2 * Linux Kernel Dump Test Module for testing kernel crashes conditions:
3 * induces system failures at predefined crashpoints and under predefined
4 * operational conditions in order to evaluate the reliability of kernel
5 * sanity checking and crash dumps obtained using different dumping
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
22 * Copyright (C) IBM Corporation, 2006
24 * Author: Ankita Garg <ankita@in.ibm.com>
26 * It is adapted from the Linux Kernel Dump Test Tool by
27 * Fernando Luis Vazquez Cao <http://lkdtt.sourceforge.net>
29 * Debugfs support added by Simon Kagstrom <simon.kagstrom@netinsight.net>
31 * See Documentation/fault-injection/provoke-crashes.txt for instructions
33 #define pr_fmt(fmt) "lkdtm: " fmt
35 #include <linux/kernel.h>
37 #include <linux/module.h>
38 #include <linux/buffer_head.h>
39 #include <linux/kprobes.h>
40 #include <linux/list.h>
41 #include <linux/init.h>
42 #include <linux/interrupt.h>
43 #include <linux/hrtimer.h>
44 #include <linux/slab.h>
45 #include <scsi/scsi_cmnd.h>
46 #include <linux/debugfs.h>
47 #include <linux/vmalloc.h>
48 #include <linux/mman.h>
49 #include <asm/cacheflush.h>
52 #include <linux/ide.h>
58 * Make sure our attempts to over run the kernel stack doesn't trigger
59 * a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
60 * recurse past the end of THREAD_SIZE by default.
62 #if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
63 #define REC_STACK_SIZE (CONFIG_FRAME_WARN / 2)
65 #define REC_STACK_SIZE (THREAD_SIZE / 8)
67 #define REC_NUM_DEFAULT ((THREAD_SIZE / REC_STACK_SIZE) * 2)
69 #define DEFAULT_COUNT 10
74 CN_INT_HARDWARE_ENTRY
,
94 CT_UNALIGNED_LOAD_STORE_WRITE
,
95 CT_OVERWRITE_ALLOCATION
,
98 CT_WRITE_BUDDY_AFTER_FREE
,
99 CT_READ_BUDDY_AFTER_FREE
,
112 CT_WRITE_RO_AFTER_INIT
,
116 CT_USERCOPY_HEAP_SIZE_TO
,
117 CT_USERCOPY_HEAP_SIZE_FROM
,
118 CT_USERCOPY_HEAP_FLAG_TO
,
119 CT_USERCOPY_HEAP_FLAG_FROM
,
120 CT_USERCOPY_STACK_FRAME_TO
,
121 CT_USERCOPY_STACK_FRAME_FROM
,
122 CT_USERCOPY_STACK_BEYOND
,
125 static char* cp_name
[] = {
126 "INT_HARDWARE_ENTRY",
137 static char* cp_type
[] = {
145 "UNALIGNED_LOAD_STORE_WRITE",
146 "OVERWRITE_ALLOCATION",
149 "WRITE_BUDDY_AFTER_FREE",
150 "READ_BUDDY_AFTER_FREE",
163 "WRITE_RO_AFTER_INIT",
167 "USERCOPY_HEAP_SIZE_TO",
168 "USERCOPY_HEAP_SIZE_FROM",
169 "USERCOPY_HEAP_FLAG_TO",
170 "USERCOPY_HEAP_FLAG_FROM",
171 "USERCOPY_STACK_FRAME_TO",
172 "USERCOPY_STACK_FRAME_FROM",
173 "USERCOPY_STACK_BEYOND",
176 static struct jprobe lkdtm
;
178 static int lkdtm_parse_commandline(void);
179 static void lkdtm_handler(void);
181 static char* cpoint_name
;
182 static char* cpoint_type
;
183 static int cpoint_count
= DEFAULT_COUNT
;
184 static int recur_count
= REC_NUM_DEFAULT
;
185 static int alloc_size
= 1024;
186 static size_t cache_size
;
188 static enum cname cpoint
= CN_INVALID
;
189 static enum ctype cptype
= CT_NONE
;
190 static int count
= DEFAULT_COUNT
;
191 static DEFINE_SPINLOCK(count_lock
);
192 static DEFINE_SPINLOCK(lock_me_up
);
194 static u8 data_area
[EXEC_SIZE
];
195 static struct kmem_cache
*bad_cache
;
197 static const unsigned char test_text
[] = "This is a test.\n";
198 static const unsigned long rodata
= 0xAA55AA55;
199 static unsigned long ro_after_init __ro_after_init
= 0x55AA5500;
201 module_param(recur_count
, int, 0644);
202 MODULE_PARM_DESC(recur_count
, " Recursion level for the stack overflow test");
203 module_param(cpoint_name
, charp
, 0444);
204 MODULE_PARM_DESC(cpoint_name
, " Crash Point, where kernel is to be crashed");
205 module_param(cpoint_type
, charp
, 0444);
206 MODULE_PARM_DESC(cpoint_type
, " Crash Point Type, action to be taken on "\
