Commit | Line | Data |
---|---|---|
10ffebbe | 1 | =========================================== |
de1ba09b AM |
2 | Fault injection capabilities infrastructure |
3 | =========================================== | |
4 | ||
1892ce4c | 5 | See also drivers/md/md-faulty.c and "every_nth" module option for scsi_debug. |
de1ba09b AM |
6 | |
7 | ||
8 | Available fault injection capabilities | |
9 | -------------------------------------- | |
10 | ||
10ffebbe | 11 | - failslab |
de1ba09b AM |
12 | |
13 | injects slab allocation failures. (kmalloc(), kmem_cache_alloc(), ...) | |
14 | ||
10ffebbe | 15 | - fail_page_alloc |
de1ba09b AM |
16 | |
17 | injects page allocation failures. (alloc_pages(), get_free_pages(), ...) | |
18 | ||
2c739ced AL |
19 | - fail_usercopy |
20 | ||
21 | injects failures in user memory access functions. (copy_from_user(), get_user(), ...) | |
22 | ||
10ffebbe | 23 | - fail_futex |
ab51fbab DB |
24 | |
25 | injects futex deadlock and uaddr fault errors. | |
26 | ||
400edd8c CL |
27 | - fail_sunrpc |
28 | ||
29 | injects kernel RPC client and server failures. | |
30 | ||
10ffebbe | 31 | - fail_make_request |
de1ba09b | 32 | |
5d0ffa2b | 33 | injects disk IO errors on devices permitted by setting |
de1ba09b | 34 | /sys/block/<device>/make-it-fail or |
ed00aabd | 35 | /sys/block/<device>/<partition>/make-it-fail. (submit_bio_noacct()) |
de1ba09b | 36 | |
10ffebbe | 37 | - fail_mmc_request |
1e4cb22b PF |
38 | |
39 | injects MMC data errors on devices permitted by setting | |
40 | debugfs entries under /sys/kernel/debug/mmc0/fail_mmc_request | |
41 | ||
10ffebbe | 42 | - fail_function |
4b1a29a7 MH |
43 | |
44 | injects error return on specific functions, which are marked by | |
45 | ALLOW_ERROR_INJECTION() macro, by setting debugfs entries | |
46 | under /sys/kernel/debug/fail_function. No boot option supported. | |
47 | ||
10ffebbe | 48 | - NVMe fault injection |
cf4182f3 TT |
49 | |
50 | inject NVMe status code and retry flag on devices permitted by setting | |
51 | debugfs entries under /sys/kernel/debug/nvme*/fault_inject. The default | |
52 | status code is NVME_SC_INVALID_OPCODE with no retry. The status code and | |
53 | retry flag can be set via the debugfs. | |
54 | ||
55 | ||
de1ba09b AM |
56 | Configure fault-injection capabilities behavior |
57 | ----------------------------------------------- | |
58 | ||
10ffebbe MCC |
59 | debugfs entries |
60 | ^^^^^^^^^^^^^^^ | |
de1ba09b AM |
61 | |
62 | fault-inject-debugfs kernel module provides some debugfs entries for runtime | |
63 | configuration of fault-injection capabilities. | |
64 | ||
156f5a78 | 65 | - /sys/kernel/debug/fail*/probability: |
de1ba09b AM |
66 | |
67 | likelihood of failure injection, in percent. | |
10ffebbe | 68 | |
de1ba09b AM |
69 | Format: <percent> |
70 | ||
5d0ffa2b DM |
71 | Note that one-failure-per-hundred is a very high error rate |
72 | for some testcases. Consider setting probability=100 and configure | |
156f5a78 | 73 | /sys/kernel/debug/fail*/interval for such testcases. |
de1ba09b | 74 | |
156f5a78 | 75 | - /sys/kernel/debug/fail*/interval: |
de1ba09b AM |
76 | |
77 | specifies the interval between failures, for calls to | |
78 | should_fail() that pass all the other tests. | |
79 | ||
80 | Note that if you enable this, by setting interval>1, you will | |
