Linux 6.6 th1520 pinctrl/emmc #2
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
RevySR
force-pushed
the
linux-6.6-th1520-pinctrl
branch
3 times, most recently
from
1ce1e6e to
bacd73a
Compare
Add bindings for the pin controllers on the T-Head TH1520 RISC-V SoC. Signed-off-by: Emil Renner Berthing <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Add pinctrl driver for the T-Head TH1520 RISC-V SoC. Signed-off-by: Emil Renner Berthing <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Add nodes for pin controllers on the T-Head TH1520 RISC-V SoC. Signed-off-by: Emil Renner Berthing <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Add gpio-ranges properties to the TH1520 device tree, so user space can change basic pinconf settings for GPIOs and are not allowed to use pads already used by other functions. Adjust number of GPIOs available for the different controllers. Signed-off-by: Emil Renner Berthing <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Adjust labels for the TH1520 GPIO controllers such that GPIOs can be referenced by the names used by the documentation. Eg. GPIO0_X -> <&gpio0 X Y> GPIO1_X -> <&gpio1 X Y> GPIO2_X -> <&gpio2 X Y> GPIO3_X -> <&gpio3 X Y> GPIO4_X -> <&gpio4 X Y> AOGPIO_X -> <&aogpio X Y> Remove labels for the parent GPIO devices that shouldn't need to be referenced. Signed-off-by: Emil Renner Berthing <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Add names for the GPIO00-GPIO14 lines of the SO-DIMM module. Signed-off-by: Emil Renner Berthing <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Add pinctrl settings for UART0 used as the default debug console on both the Lichee Pi 4A and BeagleV Ahead boards. Signed-off-by: Emil Renner Berthing <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Add nodes for the 5 user controllable LEDs on the BeagleV Ahead board. Signed-off-by: Emil Renner Berthing <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
th1520 uart/console depends on pinctrl Signed-off-by: Han Gao <[email protected]>
Signed-off-by: Han Gao <[email protected]>
Signed-off-by: Han Gao <[email protected]>
RevySR
force-pushed
the
linux-6.6-th1520-pinctrl
branch
7 times, most recently
from
d32b80c to
5edcb12
Compare
Add compatible value for the T-Head TH1520 dwcmshc controller. Acked-by: Guo Ren <[email protected]> Acked-by: Krzysztof Kozlowski <[email protected]> Signed-off-by: Drew Fustini <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Expose __sdhci_execute_tuning() so that it can be called from the mmc host controller drivers. In the sdhci-of-dwcmshc driver, sdhci_dwcmshc_th1520_ops sets platform_execute_tuning to th1520_execute_tuning(). That function has to manipulate phy registers before tuning can be performed. To avoid copying the code verbatim from __sdhci_execute_tuning() into th1520_execute_tuning(), make it possible for __sdhci_execute_tuning() to be called from sdhci-of-dwcmshc. Acked-by: Adrian Hunter <[email protected]> Signed-off-by: Drew Fustini <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Add support for the mmc controller in the T-Head TH1520 with the new compatible "thead,th1520-dwcmshc". Implement custom sdhci_ops for set_uhs_signaling, reset, voltage_switch, and platform_execute_tuning. Acked-by: Adrian Hunter <[email protected]> Signed-off-by: Drew Fustini <[email protected]> Reviewed-by: Jisheng Zhang <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Enable the mmc controller driver and dma controller driver needed for T-Head TH1520 based boards, like the LicheePi 4A and BeagleV-Ahead, to boot from eMMC storage. Reviewed-by: Guo Ren <[email protected]> Signed-off-by: Drew Fustini <[email protected]> Reviewed-by: Emil Renner Berthing <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Add node for the fixed reference clock used for emmc and sdio nodes. Add emmc node for the 1st dwcmshc instance which is typically connected to an eMMC device. Add sdio0 node for the 2nd dwcmshc instance which is typically connected to microSD slot. Add sdio1 node for the 3rd dwcmshc instance which is typically connected to an SDIO WiFi module. The node names are based on Table 1-2 C910/C906 memory map in the TH1520 System User Manual. Link: https://git.beagleboard.org/beaglev-ahead/beaglev-ahead/-/tree/main/docs Signed-off-by: Drew Fustini <[email protected]> Reviewed-by: Emil Renner Berthing <[email protected]> Reviewed-by: Guo Ren <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Add emmc node properties for the eMMC device and add sdio0 node properties for the microSD slot. Set the frequency for the sdhci reference clock. Signed-off-by: Drew Fustini <[email protected]> Reviewed-by: Guo Ren <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Add emmc node properties for the eMMC device and add sdio0 node properties for the microSD slot. Set the frequency for the sdhci reference clock. Signed-off-by: Drew Fustini <[email protected]> Reviewed-by: Guo Ren <[email protected]> Signed-off-by: Drew Fustini <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Han Gao <[email protected]>