207 "hitting the crash point");
208 module_param(cpoint_count
, int, 0644);
209 MODULE_PARM_DESC(cpoint_count
, " Crash Point Count, number of times the "\
210 "crash point is to be hit to trigger action");
211 module_param(alloc_size
, int, 0644);
212 MODULE_PARM_DESC(alloc_size
, " Size of allocation for user copy tests "\
213 "(from 1 to PAGE_SIZE)");
215 static unsigned int jp_do_irq(unsigned int irq
)
222 static irqreturn_t
jp_handle_irq_event(unsigned int irq
,
223 struct irqaction
*action
)
230 static void jp_tasklet_action(struct softirq_action
*a
)
236 static void jp_ll_rw_block(int rw
, int nr
, struct buffer_head
*bhs
[])
244 static unsigned long jp_shrink_inactive_list(unsigned long max_scan
,
246 struct scan_control
*sc
)
253 static int jp_hrtimer_start(struct hrtimer
*timer
, ktime_t tim
,
254 const enum hrtimer_mode mode
)
261 static int jp_scsi_dispatch_cmd(struct scsi_cmnd
*cmd
)
269 static int jp_generic_ide_ioctl(ide_drive_t
*drive
, struct file
*file
,
270 struct block_device
*bdev
, unsigned int cmd
,
279 /* Return the crashpoint number or NONE if the name is invalid */
280 static enum ctype
parse_cp_type(const char *what
, size_t count
)
284 for (i
= 0; i
< ARRAY_SIZE(cp_type
); i
++) {
285 if (!strcmp(what
, cp_type
[i
]))
292 static const char *cp_type_to_str(enum ctype type
)
294 if (type
== CT_NONE
|| type
< 0 || type
> ARRAY_SIZE(cp_type
))
297 return cp_type
[type
- 1];
300 static const char *cp_name_to_str(enum cname name
)
302 if (name
== CN_INVALID
|| name
< 0 || name
> ARRAY_SIZE(cp_name
))
305 return cp_name
[name
- 1];
309 static int lkdtm_parse_commandline(void)
314 if (cpoint_count
< 1 || recur_count
< 1)
317 spin_lock_irqsave(&count_lock
, flags
);
318 count
= cpoint_count
;
319 spin_unlock_irqrestore(&count_lock
, flags
);
321 /* No special parameters */
322 if (!cpoint_type
&& !cpoint_name
)
325 /* Neither or both of these need to be set */
326 if (!cpoint_type
|| !cpoint_name
)
329 cptype
= parse_cp_type(cpoint_type
, strlen(cpoint_type
));
330 if (cptype
== CT_NONE
)
333 for (i
= 0; i
< ARRAY_SIZE(cp_name
); i
++) {
334 if (!strcmp(cpoint_name
, cp_name
[i
])) {
340 /* Could not find a valid crash point */
344 static int recursive_loop(int remaining
)
346 char buf
[REC_STACK_SIZE
];
348 /* Make sure compiler does not optimize this away. */
349 memset(buf
, (remaining
& 0xff) | 0x1, REC_STACK_SIZE
);
353 return recursive_loop(remaining
- 1);
356 static void do_nothing(void)
361 /* Must immediately follow do_nothing for size calculuations to work out. */
362 static void do_overwritten(void)
364 pr_info("do_overwritten wasn't overwritten!\n");
368 static noinline
void corrupt_stack(void)
370 /* Use default char array length that triggers stack protection. */
373 memset((void *)data
, 0, 64);
376 static noinline
void execute_location(void *dst
, bool write
)
378 void (*func
)(void) = dst
;
380 pr_info("attempting ok execution at %p\n", do_nothing
);
384 memcpy(dst
, do_nothing
, EXEC_SIZE
);
385 flush_icache_range((unsigned long)dst
,
386 (unsigned long)dst
+ EXEC_SIZE
);
388 pr_info("attempting bad execution at %p\n", func
);
392 static void execute_user_location(void *dst
)
394 /* Intentionally crossing kernel/user memory boundary. */
395 void (*func
)(void) = dst
;
397 pr_info("attempting ok execution at %p\n", do_nothing
);
400 if (copy_to_user((void __user
*)dst
, do_nothing
, EXEC_SIZE
))
402 flush_icache_range((unsigned long)dst
, (unsigned long)dst
+ EXEC_SIZE
);
403 pr_info("attempting bad execution at %p\n", func
);
408 * Instead of adding -Wno-return-local-addr, just pass the stack address
409 * through a function to obfuscate it from the compiler.
