xref: /OK3568_Linux_fs/kernel/tools/testing/selftests/powerpc/tm/tm-poison.c (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0-only
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun  * Copyright 2019, Gustavo Romero, Michael Neuling, IBM Corp.
4*4882a593Smuzhiyun  *
5*4882a593Smuzhiyun  * This test will spawn two processes. Both will be attached to the same
6*4882a593Smuzhiyun  * CPU (CPU 0). The child will be in a loop writing to FP register f31 and
7*4882a593Smuzhiyun  * VMX/VEC/Altivec register vr31 a known value, called poison, calling
8*4882a593Smuzhiyun  * sched_yield syscall after to allow the parent to switch on the CPU.
9*4882a593Smuzhiyun  * Parent will set f31 and vr31 to 1 and in a loop will check if f31 and
10*4882a593Smuzhiyun  * vr31 remain 1 as expected until a given timeout (2m). If the issue is
11*4882a593Smuzhiyun  * present child's poison will leak into parent's f31 or vr31 registers,
12*4882a593Smuzhiyun  * otherwise, poison will never leak into parent's f31 and vr31 registers.
13*4882a593Smuzhiyun  */
14*4882a593Smuzhiyun 
15*4882a593Smuzhiyun #define _GNU_SOURCE
16*4882a593Smuzhiyun #include <stdio.h>
17*4882a593Smuzhiyun #include <stdlib.h>
18*4882a593Smuzhiyun #include <unistd.h>
19*4882a593Smuzhiyun #include <inttypes.h>
20*4882a593Smuzhiyun #include <sched.h>
21*4882a593Smuzhiyun #include <sys/types.h>
22*4882a593Smuzhiyun #include <signal.h>
23*4882a593Smuzhiyun #include <inttypes.h>
24*4882a593Smuzhiyun 
25*4882a593Smuzhiyun #include "tm.h"
26*4882a593Smuzhiyun 
tm_poison_test(void)27*4882a593Smuzhiyun int tm_poison_test(void)
28*4882a593Smuzhiyun {
29*4882a593Smuzhiyun 	int cpu, pid;
30*4882a593Smuzhiyun 	cpu_set_t cpuset;
31*4882a593Smuzhiyun 	uint64_t poison = 0xdeadbeefc0dec0fe;
32*4882a593Smuzhiyun 	uint64_t unknown = 0;
33*4882a593Smuzhiyun 	bool fail_fp = false;
34*4882a593Smuzhiyun 	bool fail_vr = false;
35*4882a593Smuzhiyun 
36*4882a593Smuzhiyun 	SKIP_IF(!have_htm());
37*4882a593Smuzhiyun 
38*4882a593Smuzhiyun 	cpu = pick_online_cpu();
39*4882a593Smuzhiyun 	FAIL_IF(cpu < 0);
40*4882a593Smuzhiyun 
41*4882a593Smuzhiyun 	// Attach both Child and Parent to the same CPU
42*4882a593Smuzhiyun 	CPU_ZERO(&cpuset);
43*4882a593Smuzhiyun 	CPU_SET(cpu, &cpuset);
44*4882a593Smuzhiyun 	FAIL_IF(sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0);
45*4882a593Smuzhiyun 
46*4882a593Smuzhiyun 	pid = fork();
47*4882a593Smuzhiyun 	if (!pid) {
48*4882a593Smuzhiyun 		/**
49*4882a593Smuzhiyun 		 * child
50*4882a593Smuzhiyun 		 */
51*4882a593Smuzhiyun 		while (1) {
52*4882a593Smuzhiyun 			sched_yield();
53*4882a593Smuzhiyun 			asm (
54*4882a593Smuzhiyun 				"mtvsrd 31, %[poison];" // f31 = poison
55*4882a593Smuzhiyun 				"mtvsrd 63, %[poison];" // vr31 = poison
56*4882a593Smuzhiyun 
57*4882a593Smuzhiyun 				: : [poison] "r" (poison) : );
58*4882a593Smuzhiyun 		}
59*4882a593Smuzhiyun 	}
60*4882a593Smuzhiyun 
61*4882a593Smuzhiyun 	/**
62*4882a593Smuzhiyun 	 * parent
63*4882a593Smuzhiyun 	 */
64*4882a593Smuzhiyun 	asm (
65*4882a593Smuzhiyun 		/*
66*4882a593Smuzhiyun 		 * Set r3, r4, and f31 to known value 1 before entering
67*4882a593Smuzhiyun 		 * in transaction. They won't be written after that.
