| /* |
| * Linux Kernel Dump Test Module for testing kernel crashes conditions: |
| * induces system failures at predefined crashpoints and under predefined |
| * operational conditions in order to evaluate the reliability of kernel |
| * sanity checking and crash dumps obtained using different dumping |
| * solutions. |
| * |
| * This program is free software; you can redistribute it and/or modify |
| * it under the terms of the GNU General Public License as published by |
| * the Free Software Foundation; either version 2 of the License, or |
| * (at your option) any later version. |
| * |
| * This program is distributed in the hope that it will be useful, |
| * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| * GNU General Public License for more details. |
| * |
| * You should have received a copy of the GNU General Public License |
| * along with this program; if not, write to the Free Software |
| * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| * |
| * Copyright (C) IBM Corporation, 2006 |
| * |
| * Author: Ankita Garg <ankita@in.ibm.com> |
| * |
| * It is adapted from the Linux Kernel Dump Test Tool by |
| * Fernando Luis Vazquez Cao <http://lkdtt.sourceforge.net> |
| * |
| * Debugfs support added by Simon Kagstrom <simon.kagstrom@netinsight.net> |
| * |
| * See Documentation/fault-injection/provoke-crashes.txt for instructions |
| */ |
| #include "lkdtm.h" |
| #include <linux/fs.h> |
| #include <linux/module.h> |
| #include <linux/buffer_head.h> |
| #include <linux/kprobes.h> |
| #include <linux/list.h> |
| #include <linux/init.h> |
| #include <linux/interrupt.h> |
| #include <linux/hrtimer.h> |
| #include <linux/slab.h> |
| #include <scsi/scsi_cmnd.h> |
| #include <linux/debugfs.h> |
| |
| #ifdef CONFIG_IDE |
| #include <linux/ide.h> |
| #endif |
| |
| #define DEFAULT_COUNT 10 |
| |
| static int lkdtm_debugfs_open(struct inode *inode, struct file *file); |
| static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, |
| size_t count, loff_t *off); |
| static ssize_t direct_entry(struct file *f, const char __user *user_buf, |
| size_t count, loff_t *off); |
| |
| #ifdef CONFIG_KPROBES |
| static void lkdtm_handler(void); |
| static ssize_t lkdtm_debugfs_entry(struct file *f, |
| const char __user *user_buf, |
| size_t count, loff_t *off); |
| |
| |
| /* jprobe entry point handlers. */ |
| static unsigned int jp_do_irq(unsigned int irq) |
| { |
| lkdtm_handler(); |
| jprobe_return(); |
| return 0; |
| } |
| |
| static irqreturn_t jp_handle_irq_event(unsigned int irq, |
| struct irqaction *action) |
| { |
| lkdtm_handler(); |
| jprobe_return(); |
| return 0; |
| } |
| |
| static void jp_tasklet_action(struct softirq_action *a) |
| { |
| lkdtm_handler(); |
| jprobe_return(); |
| } |
| |
| static void jp_ll_rw_block(int rw, int nr, struct buffer_head *bhs[]) |
| { |
| lkdtm_handler(); |
| jprobe_return(); |
| } |
| |
| struct scan_control; |
| |
| static unsigned long jp_shrink_inactive_list(unsigned long max_scan, |
| struct zone *zone, |
| struct scan_control *sc) |