411 static noinline
unsigned char *trick_compiler(unsigned char *stack
)
416 static noinline
unsigned char *do_usercopy_stack_callee(int value
)
418 unsigned char buf
[32];
421 /* Exercise stack to avoid everything living in registers. */
422 for (i
= 0; i
< sizeof(buf
); i
++) {
423 buf
[i
] = value
& 0xff;
426 return trick_compiler(buf
);
429 static noinline
void do_usercopy_stack(bool to_user
, bool bad_frame
)
431 unsigned long user_addr
;
432 unsigned char good_stack
[32];
433 unsigned char *bad_stack
;
436 /* Exercise stack to avoid everything living in registers. */
437 for (i
= 0; i
< sizeof(good_stack
); i
++)
438 good_stack
[i
] = test_text
[i
% sizeof(test_text
)];
440 /* This is a pointer to outside our current stack frame. */
442 bad_stack
= do_usercopy_stack_callee(alloc_size
);
444 /* Put start address just inside stack. */
445 bad_stack
= task_stack_page(current
) + THREAD_SIZE
;
446 bad_stack
-= sizeof(unsigned long);
449 user_addr
= vm_mmap(NULL
, 0, PAGE_SIZE
,
450 PROT_READ
| PROT_WRITE
| PROT_EXEC
,
451 MAP_ANONYMOUS
| MAP_PRIVATE
, 0);
452 if (user_addr
>= TASK_SIZE
) {
453 pr_warn("Failed to allocate user memory\n");
458 pr_info("attempting good copy_to_user of local stack\n");
459 if (copy_to_user((void __user
*)user_addr
, good_stack
,
460 sizeof(good_stack
))) {
461 pr_warn("copy_to_user failed unexpectedly?!\n");
465 pr_info("attempting bad copy_to_user of distant stack\n");
466 if (copy_to_user((void __user
*)user_addr
, bad_stack
,
467 sizeof(good_stack
))) {
468 pr_warn("copy_to_user failed, but lacked Oops\n");
473 * There isn't a safe way to not be protected by usercopy
474 * if we're going to write to another thread's stack.
479 pr_info("attempting good copy_from_user of local stack\n");
480 if (copy_from_user(good_stack
, (void __user
*)user_addr
,
481 sizeof(good_stack
))) {
482 pr_warn("copy_from_user failed unexpectedly?!\n");
486 pr_info("attempting bad copy_from_user of distant stack\n");
487 if (copy_from_user(bad_stack
, (void __user
*)user_addr
,
488 sizeof(good_stack
))) {
489 pr_warn("copy_from_user failed, but lacked Oops\n");
495 vm_munmap(user_addr
, PAGE_SIZE
);
498 static void do_usercopy_heap_size(bool to_user
)
500 unsigned long user_addr
;
501 unsigned char *one
, *two
;
502 size_t size
= clamp_t(int, alloc_size
, 1, PAGE_SIZE
);
504 one
= kmalloc(size
, GFP_KERNEL
);
505 two
= kmalloc(size
, GFP_KERNEL
);
507 pr_warn("Failed to allocate kernel memory\n");
511 user_addr
= vm_mmap(NULL
, 0, PAGE_SIZE
,
512 PROT_READ
| PROT_WRITE
| PROT_EXEC
,
513 MAP_ANONYMOUS
| MAP_PRIVATE
, 0);
514 if (user_addr
>= TASK_SIZE
) {
515 pr_warn("Failed to allocate user memory\n");
519 memset(one
, 'A', size
);
520 memset(two
, 'B', size
);
523 pr_info("attempting good copy_to_user of correct size\n");
524 if (copy_to_user((void __user
*)user_addr
, one
, size
)) {
525 pr_warn("copy_to_user failed unexpectedly?!\n");
529 pr_info("attempting bad copy_to_user of too large size\n");
530 if (copy_to_user((void __user
*)user_addr
, one
, 2 * size
)) {
531 pr_warn("copy_to_user failed, but lacked Oops\n");
535 pr_info("attempting good copy_from_user of correct size\n");
536 if (copy_from_user(one
, (void __user
*)user_addr
,
538 pr_warn("copy_from_user failed unexpectedly?!\n");
542 pr_info("attempting bad copy_from_user of too large size\n");
543 if (copy_from_user(one
, (void __user
*)user_addr
, 2 * size
)) {
544 pr_warn("copy_from_user failed, but lacked Oops\n");
550 vm_munmap(user_addr
, PAGE_SIZE
);
556 static void do_usercopy_heap_flag(bool to_user
)
558 unsigned long user_addr
;
559 unsigned char *good_buf
= NULL
;
560 unsigned char *bad_buf
= NULL
;
562 /* Make sure cache was prepared. */
564 pr_warn("Failed to allocate kernel cache\n");
569 * Allocate one buffer from each cache (kmalloc will have the
570 * SLAB_USERCOPY flag already, but "bad_cache" won't).
