drivers/misc/lkdtm.c at v4.6-rc2

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / drivers / misc / lkdtm.c
at v4.6-rc2 1018 lines 24 kB view raw
wrap content
   1/*
   2 * Kprobe module for testing crash dumps
   3 *
   4 * This program is free software; you can redistribute it and/or modify
   5 * it under the terms of the GNU General Public License as published by
   6 * the Free Software Foundation; either version 2 of the License, or
   7 * (at your option) any later version.
   8 *
   9 * This program is distributed in the hope that it will be useful,
  10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 * GNU General Public License for more details.
  13 *
  14 * You should have received a copy of the GNU General Public License
  15 * along with this program; if not, write to the Free Software
  16 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  17 *
  18 * Copyright (C) IBM Corporation, 2006
  19 *
  20 * Author: Ankita Garg <ankita@in.ibm.com>
  21 *
  22 * This module induces system failures at predefined crashpoints to
  23 * evaluate the reliability of crash dumps obtained using different dumping
  24 * solutions.
  25 *
  26 * It is adapted from the Linux Kernel Dump Test Tool by
  27 * Fernando Luis Vazquez Cao <http://lkdtt.sourceforge.net>
  28 *
  29 * Debugfs support added by Simon Kagstrom <simon.kagstrom@netinsight.net>
  30 *
  31 * See Documentation/fault-injection/provoke-crashes.txt for instructions
  32 */
  33#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  34
  35#include <linux/kernel.h>
  36#include <linux/fs.h>
  37#include <linux/module.h>
  38#include <linux/buffer_head.h>
  39#include <linux/kprobes.h>
  40#include <linux/list.h>
  41#include <linux/init.h>
  42#include <linux/interrupt.h>
  43#include <linux/hrtimer.h>
  44#include <linux/slab.h>
  45#include <scsi/scsi_cmnd.h>
  46#include <linux/debugfs.h>
  47#include <linux/vmalloc.h>
  48#include <linux/mman.h>
  49#include <asm/cacheflush.h>
  50
  51#ifdef CONFIG_IDE
  52#include <linux/ide.h>
  53#endif
  54
  55/*
  56 * Make sure our attempts to over run the kernel stack doesn't trigger
  57 * a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
  58 * recurse past the end of THREAD_SIZE by default.
  59 */
  60#if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
  61#define REC_STACK_SIZE (CONFIG_FRAME_WARN / 2)
  62#else
  63#define REC_STACK_SIZE (THREAD_SIZE / 8)
  64#endif
  65#define REC_NUM_DEFAULT ((THREAD_SIZE / REC_STACK_SIZE) * 2)
  66
  67#define DEFAULT_COUNT 10
  68#define EXEC_SIZE 64
  69
  70enum cname {
  71	CN_INVALID,
  72	CN_INT_HARDWARE_ENTRY,
  73	CN_INT_HW_IRQ_EN,
  74	CN_INT_TASKLET_ENTRY,
  75	CN_FS_DEVRW,
  76	CN_MEM_SWAPOUT,
  77	CN_TIMERADD,
  78	CN_SCSI_DISPATCH_CMD,
  79	CN_IDE_CORE_CP,
  80	CN_DIRECT,
  81};
  82
  83enum ctype {
  84	CT_NONE,
  85	CT_PANIC,
  86	CT_BUG,
  87	CT_WARNING,
  88	CT_EXCEPTION,
  89	CT_LOOP,
  90	CT_OVERFLOW,
  91	CT_CORRUPT_STACK,
  92	CT_UNALIGNED_LOAD_STORE_WRITE,
  93	CT_OVERWRITE_ALLOCATION,
  94	CT_WRITE_AFTER_FREE,
  95	CT_READ_AFTER_FREE,
  96	CT_WRITE_BUDDY_AFTER_FREE,
  97	CT_READ_BUDDY_AFTER_FREE,
  98	CT_SOFTLOCKUP,
  99	CT_HARDLOCKUP,
 100	CT_SPINLOCKUP,
 101	CT_HUNG_TASK,
 102	CT_EXEC_DATA,
 103	CT_EXEC_STACK,
 104	CT_EXEC_KMALLOC,
 105	CT_EXEC_VMALLOC,
 106	CT_EXEC_USERSPACE,
 107	CT_ACCESS_USERSPACE,
 108	CT_WRITE_RO,
