u u u u u u u u u u u 564 - 565 - This allows us to realize another important fact: si_code contains the value 566 - 0x80. Remember that x86 is little endian, so the first 4 bytes "80000000" are 567 - really the number 0x00000080. With a bit of research, we find that this is 568 - actually the constant SI_KERNEL defined in include/asm-generic/siginfo.h: 569 - 570 - 144 #define SI_KERNEL 0x80 /* sent by the kernel from somewhere */ 571 - 572 - This macro is used in exactly one place in the x86 kernel: In send_signal() 573 - in kernel/signal.c: 574 - 575 - 816 static int send_signal(int sig, struct siginfo *info, struct task_struct *t, 576 - 817 int group) 577 - 818 { 578 - ... 579 - 828 pending = group ? &t->signal->shared_pending : &t->pending; 580 - ... 581 - 851 q = __sigqueue_alloc(t, GFP_ATOMIC, (sig < SIGRTMIN && 582 - 852 (is_si_special(info) || 583 - 853 info->si_code >= 0))); 584 - 854 if (q) { 585 - 855 list_add_tail(&q->list, &pending->list); 586 - 856 switch ((unsigned long) info) { 587 - ... 588 - 865 case (unsigned long) SEND_SIG_PRIV: 589 - 866 q->info.si_signo = sig; 590 - 867 q->info.si_errno = 0; 591 - 868 q->info.si_code = SI_KERNEL; 592 - 869 q->info.si_pid = 0; 593 - 870 q->info.si_uid = 0; 594 - 871 break; 595 - ... 596 - 890 } 597 - 598 - Not only does this match with the .si_code member, it also matches the place 599 - we found earlier when looking for where siginfo_t objects are enqueued on the 600 - "shared_pending" list. 601 - 602 - So to sum up: It seems that it is the padding introduced by the compiler 603 - between two struct fields that is uninitialized, and this gets reported when 604 - we do a memcpy() on the struct. This means that we have identified a false 605 - positive warning. 606 - 607 - Normally, kmemcheck will not report uninitialized accesses in memcpy() calls 608 - when both the source and destination addresses are tracked. (Instead, we copy 609 - the shadow bytemap as well). In this case, the destination address clearly 610 - was not tracked. We can dig a little deeper into the stack trace from above: 611 - 612 - arch/x86/kernel/signal.c:805 613 - arch/x86/kernel/signal.c:871 614 - arch/x86/kernel/entry_64.S:694 615 - 616 - And we clearly see that the destination siginfo object is located on the 617 - stack: 618 - 619 - 782 static void do_signal(struct pt_regs *regs) 620 - 783 { 621 - 784 struct k_sigaction ka; 622 - 785 siginfo_t info; 623 - ... 624 - 804 signr = get_signal_to_deliver(&info, &ka, regs, NULL); 625 - ... 626 - 854 } 627 - 628 - And this &info is what eventually gets passed to copy_siginfo() as the 629 - destination argument. 630 - 631 - Now, even though we didn't find an actual error here, the example is still a 632 - good one, because it shows how one would go about to find out what the report 633 - was all about. 634 - 635 - 636 - 3.4. Annotating false positives 637 - =============================== 638 - 639 - There are a few different ways to make annotations in the source code that 640 - will keep kmemcheck from checking and reporting certain allocations. Here 641 - they are: 642 - 643 - o __GFP_NOTRACK_FALSE_POSITIVE 644 - 645 - This flag can be passed to kmalloc() or kmem_cache_alloc() (therefore 646 - also to other functions that end up calling one of these) to indicate 647 - that the allocation should not be tracked because it would lead to 648 - a false positive report. This is a "big hammer" way of silencing 649 - kmemcheck; after all, even if the false positive pertains to 650 - particular field in a struct, for example, we will now lose the 651 - ability to find (real) errors in other parts of the same struct. 652 - 653 - Example: 654 - 655 - /* No warnings will ever trigger on accessing any part of x */ 656 - x = kmalloc(sizeof *x, GFP_KERNEL | __GFP_NOTRACK_FALSE_POSITIVE); 657 - 658 - o kmemcheck_bitfield_begin(name)/kmemcheck_bitfield_end(name) and 659 - kmemcheck_annotate_bitfield(ptr, name) 660 - 661 - The first two of these three macros can be used inside struct 662 - definitions to signal, respectively, the beginning and end of a 663 - bitfield. Additionally, this will assign the bitfield a name, which 664 - is given as an argument to the macros. 