Commit | Line | Data |
---|---|---|
10ffebbe | 1 | =========================================== |
de1ba09b AM |
2 | Fault injection capabilities infrastructure |
3 | =========================================== | |
4 | ||
1892ce4c | 5 | See also drivers/md/md-faulty.c and "every_nth" module option for scsi_debug. |
de1ba09b AM |
6 | |
7 | ||
8 | Available fault injection capabilities | |
9 | -------------------------------------- | |
10 | ||
10ffebbe | 11 | - failslab |
de1ba09b AM |
12 | |
13 | injects slab allocation failures. (kmalloc(), kmem_cache_alloc(), ...) | |
14 | ||
10ffebbe | 15 | - fail_page_alloc |
de1ba09b AM |
16 | |
17 | injects page allocation failures. (alloc_pages(), get_free_pages(), ...) | |
18 | ||
2c739ced AL |
19 | - fail_usercopy |
20 | ||
21 | injects failures in user memory access functions. (copy_from_user(), get_user(), ...) | |
22 | ||
10ffebbe | 23 | - fail_futex |
ab51fbab DB |
24 | |
25 | injects futex deadlock and uaddr fault errors. | |
26 | ||
400edd8c CL |
27 | - fail_sunrpc |
28 | ||
29 | injects kernel RPC client and server failures. | |
30 | ||
10ffebbe | 31 | - fail_make_request |
de1ba09b | 32 | |
5d0ffa2b | 33 | injects disk IO errors on devices permitted by setting |
de1ba09b | 34 | /sys/block/<device>/make-it-fail or |
ed00aabd | 35 | /sys/block/<device>/<partition>/make-it-fail. (submit_bio_noacct()) |
de1ba09b | 36 | |
10ffebbe | 37 | - fail_mmc_request |
1e4cb22b PF |
38 | |
39 | injects MMC data errors on devices permitted by setting | |
40 | debugfs entries under /sys/kernel/debug/mmc0/fail_mmc_request | |
41 | ||
10ffebbe | 42 | - fail_function |
4b1a29a7 MH |
43 | |
44 | injects error return on specific functions, which are marked by | |
45 | ALLOW_ERROR_INJECTION() macro, by setting debugfs entries | |
46 | under /sys/kernel/debug/fail_function. No boot option supported. | |
47 | ||
10ffebbe | 48 | - NVMe fault injection |
cf4182f3 TT |
49 | |
50 | inject NVMe status code and retry flag on devices permitted by setting | |
51 | debugfs entries under /sys/kernel/debug/nvme*/fault_inject. The default | |
52 | status code is NVME_SC_INVALID_OPCODE with no retry. The status code and | |
53 | retry flag can be set via the debugfs. | |
54 | ||
55 | ||
de1ba09b AM |
56 | Configure fault-injection capabilities behavior |
57 | ----------------------------------------------- | |
58 | ||
10ffebbe MCC |
59 | debugfs entries |
60 | ^^^^^^^^^^^^^^^ | |
de1ba09b AM |
61 | |
62 | fault-inject-debugfs kernel module provides some debugfs entries for runtime | |
63 | configuration of fault-injection capabilities. | |
64 | ||
156f5a78 | 65 | - /sys/kernel/debug/fail*/probability: |
de1ba09b AM |
66 | |
67 | likelihood of failure injection, in percent. | |
10ffebbe | 68 | |
de1ba09b AM |
69 | Format: <percent> |
70 | ||
5d0ffa2b DM |
71 | Note that one-failure-per-hundred is a very high error rate |
72 | for some testcases. Consider setting probability=100 and configure | |
156f5a78 | 73 | /sys/kernel/debug/fail*/interval for such testcases. |
de1ba09b | 74 | |
156f5a78 | 75 | - /sys/kernel/debug/fail*/interval: |
de1ba09b AM |
76 | |
77 | specifies the interval between failures, for calls to | |
78 | should_fail() that pass all the other tests. | |
79 | ||
80 | Note that if you enable this, by setting interval>1, you will | |
