From: Jinchao Wang <wangjinchao600@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Mike Rapoport <rppt@kernel.org>,
"Naveen N . Rao" <naveen@kernel.org>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>,
Alexander Potapenko <glider@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
kasan-dev@googlegroups.com,
"David S. Miller" <davem@davemloft.net>,
Steven Rostedt <rostedt@goodmis.org>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Namhyung Kim <namhyung@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Jiri Olsa <jolsa@kernel.org>, Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
"Liang, Kan" <kan.liang@linux.intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
linux-mm@kvack.org, linux-trace-kernel@vger.kernel.org,
linux-perf-users@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Jinchao Wang <wangjinchao600@gmail.com>
Subject: [PATCH v3 16/19] mm/ksw: add silent corruption test case
Date: Wed, 10 Sep 2025 13:31:14 +0800 [thread overview]
Message-ID: <20250910053147.1152253-8-wangjinchao600@gmail.com> (raw)
In-Reply-To: <20250910053147.1152253-1-wangjinchao600@gmail.com>
Introduce a new test scenario to simulate silent stack corruption:
- silent_corruption_buggy():
exposes a local variable address globally without resetting it.
- silent_corruption_unwitting():
reads the exposed pointer and modifies the memory, simulating a routine
that unknowingly writes to another stack frame.
- silent_corruption_victim():
demonstrates the effect of silent corruption on unrelated local variables.
Signed-off-by: Jinchao Wang <wangjinchao600@gmail.com>
---
mm/kstackwatch/test.c | 93 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 92 insertions(+), 1 deletion(-)
diff --git a/mm/kstackwatch/test.c b/mm/kstackwatch/test.c
index ab1a3f92b5e8..b10465381089 100644
--- a/mm/kstackwatch/test.c
+++ b/mm/kstackwatch/test.c
@@ -20,6 +20,9 @@ static struct proc_dir_entry *test_proc;
#define BUFFER_SIZE 4
#define MAX_DEPTH 6
+/* global variables for Silent corruption test */
+static u64 *g_corrupt_ptr;
+
/*
* Test Case 0: Write to the canary position directly (Canary Test)
* use a u64 buffer array to ensure the canary will be placed
@@ -61,6 +64,89 @@ static void canary_test_overflow(void)
pr_info("canary overflow test completed\n");
}
+static void do_something(int min_ms, int max_ms)
+{
+ u32 rand;
+
+ get_random_bytes(&rand, sizeof(rand));
+ rand = min_ms + rand % (max_ms - min_ms + 1);
+ msleep(rand);
+}
+
+static void silent_corruption_buggy(int i)
+{
+ u64 local_var;
+
+ pr_info("starting %s\n", __func__);
+
+ pr_info("%s %d local_var addr: 0x%lx\n", __func__, i,
+ (unsigned long)&local_var);
+ WRITE_ONCE(g_corrupt_ptr, &local_var);
+ do_something(0, 300);
+ //buggy: return without resetting g_corrupt_ptr
+}
+
+static int silent_corruption_unwitting(void *data)
+{
+ u64 *local_ptr;
+
+ pr_debug("starting %s\n", __func__);
+
+ do {
+ local_ptr = READ_ONCE(g_corrupt_ptr);
+ do_something(0, 300);
+ } while (!local_ptr);
+
+ local_ptr[0] = 0;
+
+ return 0;
+}
+
+static void silent_corruption_victim(int i)
+{
+ u64 local_var;
+
+ pr_debug("starting %s %dth\n", __func__, i);
+
+ /* local_var random in [0xff0000, 0x100ffff] */
+ get_random_bytes(&local_var, sizeof(local_var));
+ local_var = 0xff0000 + local_var & 0xffff;
+
+ pr_debug("%s local_var addr: 0x%lx\n", __func__,
+ (unsigned long)&local_var);
+
+ do_something(0, 100);
+
+ if (local_var >= 0xff0000 && local_var <= 0xffffff)
+ pr_info("%s %d happy with 0x%llx\n", __func__, i, local_var);
+ else
+ pr_info("%s %d unhappy with 0x%llx\n", __func__, i, local_var);
+}
+
+/*
+ * Test Case 2: Silent Corruption
+ * buggy() does not protect its local var correctly
+ * unwitting() simply does its intended work
+ * victim() is unaware know what happened
+ */
+static void silent_corruption_test(void)
+{
+ struct task_struct *unwitting;
+
+ pr_info("starting %s\n", __func__);
+ WRITE_ONCE(g_corrupt_ptr, NULL);