665 - 666 - Having used these markers, one can later use 667 - kmemcheck_annotate_bitfield() at the point of allocation, to indicate 668 - which parts of the allocation is part of a bitfield. 669 - 670 - Example: 671 - 672 - struct foo { 673 - int x; 674 - 675 - kmemcheck_bitfield_begin(flags); 676 - int flag_a:1; 677 - int flag_b:1; 678 - kmemcheck_bitfield_end(flags); 679 - 680 - int y; 681 - }; 682 - 683 - struct foo *x = kmalloc(sizeof *x); 684 - 685 - /* No warnings will trigger on accessing the bitfield of x */ 686 - kmemcheck_annotate_bitfield(x, flags); 687 - 688 - Note that kmemcheck_annotate_bitfield() can be used even before the 689 - return value of kmalloc() is checked -- in other words, passing NULL 690 - as the first argument is legal (and will do nothing). 691 - 692 - 693 - 4. Reporting errors 694 - =================== 695 - 696 - As we have seen, kmemcheck will produce false positive reports. Therefore, it 697 - is not very wise to blindly post kmemcheck warnings to mailing lists and 698 - maintainers. Instead, I encourage maintainers and developers to find errors 699 - in their own code. If you get a warning, you can try to work around it, try 700 - to figure out if it's a real error or not, or simply ignore it. Most 701 - developers know their own code and will quickly and efficiently determine the 702 - root cause of a kmemcheck report. This is therefore also the most efficient 703 - way to work with kmemcheck. 704 - 705 - That said, we (the kmemcheck maintainers) will always be on the lookout for 706 - false positives that we can annotate and silence. So whatever you find, 707 - please drop us a note privately! Kernel configs and steps to reproduce (if 708 - available) are of course a great help too. 709 - 710 - Happy hacking! 711 - 712 - 713 - 5. Technical description 714 - ======================== 715 - 716 - kmemcheck works by marking memory pages non-present. This means that whenever 717 - somebody attempts to access the page, a page fault is generated. The page 718 - fault handler notices that the page was in fact only hidden, and so it calls 719 - on the kmemcheck code to make further investigations. 720 - 721 - When the investigations are completed, kmemcheck "shows" the page by marking 722 - it present (as it would be under normal circumstances). This way, the 723 - interrupted code can continue as usual. 724 - 725 - But after the instruction has been executed, we should hide the page again, so 726 - that we can catch the next access too! Now kmemcheck makes use of a debugging 727 - feature of the processor, namely single-stepping. When the processor has 728 - finished the one instruction that generated the memory access, a debug 729 - exception is raised. From here, we simply hide the page again and continue 730 - execution, this time with the single-stepping feature turned off. 731 - 732 - kmemcheck requires some assistance from the memory allocator in order to work. 733 - The memory allocator needs to 734 - 735 - 1. Tell kmemcheck about newly allocated pages and pages that are about to 736 - be freed. This allows kmemcheck to set up and tear down the shadow memory 737 - for the pages in question. The shadow memory stores the status of each 738 - byte in the allocation proper, e.g. whether it is initialized or 739 - uninitialized. 740 - 741 - 2. Tell kmemcheck which parts of memory should be marked uninitialized. 742 - There are actually a few more states, such as "not yet allocated" and 743 - "recently freed". 744 - 745 - If a slab cache is set up using the SLAB_NOTRACK flag, it will never return 746 - memory that can take page faults because of kmemcheck. 747 - 748 - If a slab cache is NOT set up using the SLAB_NOTRACK flag, callers can still 749 - request memory with the __GFP_NOTRACK or __GFP_NOTRACK_FALSE_POSITIVE flags. 750 - This does not prevent the page faults from occurring, however, but marks the 751 - object in question as being initialized so that no warnings will ever be 752 - produced for this object. 753 - 754 - Currently, the SLAB and SLUB allocators are supported by kmemcheck.

