Fault injection capabilities infrastructure — The Linux Kernel documentation (2024)

See also drivers/md/md-faulty.c and “every_nth” module option for scsi_debug.

Available fault injection capabilities

  • failslab

    injects slab allocation failures. (kmalloc(), kmem_cache_alloc(), ...)

  • fail_page_alloc

    injects page allocation failures. (alloc_pages(), get_free_pages(), ...)

  • fail_usercopy

    injects failures in user memory access functions. (copy_from_user(), get_user(), ...)

  • fail_futex

    injects futex deadlock and uaddr fault errors.

  • fail_sunrpc

    injects kernel RPC client and server failures.

  • fail_make_request

    injects disk IO errors on devices permitted by setting/sys/block/<device>/make-it-fail or/sys/block/<device>/<partition>/make-it-fail. (submit_bio_noacct())

  • fail_mmc_request

    injects MMC data errors on devices permitted by settingdebugfs entries under /sys/kernel/debug/mmc0/fail_mmc_request

  • fail_function

    injects error return on specific functions, which are marked byALLOW_ERROR_INJECTION() macro, by setting debugfs entriesunder /sys/kernel/debug/fail_function. No boot option supported.

  • NVMe fault injection

    inject NVMe status code and retry flag on devices permitted by settingdebugfs entries under /sys/kernel/debug/nvme*/fault_inject. The defaultstatus code is NVME_SC_INVALID_OPCODE with no retry. The status code andretry flag can be set via the debugfs.

  • Null test block driver fault injection

    inject IO timeouts by setting config items under/sys/kernel/config/nullb/<disk>/timeout_inject,inject requeue requests by setting config items under/sys/kernel/config/nullb/<disk>/requeue_inject, andinject init_hctx() errors by setting config items under/sys/kernel/config/nullb/<disk>/init_hctx_fault_inject.

Configure fault-injection capabilities behavior

debugfs entries

fault-inject-debugfs kernel module provides some debugfs entries for runtimeconfiguration of fault-injection capabilities.

  • /sys/kernel/debug/fail*/probability:

    likelihood of failure injection, in percent.

    Format: <percent>

    Note that one-failure-per-hundred is a very high error ratefor some testcases. Consider setting probability=100 and configure/sys/kernel/debug/fail*/interval for such testcases.

  • /sys/kernel/debug/fail*/interval:

    specifies the interval between failures, for calls toshould_fail() that pass all the other tests.

    Note that if you enable this, by setting interval>1, you willprobably want to set probability=100.

  • /sys/kernel/debug/fail*/times:

    specifies how many times failures may happen at most. A value of -1means “no limit”.

  • /sys/kernel/debug/fail*/space:

    specifies an initial resource “budget”, decremented by “size”on each call to should_fail(,size). Failure injection issuppressed until “space” reaches zero.

  • /sys/kernel/debug/fail*/verbose

    Format: { 0 | 1 | 2 }

    specifies the verbosity of the messages when failure isinjected. ‘0’ means no messages; ‘1’ will print only a singlelog line per failure; ‘2’ will print a call trace too -- usefulto debug the problems revealed by fault injection.

  • /sys/kernel/debug/fail*/task-filter:

    Format: { ‘Y’ | ‘N’ }

    A value of ‘N’ disables filtering by process (default).Any positive value limits failures to only processes indicated by/proc/<pid>/make-it-fail==1.

  • /sys/kernel/debug/fail*/require-start,/sys/kernel/debug/fail*/require-end,/sys/kernel/debug/fail*/reject-start,/sys/kernel/debug/fail*/reject-end:

    specifies the range of virtual addresses tested duringstacktrace walking. Failure is injected only if some callerin the walked stacktrace lies within the required range, andnone lies within the rejected range.Default required range is [0,ULONG_MAX) (whole of virtual address space).Default rejected range is [0,0).

  • /sys/kernel/debug/fail*/stacktrace-depth:

    specifies the maximum stacktrace depth walked during searchfor a caller within [require-start,require-end) OR[reject-start,reject-end).

