1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * Copyright (c) 2018 Jan Stancek. All rights reserved.
4 */
5/*
6 * Test: Spawn 2 threads. First thread maps, writes and unmaps
7 * an area. Second thread tries to read from it. Second thread
8 * races against first thread. There is no synchronization
9 * between threads, but each mmap/munmap increases a counter
10 * that is checked to determine when has read occurred. If a read
11 * hit SIGSEGV in between mmap/munmap it is a failure. If a read
12 * between mmap/munmap worked, then its value must match expected
13 * value.
14 *
15 * Can trigger panics/stalls since at least 4.14 on some arches:
16 *   fc8efd2ddfed ("mm/memory.c: do_fault: avoid usage of stale vm_area_struct")
17 * Can trigger user-space stalls on aarch64:
18 *   7a30df49f63a ("mm: mmu_gather: remove __tlb_reset_range() for force flush")
19 *   https://lore.kernel.org/linux-mm/1817839533.20996552.1557065445233.JavaMail.zimbra@redhat.com
20 * Can trigger "still mapped when deleted" BUG at mm/filemap.c:171, on aarch64 since 4.20
21 *   e1b98fa31664 ("locking/rwsem: Add missing ACQUIRE to read_slowpath exit when queue is empty")
22 *   99143f82a255 ("lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop")
23 */
24#include <errno.h>
25#include <float.h>
26#include <pthread.h>
27#include <sched.h>
28#include <setjmp.h>
29#include <stdio.h>
30#include <stdlib.h>
31#include "lapi/abisize.h"
32#include "tst_test.h"
33#include "tst_safe_pthread.h"
34
35#define GIGABYTE (1L*1024*1024*1024)
36#define TEST_FILENAME "ashfile"
37
38/* seconds remaining before reaching timeout */
39#define STOP_THRESHOLD 10
40
41#define PROGRESS_SEC 3
42
43static int file_size = 1024;
44static int num_iter = 5000;
45
46static void *distant_area;
47static jmp_buf jmpbuf;
48static volatile unsigned char *map_address;
49static unsigned long page_sz;
50
51static unsigned long mapped_sigsegv_count;
52static unsigned long map_count;
53static unsigned long threads_spawned;
54static unsigned long data_matched;
55static unsigned long repeated_reads;
56
57/* sequence id for each map/unmap performed */
58static int mapcnt, unmapcnt;
59/* stored sequence id before making read attempt */
60static int br_map, br_unmap;
61
62/* compare "before read" counters  with "after read" counters */
63static inline int was_area_mapped(int br_m, int br_u, int ar_m, int ar_u)
64{
65	return (br_m == ar_m && br_u == ar_u && br_m > br_u);
66}
67
68static void sig_handler(int signal, siginfo_t *info,
69	LTP_ATTRIBUTE_UNUSED void *ut)
70{
71	int ar_m, ar_u;
72
73	switch (signal) {
74	case SIGSEGV:
75		/* if we hit SIGSEGV between map/unmap, something is wrong */
76		ar_u = tst_atomic_load(&unmapcnt);
77		ar_m = tst_atomic_load(&mapcnt);
78		if (was_area_mapped(br_map, br_unmap, ar_m, ar_u)) {
79			tst_res(TFAIL, "got sigsegv while mapped");
80			_exit(TFAIL);
81		}
82
83		mapped_sigsegv_count++;
84		longjmp(jmpbuf, 1);
85		break;
86	default:
87		tst_res(TFAIL, "Unexpected signal - %d, addr: %p, exiting",
88			signal, info->si_addr);
89		_exit(TBROK);
90	}
91}
92
93void *map_write_unmap(void *ptr)
94{
95	int *fd = ptr;
96	void *tmp;
97	int i, j;
98
99	for (i = 0; i < num_iter; i++) {
100		map_address = SAFE_MMAP(distant_area,
101			(size_t) file_size, PROT_WRITE | PROT_READ,
102			MAP_SHARED, *fd, 0);
103		tst_atomic_inc(&mapcnt);
104
105		for (j = 0; j < file_size; j++)
106			map_address[j] = 'b';
107
108		tmp = (void *)map_address;
109		tst_atomic_inc(&unmapcnt);
110		SAFE_MUNMAP(tmp, file_size);
111
112		map_count++;
113	}
114
115	return NULL;
116}
117
118void *read_mem(LTP_ATTRIBUTE_UNUSED void *ptr)
119{
120	volatile int i; /* longjmp could clobber i */
121	int j, ar_map, ar_unmap;
122	unsigned char c;
123
124	for (i = 0; i < num_iter; i++) {
125		if (setjmp(jmpbuf) == 1)
126			continue;
127
128		for (j = 0; j < file_size; j++) {
129read_again:
130			br_map = tst_atomic_load(&mapcnt);
131			br_unmap = tst_atomic_load(&unmapcnt);
132
133			c = map_address[j];
134
135			ar_unmap = tst_atomic_load(&unmapcnt);
136			ar_map = tst_atomic_load(&mapcnt);
137
138			/*
139			 * Read above is racing against munmap and mmap
140			 * in other thread. While the address might be valid
141			 * the mapping could be in various stages of being
142			 * 'ready'. We only check the value, if we can be sure
143			 * read hapenned in between single mmap and munmap as
144			 * observed by first thread.