572 good_buf
= kmalloc(cache_size
, GFP_KERNEL
);
573 bad_buf
= kmem_cache_alloc(bad_cache
, GFP_KERNEL
);
574 if (!good_buf
|| !bad_buf
) {
575 pr_warn("Failed to allocate buffers from caches\n");
579 /* Allocate user memory we'll poke at. */
580 user_addr
= vm_mmap(NULL
, 0, PAGE_SIZE
,
581 PROT_READ
| PROT_WRITE
| PROT_EXEC
,
582 MAP_ANONYMOUS
| MAP_PRIVATE
, 0);
583 if (user_addr
>= TASK_SIZE
) {
584 pr_warn("Failed to allocate user memory\n");
588 memset(good_buf
, 'A', cache_size
);
589 memset(bad_buf
, 'B', cache_size
);
592 pr_info("attempting good copy_to_user with SLAB_USERCOPY\n");
593 if (copy_to_user((void __user
*)user_addr
, good_buf
,
595 pr_warn("copy_to_user failed unexpectedly?!\n");
599 pr_info("attempting bad copy_to_user w/o SLAB_USERCOPY\n");
600 if (copy_to_user((void __user
*)user_addr
, bad_buf
,
602 pr_warn("copy_to_user failed, but lacked Oops\n");
606 pr_info("attempting good copy_from_user with SLAB_USERCOPY\n");
607 if (copy_from_user(good_buf
, (void __user
*)user_addr
,
609 pr_warn("copy_from_user failed unexpectedly?!\n");
613 pr_info("attempting bad copy_from_user w/o SLAB_USERCOPY\n");
614 if (copy_from_user(bad_buf
, (void __user
*)user_addr
,
616 pr_warn("copy_from_user failed, but lacked Oops\n");
622 vm_munmap(user_addr
, PAGE_SIZE
);
625 kmem_cache_free(bad_cache
, bad_buf
);
629 static void lkdtm_do_action(enum ctype which
)
649 (void) recursive_loop(recur_count
);
651 case CT_CORRUPT_STACK
:
654 case CT_UNALIGNED_LOAD_STORE_WRITE
: {
655 static u8 data
[5] __attribute__((aligned(4))) = {1, 2,
658 u32 val
= 0x12345678;
660 p
= (u32
*)(data
+ 1);
666 case CT_OVERWRITE_ALLOCATION
: {
668 u32
*data
= kmalloc(len
, GFP_KERNEL
);
670 data
[1024 / sizeof(u32
)] = 0x12345678;
674 case CT_WRITE_AFTER_FREE
: {
678 * The slub allocator uses the first word to store the free
679 * pointer in some configurations. Use the middle of the
680 * allocation to avoid running into the freelist
682 size_t offset
= (len
/ sizeof(*base
)) / 2;
684 base
= kmalloc(len
, GFP_KERNEL
);
685 pr_info("Allocated memory %p-%p\n", base
, &base
[offset
* 2]);
686 pr_info("Attempting bad write to freed memory at %p\n",
689 base
[offset
] = 0x0abcdef0;
690 /* Attempt to notice the overwrite. */
691 again
= kmalloc(len
, GFP_KERNEL
);
694 pr_info("Hmm, didn't get the same memory range.\n");
698 case CT_READ_AFTER_FREE
: {
699 int *base
, *val
, saw
;
702 * The slub allocator uses the first word to store the free
703 * pointer in some configurations. Use the middle of the
704 * allocation to avoid running into the freelist
706 size_t offset
= (len
/ sizeof(*base
)) / 2;
708 base
= kmalloc(len
, GFP_KERNEL
);
712 val
= kmalloc(len
, GFP_KERNEL
);
720 pr_info("Value in memory before free: %x\n", base
[offset
]);
724 pr_info("Attempting bad read from freed memory\n");
727 /* Good! Poisoning happened, so declare a win. */
728 pr_info("Memory correctly poisoned (%x)\n", saw
);
731 pr_info("Memory was not poisoned\n");
736 case CT_WRITE_BUDDY_AFTER_FREE
: {
737 unsigned long p
= __get_free_page(GFP_KERNEL
);