  • /sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem:

    Format: { ‘Y’ | ‘N’ }

    default is ‘Y’, setting it to ‘N’ will also inject failures intohighmem/user allocations (__GFP_HIGHMEM allocations).

  • /sys/kernel/debug/failslab/ignore-gfp-wait:

  • /sys/kernel/debug/fail_page_alloc/ignore-gfp-wait:

    Format: { ‘Y’ | ‘N’ }

    default is ‘Y’, setting it to ‘N’ will also inject failuresinto allocations that can sleep (__GFP_DIRECT_RECLAIM allocations).

  • /sys/kernel/debug/fail_page_alloc/min-order:

    specifies the minimum page allocation order to be injectedfailures.

  • /sys/kernel/debug/fail_futex/ignore-private:

    Format: { ‘Y’ | ‘N’ }

    default is ‘N’, setting it to ‘Y’ will disable failure injectionswhen dealing with private (address space) futexes.

  • /sys/kernel/debug/fail_sunrpc/ignore-client-disconnect:

    Format: { ‘Y’ | ‘N’ }

    default is ‘N’, setting it to ‘Y’ will disable disconnectinjection on the RPC client.

  • /sys/kernel/debug/fail_sunrpc/ignore-server-disconnect:

    Format: { ‘Y’ | ‘N’ }

    default is ‘N’, setting it to ‘Y’ will disable disconnectinjection on the RPC server.

  • /sys/kernel/debug/fail_sunrpc/ignore-cache-wait:

    Format: { ‘Y’ | ‘N’ }

    default is ‘N’, setting it to ‘Y’ will disable cache waitinjection on the RPC server.

  • /sys/kernel/debug/fail_function/inject:

    Format: { ‘function-name’ | ‘!function-name’ | ‘’ }

    specifies the target function of error injection by name.If the function name leads ‘!’ prefix, given function isremoved from injection list. If nothing specified (‘’)injection list is cleared.

  • /sys/kernel/debug/fail_function/injectable:

    (read only) shows error injectable functions and what type oferror values can be specified. The error type will be one ofbelow;- NULL: retval must be 0.- ERRNO: retval must be -1 to -MAX_ERRNO (-4096).- ERR_NULL: retval must be 0 or -1 to -MAX_ERRNO (-4096).

  • /sys/kernel/debug/fail_function/<function-name>/retval:

    specifies the “error” return value to inject to the given function.This will be created when the user specifies a new injection entry.Note that this file only accepts unsigned values. So, if you want touse a negative errno, you better use ‘printf’ instead of ‘echo’, e.g.:$ printf %#x -12 > retval

Boot option

In order to inject faults while debugfs is not available (early boot time),use the boot option:

failslab=fail_page_alloc=fail_usercopy=fail_make_request=fail_futex=mmc_core.fail_request=<interval>,<probability>,<space>,<times>

proc entries

  • /proc/<pid>/fail-nth,/proc/self/task/<tid>/fail-nth:

    Write to this file of integer N makes N-th call in the task fail.Read from this file returns a integer value. A value of ‘0’ indicatesthat the fault setup with a previous write to this file was injected.A positive integer N indicates that the fault wasn’t yet injected.Note that this file enables all types of faults (slab, futex, etc).This setting takes precedence over all other generic debugfs settingslike probability, interval, times, etc. But per-capability settings(e.g. fail_futex/ignore-private) take precedence over it.

    This feature is intended for systematic testing of faults in a singlesystem call. See an example below.

Error Injectable Functions

This part is for the kernel developers considering to add a function toALLOW_ERROR_INJECTION() macro.

Requirements for the Error Injectable Functions

Since the function-level error injection forcibly changes the code pathand returns an error even if the input and conditions are proper, this cancause unexpected kernel crash if you allow error injection on the functionwhich is NOT error injectable. Thus, you (and reviewers) must ensure;

  • The function returns an error code if it fails, and the callers must checkit correctly (need to recover from it).

  • The function does not execute any code which can change any state beforethe first error return. The state includes global or local, or inputvariable. For example, clear output address storage (e.g. *ret = NULL),increments/decrements counter, set a flag, preempt/irq disable or geta lock (if those are recovered before returning error, that will be OK.)

