1// SPDX-License-Identifier: GPL-2.0+
2//
3// Copyright 2019, Michael Ellerman, IBM Corp.
4//
5// Test that out-of-bounds reads/writes behave as expected.
6
7#include <setjmp.h>
8#include <stdbool.h>
9#include <stdio.h>
10#include <stdlib.h>
11#include <string.h>
12#include <sys/types.h>
13#include <sys/wait.h>
14#include <unistd.h>
15
16#include "utils.h"
17
// SEGV_BNDERR is absent from the headers of older distros (Ubuntu 16.04 at
// least), so supply the value when the toolchain does not.
#if !defined(SEGV_BNDERR)
#define SEGV_BNDERR 3
#endif

// The 64-bit kernel always starts here.
#define PAGE_OFFSET (0xcul << 60)

// Upper bound used by bad_access() when range-checking fault addresses.
// test() sets it once the MMU mode and page size are known.
static unsigned long kernel_virt_end;

// Fault details recorded by segv_handler() and read back in bad_access()
// after the siglongjmp(). They are volatile because they are written from
// signal context and read on the far side of a non-local jump.
static volatile int fault_code;
static volatile unsigned long fault_addr;

// Jump target armed by sigsetjmp() in bad_access().
static jmp_buf setjmp_env;
31
// SIGSEGV handler: record why and where the fault happened, then unwind to
// the sigsetjmp() point in bad_access() instead of returning, since
// returning would simply re-execute the faulting access.
static void segv_handler(int n, siginfo_t *info, void *ctxt_v)
{
	const int code = info->si_code;
	const unsigned long where = (unsigned long)info->si_addr;

	// Signal number and ucontext are not needed by this test.
	(void)n;
	(void)ctxt_v;

	fault_code = code;
	fault_addr = where;

	siglongjmp(setjmp_env, 1);
}
38
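// Attempt a single read or write through p and verify that it faults in the
// expected way. The caller passes addresses that userspace must not be able
// to touch, so an access that completes is itself the failure.
//
// p:     address to probe.
// write: true to store a byte, false to load one.
//
// Returns 0 when the access raised SIGSEGV with an acceptable si_code, 1 when
// the access went through. FAIL_IF comes from utils.h (not shown here) and is
// presumed to return non-zero from this function when its condition holds.
int bad_access(char *p, bool write)
{
	// Initialised because the write path never assigns x, yet the
	// diagnostic below prints it; without this an unexpected successful
	// write would read an indeterminate value.
	char x = 0;

	fault_code = 0;
	fault_addr = 0;

	// savemask = 1 so that siglongjmp() from the handler restores the
	// signal mask; SIGSEGV is blocked while the handler runs, and leaving
	// it blocked would turn the next expected fault into a fatal one.
	if (sigsetjmp(setjmp_env, 1) == 0) {
		if (write)
			*p = 1;
		else
			x = *p;

		// Still here: the access did not fault, which is the bug this
		// test exists to catch.
		printf("Bad - no SEGV! (%c)\n", x);
		return 1;
	}

	// Reached only through siglongjmp() in segv_handler().

	// If we see MAPERR that means we took a page fault rather than an SLB
	// miss. We only expect to take page faults for addresses within the
	// valid kernel range.
	FAIL_IF(fault_code == SEGV_MAPERR &&
		(fault_addr < PAGE_OFFSET || fault_addr >= kernel_virt_end));

	// Any si_code other than MAPERR or BNDERR is not a fault this test
	// knows how to interpret.
	FAIL_IF(fault_code != SEGV_MAPERR && fault_code != SEGV_BNDERR);

	return 0;
}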
66
// Scan /proc/cpuinfo for the MMU line and report which MMU mode is in use.
//
// using_hash: set to true for Hash, false for Radix; left untouched when no
//             MMU line matches.
//
// Returns 0 when a matching line was found and -1 when none was. FAIL_IF
// comes from utils.h (not shown here) and is presumed to return non-zero
// from this function if the file cannot be opened.
//
// NOTE(review): the comparison is an exact string match, so the whitespace
// inside the two literals must equal what the kernel prints byte for byte.
// Confirm the literals against the source tree; a rendered listing can
// collapse tabs into spaces.
static int using_hash_mmu(bool *using_hash)
{
	char line[128];
	int rc = -1;
	FILE *f = fopen("/proc/cpuinfo", "r");

	FAIL_IF(!f);

	// Stop at the first line that names either MMU mode.
	while (rc != 0 && fgets(line, sizeof(line), f) != NULL) {
		if (strcmp(line, "MMU : Hash\n") == 0) {
			*using_hash = true;
			rc = 0;
		} else if (strcmp(line, "MMU : Radix\n") == 0) {
			*using_hash = false;
			rc = 0;
		}
	}

	fclose(f);
	return rc;
}
94
// Install the SIGSEGV handler, derive the address-space layout from the MMU
// mode and page size, then probe one read and one write at a spread of
// addresses starting at the first region boundary. Every probe is expected
// to fault; bad_access() decides whether each fault is acceptable.
//
// Returns 0 on success. FAIL_IF comes from utils.h (not shown here) and is
// presumed to return non-zero from this function when its condition holds.
static int test(void)
{
	struct sigaction sig = {
		.sa_sigaction = segv_handler,
		.sa_flags = SA_SIGINFO,
	};
	unsigned long region_shift, page_shift, page_size;
	unsigned long page_mask, last_region, region, bit;
	bool hash_mmu, pages_64k;

	FAIL_IF(sigaction(SIGSEGV, &sig, NULL) != 0);

	FAIL_IF(using_hash_mmu(&hash_mmu));

	page_size = sysconf(_SC_PAGESIZE);
	pages_64k = (page_size == (64 * 1024));
	page_shift = pages_64k ? 16 : 12;

	if (pages_64k || !hash_mmu) {
		region_shift = 52;

		// We have 7 512T regions (4 kernel linear, vmalloc, io, vmemmap)
		kernel_virt_end = PAGE_OFFSET + (7 * (512ul << 40));
	} else {
		// Hash MMU without 64K pages: only the 4K layout is handled,
		// any other page size fails the test.
		FAIL_IF(page_size != (4 * 1024));

		region_shift = 46;

		// We have 7 64T regions (4 kernel linear, vmalloc, io, vmemmap)
		kernel_virt_end = PAGE_OFFSET + (7 * (64ul << 40));
	}

	printf("Using %s MMU, PAGE_SIZE = %dKB start address 0x%016lx\n",
	       hash_mmu ? "hash" : "radix",
	       (1 << page_shift) >> 10,
	       1ul << region_shift);

	// This generates access patterns like:
	//   0x0010000000000000
	//   0x0010000000010000
	//   0x0010000000020000
	//   ...
	//   0x0014000000000000
	//   0x0018000000000000
	//   0x0020000000000000
	//   0x0020000000010000
	//   0x0020000000020000
	//   ...
	//   0xf400000000000000
	//   0xf800000000000000

	// Clears the in-page offset bits so every probe is page aligned.
	page_mask = ~((1 << page_shift) - 1);
	last_region = (0xful << 60) >> region_shift;

	for (region = 1; region <= last_region; region++) {
		unsigned long base = region << region_shift;

		// Starting one bit below page_shift makes the first probe of
		// each region land on the region base itself once masked.
		for (bit = page_shift - 1; bit < 60; bit++) {
			unsigned long delta = 1ul << bit;
			char *target;

			// Offsets at or above the base belong to a later region.
			if (delta >= base)
				break;

			target = (char *)((base | delta) & page_mask);

			FAIL_IF(bad_access(target, false));
			FAIL_IF(bad_access(target, true));
		}
	}

	return 0;
}
167
// Entry point: hand test() to the selftest harness under the name
// "bad_accesses" and use the harness result as the exit status.
int main(void)
{
	int rc = test_harness(test, "bad_accesses");

	return rc;
}