1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2018 Jan Stancek. All rights reserved.
4  */
5 /*
6  * Test: Spawn 2 threads. First thread maps, writes and unmaps
7  * an area. Second thread tries to read from it. Second thread
8  * races against first thread. There is no synchronization
9  * between threads, but each mmap/munmap increases a counter
10  * that is checked to determine when has read occurred. If a read
11  * hit SIGSEGV in between mmap/munmap it is a failure. If a read
12  * between mmap/munmap worked, then its value must match expected
13  * value.
14  */
15 #include <errno.h>
16 #include <float.h>
17 #include <pthread.h>
18 #include <sched.h>
19 #include <setjmp.h>
20 #include <stdio.h>
21 #include <stdlib.h>
22 #include "tst_test.h"
23 #include "tst_safe_pthread.h"
24 
25 #define DISTANT_MMAP_SIZE (64*1024*1024)
26 #define TEST_FILENAME "ashfile"
27 
28 /* seconds remaining before reaching timeout */
29 #define STOP_THRESHOLD 10
30 
31 #define PROGRESS_SEC 3
32 
33 static int file_size = 1024;
34 static int num_iter = 5000;
35 static float exec_time = 0.05; /* default is 3 min */
36 
37 static void *distant_area;
38 static char *str_exec_time;
39 static jmp_buf jmpbuf;
40 static volatile unsigned char *map_address;
41 static unsigned long page_sz;
42 
43 static unsigned long mapped_sigsegv_count;
44 static unsigned long map_count;
45 static unsigned long threads_spawned;
46 static unsigned long data_matched;
47 static unsigned long repeated_reads;
48 
49 /* sequence id for each map/unmap performed */
50 static int mapcnt, unmapcnt;
51 /* stored sequence id before making read attempt */
52 static int br_map, br_unmap;
53 
54 static struct tst_option options[] = {
55 	{"x:", &str_exec_time, "Exec time (hours)"},
56 	{NULL, NULL, NULL}
57 };
58 
59 /* compare "before read" counters  with "after read" counters */
was_area_mapped(int br_m,int br_u,int ar_m,int ar_u)60 static inline int was_area_mapped(int br_m, int br_u, int ar_m, int ar_u)
61 {
62 	return (br_m == ar_m && br_u == ar_u && br_m > br_u);
63 }
64 
sig_handler(int signal,siginfo_t * info,LTP_ATTRIBUTE_UNUSED void * ut)65 static void sig_handler(int signal, siginfo_t *info,
66 	LTP_ATTRIBUTE_UNUSED void *ut)
67 {
68 	int ar_m, ar_u;
69 
70 	switch (signal) {
71 	case SIGSEGV:
72 		/* if we hit SIGSEGV between map/unmap, something is wrong */
73 		ar_u = tst_atomic_load(&unmapcnt);
74 		ar_m = tst_atomic_load(&mapcnt);
75 		if (was_area_mapped(br_map, br_unmap, ar_m, ar_u)) {
76 			tst_res(TFAIL, "got sigsegv while mapped");
77 			_exit(TFAIL);
78 		}
79 
80 		mapped_sigsegv_count++;
81 		longjmp(jmpbuf, 1);
82 		break;
83 	default:
84 		tst_res(TFAIL, "Unexpected signal - %d, addr: %p, exiting\n",
85 			signal, info->si_addr);
86 		_exit(TBROK);
87 	}
88 }
89 
map_write_unmap(void * ptr)90 void *map_write_unmap(void *ptr)
91 {
92 	int *fd = ptr;
93 	void *tmp;
94 	int i, j;
95 
96 	for (i = 0; i < num_iter; i++) {
97 		map_address = SAFE_MMAP(distant_area,
98 			(size_t) file_size, PROT_WRITE | PROT_READ,
99 			MAP_SHARED, *fd, 0);
100 		tst_atomic_inc(&mapcnt);
101 
102 		for (j = 0; j < file_size; j++)
103 			map_address[j] = 'b';
104 
105 		tmp = (void *)map_address;
106 		tst_atomic_inc(&unmapcnt);
107 		SAFE_MUNMAP(tmp, file_size);
108 
109 		map_count++;
110 	}
111 
112 	return NULL;
113 }
114 
read_mem(LTP_ATTRIBUTE_UNUSED void * ptr)115 void *read_mem(LTP_ATTRIBUTE_UNUSED void *ptr)
116 {
117 	volatile int i; /* longjmp could clobber i */
118 	int j, ar_map, ar_unmap;
119 	unsigned char c;
120 
121 	for (i = 0; i < num_iter; i++) {
122 		if (setjmp(jmpbuf) == 1)
123 			continue;
124 
125 		for (j = 0; j < file_size; j++) {
126 read_again:
127 			br_map = tst_atomic_load(&mapcnt);
128 			br_unmap = tst_atomic_load(&unmapcnt);
129 
130 			c = map_address[j];
131 
132 			ar_unmap = tst_atomic_load(&unmapcnt);
133 			ar_map = tst_atomic_load(&mapcnt);
134 
135 			/*
136 			 * Read above is racing against munmap and mmap
137 			 * in other thread. While the address might be valid
138 			 * the mapping could be in various stages of being
139 			 * 'ready'. We only check the value, if we can be sure
140 			 * read hapenned in between single mmap and munmap as
141 			 * observed by first thread.