81 | probably want to set probability=100. | |
82 | ||
156f5a78 | 83 | - /sys/kernel/debug/fail*/times: |
de1ba09b | 84 | |
00574752 | 85 | specifies how many times failures may happen at most. A value of -1 |
d472cf79 | 86 | means "no limit". |
de1ba09b | 87 | |
156f5a78 | 88 | - /sys/kernel/debug/fail*/space: |
de1ba09b AM |
89 | |
90 | specifies an initial resource "budget", decremented by "size" | |
91 | on each call to should_fail(,size). Failure injection is | |
92 | suppressed until "space" reaches zero. | |
93 | ||
156f5a78 | 94 | - /sys/kernel/debug/fail*/verbose |
de1ba09b AM |
95 | |
96 | Format: { 0 | 1 | 2 } | |
10ffebbe | 97 | |
5d0ffa2b DM |
98 | specifies the verbosity of the messages when failure is |
99 | injected. '0' means no messages; '1' will print only a single | |
100 | log line per failure; '2' will print a call trace too -- useful | |
101 | to debug the problems revealed by fault injection. | |
de1ba09b | 102 | |
156f5a78 | 103 | - /sys/kernel/debug/fail*/task-filter: |
de1ba09b | 104 | |
5d0ffa2b | 105 | Format: { 'Y' | 'N' } |
10ffebbe | 106 | |
5d0ffa2b | 107 | A value of 'N' disables filtering by process (default). |
de1ba09b AM |
108 | Any positive value limits failures to only processes indicated by |
109 | /proc/<pid>/make-it-fail==1. | |
110 | ||
10ffebbe MCC |
111 | - /sys/kernel/debug/fail*/require-start, |
112 | /sys/kernel/debug/fail*/require-end, | |
113 | /sys/kernel/debug/fail*/reject-start, | |
114 | /sys/kernel/debug/fail*/reject-end: | |
de1ba09b AM |
115 | |
116 | specifies the range of virtual addresses tested during | |
117 | stacktrace walking. Failure is injected only if some caller | |
329409ae AM |
118 | in the walked stacktrace lies within the required range, and |
119 | none lies within the rejected range. | |
120 | Default required range is [0,ULONG_MAX) (whole of virtual address space). | |
121 | Default rejected range is [0,0). | |
de1ba09b | 122 | |
156f5a78 | 123 | - /sys/kernel/debug/fail*/stacktrace-depth: |
de1ba09b AM |
124 | |
125 | specifies the maximum stacktrace depth walked during search | |
5d0ffa2b DM |
126 | for a caller within [require-start,require-end) OR |
127 | [reject-start,reject-end). | |
de1ba09b | 128 | |
156f5a78 | 129 | - /sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem: |
de1ba09b | 130 | |
5d0ffa2b | 131 | Format: { 'Y' | 'N' } |
10ffebbe | 132 | |
bad3fbb2 DY |
133 | default is 'Y', setting it to 'N' will also inject failures into |
134 | highmem/user allocations (__GFP_HIGHMEM allocations). | |
de1ba09b | 135 | |
156f5a78 GL |
136 | - /sys/kernel/debug/failslab/ignore-gfp-wait: |
137 | - /sys/kernel/debug/fail_page_alloc/ignore-gfp-wait: | |
de1ba09b | 138 | |
5d0ffa2b | 139 | Format: { 'Y' | 'N' } |
10ffebbe | 140 | |
bad3fbb2 DY |
141 | default is 'Y', setting it to 'N' will also inject failures |
142 | into allocations that can sleep (__GFP_DIRECT_RECLAIM allocations). | |
de1ba09b | 143 | |
156f5a78 | 144 | - /sys/kernel/debug/fail_page_alloc/min-order: |
54114994 AM |
145 | |
146 | specifies the minimum page allocation order to be injected | |
147 | failures. | |
148 | ||
ab51fbab DB |
149 | - /sys/kernel/debug/fail_futex/ignore-private: |
150 | ||
151 | Format: { 'Y' | 'N' } | |
10ffebbe | 152 | |
ab51fbab DB |