81 | probably want to set probability=100. | |
82 | ||
156f5a78 | 83 | - /sys/kernel/debug/fail*/times: |
de1ba09b | 84 | |
00574752 WS |
85 | specifies how many times failures may happen at most. A value of -1 |
86 | means "no limit". Note, though, that this file only accepts unsigned | |
87 | values. So, if you want to specify -1, you better use 'printf' instead | |
88 | of 'echo', e.g.: $ printf %#x -1 > times | |
de1ba09b | 89 | |
156f5a78 | 90 | - /sys/kernel/debug/fail*/space: |
de1ba09b AM |
91 | |
92 | specifies an initial resource "budget", decremented by "size" | |
93 | on each call to should_fail(,size). Failure injection is | |
94 | suppressed until "space" reaches zero. | |
95 | ||
156f5a78 | 96 | - /sys/kernel/debug/fail*/verbose |
de1ba09b AM |
97 | |
98 | Format: { 0 | 1 | 2 } | |
10ffebbe | 99 | |
5d0ffa2b DM |
100 | specifies the verbosity of the messages when failure is |
101 | injected. '0' means no messages; '1' will print only a single | |
102 | log line per failure; '2' will print a call trace too -- useful | |
103 | to debug the problems revealed by fault injection. | |
de1ba09b | 104 | |
156f5a78 | 105 | - /sys/kernel/debug/fail*/task-filter: |
de1ba09b | 106 | |
5d0ffa2b | 107 | Format: { 'Y' | 'N' } |
10ffebbe | 108 | |
5d0ffa2b | 109 | A value of 'N' disables filtering by process (default). |
de1ba09b AM |
110 | Any positive value limits failures to only processes indicated by |
111 | /proc/<pid>/make-it-fail==1. | |
112 | ||
10ffebbe MCC |
113 | - /sys/kernel/debug/fail*/require-start, |
114 | /sys/kernel/debug/fail*/require-end, | |
115 | /sys/kernel/debug/fail*/reject-start, | |
116 | /sys/kernel/debug/fail*/reject-end: | |
de1ba09b AM |
117 | |
118 | specifies the range of virtual addresses tested during | |
119 | stacktrace walking. Failure is injected only if some caller | |
329409ae AM |
120 | in the walked stacktrace lies within the required range, and |
121 | none lies within the rejected range. | |
122 | Default required range is [0,ULONG_MAX) (whole of virtual address space). | |
123 | Default rejected range is [0,0). | |
de1ba09b | 124 | |
156f5a78 | 125 | - /sys/kernel/debug/fail*/stacktrace-depth: |
de1ba09b AM |
126 | |
127 | specifies the maximum stacktrace depth walked during search | |
5d0ffa2b DM |
128 | for a caller within [require-start,require-end) OR |
129 | [reject-start,reject-end). | |
de1ba09b | 130 | |
156f5a78 | 131 | - /sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem: |
de1ba09b | 132 | |
5d0ffa2b | 133 | Format: { 'Y' | 'N' } |
10ffebbe | 134 | |
bad3fbb2 DY |
135 | default is 'Y', setting it to 'N' will also inject failures into |
136 | highmem/user allocations (__GFP_HIGHMEM allocations). | |
de1ba09b | 137 | |
156f5a78 GL |
138 | - /sys/kernel/debug/failslab/ignore-gfp-wait: |
139 | - /sys/kernel/debug/fail_page_alloc/ignore-gfp-wait: | |
de1ba09b | 140 | |
5d0ffa2b | 141 | Format: { 'Y' | 'N' } |
10ffebbe | 142 | |
bad3fbb2 DY |
143 | default is 'Y', setting it to 'N' will also inject failures |
144 | into allocations that can sleep (__GFP_DIRECT_RECLAIM allocations). | |
de1ba09b | 145 | |
156f5a78 | 146 | - /sys/kernel/debug/fail_page_alloc/min-order: |
54114994 AM |
147 | |
148 | specifies the minimum page allocation order to be injected | |
149 | failures. | |
150 | ||