+
+ unwitting = kthread_run(silent_corruption_unwitting, NULL, "unwitting");
+ if (IS_ERR(unwitting)) {
+ pr_err("failed to create thread2\n");
+ return;
+ }
+
+ silent_corruption_buggy(0);
+ for (int i = 0; i < 10; i++)
+ silent_corruption_victim(i);
+}
+
static ssize_t test_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *pos)
{
@@ -88,6 +174,10 @@ static ssize_t test_proc_write(struct file *file, const char __user *buffer,
pr_info("triggering canary overflow test\n");
canary_test_overflow();
break;
+ case 2:
+ pr_info("triggering silent corruption test\n");
+ silent_corruption_test();
+ break;
default:
pr_err("Unknown test number %d\n", test_num);
return -EINVAL;
@@ -108,7 +198,8 @@ static ssize_t test_proc_read(struct file *file, char __user *buffer,
"==================================\n"
"Usage:\n"
" echo 'test0' > /proc/kstackwatch_test - Canary write test\n"
- " echo 'test1' > /proc/kstackwatch_test - Canary overflow test\n";
+ " echo 'test1' > /proc/kstackwatch_test - Canary overflow test\n"
+ " echo 'test2' > /proc/kstackwatch_test - Silent corruption test\n";
return simple_read_from_buffer(buffer, count, pos, usage,
strlen(usage));
--
2.43.0
next prev parent reply other threads:[~2025-09-10 5:33 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-10 5:23 [PATCH v3 00/19] mm/ksw: Introduce real-time Kernel Stack Watch debugging tool Jinchao Wang
2025-09-10 5:23 ` [PATCH v3 01/19] x86/hw_breakpoint: introduce arch_reinstall_hw_breakpoint() for atomic context Jinchao Wang
2025-09-11 0:46 ` Masami Hiramatsu
2025-09-11 1:01 ` Jinchao Wang
2025-09-10 5:23 ` [PATCH v3 02/19] HWBP: Add modify_wide_hw_breakpoint_local() API Jinchao Wang
2025-09-10 5:23 ` [PATCH v3 03/19] mm/ksw: add build system support Jinchao Wang
2025-09-10 5:23 ` [PATCH v3 04/19] mm/ksw: add ksw_config struct and parser Jinchao Wang
2025-09-10 5:23 ` [PATCH v3 05/19] mm/ksw: add /proc/kstackwatch interface Jinchao Wang
2025-09-10 5:23 ` [PATCH v3 06/19] mm/ksw: add HWBP pre-allocation Jinchao Wang
2025-09-10 5:23 ` [PATCH v3 07/19] mm/ksw: add atomic watch on/off operations Jinchao Wang
2025-09-10 5:23 ` [PATCH v3 08/19] mm/ksw: support CPU hotplug Jinchao Wang
2025-09-10 5:31 ` [PATCH v3 09/19] mm/ksw: add probe management helpers Jinchao Wang
2025-09-10 5:31 ` [PATCH v3 10/19] mm/ksw: resolve stack watch addr and len Jinchao Wang
2025-09-10 5:31 ` [PATCH v3 11/19] mm/ksw: add recursive depth tracking Jinchao Wang
2025-09-10 5:31 ` [PATCH v3 12/19] mm/ksw: manage start/stop of stack watching Jinchao Wang
2025-09-10 5:31 ` [PATCH v3 13/19] mm/ksw: add self-debug helpers Jinchao Wang
2025-09-10 5:31 ` [PATCH v3 14/19] mm/ksw: add test module Jinchao Wang
2025-09-10 5:31 ` [PATCH v3 15/19] mm/ksw: add stack overflow test Jinchao Wang
2025-09-10 5:31 ` Jinchao Wang [this message]
2025-09-10 5:31 ` [PATCH v3 17/19] mm/ksw: add recursive stack corruption test Jinchao Wang
2025-09-10 5:31 ` [PATCH v3 18/19] tools/ksw: add test script Jinchao Wang
2025-09-10 5:31 ` [PATCH v3 19/19] docs: add KStackWatch document Jinchao Wang
2025-09-12 5:51 ` [PATCH v3 00/19] mm/ksw: Introduce real-time Kernel Stack Watch debugging tool Jinchao Wang
2025-09-12 6:41 ` Alexander Potapenko
2025-09-12 8:15 ` Jinchao Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250910053147.1152253-8-wangjinchao600@gmail.com \
--to=wangjinchao600@gmail.com \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=andreyknvl@gmail.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=irogers@google.com \
--cc=jolsa@kernel.org \
--cc=kan.liang@linux.intel.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mathieu.desnoyers@efficios.com \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=naveen@kernel.org \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=rppt@kernel.org \
--cc=ryabinin.a.a@gmail.com \
--cc=tglx@linutronix.de \
--cc=vincenzo.frascino@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox