lkdtm: add debugfs access and loosen KPROBE ties

Add adds a debugfs interface and additional failure modes to LKDTM to provide similar functionality to the provoke-crash driver submitted here: http://lwn.net/Articles/371208/ Crashes can now be induced either through module parameters (as before) or through the debugfs interface as in provoke-crash. The patch also provides a new "direct" interface, where KPROBES are not used, i.e., the crash is invoked directly upon write to the debugfs file. When built without KPROBES configured, only this mode is available. Signed-off-by: Simon Kagstrom <simon.kagstrom@netinsight.net> Cc: M. Mohan Kumar <mohan@in.ibm.com> Cc: Americo Wang <xiyou.wangcong@gmail.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Ingo Molnar <mingo@elte.hu> Cc: "Eric W. Biederman" <ebiederm@xmission.com>, Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Simon Kagstrom <simon.kagstrom@netinsight.net> 2010-03-05 16:42:49 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2010-03-06 14:26:32 -0500
commit: 0347af4ee3922220f6bfe74b87b526aa709a0365 (patch)
tree: 6b1f860991e3dae3fc110e02a1a838eb291b94ee /drivers/misc/lkdtm.c
parent: 33fd797b3e2c6a7663b9331150da0acdb31990a2 (diff)
1 files changed, 390 insertions, 82 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 3648b23d5c9..4a0648301fd 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -26,21 +26,9 @@
 * It is adapted from the Linux Kernel Dump Test Tool by
 * Fernando Luis Vazquez Cao <http://lkdtt.sourceforge.net>
 *
- * Usage :  insmod lkdtm.ko [recur_count={>0}] cpoint_name=<> cpoint_type=<>
+ * Debugfs support added by Simon Kagstrom <simon.kagstrom@netinsight.net>
- *                                                      [cpoint_count={>0}]
 *
- * recur_count : Recursion level for the stack overflow test. Default is 10.
+ * See Documentation/fault-injection/provoke-crashes.txt for instructions
- *
- * cpoint_name : Crash point where the kernel is to be crashed. It can be
- *               one of INT_HARDWARE_ENTRY, INT_HW_IRQ_EN, INT_TASKLET_ENTRY,
- *               FS_DEVRW, MEM_SWAPOUT, TIMERADD, SCSI_DISPATCH_CMD,
- *               IDE_CORE_CP
- *
- * cpoint_type : Indicates the action to be taken on hitting the crash point.
- *               It can be one of PANIC, BUG, EXCEPTION, LOOP, OVERFLOW
- *
- * cpoint_count : Indicates the number of times the crash point is to be hit
- *                to trigger an action. The default is 10.
 */
 #include <linux/kernel.h>
@@ -53,13 +41,12 @@
 #include <linux/interrupt.h>
 #include <linux/hrtimer.h>
 #include <scsi/scsi_cmnd.h>
+#include <linux/debugfs.h>
 #ifdef CONFIG_IDE
 #include <linux/ide.h>
 #endif
-#define NUM_CPOINTS 8
-#define NUM_CPOINT_TYPES 5
 #define DEFAULT_COUNT 10
 #define REC_NUM_DEFAULT 10
@@ -72,7 +59,8 @@ enum cname {
        MEM_SWAPOUT,
        TIMERADD,
        SCSI_DISPATCH_CMD,
-        IDE_CORE_CP
+        IDE_CORE_CP,
+        DIRECT,
 };
 enum ctype {
@@ -81,7 +69,11 @@ enum ctype {
        BUG,
        EXCEPTION,
        LOOP,
-        OVERFLOW
+        OVERFLOW,
+        CORRUPT_STACK,
+        UNALIGNED_LOAD_STORE_WRITE,
+        OVERWRITE_ALLOCATION,
+        WRITE_AFTER_FREE,
 };
 static char* cp_name[] = {
@@ -92,7 +84,8 @@ static char* cp_name[] = {
        "MEM_SWAPOUT",
        "TIMERADD",
        "SCSI_DISPATCH_CMD",
-        "IDE_CORE_CP"
+        "IDE_CORE_CP",
+        "DIRECT",
 };
 static char* cp_type[] = {
@@ -100,7 +93,11 @@ static char* cp_type[] = {
        "BUG",
        "EXCEPTION",
        "LOOP",
-        "OVERFLOW"
+        "OVERFLOW",
+        "CORRUPT_STACK",
+        "UNALIGNED_LOAD_STORE_WRITE",
+        "OVERWRITE_ALLOCATION",
+        "WRITE_AFTER_FREE",
 };
 static struct jprobe lkdtm;
@@ -193,34 +190,66 @@ int jp_generic_ide_ioctl(ide_drive_t *drive, struct file *file,
 }
 #endif
+/* Return the crashpoint number or NONE if the name is invalid */
+static enum ctype parse_cp_type(const char *what, size_t count)
+{
+        int i;
+        for (i = 0; i < ARRAY_SIZE(cp_type); i++) {
+                if (!strcmp(what, cp_type[i]))
+                        return i + 1;
+        }
+        return NONE;
+}
+static const char *cp_type_to_str(enum ctype type)
+{
+        if (type == NONE || type < 0 || type > ARRAY_SIZE(cp_type))
+                return "None";
+        return cp_type[type - 1];
+}
+static const char *cp_name_to_str(enum cname name)
+{
+        if (name == INVALID || name < 0 || name > ARRAY_SIZE(cp_name))
+                return "INVALID";
+        return cp_name[name - 1];
+}
 static int lkdtm_parse_commandline(void)
 {
        int i;
-        if (cpoint_name == NULL || cpoint_type == NULL ||
+        if (cpoint_count < 1 || recur_count < 1)
-                                        cpoint_count < 1 || recur_count < 1)
                return -EINVAL;
-        for (i = 0; i < NUM_CPOINTS; ++i) {
+        count = cpoint_count;
+        /* No special parameters */
+        if (!cpoint_type && !cpoint_name)
+                return 0;
+        /* Neither or both of these need to be set */
+        if (!cpoint_type || !cpoint_name)
+                return -EINVAL;
