Loading...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 | GETTING STARTED WITH KMEMCHECK ============================== Vegard Nossum <vegardno@ifi.uio.no> Contents ======== 0. Introduction 1. Downloading 2. Configuring and compiling 3. How to use 3.1. Booting 3.2. Run-time enable/disable 3.3. Debugging 3.4. Annotating false positives 4. Reporting errors 5. Technical description 0. Introduction =============== kmemcheck is a debugging feature for the Linux Kernel. More specifically, it is a dynamic checker that detects and warns about some uses of uninitialized memory. Userspace programmers might be familiar with Valgrind's memcheck. The main difference between memcheck and kmemcheck is that memcheck works for userspace programs only, and kmemcheck works for the kernel only. The implementations are of course vastly different. Because of this, kmemcheck is not as accurate as memcheck, but it turns out to be good enough in practice to discover real programmer errors that the compiler is not able to find through static analysis. Enabling kmemcheck on a kernel will probably slow it down to the extent that the machine will not be usable for normal workloads such as e.g. an interactive desktop. kmemcheck will also cause the kernel to use about twice as much memory as normal. For this reason, kmemcheck is strictly a debugging feature. 1. Downloading ============== As of version 2.6.31-rc1, kmemcheck is included in the mainline kernel. 2. Configuring and compiling ============================ kmemcheck only works for the x86 (both 32- and 64-bit) platform. A number of configuration variables must have specific settings in order for the kmemcheck menu to even appear in "menuconfig". These are: o CONFIG_CC_OPTIMIZE_FOR_SIZE=n This option is located under "General setup" / "Optimize for size". Without this, gcc will use certain optimizations that usually lead to false positive warnings from kmemcheck. An example of this is a 16-bit field in a struct, where gcc may load 32 bits, then discard the upper 16 bits. kmemcheck sees only the 32-bit load, and may trigger a warning for the upper 16 bits (if they're uninitialized). o CONFIG_SLAB=y or CONFIG_SLUB=y This option is located under "General setup" / "Choose SLAB allocator". o CONFIG_FUNCTION_TRACER=n This option is located under "Kernel hacking" / "Tracers" / "Kernel Function Tracer" When function tracing is compiled in, gcc emits a call to another function at the beginning of every function. This means that when the page fault handler is called, the ftrace framework will be called before kmemcheck has had a chance to handle the fault. If ftrace then modifies memory that was tracked by kmemcheck, the result is an endless recursive page fault. o CONFIG_DEBUG_PAGEALLOC=n This option is located under "Kernel hacking" / "Debug page memory allocations". In addition, I highly recommend turning on CONFIG_DEBUG_INFO=y. This is also located under "Kernel hacking". With this, you will be able to get line number information from the kmemcheck warnings, which is extremely valuable in debugging a problem. This option is not mandatory, however, because it slows down the compilation process and produces a much bigger kernel image. Now the kmemcheck menu should be visible (under "Kernel hacking" / "kmemcheck: trap use of uninitialized memory"). Here follows a description of the kmemcheck configuration variables: o CONFIG_KMEMCHECK This must be enabled in order to use kmemcheck at all... o CONFIG_KMEMCHECK_[DISABLED | ENABLED | ONESHOT]_BY_DEFAULT This option controls the status of kmemcheck at boot-time. "Enabled" will enable kmemcheck right from the start, "disabled" will boot the kernel as normal (but with the kmemcheck code compiled in, so it can be enabled at run-time after the kernel has booted), and "one-shot" is a special mode which will turn kmemcheck off automatically after detecting the first use of uninitialized memory. If you are using kmemcheck to actively debug a problem, then you probably want to choose "enabled" here. The