2 * Kprobe module for testing crash dumps
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
18 * Copyright (C) IBM Corporation, 2006
20 * Author: Ankita Garg <ankita@in.ibm.com>
22 * This module induces system failures at predefined crashpoints to
23 * evaluate the reliability of crash dumps obtained using different dumping
26 * It is adapted from the Linux Kernel Dump Test Tool by
27 * Fernando Luis Vazquez Cao <http://lkdtt.sourceforge.net>
29 * Debugfs support added by Simon Kagstrom <simon.kagstrom@netinsight.net>
31 * See Documentation/fault-injection/provoke-crashes.txt for instructions
34 #include <linux/kernel.h>
36 #include <linux/module.h>
37 #include <linux/buffer_head.h>
38 #include <linux/kprobes.h>
39 #include <linux/list.h>
40 #include <linux/init.h>
41 #include <linux/interrupt.h>
42 #include <linux/hrtimer.h>
43 #include <linux/slab.h>
44 #include <scsi/scsi_cmnd.h>
45 #include <linux/debugfs.h>
46 #include <linux/vmalloc.h>
47 #include <linux/mman.h>
50 #include <linux/ide.h>
54 * Make sure our attempts to over run the kernel stack doesn't trigger
55 * a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
56 * recurse past the end of THREAD_SIZE by default.
58 #if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
59 #define REC_STACK_SIZE (CONFIG_FRAME_WARN / 2)
61 #define REC_STACK_SIZE (THREAD_SIZE / 8)
63 #define REC_NUM_DEFAULT ((THREAD_SIZE / REC_STACK_SIZE) * 2)
65 #define DEFAULT_COUNT 10
70 CN_INT_HARDWARE_ENTRY,
90 CT_UNALIGNED_LOAD_STORE_WRITE,
91 CT_OVERWRITE_ALLOCATION,
106 static char* cp_name[] = {
107 "INT_HARDWARE_ENTRY",
118 static char* cp_type[] = {
126 "UNALIGNED_LOAD_STORE_WRITE",
127 "OVERWRITE_ALLOCATION",
142 static struct jprobe lkdtm;
144 static int lkdtm_parse_commandline(void);
145 static void lkdtm_handler(void);
147 static char* cpoint_name;
148 static char* cpoint_type;
149 static int cpoint_count = DEFAULT_COUNT;
150 static int recur_count = REC_NUM_DEFAULT;
152 static enum cname cpoint = CN_INVALID;
153 static enum ctype cptype = CT_NONE;
154 static int count = DEFAULT_COUNT;
155 static DEFINE_SPINLOCK(count_lock);
156 static DEFINE_SPINLOCK(lock_me_up);
158 static u8 data_area[EXEC_SIZE];
160 static const unsigned long rodata = 0xAA55AA55;
162 module_param(recur_count, int, 0644);
163 MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test");
164 module_param(cpoint_name, charp, 0444);
165 MODULE_PARM_DESC(cpoint_name, " Crash Point, where kernel is to be crashed");
166 module_param(cpoint_type, charp, 0444);
167 MODULE_PARM_DESC(cpoint_type, " Crash Point Type, action to be taken on "\
168 "hitting the crash point");
169 module_param(cpoint_count, int, 0644);
170 MODULE_PARM_DESC(cpoint_count, " Crash Point Count, number of times the "\
171 "crash point is to be hit to trigger action");
173 static unsigned int jp_do_irq(unsigned int irq)
180 static irqreturn_t jp_handle_irq_event(unsigned int irq,
181 struct irqaction *action)
188 static void jp_tasklet_action(struct softirq_action *a)
194 static void jp_ll_rw_block(int rw, int nr, struct buffer_head *bhs[])
202 static unsigned long jp_shrink_inactive_list(unsigned long max_scan,
204 struct scan_control *sc)
211 static int jp_hrtimer_start(struct hrtimer *timer, ktime_t tim,
212 const enum hrtimer_mode mode)
219 static int jp_scsi_dispatch_cmd(struct scsi_cmnd *cmd)
227 int jp_generic_ide_ioctl(ide_drive_t *drive, struct file *file,
228 struct block_device *bdev, unsigned int cmd,
237 /* Return the crashpoint number or NONE if the name is invalid */
238 static enum ctype parse_cp_type(const char *what, size_t count)
242 for (i = 0; i < ARRAY_SIZE(cp_type); i++) {
