// SPDX-License-Identifier: GPL-2.0

/*
 * Copyright 2020, Sandipan Das, IBM Corp.
 *
 * Test if the signal information reports the correct memory protection
 * key upon getting a key access violation fault for a page that was
 * attempted to be protected by two different keys from two competing
 * threads at the same time.
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>

#include <unistd.h>
#include <pthread.h>
#include <sys/mman.h>

#include "pkeys.h"

#define PPC_INST_NOP	0x60000000
#define PPC_INST_BLR	0x4e800020
#define PROT_RWX	(PROT_READ | PROT_WRITE | PROT_EXEC)

#define NUM_ITERATIONS	1000000

static volatile sig_atomic_t perm_pkey, rest_pkey;
static volatile sig_atomic_t rights, fault_count;
static volatile unsigned int *volatile fault_addr;
static pthread_barrier_t iteration_barrier;

static void segv_handler(int signum, siginfo_t *sinfo, void *ctx)
{
	void *pgstart;
	size_t pgsize;
	int pkey;

	pkey = siginfo_pkey(sinfo);

	/* Check if this fault originated from a pkey access violation */
	if (sinfo->si_code != SEGV_PKUERR) {
		sigsafe_err("got a fault for an unexpected reason\n");
		_exit(1);
	}

	/* Check if this fault originated from the expected address */
	if (sinfo->si_addr != (void *) fault_addr) {
		sigsafe_err("got a fault for an unexpected address\n");
		_exit(1);
	}

	/* Check if this fault originated from the restrictive pkey */
	if (pkey != rest_pkey) {
		sigsafe_err("got a fault for an unexpected pkey\n");
		_exit(1);
	}

	/* Check if too many faults have occurred for the same iteration */
	if (fault_count > 0) {
		sigsafe_err("got too many faults for the same address\n");
		_exit(1);
	}

	pgsize = getpagesize();
	pgstart = (void *) ((unsigned long) fault_addr & ~(pgsize - 1));

	/*
	 * If the current fault occurred due to lack of execute rights,
	 * reassociate the page with the exec-only pkey since execute
	 * rights cannot be changed directly for the faulting pkey as
	 * IAMR is inaccessible from userspace.
	 *
	 * Otherwise, if the current fault occurred due to lack of
	 * read-write rights, change the AMR permission bits for the
	 * pkey.
	 *
	 * This will let the test continue.
	 */
	if (rights == PKEY_DISABLE_EXECUTE &&
	    mprotect(pgstart, pgsize, PROT_EXEC))
		_exit(1);
	else
		pkey_set_rights(pkey, 0);

	fault_count++;
}

struct region {
	unsigned long rights;
	unsigned int *base;
	size_t size;
};

static void *protect(void *p)
{
	unsigned long rights;
	unsigned int *base;
	size_t size;
	int tid, i;

	tid = gettid();
	base = ((struct region *) p)->base;
	size = ((struct region *) p)->size;
	FAIL_IF_EXIT(!base);

	/* No read, write and execute restrictions */
	rights = 0;

	printf("tid %d, pkey permissions are %s\n", tid, pkey_rights(rights));

	/* Allocate the permissive pkey */
	perm_pkey = sys_pkey_alloc(0, rights);
	FAIL_IF_EXIT(perm_pkey < 0);

	/*
	 * Repeatedly try to protect the common region with a permissive
	 * pkey
	 */
	for (i = 0; i < NUM_ITERATIONS; i++) {
		/*
		 * Wait until the other thread has finished allocating the
		 * restrictive pkey or until the next iteration has begun
		 */
		pthread_barrier_wait(&iteration_barrier);

		/* Try to associate the permissive pkey with the region */
		FAIL_IF_EXIT(sys_pkey_mprotect(base, size, PROT_RWX,
					       perm_pkey));
	}

	/* Free the permissive pkey */
	sys_pkey_free(perm_pkey);

	return NULL;
}

static void *protect_access(void *p)
{
	size_t size, numinsns;
	unsigned int *base;
	int tid, i;

	tid = gettid();
	base = ((struct region *) p)->base;
	size = ((struct region *) p)->size;
	rights = ((struct region *) p)->rights;
	numinsns = size / sizeof(base[0]);
	FAIL_IF_EXIT(!base);

	/* Allocate the restrictive pkey */
	rest_pkey = sys_pkey_alloc(0, rights);
	FAIL_IF_EXIT(rest_pkey < 0);

	printf("tid %d, pkey permissions are %s\n", tid, pkey_rights(rights));
	printf("tid %d, %s randomly in range [%p, %p]\n", tid,
	       (rights == PKEY_DISABLE_EXECUTE) ? "execute" :
	       (rights == PKEY_DISABLE_WRITE)  ? "write" : "read",
	       base, base + numinsns);

	/*
	 * Repeatedly try to protect the common region with a restrictive
	 * pkey and read, write or execute from it
	 */
	for (i = 0; i < NUM_ITERATIONS; i++) {
		/*
		 * Wait until the other thread has finished allocating the
		 * permissive pkey or until the next iteration has begun
		 */
		pthread_barrier_wait(&iteration_barrier);

		/* Try to associate the restrictive pkey with the region */
		FAIL_IF_EXIT(sys_pkey_mprotect(base, size, PROT_RWX,
					       rest_pkey));

		/* Choose a random instruction word address from the region */
		fault_addr = base + (rand() % numinsns);
		fault_count = 0;

		switch (rights) {
		/* Read protection test */
		case PKEY_DISABLE_ACCESS:
			/*
			 * Read an instruction word from the region and
			 * verify if it has not been overwritten to
			 * something unexpected
			 */
			FAIL_IF_EXIT(*fault_addr != PPC_INST_NOP &&
				     *fault_addr != PPC_INST_BLR);
			break;

