[PATCH v4 6/7] KVM: selftests: Add the guest_memfd memory failure test

[Lisa Wang]

After modifying truncate_error_folio(), we expect memory_failure() will
return 0 instead of MF_FAILED. Also, we want to make sure
memory_failure() signaling function is same.

Test that memory_failure() returns 0 for guest_memfd, where
.error_remove_folio() is handled by not actually truncating, and
returning MF_DELAYED.

In addition, test that SIGBUS signaling behavior is not changed before
and after this modification.

There are two kinds of guest memory failure injections - madvise or
debugfs. When memory failure is injected using madvise, the
MF_ACTION_REQUIRED flag is set, and the page is mapped and dirty, the
process should get a SIGBUS. When memory is failure is injected using
debugfs, the KILL_EARLY machine check memory corruption kill policy is
set, and the page is mapped and dirty, the process should get a SIGBUS.

Co-developed-by: Ackerley Tng <ackerleytng@xxxxxxxxxx>
Signed-off-by: Ackerley Tng <ackerleytng@xxxxxxxxxx>
Signed-off-by: Lisa Wang <wyihan@xxxxxxxxxx>
---
 tools/testing/selftests/kvm/Makefile.kvm           |   2 +
 .../kvm/guest_memfd_memory_failure_test.c          | 336 +++++++++++++++++++++
 2 files changed, 338 insertions(+)