 109	CT_WRITE_RO_AFTER_INIT,
 110	CT_WRITE_KERN,
 111	CT_WRAP_ATOMIC
 112};
 113
 114static char* cp_name[] = {
 115	"INT_HARDWARE_ENTRY",
 116	"INT_HW_IRQ_EN",
 117	"INT_TASKLET_ENTRY",
 118	"FS_DEVRW",
 119	"MEM_SWAPOUT",
 120	"TIMERADD",
 121	"SCSI_DISPATCH_CMD",
 122	"IDE_CORE_CP",
 123	"DIRECT",
 124};
 125
 126static char* cp_type[] = {
 127	"PANIC",
 128	"BUG",
 129	"WARNING",
 130	"EXCEPTION",
 131	"LOOP",
 132	"OVERFLOW",
 133	"CORRUPT_STACK",
 134	"UNALIGNED_LOAD_STORE_WRITE",
 135	"OVERWRITE_ALLOCATION",
 136	"WRITE_AFTER_FREE",
 137	"READ_AFTER_FREE",
 138	"WRITE_BUDDY_AFTER_FREE",
 139	"READ_BUDDY_AFTER_FREE",
 140	"SOFTLOCKUP",
 141	"HARDLOCKUP",
 142	"SPINLOCKUP",
 143	"HUNG_TASK",
 144	"EXEC_DATA",
 145	"EXEC_STACK",
 146	"EXEC_KMALLOC",
 147	"EXEC_VMALLOC",
 148	"EXEC_USERSPACE",
 149	"ACCESS_USERSPACE",
 150	"WRITE_RO",
 151	"WRITE_RO_AFTER_INIT",
 152	"WRITE_KERN",
 153	"WRAP_ATOMIC"
 154};
 155
 156static struct jprobe lkdtm;
 157
 158static int lkdtm_parse_commandline(void);
 159static void lkdtm_handler(void);
 160
 161static char* cpoint_name;
 162static char* cpoint_type;
 163static int cpoint_count = DEFAULT_COUNT;
 164static int recur_count = REC_NUM_DEFAULT;
 165
 166static enum cname cpoint = CN_INVALID;
 167static enum ctype cptype = CT_NONE;
 168static int count = DEFAULT_COUNT;
 169static DEFINE_SPINLOCK(count_lock);
 170static DEFINE_SPINLOCK(lock_me_up);
 171
 172static u8 data_area[EXEC_SIZE];
 173
 174static const unsigned long rodata = 0xAA55AA55;
 175static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
 176
 177module_param(recur_count, int, 0644);
 178MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test");
 179module_param(cpoint_name, charp, 0444);
 180MODULE_PARM_DESC(cpoint_name, " Crash Point, where kernel is to be crashed");
 181module_param(cpoint_type, charp, 0444);
 182MODULE_PARM_DESC(cpoint_type, " Crash Point Type, action to be taken on "\
 183				"hitting the crash point");
 184module_param(cpoint_count, int, 0644);
 185MODULE_PARM_DESC(cpoint_count, " Crash Point Count, number of times the "\
 186				"crash point is to be hit to trigger action");
 187
 188static unsigned int jp_do_irq(unsigned int irq)
 189{
 190	lkdtm_handler();
 191	jprobe_return();
 192	return 0;
 193}
 194
 195static irqreturn_t jp_handle_irq_event(unsigned int irq,
 196				       struct irqaction *action)
 197{
 198	lkdtm_handler();
 199	jprobe_return();
 200	return 0;
 201}
 202
 203static void jp_tasklet_action(struct softirq_action *a)
 204{
 205	lkdtm_handler();
 206	jprobe_return();
 207}
 208
 209static void jp_ll_rw_block(int rw, int nr, struct buffer_head *bhs[])
 210{
 211	lkdtm_handler();
 212	jprobe_return();
 213}
 214
 215struct scan_control;
 216
 217static unsigned long jp_shrink_inactive_list(unsigned long max_scan,
 218					     struct zone *zone,
 219					     struct scan_control *sc)
 220{
 221	lkdtm_handler();
 222	jprobe_return();
 223	return 0;
 224}
 225
 226static int jp_hrtimer_start(struct hrtimer *timer, ktime_t tim,
 227			    const enum hrtimer_mode mode)
 228{
 229	lkdtm_handler();
 230	jprobe_return();
 231	return 0;
 232}
 233
 234static int jp_scsi_dispatch_cmd(struct scsi_cmnd *cmd)
 235{
 236	lkdtm_handler();
 237	jprobe_return();
 238	return 0;
 239}
 240
 241#ifdef CONFIG_IDE
 242static int jp_generic_ide_ioctl(ide_drive_t *drive, struct file *file,
