1 // SPDX-License-Identifier: GPL-2.0 2 #include <stdio.h> 3 #include <stdlib.h> 4 #include <pthread.h> 5 #include <semaphore.h> 6 #include <sys/types.h> 7 #include <signal.h> 8 #include <errno.h> 9 #include <linux/bitmap.h> 10 #include <linux/bitops.h> 11 #include <linux/atomic.h> 12 #include <linux/sizes.h> 13 14 #include "kvm_util.h" 15 #include "test_util.h" 16 #include "guest_modes.h" 17 #include "processor.h" 18 #include "ucall_common.h" 19 20 static bool mprotect_ro_done; 21 static bool all_vcpus_hit_ro_fault; 22 23 static void guest_code(uint64_t start_gpa, uint64_t end_gpa, uint64_t stride) 24 { 25 uint64_t gpa; 26 int i; 27 28 for (i = 0; i < 2; i++) { 29 for (gpa = start_gpa; gpa < end_gpa; gpa += stride) 30 vcpu_arch_put_guest(*((volatile uint64_t *)gpa), gpa); 31 GUEST_SYNC(i); 32 } 33 34 for (gpa = start_gpa; gpa < end_gpa; gpa += stride) 35 *((volatile uint64_t *)gpa); 36 GUEST_SYNC(2); 37 38 /* 39 * Write to the region while mprotect(PROT_READ) is underway. Keep 40 * looping until the memory is guaranteed to be read-only and a fault 41 * has occurred, otherwise vCPUs may complete their writes and advance 42 * to the next stage prematurely. 43 * 44 * For architectures that support skipping the faulting instruction, 45 * generate the store via inline assembly to ensure the exact length 46 * of the instruction is known and stable (vcpu_arch_put_guest() on 47 * fixed-length architectures should work, but the cost of paranoia 48 * is low in this case). For x86, hand-code the exact opcode so that 49 * there is no room for variability in the generated instruction. 50 */ 51 do { 52 for (gpa = start_gpa; gpa < end_gpa; gpa += stride) 53 #ifdef __x86_64__ 54 asm volatile(".byte 0x48,0x89,0x00" :: "a"(gpa) : "memory"); /* mov %rax, (%rax) */ 55 #elif defined(__aarch64__) 56 asm volatile("str %0, [%0]" :: "r" (gpa) : "memory"); 57 #else 58 vcpu_arch_put_guest(*((volatile uint64_t *)gpa), gpa); 59 #endif 60 } while (!READ_ONCE(mprotect_ro_done) || !READ_ONCE(all_vcpus_hit_ro_fault)); 61 62 /* 63 * Only architectures that write the entire range can explicitly sync, 64 * as other architectures will be stuck on the write fault. 65 */ 66 #if defined(__x86_64__) || defined(__aarch64__) 67 GUEST_SYNC(3); 68 #endif 69 70 for (gpa = start_gpa; gpa < end_gpa; gpa += stride) 71 vcpu_arch_put_guest(*((volatile uint64_t *)gpa), gpa); 72 GUEST_SYNC(4); 73 74 GUEST_ASSERT(0); 75 } 76 77 struct vcpu_info { 78 struct kvm_vcpu *vcpu; 79 uint64_t start_gpa; 80 uint64_t end_gpa; 81 }; 82 83 static int nr_vcpus; 84 static atomic_t rendezvous; 85 static atomic_t nr_ro_faults; 86 87 static void rendezvous_with_boss(void) 88 { 89 int orig = atomic_read(&rendezvous); 90 91 if (orig > 0) { 92 atomic_dec_and_test(&rendezvous); 93 while (atomic_read(&rendezvous) > 0) 94 cpu_relax(); 95 } else { 96 atomic_inc(&rendezvous); 97 while (atomic_read(&rendezvous) < 0) 98 cpu_relax(); 99 } 100 } 101 102 static void assert_sync_stage(struct kvm_vcpu *vcpu, int stage) 103 { 104 struct ucall uc; 105 106 TEST_ASSERT_EQ(get_ucall(vcpu, &uc), UCALL_SYNC); 107 TEST_ASSERT_EQ(uc.args[1], stage); 108 } 109 110 static void run_vcpu(struct kvm_vcpu *vcpu, int stage) 111 { 112 vcpu_run(vcpu); 113 assert_sync_stage(vcpu, stage); 114 } 115 116 static void *vcpu_worker(void *data) 117 { 118 