243 if (!strcmp(what, cp_type[i]))
250 static const char *cp_type_to_str(enum ctype type)
252 if (type == CT_NONE || type < 0 || type > ARRAY_SIZE(cp_type))
255 return cp_type[type - 1];
258 static const char *cp_name_to_str(enum cname name)
260 if (name == CN_INVALID || name < 0 || name > ARRAY_SIZE(cp_name))
263 return cp_name[name - 1];
267 static int lkdtm_parse_commandline(void)
272 if (cpoint_count < 1 || recur_count < 1)
275 spin_lock_irqsave(&count_lock, flags);
276 count = cpoint_count;
277 spin_unlock_irqrestore(&count_lock, flags);
279 /* No special parameters */
280 if (!cpoint_type && !cpoint_name)
283 /* Neither or both of these need to be set */
284 if (!cpoint_type || !cpoint_name)
287 cptype = parse_cp_type(cpoint_type, strlen(cpoint_type));
288 if (cptype == CT_NONE)
291 for (i = 0; i < ARRAY_SIZE(cp_name); i++) {
292 if (!strcmp(cpoint_name, cp_name[i])) {
298 /* Could not find a valid crash point */
302 static int recursive_loop(int remaining)
304 char buf[REC_STACK_SIZE];
306 /* Make sure compiler does not optimize this away. */
307 memset(buf, (remaining & 0xff) | 0x1, REC_STACK_SIZE);
311 return recursive_loop(remaining - 1);
314 static void do_nothing(void)
319 static noinline void corrupt_stack(void)
321 /* Use default char array length that triggers stack protection. */
324 memset((void *)data, 0, 64);
327 static void execute_location(void *dst)
329 void (*func)(void) = dst;
331 memcpy(dst, do_nothing, EXEC_SIZE);
335 static void execute_user_location(void *dst)
337 void (*func)(void) = dst;
339 if (copy_to_user(dst, do_nothing, EXEC_SIZE))
344 static void lkdtm_do_action(enum ctype which)
364 (void) recursive_loop(recur_count);
366 case CT_CORRUPT_STACK:
369 case CT_UNALIGNED_LOAD_STORE_WRITE: {
370 static u8 data[5] __attribute__((aligned(4))) = {1, 2,
373 u32 val = 0x12345678;
375 p = (u32 *)(data + 1);
381 case CT_OVERWRITE_ALLOCATION: {
383 u32 *data = kmalloc(len, GFP_KERNEL);
385 data[1024 / sizeof(u32)] = 0x12345678;
389 case CT_WRITE_AFTER_FREE: {
391 u32 *data = kmalloc(len, GFP_KERNEL);
395 memset(data, 0x78, len);
409 /* Must be called twice to trigger. */
410 spin_lock(&lock_me_up);
413 set_current_state(TASK_UNINTERRUPTIBLE);
417 execute_location(data_area);
419 case CT_EXEC_STACK: {
420 u8 stack_area[EXEC_SIZE];
421 execute_location(stack_area);
424 case CT_EXEC_KMALLOC: {
425 u32 *kmalloc_area = kmalloc(EXEC_SIZE, GFP_KERNEL);
426 execute_location(kmalloc_area);
430 case CT_EXEC_VMALLOC: {
431 u32 *vmalloc_area = vmalloc(EXEC_SIZE);
432 execute_location(vmalloc_area);
436 case CT_EXEC_USERSPACE: {
437 unsigned long user_addr;
439 user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
440 PROT_READ | PROT_WRITE | PROT_EXEC,
441 MAP_ANONYMOUS | MAP_PRIVATE, 0);
442 if (user_addr >= TASK_SIZE) {
443 pr_warn("Failed to allocate user memory\n");
446 execute_user_location((void *)user_addr);
447 vm_munmap(user_addr, PAGE_SIZE);
450 case CT_ACCESS_USERSPACE: {
451 unsigned long user_addr, tmp;
454 user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
455 PROT_READ | PROT_WRITE | PROT_EXEC,
456 MAP_ANONYMOUS | MAP_PRIVATE, 0);
457 if (user_addr >= TASK_SIZE) {
458 pr_warn("Failed to allocate user memory\n");
462 ptr = (unsigned long *)user_addr;
467 vm_munmap(user_addr, PAGE_SIZE);
474 ptr = (unsigned long *)&rodata;
486 static void lkdtm_handler(void)
491 spin_lock_irqsave(&count_lock, flags);
493 printk(KERN_INFO "lkdtm: Crash point %s of type %s hit, trigger in %d rounds\n",
494 cp_name_to_str(cpoint), cp_type_to_str(cptype), count);
498 count = cpoint_count;
500 spin_unlock_irqrestore(&count_lock, flags);
