1 // SPDX-License-Identifier: GPL-2.0-only
3 * COW (Copy On Write) tests.
5 * Copyright 2022, Red Hat, Inc.
7 * Author(s): David Hildenbrand <david@redhat.com>
18 #include <linux/mman.h>
20 #include <sys/ioctl.h>
22 #include <linux/memfd.h>
24 #include "local_config.h"
25 #ifdef LOCAL_CONFIG_HAVE_LIBURING
27 #endif /* LOCAL_CONFIG_HAVE_LIBURING */
29 #include "../../../../mm/gup_test.h"
30 #include "../kselftest.h"
33 static size_t pagesize;
34 static int pagemap_fd;
35 static size_t thpsize;
36 static int nr_hugetlbsizes;
37 static size_t hugetlbsizes[10];
39 static bool has_huge_zeropage;
41 static void detect_huge_zeropage(void)
43 int fd = open("/sys/kernel/mm/transparent_hugepage/use_zero_page",
52 ret = pread(fd, buf, sizeof(buf), 0);
53 if (ret > 0 && ret < sizeof(buf)) {
56 enabled = strtoul(buf, NULL, 10);
58 has_huge_zeropage = true;
59 ksft_print_msg("[INFO] huge zeropage is enabled\n");
66 static bool range_is_swapped(void *addr, size_t size)
68 for (; size; addr += pagesize, size -= pagesize)
69 if (!pagemap_is_swapped(pagemap_fd, addr))
79 static int setup_comm_pipes(struct comm_pipes *comm_pipes)
81 if (pipe(comm_pipes->child_ready) < 0)
83 if (pipe(comm_pipes->parent_ready) < 0) {
84 close(comm_pipes->child_ready[0]);
85 close(comm_pipes->child_ready[1]);
92 static void close_comm_pipes(struct comm_pipes *comm_pipes)
94 close(comm_pipes->child_ready[0]);
95 close(comm_pipes->child_ready[1]);
96 close(comm_pipes->parent_ready[0]);
97 close(comm_pipes->parent_ready[1]);
100 static int child_memcmp_fn(char *mem, size_t size,
101 struct comm_pipes *comm_pipes)
103 char *old = malloc(size);
106 /* Backup the original content. */
107 memcpy(old, mem, size);
109 /* Wait until the parent modified the page. */
110 write(comm_pipes->child_ready[1], "0", 1);
111 while (read(comm_pipes->parent_ready[0], &buf, 1) != 1)
114 /* See if we still read the old values. */
115 return memcmp(old, mem, size);
118 static int child_vmsplice_memcmp_fn(char *mem, size_t size,
119 struct comm_pipes *comm_pipes)
125 ssize_t cur, total, transferred;
133 /* Backup the original content. */
134 memcpy(old, mem, size);
139 /* Trigger a read-only pin. */
140 transferred = vmsplice(fds[1], &iov, 1, 0);
143 if (transferred == 0)
146 /* Unmap it from our page tables. */
147 if (munmap(mem, size) < 0)
150 /* Wait until the parent modified it. */
151 write(comm_pipes->child_ready[1], "0", 1);
152 while (read(comm_pipes->parent_ready[0], &buf, 1) != 1)
155 /* See if we still read the old values via the pipe. */
156 for (total = 0; total < transferred; total += cur) {
157 cur = read(fds[0], new + total, transferred - total);
162 return memcmp(old, new, transferred);
165 typedef int (*child_fn)(char *mem, size_t size, struct comm_pipes *comm_pipes);
167 static void do_test_cow_in_parent(char *mem, size_t size, bool do_mprotect,
170 struct comm_pipes comm_pipes;
174 ret = setup_comm_pipes(&comm_pipes);
176 ksft_test_result_fail("pipe() failed\n");
182 ksft_test_result_fail("fork() failed\n");
183 goto close_comm_pipes;
185 exit(fn(mem, size, &comm_pipes));
188 while (read(comm_pipes.child_ready[0], &buf, 1) != 1)
193 * mprotect() optimizations might try avoiding
194 * write-faults by directly mapping pages writable.
196 ret = mprotect(mem, size, PROT_READ);
197 ret |= mprotect(mem, size, PROT_READ|PROT_WRITE);
199 ksft_test_result_fail("mprotect() failed\n");
200 write(comm_pipes.parent_ready[1], "0", 1);
202 goto close_comm_pipes;
206 /* Modify the page. */
207 memset(mem, 0xff, size);
208 write(comm_pipes.parent_ready[1], "0", 1);
212 ret = WEXITSTATUS(ret);
216 ksft_test_result(!ret, "No leak from parent into child\n");
218 close_comm_pipes(&comm_pipes);
221 static void test_cow_in_parent(char *mem, size_t size)
223 do_test_cow_in_parent(mem, size, false, child_memcmp_fn);
226 static void test_cow_in_parent_mprotect(char *mem, size_t size)
228 do_test_cow_in_parent(mem, size, true, child_memcmp_fn);
231 static void test_vmsplice_in_child(char *mem, size_t size)
233 do_test_cow_in_parent(mem, size, false, child_vmsplice_memcmp_fn);
236 static void test_vmsplice_in_child_mprotect(char *mem, size_t size)
238 do_test_cow_in_parent(mem, size, true, child_vmsplice_memcmp_fn);
241 static void do_test_vmsplice_in_parent(char *mem, size_t size,
248 ssize_t cur, total, transferred;
249 struct comm_pipes comm_pipes;
257 memcpy(old, mem, size);
259 ret = setup_comm_pipes(&comm_pipes);
261 ksft_test_result_fail("pipe() failed\n");
266 ksft_test_result_fail("pipe() failed\n");
267 goto close_comm_pipes;
271 transferred = vmsplice(fds[1], &iov, 1, 0);
272 if (transferred <= 0) {
273 ksft_test_result_fail("vmsplice() failed\n");
280 ksft_test_result_fail("fork() failed\n");
283 write(comm_pipes.child_ready[1], "0", 1);
284 while (read(comm_pipes.parent_ready[0], &buf, 1) != 1)
