From: Jinchao Wang <wangjinchao600@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
"Naveen N . Rao" <naveen@kernel.org>,
linux-mm@kvack.org, linux-trace-kernel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Jinchao Wang <wangjinchao600@gmail.com>
Subject: [PATCH 14/17] mm/ksw: add simplified silent corruption test
Date: Thu, 28 Aug 2025 15:32:47 +0800 [thread overview]
Message-ID: <20250828073311.1116593-15-wangjinchao600@gmail.com> (raw)
In-Reply-To: <20250828073311.1116593-1-wangjinchao600@gmail.com>
Introduce a lightweight test case simulating “silent” stack corruption
where hapless() is unaware its local variable may have been modified.
This test is much simpler than real production scenarios but demonstrates
the core logic.
Test logic:
- buggy(): exposes a local variable via a global pointer without resetting
it, creating a dangling reference.
- unwitting(): a background kernel thread accesses the global pointer and
modifies the pointed memory.
- hapless(): operates on its local variable, unaware it may be modified.
This controlled, minimal scenario provides a simple way to validate
KStackWatch’s detection of unintended stack modifications or silient
corruption.
Signed-off-by: Jinchao Wang <wangjinchao600@gmail.com>
---
mm/kstackwatch/kstackwatch_test.c | 90 ++++++++++++++++++++++++++++++-
1 file changed, 89 insertions(+), 1 deletion(-)
diff --git a/mm/kstackwatch/kstackwatch_test.c b/mm/kstackwatch/kstackwatch_test.c
index 138163472b03..1f0d616db7c5 100644
--- a/mm/kstackwatch/kstackwatch_test.c
+++ b/mm/kstackwatch/kstackwatch_test.c
@@ -22,6 +22,9 @@ static struct proc_dir_entry *test_proc;
#define BUFFER_SIZE 4
#define MAX_DEPTH 4
+/* global variables for silient corruption test */
+static u64 *g_corrupt_ptr;
+
/*
* Test Case 0: Write to the canary position directly (Canary Test)
* use a u64 buffer array to ensure the canary will be placed
@@ -63,6 +66,86 @@ static void canary_test_overflow(void)
pr_info("KSW: test: canary overflow test completed\n");
}
+static void do_something(int min_ms, int max_ms)
+{
+ u32 rand;
+
+ get_random_bytes(&rand, sizeof(rand));
+ rand = min_ms + rand % (max_ms - min_ms + 1);
+ msleep(rand);
+}
+
+static void silent_corruption_buggy(int i)
+{
+ u64 local_var;
+
+ pr_info("KSW: test: starting %s\n", __func__);
+
+ pr_info("KSW: test: %s %d local_var addr: 0x%px\n", __func__, i,
+ &local_var);
+ WRITE_ONCE(g_corrupt_ptr, &local_var);
+
+ //buggy: return without reset g_corrupt_ptr
+}
+
+static int silent_corruption_unwitting(void *data)
+{
+ pr_debug("KSW: test: starting %s\n", __func__);
+ u64 *local_ptr;
+
+ do {
+ local_ptr = READ_ONCE(g_corrupt_ptr);
+ do_something(0, 300);
+ } while (!local_ptr);
+
+ local_ptr[0] = 0;
+
+ return 0;
+}
+
+static void silent_corruption_hapless(int i)
+{
+ u64 local_var;
+
+ pr_debug("KSW: test: starting %s %d\n", __func__, i);
+ get_random_bytes(&local_var, sizeof(local_var));
+ local_var = 0xff0000 + local_var % 0xffff;
+ pr_debug("KSW: test: %s local_var addr: 0x%px\n", __func__, &local_var);
+
+ do_something(50, 150);
+ if (local_var >= 0xff0000)
+ pr_info("KSW: test: %s %d happy with 0x%llx", __func__, i,
+ local_var);
+ else
+ pr_info("KSW: test: %s %d unhappy with 0x%llx", __func__, i,
+ local_var);
+}
+
+/*
+ * Test Case 2: Silient Corruption
+ * buggy() does not protect its local var correctly
+ * unwitting() simply does its intended work