68*4882a593Smuzhiyun 		 */
69*4882a593Smuzhiyun 		"       li      3, 0x1          ;"
70*4882a593Smuzhiyun 		"       li      4, 0x1          ;"
71*4882a593Smuzhiyun 		"       mtvsrd  31, 4           ;"
72*4882a593Smuzhiyun 
73*4882a593Smuzhiyun 		/*
74*4882a593Smuzhiyun 		 * The Time Base (TB) is a 64-bit counter register that is
75*4882a593Smuzhiyun 		 * independent of the CPU clock and which is incremented
76*4882a593Smuzhiyun 		 * at a frequency of 512000000 Hz, so every 1.953125ns.
77*4882a593Smuzhiyun 		 * So it's necessary 120s/0.000000001953125s = 61440000000
78*4882a593Smuzhiyun 		 * increments to get a 2 minutes timeout. Below we set that
79*4882a593Smuzhiyun 		 * value in r5 and then use r6 to track initial TB value,
80*4882a593Smuzhiyun 		 * updating TB values in r7 at every iteration and comparing it
81*4882a593Smuzhiyun 		 * to r6. When r7 (current) - r6 (initial) > 61440000000 we bail
82*4882a593Smuzhiyun 		 * out since for sure we spent already 2 minutes in the loop.
83*4882a593Smuzhiyun 		 * SPR 268 is the TB register.
84*4882a593Smuzhiyun 		 */
85*4882a593Smuzhiyun 		"       lis     5, 14           ;"
86*4882a593Smuzhiyun 		"       ori     5, 5, 19996     ;"
87*4882a593Smuzhiyun 		"       sldi    5, 5, 16        ;" // r5 = 61440000000
88*4882a593Smuzhiyun 
89*4882a593Smuzhiyun 		"       mfspr   6, 268          ;" // r6 (TB initial)
90*4882a593Smuzhiyun 		"1:     mfspr   7, 268          ;" // r7 (TB current)
91*4882a593Smuzhiyun 		"       subf    7, 6, 7         ;" // r7 - r6 > 61440000000 ?
92*4882a593Smuzhiyun 		"       cmpd    7, 5            ;"
93*4882a593Smuzhiyun 		"       bgt     3f              ;" // yes, exit
94*4882a593Smuzhiyun 
95*4882a593Smuzhiyun 		/*
96*4882a593Smuzhiyun 		 * Main loop to check f31
97*4882a593Smuzhiyun 		 */
98*4882a593Smuzhiyun 		"       tbegin.                 ;" // no, try again
99*4882a593Smuzhiyun 		"       beq     1b              ;" // restart if no timeout
100*4882a593Smuzhiyun 		"       mfvsrd  3, 31           ;" // read f31
101*4882a593Smuzhiyun 		"       cmpd    3, 4            ;" // f31 == 1 ?
102*4882a593Smuzhiyun 		"       bne     2f              ;" // broken :-(
103*4882a593Smuzhiyun 		"       tabort. 3               ;" // try another transaction
104*4882a593Smuzhiyun 		"2:     tend.                   ;" // commit transaction
105*4882a593Smuzhiyun 		"3:     mr    %[unknown], 3     ;" // record r3
106*4882a593Smuzhiyun 
107*4882a593Smuzhiyun 		: [unknown] "=r" (unknown)
108*4882a593Smuzhiyun 		:
109*4882a593Smuzhiyun 		: "cr0", "r3", "r4", "r5", "r6", "r7", "vs31"
110*4882a593Smuzhiyun 
111*4882a593Smuzhiyun 		);
112*4882a593Smuzhiyun 
113*4882a593Smuzhiyun 	/*
114*4882a593Smuzhiyun 	 * On leak 'unknown' will contain 'poison' value from child,
115*4882a593Smuzhiyun 	 * otherwise (no leak) 'unknown' will contain the same value
116*4882a593Smuzhiyun 	 * as r3 before entering in transactional mode, i.e. 0x1.
117*4882a593Smuzhiyun 	 */
118*4882a593Smuzhiyun 	fail_fp = unknown != 0x1;
119*4882a593Smuzhiyun 	if (fail_fp)
120*4882a593Smuzhiyun 		printf("Unknown value %#"PRIx64" leaked into f31!\n", unknown);
121*4882a593Smuzhiyun 	else
122*4882a593Smuzhiyun 		printf("Good, no poison or leaked value into FP registers\n");
123*4882a593Smuzhiyun 
124*4882a593Smuzhiyun 	asm (
125*4882a593Smuzhiyun 		/*
126*4882a593Smuzhiyun 		 * Set r3, r4, and vr31 to known value 1 before entering
127*4882a593Smuzhiyun 		 * in transaction. They won't be written after that.