The first requirement is important, and it will result in that the release(free objects) functions are usually harder to inject errors than allocatefunctions. If errors of such release functions are not correctly handledit will cause a memory leak easily (the caller will confuse that the objecthas been released or corrupted.)

The second one is for the caller which expects the function should alwaysdoes something. Thus if the function error injection skips whole of thefunction, the expectation is betrayed and causes an unexpected error.

Type of the Error Injectable Functions

Each error injectable functions will have the error type specified by theALLOW_ERROR_INJECTION() macro. You have to choose it carefully if you adda new error injectable function. If the wrong error type is chosen, thekernel may crash because it may not be able to handle the error.There are 4 types of errors defined in include/asm-generic/error-injection.h

EI_ETYPE_NULL

This function will return NULL if it fails. e.g. return an allocateedobject address.

EI_ETYPE_ERRNO

This function will return an -errno error code if it fails. e.g. return-EINVAL if the input is wrong. This will include the functions which willreturn an address which encodes -errno by ERR_PTR() macro.

EI_ETYPE_ERRNO_NULL

This function will return an -errno or NULL if it fails. If the callerof this function checks the return value with IS_ERR_OR_NULL() macro, thistype will be appropriate.

EI_ETYPE_TRUE

This function will return true (non-zero positive value) if it fails.

If you specifies a wrong type, for example, EI_TYPE_ERRNO for the functionwhich returns an allocated object, it may cause a problem because the returnedvalue is not an object address and the caller can not access to the address.

How to add new fault injection capability

  • #include <linux/fault-inject.h>

  • define the fault attributes

    DECLARE_FAULT_ATTR(name);

    Please see the definition of struct fault_attr in fault-inject.hfor details.

  • provide a way to configure fault attributes

  • boot option

    If you need to enable the fault injection capability from boot time, you canprovide boot option to configure it. There is a helper function for it:

    setup_fault_attr(attr, str);

  • debugfs entries

    failslab, fail_page_alloc, fail_usercopy, and fail_make_request use this way.Helper functions:

    fault_create_debugfs_attr(name, parent, attr);

  • module parameters

    If the scope of the fault injection capability is limited to asingle kernel module, it is better to provide module parameters toconfigure the fault attributes.

  • add a hook to insert failures

    Upon should_fail() returning true, client code should inject a failure:

    should_fail(attr, size);

Application Examples

  • Inject slab allocation failures into module init/exit code:

    #!/bin/bashFAILTYPE=failslabecho Y > /sys/kernel/debug/$FAILTYPE/task-filterecho 10 > /sys/kernel/debug/$FAILTYPE/probabilityecho 100 > /sys/kernel/debug/$FAILTYPE/intervalecho -1 > /sys/kernel/debug/$FAILTYPE/timesecho 0 > /sys/kernel/debug/$FAILTYPE/spaceecho 2 > /sys/kernel/debug/$FAILTYPE/verboseecho Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-waitfaulty_system(){ bash -c "echo 1 > /proc/self/make-it-fail && exec $*"}if [ $# -eq 0 ]then echo "Usage: $0 modulename [ modulename ... ]" exit 1fifor m in $*do echo inserting $m... faulty_system modprobe $m echo removing $m... faulty_system modprobe -r $mdone
  • Inject page allocation failures only for a specific module:

    #!/bin/bashFAILTYPE=fail_page_allocmodule=$1if [ -z $module ]then echo "Usage: $0 <modulename>" exit 1fimodprobe $moduleif [ ! -d /sys/module/$module/sections ]then echo Module $module is not loaded exit 1ficat /sys/module/$module/sections/.text > /sys/kernel/debug/$FAILTYPE/require-startcat /sys/module/$module/sections/.data > /sys/kernel/debug/$FAILTYPE/require-endecho N > /sys/kernel/debug/$FAILTYPE/task-filterecho 10 > /sys/kernel/debug/$FAILTYPE/probabilityecho 100 > /sys/kernel/debug/$FAILTYPE/intervalecho -1 > /sys/kernel/debug/$FAILTYPE/timesecho 0 > /sys/kernel/debug/$FAILTYPE/spaceecho 2 > /sys/kernel/debug/$FAILTYPE/verboseecho Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-waitecho Y > /sys/kernel/debug/$FAILTYPE/ignore-gfp-highmemecho 10 > /sys/kernel/debug/$FAILTYPE/stacktrace-depthtrap "echo 0 > /sys/kernel/debug/$FAILTYPE/probability" SIGINT SIGTERM EXITecho "Injecting errors into the module $module... (interrupt to stop)"sleep 1000000
  • Inject open_ctree error while btrfs mount:

