[RFC PATCH 0/4] rv/tlob: Add task latency over budget RV monitor

[wen.yang@linux.dev]

From: Wen Yang <wen.yang@linux.dev>

This series introduces tlob (task latency over budget), a new per-task
Runtime Verification monitor.

Background
----------
The RV framework formalises kernel behavioural properties as
deterministic automata. Existing monitors (wwnr, sssw, opid, etc.) cover
scheduling and locking invariants; none tracks wall-clock latency of
a per-task code path, including off-CPU time. This property is needed
in ADAS perception/planning pipelines, industrial real-time
controllers, and similar mixed-criticality deployments.

tlob adds this capability. A caller demarcates a code path via a
start/stop pair; the kernel arms a per-task hrtimer for the requested
budget. If the task has not called TRACE_STOP before the timer fires,
a violation is recorded, the stop call returns -EOVERFLOW, and an
event is pushed to the caller's mmap ring.

The tracefs interface requires only tracefs write permissions, avoiding
the CAP_BPF privilege needed for equivalent eBPF-based approaches. The
DA model (patch 1) can be independently verified with standard model-
checking tools.

Design
------
The monitor is a three-state deterministic automaton (DA):

  unmonitored --trace_start--> on_cpu
  on_cpu       --switch_out--> off_cpu
  off_cpu      --switch_in---> on_cpu
  {on_cpu, off_cpu} --{trace_stop, budget_expired}--> unmonitored

Per-task state lives in a fixed-size hash table (TLOB_MAX_MONITORED
slots) with RCU-deferred free. Timing is based on CLOCK_MONOTONIC
(ktime_get()), so budgets account for off-CPU time.

Two userspace interfaces are provided:

  tracefs: uprobe pair registration via the monitor/enable files; no
           new UAPI required.

  /dev/rv ioctls (CONFIG_RV_CHARDEV):
    TLOB_IOCTL_TRACE_START  — arm the budget for a target task
    TLOB_IOCTL_TRACE_STOP   — disarm; returns -EOVERFLOW on violation

  Each /dev/rv file descriptor has a per-fd mmap ring (a physically
  contiguous control page struct tlob_mmap_page followed by an array of
  struct tlob_event records). Head/tail/dropped are userspace-readable
  without locking; overflow uses a drop-new policy.

New UAPI (include/uapi/linux/rv.h): tlob_start_args, tlob_event,
tlob_mmap_page, ioctl numbers (RV_IOC_MAGIC=0xB9, registered in
Documentation/userspace-api/ioctl/ioctl-number.rst).

Testing
-------
KUnit (patch 3): six suites (38 cases) gated on CONFIG_TLOB_KUNIT_TEST.

  ./tools/testing/kunit/kunit.py run \
    --kunitconfig kernel/trace/rv/monitors/tlob/.kunitconfig

  Coverage: automaton state transitions, start/stop API error paths,
  scheduler context-switch accounting, tracepoint payload fields,
  ring-buffer push/overflow/wakeup, and the uprobe line parser.

kselftest (patch 4): 19 TAP test points under
tools/testing/selftests/rv/. Requires CONFIG_RV_MON_TLOB=y,
CONFIG_RV_CHARDEV=y, and root.

  make -C tools/testing/selftests/rv
  sudo ./test_tlob.sh

Patch overview
--------------
Patch 1 — DOT model: formal automaton specification for verification.
Patch 2 — monitor implementation, UAPI, and documentation.
Patch 3 — KUnit in-kernel unit tests.
Patch 4 — kselftest user-space integration tests.

Wen Yang (4):
  rv/tlob: Add tlob model DOT file
  rv/tlob: Add tlob deterministic automaton monitor
  rv/tlob: Add KUnit tests for the tlob monitor
  selftests/rv: Add selftest for the tlob monitor

 Documentation/trace/rv/index.rst              |    1 +
 Documentation/trace/rv/monitor_tlob.rst       |  381 ++++++
 .../userspace-api/ioctl/ioctl-number.rst      |    1 +
 MAINTAINERS                                   |    3 +
 include/uapi/linux/rv.h                       |  181 +++
 kernel/trace/rv/Kconfig                       |   17 +
 kernel/trace/rv/Makefile                      |    3 +
 kernel/trace/rv/monitors/tlob/.kunitconfig    |    5 +
 kernel/trace/rv/monitors/tlob/Kconfig         |   63 +
 kernel/trace/rv/monitors/tlob/tlob.c          |  987 ++++++++++++++
 kernel/trace/rv/monitors/tlob/tlob.h          |  145 ++
 kernel/trace/rv/monitors/tlob/tlob_kunit.c    | 1194 +++++++++++++++++
 kernel/trace/rv/monitors/tlob/tlob_trace.h    |   42 +
 kernel/trace/rv/rv.c                          |    4 +
 kernel/trace/rv/rv_dev.c                      |  602 +++++++++
 kernel/trace/rv/rv_trace.h                    |   50 +
 tools/include/uapi/linux/rv.h                 |   54 +
 tools/testing/selftests/rv/Makefile           |   18 +
 tools/testing/selftests/rv/test_tlob.sh       |  563 ++++++++
 tools/testing/selftests/rv/tlob_helper.c      |  994 ++++++++++++++
 .../testing/selftests/rv/tlob_uprobe_target.c |  108 ++
 tools/verification/models/tlob.dot            |   25 +
 22 files changed, 5441 insertions(+)
 create mode 100644 Documentation/trace/rv/monitor_tlob.rst
 create mode 100644 include/uapi/linux/rv.h
 create mode 100644 kernel/trace/rv/monitors/tlob/.kunitconfig
 create mode 100644 kernel/trace/rv/monitors/tlob/Kconfig
 create mode 100644 kernel/trace/rv/monitors/tlob/tlob.c
 create mode 100644 kernel/trace/rv/monitors/tlob/tlob.h
 create mode 100644 kernel/trace/rv/monitors/tlob/tlob_kunit.c
 create mode 100644 kernel/trace/rv/monitors/tlob/tlob_trace.h
 create mode 100644 kernel/trace/rv/rv_dev.c
 create mode 100644 tools/include/uapi/linux/rv.h
 create mode 100644 tools/testing/selftests/rv/Makefile
 create mode 100755 tools/testing/selftests/rv/test_tlob.sh
 create mode 100644 tools/testing/selftests/rv/tlob_helper.c
 create mode 100644 tools/testing/selftests/rv/tlob_uprobe_target.c
 create mode 100644 tools/verification/models/tlob.dot

-- 
2.43.0