1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Linux Kernel Dump Test Module for testing kernel crashes conditions: 4 * induces system failures at predefined crashpoints and under predefined 5 * operational conditions in order to evaluate the reliability of kernel 6 * sanity checking and crash dumps obtained using different dumping 7 * solutions. 8 * 9 * Copyright (C) IBM Corporation, 2006 10 * 11 * Author: Ankita Garg <ankita@in.ibm.com> 12 * 13 * It is adapted from the Linux Kernel Dump Test Tool by 14 * Fernando Luis Vazquez Cao <http://lkdtt.sourceforge.net> 15 * 16 * Debugfs support added by Simon Kagstrom <simon.kagstrom@netinsight.net> 17 * 18 * See Documentation/fault-injection/provoke-crashes.rst for instructions 19 */ 20 #include "lkdtm.h" 21 #include <linux/fs.h> 22 #include <linux/module.h> 23 #include <linux/buffer_head.h> 24 #include <linux/kprobes.h> 25 #include <linux/list.h> 26 #include <linux/init.h> 27 #include <linux/slab.h> 28 #include <linux/debugfs.h> 29 #include <linux/utsname.h> 30 31 #define DEFAULT_COUNT 10 32 33 static int lkdtm_debugfs_open(struct inode *inode, struct file *file); 34 static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, 35 size_t count, loff_t *off); 36 static ssize_t direct_entry(struct file *f, const char __user *user_buf, 37 size_t count, loff_t *off); 38 39 #ifdef CONFIG_KPROBES 40 static int lkdtm_kprobe_handler(struct kprobe *kp, struct pt_regs *regs); 41 static ssize_t lkdtm_debugfs_entry(struct file *f, 42 const char __user *user_buf, 43 size_t count, loff_t *off); 44 # define CRASHPOINT_KPROBE(_symbol) \ 45 .kprobe = { \ 46 .symbol_name = (_symbol), \ 47 .pre_handler = lkdtm_kprobe_handler, \ 48 }, 49 # define CRASHPOINT_WRITE(_symbol) \ 50 (_symbol) ? lkdtm_debugfs_entry : direct_entry 51 #else 52 # define CRASHPOINT_KPROBE(_symbol) 53 # define CRASHPOINT_WRITE(_symbol) direct_entry 54 #endif 55 56 /* Crash points */ 57 struct crashpoint { 58 const char *name; 59 const struct file_operations fops; 60 struct kprobe kprobe; 61 }; 62 63 #define CRASHPOINT(_name, _symbol) \ 64 { \ 65 .name = _name, \ 66 .fops = { \ 67 .read = lkdtm_debugfs_read, \ 68 .llseek = generic_file_llseek, \ 69 .open = lkdtm_debugfs_open, \ 70 .write = CRASHPOINT_WRITE(_symbol) \ 71 }, \ 72 CRASHPOINT_KPROBE(_symbol) \ 73 } 74 75 /* Define the possible places where we can trigger a crash point. */ 76 static struct crashpoint crashpoints[] = { 77 CRASHPOINT("DIRECT", NULL), 78 #ifdef CONFIG_KPROBES 79 CRASHPOINT("INT_HARDWARE_ENTRY", "do_IRQ"), 80 CRASHPOINT("INT_HW_IRQ_EN", "handle_irq_event"), 81 CRASHPOINT("INT_TASKLET_ENTRY", "tasklet_action"), 82 CRASHPOINT("FS_DEVRW", "ll_rw_block"), 83 CRASHPOINT("MEM_SWAPOUT", "shrink_inactive_list"), 84 CRASHPOINT("TIMERADD", "hrtimer_start"), 85 CRASHPOINT("SCSI_QUEUE_RQ", "scsi_queue_rq"), 86 #endif 87 }; 88 89 90 /* Crash types. */ 91 struct crashtype { 92 const char *name; 93 void (*func)(void); 94 }; 95 96 #define CRASHTYPE(_name) \ 97 { \ 98 .name = __stringify(_name), \ 99 .func = lkdtm_ ## _name, \ 100 } 101 102 /* Define the possible types of crashes that can be triggered. */ 103 static const struct crashtype crashtypes[] = { 104 CRASHTYPE(PANIC), 105 CRASHTYPE(BUG), 106 CRASHTYPE(WARNING), 107 CRASHTYPE(WARNING_MESSAGE), 108 CRASHTYPE(EXCEPTION), 109 CRASHTYPE(LOOP), 110 CRASHTYPE(EXHAUST_STACK), 111 CRASHTYPE(CORRUPT_STACK), 112 CRASHTYPE(CORRUPT_STACK_STRONG), 113 CRASHTYPE(REPORT_STACK), 114 CRASHTYPE(REPORT_STACK_CANARY), 115 CRASHTYPE(CORRUPT_LIST_ADD), 116 CRASHTYPE(CORRUPT_LIST_DEL), 117 CRASHTYPE(STACK_GUARD_PAGE_LEADING), 118 CRASHTYPE(STACK_GUARD_PAGE_TRAILING), 119 CRASHTYPE(UNSET_SMEP), 120 CRASHTYPE(CORRUPT_PAC), 121 CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE), 122 CRASHTYPE(SLAB_LINEAR_OVERFLOW), 123 CRASHTYPE(VMALLOC_LINEAR_OVERFLOW), 124 CRASHTYPE(WRITE_AFTER_FREE), 125 CRASHTYPE(READ_AFTER_FREE), 126 CRASHTYPE(WRITE_BUDDY_AFTER_FREE), 127 CRASHTYPE(READ_BUDDY_AFTER_FREE), 128 CRASHTYPE(SLAB_INIT_ON_ALLOC), 129 CRASHTYPE(BUDDY_INIT_ON_ALLOC), 130 CRASHTYPE(SLAB_FREE_DOUBLE), 131 CRASHTYPE(SLAB_FREE_CROSS), 132 CRASHTYPE(SLAB_FREE_PAGE), 133 CRASHTYPE(SOFTLOCKUP), 134 CRASHTYPE(HARDLOCKUP), 135 CRASHTYPE(SPINLOCKUP), 136 CRASHTYPE(HUNG_TASK), 137 CRASHTYPE(OVERFLOW_SIGNED), 138 CRASHTYPE(OVERFLOW_UNSIGNED), 139 CRASHTYPE(ARRAY_BOUNDS), 140 CRASHTYPE(EXEC_DATA), 141 CRASHTYPE(EXEC_STACK), 142 CRASHTYPE(EXEC_KMALLOC), 143 CRASHTYPE(EXEC_VMALLOC), 144 CRASHTYPE(EXEC_RODATA), 145 CRASHTYPE(EXEC_USERSPACE), 146 CRASHTYPE(EXEC_NULL), 147 CRASHTYPE(ACCESS_USERSPACE), 148 CRASHTYPE(ACCESS_NULL), 149 CRASHTYPE(WRITE_RO), 150 CRASHTYPE(WRITE_RO_AFTER_INIT), 151 CRASHTYPE(WRITE_KERN), 152 CRASHTYPE(WRITE_OPD), 153 CRASHTYPE(REFCOUNT_INC_OVERFLOW), 154 CRASHTYPE(REFCOUNT_ADD_OVERFLOW), 155 CRASHTYPE(REFCOUNT_INC_NOT_ZERO_OVERFLOW), 156 CRASHTYPE(REFCOUNT_ADD_NOT_ZERO_OVERFLOW), 157 CRASHTYPE(REFCOUNT_DEC_ZERO), 158 CRASHTYPE(REFCOUNT_DEC_NEGATIVE), 159 CRASHTYPE(REFCOUNT_DEC_AND_TEST_NEGATIVE), 160 CRASHTYPE(REFCOUNT_SUB_AND_TEST_NEGATIVE), 161 CRASHTYPE(REFCOUNT_INC_ZERO), 162 CRASHTYPE(REFCOUNT_ADD_ZERO), 163 CRASHTYPE(REFCOUNT_INC_SATURATED), 164 CRASHTYPE(REFCOUNT_DEC_SATURATED), 165 CRASHTYPE(REFCOUNT_ADD_SATURATED), 166 CRASHTYPE(REFCOUNT_INC_NOT_ZERO_SATURATED), 167 CRASHTYPE(REFCOUNT_ADD_NOT_ZERO_SATURATED), 168 CRASHTYPE(REFCOUNT_DEC_AND_TEST_SATURATED), 169 CRASHTYPE(REFCOUNT_SUB_AND_TEST_SATURATED), 170 CRASHTYPE(REFCOUNT_TIMING), 171 CRASHTYPE(ATOMIC_TIMING), 172 CRASHTYPE(USERCOPY_HEAP_SIZE_TO), 173 CRASHTYPE(USERCOPY_HEAP_SIZE_FROM), 174 CRASHTYPE(USERCOPY_HEAP_WHITELIST_TO), 175 CRASHTYPE(USERCOPY_HEAP_WHITELIST_FROM), 176 CRASHTYPE(USERCOPY_STACK_FRAME_TO), 177 CRASHTYPE(USERCOPY_STACK_FRAME_FROM), 178 CRASHTYPE(USERCOPY_STACK_BEYOND), 179 CRASHTYPE(USERCOPY_KERNEL), 180 CRASHTYPE(STACKLEAK_ERASING), 181 CRASHTYPE(CFI_FORWARD_PROTO), 182 CRASHTYPE(FORTIFIED_OBJECT), 183 CRASHTYPE(FORTIFIED_SUBOBJECT), 184 CRASHTYPE(FORTIFIED_STRSCPY), 185 CRASHTYPE(DOUBLE_FAULT), 186 #ifdef CONFIG_PPC_64S_HASH_MMU 187 CRASHTYPE(PPC_SLB_MULTIHIT), 188 #endif 189 }; 190 191 192 /* Global kprobe entry and crashtype. */ 193 static struct kprobe *lkdtm_kprobe; 194 static struct crashpoint *lkdtm_crashpoint; 195 static const struct crashtype *lkdtm_crashtype; 196 197 /* Module parameters */ 198 static int recur_count = -1; 199 module_param(recur_count, int, 0644); 200 MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test"); 201 202 static char* cpoint_name; 203 module_param(cpoint_name, charp, 0444); 204 MODULE_PARM_DESC(cpoint_name, " Crash Point, where kernel is to be crashed"); 205 206 static char* cpoint_type; 207 module_param(cpoint_type, charp, 0444); 208 MODULE_PARM_DESC(cpoint_type, " Crash Point Type, action to be taken on "\ 209 "hitting the crash point"); 210 211 static int cpoint_count = DEFAULT_COUNT; 212 module_param(cpoint_count, int, 0644); 213 MODULE_PARM_DESC(cpoint_count, " Crash Point Count, number of times the "\ 214 "crash point is to be hit to trigger action"); 215 216 /* 217 * For test debug reporting when CI systems provide terse summaries. 218 * TODO: Remove this once reasonable reporting exists in most CI systems: 219 * https://lore.kernel.org/lkml/CAHk-=wiFvfkoFixTapvvyPMN9pq5G-+Dys2eSyBa1vzDGAO5+A@mail.gmail.com 220 */ 221 char *lkdtm_kernel_info; 222 223 /* Return the crashtype number or NULL if the name is invalid */ 224 static const struct crashtype *find_crashtype(const char *name) 225 { 226 int i; 227 228 for (i = 0; i < ARRAY_SIZE(crashtypes); i++) { 229 if (!strcmp(name, crashtypes[i].name)) 230 return &crashtypes[i]; 231 } 232 233 return NULL; 234 } 235 236 /* 237 * This is forced noinline just so it distinctly shows up in the stackdump 238 * which makes validation of expected lkdtm crashes easier. 239 */ 240 static noinline void lkdtm_do_action(const struct crashtype *crashtype) 241 { 242 if (WARN_ON(!crashtype || !crashtype->func)) 243 return; 244 crashtype->func(); 245 } 246 247 static int lkdtm_register_cpoint(struct crashpoint *crashpoint, 248 const struct crashtype *crashtype) 249 { 250 int ret; 251 252 /* If this doesn't have a symbol, just call immediately. */ 253 if (!crashpoint->kprobe.symbol_name) { 254 lkdtm_do_action(crashtype); 255 return 0; 256 } 257 258 if (lkdtm_kprobe != NULL) 259 unregister_kprobe(lkdtm_kprobe); 260 261 lkdtm_crashpoint = crashpoint; 262 lkdtm_crashtype = crashtype; 263 lkdtm_kprobe = &crashpoint->kprobe; 264 ret = register_kprobe(lkdtm_kprobe); 265 if (ret < 0) { 266 pr_info("Couldn't register kprobe %s\n", 267 crashpoint->kprobe.symbol_name); 268 lkdtm_kprobe = NULL; 269 lkdtm_crashpoint = NULL; 270 lkdtm_crashtype = NULL; 271 } 272 273 return ret; 274 } 275 276 #ifdef CONFIG_KPROBES 277 /* Global crash counter and spinlock. */ 278 static int crash_count = DEFAULT_COUNT; 279 static DEFINE_SPINLOCK(crash_count_lock); 280 281 /* Called by kprobe entry points. */ 282 static int lkdtm_kprobe_handler(struct kprobe *kp, struct pt_regs *regs) 283 { 284 unsigned long flags; 285 bool do_it = false; 286 287 if (WARN_ON(!lkdtm_crashpoint || !lkdtm_crashtype)) 288 return 0; 289 290 spin_lock_irqsave(&crash_count_lock, flags); 291 crash_count--; 292 pr_info("Crash point %s of type %s hit, trigger in %d rounds\n", 293 lkdtm_crashpoint->name, lkdtm_crashtype->name, crash_count); 294 295 if (crash_count == 0) { 296 do_it = true; 297 crash_count = cpoint_count; 298 } 299 spin_unlock_irqrestore(&crash_count_lock, flags); 300 301 if (do_it) 302 lkdtm_do_action(lkdtm_crashtype); 303 304 return 0; 305 } 306 307 static ssize_t