|  | // SPDX-License-Identifier: GPL-2.0 | 
|  | /* | 
|  | * Copyright 2018, Breno Leitao, IBM Corp. | 
|  | * Licensed under GPLv2. | 
|  | * | 
|  | * Sigfuz(tm): A PowerPC TM-aware signal fuzzer. | 
|  | * | 
|  | * This is a new selftest that raises SIGUSR1 signals and handles it in a set | 
|  | * of different ways, trying to create different scenario for testing | 
|  | * purpose. | 
|  | * | 
|  | * This test works raising a signal and calling sigreturn interleaved with | 
|  | * TM operations, as starting, suspending and terminating a transaction. The | 
|  | * test depends on random numbers, and, based on them, it sets different TM | 
|  | * states. | 
|  | * | 
|  | * Other than that, the test fills out the user context struct that is passed | 
|  | * to the sigreturn system call with random data, in order to make sure that | 
|  | * the signal handler syscall can handle different and invalid states | 
|  | * properly. | 
|  | * | 
|  | * This selftest has command line parameters to control what kind of tests the | 
|  | * user wants to run, as for example, if a transaction should be started prior | 
|  | * to signal being raised, or, after the signal being raised and before the | 
|  | * sigreturn. If no parameter is given, the default is enabling all options. | 
|  | * | 
|  | * This test does not check if the user context is being read and set | 
|  | * properly by the kernel. Its purpose, at this time, is basically | 
|  | * guaranteeing that the kernel does not crash on invalid scenarios. | 
|  | */ | 
|  |  | 
|  | #include <stdio.h> | 
|  | #include <limits.h> | 
|  | #include <sys/wait.h> | 
|  | #include <unistd.h> | 
|  | #include <stdlib.h> | 
|  | #include <signal.h> | 
|  | #include <string.h> | 
|  | #include <ucontext.h> | 
|  | #include <sys/mman.h> | 
|  | #include <pthread.h> | 
|  | #include "utils.h" | 
|  |  | 
|  | /* Selftest defaults */ | 
|  | #define COUNT_MAX	600		/* Number of interactions */ | 
|  | #define THREADS		16		/* Number of threads */ | 
|  |  | 
|  | /* Arguments options */ | 
|  | #define ARG_MESS_WITH_TM_AT	0x1 | 
|  | #define ARG_MESS_WITH_TM_BEFORE	0x2 | 
|  | #define ARG_MESS_WITH_MSR_AT	0x4 | 
|  | #define ARG_FOREVER		0x10 | 
|  | #define ARG_COMPLETE		(ARG_MESS_WITH_TM_AT |		\ | 
|  | ARG_MESS_WITH_TM_BEFORE |	\ | 
|  | ARG_MESS_WITH_MSR_AT) | 
|  |  | 
|  | static int args; | 
|  | static int nthread = THREADS; | 
|  | static int count_max = COUNT_MAX; | 
|  |  | 
|  | /* checkpoint context */ | 
|  | static ucontext_t *tmp_uc; | 
|  |  | 
|  | /* Return true with 1/x probability */ | 
|  | static int one_in_chance(int x) | 
|  | { | 
|  | return rand() % x == 0; | 
|  | } | 
|  |  | 
|  | /* Change TM states */ | 
|  | static void mess_with_tm(void) | 
|  | { | 
|  | /* Starts a transaction 33% of the time */ | 
|  | if (one_in_chance(3)) { | 
|  | asm ("tbegin.	;" | 
|  | "beq 8	;"); | 
|  |  | 
|  | /* And suspended half of them */ | 
|  | if (one_in_chance(2)) | 
|  | asm("tsuspend.	;"); | 
|  | } | 
|  |  | 
|  | /* Call 'tend' in 5% of the runs */ | 
|  | if (one_in_chance(20)) | 
|  | asm("tend.	;"); | 
|  | } | 
|  |  | 
|  | /* Signal handler that will be invoked with raise() */ | 
|  | static void trap_signal_handler(int signo, siginfo_t *si, void *uc) | 
|  | { | 
|  | ucontext_t *ucp = uc; | 
|  |  | 
|  | ucp->uc_link = tmp_uc; | 
|  |  | 
|  | /* | 
|  | * Set uc_link in three possible ways: | 
|  | *  - Setting a single 'int' in the whole chunk | 
|  | *  - Cloning ucp into uc_link | 
|  | *  - Allocating a new memory chunk | 
|  | */ | 
|  | if (one_in_chance(3)) { | 
|  | memset(ucp->uc_link, rand(), sizeof(ucontext_t)); | 
|  | } else if (one_in_chance(2)) { | 