740 pr_info("Writing to the buddy page before free\n");
741 memset((void *)p
, 0x3, PAGE_SIZE
);
744 pr_info("Attempting bad write to the buddy page after free\n");
745 memset((void *)p
, 0x78, PAGE_SIZE
);
746 /* Attempt to notice the overwrite. */
747 p
= __get_free_page(GFP_KERNEL
);
753 case CT_READ_BUDDY_AFTER_FREE
: {
754 unsigned long p
= __get_free_page(GFP_KERNEL
);
761 val
= kmalloc(1024, GFP_KERNEL
);
771 pr_info("Value in memory before free: %x\n", base
[0]);
773 pr_info("Attempting to read from freed memory\n");
776 /* Good! Poisoning happened, so declare a win. */
777 pr_info("Memory correctly poisoned (%x)\n", saw
);
780 pr_info("Buddy page was not poisoned\n");
796 /* Must be called twice to trigger. */
797 spin_lock(&lock_me_up
);
798 /* Let sparse know we intended to exit holding the lock. */
799 __release(&lock_me_up
);
802 set_current_state(TASK_UNINTERRUPTIBLE
);
806 execute_location(data_area
, true);
808 case CT_EXEC_STACK
: {
809 u8 stack_area
[EXEC_SIZE
];
810 execute_location(stack_area
, true);
813 case CT_EXEC_KMALLOC
: {
814 u32
*kmalloc_area
= kmalloc(EXEC_SIZE
, GFP_KERNEL
);
815 execute_location(kmalloc_area
, true);
819 case CT_EXEC_VMALLOC
: {
820 u32
*vmalloc_area
= vmalloc(EXEC_SIZE
);
821 execute_location(vmalloc_area
, true);
826 execute_location(lkdtm_rodata_do_nothing
, false);
828 case CT_EXEC_USERSPACE
: {
829 unsigned long user_addr
;
831 user_addr
= vm_mmap(NULL
, 0, PAGE_SIZE
,
832 PROT_READ
| PROT_WRITE
| PROT_EXEC
,
833 MAP_ANONYMOUS
| MAP_PRIVATE
, 0);
834 if (user_addr
>= TASK_SIZE
) {
835 pr_warn("Failed to allocate user memory\n");
838 execute_user_location((void *)user_addr
);
839 vm_munmap(user_addr
, PAGE_SIZE
);
842 case CT_ACCESS_USERSPACE
: {
843 unsigned long user_addr
, tmp
= 0;
846 user_addr
= vm_mmap(NULL
, 0, PAGE_SIZE
,
847 PROT_READ
| PROT_WRITE
| PROT_EXEC
,
848 MAP_ANONYMOUS
| MAP_PRIVATE
, 0);
849 if (user_addr
>= TASK_SIZE
) {
850 pr_warn("Failed to allocate user memory\n");
854 if (copy_to_user((void __user
*)user_addr
, &tmp
, sizeof(tmp
))) {
855 pr_warn("copy_to_user failed\n");
856 vm_munmap(user_addr
, PAGE_SIZE
);
860 ptr
= (unsigned long *)user_addr
;
862 pr_info("attempting bad read at %p\n", ptr
);
866 pr_info("attempting bad write at %p\n", ptr
);
869 vm_munmap(user_addr
, PAGE_SIZE
);
874 /* Explicitly cast away "const" for the test. */
875 unsigned long *ptr
= (unsigned long *)&rodata
;
877 pr_info("attempting bad rodata write at %p\n", ptr
);
882 case CT_WRITE_RO_AFTER_INIT
: {
883 unsigned long *ptr
= &ro_after_init
;
886 * Verify we were written to during init. Since an Oops
887 * is considered a "success", a failure is to just skip the
890 if ((*ptr
& 0xAA) != 0xAA) {
891 pr_info("%p was NOT written during init!?\n", ptr
);
895 pr_info("attempting bad ro_after_init write at %p\n", ptr
);
900 case CT_WRITE_KERN
: {
904 size
= (unsigned long)do_overwritten
-
905 (unsigned long)do_nothing
;
906 ptr
= (unsigned char *)do_overwritten
;
908 pr_info("attempting bad %zu byte write at %p\n", size
, ptr
);
909 memcpy(ptr
, (unsigned char *)do_nothing
, size
);
910 flush_icache_range((unsigned long)ptr
,
911 (unsigned long)(ptr
+ size
));
916 case CT_ATOMIC_UNDERFLOW
: {
917 atomic_t under
= ATOMIC_INIT(INT_MIN
);
919 pr_info("attempting good atomic increment\n");
923 pr_info("attempting bad atomic underflow\n");
927 case CT_ATOMIC_OVERFLOW
: {
928 atomic_t over
= ATOMIC_INIT(INT_MAX
);
930 pr_info("attempting good atomic decrement\n");
934 pr_info("attempting bad atomic overflow\n");
939 case CT_USERCOPY_HEAP_SIZE_TO
:
940 do_usercopy_heap_size(true);
942 case CT_USERCOPY_HEAP_SIZE_FROM
:
943 do_usercopy_heap_size(false);
945 case CT_USERCOPY_HEAP_FLAG_TO
:
946 do_usercopy_heap_flag(true);
948 case CT_USERCOPY_HEAP_FLAG_FROM
:
949 do_usercopy_heap_flag(false);
951 case CT_USERCOPY_STACK_FRAME_TO
:
952 do_usercopy_stack(true, true);
954 case CT_USERCOPY_STACK_FRAME_FROM
:
955 do_usercopy_stack(false, true);
957 case CT_USERCOPY_STACK_BEYOND
:
958 do_usercopy_stack(true, false);
967 static void lkdtm_handler(void)
972 spin_lock_irqsave(&count_lock
, flags
);
974 pr_info("Crash point %s of type %s hit, trigger in %d rounds\n",
975 cp_name_to_str(cpoint
), cp_type_to_str(cptype
), count
);
979 count
= cpoint_count
;
981 spin_unlock_irqrestore(&count_lock
, flags
);
984 lkdtm_do_action(cptype
);
987 static int lkdtm_register_cpoint(enum cname which
)
992 if (lkdtm
.entry
!= NULL
)
993 unregister_jprobe(&lkdtm
);
997 lkdtm_do_action(cptype
);
999 case CN_INT_HARDWARE_ENTRY
:
1000 lkdtm
.kp
.symbol_name
= "do_IRQ";
1001 lkdtm
.entry
= (kprobe_opcode_t
*) jp_do_irq
;
1003 case CN_INT_HW_IRQ_EN
:
1004 lkdtm
.kp
.symbol_name
= "handle_IRQ_event";
1005 lkdtm
.entry
= (kprobe_opcode_t
*) jp_handle_irq_event
;
1007 case CN_INT_TASKLET_ENTRY
:
1008 lkdtm
.kp
.symbol_name
= "tasklet_action";
1009 lkdtm
.entry
= (kprobe_opcode_t
*) jp_tasklet_action
;
1012 lkdtm
.kp
.symbol_name
= "ll_rw_block";
1013 lkdtm
.entry
= (kprobe_opcode_t
*) jp_ll_rw_block
;
1015 case CN_MEM_SWAPOUT
:
1016 lkdtm
.kp
.symbol_name
= "shrink_inactive_list";
1017 lkdtm
.entry
= (kprobe_opcode_t
*) jp_shrink_inactive_list
;
1020 lkdtm
.kp
.symbol_name
= "hrtimer_start";
1021 lkdtm
.entry
= (kprobe_opcode_t
*) jp_hrtimer_start
;
1023 case CN_SCSI_DISPATCH_CMD
:
1024 lkdtm
.kp
.symbol_name
= "scsi_dispatch_cmd";
1025 lkdtm
.entry
= (kprobe_opcode_t
*) jp_scsi_dispatch_cmd
;
1027 case CN_IDE_CORE_CP
:
1029 lkdtm
.kp
.symbol_name
= "generic_ide_ioctl";
1030 lkdtm
.entry
= (kprobe_opcode_t
*) jp_generic_ide_ioctl
;
1032 pr_info("Crash point not available\n");
1037 pr_info("Invalid Crash Point\n");
1042 if ((ret
= register_jprobe(&lkdtm
)) < 0) {
1043 pr_info("Couldn't register jprobe\n");
1044 cpoint
= CN_INVALID
;
1050 static ssize_t
do_register_entry(enum cname which
, struct file
*f
,
1051 const char __user
*user_buf
, size_t count
, loff_t
*off
)
1056 if (count
>= PAGE_SIZE
)
1059 buf
= (char *)__get_free_page(GFP_KERNEL
);
1062 if (copy_from_user(buf
, user_buf
, count
)) {
1063 free_page((unsigned long) buf
);
1066 /* NULL-terminate and remove enter */
1070 cptype
= parse_cp_type(buf
, count
);