286 /* Modify page content in the child. */
287 memset(mem, 0xff, size);
292 transferred = vmsplice(fds[1], &iov, 1, 0);
293 if (transferred <= 0) {
294 ksft_test_result_fail("vmsplice() failed\n");
300 while (read(comm_pipes.child_ready[0], &buf, 1) != 1)
302 if (munmap(mem, size) < 0) {
303 ksft_test_result_fail("munmap() failed\n");
306 write(comm_pipes.parent_ready[1], "0", 1);
308 /* Wait until the child is done writing. */
310 if (!WIFEXITED(ret)) {
311 ksft_test_result_fail("wait() failed\n");
315 /* See if we still read the old values. */
316 for (total = 0; total < transferred; total += cur) {
317 cur = read(fds[0], new + total, transferred - total);
319 ksft_test_result_fail("read() failed\n");
324 ksft_test_result(!memcmp(old, new, transferred),
325 "No leak from child into parent\n");
330 close_comm_pipes(&comm_pipes);
336 static void test_vmsplice_before_fork(char *mem, size_t size)
338 do_test_vmsplice_in_parent(mem, size, true);
341 static void test_vmsplice_after_fork(char *mem, size_t size)
343 do_test_vmsplice_in_parent(mem, size, false);
346 #ifdef LOCAL_CONFIG_HAVE_LIBURING
347 static void do_test_iouring(char *mem, size_t size, bool use_fork)
349 struct comm_pipes comm_pipes;
350 struct io_uring_cqe *cqe;
351 struct io_uring_sqe *sqe;
352 struct io_uring ring;
359 ret = setup_comm_pipes(&comm_pipes);
361 ksft_test_result_fail("pipe() failed\n");
367 ksft_test_result_fail("tmpfile() failed\n");
368 goto close_comm_pipes;
375 ksft_test_result_fail("malloc() failed\n");
379 /* Skip on errors, as we might just lack kernel support. */
380 ret = io_uring_queue_init(1, &ring, 0);
382 ksft_test_result_skip("io_uring_queue_init() failed\n");
387 * Register the range as a fixed buffer. This will FOLL_WRITE | FOLL_PIN
388 * | FOLL_LONGTERM the range.
390 * Skip on errors, as we might just lack kernel support or might not
391 * have sufficient MEMLOCK permissions.
395 ret = io_uring_register_buffers(&ring, &iov, 1);
397 ksft_test_result_skip("io_uring_register_buffers() failed\n");
403 * fork() and keep the child alive until we're done. Note that
404 * we expect the pinned page to not get shared with the child.
408 ksft_test_result_fail("fork() failed\n");
409 goto unregister_buffers;
411 write(comm_pipes.child_ready[1], "0", 1);
412 while (read(comm_pipes.parent_ready[0], &buf, 1) != 1)
417 while (read(comm_pipes.child_ready[0], &buf, 1) != 1)
421 * Map the page R/O into the page table. Enable softdirty
422 * tracking to stop the page from getting mapped R/W immediately
423 * again by mprotect() optimizations. Note that we don't have an
424 * easy way to test if that worked (the pagemap does not export
425 * if the page is mapped R/O vs. R/W).
427 ret = mprotect(mem, size, PROT_READ);
429 ret |= mprotect(mem, size, PROT_READ | PROT_WRITE);
431 ksft_test_result_fail("mprotect() failed\n");
432 goto unregister_buffers;
437 * Modify the page and write page content as observed by the fixed
438 * buffer pin to the file so we can verify it.
440 memset(mem, 0xff, size);
441 sqe = io_uring_get_sqe(&ring);
443 ksft_test_result_fail("io_uring_get_sqe() failed\n");
446 io_uring_prep_write_fixed(sqe, fd, mem, size, 0, 0);
448 ret = io_uring_submit(&ring);
450 ksft_test_result_fail("io_uring_submit() failed\n");
454 ret = io_uring_wait_cqe(&ring, &cqe);
456 ksft_test_result_fail("io_uring_wait_cqe() failed\n");
460 if (cqe->res != size) {
461 ksft_test_result_fail("write_fixed failed\n");
464 io_uring_cqe_seen(&ring, cqe);
466 /* Read back the file content to the temporary buffer. */
468 while (total < size) {
469 cur = pread(fd, tmp + total, size - total, total);
471 ksft_test_result_fail("pread() failed\n");
477 /* Finally, check if we read what we expected. */
478 ksft_test_result(!memcmp(mem, tmp, size),
479 "Longterm R/W pin is reliable\n");
483 write(comm_pipes.parent_ready[1], "0", 1);
487 io_uring_unregister_buffers(&ring);
489 io_uring_queue_exit(&ring);
495 close_comm_pipes(&comm_pipes);
498 static void test_iouring_ro(char *mem, size_t size)
500 do_test_iouring(mem, size, false);
503 static void test_iouring_fork(char *mem, size_t size)
505 do_test_iouring(mem, size, true);
508 #endif /* LOCAL_CONFIG_HAVE_LIBURING */
513 RO_PIN_TEST_PREVIOUSLY_SHARED,
514 RO_PIN_TEST_RO_EXCLUSIVE,
517 static void do_test_ro_pin(char *mem, size_t size, enum ro_pin_test test,
520 struct pin_longterm_test args;
521 struct comm_pipes comm_pipes;
527 ksft_test_result_skip("gup_test not available\n");
533 ksft_test_result_fail("malloc() failed\n");
537 ret = setup_comm_pipes(&comm_pipes);
539 ksft_test_result_fail("pipe() failed\n");
546 case RO_PIN_TEST_SHARED:
547 case RO_PIN_TEST_PREVIOUSLY_SHARED:
549 * Share the pages with our child. As the pages are not pinned,
550 * this should just work.
554 ksft_test_result_fail("fork() failed\n");
555 goto close_comm_pipes;
557 write(comm_pipes.child_ready[1], "0", 1);
558 while (read(comm_pipes.parent_ready[0], &buf, 1) != 1)
563 /* Wait until our child is ready. */
564 while (read(comm_pipes.child_ready[0], &buf, 1) != 1)
567 if (test == RO_PIN_TEST_PREVIOUSLY_SHARED) {
569 * Tell the child to quit now and wait until it quit.
570 * The pages should now be mapped R/O into our page
571 * tables, but they are no longer shared.
573 write(comm_pipes.parent_ready[1], "0", 1);
576 ksft_print_msg("[INFO] wait() failed\n");
579 case RO_PIN_TEST_RO_EXCLUSIVE:
581 * Map the page R/O into the page table. Enable softdirty
582 * tracking to stop the page from getting mapped R/W immediately
583 * again by mprotect() optimizations. Note that we don't have an
584 * easy way to test if that worked (the pagemap does not export
585 * if the page is mapped R/O vs. R/W).
587 ret = mprotect(mem, size, PROT_READ);
589 ret |= mprotect(mem, size, PROT_READ | PROT_WRITE);
591 ksft_test_result_fail("mprotect() failed\n");
592 goto close_comm_pipes;
599 /* Take a R/O pin. This should trigger unsharing. */
600 args.addr = (__u64)(uintptr_t)mem;
602 args.flags = fast ? PIN_LONGTERM_TEST_FLAG_USE_FAST : 0;
603 ret = ioctl(gup_fd, PIN_LONGTERM_TEST_START, &args);
606 ksft_test_result_skip("PIN_LONGTERM_TEST_START failed\n");
608 ksft_test_result_fail("PIN_LONGTERM_TEST_START failed\n");
612 /* Modify the page. */
613 memset(mem, 0xff, size);
616 * Read back the content via the pin to the temporary buffer and
617 * test if we observed the modification.
619 tmp_val = (__u64)(uintptr_t)tmp;
620 ret = ioctl(gup_fd, PIN_LONGTERM_TEST_READ, &tmp_val);
622 ksft_test_result_fail("PIN_LONGTERM_TEST_READ failed\n");
624 ksft_test_result(!memcmp(mem, tmp, size),
625 "Longterm R/O pin is reliable\n");
627 ret = ioctl(gup_fd, PIN_LONGTERM_TEST_STOP);
629 ksft_print_msg("[INFO] PIN_LONGTERM_TEST_STOP failed\n");
632 case RO_PIN_TEST_SHARED:
633 write(comm_pipes.parent_ready[1], "0", 1);
636 ksft_print_msg("[INFO] wait() failed\n");
642 close_comm_pipes(&comm_pipes);
647 static void test_ro_pin_on_shared(char *mem, size_t size)
649 do_test_ro_pin(mem, size, RO_PIN_TEST_SHARED, false);
652 static void test_ro_fast_pin_on_shared(char *mem, size_t size)
654 do_test_ro_pin(mem, size, RO_PIN_TEST_SHARED, true);
657 static void test_ro_pin_on_ro_previously_shared(char *mem, size_t size)
659 do_test_ro_pin(mem, size, RO_PIN_TEST_PREVIOUSLY_SHARED, false);
662 static void test_ro_fast_pin_on_ro_previously_shared(char *mem, size_t size)
664 do_test_ro_pin(mem, size, RO_PIN_TEST_PREVIOUSLY_SHARED, true);
667 static void test_ro_pin_on_ro_exclusive(char *mem, size_t size)
669 do_test_ro_pin(mem, size, RO_PIN_TEST_RO_EXCLUSIVE, false);
672 static void test_ro_fast_pin_on_ro_exclusive(char *mem, size_t size)
674 do_test_ro_pin(mem, size, RO_PIN_TEST_RO_EXCLUSIVE, true);
677 typedef void (*test_fn)(char *mem, size_t size);
679 static void do_run_with_base_page(test_fn fn, bool swapout)
684 mem = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
685 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
686 if (mem == MAP_FAILED) {
687 ksft_test_result_fail("mmap() failed\n");
691 ret = madvise(mem, pagesize, MADV_NOHUGEPAGE);
692 /* Ignore if not around on a kernel. */
693 if (ret && errno != EINVAL) {
694 ksft_test_result_fail("MADV_NOHUGEPAGE failed\n");
698 /* Populate a base page. */
699 memset(mem, 0, pagesize);
702 madvise(mem, pagesize, MADV_PAGEOUT);
703 if (!pagemap_is_swapped(pagemap_fd, mem)) {
704 ksft_test_result_skip("MADV_PAGEOUT did not work, is swap enabled?\n");
711 munmap(mem, pagesize);
714 static void run_with_base_page(test_fn fn, const char *desc)
716 ksft_print_msg("[RUN] %s ... with base page\n", desc);
717 do_run_with_base_page(fn, false);
720 static void run_with_base_page_swap(test_fn fn, const char *desc)
722 ksft_print_msg("[RUN] %s ... with swapped out base page\n", desc);
723 do_run_with_base_page(fn, true);
732 THP_RUN_SINGLE_PTE_SWAPOUT,
733 THP_RUN_PARTIAL_MREMAP,
734 THP_RUN_PARTIAL_SHARED,
737 static void do_run_with_thp(test_fn fn, enum thp_run thp_run)
739 char *mem, *mmap_mem, *tmp, *mremap_mem = MAP_FAILED;
740 size_t size, mmap_size, mremap_size;
743 /* For alignment purposes, we need twice the thp size. */
744 mmap_size = 2 * thpsize;
745 mmap_mem = mmap(NULL, mmap_size, PROT_READ | PROT_WRITE,
746 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
747 if (mmap_mem == MAP_FAILED) {
748 ksft_test_result_fail("mmap() failed\n");
752 /* We need a THP-aligned memory area. */
753 mem = (char *)(((uintptr_t)mmap_mem + thpsize) & ~(thpsize - 1));
755 ret = madvise(mem, thpsize, MADV_HUGEPAGE);
757 ksft_test_result_fail("MADV_HUGEPAGE failed\n");
762 * Try to populate a THP. Touch the first sub-page and test if we get
763 * another sub-page populated automatically.
766 if (!pagemap_is_populated(pagemap_fd, mem + pagesize)) {
767 ksft_test_result_skip("Did not get a THP populated\n");
770 memset(mem, 0, thpsize);
775 case THP_RUN_PMD_SWAPOUT:
778 case THP_RUN_PTE_SWAPOUT:
780 * Trigger PTE-mapping the THP by temporarily mapping a single
783 ret = mprotect(mem + pagesize, pagesize, PROT_READ);
785 ksft_test_result_fail("mprotect() failed\n");
788 ret = mprotect(mem + pagesize, pagesize, PROT_READ | PROT_WRITE);
790 ksft_test_result_fail("mprotect() failed\n");
794 case THP_RUN_SINGLE_PTE:
795 case THP_RUN_SINGLE_PTE_SWAPOUT:
797 * Discard all but a single subpage of that PTE-mapped THP. What
798 * remains is a single PTE mapping a single subpage.
800 ret = madvise(mem + pagesize, thpsize - pagesize, MADV_DONTNEED);
802 ksft_test_result_fail("MADV_DONTNEED failed\n");
807 case THP_RUN_PARTIAL_MREMAP:
809 * Remap half of the THP. We need some new memory location
812 mremap_size = thpsize / 2;
813 mremap_mem = mmap(NULL, mremap_size, PROT_NONE,
814 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
815 if (mem == MAP_FAILED) {
816 ksft_test_result_fail("mmap() failed\n");
819 tmp = mremap(mem + mremap_size, mremap_size, mremap_size,
820 MREMAP_MAYMOVE | MREMAP_FIXED, mremap_mem);
821 if (tmp != mremap_mem) {
822 ksft_test_result_fail("mremap() failed\n");
827 case THP_RUN_PARTIAL_SHARED:
829 * Share the first page of the THP with a child and quit the
830 * child. This will result in some parts of the THP never
833 ret = madvise(mem + pagesize, thpsize - pagesize, MADV_DONTFORK);
835 ksft_test_result_fail("MADV_DONTFORK failed\n");
840 ksft_test_result_fail("fork() failed\n");
846 /* Allow for sharing all pages again. */
847 ret = madvise(mem + pagesize, thpsize - pagesize, MADV_DOFORK);
849 ksft_test_result_fail("MADV_DOFORK failed\n");
858 case THP_RUN_PMD_SWAPOUT:
859 case THP_RUN_PTE_SWAPOUT:
860 case THP_RUN_SINGLE_PTE_SWAPOUT:
861 madvise(mem, size, MADV_PAGEOUT);
862 if (!range_is_swapped(mem, size)) {
863 ksft_test_result_skip("MADV_PAGEOUT did not work, is swap enabled?\n");
873 munmap(mmap_mem, mmap_size);
874 if (mremap_mem != MAP_FAILED)
875 munmap(mremap_mem, mremap_size);
878 static void run_with_thp(test_fn fn, const char *desc)
880 ksft_print_msg("[RUN] %s ... with THP\n", desc);
881 do_run_with_thp(fn, THP_RUN_PMD);
884 static void run_with_thp_swap(test_fn fn, const char *desc)
886 ksft_print_msg("[RUN] %s ... with swapped-out THP\n", desc);
887 do_run_with_thp(fn, THP_RUN_PMD_SWAPOUT);
890 static void run_with_pte_mapped_thp(test_fn fn, const char *desc)
892 ksft_print_msg("[RUN] %s ... with PTE-mapped THP\n", desc);
893 do_run_with_thp(fn, THP_RUN_PTE);
896 static void run_with_pte_mapped_thp_swap(test_fn fn, const char *desc)
898 ksft_print_msg("[RUN] %s ... with swapped-out, PTE-mapped THP\n", desc);
899 do_run_with_thp(fn, THP_RUN_PTE_SWAPOUT);
902 static void run_with_single_pte_of_thp(test_fn fn, const char *desc)
904 ksft_print_msg("[RUN] %s ... with single PTE of THP\n", desc);
905 do_run_with_thp(fn, THP_RUN_SINGLE_PTE);
908 static void run_with_single_pte_of_thp_swap(test_fn fn, const char *desc)
910 ksft_print_msg("[RUN] %s ... with single PTE of swapped-out THP\n", desc);
911 do_run_with_thp(fn, THP_RUN_SINGLE_PTE_SWAPOUT);
914 static void run_with_partial_mremap_thp(test_fn fn, const char *desc)
916 ksft_print_msg("[RUN] %s ... with partially mremap()'ed THP\n", desc);
917 do_run_with_thp(fn, THP_RUN_PARTIAL_MREMAP);
920 static void run_with_partial_shared_thp(test_fn fn, const char *desc)
922 ksft_print_msg("[RUN] %s ... with partially shared THP\n", desc);
923 do_run_with_thp(fn, THP_RUN_PARTIAL_SHARED);
926 static void run_with_hugetlb(test_fn fn, const char *desc, size_t hugetlbsize)
928 int flags = MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB;
931 ksft_print_msg("[RUN] %s ... with hugetlb (%zu kB)\n", desc,
934 flags |= __builtin_ctzll(hugetlbsize) << MAP_HUGE_SHIFT;
936 mem = mmap(NULL, hugetlbsize, PROT_READ | PROT_WRITE, flags, -1, 0);
937 if (mem == MAP_FAILED) {
938 ksft_test_result_skip("need more free huge pages\n");
942 /* Populate an huge page. */
943 memset(mem, 0, hugetlbsize);
946 * We need a total of two hugetlb pages to handle COW/unsharing
947 * properly, otherwise we might get zapped by a SIGBUS.
949 dummy = mmap(NULL, hugetlbsize, PROT_READ | PROT_WRITE, flags, -1, 0);
950 if (dummy == MAP_FAILED) {
951 ksft_test_result_skip("need more free huge pages\n");
954 munmap(dummy, hugetlbsize);
956 fn(mem, hugetlbsize);
958 munmap(mem, hugetlbsize);
967 * Test cases that are specific to anonymous pages: pages in private mappings
968 * that may get shared via COW during fork().
970 static const struct test_case anon_test_cases[] = {
972 * Basic COW tests for fork() without any GUP. If we miss to break COW,
973 * either the child can observe modifications by the parent or the
977 "Basic COW after fork()",
981 * Basic test, but do an additional mprotect(PROT_READ)+
982 * mprotect(PROT_READ|PROT_WRITE) in the parent before write access.
985 "Basic COW after fork() with mprotect() optimization",
986 test_cow_in_parent_mprotect,
989 * vmsplice() [R/O GUP] + unmap in the child; modify in the parent. If
990 * we miss to break COW, the child observes modifications by the parent.
991 * This is CVE-2020-29374 reported by Jann Horn.
994 "vmsplice() + unmap in child",
995 test_vmsplice_in_child
998 * vmsplice() test, but do an additional mprotect(PROT_READ)+
999 * mprotect(PROT_READ|PROT_WRITE) in the parent before write access.
1002 "vmsplice() + unmap in child with mprotect() optimization",
1003 test_vmsplice_in_child_mprotect
1006 * vmsplice() [R/O GUP] in parent before fork(), unmap in parent after
1007 * fork(); modify in the child. If we miss to break COW, the parent
1008 * observes modifications by the child.
1011 "vmsplice() before fork(), unmap in parent after fork()",
1012 test_vmsplice_before_fork,
1015 * vmsplice() [R/O GUP] + unmap in parent after fork(); modify in the
1016 * child. If we miss to break COW, the parent observes modifications by
1020 "vmsplice() + unmap in parent after fork()",
1021 test_vmsplice_after_fork,
1023 #ifdef LOCAL_CONFIG_HAVE_LIBURING
1025 * Take a R/W longterm pin and then map the page R/O into the page
1026 * table to trigger a write fault on next access. When modifying the
1027 * page, the page content must be visible via the pin.
1030 "R/O-mapping a page registered as iouring fixed buffer",
1034 * Take a R/W longterm pin and then fork() a child. When modifying the
1035 * page, the page content must be visible via the pin. We expect the
1036 * pinned page to not get shared with the child.
1039 "fork() with an iouring fixed buffer",
1043 #endif /* LOCAL_CONFIG_HAVE_LIBURING */
1045 * Take a R/O longterm pin on a R/O-mapped shared anonymous page.
1046 * When modifying the page via the page table, the page content change
1047 * must be visible via the pin.
1050 "R/O GUP pin on R/O-mapped shared page",
1051 test_ro_pin_on_shared,
1053 /* Same as above, but using GUP-fast. */
1055 "R/O GUP-fast pin on R/O-mapped shared page",
1056 test_ro_fast_pin_on_shared,
1059 * Take a R/O longterm pin on a R/O-mapped exclusive anonymous page that
1060 * was previously shared. When modifying the page via the page table,
1061 * the page content change must be visible via the pin.
1064 "R/O GUP pin on R/O-mapped previously-shared page",
1065 test_ro_pin_on_ro_previously_shared,
1067 /* Same as above, but using GUP-fast. */
1069 "R/O GUP-fast pin on R/O-mapped previously-shared page",
1070 test_ro_fast_pin_on_ro_previously_shared,
1073 * Take a R/O longterm pin on a R/O-mapped exclusive anonymous page.
1074 * When modifying the page via the page table, the page content change
1075 * must be visible via the pin.
1078 "R/O GUP pin on R/O-mapped exclusive page",
1079 test_ro_pin_on_ro_exclusive,
1081 /* Same as above, but using GUP-fast. */
1083 "R/O GUP-fast pin on R/O-mapped exclusive page",
1084 test_ro_fast_pin_on_ro_exclusive,
1088 static void run_anon_test_case(struct test_case const *test_case)
1092 run_with_base_page(test_case->fn, test_case->desc);
1093 run_with_base_page_swap(test_case->fn, test_case->desc);
1095 run_with_thp(test_case->fn, test_case->desc);
1096 run_with_thp_swap(test_case->fn, test_case->desc);
1097 run_with_pte_mapped_thp(test_case->fn, test_case->desc);
1098 run_with_pte_mapped_thp_swap(test_case->fn, test_case->desc);
1099 run_with_single_pte_of_thp(test_case->fn, test_case->desc);
1100 run_with_single_pte_of_thp_swap(test_case->fn, test_case->desc);
1101 run_with_partial_mremap_thp(test_case->fn, test_case->desc);
1102 run_with_partial_shared_thp(test_case->fn, test_case->desc);
1104 for (i = 0; i < nr_hugetlbsizes; i++)
1105 run_with_hugetlb(test_case->fn, test_case->desc,
1109 static void run_anon_test_cases(void)
1113 ksft_print_msg("[INFO] Anonymous memory tests in private mappings\n");
1115 for (i = 0; i < ARRAY_SIZE(anon_test_cases); i++)
1116 run_anon_test_case(&anon_test_cases[i]);
1119 static int tests_per_anon_test_case(void)
1121 int tests = 2 + nr_hugetlbsizes;
1128 enum anon_thp_collapse_test {
1129 ANON_THP_COLLAPSE_UNSHARED,
1130 ANON_THP_COLLAPSE_FULLY_SHARED,
1131 ANON_THP_COLLAPSE_LOWER_SHARED,
1132 ANON_THP_COLLAPSE_UPPER_SHARED,
1135 static void do_test_anon_thp_collapse(char *mem, size_t size,
1136 enum anon_thp_collapse_test test)
1138 struct comm_pipes comm_pipes;
1142 ret = setup_comm_pipes(&comm_pipes);
1144 ksft_test_result_fail("pipe() failed\n");
1149 * Trigger PTE-mapping the THP by temporarily mapping a single subpage
1150 * R/O, such that we can try collapsing it later.
1152 ret = mprotect(mem + pagesize, pagesize, PROT_READ);
1154 ksft_test_result_fail("mprotect() failed\n");
1155 goto close_comm_pipes;
1157 ret = mprotect(mem + pagesize, pagesize, PROT_READ | PROT_WRITE);
1159 ksft_test_result_fail("mprotect() failed\n");
1160 goto close_comm_pipes;
1164 case ANON_THP_COLLAPSE_UNSHARED:
1165 /* Collapse before actually COW-sharing the page. */
1166 ret = madvise(mem, size, MADV_COLLAPSE);
1168 ksft_test_result_skip("MADV_COLLAPSE failed: %s\n",
1170 goto close_comm_pipes;
1173 case ANON_THP_COLLAPSE_FULLY_SHARED:
1174 /* COW-share the full PTE-mapped THP. */
1176 case ANON_THP_COLLAPSE_LOWER_SHARED:
1177 /* Don't COW-share the upper part of the THP. */
1178 ret = madvise(mem + size / 2, size / 2, MADV_DONTFORK);
1180 ksft_test_result_fail("MADV_DONTFORK failed\n");
1181 goto close_comm_pipes;
1184 case ANON_THP_COLLAPSE_UPPER_SHARED:
1185 /* Don't COW-share the lower part of the THP. */
1186 ret = madvise(mem, size / 2, MADV_DONTFORK);
1188 ksft_test_result_fail("MADV_DONTFORK failed\n");
1189 goto close_comm_pipes;
1198 ksft_test_result_fail("fork() failed\n");
1199 goto close_comm_pipes;
1202 case ANON_THP_COLLAPSE_UNSHARED:
1203 case ANON_THP_COLLAPSE_FULLY_SHARED:
1204 exit(child_memcmp_fn(mem, size, &comm_pipes));
1206 case ANON_THP_COLLAPSE_LOWER_SHARED:
1207 exit(child_memcmp_fn(mem, size / 2, &comm_pipes));
1209 case ANON_THP_COLLAPSE_UPPER_SHARED:
1210 exit(child_memcmp_fn(mem + size / 2, size / 2,
1218 while (read(comm_pipes.child_ready[0], &buf, 1) != 1)
1222 case ANON_THP_COLLAPSE_UNSHARED:
1224 case ANON_THP_COLLAPSE_UPPER_SHARED:
1225 case ANON_THP_COLLAPSE_LOWER_SHARED:
1227 * Revert MADV_DONTFORK such that we merge the VMAs and are
1228 * able to actually collapse.
1230 ret = madvise(mem, size, MADV_DOFORK);
1232 ksft_test_result_fail("MADV_DOFORK failed\n");
1233 write(comm_pipes.parent_ready[1], "0", 1);
1235 goto close_comm_pipes;
1238 case ANON_THP_COLLAPSE_FULLY_SHARED:
1239 /* Collapse before anyone modified the COW-shared page. */
1240 ret = madvise(mem, size, MADV_COLLAPSE);
1242 ksft_test_result_skip("MADV_COLLAPSE failed: %s\n",
1244 write(comm_pipes.parent_ready[1], "0", 1);
1246 goto close_comm_pipes;
1253 /* Modify the page. */
1254 memset(mem, 0xff, size);
1255 write(comm_pipes.parent_ready[1], "0", 1);
1259 ret = WEXITSTATUS(ret);
1263 ksft_test_result(!ret, "No leak from parent into child\n");
1265 close_comm_pipes(&comm_pipes);
1268 static void test_anon_thp_collapse_unshared(char *mem, size_t size)
1270 do_test_anon_thp_collapse(mem, size, ANON_THP_COLLAPSE_UNSHARED);
1273 static void test_anon_thp_collapse_fully_shared(char *mem, size_t size)
1275 do_test_anon_thp_collapse(mem, size, ANON_THP_COLLAPSE_FULLY_SHARED);
1278 static void test_anon_thp_collapse_lower_shared(char *mem, size_t size)
1280 do_test_anon_thp_collapse(mem, size, ANON_THP_COLLAPSE_LOWER_SHARED);
1283 static void test_anon_thp_collapse_upper_shared(char *mem, size_t size)
1285 do_test_anon_thp_collapse(mem, size, ANON_THP_COLLAPSE_UPPER_SHARED);
1289 * Test cases that are specific to anonymous THP: pages in private mappings
1290 * that may get shared via COW during fork().
1292 static const struct test_case anon_thp_test_cases[] = {
1294 * Basic COW test for fork() without any GUP when collapsing a THP
1297 * Re-mapping a PTE-mapped anon THP using a single PMD ("in-place
1298 * collapse") might easily get COW handling wrong when not collapsing
1299 * exclusivity information properly.
1302 "Basic COW after fork() when collapsing before fork()",
1303 test_anon_thp_collapse_unshared,
1305 /* Basic COW test, but collapse after COW-sharing a full THP. */
1307 "Basic COW after fork() when collapsing after fork() (fully shared)",
1308 test_anon_thp_collapse_fully_shared,
1311 * Basic COW test, but collapse after COW-sharing the lower half of a
1315 "Basic COW after fork() when collapsing after fork() (lower shared)",
1316 test_anon_thp_collapse_lower_shared,
1319 * Basic COW test, but collapse after COW-sharing the upper half of a
1323 "Basic COW after fork() when collapsing after fork() (upper shared)",
1324 test_anon_thp_collapse_upper_shared,
1328 static void run_anon_thp_test_cases(void)
1335 ksft_print_msg("[INFO] Anonymous THP tests\n");
1337 for (i = 0; i < ARRAY_SIZE(anon_thp_test_cases); i++) {
1338 struct test_case const *test_case = &anon_thp_test_cases[i];
1340 ksft_print_msg("[RUN] %s\n", test_case->desc);
1341 do_run_with_thp(test_case->fn, THP_RUN_PMD);
1345 static int tests_per_anon_thp_test_case(void)
1347 return thpsize ? 1 : 0;
1350 typedef void (*non_anon_test_fn)(char *mem, const char *smem, size_t size);
1352 static void test_cow(char *mem, const char *smem, size_t size)
1354 char *old = malloc(size);
1356 /* Backup the original content. */
1357 memcpy(old, smem, size);
1359 /* Modify the page. */
1360 memset(mem, 0xff, size);
1362 /* See if we still read the old values via the other mapping. */
1363 ksft_test_result(!memcmp(smem, old, size),
1364 "Other mapping not modified\n");
1368 static void test_ro_pin(char *mem, const char *smem, size_t size)
1370 do_test_ro_pin(mem, size, RO_PIN_TEST, false);
1373 static void test_ro_fast_pin(char *mem, const char *smem, size_t size)
1375 do_test_ro_pin(mem, size, RO_PIN_TEST, true);
1378 static void run_with_zeropage(non_anon_test_fn fn, const char *desc)
1380 char *mem, *smem, tmp;
1382 ksft_print_msg("[RUN] %s ... with shared zeropage\n", desc);
1384 mem = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
1385 MAP_PRIVATE | MAP_ANON, -1, 0);
1386 if (mem == MAP_FAILED) {
1387 ksft_test_result_fail("mmap() failed\n");
1391 smem = mmap(NULL, pagesize, PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
1392 if (mem == MAP_FAILED) {
1393 ksft_test_result_fail("mmap() failed\n");
1397 /* Read from the page to populate the shared zeropage. */
1399 asm volatile("" : "+r" (tmp));
1401 fn(mem, smem, pagesize);
1403 munmap(mem, pagesize);
1404 if (smem != MAP_FAILED)
1405 munmap(smem, pagesize);
1408 static void run_with_huge_zeropage(non_anon_test_fn fn, const char *desc)
1410 char *mem, *smem, *mmap_mem, *mmap_smem, tmp;
1414 ksft_print_msg("[RUN] %s ... with huge zeropage\n", desc);
1416 if (!has_huge_zeropage) {
1417 ksft_test_result_skip("Huge zeropage not enabled\n");
1421 /* For alignment purposes, we need twice the thp size. */
1422 mmap_size = 2 * thpsize;
1423 mmap_mem = mmap(NULL, mmap_size, PROT_READ | PROT_WRITE,
1424 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
1425 if (mmap_mem == MAP_FAILED) {
1426 ksft_test_result_fail("mmap() failed\n");
1429 mmap_smem = mmap(NULL, mmap_size, PROT_READ,
1430 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
1431 if (mmap_smem == MAP_FAILED) {
1432 ksft_test_result_fail("mmap() failed\n");
1436 /* We need a THP-aligned memory area. */
1437 mem = (char *)(((uintptr_t)mmap_mem + thpsize) & ~(thpsize - 1));
1438 smem = (char *)(((uintptr_t)mmap_smem + thpsize) & ~(thpsize - 1));
1440 ret = madvise(mem, thpsize, MADV_HUGEPAGE);
1441 ret |= madvise(smem, thpsize, MADV_HUGEPAGE);
1443 ksft_test_result_fail("MADV_HUGEPAGE failed\n");
1448 * Read from the memory to populate the huge shared zeropage. Read from
1449 * the first sub-page and test if we get another sub-page populated
1453 asm volatile("" : "+r" (tmp));
1454 if (!pagemap_is_populated(pagemap_fd, mem + pagesize) ||
1455 !pagemap_is_populated(pagemap_fd, smem + pagesize)) {
1456 ksft_test_result_skip("Did not get THPs populated\n");
1460 fn(mem, smem, thpsize);
1462 munmap(mmap_mem, mmap_size);
1463 if (mmap_smem != MAP_FAILED)
1464 munmap(mmap_smem, mmap_size);
1467 static void run_with_memfd(non_anon_test_fn fn, const char *desc)
1469 char *mem, *smem, tmp;
1472 ksft_print_msg("[RUN] %s ... with memfd\n", desc);
1474 fd = memfd_create("test", 0);
1476 ksft_test_result_fail("memfd_create() failed\n");
1480 /* File consists of a single page filled with zeroes. */
1481 if (fallocate(fd, 0, 0, pagesize)) {
1482 ksft_test_result_fail("fallocate() failed\n");
1486 /* Create a private mapping of the memfd. */
1487 mem = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
1488 if (mem == MAP_FAILED) {
1489 ksft_test_result_fail("mmap() failed\n");
1492 smem = mmap(NULL, pagesize, PROT_READ, MAP_SHARED, fd, 0);
1493 if (mem == MAP_FAILED) {
1494 ksft_test_result_fail("mmap() failed\n");
1498 /* Fault the page in. */
1500 asm volatile("" : "+r" (tmp));
1502 fn(mem, smem, pagesize);
1504 munmap(mem, pagesize);
1505 if (smem != MAP_FAILED)
1506 munmap(smem, pagesize);
1511 static void run_with_tmpfile(non_anon_test_fn fn, const char *desc)
1513 char *mem, *smem, tmp;
1517 ksft_print_msg("[RUN] %s ... with tmpfile\n", desc);
1521 ksft_test_result_fail("tmpfile() failed\n");
1527 ksft_test_result_skip("fileno() failed\n");
1531 /* File consists of a single page filled with zeroes. */
1532 if (fallocate(fd, 0, 0, pagesize)) {
1533 ksft_test_result_fail("fallocate() failed\n");
1537 /* Create a private mapping of the memfd. */
1538 mem = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
1539 if (mem == MAP_FAILED) {
1540 ksft_test_result_fail("mmap() failed\n");
1543 smem = mmap(NULL, pagesize, PROT_READ, MAP_SHARED, fd, 0);
1544 if (mem == MAP_FAILED) {
1545 ksft_test_result_fail("mmap() failed\n");
1549 /* Fault the page in. */
1551 asm volatile("" : "+r" (tmp));
1553 fn(mem, smem, pagesize);
1555 munmap(mem, pagesize);
1556 if (smem != MAP_FAILED)
1557 munmap(smem, pagesize);
1562 static void run_with_memfd_hugetlb(non_anon_test_fn fn, const char *desc,
1565 int flags = MFD_HUGETLB;
1566 char *mem, *smem, tmp;
1569 ksft_print_msg("[RUN] %s ... with memfd hugetlb (%zu kB)\n", desc,
1570 hugetlbsize / 1024);
1572 flags |= __builtin_ctzll(hugetlbsize) << MFD_HUGE_SHIFT;
1574 fd = memfd_create("test", flags);
1576 ksft_test_result_skip("memfd_create() failed\n");
1580 /* File consists of a single page filled with zeroes. */
1581 if (fallocate(fd, 0, 0, hugetlbsize)) {
1582 ksft_test_result_skip("need more free huge pages\n");
1586 /* Create a private mapping of the memfd. */
1587 mem = mmap(NULL, hugetlbsize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd,
1589 if (mem == MAP_FAILED) {
1590 ksft_test_result_skip("need more free huge pages\n");
1593 smem = mmap(NULL, hugetlbsize, PROT_READ, MAP_SHARED, fd, 0);
1594 if (mem == MAP_FAILED) {
1595 ksft_test_result_fail("mmap() failed\n");
1599 /* Fault the page in. */
1601 asm volatile("" : "+r" (tmp));
1603 fn(mem, smem, hugetlbsize);
1605 munmap(mem, hugetlbsize);
1606 if (mem != MAP_FAILED)
1607 munmap(smem, hugetlbsize);
1612 struct non_anon_test_case {
1614 non_anon_test_fn fn;
1618 * Test cases that target any pages in private mappings that are not anonymous:
1619 * pages that may get shared via COW ndependent of fork(). This includes
1620 * the shared zeropage(s), pagecache pages, ...
1622 static const struct non_anon_test_case non_anon_test_cases[] = {
1624 * Basic COW test without any GUP. If we miss to break COW, changes are
1625 * visible via other private/shared mappings.
1632 * Take a R/O longterm pin. When modifying the page via the page table,
1633 * the page content change must be visible via the pin.
1636 "R/O longterm GUP pin",
1639 /* Same as above, but using GUP-fast. */
1641 "R/O longterm GUP-fast pin",
1646 static void run_non_anon_test_case(struct non_anon_test_case const *test_case)
1650 run_with_zeropage(test_case->fn, test_case->desc);
1651 run_with_memfd(test_case->fn, test_case->desc);
1652 run_with_tmpfile(test_case->fn, test_case->desc);
1654 run_with_huge_zeropage(test_case->fn, test_case->desc);
1655 for (i = 0; i < nr_hugetlbsizes; i++)
1656 run_with_memfd_hugetlb(test_case->fn, test_case->desc,
1660 static void run_non_anon_test_cases(void)
1664 ksft_print_msg("[RUN] Non-anonymous memory tests in private mappings\n");
1666 for (i = 0; i < ARRAY_SIZE(non_anon_test_cases); i++)
1667 run_non_anon_test_case(&non_anon_test_cases[i]);
1670 static int tests_per_non_anon_test_case(void)
1672 int tests = 3 + nr_hugetlbsizes;
1679 int main(int argc, char **argv)
1683 ksft_print_header();
1685 pagesize = getpagesize();
1686 thpsize = read_pmd_pagesize();
1688 ksft_print_msg("[INFO] detected THP size: %zu KiB\n",
1690 nr_hugetlbsizes = detect_hugetlb_page_sizes(hugetlbsizes,
1691 ARRAY_SIZE(hugetlbsizes));
1692 detect_huge_zeropage();
1694 ksft_set_plan(ARRAY_SIZE(anon_test_cases) * tests_per_anon_test_case() +
1695 ARRAY_SIZE(anon_thp_test_cases) * tests_per_anon_thp_test_case() +
1696 ARRAY_SIZE(non_anon_test_cases) * tests_per_non_anon_test_case());
1698 gup_fd = open("/sys/kernel/debug/gup_test", O_RDWR);
1699 pagemap_fd = open("/proc/self/pagemap", O_RDONLY);
1701 ksft_exit_fail_msg("opening pagemap failed\n");
1703 run_anon_test_cases();
1704 run_anon_thp_test_cases();
1705 run_non_anon_test_cases();
1707 err = ksft_get_fail_cnt();
1709 ksft_exit_fail_msg("%d out of %d tests failed\n",
1710 err, ksft_test_num());
1711 return ksft_exit_pass();
projects / platform / kernel / linux-starfive.git / blob