struct kvm_sregs __maybe_unused sregs; 119 struct vcpu_info *info = data; 120 struct kvm_vcpu *vcpu = info->vcpu; 121 struct kvm_vm *vm = vcpu->vm; 122 int r; 123 124 vcpu_args_set(vcpu, 3, info->start_gpa, info->end_gpa, vm->page_size); 125 126 rendezvous_with_boss(); 127 128 /* Stage 0, write all of guest memory. */ 129 run_vcpu(vcpu, 0); 130 rendezvous_with_boss(); 131 #ifdef __x86_64__ 132 vcpu_sregs_get(vcpu, &sregs); 133 /* Toggle CR0.WP to trigger a MMU context reset. */ 134 sregs.cr0 ^= X86_CR0_WP; 135 vcpu_sregs_set(vcpu, &sregs); 136 #endif 137 rendezvous_with_boss(); 138 139 /* Stage 1, re-write all of guest memory. */ 140 run_vcpu(vcpu, 1); 141 rendezvous_with_boss(); 142 143 /* Stage 2, read all of guest memory, which is now read-only. */ 144 run_vcpu(vcpu, 2); 145 146 /* 147 * Stage 3, write guest memory and verify KVM returns -EFAULT for once 148 * the mprotect(PROT_READ) lands. Only architectures that support 149 * validating *all* of guest memory sync for this stage, as vCPUs will 150 * be stuck on the faulting instruction for other architectures. Go to 151 * stage 3 without a rendezvous 152 */ 153 r = _vcpu_run(vcpu); 154 TEST_ASSERT(r == -1 && errno == EFAULT, 155 "Expected EFAULT on write to RO memory, got r = %d, errno = %d", r, errno); 156 157 atomic_inc(&nr_ro_faults); 158 if (atomic_read(&nr_ro_faults) == nr_vcpus) { 159 WRITE_ONCE(all_vcpus_hit_ro_fault, true); 160 sync_global_to_guest(vm, all_vcpus_hit_ro_fault); 161 } 162 163 #if defined(__x86_64__) || defined(__aarch64__) 164 /* 165 * Verify *all* writes from the guest hit EFAULT due to the VMA now 166 * being read-only. x86 and arm64 only at this time as skipping the 167 * instruction that hits the EFAULT requires advancing the program 168 * counter, which is arch specific and relies on inline assembly. 169 */ 170 #ifdef __x86_64__ 171 vcpu->run->kvm_valid_regs = KVM_SYNC_X86_REGS; 172 #endif 173 for (;;) { 174 r = _vcpu_run(vcpu); 175 if (!r) 176 break; 177 TEST_ASSERT_EQ(errno, EFAULT); 178 #if defined(__x86_64__) 179 WRITE_ONCE(vcpu->run->kvm_dirty_regs, KVM_SYNC_X86_REGS); 180 vcpu->run->s.regs.regs.rip += 3; 181 #elif defined(__aarch64__) 182 vcpu_set_reg(vcpu, ARM64_CORE_REG(regs.pc), 183 vcpu_get_reg(vcpu, ARM64_CORE_REG(regs.pc)) + 4); 184 #endif 185 186 } 187 assert_sync_stage(vcpu, 3); 188 #endif /* __x86_64__ || __aarch64__ */ 189 rendezvous_with_boss(); 190 191 /* 192 * Stage 4. Run to completion, waiting for mprotect(PROT_WRITE) to 193 * make the memory writable again. 194 */ 195 do { 196 r = _vcpu_run(vcpu); 197 } while (r && errno == EFAULT); 198 TEST_ASSERT_EQ(r, 0); 199 assert_sync_stage(vcpu, 4); 200 rendezvous_with_boss(); 201 202 return NULL; 203 } 204 205 static pthread_t *spawn_workers(struct kvm_vm *vm, struct kvm_vcpu **vcpus, 206 uint64_t start_gpa, uint64_t end_gpa) 207 { 208 struct vcpu_info *info; 209 uint64_t gpa, nr_bytes; 210 pthread_t *threads; 211 int i; 212 213 threads = malloc(nr_vcpus * sizeof(*threads)); 214 TEST_ASSERT(threads, "Failed to allocate vCPU threads"); 215 216 info = malloc(nr_vcpus * sizeof(*info)); 217 TEST_ASSERT(info, "Failed to allocate vCPU gpa ranges"); 218 219 nr_bytes = ((end_gpa - start_gpa) / nr_vcpus) & 220 ~((uint64_t)vm->page_size - 1); 221 TEST_ASSERT(nr_bytes, "C'mon, no way you have %d CPUs", nr_vcpus); 222 223 for (i = 0, gpa = start_gpa; i < nr_vcpus; i++, gpa += nr_bytes) { 224 info[i].vcpu = vcpus[i]; 225 info[i].start_gpa = gpa; 226 info[i].end_gpa = gpa + nr_bytes; 227 pthread_create(&threads[i], NULL, vcpu_worker, &info[i]); 228 } 229 return threads; 230 } 231 232 static void rendezvous_with_vcpus(struct timespec *time, const char *name) 233 { 234 int i, rendezvoused; 235 236 pr_info("Waiting for vCPUs to finish %s...\n", name); 237 238 rendezvoused = atomic_read(&rendezvous); 239 for (i = 0; abs(rendezvoused) != 1; i++) { 240 usleep(100); 241 if (!(i & 0x3f)) 242 pr_info("\r%d vCPUs haven't rendezvoused...", 243 abs(rendezvoused) - 1); 244 rendezvoused = atomic_read(&rendezvous); 245 } 246 247 clock_gettime(CLOCK_MONOTONIC, time); 248 249 /* Release the vCPUs after getting the time of the previous action. */ 250 pr_info("\rAll vCPUs finished %s, releasing...\n", name); 251 if (rendezvoused > 0) 252 atomic_set(&rendezvous, -nr_vcpus - 1); 253 else 254 atomic_set(&rendezvous, nr_vcpus + 1); 255 } 256 257 static void calc_default_nr_vcpus(void) 258 { 259 cpu_set_t possible_mask; 260 int r; 261 262 r = sched_getaffinity(0, sizeof(possible_mask), &possible_mask); 263 TEST_ASSERT(!r, "sched_getaffinity failed, errno = %d (%s)", 264 errno, strerror(errno)); 265 266 nr_vcpus = CPU_COUNT(&possible_mask) * 3/4; 267 TEST_ASSERT(nr_vcpus > 0, "Uh, no CPUs?"); 268 } 269 270 int main(int argc, char *argv[]) 271 { 272 /* 273 * Skip the first 4gb and slot0. slot0 maps <1gb and is used to back 274 * the guest's code, stack, and page tables. Because selftests creates 275 * an IRQCHIP, a.k.a. a local APIC, KVM creates an internal memslot 276 * just below the 4gb boundary. This test could create memory at 277 * 1gb-3gb,but it's simpler to skip straight to 4gb. 278 */ 279 const uint64_t start_gpa = SZ_4G; 280 const int first_slot = 1; 281 282 struct timespec time_start, time_run1, time_reset, time_run2, time_ro, time_rw; 283 uint64_t max_gpa, gpa, slot_size, max_mem, i; 284 int max_slots, slot, opt, fd; 285 bool hugepages = false; 286 struct kvm_vcpu **vcpus; 287 pthread_t *threads; 288 struct kvm_vm *vm; 289 void *mem; 290 291 /* 292 * Default to 2gb so that maxing out systems with MAXPHADDR=46, which 293 * are quite common for x86, requires changing only max_mem (KVM allows 294 * 32k memslots, 32k * 2gb == ~64tb of guest memory). 295 */ 296 slot_size = SZ_2G; 297 298 max_slots = kvm_check_cap(KVM_CAP_NR_MEMSLOTS); 299 TEST_ASSERT(max_slots > first_slot, "KVM is broken"); 300 301 /* All KVM MMUs should be able to survive a 128gb guest. */ 302 max_mem = 128ull * SZ_1G; 303 304 calc_default_nr_vcpus(); 305 306 while ((opt = getopt(argc, argv, "c:h:m:s:H")) != -1) { 307 switch (opt) { 308 case 'c': 309 nr_vcpus = atoi_positive("Number of vCPUs", optarg); 310 break; 311 case 'm': 312 max_mem = 1ull * atoi_positive("Memory size", optarg) * SZ_1G; 313 break; 314 case 's': 315 slot_size = 1ull * atoi_positive("Slot size", optarg) * SZ_1G; 316 break; 317 case 'H': 318 hugepages = true; 319 break; 320 case 'h': 321 default: 322 printf("usage: %s [-c nr_vcpus] [-m max_mem_in_gb] [-s slot_size_in_gb] [-H]\n", argv[0]); 323 exit(1); 324 } 325 } 326 327 vcpus = malloc(nr_vcpus * sizeof(*vcpus)); 328 TEST_ASSERT(vcpus, "Failed to allocate vCPU array"); 329 330 vm = __vm_create_with_vcpus(VM_SHAPE_DEFAULT, nr_vcpus, 331 #ifdef __x86_64__ 332 max_mem / SZ_1G, 333 #else 334 max_mem / vm_guest_mode_params[VM_MODE_DEFAULT].page_size, 335 #endif 336 guest_code, vcpus); 337 338 max_gpa = vm->max_gfn << vm->page_shift; 339 TEST_ASSERT(max_gpa > (4 * slot_size), "MAXPHYADDR <4gb "); 340 341 fd = kvm_memfd_alloc(slot_size, hugepages); 342 mem = mmap(NULL, slot_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); 343 TEST_ASSERT(mem != MAP_FAILED, "mmap() failed"); 344 345 TEST_ASSERT(!madvise(mem, slot_size, MADV_NOHUGEPAGE), "madvise() failed"); 346 347 /* Pre-fault the memory to avoid taking mmap_sem on guest page faults. */ 348 for (i = 0; i < slot_size; i += vm->page_size) 349 ((uint8_t *)mem)[i] = 0xaa; 350 351 gpa = 0; 352 for (slot = first_slot; slot < max_slots; slot++) { 353 gpa = start_gpa + ((slot - first_slot) * slot_size); 354 if (gpa + slot_size > max_gpa) 355 break; 356 357 if ((gpa - start_gpa) >= max_mem) 358 break; 359 360 vm_set_user_memory_region(vm, slot, 0, gpa, slot_size, mem); 361 362 #ifdef __x86_64__ 363 /* Identity map memory in the guest using 1gb pages. */ 364 for (i = 0; i < slot_size; i += SZ_1G) 365 __virt_pg_map(vm, gpa + i, gpa + i, PG_LEVEL_1G); 366 #else 367 for (i = 0; i < slot_size; i += vm->page_size) 368 virt_pg_map(vm, gpa + i, gpa + i); 369 #endif 370 } 371 372 atomic_set(&rendezvous, nr_vcpus + 1); 373 threads = spawn_workers(vm, vcpus, start_gpa, gpa); 374 375 free(vcpus); 376 vcpus = NULL; 377 378 pr_info("Running with %lugb of guest memory and %u vCPUs\n", 379 (gpa - start_gpa) / SZ_1G, nr_vcpus); 380 381 rendezvous_with_vcpus(&time_start, "spawning"); 382 rendezvous_with_vcpus(&time_run1, "run 1"); 383 rendezvous_with_vcpus(&time_reset, "reset"); 384 rendezvous_with_vcpus(&time_run2, "run 2"); 385 386 mprotect(mem, slot_size, PROT_READ); 387 mprotect_ro_done = true; 388 sync_global_to_guest(vm, mprotect_ro_done); 389 390 rendezvous_with_vcpus(&time_ro, "mprotect RO"); 391 mprotect(mem, slot_size, PROT_READ | PROT_WRITE); 392 rendezvous_with_vcpus(&time_rw, "mprotect RW"); 393 394 time_rw = timespec_sub(time_rw, time_ro); 395 time_ro = timespec_sub(time_ro, time_run2); 396 time_run2 = timespec_sub(time_run2, time_reset); 397 time_reset = timespec_sub(time_reset, time_run1); 398 time_run1 = timespec_sub(time_run1, time_start); 399 400 pr_info("run1 = %ld.%.9lds, reset = %ld.%.9lds, run2 = %ld.%.9lds, " 401 "ro = %ld.%.9lds, rw = %ld.%.9lds\n", 402 time_run1.tv_sec, time_run1.tv_nsec, 403 time_reset.tv_sec, time_reset.tv_nsec, 404 time_run2.tv_sec, time_run2.tv_nsec, 405 time_ro.tv_sec, time_ro.tv_nsec, 406 time_rw.tv_sec, time_rw.tv_nsec); 407 408 /* 409 * Delete even numbered slots (arbitrary) and unmap the first half of 410 * the backing (also arbitrary) to verify KVM correctly drops all 411 * references to the removed regions. 412 */ 413 for (slot = (slot - 1) & ~1ull; slot >= first_slot; slot -= 2) 414 vm_set_user_memory_region(vm, slot, 0, 0, 0, NULL); 415 416 munmap(mem, slot_size / 2); 417 418 /* Sanity check that the vCPUs actually ran. */ 419 for (i = 0; i < nr_vcpus; i++) 420 pthread_join(threads[i], NULL); 421 422 /* 423 * Deliberately exit without deleting the remaining memslots or closing 424 * kvm_fd to test cleanup via mmu_notifier.release. 425 */ 426 } 427