503 lkdtm_do_action(cptype);
506 static int lkdtm_register_cpoint(enum cname which)
511 if (lkdtm.entry != NULL)
512 unregister_jprobe(&lkdtm);
516 lkdtm_do_action(cptype);
518 case CN_INT_HARDWARE_ENTRY:
519 lkdtm.kp.symbol_name = "do_IRQ";
520 lkdtm.entry = (kprobe_opcode_t*) jp_do_irq;
522 case CN_INT_HW_IRQ_EN:
523 lkdtm.kp.symbol_name = "handle_IRQ_event";
524 lkdtm.entry = (kprobe_opcode_t*) jp_handle_irq_event;
526 case CN_INT_TASKLET_ENTRY:
527 lkdtm.kp.symbol_name = "tasklet_action";
528 lkdtm.entry = (kprobe_opcode_t*) jp_tasklet_action;
531 lkdtm.kp.symbol_name = "ll_rw_block";
532 lkdtm.entry = (kprobe_opcode_t*) jp_ll_rw_block;
535 lkdtm.kp.symbol_name = "shrink_inactive_list";
536 lkdtm.entry = (kprobe_opcode_t*) jp_shrink_inactive_list;
539 lkdtm.kp.symbol_name = "hrtimer_start";
540 lkdtm.entry = (kprobe_opcode_t*) jp_hrtimer_start;
542 case CN_SCSI_DISPATCH_CMD:
543 lkdtm.kp.symbol_name = "scsi_dispatch_cmd";
544 lkdtm.entry = (kprobe_opcode_t*) jp_scsi_dispatch_cmd;
548 lkdtm.kp.symbol_name = "generic_ide_ioctl";
549 lkdtm.entry = (kprobe_opcode_t*) jp_generic_ide_ioctl;
551 printk(KERN_INFO "lkdtm: Crash point not available\n");
556 printk(KERN_INFO "lkdtm: Invalid Crash Point\n");
561 if ((ret = register_jprobe(&lkdtm)) < 0) {
562 printk(KERN_INFO "lkdtm: Couldn't register jprobe\n");
569 static ssize_t do_register_entry(enum cname which, struct file *f,
570 const char __user *user_buf, size_t count, loff_t *off)
575 if (count >= PAGE_SIZE)
578 buf = (char *)__get_free_page(GFP_KERNEL);
581 if (copy_from_user(buf, user_buf, count)) {
582 free_page((unsigned long) buf);
585 /* NULL-terminate and remove enter */
589 cptype = parse_cp_type(buf, count);
590 free_page((unsigned long) buf);
592 if (cptype == CT_NONE)
595 err = lkdtm_register_cpoint(which);
604 /* Generic read callback that just prints out the available crash types */
605 static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf,
606 size_t count, loff_t *off)
611 buf = (char *)__get_free_page(GFP_KERNEL);
615 n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
616 for (i = 0; i < ARRAY_SIZE(cp_type); i++)
617 n += snprintf(buf + n, PAGE_SIZE - n, "%s\n", cp_type[i]);
620 out = simple_read_from_buffer(user_buf, count, off,
622 free_page((unsigned long) buf);
627 static int lkdtm_debugfs_open(struct inode *inode, struct file *file)
633 static ssize_t int_hardware_entry(struct file *f, const char __user *buf,
634 size_t count, loff_t *off)
636 return do_register_entry(CN_INT_HARDWARE_ENTRY, f, buf, count, off);
639 static ssize_t int_hw_irq_en(struct file *f, const char __user *buf,
640 size_t count, loff_t *off)
642 return do_register_entry(CN_INT_HW_IRQ_EN, f, buf, count, off);
645 static ssize_t int_tasklet_entry(struct file *f, const char __user *buf,
646 size_t count, loff_t *off)
648 return do_register_entry(CN_INT_TASKLET_ENTRY, f, buf, count, off);
651 static ssize_t fs_devrw_entry(struct file *f, const char __user *buf,
652 size_t count, loff_t *off)
654 return do_register_entry(CN_FS_DEVRW, f, buf, count, off);
657 static ssize_t mem_swapout_entry(struct file *f, const char __user *buf,
658 size_t count, loff_t *off)
660 return do_register_entry(CN_MEM_SWAPOUT, f, buf, count, off);
663 static ssize_t timeradd_entry(struct file *f, const char __user *buf,
664 size_t count, loff_t *off)
666 return do_register_entry(CN_TIMERADD, f, buf, count, off);
669 static ssize_t scsi_dispatch_cmd_entry(struct file *f,
670 const char __user *buf, size_t count, loff_t *off)
672 return do_register_entry(CN_SCSI_DISPATCH_CMD, f, buf, count, off);