| { |
| lkdtm_handler(); |
| jprobe_return(); |
| return 0; |
| } |
| |
| static int jp_hrtimer_start(struct hrtimer *timer, ktime_t tim, |
| const enum hrtimer_mode mode) |
| { |
| lkdtm_handler(); |
| jprobe_return(); |
| return 0; |
| } |
| |
| static int jp_scsi_dispatch_cmd(struct scsi_cmnd *cmd) |
| { |
| lkdtm_handler(); |
| jprobe_return(); |
| return 0; |
| } |
| |
| # ifdef CONFIG_IDE |
| static int jp_generic_ide_ioctl(ide_drive_t *drive, struct file *file, |
| struct block_device *bdev, unsigned int cmd, |
| unsigned long arg) |
| { |
| lkdtm_handler(); |
| jprobe_return(); |
| return 0; |
| } |
| # endif |
| #endif |
| |
| /* Crash points */ |
| struct crashpoint { |
| const char *name; |
| const struct file_operations fops; |
| struct jprobe jprobe; |
| }; |
| |
| #define CRASHPOINT(_name, _write, _symbol, _entry) \ |
| { \ |
| .name = _name, \ |
| .fops = { \ |
| .read = lkdtm_debugfs_read, \ |
| .llseek = generic_file_llseek, \ |
| .open = lkdtm_debugfs_open, \ |
| .write = _write, \ |
| }, \ |
| .jprobe = { \ |
| .kp.symbol_name = _symbol, \ |
| .entry = (kprobe_opcode_t *)_entry, \ |
| }, \ |
| } |
| |
| /* Define the possible places where we can trigger a crash point. */ |
| struct crashpoint crashpoints[] = { |
| CRASHPOINT("DIRECT", direct_entry, |
| NULL, NULL), |
| #ifdef CONFIG_KPROBES |
| CRASHPOINT("INT_HARDWARE_ENTRY", lkdtm_debugfs_entry, |
| "do_IRQ", jp_do_irq), |
| CRASHPOINT("INT_HW_IRQ_EN", lkdtm_debugfs_entry, |
| "handle_IRQ_event", jp_handle_irq_event), |
| CRASHPOINT("INT_TASKLET_ENTRY", lkdtm_debugfs_entry, |
| "tasklet_action", jp_tasklet_action), |
| CRASHPOINT("FS_DEVRW", lkdtm_debugfs_entry, |
| "ll_rw_block", jp_ll_rw_block), |
| CRASHPOINT("MEM_SWAPOUT", lkdtm_debugfs_entry, |
| "shrink_inactive_list", jp_shrink_inactive_list), |
| CRASHPOINT("TIMERADD", lkdtm_debugfs_entry, |
| "hrtimer_start", jp_hrtimer_start), |
| CRASHPOINT("SCSI_DISPATCH_CMD", lkdtm_debugfs_entry, |
| "scsi_dispatch_cmd", jp_scsi_dispatch_cmd), |
| # ifdef CONFIG_IDE |
| CRASHPOINT("IDE_CORE_CP", lkdtm_debugfs_entry, |
| "generic_ide_ioctl", jp_generic_ide_ioctl), |
| # endif |
| #endif |
| }; |
| |
| |
| /* Crash types. */ |
| struct crashtype { |
| const char *name; |
| void (*func)(void); |
| }; |
| |
| #define CRASHTYPE(_name) \ |
| { \ |
| .name = __stringify(_name), \ |
| .func = lkdtm_ ## _name, \ |
| } |
| |
| /* Define the possible types of crashes that can be triggered. */ |
| struct crashtype crashtypes[] = { |
| CRASHTYPE(PANIC), |
| CRASHTYPE(BUG), |
| CRASHTYPE(WARNING), |
| CRASHTYPE(EXCEPTION), |
| CRASHTYPE(LOOP), |
| CRASHTYPE(OVERFLOW), |
| CRASHTYPE(CORRUPT_LIST_ADD), |
| CRASHTYPE(CORRUPT_LIST_DEL), |
| CRASHTYPE(CORRUPT_STACK), |
| CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE), |
| CRASHTYPE(OVERWRITE_ALLOCATION), |
| CRASHTYPE(WRITE_AFTER_FREE), |
| CRASHTYPE(READ_AFTER_FREE), |
| CRASHTYPE(WRITE_BUDDY_AFTER_FREE), |
| CRASHTYPE(READ_BUDDY_AFTER_FREE), |
| CRASHTYPE(SOFTLOCKUP), |
| CRASHTYPE(HARDLOCKUP), |
| CRASHTYPE(SPINLOCKUP), |