    #!/bin/bashrm -f testfile.imgdd if=/dev/zero of=testfile.img bs=1M seek=1000 count=1DEVICE=$(losetup --show -f testfile.img)mkfs.btrfs -f $DEVICEmkdir -p tmpmntFAILTYPE=fail_functionFAILFUNC=open_ctreeecho $FAILFUNC > /sys/kernel/debug/$FAILTYPE/injectprintf %#x -12 > /sys/kernel/debug/$FAILTYPE/$FAILFUNC/retvalecho N > /sys/kernel/debug/$FAILTYPE/task-filterecho 100 > /sys/kernel/debug/$FAILTYPE/probabilityecho 0 > /sys/kernel/debug/$FAILTYPE/intervalecho -1 > /sys/kernel/debug/$FAILTYPE/timesecho 0 > /sys/kernel/debug/$FAILTYPE/spaceecho 1 > /sys/kernel/debug/$FAILTYPE/verbosemount -t btrfs $DEVICE tmpmntif [ $? -ne 0 ]then echo "SUCCESS!"else echo "FAILED!" umount tmpmntfiecho > /sys/kernel/debug/$FAILTYPE/injectrmdir tmpmntlosetup -d $DEVICErm testfile.img

Tool to run command with failslab or fail_page_alloc

In order to make it easier to accomplish the tasks mentioned above, we can usetools/testing/fault-injection/failcmd.sh. Please run a command“./tools/testing/fault-injection/failcmd.sh --help” for more information andsee the following examples.

Examples:

Run a command “make -C tools/testing/selftests/ run_tests” with injecting slaballocation failure:

# ./tools/testing/fault-injection/failcmd.sh \ -- make -C tools/testing/selftests/ run_tests

Same as above except to specify 100 times failures at most instead of one timeat most by default:

# ./tools/testing/fault-injection/failcmd.sh --times=100 \ -- make -C tools/testing/selftests/ run_tests

Same as above except to inject page allocation failure instead of slaballocation failure:

# env FAILCMD_TYPE=fail_page_alloc \ ./tools/testing/fault-injection/failcmd.sh --times=100 \ -- make -C tools/testing/selftests/ run_tests

Systematic faults using fail-nth

The following code systematically faults 0-th, 1-st, 2-nd and so oncapabilities in the socketpair() system call:

#include <sys/types.h>#include <sys/stat.h>#include <sys/socket.h>#include <sys/syscall.h>#include <fcntl.h>#include <unistd.h>#include <string.h>#include <stdlib.h>#include <stdio.h>#include <errno.h>int main(){ int i, err, res, fail_nth, fds[2]; char buf[128]; system("echo N > /sys/kernel/debug/failslab/ignore-gfp-wait"); sprintf(buf, "/proc/self/task/%ld/fail-nth", syscall(SYS_gettid)); fail_nth = open(buf, O_RDWR); for (i = 1;; i++) { sprintf(buf, "%d", i); write(fail_nth, buf, strlen(buf)); res = socketpair(AF_LOCAL, SOCK_STREAM, 0, fds); err = errno; pread(fail_nth, buf, sizeof(buf), 0); if (res == 0) { close(fds[0]); close(fds[1]); } printf("%d-th fault %c: res=%d/%d\n", i, atoi(buf) ? 'N' : 'Y', res, err); if (atoi(buf)) break; } return 0;}

An example output:

