1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2018 Jan Stancek. All rights reserved.
4  */
5 /*
6  * Test: Spawn 2 threads. First thread maps, writes and unmaps
7  * an area. Second thread tries to read from it. Second thread
8  * races against first thread. There is no synchronization
9  * between threads, but each mmap/munmap increases a counter
10  * that is checked to determine when has read occurred. If a read
11  * hit SIGSEGV in between mmap/munmap it is a failure. If a read
12  * between mmap/munmap worked, then its value must match expected
13  * value.
14  *
15  * Can trigger panics/stalls since at least 4.14 on some arches:
16  *   fc8efd2ddfed ("mm/memory.c: do_fault: avoid usage of stale vm_area_struct")
17  * Can trigger user-space stalls on aarch64:
18  *   7a30df49f63a ("mm: mmu_gather: remove __tlb_reset_range() for force flush")
19  *   https://lore.kernel.org/linux-mm/1817839533.20996552.1557065445233.JavaMail.zimbra@redhat.com
20  * Can trigger "still mapped when deleted" BUG at mm/filemap.c:171, on aarch64 since 4.20
21  *   e1b98fa31664 ("locking/rwsem: Add missing ACQUIRE to read_slowpath exit when queue is empty")
22  *   99143f82a255 ("lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop")
23  */
24 #include <errno.h>
25 #include <float.h>
26 #include <pthread.h>
27 #include <sched.h>
28 #include <setjmp.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include "lapi/abisize.h"
32 #include "tst_test.h"
33 #include "tst_safe_pthread.h"
34 
35 #ifdef TST_ABI32
36 #  define DISTANT_MMAP_SIZE (256*1024*1024)
37 #else
38 #  define DISTANT_MMAP_SIZE (2L*1024*1024*1024)
39 #endif
40 #define TEST_FILENAME "ashfile"
41 
42 /* seconds remaining before reaching timeout */
43 #define STOP_THRESHOLD 10
44 
45 #define PROGRESS_SEC 3
46 
47 static int file_size = 1024;
48 static int num_iter = 5000;
49 static float exec_time = 0.05; /* default is 3 min */
50 
51 static void *distant_area;
52 static char *str_exec_time;
53 static jmp_buf jmpbuf;
54 static volatile unsigned char *map_address;
55 static unsigned long page_sz;
56 
57 static unsigned long mapped_sigsegv_count;
58 static unsigned long map_count;
59 static unsigned long threads_spawned;
60 static unsigned long data_matched;
61 static unsigned long repeated_reads;
62 
63 /* sequence id for each map/unmap performed */
64 static int mapcnt, unmapcnt;
65 /* stored sequence id before making read attempt */
66 static int br_map, br_unmap;
67 
68 static struct tst_option options[] = {
69 	{"x:", &str_exec_time, "Exec time (hours)"},
70 	{NULL, NULL, NULL}
71 };
72 
73 /* compare "before read" counters  with "after read" counters */
was_area_mapped(int br_m,int br_u,int ar_m,int ar_u)74 static inline int was_area_mapped(int br_m, int br_u, int ar_m, int ar_u)
75 {
76 	return (br_m == ar_m && br_u == ar_u && br_m > br_u);
77 }
78 
sig_handler(int signal,siginfo_t * info,LTP_ATTRIBUTE_UNUSED void * ut)79 static void sig_handler(int signal, siginfo_t *info,
80 	LTP_ATTRIBUTE_UNUSED void *ut)
81 {
82 	int ar_m, ar_u;
83 
84 	switch (signal) {
85 	case SIGSEGV:
86 		/* if we hit SIGSEGV between map/unmap, something is wrong */
87 		ar_u = tst_atomic_load(&unmapcnt);
88 		ar_m = tst_atomic_load(&mapcnt);
89 		if (was_area_mapped(br_map, br_unmap, ar_m, ar_u)) {
90 			tst_res(TFAIL, "got sigsegv while mapped");
91 			_exit(TFAIL);
92 		}
93 
94 		mapped_sigsegv_count++;
95 		longjmp(jmpbuf, 1);
96 		break;
97 	default:
98 		tst_res(TFAIL, "Unexpected signal - %d, addr: %p, exiting\n",
99 			signal, info->si_addr);
100 		_exit(TBROK);
101 	}
102 }
103 
map_write_unmap(void * ptr)104 void *map_write_unmap(void *ptr)
105 {
106 	int *fd = ptr;
107 	void *tmp;
108 	int i, j;
109 
110 	for (i = 0; i < num_iter; i++) {
111 		map_address = SAFE_MMAP(distant_area,
112 			(size_t) file_size, PROT_WRITE | PROT_READ,
113 			MAP_SHARED, *fd, 0);
114 		tst_atomic_inc(&mapcnt);
115 
116 		for (j = 0; j < file_size; j++)
117 			map_address[j] = 'b';
118 
119 		tmp = (void *)map_address;
120 		tst_atomic_inc(&unmapcnt);
121 		SAFE_MUNMAP(tmp, file_size);
122 
123 		map_count++;
124 	}
125 
126 	return NULL;
127 }
128 
read_mem(LTP_ATTRIBUTE_UNUSED void * ptr)129 void *read_mem(LTP_ATTRIBUTE_UNUSED void *ptr)
130 {
131 	volatile int i; /* longjmp could clobber i */
132 	int j, ar_map, ar_unmap;
133 	unsigned char c;
134 
135 	for (i = 0; i < num_iter; i++) {
136 		if (setjmp(jmpbuf) == 1)
137 			continue;
138 
139 		for (j = 0; j < file_size; j++) {
140 read_again:
141 			br_map = tst_atomic_load(&mapcnt);
142 			br_unmap = tst_atomic_load(&unmapcnt);
143 
144 			c = map_address[j];
145 
146 			ar_unmap = tst_atomic_load(&unmapcnt);
147 			ar_map = tst_atomic_load(&mapcnt);
148 
149 			/*
150 			 * Read above is racing against munmap and mmap
151 			 * in other thread. While the address might be valid
152 			 * the mapping could be in various stages of being
153 			 * 'ready'. We only check the value, if we can be sure
154 			 * read hapenned in between single mmap and munmap as
155 			 * observed by first thread.
156 			 */
157 			if (was_area_mapped(br_map, br_unmap, ar_map,
158 				ar_unmap)) {
159 				switch (c) {
160 				case 'a':
161 					repeated_reads++;
162 					goto read_again;
163 				case 'b':
164 					data_matched++;
165 					break;
166 				default:
167 					tst_res(TFAIL, "value[%d] is %c", j, c);
168 					break;
169 				}
170 			}
171 		}
172 	}
173 
174 	return NULL;
175 }
176 
mkfile(int size)177 int mkfile(int size)
178 {
179 	int fd, i;
180 
181 	fd = SAFE_OPEN(TEST_FILENAME, O_RDWR | O_CREAT, 0600);
182 	SAFE_UNLINK(TEST_FILENAME);
183 
184 	for (i = 0; i < size; i++)
185 		SAFE_WRITE(1, fd, "a", 1);
186 	SAFE_WRITE(1, fd, "\0", 1);
187 
188 	if (fsync(fd) == -1)
189 		tst_brk(TBROK | TERRNO, "fsync()");
190 
191 	return fd;
192 }
193 
setup(void)194 static void setup(void)
195 {
196 	struct sigaction sigptr;
197 
198 	page_sz = getpagesize();
199 
200 	/*
201 	 * Used as hint for mmap thread, so it doesn't interfere
202 	 * with other potential (temporary) mappings from libc
203 	 */
204 	distant_area = SAFE_MMAP(0, DISTANT_MMAP_SIZE, PROT_WRITE | PROT_READ,
205 			MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
206 	SAFE_MUNMAP(distant_area, (size_t)DISTANT_MMAP_SIZE);
207 	distant_area += DISTANT_MMAP_SIZE / 2;
208 
209 	if (tst_parse_float(str_exec_time, &exec_time, 0, FLT_MAX)) {
210 		tst_brk(TBROK, "Invalid number for exec_time '%s'",
211 			str_exec_time);
212 	}
213 
214 	sigptr.sa_sigaction = sig_handler;
215 	sigemptyset(&sigptr.sa_mask);
216 	sigptr.sa_flags = SA_SIGINFO | SA_NODEFER;
217 	SAFE_SIGACTION(SIGSEGV, &sigptr, NULL);
218 
219 	tst_set_timeout((int)(exec_time * 3600));
220 }
221 
run(void)222 static void run(void)
223 {
224 	pthread_t thid[2];
225 	int start, last_update;
226 
227 	start = last_update = tst_timeout_remaining();
228 	while (tst_timeout_remaining() > STOP_THRESHOLD) {
229 		int fd = mkfile(file_size);
230 
231 		tst_atomic_store(0, &mapcnt);
232 		tst_atomic_store(0, &unmapcnt);
233 
234 		SAFE_PTHREAD_CREATE(&thid[0], NULL, map_write_unmap, &fd);
235 		SAFE_PTHREAD_CREATE(&thid[1], NULL, read_mem, &fd);
236 		threads_spawned += 2;
237 
238 		SAFE_PTHREAD_JOIN(thid[0], NULL);
239 		SAFE_PTHREAD_JOIN(thid[1], NULL);
240 
241 		close(fd);
242 
243 		if (last_update - tst_timeout_remaining() >= PROGRESS_SEC) {
244 			last_update = tst_timeout_remaining();
245 			tst_res(TINFO, "[%03d] mapped: %lu, sigsegv hit: %lu, "
246 				"threads spawned: %lu",
247 				start - tst_timeout_remaining(),
248 				map_count, mapped_sigsegv_count,
249 				threads_spawned);
250 			tst_res(TINFO, "      repeated_reads: %ld, "
251 				"data_matched: %lu", repeated_reads,
252 				data_matched);
253 		}
254 	}
255 	tst_res(TPASS, "System survived.");
256 }
257 
258 static struct tst_test test = {
259 	.test_all = run,
260 	.setup = setup,
261 	.options = options,
262 	.needs_tmpdir = 1,
263 };
264