mirror of
https://github.com/torvalds/linux.git
synced 2024-11-21 19:41:42 +00:00
docs: fault-injection: add requirements of error injectable functions
Add a section about the requirements of the error injectable functions and the type of errors. Since this section must be read before using ALLOW_ERROR_INJECTION() macro, that section is referred from the comment of the macro too. Link: https://lkml.kernel.org/r/167081321427.387937.15475445689482551048.stgit@devnote3 Link: https://lore.kernel.org/all/20221211115218.2e6e289bb85f8cf53c11aa97@kernel.org/T/#u Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com> Cc: Borislav Petkov (AMD) <bp@alien8.de> Cc: Chris Mason <clm@meta.com> Cc: Christoph Hellwig <hch@infradead.org> Cc: Florent Revest <revest@chromium.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: Kees Cook <keescook@chromium.org> Cc: KP Singh <kpsingh@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
This commit is contained in:
parent
6338bb05c1
commit
bef7ec4e8f
@ -231,6 +231,71 @@ proc entries
|
|||||||
This feature is intended for systematic testing of faults in a single
|
This feature is intended for systematic testing of faults in a single
|
||||||
system call. See an example below.
|
system call. See an example below.
|
||||||
|
|
||||||
|
|
||||||
|
Error Injectable Functions
|
||||||
|
--------------------------
|
||||||
|
|
||||||
|
This part is for the kenrel developers considering to add a function to
|
||||||
|
ALLOW_ERROR_INJECTION() macro.
|
||||||
|
|
||||||
|
Requirements for the Error Injectable Functions
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Since the function-level error injection forcibly changes the code path
|
||||||
|
and returns an error even if the input and conditions are proper, this can
|
||||||
|
cause unexpected kernel crash if you allow error injection on the function
|
||||||
|
which is NOT error injectable. Thus, you (and reviewers) must ensure;
|
||||||
|
|
||||||
|
- The function returns an error code if it fails, and the callers must check
|
||||||
|
it correctly (need to recover from it).
|
||||||
|
|
||||||
|
- The function does not execute any code which can change any state before
|
||||||
|
the first error return. The state includes global or local, or input
|
||||||
|
variable. For example, clear output address storage (e.g. `*ret = NULL`),
|
||||||
|
increments/decrements counter, set a flag, preempt/irq disable or get
|
||||||
|
a lock (if those are recovered before returning error, that will be OK.)
|
||||||
|
|
||||||
|
The first requirement is important, and it will result in that the release
|
||||||
|
(free objects) functions are usually harder to inject errors than allocate
|
||||||
|
functions. If errors of such release functions are not correctly handled
|
||||||
|
it will cause a memory leak easily (the caller will confuse that the object
|
||||||
|
has been released or corrupted.)
|
||||||
|
|
||||||
|
The second one is for the caller which expects the function should always
|
||||||
|
does something. Thus if the function error injection skips whole of the
|
||||||
|
function, the expectation is betrayed and causes an unexpected error.
|
||||||
|
|
||||||
|
Type of the Error Injectable Functions
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
Each error injectable functions will have the error type specified by the
|
||||||
|
ALLOW_ERROR_INJECTION() macro. You have to choose it carefully if you add
|
||||||
|
a new error injectable function. If the wrong error type is chosen, the
|
||||||
|
kernel may crash because it may not be able to handle the error.
|
||||||
|
There are 4 types of errors defined in include/asm-generic/error-injection.h
|
||||||
|
|
||||||
|
EI_ETYPE_NULL
|
||||||
|
This function will return `NULL` if it fails. e.g. return an allocateed
|
||||||
|
object address.
|
||||||
|
|
||||||
|
EI_ETYPE_ERRNO
|
||||||
|
This function will return an `-errno` error code if it fails. e.g. return
|
||||||
|
-EINVAL if the input is wrong. This will include the functions which will
|
||||||
|
return an address which encodes `-errno` by ERR_PTR() macro.
|
||||||
|
|
||||||
|
EI_ETYPE_ERRNO_NULL
|
||||||
|
This function will return an `-errno` or `NULL` if it fails. If the caller
|
||||||
|
of this function checks the return value with IS_ERR_OR_NULL() macro, this
|
||||||
|
type will be appropriate.
|
||||||
|
|
||||||
|
EI_ETYPE_TRUE
|
||||||
|
This function will return `true` (non-zero positive value) if it fails.
|
||||||
|
|
||||||
|
If you specifies a wrong type, for example, EI_TYPE_ERRNO for the function
|
||||||
|
which returns an allocated object, it may cause a problem because the returned
|
||||||
|
value is not an object address and the caller can not access to the address.
|
||||||
|
|
||||||
|
|
||||||
How to add new fault injection capability
|
How to add new fault injection capability
|
||||||
-----------------------------------------
|
-----------------------------------------
|
||||||
|
|
||||||
|
@ -19,8 +19,10 @@ struct pt_regs;
|
|||||||
|
|
||||||
#ifdef CONFIG_FUNCTION_ERROR_INJECTION
|
#ifdef CONFIG_FUNCTION_ERROR_INJECTION
|
||||||
/*
|
/*
|
||||||
* Whitelist generating macro. Specify functions which can be
|
* Whitelist generating macro. Specify functions which can be error-injectable
|
||||||
* error-injectable using this macro.
|
* using this macro. If you unsure what is required for the error-injectable
|
||||||
|
* functions, please read Documentation/fault-injection/fault-injection.rst
|
||||||
|
* 'Error Injectable Functions' section.
|
||||||
*/
|
*/
|
||||||
#define ALLOW_ERROR_INJECTION(fname, _etype) \
|
#define ALLOW_ERROR_INJECTION(fname, _etype) \
|
||||||
static struct error_injection_entry __used \
|
static struct error_injection_entry __used \
|
||||||
|
Loading…
Reference in New Issue
Block a user