1 // SPDX-License-Identifier: GPL-2.0-only
3 * Test handling of code that might set PTE/PMD dirty in read-only VMAs.
4 * Setting a PTE/PMD dirty must not accidentally set the PTE/PMD writable.
6 * Copyright 2023, Red Hat, Inc.
12 #include <asm-generic/unistd.h>
20 #include <sys/syscall.h>
21 #include <sys/ioctl.h>
22 #include <linux/userfaultfd.h>
23 #include <linux/mempolicy.h>
25 #include "../kselftest.h"
28 static size_t pagesize;
29 static size_t thpsize;
31 static int pagemap_fd;
32 static sigjmp_buf env;
34 static void signal_handler(int sig)
41 static void do_test_write_sigsegv(char *mem)
46 if (signal(SIGSEGV, signal_handler) == SIG_ERR) {
47 ksft_test_result_fail("signal() failed\n");
51 ret = sigsetjmp(env, 1);
55 if (signal(SIGSEGV, SIG_DFL) == SIG_ERR)
56 ksft_test_result_fail("signal() failed\n");
58 ksft_test_result(ret == 1 && *mem == orig,
59 "SIGSEGV generated, page not modified\n");
62 static char *mmap_thp_range(int prot, char **_mmap_mem, size_t *_mmap_size)
64 const size_t mmap_size = 2 * thpsize;
67 mmap_mem = mmap(NULL, mmap_size, prot, MAP_PRIVATE|MAP_ANON,
69 if (mmap_mem == MAP_FAILED) {
70 ksft_test_result_fail("mmap() failed\n");
73 mem = (char *)(((uintptr_t)mmap_mem + thpsize) & ~(thpsize - 1));
75 if (madvise(mem, thpsize, MADV_HUGEPAGE)) {
76 ksft_test_result_skip("MADV_HUGEPAGE failed\n");
77 munmap(mmap_mem, mmap_size);
81 *_mmap_mem = mmap_mem;
82 *_mmap_size = mmap_size;
86 static void test_ptrace_write(void)
92 ksft_print_msg("[INFO] PTRACE write access\n");
94 mem = mmap(NULL, pagesize, PROT_READ, MAP_PRIVATE|MAP_ANON, -1, 0);
95 if (mem == MAP_FAILED) {
96 ksft_test_result_fail("mmap() failed\n");
100 /* Fault in the shared zeropage. */
102 ksft_test_result_fail("Memory not zero\n");
107 * Unshare the page (populating a fresh anon page that might be set
108 * dirty in the PTE) in the read-only VMA using ptrace (FOLL_FORCE).
110 lseek(mem_fd, (uintptr_t) mem, SEEK_SET);
111 ret = write(mem_fd, &data, 1);
112 if (ret != 1 || *mem != data) {
113 ksft_test_result_fail("write() failed\n");
117 do_test_write_sigsegv(mem);
119 munmap(mem, pagesize);
122 static void test_ptrace_write_thp(void)
124 char *mem, *mmap_mem;
129 ksft_print_msg("[INFO] PTRACE write access to THP\n");
131 mem = mmap_thp_range(PROT_READ, &mmap_mem, &mmap_size);
132 if (mem == MAP_FAILED)
136 * Write to the first subpage in the read-only VMA using
137 * ptrace(FOLL_FORCE), eventually placing a fresh THP that is marked
140 lseek(mem_fd, (uintptr_t) mem, SEEK_SET);
141 ret = write(mem_fd, &data, 1);
142 if (ret != 1 || *mem != data) {
143 ksft_test_result_fail("write() failed\n");
147 /* MM populated a THP if we got the last subpage populated as well. */
148 if (!pagemap_is_populated(pagemap_fd, mem + thpsize - pagesize)) {
149 ksft_test_result_skip("Did not get a THP populated\n");
153 do_test_write_sigsegv(mem);
155 munmap(mmap_mem, mmap_size);
158 static void test_page_migration(void)
162 ksft_print_msg("[INFO] Page migration\n");
164 mem = mmap(NULL, pagesize, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON,
166 if (mem == MAP_FAILED) {
167 ksft_test_result_fail("mmap() failed\n");
171 /* Populate a fresh page and dirty it. */
172 memset(mem, 1, pagesize);
173 if (mprotect(mem, pagesize, PROT_READ)) {
174 ksft_test_result_fail("mprotect() failed\n");
178 /* Trigger page migration. Might not be available or fail. */
179 if (syscall(__NR_mbind, mem, pagesize, MPOL_LOCAL, NULL, 0x7fful,
181 ksft_test_result_skip("mbind() failed\n");
185 do_test_write_sigsegv(mem);
187 munmap(mem, pagesize);
190 static void test_page_migration_thp(void)
192 char *mem, *mmap_mem;
195 ksft_print_msg("[INFO] Page migration of THP\n");
197 mem = mmap_thp_range(PROT_READ|PROT_WRITE, &mmap_mem, &mmap_size);
198 if (mem == MAP_FAILED)
202 * Write to the first page, which might populate a fresh anon THP
