1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2018 Jan Stancek. All rights reserved.
4 */
5 /*
6 * Test: Spawn 2 threads. First thread maps, writes and unmaps
7 * an area. Second thread tries to read from it. Second thread
8 * races against first thread. There is no synchronization
9 * between threads, but each mmap/munmap increases a counter
10 * that is checked to determine when has read occurred. If a read
11 * hit SIGSEGV in between mmap/munmap it is a failure. If a read
12 * between mmap/munmap worked, then its value must match expected
13 * value.
14 *
15 * Can trigger panics/stalls since at least 4.14 on some arches:
16 * fc8efd2ddfed ("mm/memory.c: do_fault: avoid usage of stale vm_area_struct")
17 * Can trigger user-space stalls on aarch64:
18 * 7a30df49f63a ("mm: mmu_gather: remove __tlb_reset_range() for force flush")
19 * https://lore.kernel.org/linux-mm/[email protected]
20 * Can trigger "still mapped when deleted" BUG at mm/filemap.c:171, on aarch64 since 4.20
21 * e1b98fa31664 ("locking/rwsem: Add missing ACQUIRE to read_slowpath exit when queue is empty")
22 * 99143f82a255 ("lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop")
23 */
24 #include <errno.h>
25 #include <float.h>
26 #include <pthread.h>
27 #include <sched.h>
28 #include <setjmp.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include "lapi/abisize.h"
32 #include "tst_test.h"
33 #include "tst_safe_pthread.h"
34
35 #define GIGABYTE (1L*1024*1024*1024)
36 #define TEST_FILENAME "ashfile"
37
38 /* seconds remaining before reaching timeout */
39 #define STOP_THRESHOLD 10
40
41 #define PROGRESS_SEC 3
42
43 static int file_size = 1024;
44 static int num_iter = 5000;
45
46 static void *distant_area;
47 static jmp_buf jmpbuf;
48 static volatile unsigned char *map_address;
49 static unsigned long page_sz;
50
51 static unsigned long mapped_sigsegv_count;
52 static unsigned long map_count;
53 static unsigned long threads_spawned;
54 static unsigned long data_matched;
55 static unsigned long repeated_reads;
56
57 /* sequence id for each map/unmap performed */
58 static int mapcnt, unmapcnt;
59 /* stored sequence id before making read attempt */
60 static int br_map, br_unmap;
61
62 /* compare "before read" counters with "after read" counters */
was_area_mapped(int br_m,int br_u,int ar_m,int ar_u)63 static inline int was_area_mapped(int br_m, int br_u, int ar_m, int ar_u)
64 {
65 return (br_m == ar_m && br_u == ar_u && br_m > br_u);
66 }
67
sig_handler(int signal,siginfo_t * info,LTP_ATTRIBUTE_UNUSED void * ut)68 static void sig_handler(int signal, siginfo_t *info,
69 LTP_ATTRIBUTE_UNUSED void *ut)
70 {
71 int ar_m, ar_u;
72
73 switch (signal) {
74 case SIGSEGV:
75 /* if we hit SIGSEGV between map/unmap, something is wrong */
76 ar_u = tst_atomic_load(&unmapcnt);
77 ar_m = tst_atomic_load(&mapcnt);
78 if (was_area_mapped(br_map, br_unmap, ar_m, ar_u)) {
79 tst_res(TFAIL, "got sigsegv while mapped");
80 _exit(TFAIL);
81 }
82
83 mapped_sigsegv_count++;
84 longjmp(jmpbuf, 1);
85 break;
86 default:
87 tst_res(TFAIL, "Unexpected signal - %d, addr: %p, exiting",
88 signal, info->si_addr);
89 _exit(TBROK);
90 }
91 }
92
map_write_unmap(void * ptr)93 void *map_write_unmap(void *ptr)
94 {
95 int *fd = ptr;
96 void *tmp;
97 int i, j;
98
99 for (i = 0; i < num_iter; i++) {
100 map_address = SAFE_MMAP(distant_area,
101 (size_t) file_size, PROT_WRITE | PROT_READ,
102 MAP_SHARED, *fd, 0);
103 tst_atomic_inc(&mapcnt);
104
105 for (j = 0; j < file_size; j++)
106 map_address[j] = 'b';
107
108 tmp = (void *)map_address;
109 tst_atomic_inc(&unmapcnt);
110 SAFE_MUNMAP(tmp, file_size);
111
112 map_count++;
113 }
114
115 return NULL;
116 }
117
read_mem(LTP_ATTRIBUTE_UNUSED void * ptr)118 void *read_mem(LTP_ATTRIBUTE_UNUSED void *ptr)
119 {
120 volatile int i; /* longjmp could clobber i */
121 int j, ar_map, ar_unmap;
122 unsigned char c;
123
124 for (i = 0; i < num_iter; i++) {
125 if (setjmp(jmpbuf) == 1)
126 continue;
127
128 for (j = 0; j < file_size; j++) {
129 read_again:
130 br_map = tst_atomic_load(&mapcnt);
131 br_unmap = tst_atomic_load(&unmapcnt);
132
133 c = map_address[j];
134
135 ar_unmap = tst_atomic_load(&unmapcnt);
136 ar_map = tst_atomic_load(&mapcnt);
137
138 /*
139 * Read above is racing against munmap and mmap
140 * in other thread. While the address might be valid
141 * the mapping could be in various stages of being
142 * 'ready'. We only check the value, if we can be sure
143 * read hapenned in between single mmap and munmap as
144 * observed by first thread.