lkdtm_debugfs_entry(struct file *f, 308 const char __user *user_buf, 309 size_t count, loff_t *off) 310 { 311 struct crashpoint *crashpoint = file_inode(f)->i_private; 312 const struct crashtype *crashtype = NULL; 313 char *buf; 314 int err; 315 316 if (count >= PAGE_SIZE) 317 return -EINVAL; 318 319 buf = (char *)__get_free_page(GFP_KERNEL); 320 if (!buf) 321 return -ENOMEM; 322 if (copy_from_user(buf, user_buf, count)) { 323 free_page((unsigned long) buf); 324 return -EFAULT; 325 } 326 /* NULL-terminate and remove enter */ 327 buf[count] = '\0'; 328 strim(buf); 329 330 crashtype = find_crashtype(buf); 331 free_page((unsigned long)buf); 332 333 if (!crashtype) 334 return -EINVAL; 335 336 err = lkdtm_register_cpoint(crashpoint, crashtype); 337 if (err < 0) 338 return err; 339 340 *off += count; 341 342 return count; 343 } 344 #endif 345 346 /* Generic read callback that just prints out the available crash types */ 347 static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf, 348 size_t count, loff_t *off) 349 { 350 char *buf; 351 int i, n, out; 352 353 buf = (char *)__get_free_page(GFP_KERNEL); 354 if (buf == NULL) 355 return -ENOMEM; 356 357 n = scnprintf(buf, PAGE_SIZE, "Available crash types:\n"); 358 for (i = 0; i < ARRAY_SIZE(crashtypes); i++) { 359 n += scnprintf(buf + n, PAGE_SIZE - n, "%s\n", 360 crashtypes[i].name); 361 } 362 buf[n] = '\0'; 363 364 out = simple_read_from_buffer(user_buf, count, off, 365 buf, n); 366 free_page((unsigned long) buf); 367 368 return out; 369 } 370 371 static int lkdtm_debugfs_open(struct inode *inode, struct file *file) 372 { 373 return 0; 374 } 375 376 /* Special entry to just crash directly. Available without KPROBEs */ 377 static ssize_t direct_entry(struct file *f, const char __user *user_buf, 378 size_t count, loff_t *off) 379 { 380 const struct crashtype *crashtype; 381 char *buf; 382 383 if (count >= PAGE_SIZE) 384 return -EINVAL; 385 if (count < 1) 386 return -EINVAL; 387 388 buf = (char *)__get_free_page(GFP_KERNEL); 389 if (!buf) 390 return -ENOMEM; 391 if (copy_from_user(buf, user_buf, count)) { 392 free_page((unsigned long) buf); 393 return -EFAULT; 394 } 395 /* NULL-terminate and remove enter */ 396 buf[count] = '\0'; 397 strim(buf); 398 399 crashtype = find_crashtype(buf); 400 free_page((unsigned long) buf); 401 if (!crashtype) 402 return -EINVAL; 403 404 pr_info("Performing direct entry %s\n", crashtype->name); 405 lkdtm_do_action(crashtype); 406 *off += count; 407 408 return count; 409 } 410 411 #ifndef MODULE 412 /* 413 * To avoid needing to export parse_args(), just don't use this code 414 * when LKDTM is built as a module. 415 */ 416 struct check_cmdline_args { 417 const char *param; 418 int value; 419 }; 420 421 static int lkdtm_parse_one(char *param, char *val, 422 const char *unused, void *arg) 423 { 424 struct check_cmdline_args *args = arg; 425 426 /* short circuit if we already found a value. */ 427 if (args->value != -ESRCH) 428 return 0; 429 if (strncmp(param, args->param, strlen(args->param)) == 0) { 430 bool bool_result; 431 int ret; 432 433 ret = kstrtobool(val, &bool_result); 434 if (ret == 0) 435 args->value = bool_result; 436 } 437 return 0; 438 } 439 440 int