+48 -41

Documentation/kmemleak.txt Documentation/dev-tools/kmemleak.rst

··· 1 1 Kernel Memory Leak Detector 2 2 =========================== 3 3 4 - Introduction 5 - ------------ 6 - 7 4 Kmemleak provides a way of detecting possible kernel memory leaks in a 8 5 way similar to a tracing garbage collector 9 6 (https://en.wikipedia.org/wiki/Garbage_collection_%28computer_science%29#Tracing_garbage_collectors), 10 7 with the difference that the orphan objects are not freed but only 11 8 reported via /sys/kernel/debug/kmemleak. A similar method is used by the 12 - Valgrind tool (memcheck --leak-check) to detect the memory leaks in 9 + Valgrind tool (``memcheck --leak-check``) to detect the memory leaks in 13 10 user-space applications. 14 11 Kmemleak is supported on x86, arm, powerpc, sparc, sh, microblaze, ppc, mips, s390, metag and tile. 15 12 ··· 16 19 CONFIG_DEBUG_KMEMLEAK in "Kernel hacking" has to be enabled. A kernel 17 20 thread scans the memory every 10 minutes (by default) and prints the 18 21 number of new unreferenced objects found. To display the details of all 19 - the possible memory leaks: 22 + the possible memory leaks:: 20 23 21 24 # mount -t debugfs nodev /sys/kernel/debug/ 22 25 # cat /sys/kernel/debug/kmemleak 23 26 24 - To trigger an intermediate memory scan: 27 + To trigger an intermediate memory scan:: 25 28 26 29 # echo scan > /sys/kernel/debug/kmemleak 27 30 28 - To clear the list of all current possible memory leaks: 31 + To clear the list of all current possible memory leaks:: 29 32 30 33 # echo clear > /sys/kernel/debug/kmemleak 31 34 32 - New leaks will then come up upon reading /sys/kernel/debug/kmemleak 35 + New leaks will then come up upon reading ``/sys/kernel/debug/kmemleak`` 33 36 again. 34 37 35 38 Note that the orphan objects are listed in the order they were allocated ··· 37 40 objects to be reported as orphan. 38 41 39 42 Memory scanning parameters can be modified at run-time by writing to the 40 - /sys/kernel/debug/kmemleak file. The following parameters are supported: 43 + ``/sys/kernel/debug/kmemleak`` file. The following parameters are supported: 41 44 42 - off - disable kmemleak (irreversible) 43 - stack=on - enable the task stacks scanning (default) 44 - stack=off - disable the tasks stacks scanning 45 - scan=on - start the automatic memory scanning thread (default) 46 - scan=off - stop the automatic memory scanning thread 47 - scan=<secs> - set the automatic memory scanning period in seconds 48 - (default 600, 0 to stop the automatic scanning) 49 - scan - trigger a memory scan 50 - clear - clear list of current memory leak suspects, done by 51 - marking all current reported unreferenced objects grey, 52 - or free all kmemleak objects if kmemleak has been disabled. 53 - dump=<addr> - dump information about the object found at <addr> 45 + - off 46 + disable kmemleak (irreversible) 47 + - stack=on 48 + enable the task stacks scanning (default) 49 + - stack=off 50 + disable the tasks stacks scanning 51 + - scan=on 52 + start the automatic memory scanning thread (default) 53 + - scan=off 54 + stop the automatic memory scanning thread 55 + - scan=<secs> 56 + set the automatic memory scanning period in seconds 57 + (default 600, 0 to stop the automatic scanning) 58 + - scan 59 + trigger a memory scan 60 + - clear 61 + clear list of current memory leak suspects, done by 62 + marking all current reported unreferenced objects grey, 63 + or free all kmemleak objects if kmemleak has been disabled. 64 + - dump=<addr> 65 + dump information about the object found at <addr> 54 66 55 - Kmemleak can also be disabled at boot-time by passing "kmemleak=off" on 67 + Kmemleak can also be disabled at boot-time by passing ``kmemleak=off`` on 56 68 the kernel command line. 57 69 58 70 Memory may be allocated or freed before kmemleak is initialised and ··· 69 63 is configured via the CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE option. 70 64 71 65 If CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF are enabled, the kmemleak is 72 - disabled by default. Passing "kmemleak=on" on the kernel command 66 + disabled by default. Passing ``kmemleak=on`` on the kernel command 73 67 line enables the function. 74 68 75 69 Basic Algorithm 76 70 --------------- 77 71 78 - The memory allocations via kmalloc, vmalloc, kmem_cache_alloc and 72 + The memory allocations via :c:func:`kmalloc`, :c:func:`vmalloc`, 73 + :c:func:`kmem_cache_alloc` and 79 74 friends are traced and the pointers, together with additional 80 75 information like size and stack trace, are stored in a rbtree. 81 76 The corresponding freeing function calls are tracked and the pointers ··· 120 113 you can find new unreferenced objects; this should help with testing 121 114 specific sections of code. 122 115 123 - To test a critical section on demand with a clean kmemleak do: 116 + To test a critical section on demand with a clean kmemleak do:: 124 117 125 118 # echo clear > /sys/kernel/debug/kmemleak 126 119 ... test your kernel or modules ... 127 120 # echo scan > /sys/kernel/debug/kmemleak 128 121 129 - Then as usual to get your report with: 122 + Then as usual to get your report with:: 130 123 131 124 # cat /sys/kernel/debug/kmemleak 132 125 ··· 138 131 won't be freed when kmemleak is disabled, and those objects may occupy 139 132 a large part of physical memory. 140 133 141 - In this situation, you may reclaim memory with: 134 + In this situation, you may reclaim memory with:: 142 135 143 136 # echo clear > /sys/kernel/debug/kmemleak 144 137 ··· 147 140 148 141 See the include/linux/kmemleak.h header for the functions prototype. 149 142 150 - kmemleak_init - initialize kmemleak 151 - kmemleak_alloc - notify of a memory block allocation 152 - kmemleak_alloc_percpu - notify of a percpu memory block allocation 153 - kmemleak_free - notify of a memory block freeing 154 - kmemleak_free_part - notify of a partial memory block freeing 155 - kmemleak_free_percpu - notify of a percpu memory block freeing 156 - kmemleak_update_trace - update object allocation stack trace 157 - kmemleak_not_leak - mark an object as not a leak 158 - kmemleak_ignore - do not scan or report an object as leak 159 - kmemleak_scan_area - add scan areas inside a memory block 160 - kmemleak_no_scan - do not scan a memory block 161 - kmemleak_erase - erase an old value in a pointer variable 162 - kmemleak_alloc_recursive - as kmemleak_alloc but checks the recursiveness 163 - kmemleak_free_recursive - as kmemleak_free but checks the recursiveness 143 + - ``kmemleak_init`` - initialize kmemleak 144 + - ``kmemleak_alloc`` - notify of a memory block allocation 145 + - ``kmemleak_alloc_percpu`` - notify of a percpu memory block allocation 146 + - ``kmemleak_free`` - notify of a memory block freeing 147 + - ``kmemleak_free_part`` - notify of a partial memory block freeing 148 + - ``kmemleak_free_percpu`` - notify of a percpu memory block freeing 149 + - ``kmemleak_update_trace`` - update object allocation stack trace 150 + - ``kmemleak_not_leak`` - mark an object as not a leak 151 + - ``kmemleak_ignore`` - do not scan or report an object as leak 152 + - ``kmemleak_scan_area`` - add scan areas inside a memory block 153 + - ``kmemleak_no_scan`` - do not scan a memory block 154 + - ``kmemleak_erase`` - erase an old value in a pointer variable 155 + - ``kmemleak_alloc_recursive`` - as kmemleak_alloc but checks the recursiveness 156 + - ``kmemleak_free_recursive`` - as kmemleak_free but checks the recursiveness 164 157 165 158 Dealing with false positives/negatives 166 159 --------------------------------------

