1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright 2019, Gustavo Romero, Michael Neuling, IBM Corp.
4  *
5  * This test will spawn two processes. Both will be attached to the same
6  * CPU (CPU 0). The child will be in a loop writing to FP register f31 and
7  * VMX/VEC/Altivec register vr31 a known value, called poison, calling
8  * sched_yield syscall after to allow the parent to switch on the CPU.
9  * Parent will set f31 and vr31 to 1 and in a loop will check if f31 and
10  * vr31 remain 1 as expected until a given timeout (2m). If the issue is
11  * present child's poison will leak into parent's f31 or vr31 registers,
12  * otherwise, poison will never leak into parent's f31 and vr31 registers.
13  */
14 
15 #define _GNU_SOURCE
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <unistd.h>
19 #include <inttypes.h>
20 #include <sched.h>
21 #include <sys/types.h>
22 #include <signal.h>
23 #include <inttypes.h>
24 
25 #include "tm.h"
26 
27 int tm_poison_test(void)
28 {
29 	int pid;
30 	cpu_set_t cpuset;
31 	uint64_t poison = 0xdeadbeefc0dec0fe;
32 	uint64_t unknown = 0;
33 	bool fail_fp = false;
34 	bool fail_vr = false;
35 
36 	SKIP_IF(!have_htm());
37 
38 	/* Attach both Child and Parent to CPU 0 */
39 	CPU_ZERO(&cpuset);
40 	CPU_SET(0, &cpuset);
41 	sched_setaffinity(0, sizeof(cpuset), &cpuset);
42 
43 	pid = fork();
44 	if (!pid) {
45 		/**
46 		 * child
47 		 */
48 		while (1) {
49 			sched_yield();
50 			asm (
51 				"mtvsrd 31, %[poison];" // f31 = poison
52 				"mtvsrd 63, %[poison];" // vr31 = poison
53 
54 				: : [poison] "r" (poison) : );
55 		}
56 	}
57 
58 	/**
59 	 * parent
60 	 */
61 	asm (
62 		/*
63 		 * Set r3, r4, and f31 to known value 1 before entering
64 		 * in transaction. They won't be written after that.
65 		 */
66 		"       li      3, 0x1          ;"
67 		"       li      4, 0x1          ;"
68 		"       mtvsrd  31, 4           ;"
69 
70 		/*
71 		 * The Time Base (TB) is a 64-bit counter register that is
72 		 * independent of the CPU clock and which is incremented
73 		 * at a frequency of 512000000 Hz, so every 1.953125ns.
74 		 * So it's necessary 120s/0.000000001953125s = 61440000000
75 		 * increments to get a 2 minutes timeout. Below we set that
76 		 * value in r5 and then use r6 to track initial TB value,
77 		 * updating TB values in r7 at every iteration and comparing it
78 		 * to r6. When r7 (current) - r6 (initial) > 61440000000 we bail
79 		 * out since for sure we spent already 2 minutes in the loop.
80 		 * SPR 268 is the TB register.
81 		 */
82 		"       lis     5, 14           ;"
83 		"       ori     5, 5, 19996     ;"
84 		"       sldi    5, 5, 16        ;" // r5 = 61440000000
85 
86 		"       mfspr   6, 268          ;" // r6 (TB initial)
87 		"1:     mfspr   7, 268          ;" // r7 (TB current)
88 		"       subf    7, 6, 7         ;" // r7 - r6 > 61440000000 ?
89 		"       cmpd    7, 5            ;"
90 		"       bgt     3f              ;" // yes, exit
91 
92 		/*
93 		 * Main loop to check f31
94 		 */
95 		"       tbegin.                 ;" // no, try again
96 		"       beq     1b              ;" // restart if no timeout
97 		"       mfvsrd  3, 31           ;" // read f31
98 		"       cmpd    3, 4            ;" // f31 == 1 ?
99 		"       bne     2f              ;" // broken :-(
100 		"       tabort. 3               ;" // try another transaction
101 		"2:     tend.                   ;" // commit transaction
102 		"3:     mr    %[unknown], 3     ;" // record r3
103 
104 		: [unknown] "=r" (unknown)
105 		:
106 		: "cr0", "r3", "r4", "r5", "r6", "r7", "vs31"
107 
108 		);
109 
110 	/*
111 	 * On leak 'unknown' will contain 'poison' value from child,
112 	 * otherwise (no leak) 'unknown' will contain the same value
113 	 * as r3 before entering in transactional mode, i.e. 0x1.
114 	 */
115 	fail_fp = unknown != 0x1;
116 	if (fail_fp)
117 		printf("Unknown value %#"PRIx64" leaked into f31!\n", unknown);
118 	else
119 		printf("Good, no poison or leaked value into FP registers\n");
120 
121 	asm (
122 		/*
123 		 * Set r3, r4, and vr31 to known value 1 before entering
124 		 * in transaction. They won't be written after that.
125 		 */
126 		"       li      3, 0x1          ;"
127 		"       li      4, 0x1          ;"
128 		"       mtvsrd  63, 4           ;"
129 
130 		"       lis     5, 14           ;"
131 		"       ori     5, 5, 19996     ;"
132 		"       sldi    5, 5, 16        ;" // r5 = 61440000000
133 
134 		"       mfspr   6, 268          ;" // r6 (TB initial)
135 		"1:     mfspr   7, 268          ;" // r7 (TB current)
136 		"       subf    7, 6, 7         ;" // r7 - r6 > 61440000000 ?
137 		"       cmpd    7, 5            ;"
138 		"       bgt     3f              ;" // yes, exit
139 
140 		/*
141 		 * Main loop to check vr31
142 		 */
143 		"       tbegin.                 ;" // no, try again
144 		"       beq     1b              ;" // restart if no timeout
145 		"       mfvsrd  3, 63           ;" // read vr31
146 		"       cmpd    3, 4            ;" // vr31 == 1 ?
147 		"       bne     2f              ;" // broken :-(
148 		"       tabort. 3               ;" // try another transaction
149 		"2:     tend.                   ;" // commit transaction
150 		"3:     mr    %[unknown], 3     ;" // record r3
151 
152 		: [unknown] "=r" (unknown)
153 		:
154 		: "cr0", "r3", "r4", "r5", "r6", "r7", "vs63"
155 
156 		);
157 
158 	/*
159 	 * On leak 'unknown' will contain 'poison' value from child,
160 	 * otherwise (no leak) 'unknown' will contain the same value
161 	 * as r3 before entering in transactional mode, i.e. 0x1.
162 	 */
163 	fail_vr = unknown != 0x1;
164 	if (fail_vr)
165 		printf("Unknown value %#"PRIx64" leaked into vr31!\n", unknown);
166 	else
167 		printf("Good, no poison or leaked value into VEC registers\n");
168 
169 	kill(pid, SIGKILL);
170 
171 	return (fail_fp | fail_vr);
172 }
173 
174 int main(int argc, char *argv[])
175 {
176 	/* Test completes in about 4m */
177 	test_harness_set_timeout(250);
178 	return test_harness(tm_poison_test, "tm_poison_test");
179 }
180