1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Linux Kernel Dump Test Module for testing kernel crashes conditions: 4 * induces system failures at predefined crashpoints and under predefined 5 * operational conditions in order to evaluate the reliability of kernel 6 * sanity checking and crash dumps obtained using different dumping 7 * solutions. 8 * 9 * Copyright (C) IBM Corporation, 2006 10 * 11 * Author: Ankita Garg <ankita@in.ibm.com> 12 * 13 * It is adapted from the Linux Kernel Dump Test Tool by 14 * Fernando Luis Vazquez Cao <http://lkdtt.sourceforge.net> 15 * 16 * Debugfs support added by Simon Kagstrom <simon.kagstrom@netinsight.net> 17 * 18 * See Documentation/fault-injection/provoke-crashes.txt for instructions 19 */ 20 #include "lkdtm.h" 21 #include <linux/fs.h> 22 #include <linux/module.h> 23 #include <linux/buffer_head.h> 24 #include <linux/kprobes.h> 25 #include <linux/list.h> 26 #include <linux/init.h> 27 #include <linux/slab.h> 28 #include <linux/debugfs.h> 29 30 #define DEFAULT_COUNT 10 31 32 static int lkdtm_debugfs_open(struct inode *inode, struct file *file); 33 static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, 34 size_t count, loff_t *off); 35 static ssize_t direct_entry(struct file *f, const char __user *user_buf, 36 size_t count, loff_t *off); 37 38 #ifdef CONFIG_KPROBES 39 static int lkdtm_kprobe_handler(struct kprobe *kp, struct pt_regs *regs); 40 static ssize_t lkdtm_debugfs_entry(struct file *f, 41 const char __user *user_buf, 42 size_t count, loff_t *off); 43 # define CRASHPOINT_KPROBE(_symbol) \ 44 .kprobe = { \ 45 .symbol_name = (_symbol), \ 46 .pre_handler = lkdtm_kprobe_handler, \ 47 }, 48 # define CRASHPOINT_WRITE(_symbol) \ 49 (_symbol) ? lkdtm_debugfs_entry : direct_entry 50 #else 51 # define CRASHPOINT_KPROBE(_symbol) 52 # define CRASHPOINT_WRITE(_symbol) direct_entry 53 #endif 54 55 /* Crash points */ 56 struct crashpoint { 57 const char *name; 58 const struct file_operations fops; 59 struct kprobe kprobe; 60 }; 61 62 #define CRASHPOINT(_name, _symbol) \ 63 { \ 64 .name = _name, \ 65 .fops = { \ 66 .read = lkdtm_debugfs_read, \ 67 .llseek = generic_file_llseek, \ 68 .open = lkdtm_debugfs_open, \ 69 .write = CRASHPOINT_WRITE(_symbol) \ 70 }, \ 71 CRASHPOINT_KPROBE(_symbol) \ 72 } 73 74 /* Define the possible places where we can trigger a crash point. */ 75 static struct crashpoint crashpoints[] = { 76 CRASHPOINT("DIRECT", NULL), 77 #ifdef CONFIG_KPROBES 78 CRASHPOINT("INT_HARDWARE_ENTRY", "do_IRQ"), 79 CRASHPOINT("INT_HW_IRQ_EN", "handle_irq_event"), 80 CRASHPOINT("INT_TASKLET_ENTRY", "tasklet_action"), 81 CRASHPOINT("FS_DEVRW", "ll_rw_block"), 82 CRASHPOINT("MEM_SWAPOUT", "shrink_inactive_list"), 83 CRASHPOINT("TIMERADD", "hrtimer_start"), 84 CRASHPOINT("SCSI_DISPATCH_CMD", "scsi_dispatch_cmd"), 85 CRASHPOINT("IDE_CORE_CP", "generic_ide_ioctl"), 86 #endif 87 }; 88 89 90 /* Crash types. */ 91 struct crashtype { 92 const char *name; 93 void (*func)(void); 94 }; 95 96 #define CRASHTYPE(_name) \ 97 { \ 98 .name = __stringify(_name), \ 99 .func = lkdtm_ ## _name, \ 100 } 101 102 /* Define the possible types of crashes that can be triggered. */ 103 static const struct crashtype crashtypes[] = { 104 CRASHTYPE(PANIC), 105 CRASHTYPE(BUG), 106 CRASHTYPE(WARNING), 107 CRASHTYPE(EXCEPTION), 108 CRASHTYPE(LOOP), 109 CRASHTYPE(OVERFLOW), 110 CRASHTYPE(CORRUPT_LIST_ADD), 111 CRASHTYPE(CORRUPT_LIST_DEL), 112 CRASHTYPE(CORRUPT_USER_DS), 113 CRASHTYPE(CORRUPT_STACK), 