 243			struct block_device *bdev, unsigned int cmd,
 244			unsigned long arg)
 245{
 246	lkdtm_handler();
 247	jprobe_return();
 248	return 0;
 249}
 250#endif
 251
 252/* Return the crashpoint number or NONE if the name is invalid */
 253static enum ctype parse_cp_type(const char *what, size_t count)
 254{
 255	int i;
 256
 257	for (i = 0; i < ARRAY_SIZE(cp_type); i++) {
 258		if (!strcmp(what, cp_type[i]))
 259			return i + 1;
 260	}
 261
 262	return CT_NONE;
 263}
 264
 265static const char *cp_type_to_str(enum ctype type)
 266{
 267	if (type == CT_NONE || type < 0 || type > ARRAY_SIZE(cp_type))
 268		return "None";
 269
 270	return cp_type[type - 1];
 271}
 272
 273static const char *cp_name_to_str(enum cname name)
 274{
 275	if (name == CN_INVALID || name < 0 || name > ARRAY_SIZE(cp_name))
 276		return "INVALID";
 277
 278	return cp_name[name - 1];
 279}
 280
 281
 282static int lkdtm_parse_commandline(void)
 283{
 284	int i;
 285	unsigned long flags;
 286
 287	if (cpoint_count < 1 || recur_count < 1)
 288		return -EINVAL;
 289
 290	spin_lock_irqsave(&count_lock, flags);
 291	count = cpoint_count;
 292	spin_unlock_irqrestore(&count_lock, flags);
 293
 294	/* No special parameters */
 295	if (!cpoint_type && !cpoint_name)
 296		return 0;
 297
 298	/* Neither or both of these need to be set */
 299	if (!cpoint_type || !cpoint_name)
 300		return -EINVAL;
 301
 302	cptype = parse_cp_type(cpoint_type, strlen(cpoint_type));
 303	if (cptype == CT_NONE)
 304		return -EINVAL;
 305
 306	for (i = 0; i < ARRAY_SIZE(cp_name); i++) {
 307		if (!strcmp(cpoint_name, cp_name[i])) {
 308			cpoint = i + 1;
 309			return 0;
 310		}
 311	}
 312
 313	/* Could not find a valid crash point */
 314	return -EINVAL;
 315}
 316
 317static int recursive_loop(int remaining)
 318{
 319	char buf[REC_STACK_SIZE];
 320
 321	/* Make sure compiler does not optimize this away. */
 322	memset(buf, (remaining & 0xff) | 0x1, REC_STACK_SIZE);
 323	if (!remaining)
 324		return 0;
 325	else
 326		return recursive_loop(remaining - 1);
 327}
 328
 329static void do_nothing(void)
 330{
 331	return;
 332}
 333
 334/* Must immediately follow do_nothing for size calculuations to work out. */
 335static void do_overwritten(void)
 336{
 337	pr_info("do_overwritten wasn't overwritten!\n");
 338	return;
 339}
 340
 341static noinline void corrupt_stack(void)
 342{
 343	/* Use default char array length that triggers stack protection. */
 344	char data[8];
 345
 346	memset((void *)data, 0, 64);
 347}
 348
 349static void noinline execute_location(void *dst)
 350{
 351	void (*func)(void) = dst;
 352
 353	pr_info("attempting ok execution at %p\n", do_nothing);
 354	do_nothing();
 355
 356	memcpy(dst, do_nothing, EXEC_SIZE);
 357	flush_icache_range((unsigned long)dst, (unsigned long)dst + EXEC_SIZE);
 358	pr_info("attempting bad execution at %p\n", func);
 359	func();
 360}
 361
 362static void execute_user_location(void *dst)
 363{
 364	/* Intentionally crossing kernel/user memory boundary. */
 365	void (*func)(void) = dst;
 366
 367	pr_info("attempting ok execution at %p\n", do_nothing);
 368	do_nothing();
 369
 370	if (copy_to_user((void __user *)dst, do_nothing, EXEC_SIZE))
 371		return;
 372	flush_icache_range((unsigned long)dst, (unsigned long)dst + EXEC_SIZE);
 373	pr_info("attempting bad execution at %p\n", func);
 374	func();
 375}
 376