one-shot mode is mostly useful in automated test setups because it can prevent floods of warnings and increase the chances of the machine surviving in case something is really wrong. In other cases, the one- shot mode could actually be counter-productive because it would turn itself off at the very first error -- in the case of a false positive too -- and this would come in the way of debugging the specific problem you were interested in. If you would like to use your kernel as normal, but with a chance to enable kmemcheck in case of some problem, it might be a good idea to choose "disabled" here. When kmemcheck is disabled, most of the run- time overhead is not incurred, and the kernel will be almost as fast as normal. o CONFIG_KMEMCHECK_QUEUE_SIZE Select the maximum number of error reports to store in an internal (fixed-size) buffer. Since errors can occur virtually anywhere and in any context, we need a temporary storage area which is guaranteed not to generate any other page faults when accessed. The queue will be emptied as soon as a tasklet may be scheduled. If the queue is full, new error reports will be lost. The default value of 64 is probably fine. If some code produces more than 64 errors within an irqs-off section, then the code is likely to produce many, many more, too, and these additional reports seldom give any more information (the first report is usually the most valuable anyway). This number might have to be adjusted if you are not using serial console or similar to capture the kernel log. If you are using the "dmesg" command to save the log, then getting a lot of kmemcheck warnings might overflow the kernel log itself, and the earlier reports will get lost in that way instead. Try setting this to 10 or so on such a setup. o CONFIG_KMEMCHECK_SHADOW_COPY_SHIFT Select the number of shadow bytes to save along with each entry of the error-report queue. These bytes indicate what parts of an allocation are initialized, uninitialized, etc. and will be displayed when an error is detected to help the debugging of a particular problem. The number entered here is actually the logarithm of the number of bytes that will be saved. So if you pick for example 5 here, kmemcheck will save 2^5 = 32 bytes. The default value should be fine for debugging most problems. It also fits nicely within 80 columns. o CONFIG_KMEMCHECK_PARTIAL_OK This option (when enabled) works around certain GCC optimizations that produce 32-bit reads from 16-bit variables where the upper 16 bits are thrown away afterwards. The default value (enabled) is recommended. This may of course hide some real errors, but disabling it would probably produce a lot of false positives. o CONFIG_KMEMCHECK_BITOPS_OK This option silences warnings that would be generated for bit-field accesses where not all the bits are initialized at the same time. This may also hide some real bugs. This option is probably obsolete, or it should be replaced with the kmemcheck-/bitfield-annotations for the code in question. The default value is therefore fine. Now compile the kernel as usual. 3. How to use ============= 3.1. Booting ============ First some information about the command-line options. There is only one option specific to kmemcheck, and this is called "kmemcheck". It can be used to override the default mode as chosen by the CONFIG_KMEMCHECK_*_BY_DEFAULT option. Its possible settings are: o kmemcheck=0 (disabled) o kmemcheck=1 (enabled) o kmemcheck=2 (one-shot mode) If SLUB debugging has been enabled in the kernel, it may take precedence over kmemcheck in such a way that the slab caches which are under SLUB debugging will not be tracked by kmemcheck. In order to ensure that this doesn't happen (even though it shouldn't by default), use SLUB's boot option "slub_debug", like this: slub_debug=- In fact, this option may also be used for fine-grained control over SLUB vs. kmemcheck. For example, if the command line includes "kmemcheck=1 slub_debug=,dentry", then SLUB debugging will be used only for the "dentry" slab cache, and with kmemcheck tracking all the other caches. This is advanced usage, however, and is not generally recommended. 