+ * hapless() is unaware know what happened
+ */
+static void silent_corruption_test(void)
+{
+ struct task_struct *unwitting;
+
+ pr_info("KSW: test: starting %s\n", __func__);
+ WRITE_ONCE(g_corrupt_ptr, NULL);
+
+ unwitting = kthread_run(silent_corruption_unwitting, NULL,
+ "unwitting");
+ if (IS_ERR(unwitting)) {
+ pr_err("KSW: test: failed to create thread2\n");
+ return;
+ }
+
+ silent_corruption_buggy(0);
+ for (int i = 0; i < 10; i++)
+ silent_corruption_hapless(i);
+}
+
static ssize_t test_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *pos)
{
@@ -90,6 +173,10 @@ static ssize_t test_proc_write(struct file *file, const char __user *buffer,
pr_info("KSW: test: triggering canary overflow test\n");
canary_test_overflow();
break;
+ case 2:
+ pr_info("KSW: test: triggering silent corruption test\n");
+ silent_corruption_test();
+ break;
default:
pr_err("KSW: test: Unknown test number %d\n", test_num);
return -EINVAL;
@@ -110,7 +197,8 @@ static ssize_t test_proc_read(struct file *file, char __user *buffer,
"==================================\n"
"Usage:\n"
" echo 'test0' > /proc/kstackwatch_test - Canary write test\n"
- " echo 'test1' > /proc/kstackwatch_test - Canary overflow test\n";
+ " echo 'test1' > /proc/kstackwatch_test - Canary overflow test\n"
+ " echo 'test2' > /proc/kstackwatch_test - Silent corruption test\n";
return simple_read_from_buffer(buffer, count, pos, usage,
strlen(usage));
--
2.43.0
next prev parent reply other threads:[~2025-08-28 7:35 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-28 7:32 [PATCH 00/17] mm/ksw: Introduce real-time Kernel Stack Watch debugging tool Jinchao Wang
2025-08-28 7:32 ` [PATCH 01/17] mm/ksw: add build system support Jinchao Wang
2025-08-28 7:32 ` [PATCH 02/17] mm/ksw: add ksw_config struct and parser Jinchao Wang
2025-08-28 7:32 ` [PATCH 03/17] mm/ksw: add /proc/kstackwatch interface Jinchao Wang
2025-08-28 7:32 ` [PATCH 04/17] mm/ksw: add HWBP pre-allocation support Jinchao Wang
2025-08-28 7:32 ` [PATCH 05/17] x86/HWBP: introduce arch_reinstall_hw_breakpoint() for atomic context Jinchao Wang
2025-08-28 7:32 ` [PATCH 06/17] mm/ksw: add atomic watch on/off operations Jinchao Wang
2025-08-28 7:32 ` [PATCH 07/17] mm/ksw: add stack probe support Jinchao Wang
2025-08-28 7:32 ` [PATCH 08/17] mm/ksw: implement stack canary and local var resolution logic Jinchao Wang
2025-08-28 7:32 ` [PATCH 09/17] mm/ksw: add per-task recursion depth tracking Jinchao Wang
2025-08-28 7:32 ` [PATCH 10/17] mm/ksw: coordinate watch and stack for full functionality Jinchao Wang
2025-08-28 7:32 ` [PATCH 11/17] mm/ksw: add self-debug functions for kstackwatch watch Jinchao Wang
2025-08-28 7:32 ` [PATCH 12/17] mm/ksw: add test module Jinchao Wang
2025-08-28 7:32 ` [PATCH 13/17] mm/ksw: add stack overflow test Jinchao Wang
2025-08-28 7:32 ` Jinchao Wang [this message]
2025-08-28 7:32 ` [PATCH 15/17] mm/ksw: add recursive corruption test Jinchao Wang
2025-08-28 7:32 ` [PATCH 16/17] tools/kstackwatch: add interactive test script for KStackWatch Jinchao Wang
2025-08-28 7:32 ` [PATCH 17/17] MAINTAINERS: add entry for KStackWatch (Kernel Stack Watch) Jinchao Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250828073311.1116593-15-wangjinchao600@gmail.com \
--to=wangjinchao600@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=naveen@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox