xref: /aosp_15_r20/external/ltp/testcases/kernel/mem/hugetlb/hugemmap/hugemmap19.c (revision 49cdfc7efb34551c7342be41a7384b9c40d7cab7)
1 // SPDX-License-Identifier: LGPL-2.1-or-later
2 /*
3  * Copyright (C) 2005-2006 David Gibson & Adam Litke, IBM Corporation.
4  * Copyright (C) 2006 Hugh Dickins <[email protected]>
5  * Author: David Gibson & Adam Litke
6  */
7 
8 /*\
9  * [Description]
10  *
11  * At one stage, a misconversion of hugetlb_vmtruncate_list to a
12  * prio_tree meant that on 32-bit machines, truncates at or above 4GB
13  * could truncate lower pages, resulting in BUG_ON()s.
14  *
15  * WARNING: The offsets and addresses used within are specifically
16  * calculated to trigger the bug as it existed.  Don't mess with them
17  * unless you *really* know what you're doing.
18  *
19  * The kernel bug in question was fixed with commit
20  * 856fc2950555.
21  */
22 
23 #define _GNU_SOURCE
24 #include <stdio.h>
25 #include <sys/mount.h>
26 #include <limits.h>
27 #include <sys/param.h>
28 #include <sys/types.h>
29 
30 #include "hugetlb.h"
31 
/* Sentinel stored in the first int of the reference mapping and re-read later */
#define RANDOM_CONSTANT	0x1234ABCD
/* Mount point of the hugetlbfs instance used by this test */
#define MNTPOINT "hugetlbfs/"

/* Base page size, filled in by setup() from getpagesize() */
static int page_size;
/* Huge page size, filled in by setup() from the "Hugepagesize:" meminfo entry */
static long hpage_size;
/* Descriptor of the unlinked hugetlbfs file; -1 while no file is open */
static int fd = -1;
37 
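/*
 * Regression check for the hugetlbfs mmap() error path.
 *
 * Maps two huge pages of the hugetlbfs file at offset 0, faults them in, and
 * then asks the kernel to replace the second huge page (MAP_FIXED) with a
 * mapping at file offset page_size.  The test expects that request to fail
 * with EINVAL and expects the sentinel written to the first huge page to
 * survive: backing out the rejected mapping must not disturb the page table
 * entries of the neighbouring, valid mapping.
 *
 * A TPASS is reported as inconclusive on purpose; see the comment before it.
 *
 * Reads the file-scope page_size, hpage_size and fd.
 */
static void run_test(void)
{
	off_t buggy_offset;
	void *p, *q;
	volatile int *pi;

	/*
	 * First, we make a 2 page sane hugepage mapping.  Then we
	 * memset() it to ensure that the ptes are instantiated for
	 * it.  Then we attempt to replace the second half of the map
	 * with one at a bogus offset.  We leave the first page of
	 * sane mapping in place to ensure that the corresponding
	 * pud/pmd/whatever entries aren't cleaned away.  It's those
	 * bad entries which can trigger bad_pud() checks if the
	 * backout path for the bogus mapping is buggy, which it was
	 * in some kernels.
	 */
	tst_res(TINFO, "Initial free hugepages: %lu",
		SAFE_READ_MEMINFO(MEMINFO_HPAGE_FREE));

	/* Reference mapping: two huge pages, starting at file offset 0 */
	p = SAFE_MMAP(NULL, 2*hpage_size, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);

	tst_res(TINFO, "After Mapping reference map, Free hugepages: %lu",
		SAFE_READ_MEMINFO(MEMINFO_HPAGE_FREE));
	tst_res(TINFO, "Mapped Address Range: %p-%p", p, p+2*hpage_size-1);

	/* Touch both huge pages, then plant the sentinel in the first one */
	memset(p, 0, 2*hpage_size);
	pi = p;
	*pi = RANDOM_CONSTANT;

	tst_res(TINFO, "After instantiate the pages, Free hugepages: %lu",
		   SAFE_READ_MEMINFO(MEMINFO_HPAGE_FREE));

	/*
	 * Toggle the permissions on the first page.  This forces TLB
	 * entries (including hash page table on powerpc) to be
	 * flushed, so that the page tables must be accessed for the
	 * test further down.  In the buggy case, those page tables
	 * can get thrown away by a pud_clear()
	 */
	if (mprotect(p, hpage_size, PROT_READ))
		tst_brk(TBROK|TERRNO, "mprotect(%p, 0x%lx, PROT_READ)", p, hpage_size);

	/*
	 * Replace top hpage by hpage mapping at confusing file offset.
	 * The offset is the base page size; presumably that is not a
	 * multiple of the huge page size, which is why EINVAL is the
	 * expected outcome below.
	 */
	buggy_offset = page_size;
	tst_res(TINFO, "Replacing map at %p with map from offset 0x%lx...",
	       p + hpage_size, (unsigned long)buggy_offset);
	q = mmap(p + hpage_size, hpage_size, PROT_READ|PROT_WRITE,
		 MAP_FIXED|MAP_PRIVATE, fd, buggy_offset);
	if (q != MAP_FAILED) {
		/*
		 * errno is not meaningful after a successful mmap(), so it
		 * is not appended to this message.
		 */
		tst_res(TFAIL, "bogus offset mmap() succeeded at %p", q);
		goto cleanup;
	}
	if (errno != EINVAL) {
		tst_res(TFAIL|TERRNO, "bogus mmap() failed should be \"%s\" but it is",
		     tst_strerrno(EINVAL));
		goto cleanup;
	}

	tst_res(TINFO, "After Mapping with buggy offset, Free hugepages: %lu",
		SAFE_READ_MEMINFO(MEMINFO_HPAGE_FREE));

	/* The rejected mmap() must have left the first huge page untouched */
	if (*pi != RANDOM_CONSTANT) {
		tst_res(TFAIL, "Pre-existing mapping clobbered: %x instead of %x",
		     *pi, RANDOM_CONSTANT);
		goto cleanup;
	}

	/*
	 * The real test is whether we got a bad_pud() or similar
	 * during the run.  The check above, combined with the earlier
	 * mprotect()s to flush the TLB are supposed to catch it, but
	 * it's hard to be certain.  Once bad_pud() is called
	 * behaviour can be very strange.
	 */

	tst_res(TPASS, "Successful but inconclusive");
cleanup:
	/* Covers the whole two-page range, including any replacement mapping */
	SAFE_MUNMAP(p, 2*hpage_size);
}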
121 
/*
 * One-time initialisation: record the base and huge page sizes and open an
 * unlinked file under MNTPOINT for run_test() to map.
 */
static void setup(void)
{
	/* Base page size; run_test() uses it as the bogus file offset */
	page_size = getpagesize();

	/* The meminfo value is scaled by 1024 (presumably reported in kB) */
	hpage_size = 1024 * SAFE_READ_MEMINFO("Hugepagesize:");

	/* Second argument is passed as 0; its meaning is defined by the LTP helper */
	fd = tst_creat_unlinked(MNTPOINT, 0);
}
128 
/*
 * Release the file descriptor opened by setup(), if there is one.
 */
static void cleanup(void)
{
	/* fd starts at -1, so a negative value means nothing was opened */
	if (fd < 0)
		return;

	SAFE_CLOSE(fd);
}
134 
/*
 * LTP test descriptor: wires up the callbacks and declares what the test
 * needs from the environment.
 */
static struct tst_test test = {
	/* Callbacks */
	.test_all = run_test,
	.setup = setup,
	.cleanup = cleanup,

	/* Environment: root, plus hugetlbfs at MNTPOINT */
	.needs_root = 1,
	.needs_hugetlbfs = 1,
	.mntpoint = MNTPOINT,
	/* Presumably a hard requirement for 4 huge pages; confirm against the LTP library */
	.hugepages = {4, TST_NEEDS},

	/* Kernel commit the file header names as the fix for the bug under test */
	.tags = (struct tst_tag[]) {
		{"linux-git", "856fc2950555"},
		{}
	},
};
148