ab51fbab DB |
151 | - /sys/kernel/debug/fail_futex/ignore-private: |
152 | ||
153 | Format: { 'Y' | 'N' } | |
10ffebbe | 154 | |
ab51fbab DB |
155 | default is 'N', setting it to 'Y' will disable failure injections |
156 | when dealing with private (address space) futexes. | |
157 | ||
400edd8c CL |
158 | - /sys/kernel/debug/fail_sunrpc/ignore-client-disconnect: |
159 | ||
160 | Format: { 'Y' | 'N' } | |
161 | ||
162 | default is 'N', setting it to 'Y' will disable disconnect | |
163 | injection on the RPC client. | |
164 | ||
165 | - /sys/kernel/debug/fail_sunrpc/ignore-server-disconnect: | |
166 | ||
167 | Format: { 'Y' | 'N' } | |
168 | ||
169 | default is 'N', setting it to 'Y' will disable disconnect | |
170 | injection on the RPC server. | |
171 | ||
4b1a29a7 MH |
172 | - /sys/kernel/debug/fail_function/inject: |
173 | ||
174 | Format: { 'function-name' | '!function-name' | '' } | |
10ffebbe | 175 | |
4b1a29a7 MH |
176 | specifies the target function of error injection by name. |
177 | If the function name leads '!' prefix, given function is | |
178 | removed from injection list. If nothing specified ('') | |
179 | injection list is cleared. | |
180 | ||
181 | - /sys/kernel/debug/fail_function/injectable: | |
182 | ||
183 | (read only) shows error injectable functions and what type of | |
184 | error values can be specified. The error type will be one of | |
185 | below; | |
186 | - NULL: retval must be 0. | |
187 | - ERRNO: retval must be -1 to -MAX_ERRNO (-4096). | |
188 | - ERR_NULL: retval must be 0 or -1 to -MAX_ERRNO (-4096). | |
189 | ||
00574752 | 190 | - /sys/kernel/debug/fail_function/<function-name>/retval: |
4b1a29a7 | 191 | |
00574752 WS |
192 | specifies the "error" return value to inject to the given function. |
193 | This will be created when the user specifies a new injection entry. | |
194 | Note that this file only accepts unsigned values. So, if you want to | |
195 | use a negative errno, you better use 'printf' instead of 'echo', e.g.: | |
196 | $ printf %#x -12 > retval | |
4b1a29a7 | 197 | |
10ffebbe MCC |
198 | Boot option |
199 | ^^^^^^^^^^^ | |
de1ba09b AM |
200 | |
201 | In order to inject faults while debugfs is not available (early boot time), | |
10ffebbe | 202 | use the boot option:: |
de1ba09b AM |
203 | |
204 | failslab= | |
205 | fail_page_alloc= | |
2c739ced | 206 | fail_usercopy= |
1e4cb22b | 207 | fail_make_request= |
ab51fbab | 208 | fail_futex= |
199e3f4b | 209 | mmc_core.fail_request=<interval>,<probability>,<space>,<times> |
de1ba09b | 210 | |
10ffebbe MCC |
211 | proc entries |
212 | ^^^^^^^^^^^^ | |
e41d5818 | 213 | |
10ffebbe MCC |
214 | - /proc/<pid>/fail-nth, |
215 | /proc/self/task/<tid>/fail-nth: | |
e41d5818 | 216 | |
9049f2f6 | 217 | Write to this file of integer N makes N-th call in the task fail. |
bfc74093 AM |
218 | Read from this file returns a integer value. A value of '0' indicates |
219 | that the fault setup with a previous write to this file was injected. | |
220 | A positive integer N indicates that the fault wasn't yet injected. | |
e41d5818 DV |
221 | Note that this file enables all types of faults (slab, futex, etc). |
222 | This setting takes precedence over all other generic debugfs settings | |
223 | like probability, interval, times, etc. But per-capability settings | |