153 | default is 'N', setting it to 'Y' will disable failure injections |
154 | when dealing with private (address space) futexes. | |
155 | ||
400edd8c CL |
156 | - /sys/kernel/debug/fail_sunrpc/ignore-client-disconnect: |
157 | ||
158 | Format: { 'Y' | 'N' } | |
159 | ||
160 | default is 'N', setting it to 'Y' will disable disconnect | |
161 | injection on the RPC client. | |
162 | ||
163 | - /sys/kernel/debug/fail_sunrpc/ignore-server-disconnect: | |
164 | ||
165 | Format: { 'Y' | 'N' } | |
166 | ||
167 | default is 'N', setting it to 'Y' will disable disconnect | |
168 | injection on the RPC server. | |
169 | ||
36f2ef2d CL |
170 | - /sys/kernel/debug/fail_sunrpc/ignore-cache-wait: |
171 | ||
172 | Format: { 'Y' | 'N' } | |
173 | ||
174 | default is 'N', setting it to 'Y' will disable cache wait | |
175 | injection on the RPC server. | |
176 | ||
4b1a29a7 MH |
177 | - /sys/kernel/debug/fail_function/inject: |
178 | ||
179 | Format: { 'function-name' | '!function-name' | '' } | |
10ffebbe | 180 | |
4b1a29a7 MH |
181 | specifies the target function of error injection by name. |
182 | If the function name leads '!' prefix, given function is | |
183 | removed from injection list. If nothing specified ('') | |
184 | injection list is cleared. | |
185 | ||
186 | - /sys/kernel/debug/fail_function/injectable: | |
187 | ||
188 | (read only) shows error injectable functions and what type of | |
189 | error values can be specified. The error type will be one of | |
190 | below; | |
191 | - NULL: retval must be 0. | |
192 | - ERRNO: retval must be -1 to -MAX_ERRNO (-4096). | |
193 | - ERR_NULL: retval must be 0 or -1 to -MAX_ERRNO (-4096). | |
194 | ||
00574752 | 195 | - /sys/kernel/debug/fail_function/<function-name>/retval: |
4b1a29a7 | 196 | |
00574752 WS |
197 | specifies the "error" return value to inject to the given function. |
198 | This will be created when the user specifies a new injection entry. | |
199 | Note that this file only accepts unsigned values. So, if you want to | |
200 | use a negative errno, you better use 'printf' instead of 'echo', e.g.: | |
201 | $ printf %#x -12 > retval | |
4b1a29a7 | 202 | |
10ffebbe MCC |
203 | Boot option |
204 | ^^^^^^^^^^^ | |
de1ba09b AM |
205 | |
206 | In order to inject faults while debugfs is not available (early boot time), | |
10ffebbe | 207 | use the boot option:: |
de1ba09b AM |
208 | |
209 | failslab= | |
210 | fail_page_alloc= | |
2c739ced | 211 | fail_usercopy= |
1e4cb22b | 212 | fail_make_request= |
ab51fbab | 213 | fail_futex= |
199e3f4b | 214 | mmc_core.fail_request=<interval>,<probability>,<space>,<times> |
de1ba09b | 215 | |
10ffebbe MCC |
216 | proc entries |
217 | ^^^^^^^^^^^^ | |
e41d5818 | 218 | |
10ffebbe MCC |
219 | - /proc/<pid>/fail-nth, |
220 | /proc/self/task/<tid>/fail-nth: | |
e41d5818 | 221 | |
9049f2f6 | 222 | Write to this file of integer N makes N-th call in the task fail. |
bfc74093 AM |
223 | Read from this file returns a integer value. A value of '0' indicates |
224 | that the fault setup with a previous write to this file was injected. | |
225 | A positive integer N indicates that the fault wasn't yet injected. | |
e41d5818 DV |
226 | Note that this file enables all types of faults (slab, futex, etc). |
227 | This setting takes precedence over all other generic debugfs settings | |