114 CRASHTYPE(CORRUPT_STACK_STRONG), 115 CRASHTYPE(STACK_GUARD_PAGE_LEADING), 116 CRASHTYPE(STACK_GUARD_PAGE_TRAILING), 117 CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE), 118 CRASHTYPE(OVERWRITE_ALLOCATION), 119 CRASHTYPE(WRITE_AFTER_FREE), 120 CRASHTYPE(READ_AFTER_FREE), 121 CRASHTYPE(WRITE_BUDDY_AFTER_FREE), 122 CRASHTYPE(READ_BUDDY_AFTER_FREE), 123 CRASHTYPE(SOFTLOCKUP), 124 CRASHTYPE(HARDLOCKUP), 125 CRASHTYPE(SPINLOCKUP), 126 CRASHTYPE(HUNG_TASK), 127 CRASHTYPE(EXEC_DATA), 128 CRASHTYPE(EXEC_STACK), 129 CRASHTYPE(EXEC_KMALLOC), 130 CRASHTYPE(EXEC_VMALLOC), 131 CRASHTYPE(EXEC_RODATA), 132 CRASHTYPE(EXEC_USERSPACE), 133 CRASHTYPE(EXEC_NULL), 134 CRASHTYPE(ACCESS_USERSPACE), 135 CRASHTYPE(ACCESS_NULL), 136 CRASHTYPE(WRITE_RO), 137 CRASHTYPE(WRITE_RO_AFTER_INIT), 138 CRASHTYPE(WRITE_KERN), 139 CRASHTYPE(REFCOUNT_INC_OVERFLOW), 140 CRASHTYPE(REFCOUNT_ADD_OVERFLOW), 141 CRASHTYPE(REFCOUNT_INC_NOT_ZERO_OVERFLOW), 142 CRASHTYPE(REFCOUNT_ADD_NOT_ZERO_OVERFLOW), 143 CRASHTYPE(REFCOUNT_DEC_ZERO), 144 CRASHTYPE(REFCOUNT_DEC_NEGATIVE), 145 CRASHTYPE(REFCOUNT_DEC_AND_TEST_NEGATIVE), 146 CRASHTYPE(REFCOUNT_SUB_AND_TEST_NEGATIVE), 147 CRASHTYPE(REFCOUNT_INC_ZERO), 148 CRASHTYPE(REFCOUNT_ADD_ZERO), 149 CRASHTYPE(REFCOUNT_INC_SATURATED), 150 CRASHTYPE(REFCOUNT_DEC_SATURATED), 151 CRASHTYPE(REFCOUNT_ADD_SATURATED), 152 CRASHTYPE(REFCOUNT_INC_NOT_ZERO_SATURATED), 153 CRASHTYPE(REFCOUNT_ADD_NOT_ZERO_SATURATED), 154 CRASHTYPE(REFCOUNT_DEC_AND_TEST_SATURATED), 155 CRASHTYPE(REFCOUNT_SUB_AND_TEST_SATURATED), 156 CRASHTYPE(REFCOUNT_TIMING), 157 CRASHTYPE(ATOMIC_TIMING), 158 CRASHTYPE(USERCOPY_HEAP_SIZE_TO), 159 CRASHTYPE(USERCOPY_HEAP_SIZE_FROM), 160 CRASHTYPE(USERCOPY_HEAP_WHITELIST_TO), 161 CRASHTYPE(USERCOPY_HEAP_WHITELIST_FROM), 162 CRASHTYPE(USERCOPY_STACK_FRAME_TO), 163 CRASHTYPE(USERCOPY_STACK_FRAME_FROM), 164 CRASHTYPE(USERCOPY_STACK_BEYOND), 165 CRASHTYPE(USERCOPY_KERNEL), 166 CRASHTYPE(USERCOPY_KERNEL_DS), 167 CRASHTYPE(STACKLEAK_ERASING), 168 }; 169 170 171 /* Global kprobe entry and crashtype. */ 172 static struct kprobe *lkdtm_kprobe; 173 static struct crashpoint *lkdtm_crashpoint; 174 static const struct crashtype *lkdtm_crashtype; 175 176 /* Module parameters */ 177 static int recur_count = -1; 178 module_param(recur_count, int, 0644); 179 MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test"); 180 181 static char* cpoint_name; 182 module_param(cpoint_name, charp, 0444); 183 MODULE_PARM_DESC(cpoint_name, " Crash Point, where kernel is to be crashed"); 184 185 static char* cpoint_type; 186 module_param(cpoint_type, charp, 0444); 187 MODULE_PARM_DESC(cpoint_type, " Crash Point Type, action to be taken on "\ 188 "hitting the crash point"); 189 190 static int cpoint_count = DEFAULT_COUNT; 191 module_param(cpoint_count, int, 0644); 192 MODULE_PARM_DESC(cpoint_count, " Crash Point Count, number of times the "\ 193 "crash point is to be hit to trigger action"); 194 195 196 /* Return the crashtype number or NULL if the name is invalid */ 197 static const struct crashtype *find_crashtype(const char *name) 198 { 199 int i; 200 201 for (i = 0; i < ARRAY_SIZE(crashtypes); i++) { 202 if (!strcmp(name, crashtypes[i].name)) 203 return &crashtypes[i]; 204 } 205 206 return NULL; 207 } 208 209 /* 210 * This is forced noinline just so it distinctly shows up in the stackdump 211 * which makes validation of expected lkdtm crashes easier. 