1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright 2018, Breno Leitao, IBM Corp.
4  * Licensed under GPLv2.
5  *
6  * Sigfuz(tm): A PowerPC TM-aware signal fuzzer.
7  *
8  * This is a new selftest that raises SIGUSR1 signals and handles it in a set
9  * of different ways, trying to create different scenario for testing
10  * purpose.
11  *
12  * This test works raising a signal and calling sigreturn interleaved with
13  * TM operations, as starting, suspending and terminating a transaction. The
14  * test depends on random numbers, and, based on them, it sets different TM
15  * states.
16  *
17  * Other than that, the test fills out the user context struct that is passed
18  * to the sigreturn system call with random data, in order to make sure that
19  * the signal handler syscall can handle different and invalid states
20  * properly.
21  *
22  * This selftest has command line parameters to control what kind of tests the
23  * user wants to run, as for example, if a transaction should be started prior
24  * to signal being raised, or, after the signal being raised and before the
25  * sigreturn. If no parameter is given, the default is enabling all options.
26  *
27  * This test does not check if the user context is being read and set
28  * properly by the kernel. Its purpose, at this time, is basically
29  * guaranteeing that the kernel does not crash on invalid scenarios.
30  */
31 
32 #include <stdio.h>
33 #include <limits.h>
34 #include <sys/wait.h>
35 #include <unistd.h>
36 #include <stdlib.h>
37 #include <signal.h>
38 #include <string.h>
39 #include <ucontext.h>
40 #include <sys/mman.h>
41 #include <pthread.h>
42 #include "utils.h"
43 
44 /* Selftest defaults */
45 #define COUNT_MAX	600		/* Number of interactions */
46 #define THREADS		16		/* Number of threads */
47 
48 /* Arguments options */
49 #define ARG_MESS_WITH_TM_AT	0x1
50 #define ARG_MESS_WITH_TM_BEFORE	0x2
51 #define ARG_MESS_WITH_MSR_AT	0x4
52 #define ARG_FOREVER		0x10
53 #define ARG_COMPLETE		(ARG_MESS_WITH_TM_AT |		\
54 				ARG_MESS_WITH_TM_BEFORE |	\
55 				ARG_MESS_WITH_MSR_AT)
56 
57 static int args;
58 static int nthread = THREADS;
59 static int count_max = COUNT_MAX;
60 
61 /* checkpoint context */
62 static ucontext_t *tmp_uc;
63 
64 /* Return true with 1/x probability */
one_in_chance(int x)65 static int one_in_chance(int x)
66 {
67 	return rand() % x == 0;
68 }
69 
70 /* Change TM states */
mess_with_tm(void)71 static void mess_with_tm(void)
72 {
73 	/* Starts a transaction 33% of the time */
74 	if (one_in_chance(3)) {
75 		asm ("tbegin.	;"
76 		     "beq 8	;");
77 
78 		/* And suspended half of them */
79 		if (one_in_chance(2))
80 			asm("tsuspend.	;");
81 	}
82 
83 	/* Call 'tend' in 5% of the runs */
84 	if (one_in_chance(20))
85 		asm("tend.	;");
86 }
87 
88 /* Signal handler that will be invoked with raise() */
trap_signal_handler(int signo,siginfo_t * si,void * uc)89 static void trap_signal_handler(int signo, siginfo_t *si, void *uc)
90 {
91 	ucontext_t *ucp = uc;
92 
93 	ucp->uc_link = tmp_uc;
94 
95 	/*
96 	 * Set uc_link in three possible ways:
97 	 *  - Setting a single 'int' in the whole chunk
98 	 *  - Cloning ucp into uc_link
99 	 *  - Allocating a new memory chunk
100 	 */
101 	if (one_in_chance(3)) {
102 		memset(ucp->uc_link, rand(), sizeof(ucontext_t));
103 	} else if (one_in_chance(2)) {
104 		memcpy(ucp->uc_link, uc, sizeof(ucontext_t));
105 	} else if (one_in_chance(2)) {
106 		if (tmp_uc) {
