powerpc/tm/tm-poison.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * Copyright 2019, Gustavo Romero, Michael Neuling, IBM Corp.
0004  *
0005  * This test will spawn two processes. Both will be attached to the same
0006  * CPU (CPU 0). The child will be in a loop writing to FP register f31 and
0007  * VMX/VEC/Altivec register vr31 a known value, called poison, calling
0008  * sched_yield syscall after to allow the parent to switch on the CPU.
0009  * Parent will set f31 and vr31 to 1 and in a loop will check if f31 and
0010  * vr31 remain 1 as expected until a given timeout (2m). If the issue is
0011  * present child's poison will leak into parent's f31 or vr31 registers,
0012  * otherwise, poison will never leak into parent's f31 and vr31 registers.
0013  */
0014
0015 #define _GNU_SOURCE
0016 #include <stdio.h>
0017 #include <stdlib.h>
0018 #include <unistd.h>
0019 #include <inttypes.h>
0020 #include <sched.h>
0021 #include <sys/types.h>
0022 #include <signal.h>
0023
0024 #include "tm.h"
0025
0026 int tm_poison_test(void)
0027 {
0028     int cpu, pid;
0029     cpu_set_t cpuset;
0030     uint64_t poison = 0xdeadbeefc0dec0fe;
0031     uint64_t unknown = 0;
0032     bool fail_fp = false;
0033     bool fail_vr = false;
0034
0035     SKIP_IF(!have_htm());
0036     SKIP_IF(htm_is_synthetic());
0037
0038     cpu = pick_online_cpu();
0039     FAIL_IF(cpu < 0);
0040
0041     // Attach both Child and Parent to the same CPU
0042     CPU_ZERO(&cpuset);
0043     CPU_SET(cpu, &cpuset);
0044     FAIL_IF(sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0);
0045
0046     pid = fork();
0047     if (!pid) {
0048         /**
0049          * child
0050          */
0051         while (1) {
0052             sched_yield();
0053             asm (
0054                 "mtvsrd 31, %[poison];" // f31 = poison
0055                 "mtvsrd 63, %[poison];" // vr31 = poison
0056
0057                 : : [poison] "r" (poison) : );
0058         }
0059     }
0060
0061     /**
0062      * parent
0063      */
0064     asm (
0065         /*
0066          * Set r3, r4, and f31 to known value 1 before entering
0067          * in transaction. They won't be written after that.
0068          */
0069         "       li      3, 0x1          ;"
0070         "       li      4, 0x1          ;"
0071         "       mtvsrd  31, 4           ;"
0072
0073         /*
0074          * The Time Base (TB) is a 64-bit counter register that is
0075          * independent of the CPU clock and which is incremented
0076          * at a frequency of 512000000 Hz, so every 1.953125ns.
0077          * So it's necessary 120s/0.000000001953125s = 61440000000
0078          * increments to get a 2 minutes timeout. Below we set that
0079          * value in r5 and then use r6 to track initial TB value,
0080          * updating TB values in r7 at every iteration and comparing it
0081          * to r6. When r7 (current) - r6 (initial) > 61440000000 we bail
0082          * out since for sure we spent already 2 minutes in the loop.
0083          * SPR 268 is the TB register.
0084          */
0085         "       lis     5, 14           ;"
0086         "       ori     5, 5, 19996     ;"
0087         "       sldi    5, 5, 16        ;" // r5 = 61440000000
0088
0089         "       mfspr   6, 268          ;" // r6 (TB initial)
0090         "1:     mfspr   7, 268          ;" // r7 (TB current)
0091         "       subf    7, 6, 7         ;" // r7 - r6 > 61440000000 ?
0092         "       cmpd    7, 5            ;"
0093         "       bgt     3f              ;" // yes, exit
0094
0095         /*
0096          * Main loop to check f31
0097          */
0098         "       tbegin.                 ;" // no, try again
0099         "       beq     1b              ;" // restart if no timeout
0100         "       mfvsrd  3, 31           ;" // read f31
0101         "       cmpd    3, 4            ;" // f31 == 1 ?
0102         "       bne     2f              ;" // broken :-(
0103         "       tabort. 3               ;" // try another transaction
0104         "2:     tend.                   ;" // commit transaction
0105         "3:     mr    %[unknown], 3     ;" // record r3
0106
0107         : [unknown] "=r" (unknown)
0108         :
0109         : "cr0", "r3", "r4", "r5", "r6", "r7", "vs31"
0110
0111         );
0112
0113     /*
0114      * On leak 'unknown' will contain 'poison' value from child,
0115      * otherwise (no leak) 'unknown' will contain the same value
0116      * as r3 before entering in transactional mode, i.e. 0x1.
0117      */
0118     fail_fp = unknown != 0x1;
0119     if (fail_fp)
0120         printf("Unknown value %#"PRIx64" leaked into f31!\n", unknown);
0121     else
0122         printf("Good, no poison or leaked value into FP registers\n");
0123
0124     asm (
0125         /*
0126          * Set r3, r4, and vr31 to known value 1 before entering
0127          * in transaction. They won't be written after that.
0128          */
0129         "       li      3, 0x1          ;"
0130         "       li      4, 0x1          ;"
0131         "       mtvsrd  63, 4           ;"
0132
0133         "       lis     5, 14           ;"
0134         "       ori     5, 5, 19996     ;"
0135         "       sldi    5, 5, 16        ;" // r5 = 61440000000
0136
0137         "       mfspr   6, 268          ;" // r6 (TB initial)
0138         "1:     mfspr   7, 268          ;" // r7 (TB current)
0139         "       subf    7, 6, 7         ;" // r7 - r6 > 61440000000 ?
0140         "       cmpd    7, 5            ;"
0141         "       bgt     3f              ;" // yes, exit
0142
0143         /*
0144          * Main loop to check vr31
0145          */
0146         "       tbegin.                 ;" // no, try again
0147         "       beq     1b              ;" // restart if no timeout
0148         "       mfvsrd  3, 63           ;" // read vr31
0149         "       cmpd    3, 4            ;" // vr31 == 1 ?
0150         "       bne     2f              ;" // broken :-(
0151         "       tabort. 3               ;" // try another transaction
0152         "2:     tend.                   ;" // commit transaction
0153         "3:     mr    %[unknown], 3     ;" // record r3
0154
0155         : [unknown] "=r" (unknown)
0156         :
0157         : "cr0", "r3", "r4", "r5", "r6", "r7", "vs63"
0158
0159         );
0160
0161     /*
0162      * On leak 'unknown' will contain 'poison' value from child,
0163      * otherwise (no leak) 'unknown' will contain the same value
0164      * as r3 before entering in transactional mode, i.e. 0x1.
0165      */
0166     fail_vr = unknown != 0x1;
0167     if (fail_vr)
0168         printf("Unknown value %#"PRIx64" leaked into vr31!\n", unknown);
0169     else
0170         printf("Good, no poison or leaked value into VEC registers\n");
0171
0172     kill(pid, SIGKILL);
0173
0174     return (fail_fp | fail_vr);
0175 }
0176
0177 int main(int argc, char *argv[])
0178 {
0179     /* Test completes in about 4m */
0180     test_harness_set_timeout(250);
0181     return test_harness(tm_poison_test, "tm_poison_test");
0182 }