1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Linux Kernel Dump Test Module for testing kernel crashes conditions: 4 * induces system failures at predefined crashpoints and under predefined 5 * operational conditions in order to evaluate the reliability of kernel 6 * sanity checking and crash dumps obtained using different dumping 7 * solutions. 8 * 9 * Copyright (C) IBM Corporation, 2006 10 * 11 * Author: Ankita Garg <ankita@in.ibm.com> 12 * 13 * It is adapted from the Linux Kernel Dump Test Tool by 14 * Fernando Luis Vazquez Cao <http://lkdtt.sourceforge.net> 15 * 16 * Debugfs support added by Simon Kagstrom <simon.kagstrom@netinsight.net> 17 * 18 * See Documentation/fault-injection/provoke-crashes.rst for instructions 19 */ 20 #include "lkdtm.h" 21 #include <linux/fs.h> 22 #include <linux/module.h> 23 #include <linux/buffer_head.h> 24 #include <linux/kprobes.h> 25 #include <linux/list.h> 26 #include <linux/init.h> 27 #include <linux/slab.h> 28 #include <linux/debugfs.h> 29 #include <linux/utsname.h> 30 31 #define DEFAULT_COUNT 10 32 33 static int lkdtm_debugfs_open(struct inode *inode, struct file *file); 34 static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, 35 size_t count, loff_t *off); 36 static ssize_t direct_entry(struct file *f, const char __user *user_buf, 37 size_t count, loff_t *off); 38 39 #ifdef CONFIG_KPROBES 40 static int lkdtm_kprobe_handler(struct kprobe *kp, struct pt_regs *regs); 41 static ssize_t lkdtm_debugfs_entry(struct file *f, 42 const char __user *user_buf, 43 size_t count, loff_t *off); 44 # define CRASHPOINT_KPROBE(_symbol) \ 45 .kprobe = { \ 46 .symbol_name = (_symbol), \ 47 .pre_handler = lkdtm_kprobe_handler, \ 48 }, 49 # define CRASHPOINT_WRITE(_symbol) \ 50 (_symbol) ? lkdtm_debugfs_entry : direct_entry 51 #else 52 # define CRASHPOINT_KPROBE(_symbol) 53 # define CRASHPOINT_WRITE(_symbol) direct_entry 54 #endif 55 56 /* Crash points */ 57 struct crashpoint { 58 const char *name; 59 const struct file_operations fops; 60 struct kprobe kprobe; 61 }; 62 63 #define CRASHPOINT(_name, _symbol) \ 64 { \ 65 .name = _name, \ 66 .fops = { \ 67 .read = lkdtm_debugfs_read, \ 68 .llseek = generic_file_llseek, \ 69 .open = lkdtm_debugfs_open, \ 70 .write = CRASHPOINT_WRITE(_symbol) \ 71 }, \ 72 CRASHPOINT_KPROBE(_symbol) \ 73 } 74 75 /* Define the possible places where we can trigger a crash point. */ 76 static struct crashpoint crashpoints[] = { 77 CRASHPOINT("DIRECT", NULL), 78 #ifdef CONFIG_KPROBES 79 CRASHPOINT("INT_HARDWARE_ENTRY", "do_IRQ"), 80 CRASHPOINT("INT_HW_IRQ_EN", "handle_irq_event"), 81 CRASHPOINT("INT_TASKLET_ENTRY", "tasklet_action"), 82 CRASHPOINT("FS_DEVRW", "ll_rw_block"), 83 CRASHPOINT("MEM_SWAPOUT", "shrink_inactive_list"), 84 CRASHPOINT("TIMERADD", "hrtimer_start"), 85 CRASHPOINT("SCSI_QUEUE_RQ", "scsi_queue_rq"), 86 #endif 87 }; 88 89 /* List of possible types for crashes that can be triggered. */ 90 static const struct crashtype_category *crashtype_categories[] = { 91 &bugs_crashtypes, 92 &heap_crashtypes, 93 &perms_crashtypes, 94 &refcount_crashtypes, 95 &usercopy_crashtypes, 96 &stackleak_crashtypes, 97 &cfi_crashtypes, 98 &fortify_crashtypes, 99 #ifdef CONFIG_PPC_64S_HASH_MMU 100 &powerpc_crashtypes, 101 #endif 102 }; 103 104 /* Global kprobe entry and crashtype. */ 105 static struct kprobe *lkdtm_kprobe; 106 static struct crashpoint *lkdtm_crashpoint; 107 static const struct crashtype *lkdtm_crashtype; 108 109 /* Module parameters */ 110 static int recur_count = -1; 111 module_param(recur_count, int, 0644); 112 MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test"); 113 114 static char* cpoint_name; 115 module_param(cpoint_name, charp, 0444); 116 MODULE_PARM_DESC(cpoint_name, " Crash Point, where kernel is to be crashed"); 117 118 static char* cpoint_type; 119 module_param(cpoint_type, charp, 0444); 120 MODULE_PARM_DESC(cpoint_type, " Crash Point Type, action to be taken on "\ 121 "hitting the crash point"); 122 123 static int cpoint_count = DEFAULT_COUNT; 124 module_param(cpoint_count, int, 0644); 125 MODULE_PARM_DESC(cpoint_count, " Crash Point Count, number of times the "\ 126 "crash point is to be hit to trigger action"); 127 128 /* 129 * For test debug reporting when CI systems provide terse summaries. 130 * TODO: Remove this once reasonable reporting exists in most CI systems: 131 * https://lore.kernel.org/lkml/CAHk-=wiFvfkoFixTapvvyPMN9pq5G-+Dys2eSyBa1vzDGAO5+A@mail.gmail.com 132 */ 133 char *lkdtm_kernel_info; 134 135 /* Return the crashtype number or NULL if the name is invalid */ 136 static const struct crashtype *find_crashtype(const char *name) 137 { 138 int cat, idx; 139 140 for (cat = 0; cat < ARRAY_SIZE(crashtype_categories); cat++) { 141 for (idx = 0; idx < crashtype_categories[cat]->len; idx++) { 142 struct crashtype *crashtype; 143 144 crashtype = &crashtype_categories[cat]->crashtypes[idx]; 145 if (!strcmp(name, crashtype->name)) 146 return crashtype; 147 } 148 } 149 150 return NULL; 151 } 152 153 /* 154 * This is forced noinline just so it distinctly shows up in the stackdump 155 * which makes validation of expected lkdtm crashes easier. 156 */ 157 static noinline void lkdtm_do_action(const struct crashtype *crashtype) 158 { 159 if (WARN_ON(!crashtype || !crashtype->func)) 160 return; 161 crashtype->func(); 162 } 163 164 static int lkdtm_register_cpoint(struct crashpoint *crashpoint, 165 const struct crashtype *crashtype) 166 { 167 int ret; 168 169 /* If this doesn't have a symbol, just call immediately. */ 170 if (!crashpoint->kprobe.symbol_name) { 171 lkdtm_do_action(crashtype); 172 return 0; 173 } 174 175 if (lkdtm_kprobe != NULL) 176 unregister_kprobe(lkdtm_kprobe); 177 178 lkdtm_crashpoint = crashpoint; 179 lkdtm_crashtype = crashtype; 180 lkdtm_kprobe = &crashpoint->kprobe; 181 ret = register_kprobe(lkdtm_kprobe); 182 if (ret < 0) { 183 pr_info("Couldn't register kprobe %s\n", 184 crashpoint->kprobe.symbol_name); 185 lkdtm_kprobe = NULL; 186 lkdtm_crashpoint = NULL; 187 lkdtm_crashtype = NULL; 188 } 189 190 return ret; 191 } 192 193 #ifdef CONFIG_KPROBES 194 /* Global crash counter and spinlock. */ 195 static int crash_count = DEFAULT_COUNT; 196 static DEFINE_SPINLOCK(crash_count_lock); 197 198 /* Called by kprobe entry points. */ 199 static int lkdtm_kprobe_handler(struct kprobe *kp, struct pt_regs *regs) 200 { 201 unsigned long flags; 202 bool do_it = false; 203 204 if (WARN_ON(!lkdtm_crashpoint || !lkdtm_crashtype)) 205 return 0; 206 207 spin_lock_irqsave(&crash_count_lock, flags); 208 crash_count--; 209 pr_info("Crash point %s of type %s hit, trigger in %d rounds\n", 210 lkdtm_crashpoint->name, lkdtm_crashtype->name, crash_count); 211 212 if (crash_count == 0) { 213 do_it = true; 214 crash_count = cpoint_count; 215 } 216 spin_unlock_irqrestore(&crash_count_lock, flags); 217 218 if (do_it) 219 lkdtm_do_action(lkdtm_crashtype); 220 221 return 0; 222 } 223 224 static ssize_t lkdtm_debugfs_entry(struct file *f, 225 const char __user *user_buf, 226 size_t count, loff_t *off) 227 { 228 struct crashpoint *crashpoint = file_inode(f)->i_private; 229 const struct crashtype *crashtype = NULL; 230 char *buf; 231 int err; 232 233 if (count >= PAGE_SIZE) 234 return -EINVAL; 235 236 buf = (char *)__get_free_page(GFP_KERNEL); 237 if (!buf) 238 return -ENOMEM; 239 if (copy_from_user(buf, user_buf, count)) { 240 free_page((unsigned long) buf); 241 return -EFAULT; 242 } 243 /* NULL-terminate and remove enter */ 244 buf[count] = '\0'; 245 strim(buf); 246 247 crashtype = find_crashtype(buf); 248 free_page((unsigned long)buf); 249 250 if (!crashtype) 251 return -EINVAL; 252 253 err = lkdtm_register_cpoint(crashpoint, crashtype); 254 if (err < 0) 255 return err; 256 257 *off += count; 258 259 return count; 260 } 261 #endif 262 263 /* Generic read callback that just prints out the available crash types */ 264 static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, 265 size_t count, loff_t *off) 266 { 267 int n, cat, idx; 268 ssize_t out; 269 char *buf; 270 271 buf = (char *)__get_free_page(GFP_KERNEL); 272 if (buf == NULL) 273 return -ENOMEM; 274 275 n = scnprintf(buf, PAGE_SIZE, "Available crash types:\n"); 276 277 for (cat = 0; cat < ARRAY_SIZE(crashtype_categories); cat++) { 278 for (idx = 0; idx < crashtype_categories[cat]->len; idx++) { 279 struct crashtype *crashtype; 280 281 crashtype = &crashtype_categories[cat]->crashtypes[idx]; 282 n += scnprintf(buf + n, PAGE_SIZE - n, "%s\n", 283 crashtype->name); 284 } 285 } 286 buf[n] = '\0'; 287 288 out = simple_read_from_buffer(user_buf, count, off, 289 buf, n); 290 free_page((unsigned long) buf); 291 292 return out; 293 } 294 295 static int lkdtm_debugfs_open(struct inode *inode, struct file *file) 296 { 297 return 0; 298 } 299 300 /* Special entry to just crash directly. Available without KPROBEs */ 301 static ssize_t direct_entry(struct file *f, const char __user *user_buf, 302 size_t count, loff_t *off) 303 { 304 const struct crashtype *crashtype; 305 char *buf; 306 307 if (count >= PAGE_SIZE) 308 return -EINVAL; 309 if (count < 1) 310 return -EINVAL; 311 312 buf = (char *)__get_free_page(GFP_KERNEL); 313 if (!buf) 314 return -ENOMEM; 315 if (copy_from_user(buf, user_buf, count)) { 316 free_page((unsigned long) buf); 317 return -EFAULT; 318 } 319 /* NULL-terminate and remove enter */ 320 buf[count] = '\0'; 321 strim(buf); 322 323 crashtype = find_crashtype(buf); 324 free_page((unsigned long) buf); 325 if (!crashtype) 326 return -EINVAL; 327 328 pr_info("Performing direct entry %s\n", crashtype->name); 329 lkdtm_do_action(crashtype); 330 *off += count; 331 332 return count; 333 } 334 335 #ifndef MODULE 336 /* 337 * To avoid needing to export parse_args(), just don't use this code 338 * when LKDTM is built as a module. 339 */ 340 struct check_cmdline_args { 341 const char *param; 342 int value; 343 }; 344 345 static int lkdtm_parse_one(char *param, char *val, 346 const char *unused, void *arg) 347 { 348 struct check_cmdline_args *args = arg; 349 350 /* short circuit if we already found a value. */ 351 if (args->value != -ESRCH) 352 return 0; 353 if (strncmp(param, args->param, strlen(args->param)) == 0) { 354 bool bool_result; 355 int ret; 356 357 ret = kstrtobool(val, &bool_result); 358 if (ret == 0) 359 args->value = bool_result; 360 } 361 return 0; 362 } 363 364 int lkdtm_check_bool_cmdline(const char *param) 365 { 366 char *command_line; 367 struct check_cmdline_args args = { 368 .param = param, 369 .value = -ESRCH, 370 }; 371 372 command_line = kstrdup(saved_command_line, GFP_KERNEL); 373 if (!command_line) 374 return -ENOMEM; 375 376 parse_args("Setting sysctl args", command_line, 377 NULL, 0, -1, -1, &args, lkdtm_parse_one); 378 379 kfree(command_line); 380 381 return args.value; 382 } 383 #endif 384 385 static struct dentry *lkdtm_debugfs_root; 386 387 static int __init lkdtm_module_init(void) 388 { 389 struct crashpoint *crashpoint = NULL; 390 const struct crashtype *crashtype = NULL; 391 int ret; 392 int i; 393 394 /* Neither or both of these need to be set */ 395 if ((cpoint_type || cpoint_name) && !(cpoint_type && cpoint_name)) { 396 pr_err("Need both cpoint_type and cpoint_name or neither\n"); 397 return -EINVAL; 398 } 399 400 if (cpoint_type) { 401 crashtype = find_crashtype(cpoint_type); 402 if (!crashtype) { 403 pr_err("Unknown crashtype '%s'\n", cpoint_type); 404 return -EINVAL; 405 } 406 } 407 408 if (cpoint_name) { 409 for (i = 0; i < ARRAY_SIZE(crashpoints); i++) { 410 if (!strcmp(cpoint_name, crashpoints[i].name)) 411 crashpoint = &crashpoints[i]; 412 } 413 414 /* Refuse unknown crashpoints. */ 415 if (!crashpoint) { 416 pr_err("Invalid crashpoint %s\n", cpoint_name); 417 return -EINVAL; 418 } 419 } 420 421 #ifdef CONFIG_KPROBES 422 /* Set crash count. */ 423 crash_count = cpoint_count; 424 #endif 425 426 /* Common initialization. */ 427 lkdtm_kernel_info = kasprintf(GFP_KERNEL, "kernel (%s %s)", 428 init_uts_ns.name.release, 429 init_uts_ns.name.machine); 430 431 /* Handle test-specific initialization. */ 432 lkdtm_bugs_init(&recur_count); 433 lkdtm_perms_init(); 434 lkdtm_usercopy_init(); 435 lkdtm_heap_init(); 436 437 /* Register debugfs interface */ 438 lkdtm_debugfs_root = debugfs_create_dir("provoke-crash", NULL); 439 440 /* Install debugfs trigger files. */ 441 for (i = 0; i < ARRAY_SIZE(crashpoints); i++) { 442 struct crashpoint *cur = &crashpoints[i]; 443 444 debugfs_create_file(cur->name, 0644, lkdtm_debugfs_root, cur, 445 &cur->fops); 446 } 447 448 /* Install crashpoint if one was selected. */ 449 if (crashpoint) { 450 ret = lkdtm_register_cpoint(crashpoint, crashtype); 451 if (ret < 0) { 452 pr_info("Invalid crashpoint %s\n", crashpoint->name); 453 goto out_err; 454 } 455 pr_info("Crash point %s of type %s registered\n", 456 crashpoint->name, cpoint_type); 457 } else { 458 pr_info("No crash points registered, enable through debugfs\n"); 459 } 460 461 return 0; 462 463 out_err: 464 debugfs_remove_recursive(lkdtm_debugfs_root); 465 return ret; 466 } 467 468 static void __exit lkdtm_module_exit(void) 469 { 470 debugfs_remove_recursive(lkdtm_debugfs_root); 471 472 /* Handle test-specific clean-up. */ 473 lkdtm_heap_exit(); 474 lkdtm_usercopy_exit(); 475 476 if (lkdtm_kprobe != NULL) 477 unregister_kprobe(lkdtm_kprobe); 478 479 kfree(lkdtm_kernel_info); 480 481 pr_info("Crash point unregistered\n"); 482 } 483 484 module_init(lkdtm_module_init); 485 module_exit(lkdtm_module_exit); 486 487 MODULE_LICENSE("GPL"); 488 MODULE_DESCRIPTION("Kernel crash testing module"); 489