107 			free(tmp_uc);
108 			tmp_uc = NULL;
109 		}
110 		tmp_uc = malloc(sizeof(ucontext_t));
111 		ucp->uc_link = tmp_uc;
112 		/* Trying to cause a major page fault at Kernel level */
113 		madvise(ucp->uc_link, sizeof(ucontext_t), MADV_DONTNEED);
114 	}
115 
116 	if (args & ARG_MESS_WITH_MSR_AT) {
117 		/* Changing the checkpointed registers */
118 		if (one_in_chance(4)) {
119 			ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |= MSR_TS_S;
120 		} else {
121 			if (one_in_chance(2)) {
122 				ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |=
123 						 MSR_TS_T;
124 			} else if (one_in_chance(2)) {
125 				ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |=
126 						MSR_TS_T | MSR_TS_S;
127 			}
128 		}
129 
130 		/* Checking the current register context */
131 		if (one_in_chance(2)) {
132 			ucp->uc_mcontext.gp_regs[PT_MSR] |= MSR_TS_S;
133 		} else if (one_in_chance(2)) {
134 			if (one_in_chance(2))
135 				ucp->uc_mcontext.gp_regs[PT_MSR] |=
136 					MSR_TS_T;
137 			else if (one_in_chance(2))
138 				ucp->uc_mcontext.gp_regs[PT_MSR] |=
139 					MSR_TS_T | MSR_TS_S;
140 		}
141 	}
142 
143 	if (one_in_chance(20)) {
144 		/* Nested transaction start */
145 		if (one_in_chance(5))
146 			mess_with_tm();
147 
148 		/* Return without changing any other context info */
149 		return;
150 	}
151 
152 	if (one_in_chance(10))
153 		ucp->uc_mcontext.gp_regs[PT_MSR] = random();
154 	if (one_in_chance(10))
155 		ucp->uc_mcontext.gp_regs[PT_NIP] = random();
156 	if (one_in_chance(10))
157 		ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] = random();
158 	if (one_in_chance(10))
159 		ucp->uc_link->uc_mcontext.gp_regs[PT_NIP] = random();
160 
161 	ucp->uc_mcontext.gp_regs[PT_TRAP] = random();
162 	ucp->uc_mcontext.gp_regs[PT_DSISR] = random();
163 	ucp->uc_mcontext.gp_regs[PT_DAR] = random();
164 	ucp->uc_mcontext.gp_regs[PT_ORIG_R3] = random();
165 	ucp->uc_mcontext.gp_regs[PT_XER] = random();
166 	ucp->uc_mcontext.gp_regs[PT_RESULT] = random();
167 	ucp->uc_mcontext.gp_regs[PT_SOFTE] = random();
168 	ucp->uc_mcontext.gp_regs[PT_DSCR] = random();
169 	ucp->uc_mcontext.gp_regs[PT_CTR] = random();
170 	ucp->uc_mcontext.gp_regs[PT_LNK] = random();
171 	ucp->uc_mcontext.gp_regs[PT_CCR] = random();
172 	ucp->uc_mcontext.gp_regs[PT_REGS_COUNT] = random();
173 
174 	ucp->uc_link->uc_mcontext.gp_regs[PT_TRAP] = random();
175 	ucp->uc_link->uc_mcontext.gp_regs[PT_DSISR] = random();
176 	ucp->uc_link->uc_mcontext.gp_regs[PT_DAR] = random();
177 	ucp->uc_link->uc_mcontext.gp_regs[PT_ORIG_R3] = random();
178 	ucp->uc_link->uc_mcontext.gp_regs[PT_XER] = random();
179 	ucp->uc_link->uc_mcontext.gp_regs[PT_RESULT] = random();
180 	ucp->uc_link->uc_mcontext.gp_regs[PT_SOFTE] = random();
181 	ucp->uc_link->uc_mcontext.gp_regs[PT_DSCR] = random();
182 	ucp->uc_link->uc_mcontext.gp_regs[PT_CTR] = random();
183 	ucp->uc_link->uc_mcontext.gp_regs[PT_LNK] = random();
184 	ucp->uc_link->uc_mcontext.gp_regs[PT_CCR] = random();
185 	ucp->uc_link->uc_mcontext.gp_regs[PT_REGS_COUNT] = random();
186 
187 	if (args & ARG_MESS_WITH_TM_BEFORE) {
188 		if (one_in_chance(2))
189 			mess_with_tm();
190 	}
191 }
192 
seg_signal_handler(int signo,siginfo_t * si,void * uc)193 static void seg_signal_handler(int signo, siginfo_t *si, void *uc)
194 {
195 	/* Clear exit for process that segfaults */
196 	exit(0);
197 }
198 
sigfuz_test(void * thrid)199 static void *sigfuz_test(void *thrid)
200 {
201 	struct sigaction trap_sa, seg_sa;