228 | like probability, interval, times, etc. But per-capability settings | |
229 | (e.g. fail_futex/ignore-private) take precedence over it. | |
230 | ||
231 | This feature is intended for systematic testing of faults in a single | |
232 | system call. See an example below. | |
233 | ||
de1ba09b AM |
234 | How to add new fault injection capability |
235 | ----------------------------------------- | |
236 | ||
10ffebbe | 237 | - #include <linux/fault-inject.h> |
de1ba09b | 238 | |
10ffebbe | 239 | - define the fault attributes |
de1ba09b | 240 | |
2d87948a | 241 | DECLARE_FAULT_ATTR(name); |
de1ba09b AM |
242 | |
243 | Please see the definition of struct fault_attr in fault-inject.h | |
244 | for details. | |
245 | ||
10ffebbe | 246 | - provide a way to configure fault attributes |
de1ba09b AM |
247 | |
248 | - boot option | |
249 | ||
250 | If you need to enable the fault injection capability from boot time, you can | |
5d0ffa2b | 251 | provide boot option to configure it. There is a helper function for it: |
de1ba09b | 252 | |
5d0ffa2b | 253 | setup_fault_attr(attr, str); |
de1ba09b AM |
254 | |
255 | - debugfs entries | |
256 | ||
2c739ced | 257 | failslab, fail_page_alloc, fail_usercopy, and fail_make_request use this way. |
5d0ffa2b | 258 | Helper functions: |
de1ba09b | 259 | |
dd48c085 | 260 | fault_create_debugfs_attr(name, parent, attr); |
de1ba09b AM |
261 | |
262 | - module parameters | |
263 | ||
264 | If the scope of the fault injection capability is limited to a | |
265 | single kernel module, it is better to provide module parameters to | |
266 | configure the fault attributes. | |
267 | ||
10ffebbe | 268 | - add a hook to insert failures |
de1ba09b | 269 | |
10ffebbe | 270 | Upon should_fail() returning true, client code should inject a failure: |
de1ba09b | 271 | |
5d0ffa2b | 272 | should_fail(attr, size); |
de1ba09b AM |
273 | |
274 | Application Examples | |
275 | -------------------- | |
276 | ||
10ffebbe | 277 | - Inject slab allocation failures into module init/exit code:: |
de1ba09b | 278 | |
10ffebbe | 279 | #!/bin/bash |
de1ba09b | 280 | |
10ffebbe MCC |
281 | FAILTYPE=failslab |
282 | echo Y > /sys/kernel/debug/$FAILTYPE/task-filter | |
283 | echo 10 > /sys/kernel/debug/$FAILTYPE/probability | |
284 | echo 100 > /sys/kernel/debug/$FAILTYPE/interval | |
d472cf79 | 285 | echo -1 > /sys/kernel/debug/$FAILTYPE/times |
10ffebbe MCC |
286 | echo 0 > /sys/kernel/debug/$FAILTYPE/space |
287 | echo 2 > /sys/kernel/debug/$FAILTYPE/verbose | |
bad3fbb2 | 288 | echo Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait |
de1ba09b | 289 | |
10ffebbe MCC |
290 | faulty_system() |
291 | { | |
18584870 | 292 | bash -c "echo 1 > /proc/self/make-it-fail && exec $*" |
10ffebbe | 293 | } |
de1ba09b | 294 | |
10ffebbe MCC |
295 | if [ $# -eq 0 ] |
296 | then | |
18584870 AM |
297 | echo "Usage: $0 modulename [ modulename ... ]" |
298 | exit 1 | |
10ffebbe | 299 | fi |
18584870 | 300 | |
10ffebbe MCC |
301 | for m in $* |
302 | do | |
18584870 AM |
303 | echo inserting $m... |
304 | faulty_system modprobe $m | |
de1ba09b | 305 | |
18584870 AM |
306 | echo removing $m... |
307 | faulty_system modprobe -r $m | |
10ffebbe | 308 | done |
de1ba09b AM |
309 | |
310 | ------------------------------------------------------------------------------ | |
311 | ||
10ffebbe | 312 | - Inject page allocation failures only for a specific module:: |
de1ba09b | 313 | |
10ffebbe | 314 | #!/bin/bash |
de1ba09b | 315 | |
10ffebbe MCC |
316 | FAILTYPE=fail_page_alloc |
317 | module=$1 | |
de1ba09b | 318 | |
10ffebbe MCC |
319 | if [ -z $module ] |
320 | then | |
18584870 AM |
321 | echo "Usage: $0 <modulename>" |
322 | exit 1 | |
10ffebbe | 323 | fi |
de1ba09b | 324 | |
10ffebbe | 325 | modprobe $module |
de1ba09b | 326 | |
10ffebbe MCC |
327 | if [ ! -d /sys/module/$module/sections ] |
328 | then | |
18584870 AM |
329 | echo Module $module is not loaded |
330 | exit 1 | |
10ffebbe | 331 | fi |
18584870 | 332 | |
10ffebbe MCC |
333 | cat /sys/module/$module/sections/.text > /sys/kernel/debug/$FAILTYPE/require-start |
334 | cat /sys/module/$module/sections/.data > /sys/kernel/debug/$FAILTYPE/require-end | |
18584870 | 335 | |
10ffebbe MCC |
336 | echo N > /sys/kernel/debug/$FAILTYPE/task-filter |
337 | echo 10 > /sys/kernel/debug/$FAILTYPE/probability | |
338 | echo 100 > /sys/kernel/debug/$FAILTYPE/interval | |
d472cf79 | 339 | echo -1 > /sys/kernel/debug/$FAILTYPE/times |
10ffebbe MCC |
340 | echo 0 > /sys/kernel/debug/$FAILTYPE/space |
341 | echo 2 > /sys/kernel/debug/$FAILTYPE/verbose | |
bad3fbb2 DY |
342 | echo Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait |
343 | echo Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-highmem | |
10ffebbe | 344 | echo 10 > /sys/kernel/debug/$FAILTYPE/stacktrace-depth |
18584870 | 345 | |
10ffebbe | 346 | trap "echo 0 > /sys/kernel/debug/$FAILTYPE/probability" SIGINT SIGTERM EXIT |
18584870 | 347 | |
10ffebbe MCC |
348 | echo "Injecting errors into the module $module... (interrupt to stop)" |
349 | sleep 1000000 | |
de1ba09b | 350 | |
4b1a29a7 MH |
351 | ------------------------------------------------------------------------------ |
352 | ||
10ffebbe MCC |
353 | - Inject open_ctree error while btrfs mount:: |
354 | ||
355 | #!/bin/bash | |
356 | ||
357 | rm -f testfile.img | |
358 | dd if=/dev/zero of=testfile.img bs=1M seek=1000 count=1 | |
359 | DEVICE=$(losetup --show -f testfile.img) | |
360 | mkfs.btrfs -f $DEVICE | |
361 | mkdir -p tmpmnt | |
362 | ||
363 | FAILTYPE=fail_function | |
364 | FAILFUNC=open_ctree | |
365 | echo $FAILFUNC > /sys/kernel/debug/$FAILTYPE/inject | |
00574752 | 366 | printf %#x -12 > /sys/kernel/debug/$FAILTYPE/$FAILFUNC/retval |
10ffebbe MCC |
367 | echo N > /sys/kernel/debug/$FAILTYPE/task-filter |
368 | echo 100 > /sys/kernel/debug/$FAILTYPE/probability | |
369 | echo 0 > /sys/kernel/debug/$FAILTYPE/interval | |
d472cf79 | 370 | echo -1 > /sys/kernel/debug/$FAILTYPE/times |
10ffebbe MCC |
371 | echo 0 > /sys/kernel/debug/$FAILTYPE/space |
372 | echo 1 > /sys/kernel/debug/$FAILTYPE/verbose | |
373 | ||
374 | mount -t btrfs $DEVICE tmpmnt | |
375 | if [ $? -ne 0 ] | |
376 | then | |
4b1a29a7 | 377 | echo "SUCCESS!" |
10ffebbe | 378 | else |
4b1a29a7 MH |
379 | echo "FAILED!" |
380 | umount tmpmnt | |
10ffebbe | 381 | fi |
4b1a29a7 | 382 | |
10ffebbe | 383 | echo > /sys/kernel/debug/$FAILTYPE/inject |
4b1a29a7 | 384 | |
10ffebbe MCC |
385 | rmdir tmpmnt |
386 | losetup -d $DEVICE | |
387 | rm testfile.img | |
4b1a29a7 MH |
388 | |
389 | ||
c24aa64d AM |
390 | Tool to run command with failslab or fail_page_alloc |
391 | ---------------------------------------------------- | |