3.2. Run-time enable/disable ============================ When the kernel has booted, it is possible to enable or disable kmemcheck at run-time. WARNING: This feature is still experimental and may cause false positive warnings to appear. Therefore, try not to use this. If you find that it doesn't work properly (e.g. you see an unreasonable amount of warnings), I will be happy to take bug reports. Use the file /proc/sys/kernel/kmemcheck for this purpose, e.g.: $ echo 0 > /proc/sys/kernel/kmemcheck # disables kmemcheck The numbers are the same as for the kmemcheck= command-line option. 3.3. Debugging ============== A typical report will look something like this: WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff88003e4a2024) 80000000000000000000000000000000000000000088ffff0000000000000000 i i i i u u u u i i i i i i i i u u u u u u u u u u u u u u u u ^ Pid: 1856, comm: ntpdate Not tainted 2.6.29-rc5 #264 945P-A RIP: 0010:[<ffffffff8104ede8>] [<ffffffff8104ede8>] __dequeue_signal+0xc8/0x190 RSP: 0018:ffff88003cdf7d98 EFLAGS: 00210002 RAX: 0000000000000030 RBX: ffff88003d4ea968 RCX: 0000000000000009 RDX: ffff88003e5d6018 RSI: ffff88003e5d6024 RDI: ffff88003cdf7e84 RBP: ffff88003cdf7db8 R08: ffff88003e5d6000 R09: 0000000000000000 R10: 0000000000000080 R11: 0000000000000000 R12: 000000000000000e R13: ffff88003cdf7e78 R14: ffff88003d530710 R15: ffff88003d5a98c8 FS: 0000000000000000(0000) GS:ffff880001982000(0063) knlGS:00000 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: ffff88003f806ea0 CR3: 000000003c036000 CR4: 00000000000006a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400 [<ffffffff8104f04e>] dequeue_signal+0x8e/0x170 [<ffffffff81050bd8>] get_signal_to_deliver+0x98/0x390 [<ffffffff8100b87d>] do_notify_resume+0xad/0x7d0 [<ffffffff8100c7b5>] int_signal+0x12/0x17 [<ffffffffffffffff>] 0xffffffffffffffff The single most valuable information in this report is the RIP (or EIP on 32- bit) value. This will help us pinpoint exactly which instruction that caused the warning. If your kernel was compiled with CONFIG_DEBUG_INFO=y, then all we have to do is give this address to the addr2line program, like this: $ addr2line -e vmlinux -i ffffffff8104ede8 arch/x86/include/asm/string_64.h:12 include/asm-generic/siginfo.h:287 kernel/signal.c:380 kernel/signal.c:410 The "-e vmlinux" tells addr2line which file to look in. IMPORTANT: This must be the vmlinux of the kernel that produced the warning in the first place! If not, the line number information will almost certainly be wrong. The "-i" tells addr2line to also print the line numbers of inlined functions. In this case, the flag was very important, because otherwise, it would only have printed the first line, which is just a call to memcpy(), which could be called from a thousand places in the kernel, and is therefore not very useful. These inlined functions would not show up in the stack trace above, simply because the kernel doesn't load the extra debugging information. This technique can of course be used with ordinary kernel oopses as well. In this case, it's the caller of memcpy() that is interesting, and it can be found in include/asm-generic/siginfo.h, line 287: 281 static inline void copy_siginfo(struct siginfo *to, struct siginfo *from) 282 { 283 if (from->si_code < 0) 284 memcpy(to, from, sizeof(*to)); 285 else 286 /* _sigchld is currently the largest know union member */ 287 memcpy(to, from, __ARCH_SI_PREAMBLE_SIZE + sizeof(from->_sifields._sigchld)); 288 } Since this was a read (kmemcheck usually warns about reads only, though it can warn about writes to unallocated or freed memory as well), it was probably the "from" argument which contained some uninitialized bytes. Following the chain of calls, we move upwards to see where "from" was allocated or initialized, kernel/signal.c, line 380: 359 static void collect_signal(int sig, struct sigpending *list, siginfo_t *info) 360 { ... 