+        cptype = parse_cp_type(cpoint_type, strlen(cpoint_type));
+        if (cptype == NONE)
+                return -EINVAL;
+        for (i = 0; i < ARRAY_SIZE(cp_name); i++) {
                if (!strcmp(cpoint_name, cp_name[i])) {
                        cpoint = i + 1;
-                        break;
+                        return 0;
-                }
-        }
-        for (i = 0; i < NUM_CPOINT_TYPES; ++i) {
-                if (!strcmp(cpoint_type, cp_type[i])) {
-                        cptype = i + 1;
-                        break;
                }
        }
-        if (cpoint == INVALID || cptype == NONE)
+        /* Could not find a valid crash point */
-                return -EINVAL;
+        return -EINVAL;
-        count = cpoint_count;
-        return 0;
 }
 static int recursive_loop(int a)
@@ -235,53 +264,92 @@ static int recursive_loop(int a)
                return recursive_loop(a);
 }
-void lkdtm_handler(void)
+static void lkdtm_do_action(enum ctype which)
 {
-        printk(KERN_INFO "lkdtm : Crash point %s of type %s hit\n",
+        switch (which) {
-                                         cpoint_name, cpoint_type);
+        case PANIC:
-        --count;
+                panic("dumptest");
+                break;
+        case BUG:
+                BUG();
+                break;
+        case EXCEPTION:
+                *((int *) 0) = 0;
+                break;
+        case LOOP:
+                for (;;)
+                        ;
+                break;
+        case OVERFLOW:
+                (void) recursive_loop(0);
+                break;
+        case CORRUPT_STACK: {
+                volatile u32 data[8];
+                volatile u32 *p = data;
+                p[12] = 0x12345678;
+                break;
+        }
+        case UNALIGNED_LOAD_STORE_WRITE: {
+                static u8 data[5] __attribute__((aligned(4))) = {1, 2,
+                                3, 4, 5};
+                u32 *p;
+                u32 val = 0x12345678;
+                p = (u32 *)(data + 1);
+                if (*p == 0)
+                        val = 0x87654321;
+                *p = val;
+                 break;
+        }
+        case OVERWRITE_ALLOCATION: {
+                size_t len = 1020;
+                u32 *data = kmalloc(len, GFP_KERNEL);
+                data[1024 / sizeof(u32)] = 0x12345678;
+                kfree(data);
+                break;
+        }
+        case WRITE_AFTER_FREE: {
+                size_t len = 1024;
+                u32 *data = kmalloc(len, GFP_KERNEL);
+                kfree(data);
+                schedule();
+                memset(data, 0x78, len);
+                break;
+        }
+        case NONE:
+        default:
+                break;
+        }
+}
+static void lkdtm_handler(void)
+{
+        count--;
+        printk(KERN_INFO "lkdtm: Crash point %s of type %s hit, trigger in %d rounds\n",
+                        cp_name_to_str(cpoint), cp_type_to_str(cptype), count);
        if (count == 0) {
-                switch (cptype) {
+                lkdtm_do_action(cptype);
-                case NONE:
-                        break;
-                case PANIC:
-                        printk(KERN_INFO "lkdtm : PANIC\n");
-                        panic("dumptest");
-                        break;
-                case BUG:
-                        printk(KERN_INFO "lkdtm : BUG\n");
-                        BUG();
-                        break;
-                case EXCEPTION:
-                        printk(KERN_INFO "lkdtm : EXCEPTION\n");
-                        *((int *) 0) = 0;
-                        break;
-                case LOOP:
-                        printk(KERN_INFO "lkdtm : LOOP\n");
-                        for (;;);
-                        break;
-                case OVERFLOW:
-                        printk(KERN_INFO "lkdtm : OVERFLOW\n");
-                        (void) recursive_loop(0);
-                        break;
-                default:
-                        break;
-                }
                count = cpoint_count;
        }
 }
-static int __init lkdtm_module_init(void)
+static int lkdtm_register_cpoint(enum cname which)
 {
        int ret;
-        if (lkdtm_parse_commandline() == -EINVAL) {
+        cpoint = INVALID;
-                printk(KERN_INFO "lkdtm : Invalid command\n");
+        if (lkdtm.entry != NULL)
-                return -EINVAL;
+                unregister_jprobe(&lkdtm);
-        }
-        switch (cpoint) {
+        switch (which) {
+        case DIRECT:
+                lkdtm_do_action(cptype);
+                return 0;
        case INT_HARDWARE_ENTRY:
                lkdtm.kp.symbol_name = "do_IRQ";
                lkdtm.entry = (kprobe_opcode_t*) jp_do_irq;
@@ -315,28 +383,268 @@ static int __init lkdtm_module_init(void)
                lkdtm.kp.symbol_name = "generic_ide_ioctl";
                lkdtm.entry = (kprobe_opcode_t*) jp_generic_ide_ioctl;
 #else
-                printk(KERN_INFO "lkdtm : Crash point not available\n");
+                printk(KERN_INFO "lkdtm: Crash point not available\n");