+10

Documentation/kprobes.txt

··· 103 103 or in registers. The jprobe will work in either case, so long as the 104 104 handler's prototype matches that of the probed function. 105 105 106 + Note that in some architectures (e.g.: arm64 and sparc64) the stack 107 + copy is not done, as the actual location of stacked parameters may be 108 + outside of a reasonable MAX_STACK_SIZE value and because that location 109 + cannot be determined by the jprobes code. In this case the jprobes 110 + user must be careful to make certain the calling signature of the 111 + function does not cause parameters to be passed on the stack (e.g.: 112 + more than eight function arguments, an argument of more than sixteen 113 + bytes, or more than 64 bytes of argument data, depending on 114 + architecture). 115 + 106 116 1.3 Return Probes 107 117 108 118 1.3.1 How Does a Return Probe Work?

+2 -1

Documentation/media/Makefile

··· 10 10 11 11 TARGETS := $(addprefix $(BUILDDIR)/, $(FILES)) 12 12 13 - htmldocs: $(BUILDDIR) ${TARGETS} 13 + .PHONY: all 14 + all: $(BUILDDIR) ${TARGETS} 14 15 15 16 $(BUILDDIR): 16 17 $(Q)mkdir -p $@

+5

Documentation/media/conf.py

··· 1 + # -*- coding: utf-8; mode: python -*- 2 + 3 + project = 'Linux Media Subsystem Documentation' 4 + 5 + tags.add("subproject")

+93

Documentation/media/conf_nitpick.py

··· 1 + # -*- coding: utf-8; mode: python -*- 2 + 3 + project = 'Linux Media Subsystem Documentation' 4 + 5 + # It is possible to run Sphinx in nickpick mode with: 6 + nitpicky = True 7 + 8 + # within nit-picking build, do not refer to any intersphinx object 9 + intersphinx_mapping = {} 10 + 11 + # In nickpick mode, it will complain about lots of missing references that 12 + # 13 + # 1) are just typedefs like: bool, __u32, etc; 14 + # 2) It will complain for things like: enum, NULL; 15 + # 3) It will complain for symbols that should be on different 16 + # books (but currently aren't ported to ReST) 17 + # 18 + # The list below has a list of such symbols to be ignored in nitpick mode 19 + # 20 + nitpick_ignore = [ 21 + ("c:func", "clock_gettime"), 22 + ("c:func", "close"), 23 + ("c:func", "container_of"), 24 + ("c:func", "determine_valid_ioctls"), 25 + ("c:func", "ERR_PTR"), 26 + ("c:func", "ioctl"), 27 + ("c:func", "IS_ERR"), 28 + ("c:func", "mmap"), 29 + ("c:func", "open"), 30 + ("c:func", "pci_name"), 31 + ("c:func", "poll"), 32 + ("c:func", "PTR_ERR"), 33 + ("c:func", "read"), 34 + ("c:func", "release"), 35 + ("c:func", "set"), 36 + ("c:func", "struct fd_set"), 37 + ("c:func", "struct pollfd"), 38 + ("c:func", "usb_make_path"), 39 + ("c:func", "write"), 40 + ("c:type", "atomic_t"), 41 + ("c:type", "bool"), 42 + ("c:type", "buf_queue"), 43 + ("c:type", "device"), 44 + ("c:type", "device_driver"), 45 + ("c:type", "device_node"), 46 + ("c:type", "enum"), 47 + ("c:type", "file"), 48 + ("c:type", "i2c_adapter"), 49 + ("c:type", "i2c_board_info"), 50 + ("c:type", "i2c_client"), 51 + ("c:type", "ktime_t"), 52 + ("c:type", "led_classdev_flash"), 53 + ("c:type", "list_head"), 54 + ("c:type", "lock_class_key"), 55 + ("c:type", "module"), 56 + ("c:type", "mutex"), 57 + ("c:type", "pci_dev"), 58 + ("c:type", "pdvbdev"), 59 + ("c:type", "poll_table_struct"), 60 + ("c:type", "s32"), 61 + ("c:type", "s64"), 62 + ("c:type", "sd"), 63 + ("c:type", "spi_board_info"), 64 + ("c:type", "spi_device"), 65 + ("c:type", "spi_master"), 66 + ("c:type", "struct fb_fix_screeninfo"), 67 + ("c:type", "struct pollfd"), 68 + ("c:type", "struct timeval"), 69 + ("c:type", "struct video_capability"), 70 + ("c:type", "u16"), 71 + ("c:type", "u32"), 72 + ("c:type", "u64"), 73 + ("c:type", "u8"), 74 + ("c:type", "union"), 75 + ("c:type", "usb_device"), 76 + 77 + ("cpp:type", "boolean"), 78 + ("cpp:type", "fd"), 79 + ("cpp:type", "fd_set"), 80 + ("cpp:type", "int16_t"), 81 + ("cpp:type", "NULL"), 82 + ("cpp:type", "off_t"), 83 + ("cpp:type", "pollfd"), 84 + ("cpp:type", "size_t"), 85 + ("cpp:type", "ssize_t"), 86 + ("cpp:type", "timeval"), 87 + ("cpp:type", "__u16"), 88 + ("cpp:type", "__u32"), 89 + ("cpp:type", "__u64"), 90 + ("cpp:type", "uint16_t"), 91 + ("cpp:type", "uint32_t"), 92 + ("cpp:type", "video_system_t"), 93 + ]