367 list_for_each_entry(q, &list->list, list) { 368 if (q->info.si_signo == sig) { 369 if (first) 370 goto still_pending; 371 first = q; ... 377 if (first) { 378 still_pending: 379 list_del_init(&first->list); 380 copy_siginfo(info, &first->info); 381 __sigqueue_free(first); ... 392 } 393 } Here, it is &first->info that is being passed on to copy_siginfo(). The variable "first" was found on a list -- passed in as the second argument to collect_signal(). We continue our journey through the stack, to figure out where the item on "list" was allocated or initialized. We move to line 410: 395 static int __dequeue_signal(struct sigpending *pending, sigset_t *mask, 396 siginfo_t *info) 397 { ... 410 collect_signal(sig, pending, info); ... 414 } Now we need to follow the "pending" pointer, since that is being passed on to collect_signal() as "list". At this point, we've run out of lines from the "addr2line" output. Not to worry, we just paste the next addresses from the kmemcheck stack dump, i.e.: [<ffffffff8104f04e>] dequeue_signal+0x8e/0x170 [<ffffffff81050bd8>] get_signal_to_deliver+0x98/0x390 [<ffffffff8100b87d>] do_notify_resume+0xad/0x7d0 [<ffffffff8100c7b5>] int_signal+0x12/0x17 $ addr2line -e vmlinux -i ffffffff8104f04e ffffffff81050bd8 \ ffffffff8100b87d ffffffff8100c7b5 kernel/signal.c:446 kernel/signal.c:1806 arch/x86/kernel/signal.c:805 arch/x86/kernel/signal.c:871 arch/x86/kernel/entry_64.S:694 Remember that since these addresses were found on the stack and not as the RIP value, they actually point to the _next_ instruction (they are return addresses). This becomes obvious when we look at the code for line 446: 422 int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info) 423 { ... 431 signr = __dequeue_signal(&tsk->signal->shared_pending, 432 mask, info); 433 /* 434 * itimer signal ? 435 * 436 * itimers are process shared and we restart periodic 437 * itimers in the signal delivery path to prevent DoS 438 * attacks in the high resolution timer case. This is 439 * compliant with the old way of self restarting 440 * itimers, as the SIGALRM is a legacy signal and only 441 * queued once. Changing the restart behaviour to 442 * restart the timer in the signal dequeue path is 443 * reducing the timer noise on heavy loaded !highres 444 * systems too. 445 */ 446 if (unlikely(signr == SIGALRM)) { ... 489 } So instead of looking at 446, we should be looking at 431, which is the line that executes just before 446. Here we see that what we are looking for is &tsk->signal->shared_pending. Our next task is now to figure out which function that puts items on this "shared_pending" list. A crude, but efficient tool, is git grep: $ git grep -n 'shared_pending' kernel/ ... kernel/signal.c:828: pending = group ? &t->signal->shared_pending : &t->pending; kernel/signal.c:1339: pending = group ? &t->signal->shared_pending : &t->pending; ... There were more results, but none of them were related to list operations, and these were the only assignments. We inspect the line numbers more closely and find that this is indeed where items are being added to the list: 816 static int send_signal(int sig, struct siginfo *info, struct task_struct *t, 817 int group) 818 { ... 828 pending = group ? &t->signal->shared_pending : &t->pending; ... 851 q = __sigqueue_alloc(t, GFP_ATOMIC, (sig < SIGRTMIN && 852 (is_si_special(info) || 853 info->si_code >= 0))); 854 if (q) { 855 list_add_tail(&q->list, &pending->list); ... 890 } and: 1309 int send_sigqueue(struct sigqueue *q, struct task_struct *t, int group) 1310 { .... 1339 pending = group ? &t->signal->shared_pending : &t->pending; 1340 list_add_tail(&q->list, &pending->list); .... 