+                return -EINVAL;
 #endif
                break;
        default:
-                printk(KERN_INFO "lkdtm : Invalid Crash Point\n");
+                printk(KERN_INFO "lkdtm: Invalid Crash Point\n");
-                break;
+                return -EINVAL;
        }
+        cpoint = which;
        if ((ret = register_jprobe(&lkdtm)) < 0) {
-                printk(KERN_INFO "lkdtm : Couldn't register jprobe\n");
+                printk(KERN_INFO "lkdtm: Couldn't register jprobe\n");
-                return ret;
+                cpoint = INVALID;
+        }
+        return ret;
+}
+static ssize_t do_register_entry(enum cname which, struct file *f,
+                const char __user *user_buf, size_t count, loff_t *off)
+{
+        char *buf;
+        int err;
+        if (count >= PAGE_SIZE)
+                return -EINVAL;
+        buf = (char *)__get_free_page(GFP_KERNEL);
+        if (!buf)
+                return -ENOMEM;
+        if (copy_from_user(buf, user_buf, count)) {
+                free_page((unsigned long) buf);
+                return -EFAULT;
+        }
+        /* NULL-terminate and remove enter */
+        buf[count] = '\0';
+        strim(buf);
+        cptype = parse_cp_type(buf, count);
+        free_page((unsigned long) buf);
+        if (cptype == NONE)
+                return -EINVAL;
+        err = lkdtm_register_cpoint(which);
+        if (err < 0)
+                return err;
+        *off += count;
+        return count;
+}
+/* Generic read callback that just prints out the available crash types */
+static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf,
+                size_t count, loff_t *off)
+{
+        char *buf;
+        int i, n, out;
+        buf = (char *)__get_free_page(GFP_KERNEL);
+        n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
+        for (i = 0; i < ARRAY_SIZE(cp_type); i++)
+                n += snprintf(buf + n, PAGE_SIZE - n, "%s\n", cp_type[i]);
+        buf[n] = '\0';
+        out = simple_read_from_buffer(user_buf, count, off,
+                                      buf, n);
+        free_page((unsigned long) buf);
+        return out;
+}
+static int lkdtm_debugfs_open(struct inode *inode, struct file *file)
+{
+        return 0;
+}
+static ssize_t int_hardware_entry(struct file *f, const char __user *buf,
+                size_t count, loff_t *off)
+{
+        return do_register_entry(INT_HARDWARE_ENTRY, f, buf, count, off);
+}
+static ssize_t int_hw_irq_en(struct file *f, const char __user *buf,
+                size_t count, loff_t *off)
+{
+        return do_register_entry(INT_HW_IRQ_EN, f, buf, count, off);
+}
+static ssize_t int_tasklet_entry(struct file *f, const char __user *buf,
+                size_t count, loff_t *off)
+{
+        return do_register_entry(INT_TASKLET_ENTRY, f, buf, count, off);
+}
+static ssize_t fs_devrw_entry(struct file *f, const char __user *buf,
+                size_t count, loff_t *off)
+{
+        return do_register_entry(FS_DEVRW, f, buf, count, off);
+}
+static ssize_t mem_swapout_entry(struct file *f, const char __user *buf,
+                size_t count, loff_t *off)
+{
+        return do_register_entry(MEM_SWAPOUT, f, buf, count, off);
+}
+static ssize_t timeradd_entry(struct file *f, const char __user *buf,
+                size_t count, loff_t *off)
+{
+        return do_register_entry(TIMERADD, f, buf, count, off);
+}
+static ssize_t scsi_dispatch_cmd_entry(struct file *f,
+                const char __user *buf, size_t count, loff_t *off)
+{
+        return do_register_entry(SCSI_DISPATCH_CMD, f, buf, count, off);
+}
+static ssize_t ide_core_cp_entry(struct file *f, const char __user *buf,
+                size_t count, loff_t *off)
+{
+        return do_register_entry(IDE_CORE_CP, f, buf, count, off);
+}
+/* Special entry to just crash directly. Available without KPROBEs */
+static ssize_t direct_entry(struct file *f, const char __user *user_buf,
+                size_t count, loff_t *off)
+{
+        enum ctype type;
+        char *buf;
+        if (count >= PAGE_SIZE)
+                return -EINVAL;
+        if (count < 1)
+                return -EINVAL;
+        buf = (char *)__get_free_page(GFP_KERNEL);
+        if (!buf)
+                return -ENOMEM;
+        if (copy_from_user(buf, user_buf, count)) {
+                free_page((unsigned long) buf);
+                return -EFAULT;
+        }
+        /* NULL-terminate and remove enter */
+        buf[count] = '\0';
+        strim(buf);
+        type = parse_cp_type(buf, count);
+        free_page((unsigned long) buf);
+        if (type == NONE)
+                return -EINVAL;
+        printk(KERN_INFO "lkdtm: Performing direct entry %s\n",
+                        cp_type_to_str(type));
+        lkdtm_do_action(type);
+        *off += count;
+        return count;
+}
+struct crash_entry {
+        const char *name;
+        const struct file_operations fops;
+};
+static const struct crash_entry crash_entries[] = {
+        {"DIRECT", {.read = lkdtm_debugfs_read,
+                        .open = lkdtm_debugfs_open,
+                        .write = direct_entry} },