+19

Documentation/media/index.rst

··· 1 + Linux Media Subsystem Documentation 2 + =================================== 3 + 4 + Contents: 5 + 6 + .. toctree:: 7 + :maxdepth: 2 8 + 9 + media_uapi 10 + media_kapi 11 + dvb-drivers/index 12 + v4l-drivers/index 13 + 14 + .. only:: subproject 15 + 16 + Indices 17 + ======= 18 + 19 + * :ref:`genindex`

+1 -1

Documentation/media/uapi/cec/cec-func-open.rst

··· 32 32 Open flags. Access mode must be ``O_RDWR``. 33 33 34 34 When the ``O_NONBLOCK`` flag is given, the 35 - :ref:`CEC_RECEIVE <CEC_RECEIVE>` and :ref:`CEC_DQEVENT <CEC_DQEVENT>` ioctls 35 + :ref:`CEC_RECEIVE <CEC_RECEIVE>` and :c:func:`CEC_DQEVENT` ioctls 36 36 will return the ``EAGAIN`` error code when no message or event is available, and 37 37 ioctls :ref:`CEC_TRANSMIT <CEC_TRANSMIT>`, 38 38 :ref:`CEC_ADAP_S_PHYS_ADDR <CEC_ADAP_S_PHYS_ADDR>` and

+3 -2

Documentation/media/uapi/cec/cec-ioc-dqevent.rst

··· 15 15 Synopsis 16 16 ======== 17 17 18 - .. cpp:function:: int ioctl( int fd, int request, struct cec_event *argp ) 18 + .. c:function:: int ioctl( int fd, int request, struct cec_event *argp ) 19 + :name: CEC_DQEVENT 19 20 20 21 Arguments 21 22 ========= ··· 39 38 and is currently only available as a staging kernel module. 40 39 41 40 CEC devices can send asynchronous events. These can be retrieved by 42 - calling :ref:`ioctl CEC_DQEVENT <CEC_DQEVENT>`. If the file descriptor is in 41 + calling :c:func:`CEC_DQEVENT`. If the file descriptor is in 43 42 non-blocking mode and no event is pending, then it will return -1 and 44 43 set errno to the ``EAGAIN`` error code. 45 44

+2 -3

Documentation/serial/serial-rs485.txt

··· 45 45 46 46 #include <linux/serial.h> 47 47 48 - /* RS485 ioctls: */ 49 - #define TIOCGRS485 0x542E 50 - #define TIOCSRS485 0x542F 48 + /* Include definition for RS485 ioctls: TIOCGRS485 and TIOCSRS485 */ 49 + #include <sys/ioctl.h> 51 50 52 51 /* Open your specific device (e.g., /dev/mydevice): */ 53 52 int fd = open ("/dev/mydevice", O_RDWR);

+24 -15

Documentation/sparse.txt Documentation/dev-tools/sparse.rst

··· 1 - Copyright 2004 Linus Torvalds 2 - Copyright 2004 Pavel Machek <pavel@ucw.cz> 3 - Copyright 2006 Bob Copeland <me@bobcopeland.com> 1 + .. Copyright 2004 Linus Torvalds 2 + .. Copyright 2004 Pavel Machek <pavel@ucw.cz> 3 + .. Copyright 2006 Bob Copeland <me@bobcopeland.com> 4 + 5 + Sparse 6 + ====== 7 + 8 + Sparse is a semantic checker for C programs; it can be used to find a 9 + number of potential problems with kernel code. See 10 + https://lwn.net/Articles/689907/ for an overview of sparse; this document 11 + contains some kernel-specific sparse information. 12 + 4 13 5 14 Using sparse for typechecking 6 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 15 + ----------------------------- 7 16 8 - "__bitwise" is a type attribute, so you have to do something like this: 17 + "__bitwise" is a type attribute, so you have to do something like this:: 9 18 10 19 typedef int __bitwise pm_request_t; 11 20 ··· 29 20 the enum values are all the same type, now "enum pm_request" will be that 30 21 type too. 31 22 32 - And with gcc, all the __bitwise/__force stuff goes away, and it all ends 33 - up looking just like integers to gcc. 23 + And with gcc, all the "__bitwise"/"__force stuff" goes away, and it all 24 + ends up looking just like integers to gcc. 34 25 35 26 Quite frankly, you don't need the enum there. The above all really just 36 27 boils down to one special "int __bitwise" type. 37 28 38 - So the simpler way is to just do 29 + So the simpler way is to just do:: 39 30 40 31 typedef int __bitwise pm_request_t; 41 32 ··· 59 50 don't want to drown in noise unless we'd explicitly asked for it. 60 51 61 52 Using sparse for lock checking 62 - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 53 + ------------------------------ 63 54 64 55 The following macros are undefined for gcc and defined during a sparse 65 56 run to use the "context" tracking feature of sparse, applied to ··· 78 69 sparse would otherwise report a context imbalance. 79 70 80 71 Getting sparse 81 - ~~~~~~~~~~~~~~ 72 + -------------- 82 73 83 74 You can get latest released versions from the Sparse homepage at 84 75 https://sparse.wiki.kernel.org/index.php/Main_Page 85 76 86 77 Alternatively, you can get snapshots of the latest development version 87 - of sparse using git to clone.. 78 + of sparse using git to clone:: 88 79 89 80 git://git.kernel.org/pub/scm/devel/sparse/sparse.git 90 81 91 - DaveJ has hourly generated tarballs of the git tree available at.. 82 + DaveJ has hourly generated tarballs of the git tree available at:: 92 83 93 84 http://www.codemonkey.org.uk/projects/git-snapshots/sparse/ 94 85 95 86 96 - Once you have it, just do 87 + Once you have it, just do:: 97 88 98 89 make 99 90 make install ··· 101 92 as a regular user, and it will install sparse in your ~/bin directory. 102 93 103 94 Using sparse 104 - ~~~~~~~~~~~~ 95 + ------------ 105 96 106 97 Do a kernel make with "make C=1" to run sparse on all the C files that get 107 98 recompiled, or use "make C=2" to run sparse on the files whether they need to ··· 110 101 111 102 The optional make variable CF can be used to pass arguments to sparse. The 112 103 build system passes -Wbitwise to sparse automatically. To perform endianness 113 - checks, you may define __CHECK_ENDIAN__: 104 + checks, you may define __CHECK_ENDIAN__:: 114 105 115 106 make C=2 CF="-D__CHECK_ENDIAN__" 116 107