392 | In order to make it easier to accomplish the tasks mentioned above, we can use | |
393 | tools/testing/fault-injection/failcmd.sh. Please run a command | |
394 | "./tools/testing/fault-injection/failcmd.sh --help" for more information and | |
395 | see the following examples. | |
396 | ||
397 | Examples: | |
398 | ||
399 | Run a command "make -C tools/testing/selftests/ run_tests" with injecting slab | |
10ffebbe | 400 | allocation failure:: |
c24aa64d AM |
401 | |
402 | # ./tools/testing/fault-injection/failcmd.sh \ | |
403 | -- make -C tools/testing/selftests/ run_tests | |
404 | ||
405 | Same as above except to specify 100 times failures at most instead of one time | |
10ffebbe | 406 | at most by default:: |
c24aa64d AM |
407 | |
408 | # ./tools/testing/fault-injection/failcmd.sh --times=100 \ | |
409 | -- make -C tools/testing/selftests/ run_tests | |
410 | ||
411 | Same as above except to inject page allocation failure instead of slab | |
10ffebbe | 412 | allocation failure:: |
c24aa64d AM |
413 | |
414 | # env FAILCMD_TYPE=fail_page_alloc \ | |
415 | ./tools/testing/fault-injection/failcmd.sh --times=100 \ | |
10ffebbe | 416 | -- make -C tools/testing/selftests/ run_tests |
e41d5818 DV |
417 | |
418 | Systematic faults using fail-nth | |
419 | --------------------------------- | |
420 | ||
421 | The following code systematically faults 0-th, 1-st, 2-nd and so on | |
10ffebbe MCC |
422 | capabilities in the socketpair() system call:: |
423 | ||
424 | #include <sys/types.h> | |
425 | #include <sys/stat.h> | |
426 | #include <sys/socket.h> | |
427 | #include <sys/syscall.h> | |
428 | #include <fcntl.h> | |
429 | #include <unistd.h> | |
430 | #include <string.h> | |
431 | #include <stdlib.h> | |
432 | #include <stdio.h> | |
433 | #include <errno.h> | |
434 | ||
435 | int main() | |
436 | { | |
e41d5818 DV |
437 | int i, err, res, fail_nth, fds[2]; |
438 | char buf[128]; | |
439 | ||
440 | system("echo N > /sys/kernel/debug/failslab/ignore-gfp-wait"); | |
441 | sprintf(buf, "/proc/self/task/%ld/fail-nth", syscall(SYS_gettid)); | |
442 | fail_nth = open(buf, O_RDWR); | |
9049f2f6 | 443 | for (i = 1;; i++) { |
e41d5818 DV |
444 | sprintf(buf, "%d", i); |
445 | write(fail_nth, buf, strlen(buf)); | |
446 | res = socketpair(AF_LOCAL, SOCK_STREAM, 0, fds); | |
447 | err = errno; | |
bfc74093 | 448 | pread(fail_nth, buf, sizeof(buf), 0); |
e41d5818 DV |
449 | if (res == 0) { |
450 | close(fds[0]); | |
451 | close(fds[1]); | |
452 | } | |
bfc74093 AM |
453 | printf("%d-th fault %c: res=%d/%d\n", i, atoi(buf) ? 'N' : 'Y', |
454 | res, err); | |
455 | if (atoi(buf)) | |
e41d5818 DV |
456 | break; |
457 | } | |
458 | return 0; | |
10ffebbe MCC |
459 | } |
460 | ||
461 | An example output:: | |
462 | ||
463 | 1-th fault Y: res=-1/23 | |
464 | 2-th fault Y: res=-1/23 | |
465 | 3-th fault Y: res=-1/12 | |
466 | 4-th fault Y: res=-1/12 | |
467 | 5-th fault Y: res=-1/23 | |
468 | 6-th fault Y: res=-1/23 | |
469 | 7-th fault Y: res=-1/23 | |
470 | 8-th fault Y: res=-1/12 | |
471 | 9-th fault Y: res=-1/12 | |
472 | 10-th fault Y: res=-1/12 | |
473 | 11-th fault Y: res=-1/12 | |
474 | 12-th fault Y: res=-1/12 | |
475 | 13-th fault Y: res=-1/12 | |
476 | 14-th fault Y: res=-1/12 | |
477 | 15-th fault Y: res=-1/12 | |
478 | 16-th fault N: res=0/12 |