675 static ssize_t ide_core_cp_entry(struct file *f, const char __user *buf,
676 size_t count, loff_t *off)
678 return do_register_entry(CN_IDE_CORE_CP, f, buf, count, off);
681 /* Special entry to just crash directly. Available without KPROBEs */
682 static ssize_t direct_entry(struct file *f, const char __user *user_buf,
683 size_t count, loff_t *off)
688 if (count >= PAGE_SIZE)
693 buf = (char *)__get_free_page(GFP_KERNEL);
696 if (copy_from_user(buf, user_buf, count)) {
697 free_page((unsigned long) buf);
700 /* NULL-terminate and remove enter */
704 type = parse_cp_type(buf, count);
705 free_page((unsigned long) buf);
709 printk(KERN_INFO "lkdtm: Performing direct entry %s\n",
710 cp_type_to_str(type));
711 lkdtm_do_action(type);
719 const struct file_operations fops;
722 static const struct crash_entry crash_entries[] = {
723 {"DIRECT", {.read = lkdtm_debugfs_read,
724 .llseek = generic_file_llseek,
725 .open = lkdtm_debugfs_open,
726 .write = direct_entry} },
727 {"INT_HARDWARE_ENTRY", {.read = lkdtm_debugfs_read,
728 .llseek = generic_file_llseek,
729 .open = lkdtm_debugfs_open,
730 .write = int_hardware_entry} },
731 {"INT_HW_IRQ_EN", {.read = lkdtm_debugfs_read,
732 .llseek = generic_file_llseek,
733 .open = lkdtm_debugfs_open,
734 .write = int_hw_irq_en} },
735 {"INT_TASKLET_ENTRY", {.read = lkdtm_debugfs_read,
736 .llseek = generic_file_llseek,
737 .open = lkdtm_debugfs_open,
738 .write = int_tasklet_entry} },
739 {"FS_DEVRW", {.read = lkdtm_debugfs_read,
740 .llseek = generic_file_llseek,
741 .open = lkdtm_debugfs_open,
742 .write = fs_devrw_entry} },
743 {"MEM_SWAPOUT", {.read = lkdtm_debugfs_read,
744 .llseek = generic_file_llseek,
745 .open = lkdtm_debugfs_open,
746 .write = mem_swapout_entry} },
747 {"TIMERADD", {.read = lkdtm_debugfs_read,
748 .llseek = generic_file_llseek,
749 .open = lkdtm_debugfs_open,
750 .write = timeradd_entry} },
751 {"SCSI_DISPATCH_CMD", {.read = lkdtm_debugfs_read,
752 .llseek = generic_file_llseek,
753 .open = lkdtm_debugfs_open,
754 .write = scsi_dispatch_cmd_entry} },
755 {"IDE_CORE_CP", {.read = lkdtm_debugfs_read,
756 .llseek = generic_file_llseek,
757 .open = lkdtm_debugfs_open,
758 .write = ide_core_cp_entry} },
761 static struct dentry *lkdtm_debugfs_root;
763 static int __init lkdtm_module_init(void)
766 int n_debugfs_entries = 1; /* Assume only the direct entry */
769 /* Register debugfs interface */
770 lkdtm_debugfs_root = debugfs_create_dir("provoke-crash", NULL);
771 if (!lkdtm_debugfs_root) {
772 printk(KERN_ERR "lkdtm: creating root dir failed\n");
776 #ifdef CONFIG_KPROBES
777 n_debugfs_entries = ARRAY_SIZE(crash_entries);
780 for (i = 0; i < n_debugfs_entries; i++) {
781 const struct crash_entry *cur = &crash_entries[i];
784 de = debugfs_create_file(cur->name, 0644, lkdtm_debugfs_root,
787 printk(KERN_ERR "lkdtm: could not create %s\n",
793 if (lkdtm_parse_commandline() == -EINVAL) {
794 printk(KERN_INFO "lkdtm: Invalid command\n");
798 if (cpoint != CN_INVALID && cptype != CT_NONE) {
799 ret = lkdtm_register_cpoint(cpoint);
801 printk(KERN_INFO "lkdtm: Invalid crash point %d\n",
805 printk(KERN_INFO "lkdtm: Crash point %s of type %s registered\n",
806 cpoint_name, cpoint_type);
808 printk(KERN_INFO "lkdtm: No crash points registered, enable through debugfs\n");
814 debugfs_remove_recursive(lkdtm_debugfs_root);
818 static void __exit lkdtm_module_exit(void)
820 debugfs_remove_recursive(lkdtm_debugfs_root);
822 unregister_jprobe(&lkdtm);
823 printk(KERN_INFO "lkdtm: Crash point unregistered\n");
826 module_init(lkdtm_module_init);
827 module_exit(lkdtm_module_exit);
829 MODULE_LICENSE("GPL");
git.openpandora.org / pandora-kernel.git / blob