128*4882a593Smuzhiyun 		 */
129*4882a593Smuzhiyun 		"       li      3, 0x1          ;"
130*4882a593Smuzhiyun 		"       li      4, 0x1          ;"
131*4882a593Smuzhiyun 		"       mtvsrd  63, 4           ;"
132*4882a593Smuzhiyun 
133*4882a593Smuzhiyun 		"       lis     5, 14           ;"
134*4882a593Smuzhiyun 		"       ori     5, 5, 19996     ;"
135*4882a593Smuzhiyun 		"       sldi    5, 5, 16        ;" // r5 = 61440000000
136*4882a593Smuzhiyun 
137*4882a593Smuzhiyun 		"       mfspr   6, 268          ;" // r6 (TB initial)
138*4882a593Smuzhiyun 		"1:     mfspr   7, 268          ;" // r7 (TB current)
139*4882a593Smuzhiyun 		"       subf    7, 6, 7         ;" // r7 - r6 > 61440000000 ?
140*4882a593Smuzhiyun 		"       cmpd    7, 5            ;"
141*4882a593Smuzhiyun 		"       bgt     3f              ;" // yes, exit
142*4882a593Smuzhiyun 
143*4882a593Smuzhiyun 		/*
144*4882a593Smuzhiyun 		 * Main loop to check vr31
145*4882a593Smuzhiyun 		 */
146*4882a593Smuzhiyun 		"       tbegin.                 ;" // no, try again
147*4882a593Smuzhiyun 		"       beq     1b              ;" // restart if no timeout
148*4882a593Smuzhiyun 		"       mfvsrd  3, 63           ;" // read vr31
149*4882a593Smuzhiyun 		"       cmpd    3, 4            ;" // vr31 == 1 ?
150*4882a593Smuzhiyun 		"       bne     2f              ;" // broken :-(
151*4882a593Smuzhiyun 		"       tabort. 3               ;" // try another transaction
152*4882a593Smuzhiyun 		"2:     tend.                   ;" // commit transaction
153*4882a593Smuzhiyun 		"3:     mr    %[unknown], 3     ;" // record r3
154*4882a593Smuzhiyun 
155*4882a593Smuzhiyun 		: [unknown] "=r" (unknown)
156*4882a593Smuzhiyun 		:
157*4882a593Smuzhiyun 		: "cr0", "r3", "r4", "r5", "r6", "r7", "vs63"
158*4882a593Smuzhiyun 
159*4882a593Smuzhiyun 		);
160*4882a593Smuzhiyun 
161*4882a593Smuzhiyun 	/*
162*4882a593Smuzhiyun 	 * On leak 'unknown' will contain 'poison' value from child,
163*4882a593Smuzhiyun 	 * otherwise (no leak) 'unknown' will contain the same value
164*4882a593Smuzhiyun 	 * as r3 before entering in transactional mode, i.e. 0x1.
165*4882a593Smuzhiyun 	 */
166*4882a593Smuzhiyun 	fail_vr = unknown != 0x1;
167*4882a593Smuzhiyun 	if (fail_vr)
168*4882a593Smuzhiyun 		printf("Unknown value %#"PRIx64" leaked into vr31!\n", unknown);
169*4882a593Smuzhiyun 	else
170*4882a593Smuzhiyun 		printf("Good, no poison or leaked value into VEC registers\n");
171*4882a593Smuzhiyun 
172*4882a593Smuzhiyun 	kill(pid, SIGKILL);
173*4882a593Smuzhiyun 
174*4882a593Smuzhiyun 	return (fail_fp | fail_vr);
175*4882a593Smuzhiyun }
176*4882a593Smuzhiyun 
main(int argc,char * argv[])177*4882a593Smuzhiyun int main(int argc, char *argv[])
178*4882a593Smuzhiyun {
179*4882a593Smuzhiyun 	/* Test completes in about 4m */
180*4882a593Smuzhiyun 	test_harness_set_timeout(250);
181*4882a593Smuzhiyun 	return test_harness(tm_poison_test, "tm_poison_test");
182*4882a593Smuzhiyun }
183