+2 -1

Documentation/sphinx-static/theme_overrides.css

··· 42 42 caption a.headerlink { opacity: 0; } 43 43 caption a.headerlink:hover { opacity: 1; } 44 44 45 - /* inline literal: drop the borderbox and red color */ 45 + /* inline literal: drop the borderbox, padding and red color */ 46 46 47 47 code, .rst-content tt, .rst-content code { 48 48 color: inherit; 49 49 border: none; 50 + padding: unset; 50 51 background: inherit; 51 52 font-size: 85%; 52 53 }

+102

Documentation/sphinx/cdomain.py

··· 1 + # -*- coding: utf-8; mode: python -*- 2 + u""" 3 + cdomain 4 + ~~~~~~~ 5 + 6 + Replacement for the sphinx c-domain. 7 + 8 + :copyright: Copyright (C) 2016 Markus Heiser 9 + :license: GPL Version 2, June 1991 see Linux/COPYING for details. 10 + 11 + List of customizations: 12 + 13 + * Moved the *duplicate C object description* warnings for function 14 + declarations in the nitpicky mode. See Sphinx documentation for 15 + the config values for ``nitpick`` and ``nitpick_ignore``. 16 + 17 + * Add option 'name' to the "c:function:" directive. With option 'name' the 18 + ref-name of a function can be modified. E.g.:: 19 + 20 + .. c:function:: int ioctl( int fd, int request ) 21 + :name: VIDIOC_LOG_STATUS 22 + 23 + The func-name (e.g. ioctl) remains in the output but the ref-name changed 24 + from 'ioctl' to 'VIDIOC_LOG_STATUS'. The function is referenced by:: 25 + 26 + * :c:func:`VIDIOC_LOG_STATUS` or 27 + * :any:`VIDIOC_LOG_STATUS` (``:any:`` needs sphinx 1.3) 28 + """ 29 + 30 + from docutils.parsers.rst import directives 31 + 32 + from sphinx.domains.c import CObject as Base_CObject 33 + from sphinx.domains.c import CDomain as Base_CDomain 34 + 35 + __version__ = '1.0' 36 + 37 + def setup(app): 38 + 39 + app.override_domain(CDomain) 40 + 41 + return dict( 42 + version = __version__, 43 + parallel_read_safe = True, 44 + parallel_write_safe = True 45 + ) 46 + 47 + class CObject(Base_CObject): 48 + 49 + """ 50 + Description of a C language object. 51 + """ 52 + option_spec = { 53 + "name" : directives.unchanged 54 + } 55 + 56 + def handle_signature(self, sig, signode): 57 + """Transform a C signature into RST nodes.""" 58 + fullname = super(CObject, self).handle_signature(sig, signode) 59 + if "name" in self.options: 60 + if self.objtype == 'function': 61 + fullname = self.options["name"] 62 + else: 63 + # FIXME: handle :name: value of other declaration types? 64 + pass 65 + return fullname 66 + 67 + def add_target_and_index(self, name, sig, signode): 68 + # for C API items we add a prefix since names are usually not qualified 69 + # by a module name and so easily clash with e.g. section titles 70 + targetname = 'c.' + name 71 + if targetname not in self.state.document.ids: 72 + signode['names'].append(targetname) 73 + signode['ids'].append(targetname) 74 + signode['first'] = (not self.names) 75 + self.state.document.note_explicit_target(signode) 76 + inv = self.env.domaindata['c']['objects'] 77 + if (name in inv and self.env.config.nitpicky): 78 + if self.objtype == 'function': 79 + if ('c:func', name) not in self.env.config.nitpick_ignore: 80 + self.state_machine.reporter.warning( 81 + 'duplicate C object description of %s, ' % name + 82 + 'other instance in ' + self.env.doc2path(inv[name][0]), 83 + line=self.lineno) 84 + inv[name] = (self.env.docname, self.objtype) 85 + 86 + indextext = self.get_index_text(name) 87 + if indextext: 88 + self.indexnode['entries'].append(('single', indextext, 89 + targetname, '', None)) 90 + 91 + class CDomain(Base_CDomain): 92 + 93 + """C language domain.""" 94 + name = 'c' 95 + label = 'C' 96 + directives = { 97 + 'function': CObject, 98 + 'member': CObject, 99 + 'macro': CObject, 100 + 'type': CObject, 101 + 'var': CObject, 102 + }

