From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <1d0bbc60-fda7-4c14-bf02-948bdbf8f029@linuxfoundation.org>
Date: Thu, 17 Oct 2024 15:24:49 -0600
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH 4/4] selftests/mm: add self tests for guard page feature
To: Lorenzo Stoakes, Andrew Morton
Cc: Suren Baghdasaryan, "Liam R. Howlett", Matthew Wilcox, Vlastimil Babka,
 "Paul E. McKenney", Jann Horn, David Hildenbrand, linux-mm@kvack.org,
 linux-kernel@vger.kernel.org, Muchun Song, Richard Henderson,
 Ivan Kokshaysky, Matt Turner, Thomas Bogendoerfer, "James E. J. Bottomley",
 Helge Deller, Chris Zankel, Max Filippov, Arnd Bergmann,
 linux-alpha@vger.kernel.org, linux-mips@vger.kernel.org,
 linux-parisc@vger.kernel.org, linux-arch@vger.kernel.org, Shuah Khan,
 Christian Brauner, linux-kselftest@vger.kernel.org, Sidhartha Kumar,
 Jeff Xu, Christoph Hellwig, Shuah Khan
Bottomley" , Helge Deller , Chris Zankel , Max Filippov , Arnd Bergmann , linux-alpha@vger.kernel.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, linux-arch@vger.kernel.org, Shuah Khan , Christian Brauner , linux-kselftest@vger.kernel.org, Sidhartha Kumar , Jeff Xu , Christoph Hellwig , Shuah Khan References: <8b1add3c511effb62d68183cae8a954d8339286c.1729196871.git.lorenzo.stoakes@oracle.com> Content-Language: en-US From: Shuah Khan In-Reply-To: <8b1add3c511effb62d68183cae8a954d8339286c.1729196871.git.lorenzo.stoakes@oracle.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Rspamd-Server: rspam12 X-Rspamd-Queue-Id: 614AF4001F X-Stat-Signature: nr1asi46gdqgjqfjpx7iqukiqq3boop9 X-Rspam-User: X-HE-Tag: 1729200279-874031 X-HE-Meta: U2FsdGVkX1/XV22d8k4M5ATpLswhzI3Aioie8/m8IKmJ3Oc+H/ctecVGAy5tVyWuE9b9dDGPPocdG8MB6CN0bcDBBuNIb3NkGrdl6nMo8TSc6Csba84FQCWS7ywUC9bv01rous6g/YEPgzky4iQDK3ERWW8ksXbEe4FbgepiQFdQRCtBejLEJnodgZuEWrqqkpVIt0hYePlVUvrFtFNprDTMc7tCpSSFkztCSULdm5LZjHGaOZCkvttItKeO3se/lf9UMYe1FgrMLWvcc2DRYZzaxDkHi5/aPasRj4ZO50yW+rkTVt/K36ELxyXVeJ/r0j8unocC7KywkwmF0gU6tw5ZyIbd4FIzxHNJAgQXDG50tmxEJW148bf4SXzjfRx1bTaPMrH0xGOeUvdcMjCQ0PeDx7EatNbCkzzp3VFObP0pAhqKskH5zWRtDGTBneuTgtQ7OgiPjrROY1pAxydVA6MCTlwaauvtVlX9FoJjCenpxnRhpuWQX5iwc9nC6vMwU/vXKow2sLxNfSBFBc5JVJbJFANrqNxqxhOjVWR3jMJYefzTuJsNFHuUNB4eimID14nXQ6h/0xN0X3ePJ9rib2ILSehZBjLapDOXiD/WnP5kzpwvtxXZWflB785iqYaZ8K3799G1etsAzftFEsUKAObB/vVwPG0cMhuRKEGViCbWar7fLLbcCpVfQu6FZl7eyrrbO6gLxiXgEMxWvT+RLTQHius1dbLWiFES8/lQ1XhLzJDV+8DkjzCCI38sTJlD5Q3jlJdyYY42NyrV/mAjY/Ci0sqRr6jgwY+i/aKz1w4f+hcHXPhaEruMH4dhlnV+SIhnJaUnjYInSStEpTqM567gbxJe/3xDPArMi1Pkb4a+w7aoaGTgcWDa5UH7RzLcLo/a/s/R/L6obhgbLfGvoGjKtmRnd0vVHNc83Svef4TicyShXmbcUxBymb7VID8sOGo06mcuwa6xtf44PP2 R1jFuNfI lvZVT5tRLwcIWf+BYNMEtmCHHYKgVYtHdxJI2agLNIRmtfv8Sqc4kgV7mxThHiGHYsFj+1H8QlsR5o0HtGENNAI8nIiqKwdkPxDMG09L1HpT/FmAPrCo7XcHr4FIKXS/OZj5aN1GnUKgIWu9dmymzvjPmQop1+hqXpg5p6MZRFOHsOhrCXNiWEn3SyqqJ7f0iHM058qwKiA8iBiGren2cn06IgdLe6GYhlsyoptBujZ2KjnKa1mTtUjde3MXjLZAZbubWxnU2M2OdYxF0LB2KuRvyiOBmG2XXQvYAhsPZWKRAwKn6Wk4CKDfYkf1XGR3JLQagzNKYcVZLmnFGYEkRHVlQrNTfrKbE5unLrMnoIOfq4OftPY98cs4mXw== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On 10/17/24 14:42, Lorenzo Stoakes wrote: > Utilise the kselftest harmness to implement tests for the guard page Splleing NIT - harmness -> harness > implementation. > > We start by implement basic tests asserting that guard pages can be implmenting? By the way checkpatch will catch spelling stuuf. Please see comments about warnings below. > established (poisoned), cleared (remedied) and that touching poisoned pages > result in SIGSEGV. We also assert that, in remedying a range, non-poison > pages remain intact. > > We then examine different operations on regions containing poison markers > behave to ensure correct behaviour: > > * Operations over multiple VMAs operate as expected. > * Invoking MADV_GUARD_POISION / MADV_GUARD_REMEDY via process_madvise() in > batches works correctly. > * Ensuring that munmap() correctly tears down poison markers. > * Using mprotect() to adjust protection bits does not in any way override > or cause issues with poison markers. > * Ensuring that splitting and merging VMAs around poison markers causes no > issue - i.e. that a marker which 'belongs' to one VMA can function just > as well 'belonging' to another. 
> * Ensuring that madvise(..., MADV_DONTNEED) does not remove poison markers.
> * Ensuring that mlock()'ing a range containing poison markers does not
>   cause issues.
> * Ensuring that mremap() can move a poisoned range and retain poison
>   markers.
> * Ensuring that mremap() can expand a poisoned range and retain poison
>   markers (perhaps moving the range).
> * Ensuring that mremap() can shrink a poisoned range and retain poison
>   markers.
> * Ensuring that forking a process correctly retains poison markers.
> * Ensuring that forking a VMA with VM_WIPEONFORK set behaves sanely.
> * Ensuring that lazyfree simply clears poison markers.
> * Ensuring that userfaultfd can co-exist with guard pages.
> * Ensuring that madvise(..., MADV_POPULATE_READ) and
>   madvise(..., MADV_POPULATE_WRITE) error out when encountering
>   poison markers.
> * Ensuring that madvise(..., MADV_COLD) and madvise(..., MADV_PAGEOUT) do
>   not remove poison markers.

Good summary of the tests. Does the test require root access? If so, does
it check and skip appropriately?

>
> Signed-off-by: Lorenzo Stoakes
> ---
>  tools/testing/selftests/mm/.gitignore    |    1 +
>  tools/testing/selftests/mm/Makefile      |    1 +
>  tools/testing/selftests/mm/guard-pages.c | 1168 ++++++++++++++++++++++
>  3 files changed, 1170 insertions(+)
>  create mode 100644 tools/testing/selftests/mm/guard-pages.c
>
> diff --git a/tools/testing/selftests/mm/.gitignore b/tools/testing/selftests/mm/.gitignore
> index 689bbd520296..8f01f4da1c0d 100644
> --- a/tools/testing/selftests/mm/.gitignore
> +++ b/tools/testing/selftests/mm/.gitignore
> @@ -54,3 +54,4 @@ droppable
>  hugetlb_dio
>  pkey_sighandler_tests_32
>  pkey_sighandler_tests_64
> +guard-pages
> diff --git a/tools/testing/selftests/mm/Makefile b/tools/testing/selftests/mm/Makefile
> index 02e1204971b0..15c734d6cfec 100644
> --- a/tools/testing/selftests/mm/Makefile
> +++ b/tools/testing/selftests/mm/Makefile
> @@ -79,6 +79,7 @@ TEST_GEN_FILES += hugetlb_fault_after_madv
>  TEST_GEN_FILES += hugetlb_madv_vs_map
>  TEST_GEN_FILES += hugetlb_dio
>  TEST_GEN_FILES += droppable
> +TEST_GEN_FILES += guard-pages
>
>  ifneq ($(ARCH),arm64)
>  TEST_GEN_FILES += soft-dirty
> diff --git a/tools/testing/selftests/mm/guard-pages.c b/tools/testing/selftests/mm/guard-pages.c
> new file mode 100644
> index 000000000000..2ab0ff3ba5a0
> --- /dev/null
> +++ b/tools/testing/selftests/mm/guard-pages.c
> @@ -0,0 +1,1168 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +
> +#define _GNU_SOURCE
> +#include "../kselftest_harness.h"
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +
> +/* These may not yet be available in the uAPI so define if not. */
> +
> +#ifndef MADV_GUARD_POISON
> +#define MADV_GUARD_POISON 102
> +#endif
> +
> +#ifndef MADV_GUARD_UNPOISON
> +#define MADV_GUARD_UNPOISON 103
> +#endif
> +
> +volatile bool signal_jump_set;

Can you add a comment about why volatile is needed? By the way, did you
happen to run checkpatch on this? There are several instances of
single-statement blocks with braces {}. I noticed a few and ran checkpatch
on your patch - there are 45 warnings regarding coding style. Please run
checkpatch (scripts/checkpatch.pl) and clean them up so we can avoid
follow-up checkpatch cleanup patches.
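For example, something along these lines would do - the exact wording is
only a suggestion:

	/*
	 * Set when the SIGSEGV handler should siglongjmp() back to the test
	 * code rather than letting the fault kill the process. It is volatile
	 * because it is written in the normal flow but read in the signal
	 * handler and again after the abnormal return via siglongjmp(), so
	 * the compiler must not cache it in a register across
	 * sigsetjmp()/siglongjmp().
	 */
	volatile bool signal_jump_set;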
> +sigjmp_buf signal_jmp_buf;
> +
> +static int userfaultfd(int flags)
> +{
> +	return syscall(SYS_userfaultfd, flags);
> +}
> +
> +static void handle_fatal(int c)
> +{
> +	if (!signal_jump_set)
> +		return;
> +
> +	siglongjmp(signal_jmp_buf, c);
> +}
> +
> +static int pidfd_open(pid_t pid, unsigned int flags)
> +{
> +	return syscall(SYS_pidfd_open, pid, flags);
> +}
> +
> +/*
> + * Enable our signal catcher and try to read/write the specified buffer. The
> + * return value indicates whether the read/write succeeds without a fatal
> + * signal.
> + */
> +static bool try_access_buf(char *ptr, bool write)
> +{
> +	bool failed;
> +
> +	/* Tell signal handler to jump back here on fatal signal. */
> +	signal_jump_set = true;
> +	/* If a fatal signal arose, we will jump back here and failed is set. */
> +	failed = sigsetjmp(signal_jmp_buf, 0) != 0;
> +
> +	if (!failed) {
> +		if (write) {
> +			*ptr = 'x';
> +		} else {
> +			const volatile char *chr = ptr;
> +
> +			/* Force read. */
> +			(void)*chr;
> +		}
> +	}
> +
> +	signal_jump_set = false;
> +	return !failed;
> +}
> +
> +/* Try and read from a buffer, return true if no fatal signal. */
> +static bool try_read_buf(char *ptr)
> +{
> +	return try_access_buf(ptr, false);
> +}
> +
> +/* Try and write to a buffer, return true if no fatal signal. */
> +static bool try_write_buf(char *ptr)
> +{
> +	return try_access_buf(ptr, true);
> +}
> +
> +/*
> + * Try and BOTH read from AND write to a buffer, return true if BOTH operations
> + * succeed.
> + */
> +static bool try_read_write_buf(char *ptr)
> +{
> +	return try_read_buf(ptr) && try_write_buf(ptr);
> +}
> +
> +FIXTURE(guard_pages)
> +{
> +	unsigned long page_size;
> +};
> +
> +FIXTURE_SETUP(guard_pages)
> +{
> +	struct sigaction act = {
> +		.sa_handler = &handle_fatal,
> +		.sa_flags = SA_NODEFER,
> +	};
> +
> +	sigemptyset(&act.sa_mask);
> +	if (sigaction(SIGSEGV, &act, NULL)) {
> +		perror("sigaction");
> +		ksft_exit_fail();

Replace the above two with ksft_exit_fail_perror(). There is no need for
perror("sigaction"); followed by ksft_exit_fail();
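i.e. something like:

	if (sigaction(SIGSEGV, &act, NULL))
		ksft_exit_fail_perror("sigaction");

ksft_exit_fail_perror() prints the message together with errno, so nothing
is lost by dropping the separate perror() call.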
> +	}
> +
> +	self->page_size = (unsigned long)sysconf(_SC_PAGESIZE);
> +};
> +
> +FIXTURE_TEARDOWN(guard_pages)
> +{
> +	struct sigaction act = {
> +		.sa_handler = SIG_DFL,
> +		.sa_flags = SA_NODEFER,
> +	};
> +
> +	sigemptyset(&act.sa_mask);
> +	sigaction(SIGSEGV, &act, NULL);
> +}
> +
> +TEST_F(guard_pages, basic)
> +{
> +	const unsigned long NUM_PAGES = 10;
> +	const unsigned long page_size = self->page_size;
> +	char *ptr;
> +	int i;
> +
> +	ptr = mmap(NULL, NUM_PAGES * page_size, PROT_READ | PROT_WRITE,
> +		   MAP_PRIVATE | MAP_ANON, -1, 0);
> +	ASSERT_NE(ptr, MAP_FAILED);
> +
> +	/* Trivially assert we can touch the first page. */
> +	ASSERT_TRUE(try_read_write_buf(ptr));
> +
> +	ASSERT_EQ(madvise(ptr, page_size, MADV_GUARD_POISON), 0);
> +
> +	/* Establish that 1st page SIGSEGV's. */
> +	ASSERT_FALSE(try_read_write_buf(ptr));
> +
> +	/* Ensure we can touch everything else.*/
> +	for (i = 1; i < NUM_PAGES; i++) {
> +		ASSERT_TRUE(try_read_write_buf(&ptr[i * page_size]));
> +	}
> +
> +	/* Establish a guard page at the end of the mapping. */
> +	ASSERT_EQ(madvise(&ptr[(NUM_PAGES - 1) * page_size], page_size,
> +			  MADV_GUARD_POISON), 0);
> +
> +	/* Check that both guard pages result in SIGSEGV. */
> +	ASSERT_FALSE(try_read_write_buf(ptr));
> +	ASSERT_FALSE(try_read_write_buf(&ptr[(NUM_PAGES - 1) * page_size]));
> +
> +	/* Unpoison the first. */
> +	ASSERT_FALSE(madvise(ptr, page_size, MADV_GUARD_UNPOISON));
> +
> +	/* Make sure we can touch it. */
> +	ASSERT_TRUE(try_read_write_buf(ptr));
> +
> +	/* Unpoison the last. */
> +	ASSERT_FALSE(madvise(&ptr[(NUM_PAGES - 1) * page_size], page_size,
> +			     MADV_GUARD_UNPOISON));
> +
> +	/* Make sure we can touch it. */
> +	ASSERT_TRUE(try_read_write_buf(&ptr[(NUM_PAGES - 1) * page_size]));
> +
> +	/*
> +	 * Test setting a _range_ of pages, namely the first 3. The first of
> +	 * these be faulted in, so this also tests that we can poison backed
> +	 * pages.
> +	 */
> +	ASSERT_EQ(madvise(ptr, 3 * page_size, MADV_GUARD_POISON), 0);
> +
> +	/* Make sure they are all poisoned. */
> +	for (i = 0; i < 3; i++) {
> +		ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size]));
> +	}
> +

This one here and the others below - braces aren't needed around
single-statement blocks like these.

> +	/* Make sure the rest are not. */
> +	for (i = 3; i < NUM_PAGES; i++) {
> +		ASSERT_TRUE(try_read_write_buf(&ptr[i * page_size]));
> +	}
> +
> +	/* Unpoison them. */
> +	ASSERT_EQ(madvise(ptr, NUM_PAGES * page_size, MADV_GUARD_UNPOISON), 0);
> +
> +	/* Now make sure we can touch everything. */
> +	for (i = 0; i < NUM_PAGES; i++) {
> +		ASSERT_TRUE(try_read_write_buf(&ptr[i * page_size]));
> +	}
> +
> +	/* Now unpoison everything, make sure we don't remove existing entries */
> +	ASSERT_EQ(madvise(ptr, NUM_PAGES * page_size, MADV_GUARD_UNPOISON), 0);
> +
> +	for (i = 0; i < NUM_PAGES * page_size; i += page_size) {
> +		ASSERT_EQ(ptr[i], 'x');
> +	}
> +
> +	ASSERT_EQ(munmap(ptr, NUM_PAGES * page_size), 0);
> +}
> +
> +/* Assert that operations applied across multiple VMAs work as expected. */
> +TEST_F(guard_pages, multi_vma)
> +{
> +	const unsigned long page_size = self->page_size;
> +	char *ptr_region, *ptr, *ptr1, *ptr2, *ptr3;
> +	int i;
> +
> +	/* Reserve a 100 page region over which we can install VMAs. */
> +	ptr_region = mmap(NULL, 100 * page_size, PROT_NONE,
> +			  MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr_region, MAP_FAILED);
> +
> +	/* Place a VMA of 10 pages size at the start of the region. */
> +	ptr1 = mmap(ptr_region, 10 * page_size, PROT_READ | PROT_WRITE,
> +		    MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr1, MAP_FAILED);
> +
> +	/* Place a VMA of 5 pages size 50 pages into the region. */
> +	ptr2 = mmap(&ptr_region[50 * page_size], 5 * page_size,
> +		    PROT_READ | PROT_WRITE,
> +		    MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr2, MAP_FAILED);
> +
> +	/* Place a VMA of 20 pages size at the end of the region. */
> +	ptr3 = mmap(&ptr_region[80 * page_size], 20 * page_size,
> +		    PROT_READ | PROT_WRITE,
> +		    MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr3, MAP_FAILED);
> +
> +	/* Unmap gaps. */
> +	ASSERT_EQ(munmap(&ptr_region[10 * page_size], 40 * page_size), 0);
> +	ASSERT_EQ(munmap(&ptr_region[55 * page_size], 25 * page_size), 0);
> +
> +	/*
> +	 * We end up with VMAs like this:
> +	 *
> +	 * 0    10 ..  50   55 ..  80   100
> +	 * [---]       [---]       [---]
> +	 */
> +
> +	/* Now poison the whole range and make sure all VMAs are poisoned. */
> +
> +	/*
> +	 * madvise() is certifiable and lets you perform operations over gaps,
> +	 * everything works, but it indicates an error and errno is set to
> +	 * -ENOMEM. Also if anything runs out of memory it is set to
> +	 * -ENOMEM. You are meant to guess which is which.
> + */ > + ASSERT_EQ(madvise(ptr_region, 100 * page_size, MADV_GUARD_POISON), -1); > + ASSERT_EQ(errno, ENOMEM); > + > + for (i = 0; i < 10; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr1[i * page_size])); > + } > + > + for (i = 0; i < 5; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr2[i * page_size])); > + } > + > + for (i = 0; i < 20; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr3[i * page_size])); > + } > + > + /* Now unpoison the range and assert the opposite. */ > + > + ASSERT_EQ(madvise(ptr_region, 100 * page_size, MADV_GUARD_UNPOISON), -1); > + ASSERT_EQ(errno, ENOMEM); > + > + for (i = 0; i < 10; i++) { > + ASSERT_TRUE(try_read_write_buf(&ptr1[i * page_size])); > + } > + > + for (i = 0; i < 5; i++) { > + ASSERT_TRUE(try_read_write_buf(&ptr2[i * page_size])); > + } > + > + for (i = 0; i < 20; i++) { > + ASSERT_TRUE(try_read_write_buf(&ptr3[i * page_size])); > + } > + > + /* Now map incompatible VMAs in the gaps. */ > + ptr = mmap(&ptr_region[10 * page_size], 40 * page_size, > + PROT_READ | PROT_WRITE | PROT_EXEC, > + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + ptr = mmap(&ptr_region[55 * page_size], 25 * page_size, > + PROT_READ | PROT_WRITE | PROT_EXEC, > + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* > + * We end up with VMAs like this: > + * > + * 0 10 .. 50 55 .. 80 100 > + * [---][xxxx][---][xxxx][---] > + * > + * Where 'x' signifies VMAs that cannot be merged with those adjacent to > + * them. > + */ > + > + /* Multiple VMAs adjacent to one another should result in no error. */ > + ASSERT_EQ(madvise(ptr_region, 100 * page_size, MADV_GUARD_POISON), 0); > + for (i = 0; i < 100; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr_region[i * page_size])); > + } > + ASSERT_EQ(madvise(ptr_region, 100 * page_size, MADV_GUARD_UNPOISON), 0); > + for (i = 0; i < 100; i++) { > + ASSERT_TRUE(try_read_write_buf(&ptr_region[i * page_size])); > + } > + > + /* Cleanup. */ > + ASSERT_EQ(munmap(ptr_region, 100 * page_size), 0); > +} > + > +/* > + * Assert that batched operations performed using process_madvise() work as > + * expected. > + */ > +TEST_F(guard_pages, process_madvise) > +{ > + const unsigned long page_size = self->page_size; > + pid_t pid = getpid(); > + int pidfd = pidfd_open(pid, 0); > + char *ptr_region, *ptr1, *ptr2, *ptr3; > + ssize_t count; > + struct iovec vec[6]; > + > + ASSERT_NE(pidfd, -1); > + > + /* Reserve region to map over. */ > + ptr_region = mmap(NULL, 100 * page_size, PROT_NONE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr_region, MAP_FAILED); > + > + /* 10 pages offset 1 page into reserve region. */ > + ptr1 = mmap(&ptr_region[page_size], 10 * page_size, > + PROT_READ | PROT_WRITE, > + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr1, MAP_FAILED); > + /* We want poison markers at start/end of each VMA. */ > + vec[0].iov_base = ptr1; > + vec[0].iov_len = page_size; > + vec[1].iov_base = &ptr1[9 * page_size]; > + vec[1].iov_len = page_size; > + > + /* 5 pages offset 50 pages into reserve region. */ > + ptr2 = mmap(&ptr_region[50 * page_size], 5 * page_size, > + PROT_READ | PROT_WRITE, > + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr2, MAP_FAILED); > + vec[2].iov_base = ptr2; > + vec[2].iov_len = page_size; > + vec[3].iov_base = &ptr2[4 * page_size]; > + vec[3].iov_len = page_size; > + > + /* 20 pages offset 79 pages into reserve region. 
*/
> +	ptr3 = mmap(&ptr_region[79 * page_size], 20 * page_size,
> +		    PROT_READ | PROT_WRITE,
> +		    MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr3, MAP_FAILED);
> +	vec[4].iov_base = ptr3;
> +	vec[4].iov_len = page_size;
> +	vec[5].iov_base = &ptr3[19 * page_size];
> +	vec[5].iov_len = page_size;
> +
> +	/* Free surrounding VMAs. */
> +	ASSERT_EQ(munmap(ptr_region, page_size), 0);
> +	ASSERT_EQ(munmap(&ptr_region[11 * page_size], 39 * page_size), 0);
> +	ASSERT_EQ(munmap(&ptr_region[55 * page_size], 24 * page_size), 0);
> +	ASSERT_EQ(munmap(&ptr_region[99 * page_size], page_size), 0);
> +
> +	/* Now poison in one step. */
> +	count = process_madvise(pidfd, vec, 6, MADV_GUARD_POISON, 0);
> +
> +	/* OK we don't have permission to do this, skip. */
> +	if (count == -1 && errno == EPERM)
> +		ksft_exit_skip("No process_madvise() permissions\n");

Can you make this a bit more informative? What would a user do if they see
this message? Are they supposed to run the test as root?

> +
> +	/* Returns the number of bytes advised. */
> +	ASSERT_EQ(count, 6 * page_size);
> +
> +	/* Now make sure the poisoning was applied. */
> +
> +	ASSERT_FALSE(try_read_write_buf(ptr1));
> +	ASSERT_FALSE(try_read_write_buf(&ptr1[9 * page_size]));
> +
> +	ASSERT_FALSE(try_read_write_buf(ptr2));
> +	ASSERT_FALSE(try_read_write_buf(&ptr2[4 * page_size]));
> +
> +	ASSERT_FALSE(try_read_write_buf(ptr3));
> +	ASSERT_FALSE(try_read_write_buf(&ptr3[19 * page_size]));
> +
> +	/* Now do the same with unpoison... */
> +	count = process_madvise(pidfd, vec, 6, MADV_GUARD_UNPOISON, 0);
> +
> +	/* ...and everything should now succeed. */
> +
> +	ASSERT_TRUE(try_read_write_buf(ptr1));
> +	ASSERT_TRUE(try_read_write_buf(&ptr1[9 * page_size]));
> +
> +	ASSERT_TRUE(try_read_write_buf(ptr2));
> +	ASSERT_TRUE(try_read_write_buf(&ptr2[4 * page_size]));
> +
> +	ASSERT_TRUE(try_read_write_buf(ptr3));
> +	ASSERT_TRUE(try_read_write_buf(&ptr3[19 * page_size]));
> +
> +	/* Cleanup. */
> +	ASSERT_EQ(munmap(ptr1, 10 * page_size), 0);
> +	ASSERT_EQ(munmap(ptr2, 5 * page_size), 0);
> +	ASSERT_EQ(munmap(ptr3, 20 * page_size), 0);
> +	close(pidfd);
> +}
> +
> +/* Assert that unmapping ranges does not leave poison behind. */
> +TEST_F(guard_pages, munmap)
> +{
> +	const unsigned long page_size = self->page_size;
> +	char *ptr, *ptr_new1, *ptr_new2;
> +
> +	ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> +		   MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr, MAP_FAILED);
> +
> +	/* Poison first and last pages. */
> +	ASSERT_EQ(madvise(ptr, page_size, MADV_GUARD_POISON), 0);
> +	ASSERT_EQ(madvise(&ptr[9 * page_size], page_size, MADV_GUARD_POISON), 0);
> +
> +	/* Assert that they are poisoned. */
> +	ASSERT_FALSE(try_read_write_buf(ptr));
> +	ASSERT_FALSE(try_read_write_buf(&ptr[9 * page_size]));
> +
> +	/* Unmap them. */
> +	ASSERT_EQ(munmap(ptr, page_size), 0);
> +	ASSERT_EQ(munmap(&ptr[9 * page_size], page_size), 0);
> +
> +	/* Map over them.*/
> +	ptr_new1 = mmap(ptr, page_size, PROT_READ | PROT_WRITE,
> +			MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr_new1, MAP_FAILED);
> +	ptr_new2 = mmap(&ptr[9 * page_size], page_size, PROT_READ | PROT_WRITE,
> +			MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr_new2, MAP_FAILED);
> +
> +	/* Assert that they are now not poisoned. */
> +	ASSERT_TRUE(try_read_write_buf(ptr_new1));
> +	ASSERT_TRUE(try_read_write_buf(ptr_new2));
> +
> +	/* Cleanup.
*/ > + ASSERT_EQ(munmap(ptr, 10 * page_size), 0); > +} > + > +/* Assert that mprotect() operations have no bearing on guard poison markers. */ > +TEST_F(guard_pages, mprotect) > +{ > + const unsigned long page_size = self->page_size; > + char *ptr; > + int i; > + > + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* Poison the middle of the range. */ > + ASSERT_EQ(madvise(&ptr[5 * page_size], 2 * page_size, > + MADV_GUARD_POISON), 0); > + > + /* Assert that it is indeed poisoned. */ > + ASSERT_FALSE(try_read_write_buf(&ptr[5 * page_size])); > + ASSERT_FALSE(try_read_write_buf(&ptr[6 * page_size])); > + > + /* Now make these pages read-only. */ > + ASSERT_EQ(mprotect(&ptr[5 * page_size], 2 * page_size, PROT_READ), 0); > + > + /* Make sure the range is still poisoned. */ > + ASSERT_FALSE(try_read_buf(&ptr[5 * page_size])); > + ASSERT_FALSE(try_read_buf(&ptr[6 * page_size])); > + > + /* Make sure we can poison again without issue.*/ > + ASSERT_EQ(madvise(&ptr[5 * page_size], 2 * page_size, > + MADV_GUARD_POISON), 0); > + > + /* Make sure the range is, yet again, still poisoned. */ > + ASSERT_FALSE(try_read_buf(&ptr[5 * page_size])); > + ASSERT_FALSE(try_read_buf(&ptr[6 * page_size])); > + > + /* Now unpoison the whole range. */ > + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_UNPOISON), 0); > + > + /* Make sure the whole range is readable. */ > + for (i = 0; i < 10; i++) { > + ASSERT_TRUE(try_read_buf(&ptr[i * page_size])); > + } > + > + /* Cleanup. */ > + ASSERT_EQ(munmap(ptr, 10 * page_size), 0); > +} > + > +/* Split and merge VMAs and make sure guard pages still behave. */ > +TEST_F(guard_pages, split_merge) > +{ > + const unsigned long page_size = self->page_size; > + char *ptr, *ptr_new; > + int i; > + > + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* Poison the whole range. */ > + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_POISON), 0); > + > + /* Make sure the whole range is poisoned. */ > + for (i = 0; i < 10; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size])); > + } > + > + /* Now unmap some pages in the range so we split. */ > + ASSERT_EQ(munmap(&ptr[2 * page_size], page_size), 0); > + ASSERT_EQ(munmap(&ptr[5 * page_size], page_size), 0); > + ASSERT_EQ(munmap(&ptr[8 * page_size], page_size), 0); > + > + /* Make sure the remaining ranges are poisoned post-split. */ > + for (i = 0; i < 2; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size])); > + } > + for (i = 2; i < 5; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size])); > + } > + for (i = 6; i < 8; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size])); > + } > + for (i = 9; i < 10; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size])); > + } > + > + /* Now map them again - the unmap will have cleared the poison. */ > + ptr_new = mmap(&ptr[2 * page_size], page_size, PROT_READ | PROT_WRITE, > + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr_new, MAP_FAILED); > + ptr_new = mmap(&ptr[5 * page_size], page_size, PROT_READ | PROT_WRITE, > + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr_new, MAP_FAILED); > + ptr_new = mmap(&ptr[8 * page_size], page_size, PROT_READ | PROT_WRITE, > + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr_new, MAP_FAILED); > + > + /* Now make sure poisoning is as expected. 
*/ > + for (i = 0; i < 10; i++) { > + bool result = try_read_write_buf(&ptr[i * page_size]); > + > + if (i == 2 || i == 5 || i == 8) { > + ASSERT_TRUE(result); > + } else { > + ASSERT_FALSE(result); > + } > + } > + > + /* Now poison everything again. */ > + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_POISON), 0); > + > + /* Make sure the whole range is poisoned. */ > + for (i = 0; i < 10; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size])); > + } > + > + /* Now split the range into three. */ > + ASSERT_EQ(mprotect(ptr, 3 * page_size, PROT_READ), 0); > + ASSERT_EQ(mprotect(&ptr[7 * page_size], 3 * page_size, PROT_READ), 0); > + > + /* Make sure the whole range is poisoned for read. */ > + for (i = 0; i < 10; i++) { > + ASSERT_FALSE(try_read_buf(&ptr[i * page_size])); > + } > + > + /* Now reset protection bits so we merge the whole thing. */ > + ASSERT_EQ(mprotect(ptr, 3 * page_size, PROT_READ | PROT_WRITE), 0); > + ASSERT_EQ(mprotect(&ptr[7 * page_size], 3 * page_size, > + PROT_READ | PROT_WRITE), 0); > + > + /* Make sure the whole range is still poisoned. */ > + for (i = 0; i < 10; i++) { > + ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size])); > + } > + > + /* Split range into 3 again... */ > + ASSERT_EQ(mprotect(ptr, 3 * page_size, PROT_READ), 0); > + ASSERT_EQ(mprotect(&ptr[7 * page_size], 3 * page_size, PROT_READ), 0); > + > + /* ...and unpoison the whole range. */ > + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_UNPOISON), 0); > + > + /* Make sure the whole range is remedied for read. */ > + for (i = 0; i < 10; i++) { > + ASSERT_TRUE(try_read_buf(&ptr[i * page_size])); > + } > + > + /* Merge them again. */ > + ASSERT_EQ(mprotect(ptr, 3 * page_size, PROT_READ | PROT_WRITE), 0); > + ASSERT_EQ(mprotect(&ptr[7 * page_size], 3 * page_size, > + PROT_READ | PROT_WRITE), 0); > + > + /* Now ensure the merged range is remedied for read/write. */ > + for (i = 0; i < 10; i++) { > + ASSERT_TRUE(try_read_write_buf(&ptr[i * page_size])); > + } > + > + /* Cleanup. */ > + ASSERT_EQ(munmap(ptr, 10 * page_size), 0); > +} > + > +/* Assert that MADV_DONTNEED does not remove guard poison markers. */ > +TEST_F(guard_pages, dontneed) > +{ > + const unsigned long page_size = self->page_size; > + char *ptr; > + int i; > + > + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* Back the whole range. */ > + for (i = 0; i < 10; i++) { > + ptr[i * page_size] = 'y'; > + } > + > + /* Poison every other page. */ > + for (i = 0; i < 10; i += 2) { > + ASSERT_EQ(madvise(&ptr[i * page_size], > + page_size, MADV_GUARD_POISON), 0); > + } > + > + /* Indicate that we don't need any of the range. */ > + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_DONTNEED), 0); > + > + /* Check to ensure poison markers are still in place. */ > + for (i = 0; i < 10; i++) { > + bool result = try_read_buf(&ptr[i * page_size]); > + > + if (i % 2 == 0) { > + ASSERT_FALSE(result); > + } else { > + ASSERT_TRUE(result); > + /* Make sure we really did get reset to zero page. */ > + ASSERT_EQ(ptr[i * page_size], '\0'); > + } > + > + /* Now write... */ > + result = try_write_buf(&ptr[i * page_size]); > + > + /* ...and make sure same result. */ > + if (i % 2 == 0) { You don't need { here > + ASSERT_FALSE(result); > + } else { > + ASSERT_TRUE(result); > + } Same here. > + } > + > + /* Cleanup. */ > + ASSERT_EQ(munmap(ptr, 10 * page_size), 0); > +} > + > +/* Assert that mlock()'ed pages work correctly with poison markers. 
*/ > +TEST_F(guard_pages, mlock) > +{ > + const unsigned long page_size = self->page_size; > + char *ptr; > + int i; > + > + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* Populate. */ > + for (i = 0; i < 10; i++) { > + ptr[i * page_size] = 'y'; > + } > + > + /* Lock. */ > + ASSERT_EQ(mlock(ptr, 10 * page_size), 0); > + > + /* Now try to poison, should fail with EINVAL. */ > + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_POISON), -1); > + ASSERT_EQ(errno, EINVAL); > + > + /* OK unlock. */ > + ASSERT_EQ(munlock(ptr, 10 * page_size), 0); > + > + /* Poison first half of range, should now succeed. */ > + ASSERT_EQ(madvise(ptr, 5 * page_size, MADV_GUARD_POISON), 0); > + > + /* Make sure poison works. */ > + for (i = 0; i < 10; i++) { > + bool result = try_read_write_buf(&ptr[i * page_size]); > + > + if (i < 5) { > + ASSERT_FALSE(result); > + } else { > + ASSERT_TRUE(result); > + ASSERT_EQ(ptr[i * page_size], 'x'); > + } > + } > + > + /* > + * Now lock the latter part of the range. We can't lock the poisoned > + * pages, as this would result in the pages being populated and the > + * poisoning would cause this to error out. > + */ > + ASSERT_EQ(mlock(&ptr[5 * page_size], 5 * page_size), 0); > + > + /* > + * Now unpoison, we do not permit mlock()'d ranges to be remedied as it is > + * a non-destructive operation. > + */ > + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_UNPOISON), 0); > + > + /* Now check that everything is remedied. */ > + for (i = 0; i < 10; i++) { > + ASSERT_TRUE(try_read_write_buf(&ptr[i * page_size])); > + } > + > + /* Cleanup. */ > + ASSERT_EQ(munmap(ptr, 10 * page_size), 0); > +} > + > +/* > + * Assert that moving, extending and shrinking memory via mremap() retains > + * poison markers where possible. > + * > + * - Moving a mapping alone should retain markers as they are. > + */ > +TEST_F(guard_pages, mremap_move) > +{ > + const unsigned long page_size = self->page_size; > + char *ptr, *ptr_new; > + > + /* Map 5 pages. */ > + ptr = mmap(NULL, 5 * page_size, PROT_READ | PROT_WRITE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* Place poison markers at both ends of the 5 page span. */ > + ASSERT_EQ(madvise(ptr, page_size, MADV_GUARD_POISON), 0); > + ASSERT_EQ(madvise(&ptr[4 * page_size], page_size, MADV_GUARD_POISON), 0); > + > + /* Make sure the poison is in effect. */ > + ASSERT_FALSE(try_read_write_buf(ptr)); > + ASSERT_FALSE(try_read_write_buf(&ptr[4 * page_size])); > + > + /* Map a new region we will move this range into. Doing this ensures > + * that we have reserved a range to map into. > + */ > + ptr_new = mmap(NULL, 5 * page_size, PROT_NONE, MAP_ANON | MAP_PRIVATE, > + -1, 0); > + ASSERT_NE(ptr_new, MAP_FAILED); > + > + ASSERT_EQ(mremap(ptr, 5 * page_size, 5 * page_size, > + MREMAP_MAYMOVE | MREMAP_FIXED, ptr_new), ptr_new); > + > + /* Make sure the poison is retained. */ > + ASSERT_FALSE(try_read_write_buf(ptr_new)); > + ASSERT_FALSE(try_read_write_buf(&ptr_new[4 * page_size])); > + > + /* > + * Clean up - we only need reference the new pointer as we overwrote the > + * PROT_NONE range and moved the existing one. > + */ > + munmap(ptr_new, 5 * page_size); > +} > + > +/* > + * Assert that moving, extending and shrinking memory via mremap() retains > + * poison markers where possible. > + * > + * - Expanding should retain, only now in different position. 
The user will have > + * to unpoison manually to fix up (they'd have to do the same if it were a > + * PROT_NONE mapping) > + */ > +TEST_F(guard_pages, mremap_expand) > +{ > + const unsigned long page_size = self->page_size; > + char *ptr, *ptr_new; > + > + /* Map 10 pages... */ > + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + /* ...But unmap the last 5 so we can ensure we can expand into them. */ > + ASSERT_EQ(munmap(&ptr[5 * page_size], 5 * page_size), 0); > + > + /* Place poison markers at both ends of the 5 page span. */ > + ASSERT_EQ(madvise(ptr, page_size, MADV_GUARD_POISON), 0); > + ASSERT_EQ(madvise(&ptr[4 * page_size], page_size, MADV_GUARD_POISON), 0); > + > + /* Make sure the poison is in effect. */ > + ASSERT_FALSE(try_read_write_buf(ptr)); > + ASSERT_FALSE(try_read_write_buf(&ptr[4 * page_size])); > + > + /* Now expand to 10 pages. */ > + ptr = mremap(ptr, 5 * page_size, 10 * page_size, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* Make sure the poison is retained in its original positions. */ > + ASSERT_FALSE(try_read_write_buf(ptr)); > + ASSERT_FALSE(try_read_write_buf(&ptr[4 * page_size])); > + > + /* Reserve a region which we can move to and expand into. */ > + ptr_new = mmap(NULL, 20 * page_size, PROT_NONE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr_new, MAP_FAILED); > + > + /* Now move and expand into it. */ > + ptr = mremap(ptr, 10 * page_size, 20 * page_size, > + MREMAP_MAYMOVE | MREMAP_FIXED, ptr_new); > + ASSERT_EQ(ptr, ptr_new); > + > + /* Again, make sure the poison is retained in its original > + * positions. */ > + ASSERT_FALSE(try_read_write_buf(ptr)); > + ASSERT_FALSE(try_read_write_buf(&ptr[4 * page_size])); > + > + /* > + * A real user would have to unpoison, but would reasonably expect all > + * characteristics of the mapping to be retained, including poison > + * markers. > + */ > + > + /* Cleanup. */ > + munmap(ptr, 20 * page_size); > +} > +/* > + * Assert that moving, extending and shrinking memory via mremap() retains > + * poison markers where possible. > + * > + * - Shrinking will result in markers that are shrunk over being removed. Again, > + * if the user were using a PROT_NONE mapping they'd have to manually fix this > + * up also so this is OK. > + */ > +TEST_F(guard_pages, mremap_shrink) > +{ > + const unsigned long page_size = self->page_size; > + char *ptr; > + int i; > + > + /* Map 5 pages. */ > + ptr = mmap(NULL, 5 * page_size, PROT_READ | PROT_WRITE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* Place poison markers at both ends of the 5 page span. */ > + ASSERT_EQ(madvise(ptr, page_size, MADV_GUARD_POISON), 0); > + ASSERT_EQ(madvise(&ptr[4 * page_size], page_size, MADV_GUARD_POISON), 0); > + > + /* Make sure the poison is in effect. */ > + ASSERT_FALSE(try_read_write_buf(ptr)); > + ASSERT_FALSE(try_read_write_buf(&ptr[4 * page_size])); > + > + /* Now shrink to 3 pages. */ > + ptr = mremap(ptr, 5 * page_size, 3 * page_size, MREMAP_MAYMOVE); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* We expect the poison marker at the start to be retained... */ > + ASSERT_FALSE(try_read_write_buf(ptr)); > + > + /* ...But remaining pages will not have poison markers. */ > + for (i = 1; i < 3; i++) { > + ASSERT_TRUE(try_read_write_buf(&ptr[i + page_size])); > + } > + > + /* > + * As with expansion, a real user would have to unpoison and fixup. But > + * you'd have to do similar manual things with PROT_NONE mappings too. 
> + */ > + > + /* > + * If we expand back to the original size, the end marker will, of > + * course, no longer be present. > + */ > + ptr = mremap(ptr, 3 * page_size, 5 * page_size, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* Again, we expect the poison marker at the start to be retained... */ > + ASSERT_FALSE(try_read_write_buf(ptr)); > + > + /* ...But remaining pages will not have poison markers. */ > + for (i = 1; i < 5; i++) { > + ASSERT_TRUE(try_read_write_buf(&ptr[i + page_size])); > + } > + > + /* Cleanup. */ > + munmap(ptr, 5 * page_size); > +} > + > +/* > + * Assert that forking a process with VMAs that do not have VM_WIPEONFORK set > + * retain guard pages. > + */ > +TEST_F(guard_pages, fork) > +{ > + const unsigned long page_size = self->page_size; > + char *ptr; > + pid_t pid; > + int i; > + > + /* Map 10 pages. */ > + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* Poison the first 5 pages. */ > + ASSERT_EQ(madvise(ptr, 5 * page_size, MADV_GUARD_POISON), 0); > + > + pid = fork(); > + ASSERT_NE(pid, -1); > + if (!pid) { > + /* This is the child process now. */ > + > + /* Assert that the poisoning is in effect. */ > + for (i = 0; i < 10; i++) { > + bool result = try_read_write_buf(&ptr[i * page_size]); > + > + if (i < 5) { > + ASSERT_FALSE(result); > + } else { > + ASSERT_TRUE(result); > + } > + } > + > + /* Now unpoison the range.*/ > + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_UNPOISON), 0); > + > + exit(0); > + } > + > + /* Parent process. */ > + > + /* Parent simply waits on child. */ > + waitpid(pid, NULL, 0); > + > + /* Child unpoison does not impact parent page table state. */ > + for (i = 0; i < 10; i++) { > + bool result = try_read_write_buf(&ptr[i * page_size]); > + > + if (i < 5) { > + ASSERT_FALSE(result); > + } else { > + ASSERT_TRUE(result); > + } > + } > + > + /* Cleanup. */ > + ASSERT_EQ(munmap(ptr, 10 * page_size), 0); > +} > + > +/* > + * Assert that forking a process with VMAs that do have VM_WIPEONFORK set > + * behave as expected. > + */ > +TEST_F(guard_pages, fork_wipeonfork) > +{ > + const unsigned long page_size = self->page_size; > + char *ptr; > + pid_t pid; > + int i; > + > + /* Map 10 pages. */ > + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE, > + MAP_ANON | MAP_PRIVATE, -1, 0); > + ASSERT_NE(ptr, MAP_FAILED); > + > + /* Mark wipe on fork. */ > + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_WIPEONFORK), 0); > + > + /* Poison the first 5 pages. */ > + ASSERT_EQ(madvise(ptr, 5 * page_size, MADV_GUARD_POISON), 0); > + > + pid = fork(); > + ASSERT_NE(pid, -1); > + if (!pid) { > + /* This is the child process now. */ > + > + /* Poison will have been wiped. */ > + for (i = 0; i < 10; i++) { > + ASSERT_TRUE(try_read_write_buf(&ptr[i * page_size])); > + } > + > + exit(0); > + } > + > + /* Parent process. */ > + > + waitpid(pid, NULL, 0); > + > + /* Poison should be in effect.*/ > + for (i = 0; i < 10; i++) { > + bool result = try_read_write_buf(&ptr[i * page_size]); > + > + if (i < 5) { > + ASSERT_FALSE(result); > + } else { > + ASSERT_TRUE(result); > + } > + } > + > + /* Cleanup. */ > + ASSERT_EQ(munmap(ptr, 10 * page_size), 0); > +} > + > +/* Ensure that MADV_FREE frees poison entries as expected. */ > +TEST_F(guard_pages, lazyfree) > +{ > + const unsigned long page_size = self->page_size; > + char *ptr; > + int i; > + > + /* Map 10 pages. 
*/
> +	ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> +		   MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr, MAP_FAILED);
> +
> +	/* Poison range. */
> +	ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_POISON), 0);
> +
> +	/* Ensure poisoned. */
> +	for (i = 0; i < 10; i++) {
> +		ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size]));
> +	}
> +
> +	/* Lazyfree range. */
> +	ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_FREE), 0);
> +
> +	/* This should simply clear the poison markers. */
> +	for (i = 0; i < 10; i++) {
> +		ASSERT_TRUE(try_read_write_buf(&ptr[i * page_size]));
> +	}
> +
> +	/* Cleanup. */
> +	ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Ensure that MADV_POPULATE_READ, MADV_POPULATE_WRITE behave as expected. */
> +TEST_F(guard_pages, populate)
> +{
> +	const unsigned long page_size = self->page_size;
> +	char *ptr;
> +
> +	/* Map 10 pages. */
> +	ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> +		   MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr, MAP_FAILED);
> +
> +	/* Poison range. */
> +	ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_POISON), 0);
> +
> +	/* Populate read should error out... */
> +	ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_POPULATE_READ), -1);
> +	ASSERT_EQ(errno, EFAULT);
> +
> +	/* ...as should populate write. */
> +	ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_POPULATE_WRITE), -1);
> +	ASSERT_EQ(errno, EFAULT);
> +
> +	/* Cleanup. */
> +	ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Ensure that MADV_COLD, MADV_PAGEOUT do not remove poison markers. */
> +TEST_F(guard_pages, cold_pageout)
> +{
> +	const unsigned long page_size = self->page_size;
> +	char *ptr;
> +	int i;
> +
> +	/* Map 10 pages. */
> +	ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> +		   MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr, MAP_FAILED);
> +
> +	/* Poison range. */
> +	ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_POISON), 0);
> +
> +	/* Ensured poisoned. */
> +	for (i = 0; i < 10; i++) {
> +		ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size]));
> +	}
> +
> +	/* Now mark cold. This should have no impact on poison markers. */
> +	ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_COLD), 0);
> +
> +	/* Should remain poisoned. */
> +	for (i = 0; i < 10; i++) {
> +		ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size]));
> +	}
> +
> +	/* OK, now page out. This should equally, have no effect on markers. */
> +	ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_PAGEOUT), 0);
> +
> +	/* Should remain poisoned. */
> +	for (i = 0; i < 10; i++) {
> +		ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size]));
> +	}
> +
> +	/* Cleanup. */
> +	ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Ensure that guard pages do not break userfaultd. */
> +TEST_F(guard_pages, uffd)
> +{
> +	const unsigned long page_size = self->page_size;
> +	int uffd;
> +	char *ptr;
> +	int i;
> +	struct uffdio_api api = {
> +		.api = UFFD_API,
> +		.features = 0,
> +	};
> +	struct uffdio_register reg;
> +	struct uffdio_range range;
> +
> +	/* Set up uffd. */
> +	uffd = userfaultfd(0);
> +	if (uffd == -1 && errno == EPERM)
> +		ksft_exit_skip("No uffd permissions\n");

Same comment here about a user-friendly message that says what the user
should do.
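Perhaps something like this - the exact wording and the sysctl hint are
just suggestions:

	if (uffd == -1 && errno == EPERM)
		ksft_exit_skip("userfaultfd() needs root or vm.unprivileged_userfaultfd=1 - skipping\n");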
> +	ASSERT_NE(uffd, -1);
> +
> +	ASSERT_EQ(ioctl(uffd, UFFDIO_API, &api), 0);
> +
> +	/* Map 10 pages. */
> +	ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> +		   MAP_ANON | MAP_PRIVATE, -1, 0);
> +	ASSERT_NE(ptr, MAP_FAILED);
> +
> +	/* Register the range with uffd. */
> +	range.start = (unsigned long)ptr;
> +	range.len = 10 * page_size;
> +	reg.range = range;
> +	reg.mode = UFFDIO_REGISTER_MODE_MISSING;
> +	ASSERT_EQ(ioctl(uffd, UFFDIO_REGISTER, &reg), 0);
> +
> +	/* Poison the range. This should not trigger the uffd. */
> +	ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_POISON), 0);
> +
> +	/* The poisoning should behave as usual with no uffd intervention. */
> +	for (i = 0; i < 10; i++) {
> +		ASSERT_FALSE(try_read_write_buf(&ptr[i * page_size]));
> +	}
> +
> +	/* Cleanup. */
> +	ASSERT_EQ(ioctl(uffd, UFFDIO_UNREGISTER, &range), 0);
> +	close(uffd);
> +	ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +TEST_HARNESS_MAIN

thanks,
-- Shuah