142 			 */
143 			if (was_area_mapped(br_map, br_unmap, ar_map,
144 				ar_unmap)) {
145 				switch (c) {
146 				case 'a':
147 					repeated_reads++;
148 					goto read_again;
149 				case 'b':
150 					data_matched++;
151 					break;
152 				default:
153 					tst_res(TFAIL, "value[%d] is %c", j, c);
154 					break;
155 				}
156 			}
157 		}
158 	}
159 
160 	return NULL;
161 }
162 
mkfile(int size)163 int mkfile(int size)
164 {
165 	int fd, i;
166 
167 	fd = SAFE_OPEN(TEST_FILENAME, O_RDWR | O_CREAT, 0600);
168 	SAFE_UNLINK(TEST_FILENAME);
169 
170 	for (i = 0; i < size; i++)
171 		SAFE_WRITE(1, fd, "a", 1);
172 	SAFE_WRITE(1, fd, "\0", 1);
173 
174 	if (fsync(fd) == -1)
175 		tst_brk(TBROK | TERRNO, "fsync()");
176 
177 	return fd;
178 }
179 
setup(void)180 static void setup(void)
181 {
182 	struct sigaction sigptr;
183 
184 	page_sz = getpagesize();
185 
186 	/*
187 	 * Used as hint for mmap thread, so it doesn't interfere
188 	 * with other potential (temporary) mappings from libc
189 	 */
190 	distant_area = SAFE_MMAP(0, DISTANT_MMAP_SIZE, PROT_WRITE | PROT_READ,
191 			MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
192 	SAFE_MUNMAP(distant_area, (size_t)DISTANT_MMAP_SIZE);
193 	distant_area += DISTANT_MMAP_SIZE / 2;
194 
195 	if (tst_parse_float(str_exec_time, &exec_time, 0, FLT_MAX)) {
196 		tst_brk(TBROK, "Invalid number for exec_time '%s'",
197 			str_exec_time);
198 	}
199 
200 	sigptr.sa_sigaction = sig_handler;
201 	sigemptyset(&sigptr.sa_mask);
202 	sigptr.sa_flags = SA_SIGINFO | SA_NODEFER;
203 	SAFE_SIGACTION(SIGSEGV, &sigptr, NULL);
204 
205 	tst_set_timeout((int)(exec_time * 3600));
206 }
207 
run(void)208 static void run(void)
209 {
210 	pthread_t thid[2];
211 	int remaining = tst_timeout_remaining();
212 	int elapsed = 0;
213 
214 	while (tst_timeout_remaining() > STOP_THRESHOLD) {
215 		int fd = mkfile(file_size);
216 
217 		tst_atomic_store(0, &mapcnt);
218 		tst_atomic_store(0, &unmapcnt);
219 
220 		SAFE_PTHREAD_CREATE(&thid[0], NULL, map_write_unmap, &fd);
221 		SAFE_PTHREAD_CREATE(&thid[1], NULL, read_mem, &fd);
222 		threads_spawned += 2;
223 
224 		SAFE_PTHREAD_JOIN(thid[0], NULL);
225 		SAFE_PTHREAD_JOIN(thid[1], NULL);
226 
227 		close(fd);
228 
229 		if (remaining - tst_timeout_remaining() > PROGRESS_SEC) {
230 			remaining = tst_timeout_remaining();
231 			elapsed += PROGRESS_SEC;
232 			tst_res(TINFO, "[%d] mapped: %lu, sigsegv hit: %lu, "
233 				"threads spawned: %lu",	elapsed, map_count,
234 				mapped_sigsegv_count, threads_spawned);
235 			tst_res(TINFO, "[%d] repeated_reads: %ld, "
236 				"data_matched: %lu", elapsed, repeated_reads,
237 				data_matched);
238 		}
239 	}
240 	tst_res(TPASS, "System survived.");
241 }
242 
243 static struct tst_test test = {
244 	.test_all = run,
245 	.setup = setup,
246 	.options = options,
247 	.needs_tmpdir = 1,
248 };
249