+        {"INT_HARDWARE_ENTRY", {.read = lkdtm_debugfs_read,
+                        .open = lkdtm_debugfs_open,
+                        .write = int_hardware_entry} },
+        {"INT_HW_IRQ_EN", {.read = lkdtm_debugfs_read,
+                        .open = lkdtm_debugfs_open,
+                        .write = int_hw_irq_en} },
+        {"INT_TASKLET_ENTRY", {.read = lkdtm_debugfs_read,
+                        .open = lkdtm_debugfs_open,
+                        .write = int_tasklet_entry} },
+        {"FS_DEVRW", {.read = lkdtm_debugfs_read,
+                        .open = lkdtm_debugfs_open,
+                        .write = fs_devrw_entry} },
+        {"MEM_SWAPOUT", {.read = lkdtm_debugfs_read,
+                        .open = lkdtm_debugfs_open,
+                        .write = mem_swapout_entry} },
+        {"TIMERADD", {.read = lkdtm_debugfs_read,
+                        .open = lkdtm_debugfs_open,
+                        .write = timeradd_entry} },
+        {"SCSI_DISPATCH_CMD", {.read = lkdtm_debugfs_read,
+                        .open = lkdtm_debugfs_open,
+                        .write = scsi_dispatch_cmd_entry} },
+        {"IDE_CORE_CP", {.read = lkdtm_debugfs_read,
+                        .open = lkdtm_debugfs_open,
+                        .write = ide_core_cp_entry} },
+};
+static struct dentry *lkdtm_debugfs_root;
+static int __init lkdtm_module_init(void)
+{
+        int ret = -EINVAL;
+        int n_debugfs_entries = 1; /* Assume only the direct entry */
+        int i;
+        /* Register debugfs interface */
+        lkdtm_debugfs_root = debugfs_create_dir("provoke-crash", NULL);
+        if (!lkdtm_debugfs_root) {
+                printk(KERN_ERR "lkdtm: creating root dir failed\n");
+                return -ENODEV;
+        }
+#ifdef CONFIG_KPROBES
+        n_debugfs_entries = ARRAY_SIZE(crash_entries);
+#endif
+        for (i = 0; i < n_debugfs_entries; i++) {
+                const struct crash_entry *cur = &crash_entries[i];
+                struct dentry *de;
+                de = debugfs_create_file(cur->name, 0644, lkdtm_debugfs_root,
+                                NULL, &cur->fops);
+                if (de == NULL) {
+                        printk(KERN_ERR "lkdtm: could not create %s\n",
+                                        cur->name);
+                        goto out_err;
+                }
+        }
+        if (lkdtm_parse_commandline() == -EINVAL) {
+                printk(KERN_INFO "lkdtm: Invalid command\n");
+                goto out_err;
+        }
+        if (cpoint != INVALID && cptype != NONE) {
+                ret = lkdtm_register_cpoint(cpoint);
+                if (ret < 0) {
+                        printk(KERN_INFO "lkdtm: Invalid crash point %d\n",
+                                        cpoint);
+                        goto out_err;
+                }
+                printk(KERN_INFO "lkdtm: Crash point %s of type %s registered\n",
+                                cpoint_name, cpoint_type);
+        } else {
+                printk(KERN_INFO "lkdtm: No crash points registered, enable through debugfs\n");
        }
-        printk(KERN_INFO "lkdtm : Crash point %s of type %s registered\n",
-                                                cpoint_name, cpoint_type);
        return 0;
+out_err:
+        debugfs_remove_recursive(lkdtm_debugfs_root);
+        return ret;
 }
 static void __exit lkdtm_module_exit(void)
 {
-        unregister_jprobe(&lkdtm);
+        debugfs_remove_recursive(lkdtm_debugfs_root);
-        printk(KERN_INFO "lkdtm : Crash point unregistered\n");
+        unregister_jprobe(&lkdtm);
+        printk(KERN_INFO "lkdtm: Crash point unregistered\n");
 }
 module_init(lkdtm_module_init);
author	Simon Kagstrom <simon.kagstrom@netinsight.net>	2010-03-05 16:42:49 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2010-03-06 14:26:32 -0500
commit	0347af4ee3922220f6bfe74b87b526aa709a0365 (patch)
tree	6b1f860991e3dae3fc110e02a1a838eb291b94ee /drivers/misc/lkdtm.c
parent	33fd797b3e2c6a7663b9331150da0acdb31990a2 (diff)

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c index 3648b23d5c9..4a0648301fd 100644 --- a/drivers/misc/lkdtm.c +++ b/drivers/misc/lkdtm.c
@@ -26,21 +26,9 @@
26	* It is adapted from the Linux Kernel Dump Test Tool by	26	* It is adapted from the Linux Kernel Dump Test Tool by
27	* Fernando Luis Vazquez Cao <http://lkdtt.sourceforge.net>	27	* Fernando Luis Vazquez Cao <http://lkdtt.sourceforge.net>
28	*	28	*
29	* Usage : insmod lkdtm.ko [recur_count={>0}] cpoint_name=<> cpoint_type=<>	29	* Debugfs support added by Simon Kagstrom <simon.kagstrom@netinsight.net>
30	* [cpoint_count={>0}]
31	*	30	*
32	* recur_count : Recursion level for the stack overflow test. Default is 10.	31	* See Documentation/fault-injection/provoke-crashes.txt for instructions
33	*
34	* cpoint_name : Crash point where the kernel is to be crashed. It can be
35	* one of INT_HARDWARE_ENTRY, INT_HW_IRQ_EN, INT_TASKLET_ENTRY,
36	* FS_DEVRW, MEM_SWAPOUT, TIMERADD, SCSI_DISPATCH_CMD,
37	* IDE_CORE_CP
38	*
39	* cpoint_type : Indicates the action to be taken on hitting the crash point.