|  | memcpy(ucp->uc_link, uc, sizeof(ucontext_t)); | 
|  | } else if (one_in_chance(2)) { | 
|  | if (tmp_uc) { | 
|  | free(tmp_uc); | 
|  | tmp_uc = NULL; | 
|  | } | 
|  | tmp_uc = malloc(sizeof(ucontext_t)); | 
|  | ucp->uc_link = tmp_uc; | 
|  | /* Trying to cause a major page fault at Kernel level */ | 
|  | madvise(ucp->uc_link, sizeof(ucontext_t), MADV_DONTNEED); | 
|  | } | 
|  |  | 
|  | if (args & ARG_MESS_WITH_MSR_AT) { | 
|  | /* Changing the checkpointed registers */ | 
|  | if (one_in_chance(4)) { | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |= MSR_TS_S; | 
|  | } else { | 
|  | if (one_in_chance(2)) { | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |= | 
|  | MSR_TS_T; | 
|  | } else if (one_in_chance(2)) { | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |= | 
|  | MSR_TS_T | MSR_TS_S; | 
|  | } | 
|  | } | 
|  |  | 
|  | /* Checking the current register context */ | 
|  | if (one_in_chance(2)) { | 
|  | ucp->uc_mcontext.gp_regs[PT_MSR] |= MSR_TS_S; | 
|  | } else if (one_in_chance(2)) { | 
|  | if (one_in_chance(2)) | 
|  | ucp->uc_mcontext.gp_regs[PT_MSR] |= | 
|  | MSR_TS_T; | 
|  | else if (one_in_chance(2)) | 
|  | ucp->uc_mcontext.gp_regs[PT_MSR] |= | 
|  | MSR_TS_T | MSR_TS_S; | 
|  | } | 
|  | } | 
|  |  | 
|  | if (one_in_chance(20)) { | 
|  | /* Nested transaction start */ | 
|  | if (one_in_chance(5)) | 
|  | mess_with_tm(); | 
|  |  | 
|  | /* Return without changing any other context info */ | 
|  | return; | 
|  | } | 
|  |  | 
|  | if (one_in_chance(10)) | 
|  | ucp->uc_mcontext.gp_regs[PT_MSR] = random(); | 
|  | if (one_in_chance(10)) | 
|  | ucp->uc_mcontext.gp_regs[PT_NIP] = random(); | 
|  | if (one_in_chance(10)) | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] = random(); | 
|  | if (one_in_chance(10)) | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_NIP] = random(); | 
|  |  | 
|  | ucp->uc_mcontext.gp_regs[PT_TRAP] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_DSISR] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_DAR] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_ORIG_R3] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_XER] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_RESULT] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_SOFTE] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_DSCR] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_CTR] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_LNK] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_CCR] = random(); | 
|  | ucp->uc_mcontext.gp_regs[PT_REGS_COUNT] = random(); | 
|  |  | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_TRAP] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_DSISR] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_DAR] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_ORIG_R3] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_XER] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_RESULT] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_SOFTE] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_DSCR] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_CTR] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_LNK] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_CCR] = random(); | 
|  | ucp->uc_link->uc_mcontext.gp_regs[PT_REGS_COUNT] = random(); | 
|  |  | 
|  | if (args & ARG_MESS_WITH_TM_BEFORE) { | 
|  | if (one_in_chance(2)) | 
|  | mess_with_tm(); | 
|  | } | 
|  | } | 
|  |  | 
|  | static void seg_signal_handler(int signo, siginfo_t *si, void *uc) | 
|  | { | 
|  | /* Clear exit for process that segfaults */ | 
|  | exit(0); | 
|  | } | 
|  |  | 
|  | static void *sigfuz_test(void *thrid) | 
|  | { | 
|  | struct sigaction trap_sa, seg_sa; | 
|  | int ret, i = 0; | 
|  | pid_t t; | 
|  |  | 
|  | tmp_uc = malloc(sizeof(ucontext_t)); | 
|  |  | 
|  | /* Main signal handler */ | 
|  | trap_sa.sa_flags = SA_SIGINFO; | 
|  | trap_sa.sa_sigaction = trap_signal_handler; | 
|  |  | 
|  | /* SIGSEGV signal handler */ | 
|  | seg_sa.sa_flags = SA_SIGINFO; | 
|  | seg_sa.sa_sigaction = seg_signal_handler; | 
|  |  | 
|  | /* The signal handler will enable MSR_TS */ | 
|  | sigaction(SIGUSR1, &trap_sa, NULL); | 
|  |  | 
|  | /* If it does not crash, it will segfault, avoid it to retest */ | 
|  | sigaction(SIGSEGV, &seg_sa, NULL); | 
|  |  | 
|  | while (i < count_max) { | 
|  | t = fork(); | 
|  |  | 
|  | if (t == 0) { | 
|  | /* Once seed per process */ | 
|  | srand(time(NULL) + getpid()); | 
|  | if (args & ARG_MESS_WITH_TM_AT) { | 
|  | if (one_in_chance(2)) | 
|  | mess_with_tm(); | 
|  | } | 
|  | raise(SIGUSR1); | 
|  | exit(0); | 
|  | } else { | 
|  | waitpid(t, &ret, 0); | 
|  | } | 
|  | if (!(args & ARG_FOREVER)) | 
|  | i++; | 
|  | } | 
|  |  | 
|  | /* If not freed already, free now */ | 
|  | if (tmp_uc) { | 
|  | free(tmp_uc); | 
|  | tmp_uc = NULL; | 
|  | } | 
|  |  | 
|  | return NULL; | 
|  | } | 
|  |  | 
|  | static int signal_fuzzer(void) | 
|  | { | 
|  | int t, rc; | 
|  | pthread_t *threads; | 
|  |  | 
|  | threads = malloc(nthread * sizeof(pthread_t)); | 
|  |  | 
|  | for (t = 0; t < nthread; t++) { | 
|  | rc = pthread_create(&threads[t], NULL, sigfuz_test, | 
|  | (void *)&t); | 
|  | if (rc) | 
|  | perror("Thread creation error\n"); | 
|  | } | 
|  |  | 
|  | for (t = 0; t < nthread; t++) { | 
|  | rc = pthread_join(threads[t], NULL); | 
|  | if (rc) | 
|  | perror("Thread join error\n"); | 
|  | } | 
|  |  | 
|  | free(threads); | 
|  |  | 
|  | return EXIT_SUCCESS; | 
|  | } | 
|  |  | 
|  | static void show_help(char *name) | 
|  | { | 
|  | printf("%s: Sigfuzzer for powerpc\n", name); | 
|  | printf("Usage:\n"); | 
|  | printf("\t-b\t Mess with TM before raising a SIGUSR1 signal\n"); | 
|  | printf("\t-a\t Mess with TM after raising a SIGUSR1 signal\n"); | 
|  | printf("\t-m\t Mess with MSR[TS] bits at mcontext\n"); | 
|  | printf("\t-x\t Mess with everything above\n"); | 
|  | printf("\t-f\t Run forever (Press ^C to Quit)\n"); | 
|  | printf("\t-i\t Amount of interactions.	(Default = %d)\n", COUNT_MAX); | 
|  | printf("\t-t\t Amount of threads.	(Default = %d)\n", THREADS); | 
|  | exit(-1); | 
|  | } | 
|  |  | 
|  | int main(int argc, char **argv) | 
|  | { | 
|  | int opt; | 
|  |  | 
|  | while ((opt = getopt(argc, argv, "bamxt:fi:h")) != -1) { | 
|  | if (opt == 'b') { | 
|  | printf("Mess with TM before signal\n"); | 
|  | args |= ARG_MESS_WITH_TM_BEFORE; | 
|  | } else if (opt == 'a') { | 
|  | printf("Mess with TM at signal handler\n"); | 
|  | args |= ARG_MESS_WITH_TM_AT; | 
|  | } else if (opt == 'm') { | 
|  | printf("Mess with MSR[TS] bits in mcontext\n"); | 
|  | args |= ARG_MESS_WITH_MSR_AT; | 
|  | } else if (opt == 'x') { | 
|  | printf("Running with all options enabled\n"); | 
|  | args |= ARG_COMPLETE; | 
|  | } else if (opt == 't') { | 
|  | nthread = atoi(optarg); | 
|  | printf("Threads = %d\n", nthread); | 
|  | } else if (opt == 'f') { | 
|  | args |= ARG_FOREVER; | 
|  | printf("Press ^C to stop\n"); | 
|  | test_harness_set_timeout(-1); | 
|  | } else if (opt == 'i') { | 
|  | count_max = atoi(optarg); | 
|  | printf("Running for %d interactions\n", count_max); | 
|  | } else if (opt == 'h') { | 
|  | show_help(argv[0]); | 
|  | } | 
|  | } | 
|  |  | 
|  | /* Default test suite */ | 
|  | if (!args) | 
|  | args = ARG_COMPLETE; | 
|  |  | 
|  | test_harness(signal_fuzzer, "signal_fuzzer"); | 
|  | } |