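// SPDX-License-Identifier: LGPL-2.1-or-later
/*
 * Copyright (C) 2005-2006 David Gibson & Adam Litke, IBM Corporation.
 * Copyright (C) 2006 Hugh Dickins <hugh@veritas.com>
 * Author: David Gibson & Adam Litke
 */

/*\
 * [Description]
 *
 * At one stage, a misconversion of hugetlb_vmtruncate_list to a
 * prio_tree meant that on 32-bit machines, truncates at or above 4GB
 * could truncate lower pages, resulting in BUG_ON()s.
 *
 * WARNING: The offsets and addresses used within are specifically
 * calculated to trigger the bug as it existed. Don't mess with them
 * unless you *really* know what you're doing.
 *
 * The kernel bug in question was fixed with commit
 * 856fc2950555.
 *
 * NOTE(review): the code below never truncates the file. It maps a
 * hugetlbfs file at an offset of one base page (not a multiple of the
 * huge page size), expects mmap() to fail with EINVAL, and then checks
 * that the neighbouring mapping was not clobbered. Confirm that the
 * description and the tagged commit above belong to this test.
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mount.h>
#include <limits.h>
#include <sys/param.h>
#include <sys/types.h>

#include "hugetlb.h"

/* Marker written into the reference mapping and read back afterwards. */
#define RANDOM_CONSTANT	0x1234ABCD
#define MNTPOINT "hugetlbfs/"

static int page_size;	/* base page size, set in setup() */
static long hpage_size;	/* huge page size in bytes, set in setup() */
static int fd = -1;	/* file on the hugetlbfs mount, opened in setup() */

/*
 * Map two huge pages, then try to replace the second one with a mapping
 * of the same file at a misaligned offset. The test reports TFAIL if the
 * bogus mmap() succeeds, if it fails with anything other than EINVAL, or
 * if the marker stored in the first huge page has changed afterwards.
 */
static void run_test(void)
{
	off_t buggy_offset;
	void *p, *q;
	volatile int *pi;
	int err;

	/*
	 * First, we make a 2 page sane hugepage mapping. Then we
	 * memset() it to ensure that the ptes are instantiated for
	 * it. Then we attempt to replace the second half of the map
	 * with one at a bogus offset. We leave the first page of
	 * sane mapping in place to ensure that the corresponding
	 * pud/pmd/whatever entries aren't cleaned away. It's those
	 * bad entries which can trigger bad_pud() checks if the
	 * backout path for the bogus mapping is buggy, which it was
	 * in some kernels.
	 */
	tst_res(TINFO, "Initial free hugepages: %lu",
		SAFE_READ_MEMINFO(MEMINFO_HPAGE_FREE));

	/* Reference mapping: two huge pages, starting at file offset 0 */
	p = SAFE_MMAP(NULL, 2*hpage_size, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);

	tst_res(TINFO, "After Mapping reference map, Free hugepages: %lu",
		SAFE_READ_MEMINFO(MEMINFO_HPAGE_FREE));
	tst_res(TINFO, "Mapped Address Range: %p-%p", p, p+2*hpage_size-1);

	/* Touch both huge pages, then leave a marker in the first one */
	memset(p, 0, 2*hpage_size);
	pi = p;
	*pi = RANDOM_CONSTANT;

	tst_res(TINFO, "After instantiate the pages, Free hugepages: %lu",
		SAFE_READ_MEMINFO(MEMINFO_HPAGE_FREE));

	/*
	 * Toggle the permissions on the first page. This forces TLB
	 * entries (including hash page table on powerpc) to be
	 * flushed, so that the page tables must be accessed for the
	 * test further down. In the buggy case, those page tables
	 * can get thrown away by a pud_clear()
	 */
	err = mprotect(p, hpage_size, PROT_READ);
	if (err)
		tst_brk(TBROK|TERRNO, "mprotect(%p, 0x%lx, PROT_READ)", p, hpage_size);

	/* Replace top hpage by hpage mapping at confusing file offset */
	buggy_offset = page_size;
	tst_res(TINFO, "Replacing map at %p with map from offset 0x%lx...",
		p + hpage_size, (unsigned long)buggy_offset);
	q = mmap(p + hpage_size, hpage_size, PROT_READ|PROT_WRITE,
		 MAP_FIXED|MAP_PRIVATE, fd, buggy_offset);
	if (q != MAP_FAILED) {
		/*
		 * A successful mmap() does not set errno, so TERRNO is
		 * left out here; it would only print a stale value.
		 */
		tst_res(TFAIL, "bogus offset mmap() succeeded at %p", q);
		goto cleanup;
	}
	if (errno != EINVAL) {
		/* TERRNO appends the errno that was actually returned */
		tst_res(TFAIL|TERRNO, "bogus mmap() failed should be \"%s\" but it is",
			tst_strerrno(EINVAL));
		goto cleanup;
	}

	tst_res(TINFO, "After Mapping with buggy offset, Free hugepages: %lu",
		SAFE_READ_MEMINFO(MEMINFO_HPAGE_FREE));

	/* The rejected mmap() must leave the first huge page untouched */
	if (*pi != RANDOM_CONSTANT) {
		tst_res(TFAIL, "Pre-existing mapping clobbered: %x instead of %x",
			*pi, RANDOM_CONSTANT);
		goto cleanup;
	}

	/*
	 * The real test is whether we got a bad_pud() or similar
	 * during the run. The check above, combined with the earlier
	 * mprotect() to flush the TLB are supposed to catch it, but
	 * it's hard to be certain. Once bad_pud() is called
	 * behaviour can be very strange.
	 */

	tst_res(TPASS, "Successful but inconclusive");
cleanup:
	/* Covers both huge pages, whichever mapping now backs the second */
	SAFE_MUNMAP(p, 2*hpage_size);
}

/*
 * Record the base and huge page sizes and open the test file on the
 * hugetlbfs mount point.
 */
static void setup(void)
{
	page_size = getpagesize();
	/* The meminfo value is scaled by 1024 (kB to bytes) */
	hpage_size = SAFE_READ_MEMINFO("Hugepagesize:")*1024;
	fd = tst_creat_unlinked(MNTPOINT, 0);
}

/* Close the test file if setup() got as far as opening it. */
static void cleanup(void)
{
	if (fd >= 0)
		SAFE_CLOSE(fd);
}

/*
 * Test definition: runs as root on a hugetlbfs mount at MNTPOINT and
 * asks for 4 huge pages (TST_NEEDS).
 */
static struct tst_test test = {
	.tags = (struct tst_tag[]) {
		{"linux-git", "856fc2950555"},
		{}
	},
	.needs_root = 1,
	.mntpoint = MNTPOINT,
	.needs_hugetlbfs = 1,
	.setup = setup,
	.cleanup = cleanup,
	.test_all = run_test,
	.hugepages = {4, TST_NEEDS},
};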