.. SPDX-License-Identifier: GPL-2.0

============================================================
Provoking crashes with Linux Kernel Dump Test Module (LKDTM)
============================================================

The lkdtm module provides an interface to disrupt (and usually crash)
the kernel at predefined code locations to evaluate the reliability of
the kernel's exception handling and to test crash dumps obtained using
different dumping solutions. The module uses KPROBEs to instrument the
trigger location, but can also trigger the kernel directly without KPROBE
support via debugfs.

You can select the location of the trigger ("crash point name") and the
type of action ("crash point type") either through module arguments when
inserting the module, or through the debugfs interface.

Usage::

    insmod lkdtm.ko [recur_count={>0}] cpoint_name=<> cpoint_type=<>
                    [cpoint_count={>0}]

recur_count
    Recursion level for the stack overflow test. By default this is
    dynamically calculated based on kernel configuration, with the
    goal of being just large enough to exhaust the kernel stack. The
    value can be seen at `/sys/module/lkdtm/parameters/recur_count`.

cpoint_name
    Where in the kernel to trigger the action. It can be
    one of INT_HARDWARE_ENTRY, INT_HW_IRQ_EN, INT_TASKLET_ENTRY,
    FS_DEVRW, MEM_SWAPOUT, TIMERADD, SCSI_QUEUE_RQ,
    IDE_CORE_CP, or DIRECT

cpoint_type
    Indicates the action to be taken on hitting the crash point.
    These are numerous, and best queried directly from debugfs. Some
    of the common ones are PANIC, BUG, EXCEPTION, LOOP, and OVERFLOW.
    See the contents of `/sys/kernel/debug/provoke-crash/DIRECT` for
    a complete list.

cpoint_count
    Indicates the number of times the crash point is to be hit
    before triggering the action. The default is 10 (except for
    DIRECT, which always fires immediately).

You can also induce failures by mounting debugfs and writing the type to
<debugfs>/provoke-crash/<crashpoint>. E.g.::

    mount -t debugfs debugfs /sys/kernel/debug
    echo EXCEPTION > /sys/kernel/debug/provoke-crash/INT_HARDWARE_ENTRY

The special file `DIRECT` will induce the action directly without KPROBE
instrumentation. This mode is the only one available when the module is
built for a kernel without KPROBEs support::

    # Instead of having a BUG kill your shell, have it kill "cat":
    cat <(echo WRITE_RO) >/sys/kernel/debug/provoke-crash/DIRECT
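
The following is an added example, not part of the kernel documentation or the lkdtm sources: a POSIX shell helper for test machines that checks the crash point name against the list above and the crash type against what ``DIRECT`` advertises, then lets a child ``cat`` perform the write as in the last example. ``LKDTM_ROOT``, ``lkdtm_known_cpoint``, ``lkdtm_types`` and ``lkdtm_trigger`` are hypothetical names, and the one-type-per-line layout of ``DIRECT`` is an assumption.

```shell
#!/bin/sh
# Added example: validate an LKDTM request before writing it to debugfs.
# LKDTM_ROOT is a hypothetical override so the helper can be exercised
# against a constructed directory tree instead of a live kernel.
LKDTM_ROOT="${LKDTM_ROOT:-/sys/kernel/debug/provoke-crash}"

# Crash point names as listed under cpoint_name in the documentation.
LKDTM_CPOINTS="INT_HARDWARE_ENTRY INT_HW_IRQ_EN INT_TASKLET_ENTRY FS_DEVRW
MEM_SWAPOUT TIMERADD SCSI_QUEUE_RQ IDE_CORE_CP DIRECT"

# Succeed only if $1 is exactly one of the documented crash point names.
lkdtm_known_cpoint() {
    for c in $LKDTM_CPOINTS; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# Print the crash types the loaded module advertises, one per line.
# Assumption: DIRECT lists one type per line; any line that is not a single
# upper-case identifier (such as a header line) is skipped.
lkdtm_types() {
    grep -E '^[A-Z][A-Z0-9_]*$' "$LKDTM_ROOT/DIRECT"
}

# lkdtm_trigger <crashpoint> <type>
# Returns 2 for an unknown crash point, 3 for an unknown crash type and
# 4 if the debugfs files are not accessible (module not loaded, not root).
lkdtm_trigger() {
    cpoint=$1
    ctype=$2
    lkdtm_known_cpoint "$cpoint" ||
        { echo "unknown crash point: $cpoint" >&2; return 2; }
    { [ -r "$LKDTM_ROOT/DIRECT" ] && [ -w "$LKDTM_ROOT/$cpoint" ]; } ||
        { echo "cannot access $LKDTM_ROOT/$cpoint" >&2; return 4; }
    # Reject anything that is not a plain identifier before matching it.
    case "$ctype" in
        ''|*[!A-Z0-9_]*) echo "unknown crash type: $ctype" >&2; return 3 ;;
    esac
    lkdtm_types | grep -qxF -- "$ctype" ||
        { echo "unknown crash type: $ctype" >&2; return 3; }
    # A child "cat" performs the write, so a BUG kills it, not this shell.
    printf '%s\n' "$ctype" | cat >"$LKDTM_ROOT/$cpoint"
}
```
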