 377static void lkdtm_do_action(enum ctype which)
 378{
 379	switch (which) {
 380	case CT_PANIC:
 381		panic("dumptest");
 382		break;
 383	case CT_BUG:
 384		BUG();
 385		break;
 386	case CT_WARNING:
 387		WARN_ON(1);
 388		break;
 389	case CT_EXCEPTION:
 390		*((int *) 0) = 0;
 391		break;
 392	case CT_LOOP:
 393		for (;;)
 394			;
 395		break;
 396	case CT_OVERFLOW:
 397		(void) recursive_loop(recur_count);
 398		break;
 399	case CT_CORRUPT_STACK:
 400		corrupt_stack();
 401		break;
 402	case CT_UNALIGNED_LOAD_STORE_WRITE: {
 403		static u8 data[5] __attribute__((aligned(4))) = {1, 2,
 404				3, 4, 5};
 405		u32 *p;
 406		u32 val = 0x12345678;
 407
 408		p = (u32 *)(data + 1);
 409		if (*p == 0)
 410			val = 0x87654321;
 411		*p = val;
 412		 break;
 413	}
 414	case CT_OVERWRITE_ALLOCATION: {
 415		size_t len = 1020;
 416		u32 *data = kmalloc(len, GFP_KERNEL);
 417
 418		data[1024 / sizeof(u32)] = 0x12345678;
 419		kfree(data);
 420		break;
 421	}
 422	case CT_WRITE_AFTER_FREE: {
 423		int *base, *again;
 424		size_t len = 1024;
 425		/*
 426		 * The slub allocator uses the first word to store the free
 427		 * pointer in some configurations. Use the middle of the
 428		 * allocation to avoid running into the freelist
 429		 */
 430		size_t offset = (len / sizeof(*base)) / 2;
 431
 432		base = kmalloc(len, GFP_KERNEL);
 433		pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
 434		pr_info("Attempting bad write to freed memory at %p\n",
 435			&base[offset]);
 436		kfree(base);
 437		base[offset] = 0x0abcdef0;
 438		/* Attempt to notice the overwrite. */
 439		again = kmalloc(len, GFP_KERNEL);
 440		kfree(again);
 441		if (again != base)
 442			pr_info("Hmm, didn't get the same memory range.\n");
 443
 444		break;
 445	}
 446	case CT_READ_AFTER_FREE: {
 447		int *base, *val, saw;
 448		size_t len = 1024;
 449		/*
 450		 * The slub allocator uses the first word to store the free
 451		 * pointer in some configurations. Use the middle of the
 452		 * allocation to avoid running into the freelist
 453		 */
 454		size_t offset = (len / sizeof(*base)) / 2;
 455
 456		base = kmalloc(len, GFP_KERNEL);
 457		if (!base)
 458			break;
 459
 460		val = kmalloc(len, GFP_KERNEL);
 461		if (!val)
 462			break;
 463
 464		*val = 0x12345678;
 465		base[offset] = *val;
 466		pr_info("Value in memory before free: %x\n", base[offset]);
 467
 468		kfree(base);
 469
 470		pr_info("Attempting bad read from freed memory\n");
 471		saw = base[offset];
 472		if (saw != *val) {
 473			/* Good! Poisoning happened, so declare a win. */
 474			pr_info("Memory correctly poisoned (%x)\n", saw);
 475			BUG();
 476		}
 477		pr_info("Memory was not poisoned\n");
 478
 479		kfree(val);
 480		break;
 481	}
 482	case CT_WRITE_BUDDY_AFTER_FREE: {
 483		unsigned long p = __get_free_page(GFP_KERNEL);
 484		if (!p)
 485			break;
 486		pr_info("Writing to the buddy page before free\n");
 487		memset((void *)p, 0x3, PAGE_SIZE);
 488		free_page(p);
 489		schedule();
 490		pr_info("Attempting bad write to the buddy page after free\n");
 491		memset((void *)p, 0x78, PAGE_SIZE);
 492		/* Attempt to notice the overwrite. */
 493		p = __get_free_page(GFP_KERNEL);
 494		free_page(p);
 495		schedule();
 496
 497		break;
 498	}
 499	case CT_READ_BUDDY_AFTER_FREE: {
 500		unsigned long p = __get_free_page(GFP_KERNEL);
 501		int saw, *val = kmalloc(1024, GFP_KERNEL);