1347 } In the first case, the list element we are looking for, "q", is being returned from the function __sigqueue_alloc(), which looks like an allocation function. Let's take a look at it: 187 static struct sigqueue *__sigqueue_alloc(struct task_struct *t, gfp_t flags, 188 int override_rlimit) 189 { 190 struct sigqueue *q = NULL; 191 struct user_struct *user; 192 193 /* 194 * We won't get problems with the target's UID changing under us 195 * because changing it requires RCU be used, and if t != current, the 196 * caller must be holding the RCU readlock (by way of a spinlock) and 197 * we use RCU protection here 198 */ 199 user = get_uid(__task_cred(t)->user); 200 atomic_inc(&user->sigpending); 201 if (override_rlimit || 202 atomic_read(&user->sigpending) <= 203 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) 204 q = kmem_cache_alloc(sigqueue_cachep, flags); 205 if (unlikely(q == NULL)) { 206 atomic_dec(&user->sigpending); 207 free_uid(user); 208 } else { 209 INIT_LIST_HEAD(&q->list); 210 q->flags = 0; 211 q->user = user; 212 } 213 214 return q; 215 } We see that this function initializes q->list, q->flags, and q->user. It seems that now is the time to look at the definition of "struct sigqueue", e.g.: 14 struct sigqueue { 15 struct list_head list; 16 int flags; 17 siginfo_t info; 18 struct user_struct *user; 19 }; And, you might remember, it was a memcpy() on &first->info that caused the warning, so this makes perfect sense. It also seems reasonable to assume that it is the caller of __sigqueue_alloc() that has the responsibility of filling out (initializing) this member. But just which fields of the struct were uninitialized? Let's look at kmemcheck's report again: WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff88003e4a2024) 80000000000000000000000000000000000000000088ffff0000000000000000 i i i i u u u u i i i i i i i i u u u u u u u u u u u u u u u u ^ These first two lines are the memory dump of the memory object itself, and the shadow bytemap, respectively. The memory object itself is in this case &first->info. Just beware that the start of this dump is NOT the start of the object itself! The position of the caret (^) corresponds with the address of the read (ffff88003e4a2024). The shadow bytemap dump legend is as follows: i - initialized u - uninitialized a - unallocated (memory has been allocated by the slab layer, but has not yet been handed off to anybody) f - freed (memory has been allocated by the slab layer, but has been freed by the previous owner) In order to figure out where (relative to the start of the object) the uninitialized memory was located, we have to look at the disassembly. For that, we'll need the RIP address again: RIP: 0010:[<ffffffff8104ede8>] [<ffffffff8104ede8>] __dequeue_signal+0xc8/0x190 $ objdump -d --no-show-raw-insn vmlinux | grep -C 8 ffffffff8104ede8: ffffffff8104edc8: mov %r8,0x8(%r8) ffffffff8104edcc: test %r10d,%r10d ffffffff8104edcf: js ffffffff8104ee88 <__dequeue_signal+0x168> ffffffff8104edd5: mov %rax,%rdx ffffffff8104edd8: mov $0xc,%ecx ffffffff8104eddd: mov %r13,%rdi ffffffff8104ede0: mov $0x30,%eax ffffffff8104ede5: mov %rdx,%rsi ffffffff8104ede8: rep movsl %ds:(%rsi),%es:(%rdi) ffffffff8104edea: test $0x2,%al ffffffff8104edec: je ffffffff8104edf0 <__dequeue_signal+0xd0> ffffffff8104edee: movsw %ds:(%rsi),%es:(%rdi) ffffffff8104edf0: test $0x1,%al ffffffff8104edf2: je ffffffff8104edf5 <__dequeue_signal+0xd5> ffffffff8104edf4: movsb %ds:(%rsi),%es:(%rdi) ffffffff8104edf5: mov %r8,%rdi ffffffff8104edf8: callq ffffffff8104de60 <__sigqueue_free> As expected, it's the "rep movsl" instruction from the memcpy() that causes the warning. We know about REP MOVSL that it uses the register RCX to count the number of remaining iterations. By taking a look at the register dump again (from the kmemcheck report), we can figure out how many bytes were left to copy: RAX: 0000000000000030 RBX: ffff88003d4ea968 RCX: 0000000000000009 By looking at the disassembly, we also see that %ecx is being loaded with the value $0xc just before (ffffffff8104edd8), so we are very lucky. Keep in mind that this is the number of iterations, not bytes. And since this is a "long" operation, we need to multiply by 4 to get the number of bytes. So this means that the uninitialized value was encountered at 4 * (0xc - 0x9) = 12 bytes from the start of the object. We can now try to figure out which field of the "struct siginfo" that was not initialized. This is the beginning of the struct: 40 typedef struct siginfo { 41 int si_signo; 42 int si_errno; 43 int si_code; 44 45 union { .. 