| CRASHTYPE(HUNG_TASK), |
| CRASHTYPE(EXEC_DATA), |
| CRASHTYPE(EXEC_STACK), |
| CRASHTYPE(EXEC_KMALLOC), |
| CRASHTYPE(EXEC_VMALLOC), |
| CRASHTYPE(EXEC_RODATA), |
| CRASHTYPE(EXEC_USERSPACE), |
| CRASHTYPE(ACCESS_USERSPACE), |
| CRASHTYPE(WRITE_RO), |
| CRASHTYPE(WRITE_RO_AFTER_INIT), |
| CRASHTYPE(WRITE_KERN), |
| CRASHTYPE(REFCOUNT_SATURATE_INC), |
| CRASHTYPE(REFCOUNT_SATURATE_ADD), |
| CRASHTYPE(REFCOUNT_ZERO_DEC), |
| CRASHTYPE(REFCOUNT_ZERO_INC), |
| CRASHTYPE(REFCOUNT_ZERO_SUB), |
| CRASHTYPE(REFCOUNT_ZERO_ADD), |
| CRASHTYPE(USERCOPY_HEAP_SIZE_TO), |
| CRASHTYPE(USERCOPY_HEAP_SIZE_FROM), |
| CRASHTYPE(USERCOPY_HEAP_FLAG_TO), |
| CRASHTYPE(USERCOPY_HEAP_FLAG_FROM), |
| CRASHTYPE(USERCOPY_STACK_FRAME_TO), |
| CRASHTYPE(USERCOPY_STACK_FRAME_FROM), |
| CRASHTYPE(USERCOPY_STACK_BEYOND), |
| CRASHTYPE(USERCOPY_KERNEL), |
| }; |
| |
| |
| /* Global jprobe entry and crashtype. */ |
| static struct jprobe *lkdtm_jprobe; |
| struct crashpoint *lkdtm_crashpoint; |
| struct crashtype *lkdtm_crashtype; |
| |
| /* Module parameters */ |
| static int recur_count = -1; |
| module_param(recur_count, int, 0644); |
| MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test"); |
| |
| static char* cpoint_name; |
| module_param(cpoint_name, charp, 0444); |
| MODULE_PARM_DESC(cpoint_name, " Crash Point, where kernel is to be crashed"); |
| |
| static char* cpoint_type; |
| module_param(cpoint_type, charp, 0444); |
| MODULE_PARM_DESC(cpoint_type, " Crash Point Type, action to be taken on "\ |
| "hitting the crash point"); |
| |
| static int cpoint_count = DEFAULT_COUNT; |
| module_param(cpoint_count, int, 0644); |
| MODULE_PARM_DESC(cpoint_count, " Crash Point Count, number of times the "\ |
| "crash point is to be hit to trigger action"); |
| |
| |
| /* Return the crashtype number or NULL if the name is invalid */ |
| static struct crashtype *find_crashtype(const char *name) |
| { |
| int i; |
| |
| for (i = 0; i < ARRAY_SIZE(crashtypes); i++) { |
| if (!strcmp(name, crashtypes[i].name)) |
| return &crashtypes[i]; |
| } |
| |
| return NULL; |
| } |
| |
| /* |
| * This is forced noinline just so it distinctly shows up in the stackdump |
| * which makes validation of expected lkdtm crashes easier. |
| */ |
| static noinline void lkdtm_do_action(struct crashtype *crashtype) |
| { |
| BUG_ON(!crashtype || !crashtype->func); |
| crashtype->func(); |
| } |
| |
| static int lkdtm_register_cpoint(struct crashpoint *crashpoint, |
| struct crashtype *crashtype) |
| { |
| int ret; |
| |
| /* If this doesn't have a symbol, just call immediately. */ |
| if (!crashpoint->jprobe.kp.symbol_name) { |
| lkdtm_do_action(crashtype); |
| return 0; |
| } |
| |
| if (lkdtm_jprobe != NULL) |
| unregister_jprobe(lkdtm_jprobe); |
| |
| lkdtm_crashpoint = crashpoint; |
| lkdtm_crashtype = crashtype; |
| lkdtm_jprobe = &crashpoint->jprobe; |
| ret = register_jprobe(lkdtm_jprobe); |
| if (ret < 0) { |
| pr_info("Couldn't register jprobe %s\n", |
| crashpoint->jprobe.kp.symbol_name); |
| lkdtm_jprobe = NULL; |