40	* It can be one of PANIC, BUG, EXCEPTION, LOOP, OVERFLOW
41	*
42	* cpoint_count : Indicates the number of times the crash point is to be hit
43	* to trigger an action. The default is 10.
44	*/	32	*/
45		33
46	#include <linux/kernel.h>	34	#include <linux/kernel.h>
@@ -53,13 +41,12 @@
53	#include <linux/interrupt.h>	41	#include <linux/interrupt.h>
54	#include <linux/hrtimer.h>	42	#include <linux/hrtimer.h>
55	#include <scsi/scsi_cmnd.h>	43	#include <scsi/scsi_cmnd.h>
		44	#include <linux/debugfs.h>
56		45
57	#ifdef CONFIG_IDE	46	#ifdef CONFIG_IDE
58	#include <linux/ide.h>	47	#include <linux/ide.h>
59	#endif	48	#endif
60		49
61	#define NUM_CPOINTS 8
62	#define NUM_CPOINT_TYPES 5
63	#define DEFAULT_COUNT 10	50	#define DEFAULT_COUNT 10
64	#define REC_NUM_DEFAULT 10	51	#define REC_NUM_DEFAULT 10
65		52
@@ -72,7 +59,8 @@ enum cname {
72	MEM_SWAPOUT,	59	MEM_SWAPOUT,
73	TIMERADD,	60	TIMERADD,
74	SCSI_DISPATCH_CMD,	61	SCSI_DISPATCH_CMD,
75	IDE_CORE_CP	62	IDE_CORE_CP,
		63	DIRECT,
76	};	64	};
77		65
78	enum ctype {	66	enum ctype {
@@ -81,7 +69,11 @@ enum ctype {
81	BUG,	69	BUG,
82	EXCEPTION,	70	EXCEPTION,
83	LOOP,	71	LOOP,
84	OVERFLOW	72	OVERFLOW,
		73	CORRUPT_STACK,
		74	UNALIGNED_LOAD_STORE_WRITE,
		75	OVERWRITE_ALLOCATION,
		76	WRITE_AFTER_FREE,
85	};	77	};
86		78
87	static char* cp_name[] = {	79	static char* cp_name[] = {
@@ -92,7 +84,8 @@ static char* cp_name[] = {
92	"MEM_SWAPOUT",	84	"MEM_SWAPOUT",
93	"TIMERADD",	85	"TIMERADD",
94	"SCSI_DISPATCH_CMD",	86	"SCSI_DISPATCH_CMD",
95	"IDE_CORE_CP"	87	"IDE_CORE_CP",
		88	"DIRECT",
96	};	89	};
97		90
98	static char* cp_type[] = {	91	static char* cp_type[] = {
@@ -100,7 +93,11 @@ static char* cp_type[] = {
100	"BUG",	93	"BUG",
101	"EXCEPTION",	94	"EXCEPTION",
102	"LOOP",	95	"LOOP",
103	"OVERFLOW"	96	"OVERFLOW",
		97	"CORRUPT_STACK",
		98	"UNALIGNED_LOAD_STORE_WRITE",
		99	"OVERWRITE_ALLOCATION",
		100	"WRITE_AFTER_FREE",
104	};	101	};
105		102
106	static struct jprobe lkdtm;	103	static struct jprobe lkdtm;
@@ -193,34 +190,66 @@ int jp_generic_ide_ioctl(ide_drive_t drive, struct file file,
193	}	190	}
194	#endif	191	#endif
195		192
		193	/* Return the crashpoint number or NONE if the name is invalid */
		194	static enum ctype parse_cp_type(const char *what, size_t count)
		195	{
		196	int i;
		197
		198	for (i = 0; i < ARRAY_SIZE(cp_type); i++) {
		199	if (!strcmp(what, cp_type[i]))
		200	return i + 1;
		201	}
		202
		203	return NONE;
		204	}
		205
		206	static const char *cp_type_to_str(enum ctype type)
		207	{
		208	if (type == NONE \|\| type < 0 \|\| type > ARRAY_SIZE(cp_type))
		209	return "None";
		210
		211	return cp_type[type - 1];
		212	}
		213
		214	static const char *cp_name_to_str(enum cname name)
		215	{
		216	if (name == INVALID \|\| name < 0 \|\| name > ARRAY_SIZE(cp_name))
		217	return "INVALID";
		218
		219	return cp_name[name - 1];
		220	}
		221
		222
196	static int lkdtm_parse_commandline(void)	223	static int lkdtm_parse_commandline(void)
197	{	224	{
198	int i;	225	int i;
199		226
200	if (cpoint_name == NULL \|\| cpoint_type == NULL \|\|	227	if (cpoint_count < 1 \|\| recur_count < 1)
201	cpoint_count < 1 \|\| recur_count < 1)
202	return -EINVAL;	228	return -EINVAL;
203		229
204	for (i = 0; i < NUM_CPOINTS; ++i) {	230	count = cpoint_count;
		231
		232	/* No special parameters */
		233	if (!cpoint_type && !cpoint_name)
		234	return 0;
		235
		236	/* Neither or both of these need to be set */
		237	if (!cpoint_type \|\| !cpoint_name)
		238	return -EINVAL;
		239
		240	cptype = parse_cp_type(cpoint_type, strlen(cpoint_type));
		241	if (cptype == NONE)
		242	return -EINVAL;
		243
		244	for (i = 0; i < ARRAY_SIZE(cp_name); i++) {
205	if (!strcmp(cpoint_name, cp_name[i])) {	245	if (!strcmp(cpoint_name, cp_name[i])) {
206	cpoint = i + 1;	246	cpoint = i + 1;
207	break;	247	return 0;
208	}
209	}
210
211	for (i = 0; i < NUM_CPOINT_TYPES; ++i) {
212	if (!strcmp(cpoint_type, cp_type[i])) {
213	cptype = i + 1;
214	break;
215	}	248	}
216	}	249	}
217		250