 502		int *base;
 503
 504		if (!p)
 505			break;
 506
 507		if (!val)
 508			break;
 509
 510		base = (int *)p;
 511
 512		*val = 0x12345678;
 513		base[0] = *val;
 514		pr_info("Value in memory before free: %x\n", base[0]);
 515		free_page(p);
 516		pr_info("Attempting to read from freed memory\n");
 517		saw = base[0];
 518		if (saw != *val) {
 519			/* Good! Poisoning happened, so declare a win. */
 520			pr_info("Memory correctly poisoned (%x)\n", saw);
 521			BUG();
 522		}
 523		pr_info("Buddy page was not poisoned\n");
 524
 525		kfree(val);
 526		break;
 527	}
 528	case CT_SOFTLOCKUP:
 529		preempt_disable();
 530		for (;;)
 531			cpu_relax();
 532		break;
 533	case CT_HARDLOCKUP:
 534		local_irq_disable();
 535		for (;;)
 536			cpu_relax();
 537		break;
 538	case CT_SPINLOCKUP:
 539		/* Must be called twice to trigger. */
 540		spin_lock(&lock_me_up);
 541		/* Let sparse know we intended to exit holding the lock. */
 542		__release(&lock_me_up);
 543		break;
 544	case CT_HUNG_TASK:
 545		set_current_state(TASK_UNINTERRUPTIBLE);
 546		schedule();
 547		break;
 548	case CT_EXEC_DATA:
 549		execute_location(data_area);
 550		break;
 551	case CT_EXEC_STACK: {
 552		u8 stack_area[EXEC_SIZE];
 553		execute_location(stack_area);
 554		break;
 555	}
 556	case CT_EXEC_KMALLOC: {
 557		u32 *kmalloc_area = kmalloc(EXEC_SIZE, GFP_KERNEL);
 558		execute_location(kmalloc_area);
 559		kfree(kmalloc_area);
 560		break;
 561	}
 562	case CT_EXEC_VMALLOC: {
 563		u32 *vmalloc_area = vmalloc(EXEC_SIZE);
 564		execute_location(vmalloc_area);
 565		vfree(vmalloc_area);
 566		break;
 567	}
 568	case CT_EXEC_USERSPACE: {
 569		unsigned long user_addr;
 570
 571		user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
 572				    PROT_READ | PROT_WRITE | PROT_EXEC,
 573				    MAP_ANONYMOUS | MAP_PRIVATE, 0);
 574		if (user_addr >= TASK_SIZE) {
 575			pr_warn("Failed to allocate user memory\n");
 576			return;
 577		}
 578		execute_user_location((void *)user_addr);
 579		vm_munmap(user_addr, PAGE_SIZE);
 580		break;
 581	}
 582	case CT_ACCESS_USERSPACE: {
 583		unsigned long user_addr, tmp = 0;
 584		unsigned long *ptr;
 585
 586		user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
 587				    PROT_READ | PROT_WRITE | PROT_EXEC,
 588				    MAP_ANONYMOUS | MAP_PRIVATE, 0);
 589		if (user_addr >= TASK_SIZE) {
 590			pr_warn("Failed to allocate user memory\n");
 591			return;
 592		}
 593
 594		if (copy_to_user((void __user *)user_addr, &tmp, sizeof(tmp))) {
 595			pr_warn("copy_to_user failed\n");
 596			vm_munmap(user_addr, PAGE_SIZE);
 597			return;
 598		}
 599
 600		ptr = (unsigned long *)user_addr;
 601
 602		pr_info("attempting bad read at %p\n", ptr);
 603		tmp = *ptr;
 604		tmp += 0xc0dec0de;
 605
 606		pr_info("attempting bad write at %p\n", ptr);
 607		*ptr = tmp;
 608
 609		vm_munmap(user_addr, PAGE_SIZE);
 610
 611		break;
 612	}
 613	case CT_WRITE_RO: {
 614		/* Explicitly cast away "const" for the test. */
 615		unsigned long *ptr = (unsigned long *)&rodata;
 616
 617		pr_info("attempting bad rodata write at %p\n", ptr);
 618		*ptr ^= 0xabcd1234;
 619
 620		break;
 621	}
 622	case CT_WRITE_RO_AFTER_INIT: {
 623		unsigned long *ptr = &ro_after_init;
 624
 625		/*
 626		 * Verify we were written to during init. Since an Oops
 627		 * is considered a "success", a failure is to just skip the
 628		 * real test.
 629		 */
 630		if ((*ptr & 0xAA) != 0xAA) {
 631			pr_info("%p was NOT written during init!?\n", ptr);
 632			break;
 633		}
 634
 635		pr_info("attempting bad ro_after_init write at %p\n", ptr);
 636		*ptr ^= 0xabcd1234;
 637
 638		break;
 639	}
 640	case CT_WRITE_KERN: {
 641		size_t size;
 642		unsigned char *ptr;
 643
 644		size = (unsigned long)do_overwritten -
 645		       (unsigned long)do_nothing;
 646		ptr = (unsigned char *)do_overwritten;
 647
 648		pr_info("attempting bad %zu byte write at %p\n", size, ptr);
 649		memcpy(ptr, (unsigned char *)do_nothing, size);
 650		flush_icache_range((unsigned long)ptr,
 651				   (unsigned long)(ptr + size));
 652
 653		do_overwritten();
 654		break;
 655	}
 656	case CT_WRAP_ATOMIC: {
 657		atomic_t under = ATOMIC_INIT(INT_MIN);
 658		atomic_t over = ATOMIC_INIT(INT_MAX);
 659
 660		pr_info("attempting atomic underflow\n");
 661		atomic_dec(&under);
 662		pr_info("attempting atomic overflow\n");
 663		atomic_inc(&over);
 664
 665		return;
 666	}
 667	case CT_NONE:
 668	default:
 669		break;
 670	}
 671
 672}
 673
 674static void lkdtm_handler(void)
 675{
 676	unsigned long flags;
 677	bool do_it = false;
 678
 679	spin_lock_irqsave(&count_lock, flags);
 680	count--;
 681	pr_info("Crash point %s of type %s hit, trigger in %d rounds\n",
 682		cp_name_to_str(cpoint), cp_type_to_str(cptype), count);
 683
 684	if (count == 0) {
 685		do_it = true;
 686		count = cpoint_count;
 687	}
 688	spin_unlock_irqrestore(&count_lock, flags);
 689
 690	if (do_it)
 691		lkdtm_do_action(cptype);
 692}
 693
 694static int lkdtm_register_cpoint(enum cname which)
 695{
 696	int ret;
 697
 698	cpoint = CN_INVALID;
 699	if (lkdtm.entry != NULL)
 700		unregister_jprobe(&lkdtm);
 701
 702	switch (which) {
 703	case CN_DIRECT:
 704		lkdtm_do_action(cptype);
 705		return 0;
 706	case CN_INT_HARDWARE_ENTRY:
 707		lkdtm.kp.symbol_name = "do_IRQ";
 708		lkdtm.entry = (kprobe_opcode_t*) jp_do_irq;
 709		break;
 710	case CN_INT_HW_IRQ_EN:
 711		lkdtm.kp.symbol_name = "handle_IRQ_event";
 712		lkdtm.entry = (kprobe_opcode_t*) jp_handle_irq_event;
 713		break;
 714	case CN_INT_TASKLET_ENTRY:
 715		lkdtm.kp.symbol_name = "tasklet_action";
 716		lkdtm.entry = (kprobe_opcode_t*) jp_tasklet_action;
 717		break;
 718	case CN_FS_DEVRW:
 719		lkdtm.kp.symbol_name = "ll_rw_block";
 720		lkdtm.entry = (kprobe_opcode_t*) jp_ll_rw_block;
 721		break;
 722	case CN_MEM_SWAPOUT:
 723		lkdtm.kp.symbol_name = "shrink_inactive_list";
 724		lkdtm.entry = (kprobe_opcode_t*) jp_shrink_inactive_list;
 725		break;
 726	case CN_TIMERADD:
 727		lkdtm.kp.symbol_name = "hrtimer_start";
 728		lkdtm.entry = (kprobe_opcode_t*) jp_hrtimer_start;
 729		break;
 730	case CN_SCSI_DISPATCH_CMD:
 731		lkdtm.kp.symbol_name = "scsi_dispatch_cmd";
 732		lkdtm.entry = (kprobe_opcode_t*) jp_scsi_dispatch_cmd;
 733		break;
 734	case CN_IDE_CORE_CP:
 735#ifdef CONFIG_IDE
 736		lkdtm.kp.symbol_name = "generic_ide_ioctl";
 737		lkdtm.entry = (kprobe_opcode_t*) jp_generic_ide_ioctl;
 738#else
 739		pr_info("Crash point not available\n");
 740		return -EINVAL;
 741#endif
 742		break;
 743	default:
 744		pr_info("Invalid Crash Point\n");
 745		return -EINVAL;
 746	}
 747
 748	cpoint = which;
 749	if ((ret = register_jprobe(&lkdtm)) < 0) {
 750		pr_info("Couldn't register jprobe\n");
 751		cpoint = CN_INVALID;
 752	}
 753
 754	return ret;
 755}
 756
 757static ssize_t do_register_entry(enum cname which, struct file *f,
 758		const char __user *user_buf, size_t count, loff_t *off)
 759{
 760	char *buf;
 761	int err;
 762
 763	if (count >= PAGE_SIZE)
 764		return -EINVAL;
 765
 766	buf = (char *)__get_free_page(GFP_KERNEL);
 767	if (!buf)
