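// SPDX-License-Identifier: GPL-2.0+
//
// Copyright 2019, Michael Ellerman, IBM Corp.
//
// Test that out-of-bounds reads/writes behave as expected.
//
// The test issues user-mode loads and stores to addresses starting at
// 1ul << region_shift and requires every one of them to raise SIGSEGV with
// an expected si_code. An access that completes without a fault is reported
// as a failure.

#include <setjmp.h>
#include <signal.h>	// sigaction, siginfo_t, SEGV_* used below
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#include "utils.h"

// Old distros (Ubuntu 16.04 at least) don't define this
#ifndef SEGV_BNDERR
#define SEGV_BNDERR	3
#endif

// 64-bit kernel is always here
#define PAGE_OFFSET	(0xcul << 60)

// One past the last kernel virtual address; computed in test() from the page
// size and MMU type, read by bad_access() when classifying a fault.
static unsigned long kernel_virt_end;

// Written by segv_handler(), read by bad_access() after the siglongjmp().
static volatile int fault_code;
static volatile unsigned long fault_addr;

// Used with sigsetjmp()/siglongjmp(), so it must be a sigjmp_buf: that is the
// type POSIX specifies for the signal-mask-saving variants.
static sigjmp_buf setjmp_env;

/*
 * SIGSEGV handler: record why and where the fault happened, then unwind back
 * into bad_access() instead of returning to the faulting instruction.
 */
static void segv_handler(int n, siginfo_t *info, void *ctxt_v)
{
	fault_code = info->si_code;
	fault_addr = (unsigned long)info->si_addr;
	siglongjmp(setjmp_env, 1);
}

/*
 * Attempt one byte-sized access at @p and check that it faults as expected.
 *
 * @p:     address to probe.
 * @write: store to @p when true, load from it when false.
 *
 * Returns 0 when the access raised SIGSEGV with an acceptable si_code, and 1
 * when the access completed without faulting. The FAIL_IF() checks come from
 * utils.h (not shown here); presumably they make this function return nonzero
 * when their condition holds - confirm against utils.h.
 */
int bad_access(char *p, bool write)
{
	// Initialised so the diagnostic below never prints an indeterminate
	// value on the store path, where x is otherwise never assigned.
	char x = 0;

	fault_code = 0;
	fault_addr = 0;

	if (sigsetjmp(setjmp_env, 1) == 0) {
		if (write)
			*p = 1;
		else
			x = *p;

		// Reaching this point means the access was allowed.
		printf("Bad - no SEGV! (%c)\n", x);
		return 1;
	}

	// If we see MAPERR that means we took a page fault rather than an SLB
	// miss. We only expect to take page faults for addresses within the
	// valid kernel range.
	FAIL_IF(fault_code == SEGV_MAPERR &&
		(fault_addr < PAGE_OFFSET || fault_addr >= kernel_virt_end));

	// Any other si_code is unexpected for these probes.
	FAIL_IF(fault_code != SEGV_MAPERR && fault_code != SEGV_BNDERR);

	return 0;
}

/*
 * Return true when @line is an "MMU : <type>" line from /proc/cpuinfo.
 *
 * Any run of spaces or tabs is accepted around the colon and after the value,
 * so the match does not depend on the exact separator bytes.
 */
static bool cpuinfo_mmu_is(const char *line, const char *type)
{
	char value[16];
	int end = 0;

	if (sscanf(line, "MMU : %15s %n", value, &end) != 1)
		return false;

	// end stays 0 if %n was not reached; line[0] is then 'M', not NUL.
	return line[end] == '\0' && strcmp(value, type) == 0;
}

/*
 * Read /proc/cpuinfo and report which MMU mode is in use.
 *
 * @using_hash: set to true for "Hash", false for "Radix"; left untouched when
 *              neither line is found.
 *
 * Returns 0 when an MMU line was recognised and -1 otherwise.
 */
static int using_hash_mmu(bool *using_hash)
{
	char line[128];
	FILE *f;
	int rc = -1;

	f = fopen("/proc/cpuinfo", "r");
	FAIL_IF(!f);

	while (fgets(line, sizeof(line), f) != NULL) {
		if (cpuinfo_mmu_is(line, "Hash")) {
			*using_hash = true;
			rc = 0;
			break;
		}

		if (cpuinfo_mmu_is(line, "Radix")) {
			*using_hash = false;
			rc = 0;
			break;
		}
	}

	fclose(f);
	return rc;
}

/*
 * Install the SIGSEGV handler, work out the region layout for this page size
 * and MMU type, then probe a read and a write at each generated address.
 *
 * Returns 0 when every probe faulted as expected.
 */
static int test(void)
{
	unsigned long i, j, addr, region_shift, page_shift, page_size;
	struct sigaction sig;
	bool hash_mmu;
	long raw_page_size;

	sig = (struct sigaction) {
		.sa_sigaction = segv_handler,
		.sa_flags = SA_SIGINFO,
	};

	FAIL_IF(sigaction(SIGSEGV, &sig, NULL) != 0);

	FAIL_IF(using_hash_mmu(&hash_mmu));

	// sysconf() returns -1 on error; reject that before it is converted to
	// an unsigned value and silently treated as a 4K page size.
	raw_page_size = sysconf(_SC_PAGESIZE);
	FAIL_IF(raw_page_size <= 0);
	page_size = (unsigned long)raw_page_size;

	if (page_size == (64 * 1024))
		page_shift = 16;
	else
		page_shift = 12;

	if (page_size == (64 * 1024) || !hash_mmu) {
		region_shift = 52;

		// We have 7 512T regions (4 kernel linear, vmalloc, io, vmemmap)
		kernel_virt_end = PAGE_OFFSET + (7 * (512ul << 40));
	} else if (page_size == (4 * 1024) && hash_mmu) {
		region_shift = 46;

		// We have 7 64T regions (4 kernel linear, vmalloc, io, vmemmap)
		kernel_virt_end = PAGE_OFFSET + (7 * (64ul << 40));
	} else {
		FAIL_IF(true);
	}

	printf("Using %s MMU, PAGE_SIZE = %dKB start address 0x%016lx\n",
	       hash_mmu ? "hash" : "radix",
	       (1 << page_shift) >> 10,
	       1ul << region_shift);

	// This generates access patterns like:
	//   0x0010000000000000
	//   0x0010000000010000
	//   0x0010000000020000
	//   ...
	//   0x0014000000000000
	//   0x0018000000000000
	//   0x0020000000000000
	//   0x0020000000010000
	//   0x0020000000020000
	//   ...
	//   0xf400000000000000
	//   0xf800000000000000

	for (i = 1; i <= ((0xful << 60) >> region_shift); i++) {
		for (j = page_shift - 1; j < 60; j++) {
			unsigned long base, delta;

			base = i << region_shift;
			delta = 1ul << j;

			// Stop once the offset would reach into the next
			// multiple of base.
			if (delta >= base)
				break;

			// Build the page mask in unsigned long so it does not
			// rely on sign extension of an int to cover the high
			// 32 bits of the address.
			addr = (base | delta) & ~((1ul << page_shift) - 1);

			FAIL_IF(bad_access((char *)addr, false));
			FAIL_IF(bad_access((char *)addr, true));
		}
	}

	return 0;
}

int main(void)
{
	return test_harness(test, "bad_accesses");
}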