212 */ 213 static noinline void lkdtm_do_action(const struct crashtype *crashtype) 214 { 215 if (WARN_ON(!crashtype || !crashtype->func)) 216 return; 217 crashtype->func(); 218 } 219 220 static int lkdtm_register_cpoint(struct crashpoint *crashpoint, 221 const struct crashtype *crashtype) 222 { 223 int ret; 224 225 /* If this doesn't have a symbol, just call immediately. */ 226 if (!crashpoint->kprobe.symbol_name) { 227 lkdtm_do_action(crashtype); 228 return 0; 229 } 230 231 if (lkdtm_kprobe != NULL) 232 unregister_kprobe(lkdtm_kprobe); 233 234 lkdtm_crashpoint = crashpoint; 235 lkdtm_crashtype = crashtype; 236 lkdtm_kprobe = &crashpoint->kprobe; 237 ret = register_kprobe(lkdtm_kprobe); 238 if (ret < 0) { 239 pr_info("Couldn't register kprobe %s\n", 240 crashpoint->kprobe.symbol_name); 241 lkdtm_kprobe = NULL; 242 lkdtm_crashpoint = NULL; 243 lkdtm_crashtype = NULL; 244 } 245 246 return ret; 247 } 248 249 #ifdef CONFIG_KPROBES 250 /* Global crash counter and spinlock. */ 251 static int crash_count = DEFAULT_COUNT; 252 static DEFINE_SPINLOCK(crash_count_lock); 253 254 /* Called by kprobe entry points. */ 255 static int lkdtm_kprobe_handler(struct kprobe *kp, struct pt_regs *regs) 256 { 257 unsigned long flags; 258 bool do_it = false; 259 260 if (WARN_ON(!lkdtm_crashpoint || !lkdtm_crashtype)) 261 return 0; 262 263 spin_lock_irqsave(&crash_count_lock, flags); 264 crash_count--; 265 pr_info("Crash point %s of type %s hit, trigger in %d rounds\n", 266 lkdtm_crashpoint->name, lkdtm_crashtype->name, crash_count); 267 268 if (crash_count == 0) { 269 do_it = true; 270 crash_count = cpoint_count; 271 } 272 spin_unlock_irqrestore(&crash_count_lock, flags); 273 274 if (do_it) 275 lkdtm_do_action(lkdtm_crashtype); 276 277 return 0; 278 } 279 280 static ssize_t lkdtm_debugfs_entry(struct file *f, 281 const char __user *user_buf, 282 size_t count, loff_t *off) 283 { 284 struct crashpoint *crashpoint = file_inode(f)->i_private; 285 const struct crashtype *crashtype = NULL; 286 char *buf; 287 int err; 288 289 if (count >= PAGE_SIZE) 290 return -EINVAL; 291 292 buf = (char *)__get_free_page(GFP_KERNEL); 293 if (!buf) 294 return -ENOMEM; 295 if (copy_from_user(buf, user_buf, count)) { 296 free_page((unsigned long) buf); 297 return -EFAULT; 298 } 299 /* NULL-terminate and remove enter */ 300 buf[count] = '\0'; 301 strim(buf); 302 303 crashtype = find_crashtype(buf); 304 free_page((unsigned long)buf); 305 306 if (!crashtype) 307 return -EINVAL; 308 309 err = lkdtm_register_cpoint(crashpoint, crashtype); 310 if (err < 0) 311 return err; 312 313 *off += count; 314 315 return count; 316 } 317 #endif 318 319 /* Generic read callback that just prints out the available crash types */ 320 static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, 321 size_t count, loff_t *off) 322 { 323 char *buf; 324 int i, n, out; 325 326 buf = (char *)__get_free_page(GFP_KERNEL); 327 if (buf == NULL) 328 return -ENOMEM; 329 330 n = scnprintf(buf, PAGE_SIZE, "Available crash types:\n"); 331 for (i = 0; i < ARRAY_SIZE(crashtypes); i++) { 332 n += scnprintf(buf + n, PAGE_SIZE - n, "%s\n", 333 crashtypes[i].name); 334 } 335 buf[n] = '\0'; 336 337 out = simple_read_from_buffer(user_buf, count, off, 338 buf, n); 339 free_page((unsigned long) buf); 340 341 return out; 342 } 343 344 static int lkdtm_debugfs_open(struct inode *inode, struct file *file) 345 { 346 return 0; 347 } 348 349 /* Special entry to just crash directly. Available without KPROBEs */ 350 static ssize_t direct_entry(struct file *f, const char __user *user_buf, 351 size_t count, loff_t *off) 352 { 353 const struct crashtype *crashtype; 354 char *buf; 355 356 if (count >= PAGE_SIZE) 357 return -EINVAL; 358 if (count < 1) 359 return -EINVAL; 360 361 buf = (char *)__get_free_page(GFP_KERNEL); 362 if (!buf) 363 return -ENOMEM; 364 if (copy_from_user(buf, user_buf, count)) { 365 free_page((unsigned long) buf); 366 return -EFAULT; 367 } 368 /* NULL-terminate and remove enter */ 369 buf[count] = '\0'; 370 strim(buf); 371 372 crashtype = find_crashtype(buf); 373 free_page((unsigned long) buf); 374 if (!crashtype) 375 return -EINVAL; 376 377 pr_info("Performing direct entry %s\n", crashtype->name); 378 lkdtm_do_action(crashtype); 379 *off += count; 380 381 return count; 382 } 383 384 static struct dentry *lkdtm_debugfs_root; 385 386 static int __init lkdtm_module_init(void) 387 { 388 struct crashpoint *crashpoint = NULL; 389 const struct crashtype *crashtype = NULL; 390 int ret = -EINVAL; 391 int i; 392 393 /* Neither or both of these need to be set */ 394 if ((cpoint_type || cpoint_name) && !(cpoint_type && cpoint_name)) { 395 pr_err("Need both cpoint_type and cpoint_name or neither\n"); 396 return -EINVAL; 397 } 398 399 if (cpoint_type) { 400 crashtype = find_crashtype(cpoint_type); 401 if (!crashtype) { 402 pr_err("Unknown crashtype '%s'\n", cpoint_type); 403 return -EINVAL; 404 } 405 } 406 407 if (cpoint_name) { 408 for (i = 0; i < ARRAY_SIZE(crashpoints); i++) { 409 if (!strcmp(cpoint_name, crashpoints[i].name)) 410 crashpoint = &crashpoints[i]; 411 } 412 413 /* Refuse unknown crashpoints. */ 414 if (!crashpoint) { 415 pr_err("Invalid crashpoint %s\n", cpoint_name); 416 return -EINVAL; 417 } 418 } 419 420 #ifdef CONFIG_KPROBES 421 /* Set crash count. */ 422 crash_count = cpoint_count; 423 #endif 424 425 /* Handle test-specific initialization. */ 426 lkdtm_bugs_init(&recur_count); 427 lkdtm_perms_init(); 428 lkdtm_usercopy_init(); 429 430 /* Register debugfs interface */ 431 lkdtm_debugfs_root = debugfs_create_dir("provoke-crash", NULL); 432 if (!lkdtm_debugfs_root) { 433 pr_err("creating root dir failed\n"); 434 return -ENODEV; 435 } 436 437 /* Install debugfs trigger files. */ 438 for (i = 0; i < ARRAY_SIZE(crashpoints); i++) { 439 struct crashpoint *cur = &crashpoints[i]; 440 struct dentry *de; 441 442 de = debugfs_create_file(cur->name, 0644, lkdtm_debugfs_root, 443 cur, &cur->fops); 444 if (de == NULL) { 445 pr_err("could not create crashpoint %s\n", cur->name); 446 goto out_err; 447 } 448 } 449 450 /* Install crashpoint if one was selected. */ 451 if (crashpoint) { 452 ret = lkdtm_register_cpoint(crashpoint, crashtype); 453 if (ret < 0) { 454 pr_info("Invalid crashpoint %s\n", crashpoint->name); 455 goto out_err; 456 } 457 pr_info("Crash point %s of type %s registered\n", 458 crashpoint->name, cpoint_type); 459 } else { 460 pr_info("No crash points registered, enable through debugfs\n"); 461 } 462 463 return 0; 464 465 out_err: 466 debugfs_remove_recursive(lkdtm_debugfs_root); 467 return ret; 468 } 469 470 static void __exit lkdtm_module_exit(void) 471 { 472 debugfs_remove_recursive(lkdtm_debugfs_root); 473 474 /* Handle test-specific clean-up. */ 475 lkdtm_usercopy_exit(); 476 477 if (lkdtm_kprobe != NULL) 478 unregister_kprobe(lkdtm_kprobe); 479 480 pr_info("Crash point unregistered\n"); 481 } 482 483 module_init(lkdtm_module_init); 484 module_exit(lkdtm_module_exit); 485 486 MODULE_LICENSE("GPL"); 487 MODULE_DESCRIPTION("Kernel crash testing module"); 488