218	if (cpoint == INVALID \|\| cptype == NONE)	251	/* Could not find a valid crash point */
219	return -EINVAL;	252	return -EINVAL;
220
221	count = cpoint_count;
222
223	return 0;
224	}	253	}
225		254
226	static int recursive_loop(int a)	255	static int recursive_loop(int a)
@@ -235,53 +264,92 @@ static int recursive_loop(int a)
235	return recursive_loop(a);	264	return recursive_loop(a);
236	}	265	}
237		266
238	void lkdtm_handler(void)	267	static void lkdtm_do_action(enum ctype which)
239	{	268	{
240	printk(KERN_INFO "lkdtm : Crash point %s of type %s hit\n",	269	switch (which) {
241	cpoint_name, cpoint_type);	270	case PANIC:
242	--count;	271	panic("dumptest");
		272	break;
		273	case BUG:
		274	BUG();
		275	break;
		276	case EXCEPTION:
		277	((int ) 0) = 0;
		278	break;
		279	case LOOP:
		280	for (;;)
		281	;
		282	break;
		283	case OVERFLOW:
		284	(void) recursive_loop(0);
		285	break;
		286	case CORRUPT_STACK: {
		287	volatile u32 data[8];
		288	volatile u32 *p = data;
		289
		290	p[12] = 0x12345678;
		291	break;
		292	}
		293	case UNALIGNED_LOAD_STORE_WRITE: {
		294	static u8 data[5] __attribute__((aligned(4))) = {1, 2,
		295	3, 4, 5};
		296	u32 *p;
		297	u32 val = 0x12345678;
		298
		299	p = (u32 *)(data + 1);
		300	if (*p == 0)
		301	val = 0x87654321;
		302	*p = val;
		303	break;
		304	}
		305	case OVERWRITE_ALLOCATION: {
		306	size_t len = 1020;
		307	u32 *data = kmalloc(len, GFP_KERNEL);
		308
		309	data[1024 / sizeof(u32)] = 0x12345678;
		310	kfree(data);
		311	break;
		312	}
		313	case WRITE_AFTER_FREE: {
		314	size_t len = 1024;
		315	u32 *data = kmalloc(len, GFP_KERNEL);
		316
		317	kfree(data);
		318	schedule();
		319	memset(data, 0x78, len);
		320	break;
		321	}
		322	case NONE:
		323	default:
		324	break;
		325	}
		326
		327	}
		328
		329	static void lkdtm_handler(void)
		330	{
		331	count--;
		332	printk(KERN_INFO "lkdtm: Crash point %s of type %s hit, trigger in %d rounds\n",
		333	cp_name_to_str(cpoint), cp_type_to_str(cptype), count);
243		334
244	if (count == 0) {	335	if (count == 0) {
245	switch (cptype) {	336	lkdtm_do_action(cptype);
246	case NONE:
247	break;
248	case PANIC:
249	printk(KERN_INFO "lkdtm : PANIC\n");
250	panic("dumptest");
251	break;
252	case BUG:
253	printk(KERN_INFO "lkdtm : BUG\n");
254	BUG();
255	break;
256	case EXCEPTION:
257	printk(KERN_INFO "lkdtm : EXCEPTION\n");
258	((int ) 0) = 0;
259	break;
260	case LOOP:
261	printk(KERN_INFO "lkdtm : LOOP\n");
262	for (;;);
263	break;
264	case OVERFLOW:
265	printk(KERN_INFO "lkdtm : OVERFLOW\n");
266	(void) recursive_loop(0);
267	break;
268	default:
269	break;
270	}
271	count = cpoint_count;	337	count = cpoint_count;
272	}	338	}
273	}	339	}
274		340
275	static int __init lkdtm_module_init(void)	341	static int lkdtm_register_cpoint(enum cname which)
276	{	342	{
277	int ret;	343	int ret;
278		344
279	if (lkdtm_parse_commandline() == -EINVAL) {	345	cpoint = INVALID;
280	printk(KERN_INFO "lkdtm : Invalid command\n");	346	if (lkdtm.entry != NULL)
281	return -EINVAL;	347	unregister_jprobe(&lkdtm);
282	}
283		348
284	switch (cpoint) {	349	switch (which) {
		350	case DIRECT:
		351	lkdtm_do_action(cptype);
		352	return 0;
285	case INT_HARDWARE_ENTRY:	353	case INT_HARDWARE_ENTRY:
286	lkdtm.kp.symbol_name = "do_IRQ";	354	lkdtm.kp.symbol_name = "do_IRQ";
287	lkdtm.entry = (kprobe_opcode_t*) jp_do_irq;	355	lkdtm.entry = (kprobe_opcode_t*) jp_do_irq;
@@ -315,28 +383,268 @@ static int __init lkdtm_module_init(void)
315	lkdtm.kp.symbol_name = "generic_ide_ioctl";	383	lkdtm.kp.symbol_name = "generic_ide_ioctl";
316	lkdtm.entry = (kprobe_opcode_t*) jp_generic_ide_ioctl;	384	lkdtm.entry = (kprobe_opcode_t*) jp_generic_ide_ioctl;
317	#else	385	#else
318	printk(KERN_INFO "lkdtm : Crash point not available\n");	386	printk(KERN_INFO "lkdtm: Crash point not available\n");
		387	return -EINVAL;
319	#endif	388	#endif
320	break;	389	break;
321	default:	390	default:
322	printk(KERN_INFO "lkdtm : Invalid Crash Point\n");	391	printk(KERN_INFO "lkdtm: Invalid Crash Point\n");
