Merge branches 'doc.2016.11.14a', 'fixes.2016.11.14a', 'list.2016.10.31a' and...

void lkdtm_HUNG_TASK(void);

void lkdtm_ATOMIC_UNDERFLOW(void);

void lkdtm_ATOMIC_OVERFLOW(void);

void lkdtm_CORRUPT_LIST_ADD(void);

void lkdtm_CORRUPT_LIST_DEL(void);

/* lkdtm_heap.c */

void lkdtm_OVERWRITE_ALLOCATION(void);

 * test source files.

 */

#include "lkdtm.h"

#include <linux/list.h>

#include <linux/sched.h>

struct lkdtm_list {

	struct list_head node;

};

/*

 * Make sure our attempts to over run the kernel stack doesn't trigger

 * a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we

	pr_info("attempting bad atomic overflow\n");

	atomic_inc(&over);

}

void lkdtm_CORRUPT_LIST_ADD(void)

{

	/*

	 * Initially, an empty list via LIST_HEAD:

	 *	test_head.next = &test_head

	 *	test_head.prev = &test_head

	 */

	LIST_HEAD(test_head);

	struct lkdtm_list good, bad;

	void *target[2] = { };

	void *redirection = ⌖

	pr_info("attempting good list addition\n");

	/*

	 * Adding to the list performs these actions:

	 *	test_head.next->prev = &good.node

	 *	good.node.next = test_head.next

	 *	good.node.prev = test_head

	 *	test_head.next = good.node

	 */

	list_add(&good.node, &test_head);

	pr_info("attempting corrupted list addition\n");

	/*

	 * In simulating this "write what where" primitive, the "what" is

	 * the address of &bad.node, and the "where" is the address held

	 * by "redirection".

	 */

	test_head.next = redirection;

	list_add(&bad.node, &test_head);

	if (target[0] == NULL && target[1] == NULL)

		pr_err("Overwrite did not happen, but no BUG?!\n");

	else

		pr_err("list_add() corruption not detected!\n");

}

void lkdtm_CORRUPT_LIST_DEL(void)

{

	LIST_HEAD(test_head);

	struct lkdtm_list item;

	void *target[2] = { };

	void *redirection = ⌖

	list_add(&item.node, &test_head);

	pr_info("attempting good list removal\n");

	list_del(&item.node);

	pr_info("attempting corrupted list removal\n");

	list_add(&item.node, &test_head);

	/* As with the list_add() test above, this corrupts "next". */

	item.node.next = redirection;

	list_del(&item.node);

	if (target[0] == NULL && target[1] == NULL)

		pr_err("Overwrite did not happen, but no BUG?!\n");

	else

		pr_err("list_del() corruption not detected!\n");

}

	CRASHTYPE(EXCEPTION),

	CRASHTYPE(LOOP),

	CRASHTYPE(OVERFLOW),

	CRASHTYPE(CORRUPT_LIST_ADD),

	CRASHTYPE(CORRUPT_LIST_DEL),

	CRASHTYPE(CORRUPT_STACK),

	CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),

	CRASHTYPE(OVERWRITE_ALLOCATION),

}

#endif	/* CONFIG_GENERIC_BUG */

/*

 * Since detected data corruption should stop operation on the affected

 * structures, this returns false if the corruption condition is found.

 */

#define CHECK_DATA_CORRUPTION(condition, fmt, ...)			 \

	do {								 \

		if (unlikely(condition)) {				 \

			if (IS_ENABLED(CONFIG_BUG_ON_DATA_CORRUPTION)) { \

				pr_err(fmt, ##__VA_ARGS__);		 \

				BUG();					 \

			} else						 \

				WARN(1, fmt, ##__VA_ARGS__);		 \

			return false;					 \

		}							 \

	} while (0)

#endif	/* _LINUX_BUG_H */

	list->prev = list;

}

#ifdef CONFIG_DEBUG_LIST

extern bool __list_add_valid(struct list_head *new,

			      struct list_head *prev,

			      struct list_head *next);

extern bool __list_del_entry_valid(struct list_head *entry);

#else

static inline bool __list_add_valid(struct list_head *new,

				struct list_head *prev,

				struct list_head *next)

{

	return true;

}

static inline bool __list_del_entry_valid(struct list_head *entry)

{

	return true;

}

#endif

/*

 * Insert a new entry between two known consecutive entries.

 *

 * This is only for internal list manipulation where we know

 * the prev/next entries already!

 */

#ifndef CONFIG_DEBUG_LIST

static inline void __list_add(struct list_head *new,

			      struct list_head *prev,

			      struct list_head *next)

{

	if (!__list_add_valid(new, prev, next))

		return;

	next->prev = new;

	new->next = next;

	new->prev = prev;

	WRITE_ONCE(prev->next, new);

}

#else

extern void __list_add(struct list_head *new,

			      struct list_head *prev,

			      struct list_head *next);

#endif

/**

 * list_add - add a new entry

 * Note: list_empty() on entry does not return true after this, the entry is

 * in an undefined state.

 */

#ifndef CONFIG_DEBUG_LIST

static inline void __list_del_entry(struct list_head *entry)

{

	if (!__list_del_entry_valid(entry))

		return;

	__list_del(entry->prev, entry->next);

}

static inline void list_del(struct list_head *entry)

{

	__list_del(entry->prev, entry->next);

	__list_del_entry(entry);

	entry->next = LIST_POISON1;

	entry->prev = LIST_POISON2;

}

#else

extern void __list_del_entry(struct list_head *entry);

extern void list_del(struct list_head *entry);

#endif

/**

 * list_replace - replace old entry by new one