1 From: Chris Mason <mason@suse.com>
2 Subject: slab testing module
5 drivers/char/Kconfig | 5 +
6 drivers/char/Makefile | 1
7 drivers/char/crasher.c | 225 +++++++++++++++++++++++++++++++++++++++++++++++++
8 3 files changed, 231 insertions(+)
10 --- a/drivers/char/Kconfig
11 +++ b/drivers/char/Kconfig
12 @@ -1104,5 +1104,10 @@ config DEVPORT
14 source "drivers/s390/char/Kconfig"
17 + tristate "Crasher Module"
19 + Slab cache memory tester. Only use this as a module
23 --- a/drivers/char/Makefile
24 +++ b/drivers/char/Makefile
25 @@ -105,6 +105,7 @@ obj-$(CONFIG_IPMI_HANDLER) += ipmi/
27 obj-$(CONFIG_HANGCHECK_TIMER) += hangcheck-timer.o
28 obj-$(CONFIG_TCG_TPM) += tpm/
29 +obj-$(CONFIG_CRASHER) += crasher.o
31 obj-$(CONFIG_PS3_FLASH) += ps3flash.o
34 +++ b/drivers/char/crasher.c
37 + * crasher.c, it breaks things
41 +#include <linux/module.h>
42 +#include <linux/types.h>
43 +#include <linux/kernel.h>
44 +#include <linux/init.h>
45 +#include <linux/slab.h>
46 +#include <linux/completion.h>
47 +#include <linux/jiffies.h>
48 +#include <linux/sched.h>
49 +#include <linux/moduleparam.h>
51 +static int module_exiting;
52 +static struct completion startup = COMPLETION_INITIALIZER(startup);
53 +static unsigned long rand_seed = 152L;
54 +static unsigned long seed = 152L;
55 +static int threads = 1;
56 +static int call_panic;
58 +static int trap_null, call_null, jump_null;
59 +static long trap_read, trap_write, call_bad, jump_bad;
61 +module_param(seed, ulong, 0);
62 +module_param(call_panic, bool, 0);
63 +module_param(call_bug, bool, 0);
64 +module_param(trap_null, bool, 0);
65 +module_param(trap_read, long, 0);
66 +module_param(trap_write, long, 0);
67 +module_param(call_null, bool, 0);
68 +module_param(call_bad, long, 0);
69 +module_param(jump_null, bool, 0);
70 +module_param(jump_bad, long, 0);
71 +module_param(threads, int, 0);
72 +MODULE_PARM_DESC(seed, "random seed for memory tests");
73 +MODULE_PARM_DESC(call_panic, "test option. call panic() and render the system unusable.");
74 +MODULE_PARM_DESC(call_bug, "test option. call BUG() and render the system unusable.");
75 +MODULE_PARM_DESC(trap_null, "test option. dereference a NULL pointer to simulate a crash and render the system unusable.");
76 +MODULE_PARM_DESC(trap_read, "test option. read from an invalid address to simulate a crash and render the system unusable.");
77 +MODULE_PARM_DESC(trap_write, "test option. write to an invalid address to simulate a crash and render the system unusable.");
78 +MODULE_PARM_DESC(call_null, "test option. call a NULL pointer to simulate a crash and render the system unusable.");
79 +MODULE_PARM_DESC(call_bad, "test option. call an invalid address to simulate a crash and render the system unusable.");
80 +MODULE_PARM_DESC(jump_null, "test option. jump to a NULL pointer to simulate a crash and render the system unusable.");
81 +MODULE_PARM_DESC(jump_bad, "test option. jump to an invalid address to simulate a crash and render the system unusable.");
82 +MODULE_PARM_DESC(threads, "number of threads to run");
83 +MODULE_LICENSE("GPL");
87 +static int sizes[] = { 32, 64, 128, 192, 256, 1024, 2048, 4096 };
94 +static unsigned long crasher_random(void)
96 + rand_seed = rand_seed*69069L+1;
97 + return rand_seed^jiffies;
100 +void crasher_srandom(unsigned long entropy)
102 + rand_seed ^= entropy;
106 +static char *mem_alloc(int size) {
107 + char *p = kmalloc(size, GFP_KERNEL);
111 + for (i = 0 ; i < size; i++)
112 + p[i] = (i % 119) + 8;
116 +static void mem_check(char *p, int size) {
120 + for (i = 0 ; i < size; i++) {
121 + if (p[i] != ((i % 119) + 8)) {
122 + printk(KERN_CRIT "verify error at %lX offset %d "
123 + " wanted %d found %d size %d\n",
124 + (unsigned long)(p + i), i, (i % 119) + 8,
128 + // try and trigger slab poisoning for people using this buffer
130 + memset(p, 0, size);
133 +static void mem_verify(void) {
134 + struct mem_buf bufs[NUM_ALLOC];
138 + unsigned long sleep;
139 + memset(bufs, 0, sizeof(struct mem_buf) * NUM_ALLOC);
140 + while(!module_exiting) {
141 + index = crasher_random() % NUM_ALLOC;
144 + mem_check(b->buf, b->size);
149 + size = crasher_random() % NUM_SIZES;
150 + size = sizes[size];
151 + b->buf = mem_alloc(size);
154 + sleep = crasher_random() % (HZ / 10);
155 + set_current_state(TASK_INTERRUPTIBLE);
156 + schedule_timeout(sleep);
157 + set_current_state(TASK_RUNNING);
159 + for (index = 0 ; index < NUM_ALLOC ; index++) {
162 + mem_check(b->buf, b->size);
168 +static int crasher_thread(void *unused)
170 + daemonize("crasher");
171 + complete(&startup);
173 + complete(&startup);
177 +static int __init crasher_init(void)
180 + init_completion(&startup);
181 + crasher_srandom(seed);
184 + panic("test panic from crasher module. Good Luck.\n");
188 + printk("triggering BUG\n");
194 + volatile char *p = NULL;
195 + printk("dereferencing NULL pointer.\n");
200 + const volatile char *p = (char *)trap_read;
201 + printk("reading from invalid(?) address %p.\n", p);
202 + return p[0] ? -EFAULT : -EACCES;
205 + volatile char *p = (char *)trap_write;
206 + printk("writing to invalid(?) address %p.\n", p);
212 + void(*f)(void) = NULL;
213 + printk("calling NULL pointer.\n");
218 + void(*f)(void) = (void(*)(void))call_bad;
219 + printk("calling invalid(?) address %p.\n", f);
224 + /* These two depend on the compiler doing tail call optimization. */
226 + int(*f)(void) = NULL;
227 + printk("jumping to NULL.\n");
231 + int(*f)(void) = (int(*)(void))jump_bad;
232 + printk("jumping to invalid(?) address %p.\n", f);
236 + printk("crasher module (%d threads). Testing sizes: ", threads);
237 + for (i = 0 ; i < NUM_SIZES ; i++)
238 + printk("%d ", sizes[i]);
241 + for (i = 0 ; i < threads ; i++)
242 + kernel_thread(crasher_thread, crasher_thread,
243 + CLONE_FS | CLONE_FILES);
244 + for (i = 0 ; i < threads ; i++)
245 + wait_for_completion(&startup);
249 +static void __exit crasher_exit(void)
252 + module_exiting = 1;
253 + for (i = 0 ; i < threads ; i++)
254 + wait_for_completion(&startup);
255 + printk("all crasher threads done\n");
259 +module_init(crasher_init);
260 +module_exit(crasher_exit);