[linux-block.git] / Documentation / fault-injection / provoke-crashes.rst

.. SPDX-License-Identifier: GPL-2.0

============================================================
Provoking crashes with Linux Kernel Dump Test Module (LKDTM)
============================================================

The lkdtm module provides an interface to disrupt (and usually crash)
the kernel at predefined code locations to evaluate the reliability of
the kernel's exception handling and to test crash dumps obtained using
different dumping solutions. The module uses KPROBEs to instrument the
trigger location, but can also trigger the kernel directly without KPROBE
support via debugfs.

You can select the location of the trigger ("crash point name") and the
type of action ("crash point type") either through module arguments when
inserting the module, or through the debugfs interface.

Usage::

	insmod lkdtm.ko [recur_count={>0}] cpoint_name=<> cpoint_type=<>
			[cpoint_count={>0}]

recur_count
	Recursion level for the stack overflow test. By default this is
	dynamically calculated based on kernel configuration, with the
	goal of being just large enough to exhaust the kernel stack. The
	value can be seen at `/sys/module/lkdtm/parameters/recur_count`.

cpoint_name
	Where in the kernel to trigger the action. It can be
	one of INT_HARDWARE_ENTRY, INT_HW_IRQ_EN, INT_TASKLET_ENTRY,
	FS_DEVRW, MEM_SWAPOUT, TIMERADD, SCSI_DISPATCH_CMD,
	IDE_CORE_CP, or DIRECT

cpoint_type
	Indicates the action to be taken on hitting the crash point.
	These are numerous, and best queried directly from debugfs. Some
	of the common ones are PANIC, BUG, EXCEPTION, LOOP, and OVERFLOW.
	See the contents of `/sys/kernel/debug/provoke-crash/DIRECT` for
	a complete list.

cpoint_count
	Indicates the number of times the crash point is to be hit
	before triggering the action. The default is 10 (except for
	DIRECT, which always fires immediately).

You can also induce failures by mounting debugfs and writing the type to
<debugfs>/provoke-crash/<crashpoint>. E.g.::

  mount -t debugfs debugfs /sys/kernel/debug
  echo EXCEPTION > /sys/kernel/debug/provoke-crash/INT_HARDWARE_ENTRY

The special file `DIRECT` will induce the action directly without KPROBE
instrumentation. This mode is the only one available when the module is
built for a kernel without KPROBEs support::

  # Instead of having a BUG kill your shell, have it kill "cat":
  cat <(echo WRITE_RO) >/sys/kernel/debug/provoke-crash/DIRECT
Commit	Line	Data
ac8bf0de	1	.. SPDX-License-Identifier: GPL-2.0
10ffebbe	2
ac8bf0de KC	3	============================================================
	4	Provoking crashes with Linux Kernel Dump Test Module (LKDTM)
	5	============================================================
10ffebbe	6
ac8bf0de KC	7	The lkdtm module provides an interface to disrupt (and usually crash)
	8	the kernel at predefined code locations to evaluate the reliability of
	9	the kernel's exception handling and to test crash dumps obtained using
	10	different dumping solutions. The module uses KPROBEs to instrument the
	11	trigger location, but can also trigger the kernel directly without KPROBE
	12	support via debugfs.
10ffebbe	13
ac8bf0de KC	14	You can select the location of the trigger ("crash point name") and the
	15	type of action ("crash point type") either through module arguments when
	16	inserting the module, or through the debugfs interface.
10ffebbe MCC	17
	18	Usage::
	19
	20	insmod lkdtm.ko [recur_count={>0}] cpoint_name=<> cpoint_type=<>
	21	[cpoint_count={>0}]
	22
	23	recur_count
ac8bf0de KC	24	Recursion level for the stack overflow test. By default this is
	25	dynamically calculated based on kernel configuration, with the
	26	goal of being just large enough to exhaust the kernel stack. The
	27	value can be seen at `/sys/module/lkdtm/parameters/recur_count`.
10ffebbe MCC	28
10ffebbe MCC	29	cpoint_name
ac8bf0de	30	Where in the kernel to trigger the action. It can be
10ffebbe MCC	31	one of INT_HARDWARE_ENTRY, INT_HW_IRQ_EN, INT_TASKLET_ENTRY,
10ffebbe MCC	32	FS_DEVRW, MEM_SWAPOUT, TIMERADD, SCSI_DISPATCH_CMD,
ac8bf0de	33	IDE_CORE_CP, or DIRECT
10ffebbe MCC	34
	35	cpoint_type
	36	Indicates the action to be taken on hitting the crash point.
ac8bf0de KC	37	These are numerous, and best queried directly from debugfs. Some
	38	of the common ones are PANIC, BUG, EXCEPTION, LOOP, and OVERFLOW.
	39	See the contents of `/sys/kernel/debug/provoke-crash/DIRECT` for
	40	a complete list.
10ffebbe MCC	41
	42	cpoint_count
	43	Indicates the number of times the crash point is to be hit
ac8bf0de KC	44	before triggering the action. The default is 10 (except for
ac8bf0de KC	45	DIRECT, which always fires immediately).
10ffebbe MCC	46
10ffebbe MCC	47	You can also induce failures by mounting debugfs and writing the type to
ac8bf0de	48	<debugfs>/provoke-crash/<crashpoint>. E.g.::
10ffebbe	49
ac8bf0de KC	50	mount -t debugfs debugfs /sys/kernel/debug
ac8bf0de KC	51	echo EXCEPTION > /sys/kernel/debug/provoke-crash/INT_HARDWARE_ENTRY
10ffebbe	52
ac8bf0de KC	53	The special file `DIRECT` will induce the action directly without KPROBE
	54	instrumentation. This mode is the only one available when the module is
	55	built for a kernel without KPROBEs support::
10ffebbe	56
ac8bf0de KC	57	# Instead of having a BUG kill your shell, have it kill "cat":
ac8bf0de KC	58	cat <(echo WRITE_RO) >/sys/kernel/debug/provoke-crash/DIRECT