224 | (e.g. fail_futex/ignore-private) take precedence over it. | |
225 | ||
226 | This feature is intended for systematic testing of faults in a single | |
227 | system call. See an example below. | |
228 | ||
de1ba09b AM |
229 | How to add new fault injection capability |
230 | ----------------------------------------- | |
231 | ||
10ffebbe | 232 | - #include <linux/fault-inject.h> |
de1ba09b | 233 | |
10ffebbe | 234 | - define the fault attributes |
de1ba09b | 235 | |
2d87948a | 236 | DECLARE_FAULT_ATTR(name); |
de1ba09b AM |
237 | |
238 | Please see the definition of struct fault_attr in fault-inject.h | |
239 | for details. | |
240 | ||
10ffebbe | 241 | - provide a way to configure fault attributes |
de1ba09b AM |
242 | |
243 | - boot option | |
244 | ||
245 | If you need to enable the fault injection capability from boot time, you can | |
5d0ffa2b | 246 | provide boot option to configure it. There is a helper function for it: |
de1ba09b | 247 | |
5d0ffa2b | 248 | setup_fault_attr(attr, str); |
de1ba09b AM |
249 | |
250 | - debugfs entries | |
251 | ||
2c739ced | 252 | failslab, fail_page_alloc, fail_usercopy, and fail_make_request use this way. |
5d0ffa2b | 253 | Helper functions: |
de1ba09b | 254 | |
dd48c085 | 255 | fault_create_debugfs_attr(name, parent, attr); |
de1ba09b AM |
256 | |
257 | - module parameters | |
258 | ||
259 | If the scope of the fault injection capability is limited to a | |
260 | single kernel module, it is better to provide module parameters to | |
261 | configure the fault attributes. | |
262 | ||
10ffebbe | 263 | - add a hook to insert failures |
de1ba09b | 264 | |
10ffebbe | 265 | Upon should_fail() returning true, client code should inject a failure: |
de1ba09b | 266 | |
5d0ffa2b | 267 | should_fail(attr, size); |
de1ba09b AM |
268 | |
269 | Application Examples | |
270 | -------------------- | |
271 | ||
10ffebbe | 272 | - Inject slab allocation failures into module init/exit code:: |
de1ba09b | 273 | |
10ffebbe | 274 | #!/bin/bash |
de1ba09b | 275 | |
10ffebbe MCC |
276 | FAILTYPE=failslab |
277 | echo Y > /sys/kernel/debug/$FAILTYPE/task-filter | |
278 | echo 10 > /sys/kernel/debug/$FAILTYPE/probability | |
279 | echo 100 > /sys/kernel/debug/$FAILTYPE/interval | |
00574752 | 280 | printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times |
10ffebbe MCC |
281 | echo 0 > /sys/kernel/debug/$FAILTYPE/space |
282 | echo 2 > /sys/kernel/debug/$FAILTYPE/verbose | |
bad3fbb2 | 283 | echo Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait |
de1ba09b | 284 | |
10ffebbe MCC |
285 | faulty_system() |
286 | { | |
18584870 | 287 | bash -c "echo 1 > /proc/self/make-it-fail && exec $*" |
10ffebbe | 288 | } |
de1ba09b | 289 | |
10ffebbe MCC |
290 | if [ $# -eq 0 ] |
291 | then | |
18584870 AM |
292 | echo "Usage: $0 modulename [ modulename ... ]" |
293 | exit 1 | |
10ffebbe | 294 | fi |
18584870 | 295 | |
10ffebbe MCC |
296 | for m in $* |
297 | do | |
18584870 AM |
298 | echo inserting $m... |
299 | faulty_system modprobe $m | |
de1ba09b | 300 | |
18584870 AM |
301 | echo removing $m... |
302 | faulty_system modprobe -r $m | |
10ffebbe | 303 | done |
de1ba09b AM |
304 | |
305 | ------------------------------------------------------------------------------ | |
306 | ||
10ffebbe | 307 | - Inject page allocation failures only for a specific module:: |
