forked from Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
182 lines
5.4 KiB
182 lines
5.4 KiB
// SPDX-License-Identifier: GPL-2.0-only |
|
/* |
|
* Copyright 2019, Gustavo Romero, Michael Neuling, IBM Corp. |
|
* |
|
* This test will spawn two processes. Both will be attached to the same |
|
* CPU (CPU 0). The child will be in a loop writing to FP register f31 and |
|
* VMX/VEC/Altivec register vr31 a known value, called poison, calling |
|
* sched_yield syscall after to allow the parent to switch on the CPU. |
|
* Parent will set f31 and vr31 to 1 and in a loop will check if f31 and |
|
* vr31 remain 1 as expected until a given timeout (2m). If the issue is |
|
* present child's poison will leak into parent's f31 or vr31 registers, |
|
* otherwise, poison will never leak into parent's f31 and vr31 registers. |
|
*/ |
|
|
|
#define _GNU_SOURCE |
|
#include <stdio.h> |
|
#include <stdlib.h> |
|
#include <unistd.h> |
|
#include <inttypes.h> |
|
#include <sched.h> |
|
#include <sys/types.h> |
|
#include <signal.h> |
|
|
|
#include "tm.h" |
|
|
|
int tm_poison_test(void) |
|
{ |
|
int cpu, pid; |
|
cpu_set_t cpuset; |
|
uint64_t poison = 0xdeadbeefc0dec0fe; |
|
uint64_t unknown = 0; |
|
bool fail_fp = false; |
|
bool fail_vr = false; |
|
|
|
SKIP_IF(!have_htm()); |
|
SKIP_IF(htm_is_synthetic()); |
|
|
|
cpu = pick_online_cpu(); |
|
FAIL_IF(cpu < 0); |
|
|
|
// Attach both Child and Parent to the same CPU |
|
CPU_ZERO(&cpuset); |
|
CPU_SET(cpu, &cpuset); |
|
FAIL_IF(sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0); |
|
|
|
pid = fork(); |
|
if (!pid) { |
|
/** |
|
* child |
|
*/ |
|
while (1) { |
|
sched_yield(); |
|
asm ( |
|
"mtvsrd 31, %[poison];" // f31 = poison |
|
"mtvsrd 63, %[poison];" // vr31 = poison |
|
|
|
: : [poison] "r" (poison) : ); |
|
} |
|
} |
|
|
|
/** |
|
* parent |
|
*/ |
|
asm ( |
|
/* |
|
* Set r3, r4, and f31 to known value 1 before entering |
|
* in transaction. They won't be written after that. |
|
*/ |
|
" li 3, 0x1 ;" |
|
" li 4, 0x1 ;" |
|
" mtvsrd 31, 4 ;" |
|
|
|
/* |
|
* The Time Base (TB) is a 64-bit counter register that is |
|
* independent of the CPU clock and which is incremented |
|
* at a frequency of 512000000 Hz, so every 1.953125ns. |
|
* So it's necessary 120s/0.000000001953125s = 61440000000 |
|
* increments to get a 2 minutes timeout. Below we set that |
|
* value in r5 and then use r6 to track initial TB value, |
|
* updating TB values in r7 at every iteration and comparing it |
|
* to r6. When r7 (current) - r6 (initial) > 61440000000 we bail |
|
* out since for sure we spent already 2 minutes in the loop. |
|
* SPR 268 is the TB register. |
|
*/ |
|
" lis 5, 14 ;" |
|
" ori 5, 5, 19996 ;" |
|
" sldi 5, 5, 16 ;" // r5 = 61440000000 |
|
|
|
" mfspr 6, 268 ;" // r6 (TB initial) |
|
"1: mfspr 7, 268 ;" // r7 (TB current) |
|
" subf 7, 6, 7 ;" // r7 - r6 > 61440000000 ? |
|
" cmpd 7, 5 ;" |
|
" bgt 3f ;" // yes, exit |
|
|
|
/* |
|
* Main loop to check f31 |
|
*/ |
|
" tbegin. ;" // no, try again |
|
" beq 1b ;" // restart if no timeout |
|
" mfvsrd 3, 31 ;" // read f31 |
|
" cmpd 3, 4 ;" // f31 == 1 ? |
|
" bne 2f ;" // broken :-( |
|
" tabort. 3 ;" // try another transaction |
|
"2: tend. ;" // commit transaction |
|
"3: mr %[unknown], 3 ;" // record r3 |
|
|
|
: [unknown] "=r" (unknown) |
|
: |
|
: "cr0", "r3", "r4", "r5", "r6", "r7", "vs31" |
|
|
|
); |
|
|
|
/* |
|
* On leak 'unknown' will contain 'poison' value from child, |
|
* otherwise (no leak) 'unknown' will contain the same value |
|
* as r3 before entering in transactional mode, i.e. 0x1. |
|
*/ |
|
fail_fp = unknown != 0x1; |
|
if (fail_fp) |
|
printf("Unknown value %#"PRIx64" leaked into f31!\n", unknown); |
|
else |
|
printf("Good, no poison or leaked value into FP registers\n"); |
|
|
|
asm ( |
|
/* |
|
* Set r3, r4, and vr31 to known value 1 before entering |
|
* in transaction. They won't be written after that. |
|
*/ |
|
" li 3, 0x1 ;" |
|
" li 4, 0x1 ;" |
|
" mtvsrd 63, 4 ;" |
|
|
|
" lis 5, 14 ;" |
|
" ori 5, 5, 19996 ;" |
|
" sldi 5, 5, 16 ;" // r5 = 61440000000 |
|
|
|
" mfspr 6, 268 ;" // r6 (TB initial) |
|
"1: mfspr 7, 268 ;" // r7 (TB current) |
|
" subf 7, 6, 7 ;" // r7 - r6 > 61440000000 ? |
|
" cmpd 7, 5 ;" |
|
" bgt 3f ;" // yes, exit |
|
|
|
/* |
|
* Main loop to check vr31 |
|
*/ |
|
" tbegin. ;" // no, try again |
|
" beq 1b ;" // restart if no timeout |
|
" mfvsrd 3, 63 ;" // read vr31 |
|
" cmpd 3, 4 ;" // vr31 == 1 ? |
|
" bne 2f ;" // broken :-( |
|
" tabort. 3 ;" // try another transaction |
|
"2: tend. ;" // commit transaction |
|
"3: mr %[unknown], 3 ;" // record r3 |
|
|
|
: [unknown] "=r" (unknown) |
|
: |
|
: "cr0", "r3", "r4", "r5", "r6", "r7", "vs63" |
|
|
|
); |
|
|
|
/* |
|
* On leak 'unknown' will contain 'poison' value from child, |
|
* otherwise (no leak) 'unknown' will contain the same value |
|
* as r3 before entering in transactional mode, i.e. 0x1. |
|
*/ |
|
fail_vr = unknown != 0x1; |
|
if (fail_vr) |
|
printf("Unknown value %#"PRIx64" leaked into vr31!\n", unknown); |
|
else |
|
printf("Good, no poison or leaked value into VEC registers\n"); |
|
|
|
kill(pid, SIGKILL); |
|
|
|
return (fail_fp | fail_vr); |
|
} |
|
|
|
int main(int argc, char *argv[]) |
|
{ |
|
/* Test completes in about 4m */ |
|
test_harness_set_timeout(250); |
|
return test_harness(tm_poison_test, "tm_poison_test"); |
|
}
|
|
|