diff --git a/tools/testing/selftests/kvm/Makefile.kvm b/tools/testing/selftests/kvm/Makefile.kvm
index fdec90e85467..9409ded6cbce 100644
--- a/tools/testing/selftests/kvm/Makefile.kvm
+++ b/tools/testing/selftests/kvm/Makefile.kvm
@@ -146,6 +146,7 @@ TEST_GEN_PROGS_x86 += access_tracking_perf_test
 TEST_GEN_PROGS_x86 += coalesced_io_test
 TEST_GEN_PROGS_x86 += dirty_log_perf_test
 TEST_GEN_PROGS_x86 += guest_memfd_test
+TEST_GEN_PROGS_x86 += guest_memfd_memory_failure_test
 TEST_GEN_PROGS_x86 += hardware_disable_test
 TEST_GEN_PROGS_x86 += memslot_modification_stress_test
 TEST_GEN_PROGS_x86 += memslot_perf_test
@@ -186,6 +187,7 @@ TEST_GEN_PROGS_arm64 += coalesced_io_test
 TEST_GEN_PROGS_arm64 += dirty_log_perf_test
 TEST_GEN_PROGS_arm64 += get-reg-list
 TEST_GEN_PROGS_arm64 += guest_memfd_test
+TEST_GEN_PROGS_arm64 += guest_memfd_memory_failure_test
 TEST_GEN_PROGS_arm64 += memslot_modification_stress_test
 TEST_GEN_PROGS_arm64 += memslot_perf_test
 TEST_GEN_PROGS_arm64 += mmu_stress_test
diff --git a/tools/testing/selftests/kvm/guest_memfd_memory_failure_test.c b/tools/testing/selftests/kvm/guest_memfd_memory_failure_test.c
new file mode 100644
index 000000000000..6c8032d390ae
--- /dev/null
+++ b/tools/testing/selftests/kvm/guest_memfd_memory_failure_test.c
@@ -0,0 +1,336 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright Intel Corporation, 2026
+ *
+ * Author: Ackerley Tng <ackerleytng@xxxxxxxxxx>
+ * Author: Lisa Wang <wyihan@xxxxxxxxxx>
+ */
+
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <linux/prctl.h>
+#include <sys/prctl.h>
+
+#include <linux/bitmap.h>
+#include <linux/falloc.h>
+#include <linux/sizes.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include "kvm_util.h"
+#include "test_util.h"
+#include "kselftest_harness.h"
+
+static size_t page_size, total_size;
+
+enum memory_failure_injection_method {
+	MF_INJECT_DEBUGFS,
+	MF_INJECT_MADVISE,
+};
+
+FIXTURE(guest_memfd_failure) {
+	struct kvm_vm *vm;
+	int fd;
+	unsigned long poisoned_pfn;
+};
+
+FIXTURE_VARIANT(guest_memfd_failure) {
+	enum memory_failure_injection_method method;
+	int kill_config;
+	bool map_page;
+	bool dirty_page;
+	bool sigbus_expected;
+	int return_code;
+};
+
+FIXTURE_VARIANT_ADD(guest_memfd_failure, debugfs_early_dirty) {
+	.method = MF_INJECT_DEBUGFS,
+	.kill_config = PR_MCE_KILL_EARLY,
+	.map_page = true,
+	.dirty_page = true,
+	.sigbus_expected = true,
+	.return_code = 0,
+};
+
+FIXTURE_VARIANT_ADD(guest_memfd_failure, debugfs_early_clean) {
+	.method = MF_INJECT_DEBUGFS,
+	.kill_config = PR_MCE_KILL_EARLY,
+	.map_page = true,
+	.dirty_page = false,
+	.sigbus_expected = false,
+	.return_code = 0,
+};
+
+FIXTURE_VARIANT_ADD(guest_memfd_failure, debugfs_early_unmapped) {
+	.method = MF_INJECT_DEBUGFS,
+	.kill_config = PR_MCE_KILL_EARLY,
+	.map_page = false,
+	.dirty_page = true,
+	.sigbus_expected = false,
+	.return_code = 0,
+};
+
+FIXTURE_VARIANT_ADD(guest_memfd_failure, debugfs_late_dirty) {
+	.method = MF_INJECT_DEBUGFS,
+	.kill_config = PR_MCE_KILL_LATE,
+	.map_page = true,
+	.dirty_page = true,
+	.sigbus_expected = false,
+	.return_code = 0,
+};
+
+FIXTURE_VARIANT_ADD(guest_memfd_failure, debugfs_late_clean) {
+	.method = MF_INJECT_DEBUGFS,
+	.kill_config = PR_MCE_KILL_LATE,
+	.map_page = true,
+	.dirty_page = false,
+	.sigbus_expected = false,
+	.return_code = 0,
+};
+
+FIXTURE_VARIANT_ADD(guest_memfd_failure, debugfs_late_unmapped) {