145			 */
146			if (was_area_mapped(br_map, br_unmap, ar_map,
147				ar_unmap)) {
148				switch (c) {
149				case 'a':
150					repeated_reads++;
151					goto read_again;
152				case 'b':
153					data_matched++;
154					break;
155				default:
156					tst_res(TFAIL, "value[%d] is %c", j, c);
157					break;
158				}
159			}
160		}
161	}
162
163	return NULL;
164}
165
166int mkfile(int size)
167{
168	int fd, i;
169
170	fd = SAFE_OPEN(TEST_FILENAME, O_RDWR | O_CREAT, 0600);
171	SAFE_UNLINK(TEST_FILENAME);
172
173	for (i = 0; i < size; i++)
174		SAFE_WRITE(SAFE_WRITE_ALL, fd, "a", 1);
175	SAFE_WRITE(SAFE_WRITE_ALL, fd, "\0", 1);
176
177	if (fsync(fd) == -1)
178		tst_brk(TBROK | TERRNO, "fsync()");
179
180	return fd;
181}
182
183static void setup(void)
184{
185	struct sigaction sigptr;
186	size_t distant_mmap_size;
187	size_t mem_total;
188
189	page_sz = getpagesize();
190	mem_total = SAFE_READ_MEMINFO("MemTotal:");
191	mem_total *= 1024;
192
193#ifdef TST_ABI32
194	distant_mmap_size = 256*1024*1024;
195#else
196	distant_mmap_size = (mem_total > 4 * GIGABYTE) ? 2 * GIGABYTE : mem_total / 2;
197#endif
198	/*
199	 * Used as hint for mmap thread, so it doesn't interfere
200	 * with other potential (temporary) mappings from libc
201	 */
202	distant_area = SAFE_MMAP(0, distant_mmap_size, PROT_WRITE | PROT_READ,
203			MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
204	SAFE_MUNMAP(distant_area, distant_mmap_size);
205	distant_area += distant_mmap_size / 2;
206
207	sigptr.sa_sigaction = sig_handler;
208	sigemptyset(&sigptr.sa_mask);
209	sigptr.sa_flags = SA_SIGINFO | SA_NODEFER;
210	SAFE_SIGACTION(SIGSEGV, &sigptr, NULL);
211}
212
213static void run(void)
214{
215	pthread_t thid[2];
216	int start, last_update;
217
218	start = last_update = tst_remaining_runtime();
219	while (tst_remaining_runtime()) {
220		int fd = mkfile(file_size);
221
222		tst_atomic_store(0, &mapcnt);
223		tst_atomic_store(0, &unmapcnt);
224
225		SAFE_PTHREAD_CREATE(&thid[0], NULL, map_write_unmap, &fd);
226		SAFE_PTHREAD_CREATE(&thid[1], NULL, read_mem, &fd);
227		threads_spawned += 2;
228
229		SAFE_PTHREAD_JOIN(thid[0], NULL);
230		SAFE_PTHREAD_JOIN(thid[1], NULL);
231
232		close(fd);
233
234		if (last_update - tst_remaining_runtime() >= PROGRESS_SEC) {
235			last_update = tst_remaining_runtime();
236			tst_res(TINFO, "[%03d] mapped: %lu, sigsegv hit: %lu, "
237				"threads spawned: %lu",
238				start - last_update,
239				map_count, mapped_sigsegv_count,
240				threads_spawned);
241			tst_res(TINFO, "      repeated_reads: %ld, "
242				"data_matched: %lu", repeated_reads,
243				data_matched);
244		}
245	}
246	tst_res(TPASS, "System survived.");
247}
248
249static struct tst_test test = {
250	.test_all = run,
251	.setup = setup,
252	.max_runtime = 180,
253	.needs_tmpdir = 1,
254};
255