92 } _sifields; 93 } siginfo_t; On 64-bit, the int is 4 bytes long, so it must the the union member that has not been initialized. We can verify this using gdb: $ gdb vmlinux ... (gdb) p &((struct siginfo *) 0)->_sifields $1 = (union {...} *) 0x10 Actually, it seems that the union member is located at offset 0x10 -- which means that gcc has inserted 4 bytes of padding between the members si_code and _sifields. We can now get a fuller picture of the memory dump: _----------------------------=> si_code / _--------------------=> (padding) | / _------------=> _sifields(._kill._pid) | | / _----=> _sifields(._kill._uid) | | | / -------|-------|-------|-------| 80000000000000000000000000000000000000000088ffff0000000000000000 i i i i u u u u i i i i i i i i u u u u u u u u u u u u u u u u This allows us to realize another important fact: si_code contains the value 0x80. Remember that x86 is little endian, so the first 4 bytes "80000000" are really the number 0x00000080. With a bit of research, we find that this is actually the constant SI_KERNEL defined in include/asm-generic/siginfo.h: 144 #define SI_KERNEL 0x80 /* sent by the kernel from somewhere */ This macro is used in exactly one place in the x86 kernel: In send_signal() in kernel/signal.c: 816 static int send_signal(int sig, struct siginfo *info, struct task_struct *t, 817 int group) 818 { ... 828 pending = group ? &t->signal->shared_pending : &t->pending; ... 851 q = __sigqueue_alloc(t, GFP_ATOMIC, (sig < SIGRTMIN && 852 (is_si_special(info) || 853 info->si_code >= 0))); 854 if (q) { 855 list_add_tail(&q->list, &pending->list); 856 switch ((unsigned long) info) { ... 865 case (unsigned long) SEND_SIG_PRIV: 866 q->info.si_signo = sig; 867 q->info.si_errno = 0; 868 q->info.si_code = SI_KERNEL; 869 q->info.si_pid = 0; 870 q->info.si_uid = 0; 871 break; ... 890 } Not only does this match with the .si_code member, it also matches the place we found earlier when looking for where siginfo_t objects are enqueued on the "shared_pending" list. So to sum up: It seems that it is the padding introduced by the compiler between two struct fields that is uninitialized, and this gets reported when we do a memcpy() on the struct. This means that we have identified a false positive warning. Normally, kmemcheck will not report uninitialized accesses in memcpy() calls when both the source and destination addresses are tracked. (Instead, we copy the shadow bytemap as well). In this case, the destination address clearly was not tracked. We can dig a little deeper into the stack trace from above: arch/x86/kernel/signal.c:805 arch/x86/kernel/signal.c:871 arch/x86/kernel/entry_64.S:694 And we clearly see that the destination siginfo object is located on the stack: 782 static void do_signal(struct pt_regs *regs) 783 { 784 struct k_sigaction ka; 785 siginfo_t info; ... 804 signr = get_signal_to_deliver(&info, &ka, regs, NULL); ... 854 } And this &info is what eventually gets passed to copy_siginfo() as the destination argument. Now, even though we didn't find an actual error here, the example is still a good one, because it shows how one would go about to find out what the report was all about. 3.4. Annotating false positives =============================== There are a few different ways to make annotations in the source code that will keep kmemcheck from checking and reporting certain allocations. Here they are: o __GFP_NOTRACK_FALSE_POSITIVE This flag can be passed to kmalloc() or kmem_cache_alloc() (therefore also to other functions that end up calling one of these) to indicate that the allocation should not be tracked because it would lead to a false positive report. This is a "big hammer" way of silencing kmemcheck; after all, even if the false positive pertains to particular field in a struct, for example, we will now lose the ability to find (real) errors in other parts of the same