1071 free_page((unsigned long) buf
);
1073 if (cptype
== CT_NONE
)
1076 err
= lkdtm_register_cpoint(which
);
1085 /* Generic read callback that just prints out the available crash types */
1086 static ssize_t
lkdtm_debugfs_read(struct file
*f
, char __user
*user_buf
,
1087 size_t count
, loff_t
*off
)
1092 buf
= (char *)__get_free_page(GFP_KERNEL
);
1096 n
= snprintf(buf
, PAGE_SIZE
, "Available crash types:\n");
1097 for (i
= 0; i
< ARRAY_SIZE(cp_type
); i
++)
1098 n
+= snprintf(buf
+ n
, PAGE_SIZE
- n
, "%s\n", cp_type
[i
]);
1101 out
= simple_read_from_buffer(user_buf
, count
, off
,
1103 free_page((unsigned long) buf
);
1108 static int lkdtm_debugfs_open(struct inode
*inode
, struct file
*file
)
1114 static ssize_t
int_hardware_entry(struct file
*f
, const char __user
*buf
,
1115 size_t count
, loff_t
*off
)
1117 return do_register_entry(CN_INT_HARDWARE_ENTRY
, f
, buf
, count
, off
);
1120 static ssize_t
int_hw_irq_en(struct file
*f
, const char __user
*buf
,
1121 size_t count
, loff_t
*off
)
1123 return do_register_entry(CN_INT_HW_IRQ_EN
, f
, buf
, count
, off
);
1126 static ssize_t
int_tasklet_entry(struct file
*f
, const char __user
*buf
,
1127 size_t count
, loff_t
*off
)
1129 return do_register_entry(CN_INT_TASKLET_ENTRY
, f
, buf
, count
, off
);
1132 static ssize_t
fs_devrw_entry(struct file
*f
, const char __user
*buf
,
1133 size_t count
, loff_t
*off
)
1135 return do_register_entry(CN_FS_DEVRW
, f
, buf
, count
, off
);
1138 static ssize_t
mem_swapout_entry(struct file
*f
, const char __user
*buf
,
1139 size_t count
, loff_t
*off
)
1141 return do_register_entry(CN_MEM_SWAPOUT
, f
, buf
, count
, off
);
1144 static ssize_t
timeradd_entry(struct file
*f
, const char __user
*buf
,
1145 size_t count
, loff_t
*off
)
1147 return do_register_entry(CN_TIMERADD
, f
, buf
, count
, off
);
1150 static ssize_t
scsi_dispatch_cmd_entry(struct file
*f
,
1151 const char __user
*buf
, size_t count
, loff_t
*off
)
1153 return do_register_entry(CN_SCSI_DISPATCH_CMD
, f
, buf
, count
, off
);
1156 static ssize_t
ide_core_cp_entry(struct file
*f
, const char __user
*buf
,
1157 size_t count
, loff_t
*off
)
1159 return do_register_entry(CN_IDE_CORE_CP
, f
, buf
, count
, off
);
1162 /* Special entry to just crash directly. Available without KPROBEs */
1163 static ssize_t
direct_entry(struct file
*f
, const char __user
*user_buf
,
1164 size_t count
, loff_t
*off
)
1169 if (count
>= PAGE_SIZE
)
1174 buf
= (char *)__get_free_page(GFP_KERNEL
);
1177 if (copy_from_user(buf
, user_buf
, count
)) {
1178 free_page((unsigned long) buf
);
1181 /* NULL-terminate and remove enter */
1185 type
= parse_cp_type(buf
, count
);
1186 free_page((unsigned long) buf
);
1187 if (type
== CT_NONE
)
1190 pr_info("Performing direct entry %s\n", cp_type_to_str(type
));
1191 lkdtm_do_action(type
);
1197 struct crash_entry
{
1199 const struct file_operations fops
;
1202 static const struct crash_entry crash_entries
[] = {
1203 {"DIRECT", {.read
= lkdtm_debugfs_read
,
1204 .llseek
= generic_file_llseek
,
1205 .open
= lkdtm_debugfs_open
,
1206 .write