+32

Documentation/sphinx/load_config.py

··· 1 + # -*- coding: utf-8; mode: python -*- 2 + # pylint: disable=R0903, C0330, R0914, R0912, E0401 3 + 4 + import os 5 + import sys 6 + from sphinx.util.pycompat import execfile_ 7 + 8 + # ------------------------------------------------------------------------------ 9 + def loadConfig(namespace): 10 + # ------------------------------------------------------------------------------ 11 + 12 + u"""Load an additional configuration file into *namespace*. 13 + 14 + The name of the configuration file is taken from the environment 15 + ``SPHINX_CONF``. The external configuration file extends (or overwrites) the 16 + configuration values from the origin ``conf.py``. With this you are able to 17 + maintain *build themes*. """ 18 + 19 + config_file = os.environ.get("SPHINX_CONF", None) 20 + if (config_file is not None 21 + and os.path.normpath(namespace["__file__"]) != os.path.normpath(config_file) ): 22 + config_file = os.path.abspath(config_file) 23 + 24 + if os.path.isfile(config_file): 25 + sys.stdout.write("load additional sphinx-config: %s\n" % config_file) 26 + config = namespace.copy() 27 + config['__file__'] = config_file 28 + execfile_(config_file, config) 29 + del config['__file__'] 30 + namespace.update(config) 31 + else: 32 + sys.stderr.write("WARNING: additional sphinx-config not found: %s\n" % config_file)

+1 -1

Documentation/sphinx/parse-headers.pl

··· 220 220 # 221 221 # Add escape codes for special characters 222 222 # 223 - $data =~ s,([\_\`\*\<\>\&\\\\:\/\|]),\\$1,g; 223 + $data =~ s,([\_\`\*\<\>\&\\\\:\/\|\%\$\#\{\}\~\^]),\\$1,g; 224 224 225 225 $data =~ s,DEPRECATED,**DEPRECATED**,g; 226 226

+23 -19

Documentation/ubsan.txt Documentation/dev-tools/ubsan.rst

··· 1 - Undefined Behavior Sanitizer - UBSAN 2 - 3 - Overview 4 - -------- 1 + The Undefined Behavior Sanitizer - UBSAN 2 + ======================================== 5 3 6 4 UBSAN is a runtime undefined behaviour checker. 7 5 ··· 8 10 that may cause UB. If check fails (i.e. UB detected) __ubsan_handle_* 9 11 function called to print error message. 10 12 11 - GCC has that feature since 4.9.x [1] (see -fsanitize=undefined option and 12 - its suboptions). GCC 5.x has more checkers implemented [2]. 13 + GCC has that feature since 4.9.x [1_] (see ``-fsanitize=undefined`` option and 14 + its suboptions). GCC 5.x has more checkers implemented [2_]. 13 15 14 16 Report example 15 - --------------- 17 + -------------- 18 + 19 + :: 16 20 17 21 ================================================================================ 18 22 UBSAN: Undefined behaviour in ../include/linux/bitops.h:110:33 ··· 47 47 Usage 48 48 ----- 49 49 50 - To enable UBSAN configure kernel with: 50 + To enable UBSAN configure kernel with:: 51 51 52 52 CONFIG_UBSAN=y 53 53 54 - and to check the entire kernel: 54 + and to check the entire kernel:: 55 55 56 56 CONFIG_UBSAN_SANITIZE_ALL=y 57 57 58 58 To enable instrumentation for specific files or directories, add a line 59 59 similar to the following to the respective kernel Makefile: 60 60 61 - For a single file (e.g. main.o): 62 - UBSAN_SANITIZE_main.o := y 61 + - For a single file (e.g. main.o):: 63 62 64 - For all files in one directory: 65 - UBSAN_SANITIZE := y 63 + UBSAN_SANITIZE_main.o := y 64 + 65 + - For all files in one directory:: 66 + 67 + UBSAN_SANITIZE := y 66 68 67 69 To exclude files from being instrumented even if 68 - CONFIG_UBSAN_SANITIZE_ALL=y, use: 70 + ``CONFIG_UBSAN_SANITIZE_ALL=y``, use:: 69 71 70 - UBSAN_SANITIZE_main.o := n 71 - and: 72 - UBSAN_SANITIZE := n 72 + UBSAN_SANITIZE_main.o := n 73 + 74 + and:: 75 + 76 + UBSAN_SANITIZE := n 73 77 74 78 Detection of unaligned accesses controlled through the separate option - 75 79 CONFIG_UBSAN_ALIGNMENT. It's off by default on architectures that support ··· 84 80 References 85 81 ---------- 86 82 87 - [1] - https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Debugging-Options.html 88 - [2] - https://gcc.gnu.org/onlinedocs/gcc/Debugging-Options.html 83 + .. _1: https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Debugging-Options.html 84 + .. _2: https://gcc.gnu.org/onlinedocs/gcc/Debugging-Options.html