		/* Write protection test */
		case PKEY_DISABLE_WRITE:
			/*
			 * Write an instruction word to the region and
			 * verify if the overwrite has succeeded
			 */
			*fault_addr = PPC_INST_BLR;
			FAIL_IF_EXIT(*fault_addr != PPC_INST_BLR);
			break;

		/* Execute protection test */
		case PKEY_DISABLE_EXECUTE:
			/* Jump to the region and execute instructions */
			asm volatile(
				"mtctr	%0; bctrl"
				: : "r"(fault_addr) : "ctr", "lr");
			break;
		}

		/*
		 * Restore the restrictions originally imposed by the
		 * restrictive pkey as the signal handler would have
		 * cleared out the corresponding AMR bits
		 */
		pkey_set_rights(rest_pkey, rights);
	}

	/* Free restrictive pkey */
	sys_pkey_free(rest_pkey);

	return NULL;
}

static void reset_pkeys(unsigned long rights)
{
	int pkeys[NR_PKEYS], i;

	/* Exhaustively allocate all available pkeys */
	for (i = 0; i < NR_PKEYS; i++)
		pkeys[i] = sys_pkey_alloc(0, rights);

	/* Free all allocated pkeys */
	for (i = 0; i < NR_PKEYS; i++)
		sys_pkey_free(pkeys[i]);
}

static int test(void)
{
	pthread_t prot_thread, pacc_thread;
	struct sigaction act;
	pthread_attr_t attr;
	size_t numinsns;
	struct region r;
	int ret, i;

	srand(time(NULL));
	ret = pkeys_unsupported();
	if (ret)
		return ret;

	/* Allocate the region */
	r.size = getpagesize();
	r.base = mmap(NULL, r.size, PROT_RWX,
		      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	FAIL_IF(r.base == MAP_FAILED);

	/*
	 * Fill the region with no-ops with a branch at the end
	 * for returning to the caller
	 */
	numinsns = r.size / sizeof(r.base[0]);
	for (i = 0; i < numinsns - 1; i++)
		r.base[i] = PPC_INST_NOP;
	r.base[i] = PPC_INST_BLR;

	/* Setup SIGSEGV handler */
	act.sa_handler = 0;
	act.sa_sigaction = segv_handler;
	FAIL_IF(sigprocmask(SIG_SETMASK, 0, &act.sa_mask) != 0);
	act.sa_flags = SA_SIGINFO;
	act.sa_restorer = 0;
	FAIL_IF(sigaction(SIGSEGV, &act, NULL) != 0);

	/*
	 * For these tests, the parent process should clear all bits of
	 * AMR and IAMR, i.e. impose no restrictions, for all available
	 * pkeys. This will be the base for the initial AMR and IAMR
	 * values for all the test thread pairs.
	 *
	 * If the AMR and IAMR bits of all available pkeys are cleared
	 * before running the tests and a fault is generated when
	 * attempting to read, write or execute instructions from a
	 * pkey protected region, the pkey responsible for this must be
	 * the one from the protect-and-access thread since the other
	 * one is fully permissive. Despite that, if the pkey reported
	 * by siginfo is not the restrictive pkey, then there must be a
	 * kernel bug.
	 */
	reset_pkeys(0);

	/* Setup barrier for protect and protect-and-access threads */
	FAIL_IF(pthread_attr_init(&attr) != 0);
	FAIL_IF(pthread_barrier_init(&iteration_barrier, NULL, 2) != 0);

	/* Setup and start protect and protect-and-read threads */
	puts("starting thread pair (protect, protect-and-read)");
	r.rights = PKEY_DISABLE_ACCESS;
	FAIL_IF(pthread_create(&prot_thread, &attr, &protect, &r) != 0);
	FAIL_IF(pthread_create(&pacc_thread, &attr, &protect_access, &r) != 0);
	FAIL_IF(pthread_join(prot_thread, NULL) != 0);
	FAIL_IF(pthread_join(pacc_thread, NULL) != 0);

	/* Setup and start protect and protect-and-write threads */
	puts("starting thread pair (protect, protect-and-write)");
	r.rights = PKEY_DISABLE_WRITE;
	FAIL_IF(pthread_create(&prot_thread, &attr, &protect, &r) != 0);
	FAIL_IF(pthread_create(&pacc_thread, &attr, &protect_access, &r) != 0);
	FAIL_IF(pthread_join(prot_thread, NULL) != 0);
	FAIL_IF(pthread_join(pacc_thread, NULL) != 0);

	/* Setup and start protect and protect-and-execute threads */
	puts("starting thread pair (protect, protect-and-execute)");
	r.rights = PKEY_DISABLE_EXECUTE;
	FAIL_IF(pthread_create(&prot_thread, &attr, &protect, &r) != 0);
	FAIL_IF(pthread_create(&pacc_thread, &attr, &protect_access, &r) != 0);
	FAIL_IF(pthread_join(prot_thread, NULL) != 0);
	FAIL_IF(pthread_join(pacc_thread, NULL) != 0);

	/* Cleanup */
	FAIL_IF(pthread_attr_destroy(&attr) != 0);
	FAIL_IF(pthread_barrier_destroy(&iteration_barrier) != 0);
	munmap(r.base, r.size);

	return 0;
}

int main(void)
{
	return test_harness(test, "pkey_siginfo");
}