1-th fault Y: res=-1/232-th fault Y: res=-1/233-th fault Y: res=-1/124-th fault Y: res=-1/125-th fault Y: res=-1/236-th fault Y: res=-1/237-th fault Y: res=-1/238-th fault Y: res=-1/129-th fault Y: res=-1/1210-th fault Y: res=-1/1211-th fault Y: res=-1/1212-th fault Y: res=-1/1213-th fault Y: res=-1/1214-th fault Y: res=-1/1215-th fault Y: res=-1/1216-th fault N: res=0/12
Fault injection capabilities infrastructure — The Linux Kernel  documentation (2024)

FAQs

What are the capabilities of fault injection? ›

Available fault injection capabilities

injects kernel RPC client and server failures. injects error return on specific functions, which are marked by ALLOW_ERROR_INJECTION() macro, by setting debugfs entries under /sys/kernel/debug/fail_function.

What does the kernel need to do in case of page fault? ›

The MMU detects the page fault, but the operating system's kernel handles the exception by making the required page accessible in the physical memory or denying an illegal memory access.

What are the types of fault injection attacks? ›

Laser Fault Injection:
Fault Injection MethodRequirementsAttack control
Temperature VariationChanging the ambient temperatureLow
Electromagnetic Fault InjectionElectromagnetic pulse shape generation at desired location on chip.Medium/High
Laser Fault InjectionChip decapsulation and high precision laser spot generation.High
2 more rows
Aug 5, 2024

Why do we need fault injection? ›

Fault injection is a method to test and assess the dependability (availability, reliability, and maintainability) and performance of fault-tolerant and fail-safe systems. One of its uses is benchmarking the error sensitivity of a system when it experiences hardware faults in the processor or main memory.

How does Linux handle page faults? ›

In the event of page fault occurs, kernel switches to kernel mode if not already running in kernel mode. Then it calls a special routine called page fault handler. It takes action depending on the reason of page fault. If page was swapped out then it'll bring it back into memory.

How do you troubleshoot kernel? ›

Resolve the kernel panic error
  1. Generate the initramfs file corresponding to original kernel by using the dracut command, for example: See more code actions. ...
  2. Update the grub2. cfg file using the grub2-mkconfig command, for example: ...
  3. After the initramfs file is generated, you can restart the VM without any errors.

What is the responsibility of the kernel in Linux? ›

It manages the system's resources and facilitates communication between hardware and software components. As the heart of the Linux OS, the kernel plays a crucial role in enabling the seamless operation and integration of various software applications and system components.

What are the capabilities of injection molding? ›

  • Ability to Produce Detailed/Complex Geometries. ...
  • Efficiency. ...
  • Strength & Versatility. ...
  • Ability to Simultaneously Use Multiple Types of Plastic. ...
  • Cost Savings. ...
  • Precision. ...
  • Shorten Product Development Time. ...
  • Multiple Finishes.

What are injection attacks also capable of? ›

Injections are amongst the oldest and most dangerous attacks aimed at web applications. They can lead to data theft, data loss, loss of data integrity, denial of service, as well as full system compromise.

How practical are fault injection attacks really? ›

Therefore, we believe these attacks can be considered practical in many scenarios, especially when the attacker can physically access the target device.

What are the possible means to achieve fault injection in a circuit? ›

This can be achieved using physical- or software-based means, or using a hybrid approach. Widely studied physical fault injections include the application of high voltages, extreme temperatures and electromagnetic pulses on electronic components, such as computer memory and central processing units.

Top Articles
Latest Posts
Article information

Author: Patricia Veum II

Last Updated:

Views: 5433

Rating: 4.3 / 5 (64 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Patricia Veum II

Birthday: 1994-12-16

Address: 2064 Little Summit, Goldieton, MS 97651-0862

Phone: +6873952696715

Job: Principal Officer

Hobby: Rafting, Cabaret, Candle making, Jigsaw puzzles, Inline skating, Magic, Graffiti

Introduction: My name is Patricia Veum II, I am a vast, combative, smiling, famous, inexpensive, zealous, sparkling person who loves writing and wants to share my knowledge and understanding with you.