= direct_entry
} },
1207 {"INT_HARDWARE_ENTRY", {.read
= lkdtm_debugfs_read
,
1208 .llseek
= generic_file_llseek
,
1209 .open
= lkdtm_debugfs_open
,
1210 .write
= int_hardware_entry
} },
1211 {"INT_HW_IRQ_EN", {.read
= lkdtm_debugfs_read
,
1212 .llseek
= generic_file_llseek
,
1213 .open
= lkdtm_debugfs_open
,
1214 .write
= int_hw_irq_en
} },
1215 {"INT_TASKLET_ENTRY", {.read
= lkdtm_debugfs_read
,
1216 .llseek
= generic_file_llseek
,
1217 .open
= lkdtm_debugfs_open
,
1218 .write
= int_tasklet_entry
} },
1219 {"FS_DEVRW", {.read
= lkdtm_debugfs_read
,
1220 .llseek
= generic_file_llseek
,
1221 .open
= lkdtm_debugfs_open
,
1222 .write
= fs_devrw_entry
} },
1223 {"MEM_SWAPOUT", {.read
= lkdtm_debugfs_read
,
1224 .llseek
= generic_file_llseek
,
1225 .open
= lkdtm_debugfs_open
,
1226 .write
= mem_swapout_entry
} },
1227 {"TIMERADD", {.read
= lkdtm_debugfs_read
,
1228 .llseek
= generic_file_llseek
,
1229 .open
= lkdtm_debugfs_open
,
1230 .write
= timeradd_entry
} },
1231 {"SCSI_DISPATCH_CMD", {.read
= lkdtm_debugfs_read
,
1232 .llseek
= generic_file_llseek
,
1233 .open
= lkdtm_debugfs_open
,
1234 .write
= scsi_dispatch_cmd_entry
} },
1235 {"IDE_CORE_CP", {.read
= lkdtm_debugfs_read
,
1236 .llseek
= generic_file_llseek
,
1237 .open
= lkdtm_debugfs_open
,
1238 .write
= ide_core_cp_entry
} },
1241 static struct dentry
*lkdtm_debugfs_root
;
1243 static int __init
lkdtm_module_init(void)
1246 int n_debugfs_entries
= 1; /* Assume only the direct entry */
1249 /* Make sure we can write to __ro_after_init values during __init */
1250 ro_after_init
|= 0xAA;
1252 /* Prepare cache that lacks SLAB_USERCOPY flag. */
1253 cache_size
= clamp_t(int, alloc_size
, 1, PAGE_SIZE
);
1254 bad_cache
= kmem_cache_create("lkdtm-no-usercopy", cache_size
, 0,
1257 /* Register debugfs interface */
1258 lkdtm_debugfs_root
= debugfs_create_dir("provoke-crash", NULL
);
1259 if (!lkdtm_debugfs_root
) {
1260 pr_err("creating root dir failed\n");
1264 #ifdef CONFIG_KPROBES
1265 n_debugfs_entries
= ARRAY_SIZE(crash_entries
);
1268 for (i
= 0; i
< n_debugfs_entries
; i
++) {
1269 const struct crash_entry
*cur
= &crash_entries
[i
];
1272 de
= debugfs_create_file(cur
->name
, 0644, lkdtm_debugfs_root
,
1275 pr_err("could not create %s\n", cur
->name
);
1280 if (lkdtm_parse_commandline() == -EINVAL
) {
1281 pr_info("Invalid command\n");
1285 if (cpoint
!= CN_INVALID
&& cptype
!= CT_NONE
) {
1286 ret
= lkdtm_register_cpoint(cpoint
);
1288 pr_info("Invalid crash point %d\n", cpoint
);
1291 pr_info("Crash point %s of type %s registered\n",
1292 cpoint_name
, cpoint_type
);
1294 pr_info("No crash points registered, enable through debugfs\n");
1300 debugfs_remove_recursive(lkdtm_debugfs_root
);
1304 static void __exit
lkdtm_module_exit(void)
1306 debugfs_remove_recursive(lkdtm_debugfs_root
);
1308 kmem_cache_destroy(bad_cache
);
1310 unregister_jprobe(&lkdtm
);
1311 pr_info("Crash point unregistered\n");
1314 module_init(lkdtm_module_init
);
1315 module_exit(lkdtm_module_exit
);
1317 MODULE_LICENSE("GPL");
1318 MODULE_DESCRIPTION("Kprobe module for testing crash dumps");