| lkdtm_crashpoint = NULL; |
| lkdtm_crashtype = NULL; |
| } |
| |
| return ret; |
| } |
| |
| #ifdef CONFIG_KPROBES |
| /* Global crash counter and spinlock. */ |
| static int crash_count = DEFAULT_COUNT; |
| static DEFINE_SPINLOCK(crash_count_lock); |
| |
| /* Called by jprobe entry points. */ |
| static void lkdtm_handler(void) |
| { |
| unsigned long flags; |
| bool do_it = false; |
| |
| BUG_ON(!lkdtm_crashpoint || !lkdtm_crashtype); |
| |
| spin_lock_irqsave(&crash_count_lock, flags); |
| crash_count--; |
| pr_info("Crash point %s of type %s hit, trigger in %d rounds\n", |
| lkdtm_crashpoint->name, lkdtm_crashtype->name, crash_count); |
| |
| if (crash_count == 0) { |
| do_it = true; |
| crash_count = cpoint_count; |
| } |
| spin_unlock_irqrestore(&crash_count_lock, flags); |
| |
| if (do_it) |
| lkdtm_do_action(lkdtm_crashtype); |
| } |
| |
| static ssize_t lkdtm_debugfs_entry(struct file *f, |
| const char __user *user_buf, |
| size_t count, loff_t *off) |
| { |
| struct crashpoint *crashpoint = file_inode(f)->i_private; |
| struct crashtype *crashtype = NULL; |
| char *buf; |
| int err; |
| |
| if (count >= PAGE_SIZE) |
| return -EINVAL; |
| |
| buf = (char *)__get_free_page(GFP_KERNEL); |
| if (!buf) |
| return -ENOMEM; |
| if (copy_from_user(buf, user_buf, count)) { |
| free_page((unsigned long) buf); |
| return -EFAULT; |
| } |
| /* NULL-terminate and remove enter */ |
| buf[count] = '\0'; |
| strim(buf); |
| |
| crashtype = find_crashtype(buf); |
| free_page((unsigned long)buf); |
| |
| if (!crashtype) |
| return -EINVAL; |
| |
| err = lkdtm_register_cpoint(crashpoint, crashtype); |
| if (err < 0) |
| return err; |
| |
| *off += count; |
| |
| return count; |
| } |
| #endif |
| |
| /* Generic read callback that just prints out the available crash types */ |
| static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, |
| size_t count, loff_t *off) |
| { |
| char *buf; |
| int i, n, out; |
| |
| buf = (char *)__get_free_page(GFP_KERNEL); |
| if (buf == NULL) |
| return -ENOMEM; |
| |
| n = snprintf(buf, PAGE_SIZE, "Available crash types:\n"); |
| for (i = 0; i < ARRAY_SIZE(crashtypes); i++) { |
| n += snprintf(buf + n, PAGE_SIZE - n, "%s\n", |
| crashtypes[i].name); |
| } |
| buf[n] = '\0'; |
| |
| out = simple_read_from_buffer(user_buf, count, off, |
| buf, n); |
| free_page((unsigned long) buf); |
| |
| return out; |
| } |
| |
| static int lkdtm_debugfs_open(struct inode *inode, struct file *file) |
| { |
| return 0; |
| } |
| |
| /* Special entry to just crash directly. Available without KPROBEs */ |
| static ssize_t direct_entry(struct file *f, const char __user *user_buf, |
| size_t count, loff_t *off) |
| { |
| struct crashtype *crashtype; |
| char *buf; |
| |
| if (count >= PAGE_SIZE) |
| return -EINVAL; |
| if (count < 1) |
| return -EINVAL; |
| |
| buf = (char *)__get_free_page(GFP_KERNEL); |
| if (!buf) |
| return -ENOMEM; |
| if (copy_from_user(buf, user_buf, count)) { |
| free_page((unsigned long) buf); |
| return -EFAULT; |
| } |
| /* NULL-terminate and remove enter */ |