 768		return -ENOMEM;
 769	if (copy_from_user(buf, user_buf, count)) {
 770		free_page((unsigned long) buf);
 771		return -EFAULT;
 772	}
 773	/* NULL-terminate and remove enter */
 774	buf[count] = '\0';
 775	strim(buf);
 776
 777	cptype = parse_cp_type(buf, count);
 778	free_page((unsigned long) buf);
 779
 780	if (cptype == CT_NONE)
 781		return -EINVAL;
 782
 783	err = lkdtm_register_cpoint(which);
 784	if (err < 0)
 785		return err;
 786
 787	*off += count;
 788
 789	return count;
 790}
 791
 792/* Generic read callback that just prints out the available crash types */
 793static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf,
 794		size_t count, loff_t *off)
 795{
 796	char *buf;
 797	int i, n, out;
 798
 799	buf = (char *)__get_free_page(GFP_KERNEL);
 800	if (buf == NULL)
 801		return -ENOMEM;
 802
 803	n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
 804	for (i = 0; i < ARRAY_SIZE(cp_type); i++)
 805		n += snprintf(buf + n, PAGE_SIZE - n, "%s\n", cp_type[i]);
 806	buf[n] = '\0';
 807
 808	out = simple_read_from_buffer(user_buf, count, off,
 809				      buf, n);
 810	free_page((unsigned long) buf);
 811
 812	return out;
 813}
 814
 815static int lkdtm_debugfs_open(struct inode *inode, struct file *file)
 816{
 817	return 0;
 818}
 819
 820
 821static ssize_t int_hardware_entry(struct file *f, const char __user *buf,
 822		size_t count, loff_t *off)
 823{
 824	return do_register_entry(CN_INT_HARDWARE_ENTRY, f, buf, count, off);
 825}
 826
 827static ssize_t int_hw_irq_en(struct file *f, const char __user *buf,
 828		size_t count, loff_t *off)
 829{
 830	return do_register_entry(CN_INT_HW_IRQ_EN, f, buf, count, off);
 831}
 832
 833static ssize_t int_tasklet_entry(struct file *f, const char __user *buf,
 834		size_t count, loff_t *off)
 835{
 836	return do_register_entry(CN_INT_TASKLET_ENTRY, f, buf, count, off);
 837}
 838
 839static ssize_t fs_devrw_entry(struct file *f, const char __user *buf,
 840		size_t count, loff_t *off)
 841{
 842	return do_register_entry(CN_FS_DEVRW, f, buf, count, off);
 843}
 844
 845static ssize_t mem_swapout_entry(struct file *f, const char __user *buf,
 846		size_t count, loff_t *off)
 847{
 848	return do_register_entry(CN_MEM_SWAPOUT, f, buf, count, off);
 849}
 850
 851static ssize_t timeradd_entry(struct file *f, const char __user *buf,
 852		size_t count, loff_t *off)
 853{
 854	return do_register_entry(CN_TIMERADD, f, buf, count, off);
 855}
 856
 857static ssize_t scsi_dispatch_cmd_entry(struct file *f,
 858		const char __user *buf, size_t count, loff_t *off)
 859{
 860	return do_register_entry(CN_SCSI_DISPATCH_CMD, f, buf, count, off);
 861}
 862
 863static ssize_t ide_core_cp_entry(struct file *f, const char __user *buf,
 864		size_t count, loff_t *off)
 865{
 866	return do_register_entry(CN_IDE_CORE_CP, f, buf, count, off);
 867}
 868
 869/* Special entry to just crash directly. Available without KPROBEs */
 870static ssize_t direct_entry(struct file *f, const char __user *user_buf,
 871		size_t count, loff_t *off)
 872{
 873	enum ctype type;
 874	char *buf;
 875
 876	if (count >= PAGE_SIZE)
 877		return -EINVAL;
 878	if (count < 1)
 879		return -EINVAL;
 880
 881	buf = (char *)__get_free_page(GFP_KERNEL);
 882	if (!buf)
 883		return -ENOMEM;
 884	if (copy_from_user(buf, user_buf, count)) {
 885		free_page((unsigned long) buf);
 886		return -EFAULT;
 887	}
 888	/* NULL-terminate and remove enter */
 889	buf[count] = '\0';
 890	strim(buf);
 891
 892	type = parse_cp_type(buf, count);
 893	free_page((unsigned long) buf);
 894	if (type == CT_NONE)
 895		return -EINVAL;
 896
 897	pr_info("Performing direct entry %s\n", cp_type_to_str(type));