323	break;	392	return -EINVAL;
324	}	393	}
325		394
		395	cpoint = which;
326	if ((ret = register_jprobe(&lkdtm)) < 0) {	396	if ((ret = register_jprobe(&lkdtm)) < 0) {
327	printk(KERN_INFO "lkdtm : Couldn't register jprobe\n");	397	printk(KERN_INFO "lkdtm: Couldn't register jprobe\n");
328	return ret;	398	cpoint = INVALID;
		399	}
		400
		401	return ret;
		402	}
		403
		404	static ssize_t do_register_entry(enum cname which, struct file *f,
		405	const char __user user_buf, size_t count, loff_t off)
		406	{
		407	char *buf;
		408	int err;
		409
		410	if (count >= PAGE_SIZE)
		411	return -EINVAL;
		412
		413	buf = (char *)__get_free_page(GFP_KERNEL);
		414	if (!buf)
		415	return -ENOMEM;
		416	if (copy_from_user(buf, user_buf, count)) {
		417	free_page((unsigned long) buf);
		418	return -EFAULT;
		419	}
		420	/* NULL-terminate and remove enter */
		421	buf[count] = '\0';
		422	strim(buf);
		423
		424	cptype = parse_cp_type(buf, count);
		425	free_page((unsigned long) buf);
		426
		427	if (cptype == NONE)
		428	return -EINVAL;
		429
		430	err = lkdtm_register_cpoint(which);
		431	if (err < 0)
		432	return err;
		433
		434	*off += count;
		435
		436	return count;
		437	}
		438
		439	/* Generic read callback that just prints out the available crash types */
		440	static ssize_t lkdtm_debugfs_read(struct file f, char __user user_buf,
		441	size_t count, loff_t *off)
		442	{
		443	char *buf;
		444	int i, n, out;
		445
		446	buf = (char *)__get_free_page(GFP_KERNEL);
		447
		448	n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
		449	for (i = 0; i < ARRAY_SIZE(cp_type); i++)
		450	n += snprintf(buf + n, PAGE_SIZE - n, "%s\n", cp_type[i]);
		451	buf[n] = '\0';
		452
		453	out = simple_read_from_buffer(user_buf, count, off,
		454	buf, n);
		455	free_page((unsigned long) buf);
		456
		457	return out;
		458	}
		459
		460	static int lkdtm_debugfs_open(struct inode inode, struct file file)
		461	{
		462	return 0;
		463	}
		464
		465
		466	static ssize_t int_hardware_entry(struct file f, const char __user buf,
		467	size_t count, loff_t *off)
		468	{
		469	return do_register_entry(INT_HARDWARE_ENTRY, f, buf, count, off);
		470	}
		471
		472	static ssize_t int_hw_irq_en(struct file f, const char __user buf,
		473	size_t count, loff_t *off)
		474	{
		475	return do_register_entry(INT_HW_IRQ_EN, f, buf, count, off);
		476	}
		477
		478	static ssize_t int_tasklet_entry(struct file f, const char __user buf,
		479	size_t count, loff_t *off)
		480	{
		481	return do_register_entry(INT_TASKLET_ENTRY, f, buf, count, off);
		482	}
		483
		484	static ssize_t fs_devrw_entry(struct file f, const char __user buf,
		485	size_t count, loff_t *off)
		486	{
		487	return do_register_entry(FS_DEVRW, f, buf, count, off);
		488	}
		489
		490	static ssize_t mem_swapout_entry(struct file f, const char __user buf,
		491	size_t count, loff_t *off)
		492	{
		493	return do_register_entry(MEM_SWAPOUT, f, buf, count, off);
		494	}
		495
		496	static ssize_t timeradd_entry(struct file f, const char __user buf,
		497	size_t count, loff_t *off)
		498	{
		499	return do_register_entry(TIMERADD, f, buf, count, off);
		500	}
		501
		502	static ssize_t scsi_dispatch_cmd_entry(struct file *f,
		503	const char __user buf, size_t count, loff_t off)
		504	{
		505	return do_register_entry(SCSI_DISPATCH_CMD, f, buf, count, off);
		506	}
		507
		508	static ssize_t ide_core_cp_entry(struct file f, const char __user buf,
		509	size_t count, loff_t *off)
		510	{
		511	return do_register_entry(IDE_CORE_CP, f, buf, count, off);
		512	}
		513
		514	/* Special entry to just crash directly. Available without KPROBEs */
		515	static ssize_t direct_entry(struct file f, const char __user user_buf,
		516	size_t count, loff_t *off)
		517	{
		518	enum ctype type;
		519	char *buf;
		520
		521	if (count >= PAGE_SIZE)
		522	return -EINVAL;
		523	if (count < 1)
		524	return -EINVAL;
		525
		526	buf = (char *)__get_free_page(GFP_KERNEL);
		527	if (!buf)
		528	return -ENOMEM;