| buf[count] = '\0'; |
| strim(buf); |
| |
| crashtype = find_crashtype(buf); |
| free_page((unsigned long) buf); |
| if (!crashtype) |
| return -EINVAL; |
| |
| pr_info("Performing direct entry %s\n", crashtype->name); |
| lkdtm_do_action(crashtype); |
| *off += count; |
| |
| return count; |
| } |
| |
| static struct dentry *lkdtm_debugfs_root; |
| |
| static int __init lkdtm_module_init(void) |
| { |
| struct crashpoint *crashpoint = NULL; |
| struct crashtype *crashtype = NULL; |
| int ret = -EINVAL; |
| int i; |
| |
| /* Neither or both of these need to be set */ |
| if ((cpoint_type || cpoint_name) && !(cpoint_type && cpoint_name)) { |
| pr_err("Need both cpoint_type and cpoint_name or neither\n"); |
| return -EINVAL; |
| } |
| |
| if (cpoint_type) { |
| crashtype = find_crashtype(cpoint_type); |
| if (!crashtype) { |
| pr_err("Unknown crashtype '%s'\n", cpoint_type); |
| return -EINVAL; |
| } |
| } |
| |
| if (cpoint_name) { |
| for (i = 0; i < ARRAY_SIZE(crashpoints); i++) { |
| if (!strcmp(cpoint_name, crashpoints[i].name)) |
| crashpoint = &crashpoints[i]; |
| } |
| |
| /* Refuse unknown crashpoints. */ |
| if (!crashpoint) { |
| pr_err("Invalid crashpoint %s\n", cpoint_name); |
| return -EINVAL; |
| } |
| } |
| |
| #ifdef CONFIG_KPROBES |
| /* Set crash count. */ |
| crash_count = cpoint_count; |
| #endif |
| |
| /* Handle test-specific initialization. */ |
| lkdtm_bugs_init(&recur_count); |
| lkdtm_perms_init(); |
| lkdtm_usercopy_init(); |
| |
| /* Register debugfs interface */ |
| lkdtm_debugfs_root = debugfs_create_dir("provoke-crash", NULL); |
| if (!lkdtm_debugfs_root) { |
| pr_err("creating root dir failed\n"); |
| return -ENODEV; |
| } |
| |
| /* Install debugfs trigger files. */ |
| for (i = 0; i < ARRAY_SIZE(crashpoints); i++) { |
| struct crashpoint *cur = &crashpoints[i]; |
| struct dentry *de; |
| |
| de = debugfs_create_file(cur->name, 0644, lkdtm_debugfs_root, |
| cur, &cur->fops); |
| if (de == NULL) { |
| pr_err("could not create crashpoint %s\n", cur->name); |
| goto out_err; |
| } |
| } |
| |
| /* Install crashpoint if one was selected. */ |
| if (crashpoint) { |
| ret = lkdtm_register_cpoint(crashpoint, crashtype); |
| if (ret < 0) { |
| pr_info("Invalid crashpoint %s\n", crashpoint->name); |
| goto out_err; |
| } |
| pr_info("Crash point %s of type %s registered\n", |
| crashpoint->name, cpoint_type); |
| } else { |
| pr_info("No crash points registered, enable through debugfs\n"); |
| } |
| |
| return 0; |
| |
| out_err: |
| debugfs_remove_recursive(lkdtm_debugfs_root); |
| return ret; |
| } |
| |
| static void __exit lkdtm_module_exit(void) |
| { |
| debugfs_remove_recursive(lkdtm_debugfs_root); |
| |
| /* Handle test-specific clean-up. */ |
| lkdtm_usercopy_exit(); |
| |
| if (lkdtm_jprobe != NULL) |
| unregister_jprobe(lkdtm_jprobe); |
| |
| pr_info("Crash point unregistered\n"); |
| } |
| |
| module_init(lkdtm_module_init); |
| module_exit(lkdtm_module_exit); |
| |
| MODULE_LICENSE("GPL"); |
| MODULE_DESCRIPTION("Kernel crash testing module"); |