 898	lkdtm_do_action(type);
 899	*off += count;
 900
 901	return count;
 902}
 903
 904struct crash_entry {
 905	const char *name;
 906	const struct file_operations fops;
 907};
 908
 909static const struct crash_entry crash_entries[] = {
 910	{"DIRECT", {.read = lkdtm_debugfs_read,
 911			.llseek = generic_file_llseek,
 912			.open = lkdtm_debugfs_open,
 913			.write = direct_entry} },
 914	{"INT_HARDWARE_ENTRY", {.read = lkdtm_debugfs_read,
 915			.llseek = generic_file_llseek,
 916			.open = lkdtm_debugfs_open,
 917			.write = int_hardware_entry} },
 918	{"INT_HW_IRQ_EN", {.read = lkdtm_debugfs_read,
 919			.llseek = generic_file_llseek,
 920			.open = lkdtm_debugfs_open,
 921			.write = int_hw_irq_en} },
 922	{"INT_TASKLET_ENTRY", {.read = lkdtm_debugfs_read,
 923			.llseek = generic_file_llseek,
 924			.open = lkdtm_debugfs_open,
 925			.write = int_tasklet_entry} },
 926	{"FS_DEVRW", {.read = lkdtm_debugfs_read,
 927			.llseek = generic_file_llseek,
 928			.open = lkdtm_debugfs_open,
 929			.write = fs_devrw_entry} },
 930	{"MEM_SWAPOUT", {.read = lkdtm_debugfs_read,
 931			.llseek = generic_file_llseek,
 932			.open = lkdtm_debugfs_open,
 933			.write = mem_swapout_entry} },
 934	{"TIMERADD", {.read = lkdtm_debugfs_read,
 935			.llseek = generic_file_llseek,
 936			.open = lkdtm_debugfs_open,
 937			.write = timeradd_entry} },
 938	{"SCSI_DISPATCH_CMD", {.read = lkdtm_debugfs_read,
 939			.llseek = generic_file_llseek,
 940			.open = lkdtm_debugfs_open,
 941			.write = scsi_dispatch_cmd_entry} },
 942	{"IDE_CORE_CP",	{.read = lkdtm_debugfs_read,
 943			.llseek = generic_file_llseek,
 944			.open = lkdtm_debugfs_open,
 945			.write = ide_core_cp_entry} },
 946};
 947
 948static struct dentry *lkdtm_debugfs_root;
 949
 950static int __init lkdtm_module_init(void)
 951{
 952	int ret = -EINVAL;
 953	int n_debugfs_entries = 1; /* Assume only the direct entry */
 954	int i;
 955
 956	/* Make sure we can write to __ro_after_init values during __init */
 957	ro_after_init |= 0xAA;
 958
 959	/* Register debugfs interface */
 960	lkdtm_debugfs_root = debugfs_create_dir("provoke-crash", NULL);
 961	if (!lkdtm_debugfs_root) {
 962		pr_err("creating root dir failed\n");
 963		return -ENODEV;
 964	}
 965
 966#ifdef CONFIG_KPROBES
 967	n_debugfs_entries = ARRAY_SIZE(crash_entries);
 968#endif
 969
 970	for (i = 0; i < n_debugfs_entries; i++) {
 971		const struct crash_entry *cur = &crash_entries[i];
 972		struct dentry *de;
 973
 974		de = debugfs_create_file(cur->name, 0644, lkdtm_debugfs_root,
 975				NULL, &cur->fops);
 976		if (de == NULL) {
 977			pr_err("could not create %s\n", cur->name);
 978			goto out_err;
 979		}
 980	}
 981
 982	if (lkdtm_parse_commandline() == -EINVAL) {
 983		pr_info("Invalid command\n");
 984		goto out_err;
 985	}
 986
 987	if (cpoint != CN_INVALID && cptype != CT_NONE) {
 988		ret = lkdtm_register_cpoint(cpoint);
 989		if (ret < 0) {
 990			pr_info("Invalid crash point %d\n", cpoint);
 991			goto out_err;
 992		}
 993		pr_info("Crash point %s of type %s registered\n",
 994			cpoint_name, cpoint_type);
 995	} else {
 996		pr_info("No crash points registered, enable through debugfs\n");
 997	}
 998
 999	return 0;
1000
1001out_err:
1002	debugfs_remove_recursive(lkdtm_debugfs_root);
1003	return ret;
1004}
1005
1006static void __exit lkdtm_module_exit(void)
1007{
1008	debugfs_remove_recursive(lkdtm_debugfs_root);
1009
1010	unregister_jprobe(&lkdtm);
1011	pr_info("Crash point unregistered\n");
1012}
1013
1014module_init(lkdtm_module_init);
1015module_exit(lkdtm_module_exit);
1016
1017MODULE_LICENSE("GPL");
1018MODULE_DESCRIPTION("Kprobe module for testing crash dumps");
Configure Feed

Configure Feed