de1ba09b | 308 | |
10ffebbe | 309 | #!/bin/bash |
de1ba09b | 310 | |
10ffebbe MCC |
311 | FAILTYPE=fail_page_alloc |
312 | module=$1 | |
de1ba09b | 313 | |
10ffebbe MCC |
314 | if [ -z $module ] |
315 | then | |
18584870 AM |
316 | echo "Usage: $0 <modulename>" |
317 | exit 1 | |
10ffebbe | 318 | fi |
de1ba09b | 319 | |
10ffebbe | 320 | modprobe $module |
de1ba09b | 321 | |
10ffebbe MCC |
322 | if [ ! -d /sys/module/$module/sections ] |
323 | then | |
18584870 AM |
324 | echo Module $module is not loaded |
325 | exit 1 | |
10ffebbe | 326 | fi |
18584870 | 327 | |
10ffebbe MCC |
328 | cat /sys/module/$module/sections/.text > /sys/kernel/debug/$FAILTYPE/require-start |
329 | cat /sys/module/$module/sections/.data > /sys/kernel/debug/$FAILTYPE/require-end | |
18584870 | 330 | |
10ffebbe MCC |
331 | echo N > /sys/kernel/debug/$FAILTYPE/task-filter |
332 | echo 10 > /sys/kernel/debug/$FAILTYPE/probability | |
333 | echo 100 > /sys/kernel/debug/$FAILTYPE/interval | |
00574752 | 334 | printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times |
10ffebbe MCC |
335 | echo 0 > /sys/kernel/debug/$FAILTYPE/space |
336 | echo 2 > /sys/kernel/debug/$FAILTYPE/verbose | |
bad3fbb2 DY |
337 | echo Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait |
338 | echo Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-highmem | |
10ffebbe | 339 | echo 10 > /sys/kernel/debug/$FAILTYPE/stacktrace-depth |
18584870 | 340 | |
10ffebbe | 341 | trap "echo 0 > /sys/kernel/debug/$FAILTYPE/probability" SIGINT SIGTERM EXIT |
18584870 | 342 | |
10ffebbe MCC |
343 | echo "Injecting errors into the module $module... (interrupt to stop)" |
344 | sleep 1000000 | |
de1ba09b | 345 | |
4b1a29a7 MH |
346 | ------------------------------------------------------------------------------ |
347 | ||
10ffebbe MCC |
348 | - Inject open_ctree error while btrfs mount:: |
349 | ||
350 | #!/bin/bash | |
351 | ||
352 | rm -f testfile.img | |
353 | dd if=/dev/zero of=testfile.img bs=1M seek=1000 count=1 | |
354 | DEVICE=$(losetup --show -f testfile.img) | |
355 | mkfs.btrfs -f $DEVICE | |
356 | mkdir -p tmpmnt | |
357 | ||
358 | FAILTYPE=fail_function | |
359 | FAILFUNC=open_ctree | |
360 | echo $FAILFUNC > /sys/kernel/debug/$FAILTYPE/inject | |
00574752 | 361 | printf %#x -12 > /sys/kernel/debug/$FAILTYPE/$FAILFUNC/retval |
10ffebbe MCC |
362 | echo N > /sys/kernel/debug/$FAILTYPE/task-filter |
363 | echo 100 > /sys/kernel/debug/$FAILTYPE/probability | |
364 | echo 0 > /sys/kernel/debug/$FAILTYPE/interval | |
00574752 | 365 | printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times |
10ffebbe MCC |
366 | echo 0 > /sys/kernel/debug/$FAILTYPE/space |
367 | echo 1 > /sys/kernel/debug/$FAILTYPE/verbose | |
368 | ||
369 | mount -t btrfs $DEVICE tmpmnt | |
370 | if [ $? -ne 0 ] | |
371 | then | |
4b1a29a7 | 372 | echo "SUCCESS!" |
10ffebbe | 373 | else |
4b1a29a7 MH |
374 | echo "FAILED!" |
375 | umount tmpmnt | |
10ffebbe | 376 | fi |
4b1a29a7 | 377 | |
10ffebbe | 378 | echo > /sys/kernel/debug/$FAILTYPE/inject |
4b1a29a7 | 379 | |
10ffebbe MCC |
380 | rmdir tmpmnt |
381 | losetup -d $DEVICE | |
382 | rm testfile.img | |
4b1a29a7 MH |
383 | |
384 | ||
c24aa64d AM |
385 | Tool to run command with failslab or fail_page_alloc |
386 | ---------------------------------------------------- | |