lkdtm_check_bool_cmdline(const char *param) 441 { 442 char *command_line; 443 struct check_cmdline_args args = { 444 .param = param, 445 .value = -ESRCH, 446 }; 447 448 command_line = kstrdup(saved_command_line, GFP_KERNEL); 449 if (!command_line) 450 return -ENOMEM; 451 452 parse_args("Setting sysctl args", command_line, 453 NULL, 0, -1, -1, &args, lkdtm_parse_one); 454 455 kfree(command_line); 456 457 return args.value; 458 } 459 #endif 460 461 static struct dentry *lkdtm_debugfs_root; 462 463 static int __init lkdtm_module_init(void) 464 { 465 struct crashpoint *crashpoint = NULL; 466 const struct crashtype *crashtype = NULL; 467 int ret; 468 int i; 469 470 /* Neither or both of these need to be set */ 471 if ((cpoint_type || cpoint_name) && !(cpoint_type && cpoint_name)) { 472 pr_err("Need both cpoint_type and cpoint_name or neither\n"); 473 return -EINVAL; 474 } 475 476 if (cpoint_type) { 477 crashtype = find_crashtype(cpoint_type); 478 if (!crashtype) { 479 pr_err("Unknown crashtype '%s'\n", cpoint_type); 480 return -EINVAL; 481 } 482 } 483 484 if (cpoint_name) { 485 for (i = 0; i < ARRAY_SIZE(crashpoints); i++) { 486 if (!strcmp(cpoint_name, crashpoints[i].name)) 487 crashpoint = &crashpoints[i]; 488 } 489 490 /* Refuse unknown crashpoints. */ 491 if (!crashpoint) { 492 pr_err("Invalid crashpoint %s\n", cpoint_name); 493 return -EINVAL; 494 } 495 } 496 497 #ifdef CONFIG_KPROBES 498 /* Set crash count. */ 499 crash_count = cpoint_count; 500 #endif 501 502 /* Common initialization. */ 503 lkdtm_kernel_info = kasprintf(GFP_KERNEL, "kernel (%s %s)", 504 init_uts_ns.name.release, 505 init_uts_ns.name.machine); 506 507 /* Handle test-specific initialization. */ 508 lkdtm_bugs_init(&recur_count); 509 lkdtm_perms_init(); 510 lkdtm_usercopy_init(); 511 lkdtm_heap_init(); 512 513 /* Register debugfs interface */ 514 lkdtm_debugfs_root = debugfs_create_dir("provoke-crash", NULL); 515 516 /* Install debugfs trigger files. */ 517 for (i = 0; i < ARRAY_SIZE(crashpoints); i++) { 518 struct crashpoint *cur = &crashpoints[i]; 519 520 debugfs_create_file(cur->name, 0644, lkdtm_debugfs_root, cur, 521 &cur->fops); 522 } 523 524 /* Install crashpoint if one was selected. */ 525 if (crashpoint) { 526 ret = lkdtm_register_cpoint(crashpoint, crashtype); 527 if (ret < 0) { 528 pr_info("Invalid crashpoint %s\n", crashpoint->name); 529 goto out_err; 530 } 531 pr_info("Crash point %s of type %s registered\n", 532 crashpoint->name, cpoint_type); 533 } else { 534 pr_info("No crash points registered, enable through debugfs\n"); 535 } 536 537 return 0; 538 539 out_err: 540 debugfs_remove_recursive(lkdtm_debugfs_root); 541 return ret; 542 } 543 544 static void __exit lkdtm_module_exit(void) 545 { 546 debugfs_remove_recursive(lkdtm_debugfs_root); 547 548 /* Handle test-specific clean-up. */ 549 lkdtm_heap_exit(); 550 lkdtm_usercopy_exit(); 551 552 if (lkdtm_kprobe != NULL) 553 unregister_kprobe(lkdtm_kprobe); 554 555 kfree(lkdtm_kernel_info); 556 557 pr_info("Crash point unregistered\n"); 558 } 559 560 module_init(lkdtm_module_init); 561 module_exit(lkdtm_module_exit); 562 563 MODULE_LICENSE("GPL"); 564 MODULE_DESCRIPTION("Kernel crash testing module"); 565