struct. Example: /* No warnings will ever trigger on accessing any part of x */ x = kmalloc(sizeof *x, GFP_KERNEL | __GFP_NOTRACK_FALSE_POSITIVE); o kmemcheck_bitfield_begin(name)/kmemcheck_bitfield_end(name) and kmemcheck_annotate_bitfield(ptr, name) The first two of these three macros can be used inside struct definitions to signal, respectively, the beginning and end of a bitfield. Additionally, this will assign the bitfield a name, which is given as an argument to the macros. Having used these markers, one can later use kmemcheck_annotate_bitfield() at the point of allocation, to indicate which parts of the allocation is part of a bitfield. Example: struct foo { int x; kmemcheck_bitfield_begin(flags); int flag_a:1; int flag_b:1; kmemcheck_bitfield_end(flags); int y; }; struct foo *x = kmalloc(sizeof *x); /* No warnings will trigger on accessing the bitfield of x */ kmemcheck_annotate_bitfield(x, flags); Note that kmemcheck_annotate_bitfield() can be used even before the return value of kmalloc() is checked -- in other words, passing NULL as the first argument is legal (and will do nothing). 4. Reporting errors =================== As we have seen, kmemcheck will produce false positive reports. Therefore, it is not very wise to blindly post kmemcheck warnings to mailing lists and maintainers. Instead, I encourage maintainers and developers to find errors in their own code. If you get a warning, you can try to work around it, try to figure out if it's a real error or not, or simply ignore it. Most developers know their own code and will quickly and efficiently determine the root cause of a kmemcheck report. This is therefore also the most efficient way to work with kmemcheck. That said, we (the kmemcheck maintainers) will always be on the lookout for false positives that we can annotate and silence. So whatever you find, please drop us a note privately! Kernel configs and steps to reproduce (if available) are of course a great help too. Happy hacking! 5. Technical description ======================== kmemcheck works by marking memory pages non-present. This means that whenever somebody attempts to access the page, a page fault is generated. The page fault handler notices that the page was in fact only hidden, and so it calls on the kmemcheck code to make further investigations. When the investigations are completed, kmemcheck "shows" the page by marking it present (as it would be under normal circumstances). This way, the interrupted code can continue as usual. But after the instruction has been executed, we should hide the page again, so that we can catch the next access too! Now kmemcheck makes use of a debugging feature of the processor, namely single-stepping. When the processor has finished the one instruction that generated the memory access, a debug exception is raised. From here, we simply hide the page again and continue execution, this time with the single-stepping feature turned off. kmemcheck requires some assistance from the memory allocator in order to work. The memory allocator needs to 1. Tell kmemcheck about newly allocated pages and pages that are about to be freed. This allows kmemcheck to set up and tear down the shadow memory for the pages in question. The shadow memory stores the status of each byte in the allocation proper, e.g. whether it is initialized or uninitialized. 2. Tell kmemcheck which parts of memory should be marked uninitialized. There are actually a few more states, such as "not yet allocated" and "recently freed". If a slab cache is set up using the SLAB_NOTRACK flag, it will never return memory that can take page faults because of kmemcheck. If a slab cache is NOT set up using the SLAB_NOTRACK flag, callers can still request memory with the __GFP_NOTRACK or __GFP_NOTRACK_FALSE_POSITIVE flags. This does not prevent the page faults from occurring, however, but marks the object in question as being initialized so that no warnings will ever be produced for this object. Currently, the SLAB and SLUB allocators are supported by kmemcheck. |