205 memset(mem, 1, pagesize);
206 if (mprotect(mem, thpsize, PROT_READ)) {
207 ksft_test_result_fail("mprotect() failed\n");
211 /* MM populated a THP if we got the last subpage populated as well. */
212 if (!pagemap_is_populated(pagemap_fd, mem + thpsize - pagesize)) {
213 ksft_test_result_skip("Did not get a THP populated\n");
217 /* Trigger page migration. Might not be available or fail. */
218 if (syscall(__NR_mbind, mem, thpsize, MPOL_LOCAL, NULL, 0x7fful,
220 ksft_test_result_skip("mbind() failed\n");
224 do_test_write_sigsegv(mem);
226 munmap(mmap_mem, mmap_size);
229 static void test_pte_mapped_thp(void)
231 char *mem, *mmap_mem;
234 ksft_print_msg("[INFO] PTE-mapping a THP\n");
236 mem = mmap_thp_range(PROT_READ|PROT_WRITE, &mmap_mem, &mmap_size);
237 if (mem == MAP_FAILED)
241 * Write to the first page, which might populate a fresh anon THP
244 memset(mem, 1, pagesize);
245 if (mprotect(mem, thpsize, PROT_READ)) {
246 ksft_test_result_fail("mprotect() failed\n");
250 /* MM populated a THP if we got the last subpage populated as well. */
251 if (!pagemap_is_populated(pagemap_fd, mem + thpsize - pagesize)) {
252 ksft_test_result_skip("Did not get a THP populated\n");
256 /* Trigger PTE-mapping the THP by mprotect'ing the last subpage. */
257 if (mprotect(mem + thpsize - pagesize, pagesize,
258 PROT_READ|PROT_WRITE)) {
259 ksft_test_result_fail("mprotect() failed\n");
263 do_test_write_sigsegv(mem);
265 munmap(mmap_mem, mmap_size);
268 static void test_uffdio_copy(void)
270 struct uffdio_register uffdio_register;
271 struct uffdio_copy uffdio_copy;
272 struct uffdio_api uffdio_api;
276 ksft_print_msg("[INFO] UFFDIO_COPY\n");
278 src = malloc(pagesize);
279 memset(src, 1, pagesize);
280 dst = mmap(NULL, pagesize, PROT_READ, MAP_PRIVATE|MAP_ANON, -1, 0);
281 if (dst == MAP_FAILED) {
282 ksft_test_result_fail("mmap() failed\n");
286 uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
288 ksft_test_result_skip("__NR_userfaultfd failed\n");
292 uffdio_api.api = UFFD_API;
293 uffdio_api.features = 0;
294 if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) {
295 ksft_test_result_fail("UFFDIO_API failed\n");
299 uffdio_register.range.start = (unsigned long) dst;
300 uffdio_register.range.len = pagesize;
301 uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
302 if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register)) {
303 ksft_test_result_fail("UFFDIO_REGISTER failed\n");
307 /* Place a page in a read-only VMA, which might set the PTE dirty. */
308 uffdio_copy.dst = (unsigned long) dst;
309 uffdio_copy.src = (unsigned long) src;
310 uffdio_copy.len = pagesize;
311 uffdio_copy.mode = 0;
312 if (ioctl(uffd, UFFDIO_COPY, &uffdio_copy)) {
313 ksft_test_result_fail("UFFDIO_COPY failed\n");
317 do_test_write_sigsegv(dst);
321 munmap(dst, pagesize);
329 pagesize = getpagesize();
330 thpsize = read_pmd_pagesize();
332 ksft_print_msg("[INFO] detected THP size: %zu KiB\n",
339 ksft_set_plan(tests);
341 mem_fd = open("/proc/self/mem", O_RDWR);
343 ksft_exit_fail_msg("opening /proc/self/mem failed\n");
344 pagemap_fd = open("/proc/self/pagemap", O_RDONLY);
346 ksft_exit_fail_msg("opening /proc/self/pagemap failed\n");
349 * On some ptrace(FOLL_FORCE) write access via /proc/self/mem in
350 * read-only VMAs, the kernel may set the PTE/PMD dirty.
354 test_ptrace_write_thp();
356 * On page migration, the kernel may set the PTE/PMD dirty when
357 * remapping the page.
359 test_page_migration();
361 test_page_migration_thp();
362 /* PTE-mapping a THP might propagate the dirty PMD bit to the PTEs. */
364 test_pte_mapped_thp();
365 /* Placing a fresh page via userfaultfd may set the PTE dirty. */
368 err = ksft_get_fail_cnt();
370 ksft_exit_fail_msg("%d out of %d tests failed\n",
371 err, ksft_test_num());
projects / J-linux.git / blob