202 	int ret, i = 0;
203 	pid_t t;
204 
205 	tmp_uc = malloc(sizeof(ucontext_t));
206 
207 	/* Main signal handler */
208 	trap_sa.sa_flags = SA_SIGINFO;
209 	trap_sa.sa_sigaction = trap_signal_handler;
210 
211 	/* SIGSEGV signal handler */
212 	seg_sa.sa_flags = SA_SIGINFO;
213 	seg_sa.sa_sigaction = seg_signal_handler;
214 
215 	/* The signal handler will enable MSR_TS */
216 	sigaction(SIGUSR1, &trap_sa, NULL);
217 
218 	/* If it does not crash, it will segfault, avoid it to retest */
219 	sigaction(SIGSEGV, &seg_sa, NULL);
220 
221 	while (i < count_max) {
222 		t = fork();
223 
224 		if (t == 0) {
225 			/* Once seed per process */
226 			srand(time(NULL) + getpid());
227 			if (args & ARG_MESS_WITH_TM_AT) {
228 				if (one_in_chance(2))
229 					mess_with_tm();
230 			}
231 			raise(SIGUSR1);
232 			exit(0);
233 		} else {
234 			waitpid(t, &ret, 0);
235 		}
236 		if (!(args & ARG_FOREVER))
237 			i++;
238 	}
239 
240 	/* If not freed already, free now */
241 	if (tmp_uc) {
242 		free(tmp_uc);
243 		tmp_uc = NULL;
244 	}
245 
246 	return NULL;
247 }
248 
signal_fuzzer(void)249 static int signal_fuzzer(void)
250 {
251 	int t, rc;
252 	pthread_t *threads;
253 
254 	threads = malloc(nthread * sizeof(pthread_t));
255 
256 	for (t = 0; t < nthread; t++) {
257 		rc = pthread_create(&threads[t], NULL, sigfuz_test,
258 				    (void *)&t);
259 		if (rc)
260 			perror("Thread creation error\n");
261 	}
262 
263 	for (t = 0; t < nthread; t++) {
264 		rc = pthread_join(threads[t], NULL);
265 		if (rc)
266 			perror("Thread join error\n");
267 	}
268 
269 	free(threads);
270 
271 	return EXIT_SUCCESS;
272 }
273 
show_help(char * name)274 static void show_help(char *name)
275 {
276 	printf("%s: Sigfuzzer for powerpc\n", name);
277 	printf("Usage:\n");
278 	printf("\t-b\t Mess with TM before raising a SIGUSR1 signal\n");
279 	printf("\t-a\t Mess with TM after raising a SIGUSR1 signal\n");
280 	printf("\t-m\t Mess with MSR[TS] bits at mcontext\n");
281 	printf("\t-x\t Mess with everything above\n");
282 	printf("\t-f\t Run forever (Press ^C to Quit)\n");
283 	printf("\t-i\t Amount of interactions.	(Default = %d)\n", COUNT_MAX);
284 	printf("\t-t\t Amount of threads.	(Default = %d)\n", THREADS);
285 	exit(-1);
286 }
287 
main(int argc,char ** argv)288 int main(int argc, char **argv)
289 {
290 	int opt;
291 
292 	while ((opt = getopt(argc, argv, "bamxt:fi:h")) != -1) {
293 		if (opt == 'b') {
294 			printf("Mess with TM before signal\n");
295 			args |= ARG_MESS_WITH_TM_BEFORE;
296 		} else if (opt == 'a') {
297 			printf("Mess with TM at signal handler\n");
298 			args |= ARG_MESS_WITH_TM_AT;
299 		} else if (opt == 'm') {
300 			printf("Mess with MSR[TS] bits in mcontext\n");
301 			args |= ARG_MESS_WITH_MSR_AT;
302 		} else if (opt == 'x') {
303 			printf("Running with all options enabled\n");
304 			args |= ARG_COMPLETE;
305 		} else if (opt == 't') {
306 			nthread = atoi(optarg);
307 			printf("Threads = %d\n", nthread);
308 		} else if (opt == 'f') {
309 			args |= ARG_FOREVER;
310 			printf("Press ^C to stop\n");
311 			test_harness_set_timeout(-1);
312 		} else if (opt == 'i') {
313 			count_max = atoi(optarg);
314 			printf("Running for %d interactions\n", count_max);
315 		} else if (opt == 'h') {
316 			show_help(argv[0]);
317 		}
318 	}
319 
320 	/* Default test suite */
321 	if (!args)
322 		args = ARG_COMPLETE;
323 
324 	test_harness(signal_fuzzer, "signal_fuzzer");
325 }
326