+5 -5

MAINTAINERS

··· 3124 3124 T: git git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild.git misc 3125 3125 W: http://coccinelle.lip6.fr/ 3126 3126 S: Supported 3127 - F: Documentation/coccinelle.txt 3127 + F: Documentation/dev-tools/coccinelle.rst 3128 3128 F: scripts/coccinelle/ 3129 3129 F: scripts/coccicheck 3130 3130 ··· 5118 5118 M: Peter Oberparleiter <oberpar@linux.vnet.ibm.com> 5119 5119 S: Maintained 5120 5120 F: kernel/gcov/ 5121 - F: Documentation/gcov.txt 5121 + F: Documentation/dev-tools/gcov.rst 5122 5122 5123 5123 GDT SCSI DISK ARRAY CONTROLLER DRIVER 5124 5124 M: Achim Leubner <achim_leubner@adaptec.com> ··· 6587 6587 S: Maintained 6588 6588 F: arch/*/include/asm/kasan.h 6589 6589 F: arch/*/mm/kasan_init* 6590 - F: Documentation/kasan.txt 6590 + F: Documentation/dev-tools/kasan.rst 6591 6591 F: include/linux/kasan*.h 6592 6592 F: lib/test_kasan.c 6593 6593 F: mm/kasan/ ··· 6803 6803 M: Vegard Nossum <vegardno@ifi.uio.no> 6804 6804 M: Pekka Enberg <penberg@kernel.org> 6805 6805 S: Maintained 6806 - F: Documentation/kmemcheck.txt 6806 + F: Documentation/dev-tools/kmemcheck.rst 6807 6807 F: arch/x86/include/asm/kmemcheck.h 6808 6808 F: arch/x86/mm/kmemcheck/ 6809 6809 F: include/linux/kmemcheck.h ··· 6812 6812 KMEMLEAK 6813 6813 M: Catalin Marinas <catalin.marinas@arm.com> 6814 6814 S: Maintained 6815 - F: Documentation/kmemleak.txt 6815 + F: Documentation/dev-tools/kmemleak.rst 6816 6816 F: include/linux/kmemleak.h 6817 6817 F: mm/kmemleak.c 6818 6818 F: mm/kmemleak-test.c

+1 -1

Makefile

··· 1432 1432 1433 1433 # Documentation targets 1434 1434 # --------------------------------------------------------------------------- 1435 - DOC_TARGETS := xmldocs sgmldocs psdocs pdfdocs htmldocs mandocs installmandocs epubdocs cleandocs 1435 + DOC_TARGETS := xmldocs sgmldocs psdocs latexdocs pdfdocs htmldocs mandocs installmandocs epubdocs cleandocs 1436 1436 PHONY += $(DOC_TARGETS) 1437 1437 $(DOC_TARGETS): scripts_basic FORCE 1438 1438 $(Q)$(MAKE) $(build)=scripts build_docproc build_check-lc_ctype

+2 -6

README

··· 229 229 under some circumstances lead to problems: probing for a 230 230 nonexistent controller card may confuse your other controllers 231 231 232 - - Compiling the kernel with "Processor type" set higher than 386 233 - will result in a kernel that does NOT work on a 386. The 234 - kernel will detect this on bootup, and give up. 235 - 236 232 - A kernel with math-emulation compiled in will still use the 237 233 coprocessor if one is present: the math emulation will just 238 234 never get used in that case. The kernel will be slightly larger, ··· 285 289 LOCALVERSION can be set in the "General Setup" menu. 286 290 287 291 - In order to boot your new kernel, you'll need to copy the kernel 288 - image (e.g. .../linux/arch/i386/boot/bzImage after compilation) 292 + image (e.g. .../linux/arch/x86/boot/bzImage after compilation) 289 293 to the place where your regular bootable kernel is found. 290 294 291 295 - Booting a kernel directly from a floppy without the assistance of a ··· 387 391 388 392 - Alternatively, you can use gdb on a running kernel. (read-only; i.e. you 389 393 cannot change values or set break points.) To do this, first compile the 390 - kernel with -g; edit arch/i386/Makefile appropriately, then do a "make 394 + kernel with -g; edit arch/x86/Makefile appropriately, then do a "make 391 395 clean". You'll also need to enable CONFIG_PROC_FS (via "make config"). 392 396 393 397 After you've rebooted with the new kernel, do "gdb vmlinux /proc/kcore".

-3

scripts/kernel-doc

··· 1849 1849 $count++; 1850 1850 $type = $args{'parametertypes'}{$parameter}; 1851 1851 1852 - # RST doesn't like address_space tags at function prototypes 1853 - $type =~ s/__(user|kernel|iomem|percpu|pmem|rcu)\s*//; 1854 - 1855 1852 if ($type =~ m/([^$]*\(\*)\s*$\s*$([^$]*)\)/) { 1856 1853 # pointer-to-function 1857 1854 print $1 . $parameter . ") (" . $2;