		529	if (copy_from_user(buf, user_buf, count)) {
		530	free_page((unsigned long) buf);
		531	return -EFAULT;
		532	}
		533	/* NULL-terminate and remove enter */
		534	buf[count] = '\0';
		535	strim(buf);
		536
		537	type = parse_cp_type(buf, count);
		538	free_page((unsigned long) buf);
		539	if (type == NONE)
		540	return -EINVAL;
		541
		542	printk(KERN_INFO "lkdtm: Performing direct entry %s\n",
		543	cp_type_to_str(type));
		544	lkdtm_do_action(type);
		545	*off += count;
		546
		547	return count;
		548	}
		549
		550	struct crash_entry {
		551	const char *name;
		552	const struct file_operations fops;
		553	};
		554
		555	static const struct crash_entry crash_entries[] = {
		556	{"DIRECT", {.read = lkdtm_debugfs_read,
		557	.open = lkdtm_debugfs_open,
		558	.write = direct_entry} },
		559	{"INT_HARDWARE_ENTRY", {.read = lkdtm_debugfs_read,
		560	.open = lkdtm_debugfs_open,
		561	.write = int_hardware_entry} },
		562	{"INT_HW_IRQ_EN", {.read = lkdtm_debugfs_read,
		563	.open = lkdtm_debugfs_open,
		564	.write = int_hw_irq_en} },
		565	{"INT_TASKLET_ENTRY", {.read = lkdtm_debugfs_read,
		566	.open = lkdtm_debugfs_open,
		567	.write = int_tasklet_entry} },
		568	{"FS_DEVRW", {.read = lkdtm_debugfs_read,
		569	.open = lkdtm_debugfs_open,
		570	.write = fs_devrw_entry} },
		571	{"MEM_SWAPOUT", {.read = lkdtm_debugfs_read,
		572	.open = lkdtm_debugfs_open,
		573	.write = mem_swapout_entry} },
		574	{"TIMERADD", {.read = lkdtm_debugfs_read,
		575	.open = lkdtm_debugfs_open,
		576	.write = timeradd_entry} },
		577	{"SCSI_DISPATCH_CMD", {.read = lkdtm_debugfs_read,
		578	.open = lkdtm_debugfs_open,
		579	.write = scsi_dispatch_cmd_entry} },
		580	{"IDE_CORE_CP", {.read = lkdtm_debugfs_read,
		581	.open = lkdtm_debugfs_open,
		582	.write = ide_core_cp_entry} },
		583	};
		584
		585	static struct dentry *lkdtm_debugfs_root;
		586
		587	static int __init lkdtm_module_init(void)
		588	{
		589	int ret = -EINVAL;
		590	int n_debugfs_entries = 1; /* Assume only the direct entry */
		591	int i;
		592
		593	/* Register debugfs interface */
		594	lkdtm_debugfs_root = debugfs_create_dir("provoke-crash", NULL);
		595	if (!lkdtm_debugfs_root) {
		596	printk(KERN_ERR "lkdtm: creating root dir failed\n");
		597	return -ENODEV;
		598	}
		599
		600	#ifdef CONFIG_KPROBES
		601	n_debugfs_entries = ARRAY_SIZE(crash_entries);
		602	#endif
		603
		604	for (i = 0; i < n_debugfs_entries; i++) {
		605	const struct crash_entry *cur = &crash_entries[i];
		606	struct dentry *de;
		607
		608	de = debugfs_create_file(cur->name, 0644, lkdtm_debugfs_root,
		609	NULL, &cur->fops);
		610	if (de == NULL) {
		611	printk(KERN_ERR "lkdtm: could not create %s\n",
		612	cur->name);
		613	goto out_err;
		614	}
		615	}
		616
		617	if (lkdtm_parse_commandline() == -EINVAL) {
		618	printk(KERN_INFO "lkdtm: Invalid command\n");
		619	goto out_err;
		620	}
		621
		622	if (cpoint != INVALID && cptype != NONE) {
		623	ret = lkdtm_register_cpoint(cpoint);
		624	if (ret < 0) {
		625	printk(KERN_INFO "lkdtm: Invalid crash point %d\n",
		626	cpoint);
		627	goto out_err;
		628	}
		629	printk(KERN_INFO "lkdtm: Crash point %s of type %s registered\n",
		630	cpoint_name, cpoint_type);
		631	} else {
		632	printk(KERN_INFO "lkdtm: No crash points registered, enable through debugfs\n");
329	}	633	}
330		634
331	printk(KERN_INFO "lkdtm : Crash point %s of type %s registered\n",
332	cpoint_name, cpoint_type);
333	return 0;	635	return 0;
		636
		637	out_err:
		638	debugfs_remove_recursive(lkdtm_debugfs_root);
		639	return ret;
334	}	640	}
335		641
336	static void __exit lkdtm_module_exit(void)	642	static void __exit lkdtm_module_exit(void)
337	{	643	{
338	unregister_jprobe(&lkdtm);	644	debugfs_remove_recursive(lkdtm_debugfs_root);
339	printk(KERN_INFO "lkdtm : Crash point unregistered\n");	645
		646	unregister_jprobe(&lkdtm);
		647	printk(KERN_INFO "lkdtm: Crash point unregistered\n");
340	}	648	}
341		649
342	module_init(lkdtm_module_init);	650	module_init(lkdtm_module_init);