387 | In order to make it easier to accomplish the tasks mentioned above, we can use | |
388 | tools/testing/fault-injection/failcmd.sh. Please run a command | |
389 | "./tools/testing/fault-injection/failcmd.sh --help" for more information and | |
390 | see the following examples. | |
391 | ||
392 | Examples: | |
393 | ||
394 | Run a command "make -C tools/testing/selftests/ run_tests" with injecting slab | |
10ffebbe | 395 | allocation failure:: |
c24aa64d AM |
396 | |
397 | # ./tools/testing/fault-injection/failcmd.sh \ | |
398 | -- make -C tools/testing/selftests/ run_tests | |
399 | ||
400 | Same as above except to specify 100 times failures at most instead of one time | |
10ffebbe | 401 | at most by default:: |
c24aa64d AM |
402 | |
403 | # ./tools/testing/fault-injection/failcmd.sh --times=100 \ | |
404 | -- make -C tools/testing/selftests/ run_tests | |
405 | ||
406 | Same as above except to inject page allocation failure instead of slab | |
10ffebbe | 407 | allocation failure:: |
c24aa64d AM |
408 | |
409 | # env FAILCMD_TYPE=fail_page_alloc \ | |
410 | ./tools/testing/fault-injection/failcmd.sh --times=100 \ | |
10ffebbe | 411 | -- make -C tools/testing/selftests/ run_tests |
e41d5818 DV |
412 | |
413 | Systematic faults using fail-nth | |
414 | --------------------------------- | |
415 | ||
416 | The following code systematically faults 0-th, 1-st, 2-nd and so on | |
10ffebbe MCC |
417 | capabilities in the socketpair() system call:: |
418 | ||
419 | #include <sys/types.h> | |
420 | #include <sys/stat.h> | |
421 | #include <sys/socket.h> | |
422 | #include <sys/syscall.h> | |
423 | #include <fcntl.h> | |
424 | #include <unistd.h> | |
425 | #include <string.h> | |
426 | #include <stdlib.h> | |
427 | #include <stdio.h> | |
428 | #include <errno.h> | |
429 | ||
430 | int main() | |
431 | { | |
e41d5818 DV |
432 | int i, err, res, fail_nth, fds[2]; |
433 | char buf[128]; | |
434 | ||
435 | system("echo N > /sys/kernel/debug/failslab/ignore-gfp-wait"); | |
436 | sprintf(buf, "/proc/self/task/%ld/fail-nth", syscall(SYS_gettid)); | |
437 | fail_nth = open(buf, O_RDWR); | |
9049f2f6 | 438 | for (i = 1;; i++) { |
e41d5818 DV |
439 | sprintf(buf, "%d", i); |
440 | write(fail_nth, buf, strlen(buf)); | |
441 | res = socketpair(AF_LOCAL, SOCK_STREAM, 0, fds); | |
442 | err = errno; | |
bfc74093 | 443 | pread(fail_nth, buf, sizeof(buf), 0); |
e41d5818 DV |
444 | if (res == 0) { |
445 | close(fds[0]); | |
446 | close(fds[1]); | |
447 | } | |
bfc74093 AM |
448 | printf("%d-th fault %c: res=%d/%d\n", i, atoi(buf) ? 'N' : 'Y', |
449 | res, err); | |
450 | if (atoi(buf)) | |
e41d5818 DV |
451 | break; |
452 | } | |
453 | return 0; | |
10ffebbe MCC |
454 | } |
455 | ||
456 | An example output:: | |
457 | ||
458 | 1-th fault Y: res=-1/23 | |
459 | 2-th fault Y: res=-1/23 | |
460 | 3-th fault Y: res=-1/12 | |
461 | 4-th fault Y: res=-1/12 | |
462 | 5-th fault Y: res=-1/23 | |
463 | 6-th fault Y: res=-1/23 | |
464 | 7-th fault Y: res=-1/23 | |
465 | 8-th fault Y: res=-1/12 | |
466 | 9-th fault Y: res=-1/12 | |
467 | 10-th fault Y: res=-1/12 | |
468 | 11-th fault Y: res=-1/12 | |
469 | 12-th fault Y: res=-1/12 | |
470 | 13-th fault Y: res=-1/12 | |
471 | 14-th fault Y: res=-1/12 | |
472 | 15-th fault Y: res=-1/12 | |
473 | 16-th fault N: res=0/12 |