145 */
146 if (was_area_mapped(br_map, br_unmap, ar_map,
147 ar_unmap)) {
148 switch (c) {
149 case 'a':
150 repeated_reads++;
151 goto read_again;
152 case 'b':
153 data_matched++;
154 break;
155 default:
156 tst_res(TFAIL, "value[%d] is %c", j, c);
157 break;
158 }
159 }
160 }
161 }
162
163 return NULL;
164 }
165
mkfile(int size)166 int mkfile(int size)
167 {
168 int fd, i;
169
170 fd = SAFE_OPEN(TEST_FILENAME, O_RDWR | O_CREAT, 0600);
171 SAFE_UNLINK(TEST_FILENAME);
172
173 for (i = 0; i < size; i++)
174 SAFE_WRITE(SAFE_WRITE_ALL, fd, "a", 1);
175 SAFE_WRITE(SAFE_WRITE_ALL, fd, "\0", 1);
176
177 if (fsync(fd) == -1)
178 tst_brk(TBROK | TERRNO, "fsync()");
179
180 return fd;
181 }
182
setup(void)183 static void setup(void)
184 {
185 struct sigaction sigptr;
186 size_t distant_mmap_size;
187 size_t mem_total;
188
189 page_sz = getpagesize();
190 mem_total = SAFE_READ_MEMINFO("MemTotal:");
191 mem_total *= 1024;
192
193 #ifdef TST_ABI32
194 distant_mmap_size = 256*1024*1024;
195 #else
196 distant_mmap_size = (mem_total > 4 * GIGABYTE) ? 2 * GIGABYTE : mem_total / 2;
197 #endif
198 /*
199 * Used as hint for mmap thread, so it doesn't interfere
200 * with other potential (temporary) mappings from libc
201 */
202 distant_area = SAFE_MMAP(0, distant_mmap_size, PROT_WRITE | PROT_READ,
203 MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
204 SAFE_MUNMAP(distant_area, distant_mmap_size);
205 distant_area += distant_mmap_size / 2;
206
207 sigptr.sa_sigaction = sig_handler;
208 sigemptyset(&sigptr.sa_mask);
209 sigptr.sa_flags = SA_SIGINFO | SA_NODEFER;
210 SAFE_SIGACTION(SIGSEGV, &sigptr, NULL);
211 }
212
run(void)213 static void run(void)
214 {
215 pthread_t thid[2];
216 int start, last_update;
217
218 start = last_update = tst_remaining_runtime();
219 while (tst_remaining_runtime()) {
220 int fd = mkfile(file_size);
221
222 tst_atomic_store(0, &mapcnt);
223 tst_atomic_store(0, &unmapcnt);
224
225 SAFE_PTHREAD_CREATE(&thid[0], NULL, map_write_unmap, &fd);
226 SAFE_PTHREAD_CREATE(&thid[1], NULL, read_mem, &fd);
227 threads_spawned += 2;
228
229 SAFE_PTHREAD_JOIN(thid[0], NULL);
230 SAFE_PTHREAD_JOIN(thid[1], NULL);
231
232 close(fd);
233
234 if (last_update - tst_remaining_runtime() >= PROGRESS_SEC) {
235 last_update = tst_remaining_runtime();
236 tst_res(TINFO, "[%03d] mapped: %lu, sigsegv hit: %lu, "
237 "threads spawned: %lu",
238 start - last_update,
239 map_count, mapped_sigsegv_count,
240 threads_spawned);
241 tst_res(TINFO, " repeated_reads: %ld, "
242 "data_matched: %lu", repeated_reads,
243 data_matched);
244 }
245 }
246 tst_res(TPASS, "System survived.");
247 }
248
249 static struct tst_test test = {
250 .test_all = run,
251 .setup = setup,
252 .max_runtime = 180,
253 .needs_tmpdir = 1,
254 };
255