+	.method = MF_INJECT_DEBUGFS,
+	.kill_config = PR_MCE_KILL_LATE,
+	.map_page = false,
+	.dirty_page = true,
+	.sigbus_expected = false,
+	.return_code = 0,
+};
+
+FIXTURE_VARIANT_ADD(guest_memfd_failure, madvise_dirty) {
+	.method = MF_INJECT_MADVISE,
+	.kill_config = PR_MCE_KILL_DEFAULT,
+	.map_page = true,
+	.dirty_page = true,
+	.sigbus_expected = true,
+	.return_code = 0,
+};
+
+FIXTURE_VARIANT_ADD(guest_memfd_failure, madvise_clean) {
+	.method = MF_INJECT_MADVISE,
+	.kill_config = PR_MCE_KILL_DEFAULT,
+	.map_page = true,
+	.dirty_page = false,
+	.sigbus_expected = false,
+	.return_code = 0,
+};
+
+FIXTURE_SETUP(guest_memfd_failure)
+{
+	self->vm = NULL;
+	self->fd = -1;
+	self->poisoned_pfn = 0;
+}
+
+static void write_memory_failure(unsigned long pfn, bool mark, int expected_return_code)
+{
+	char path[PATH_MAX];
+	char *filename;
+	char buf[20];
+	int ret;
+	int len;
+	int fd;
+
+	filename = mark ? "corrupt-pfn" : "unpoison-pfn";
+	snprintf(path, PATH_MAX, "/sys/kernel/debug/hwpoison/%s", filename);
+
+	fd = open(path, O_WRONLY);
+	TEST_ASSERT(fd >= 0, "Failed to open %s.", path);
+
+	len = snprintf(buf, sizeof(buf), "0x%lx\n", pfn);
+	if (len < 0 || (unsigned int)len >= sizeof(buf))
+		TEST_ASSERT(0, "snprintf failed or truncated.");
+
+	ret = write(fd, buf, len);
+	if (expected_return_code == 0) {
+		/*
+		 * If the memory_failure() returns 0, write() should be successful,
+		 * which returns how many bytes it writes.
+		 */
+		TEST_ASSERT(ret > 0, "Writing memory failure (path: %s) failed: %s", path,
+			    strerror(errno));
+	} else {
+		TEST_ASSERT_EQ(ret, -1);
+		/* errno is memory_failure() return code. */
+		TEST_ASSERT_EQ(errno, expected_return_code);
+	}
+
+	close(fd);
+}
+
+static void mark_memory_failure(unsigned long pfn, int expected_return_code)
+{
+	write_memory_failure(pfn, true, expected_return_code);
+}
+
+static void unmark_memory_failure(unsigned long pfn, int expected_return_code)
+{
+	write_memory_failure(pfn, false, expected_return_code);
+}
+
+FIXTURE_TEARDOWN(guest_memfd_failure)
+{
+	if (self->fd >= 0)
+		close(self->fd);
+	if (self->vm)
+		kvm_vm_free(self->vm);
+	if (self->poisoned_pfn)
+		unmark_memory_failure(self->poisoned_pfn, 0);
+}
+
+static unsigned long addr_to_pfn(void *addr)
+{
+	const uint64_t pagemap_pfn_mask = BIT(54) - 1;
+	const uint64_t pagemap_page_present = BIT(63);
+	uint64_t page_info;
+	ssize_t n_bytes;
+	int pagemap_fd;
+
+	pagemap_fd = open("/proc/self/pagemap", O_RDONLY);
+	TEST_ASSERT(pagemap_fd >= 0, "Opening pagemap should succeed.");
+
+	n_bytes = pread(pagemap_fd, &page_info, 8, (uint64_t)addr / page_size * 8);
+	TEST_ASSERT(n_bytes == 8, "pread of pagemap failed. n_bytes=%ld", n_bytes);
+
+	close(pagemap_fd);
+
+	TEST_ASSERT(page_info & pagemap_page_present, "The page for addr should be present");
+	return page_info & pagemap_pfn_mask;
+}
+
+static void do_test_memory_failure(FIXTURE_DATA(guest_memfd_failure) * self,
+				   const FIXTURE_VARIANT(guest_memfd_failure) * variant)
+{
+	unsigned long memory_failure_pfn;
+	char *memory_failure_addr;
+	char *mem;
+	int ret;
+
+	mem = mmap(NULL, total_size, PROT_READ | PROT_WRITE, MAP_SHARED, self->fd, 0);
+	TEST_ASSERT(mem != MAP_FAILED, "mmap() for guest_memfd should succeed.");
+	memory_failure_addr = mem + page_size;
+	if (variant->dirty_page)
+		*memory_failure_addr = 'A';
+	else
+		READ_ONCE(*memory_failure_addr);
+
+	/* Fault in page to read pfn, then unmap page for testing if needed. */
+	memory_failure_pfn = addr_to_pfn(memory_failure_addr);
+	if (!variant->map_page)
+		madvise(memory_failure_addr, page_size, MADV_DONTNEED);
+
+	ret = prctl(PR_MCE_KILL, PR_MCE_KILL_SET, variant->kill_config, 0, 0);
+	TEST_ASSERT_EQ(ret, 0);
+
+	self->poisoned_pfn = memory_failure_pfn;
+
+	ret = 0;
+	switch (variant->method) {
+	case MF_INJECT_DEBUGFS: {
+		/* DEBUGFS injection handles return_code test inside the mark_memory_failure(). */
+		if (variant->sigbus_expected)
+			TEST_EXPECT_SIGBUS(mark_memory_failure(memory_failure_pfn,
+							       variant->return_code));
+		else
+			mark_memory_failure(memory_failure_pfn, variant->return_code);
+		break;
+	}
+	case MF_INJECT_MADVISE: {
+		/*
+		 * MADV_HWPOISON uses get_user_pages() so the page will always
+		 * be faulted in at the point of memory_failure()
+		 */
+		if (variant->sigbus_expected)
+			TEST_EXPECT_SIGBUS(ret = madvise(memory_failure_addr,
+							 page_size, MADV_HWPOISON));
+		else
+			ret = madvise(memory_failure_addr, page_size, MADV_HWPOISON);
+
+		if (variant->return_code == 0)
+			TEST_ASSERT(ret == variant->return_code, "Memory failure failed. Errno: %s",
+							strerror(errno));
+		else {
+			/* errno is memory_failure() return code. */
+			TEST_ASSERT_EQ(errno, variant->return_code);
+		}
+		break;
+	}
+	default:
+		TEST_FAIL("Unhandled memory failure injection method %d.", variant->method);
+	}
+
+	TEST_EXPECT_SIGBUS(READ_ONCE(*memory_failure_addr));
+	TEST_EXPECT_SIGBUS(*memory_failure_addr = 'A');
+
+	ret = munmap(mem, total_size);
+	TEST_ASSERT(!ret, "munmap() should succeed.");
+
+	ret = fallocate(self->fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, 0, total_size);
+	TEST_ASSERT(!ret, "Truncate the entire file (cleanup) should succeed.");
+
+	ret = prctl(PR_MCE_KILL, PR_MCE_KILL_SET, PR_MCE_KILL_DEFAULT, 0, 0);
+	TEST_ASSERT_EQ(ret, 0);
+
+	unmark_memory_failure(memory_failure_pfn, 0);
+	self->poisoned_pfn = 0;
+}
+
+TEST_F(guest_memfd_failure, test_memory_failure)
+{
+	unsigned long vm_types, vm_type;
+
+	total_size = page_size * 4;
+
+	vm_types = kvm_check_cap(KVM_CAP_VM_TYPES);
+	if (!vm_types)
+		vm_types = BIT(VM_TYPE_DEFAULT);
+
+	for_each_set_bit(vm_type, &vm_types, BITS_PER_TYPE(vm_types)) {
+		uint64_t flags;
+
+		self->vm = vm_create_barebones_type(vm_type);
+		flags = vm_check_cap(self->vm, KVM_CAP_GUEST_MEMFD_FLAGS);
+		if (!(flags & GUEST_MEMFD_FLAG_INIT_SHARED)) {
+			kvm_vm_free(self->vm);
+			self->vm = NULL;
+			continue;
+		}
+
+		self->fd = vm_create_guest_memfd(self->vm, total_size,
+						 GUEST_MEMFD_FLAG_MMAP | GUEST_MEMFD_FLAG_INIT_SHARED);
+		ASSERT_GE(self->fd, 0) TH_LOG("vm_create_guest_memfd failed");
+
+		do_test_memory_failure(self, variant);
+
+		close(self->fd);
+		self->fd = -1;
+		kvm_vm_free(self->vm);
+		self->vm = NULL;
+	}
+}
+
+static bool can_inject_memory_failure(void)
+{
+	int fd;
+
+	fd = open("/sys/kernel/debug/hwpoison/corrupt-pfn", O_WRONLY);
+	if (fd < 0)
+		return false;
+
+	close(fd);
+	return true;
+}
+
+int main(int argc, char **argv)
+{
+	TEST_REQUIRE(kvm_check_cap(KVM_CAP_GUEST_MEMFD_FLAGS) & GUEST_MEMFD_FLAG_INIT_SHARED);
+	__TEST_REQUIRE(can_inject_memory_failure(),
+		       "Insufficient permissions to access hwpoison debugfs (requires CAP_SYS_ADMIN / root))");
+	page_size = getpagesize();
+
+	return test_harness_run(argc, argv);
+}

-- 
2.54.0.1013.g208068f2d8-goog