Signed-off-by: Han Gao <[email protected]>
This makes the packages produced by make bindeb-pkg work with the Lichee Pi 4a "Debian" image. Signed-off-by: Han Gao <[email protected]> Signed-off-by: Emil Renner Berthing <[email protected]>
Signed-off-by: Han Gao <[email protected]>
This reverts commit 5fd8d0e. Signed-off-by: Han Gao <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
…s in tail_call This patch solves the 10 tail_call testing issues in test_bpf. At this point, all tests of test_bpf in BPF_JIT mode have passed. Here is the comparison between s64ilp32, s64lp64 and s32ilp32: - s64lp64 ``` ... test_bpf: Summary: 1026 PASSED, 0 FAILED, [1014/1014 JIT'ed] test_bpf: #0 Tail call leaf jited:1 188 PASS test_bpf: #1 Tail call 2 jited:1 180 PASS test_bpf: #2 Tail call 3 jited:1 203 PASS test_bpf: #3 Tail call 4 jited:1 225 PASS test_bpf: #4 Tail call load/store leaf jited:1 145 PASS test_bpf: #5 Tail call load/store jited:1 195 PASS test_bpf: #6 Tail call error path, max count reached jited:1 997 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 155563 PASS test_bpf: #8 Tail call error path, NULL target jited:1 164 PASS test_bpf: #9 Tail call error path, index out of range jited:1 136 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` - s64ilp32 ``` ... test_bpf: Summary: 1026 PASSED, 0 FAILED, [1014/1014 JIT'ed] test_bpf: #0 Tail call leaf jited:1 160 PASS test_bpf: #1 Tail call 2 jited:1 221 PASS test_bpf: #2 Tail call 3 jited:1 251 PASS test_bpf: #3 Tail call 4 jited:1 275 PASS test_bpf: #4 Tail call load/store leaf jited:1 198 PASS test_bpf: #5 Tail call load/store jited:1 262 PASS test_bpf: #6 Tail call error path, max count reached jited:1 1390 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 204492 PASS test_bpf: #8 Tail call error path, NULL target jited:1 199 PASS test_bpf: #9 Tail call error path, index out of range jited:1 168 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` - s32ilp32 ``` ... test_bpf: Summary: 1027 PASSED, 0 FAILED, [832/1015 JIT'ed] test_bpf: #0 Tail call leaf jited:1 266 PASS test_bpf: #1 Tail call 2 jited:1 409 PASS test_bpf: #2 Tail call 3 jited:1 481 PASS test_bpf: #3 Tail call 4 jited:1 537 PASS test_bpf: #4 Tail call load/store leaf jited:1 325 PASS test_bpf: #5 Tail call load/store jited:1 427 PASS test_bpf: #6 Tail call error path, max count reached jited:1 3050 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 255522 PASS test_bpf: #8 Tail call error path, NULL target jited:1 315 PASS test_bpf: #9 Tail call error path, index out of range jited:1 280 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` Actually, s64ilp32 and s64lp64 perform consistently, both in terms of the number that can be executed by JIT and execution time. while, only 80% of cases in s32ilp32 can be executed by JIT, and the execution time is also longer under the same JIT execution situation. Signed-off-by: Chen Pei <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
commit 9d274c1 upstream. We have been seeing crashes on duplicate keys in btrfs_set_item_key_safe(): BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192) ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:2620! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs] With the following stack trace: #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4) #1 btrfs_drop_extents (fs/btrfs/file.c:411:4) #2 log_one_extent (fs/btrfs/tree-log.c:4732:9) #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9) #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9) #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8) #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8) #7 btrfs_sync_file (fs/btrfs/file.c:1933:8) #8 vfs_fsync_range (fs/sync.c:188:9) #9 vfs_fsync (fs/sync.c:202:9) #10 do_fsync (fs/sync.c:212:9) #11 __do_sys_fdatasync (fs/sync.c:225:9) #12 __se_sys_fdatasync (fs/sync.c:223:1) #13 __x64_sys_fdatasync (fs/sync.c:223:1) #14 do_syscall_x64 (arch/x86/entry/common.c:52:14) #15 do_syscall_64 (arch/x86/entry/common.c:83:7) #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121) So we're logging a changed extent from fsync, which is splitting an extent in the log tree. But this split part already exists in the tree, triggering the BUG(). This is the state of the log tree at the time of the crash, dumped with drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py) to get more details than btrfs_print_leaf() gives us: >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"]) leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610 leaf 33439744 flags 0x100000000000000 fs uuid e5bd3946-400c-4223-8923-190ef1f18677 chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160 generation 7 transid 9 size 8192 nbytes 8473563889606862198 block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0 sequence 204 flags 0x10(PREALLOC) atime 1716417703.220000000 (2024-05-22 15:41:43) ctime 1716417704.983333333 (2024-05-22 15:41:44) mtime 1716417704.983333333 (2024-05-22 15:41:44) otime 17592186044416.000000000 (559444-03-08 01:40:16) item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13 index 195 namelen 3 name: 193 item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37 location key (0 UNKNOWN.0 0) type XATTR transid 7 data_len 1 name_len 6 name: user.a data a item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53 generation 9 type 1 (regular) extent data disk byte 303144960 nr 12288 extent data offset 0 nr 4096 ram 12288 extent compression 0 (none) item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 4096 nr 8192 item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 8192 nr 4096 ... So the real problem happened earlier: notice that items 4 (4k-12k) and 5 (8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and item 5 starts at i_size. Here is the state of the filesystem tree at the time of the crash: >>> root = prog.crashed_thread().stack_trace()[2]["inode"].root >>> ret, nodes, slots = btrfs_search_slot(root, BtrfsKey(450, 0, 0)) >>> print_extent_buffer(nodes[0]) leaf 30425088 level 0 items 184 generation 9 owner 5 leaf 30425088 flags 0x100000000000000 fs uuid e5bd3946-400c-4223-8923-190ef1f18677 chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da ... item 179 key (450 INODE_ITEM 0) itemoff 4907 itemsize 160 generation 7 transid 7 size 4096 nbytes 12288 block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0 sequence 6 flags 0x10(PREALLOC) atime 1716417703.220000000 (2024-05-22 15:41:43) ctime 1716417703.220000000 (2024-05-22 15:41:43) mtime 1716417703.220000000 (2024-05-22 15:41:43) otime 1716417703.220000000 (2024-05-22 15:41:43) item 180 key (450 INODE_REF 256) itemoff 4894 itemsize 13 index 195 namelen 3 name: 193 item 181 key (450 XATTR_ITEM 1640047104) itemoff 4857 itemsize 37 location key (0 UNKNOWN.0 0) type XATTR transid 7 data_len 1 name_len 6 name: user.a data a item 182 key (450 EXTENT_DATA 0) itemoff 4804 itemsize 53 generation 9 type 1 (regular) extent data disk byte 303144960 nr 12288 extent data offset 0 nr 8192 ram 12288 extent compression 0 (none) item 183 key (450 EXTENT_DATA 8192) itemoff 4751 itemsize 53 generation 9 type 2 (prealloc) prealloc data disk byte 303144960 nr 12288 prealloc data offset 8192 nr 4096 Item 5 in the log tree corresponds to item 183 in the filesystem tree, but nothing matches item 4. Furthermore, item 183 is the last item in the leaf. btrfs_log_prealloc_extents() is responsible for logging prealloc extents beyond i_size. It first truncates any previously logged prealloc extents that start beyond i_size. Then, it walks the filesystem tree and copies the prealloc extent items to the log tree. If it hits the end of a leaf, then it calls btrfs_next_leaf(), which unlocks the tree and does another search. However, while the filesystem tree is unlocked, an ordered extent completion may modify the tree. In particular, it may insert an extent item that overlaps with an extent item that was already copied to the log tree. This may manifest in several ways depending on the exact scenario, including an EEXIST error that is silently translated to a full sync, overlapping items in the log tree, or this crash. This particular crash is triggered by the following sequence of events: - Initially, the file has i_size=4k, a regular extent from 0-4k, and a prealloc extent beyond i_size from 4k-12k. The prealloc extent item is the last item in its B-tree leaf. - The file is fsync'd, which copies its inode item and both extent items to the log tree. - An xattr is set on the file, which sets the BTRFS_INODE_COPY_EVERYTHING flag. - The range 4k-8k in the file is written using direct I/O. i_size is extended to 8k, but the ordered extent is still in flight. - The file is fsync'd. Since BTRFS_INODE_COPY_EVERYTHING is set, this calls copy_inode_items_to_log(), which calls btrfs_log_prealloc_extents(). - btrfs_log_prealloc_extents() finds the 4k-12k prealloc extent in the filesystem tree. Since it starts before i_size, it skips it. Since it is the last item in its B-tree leaf, it calls btrfs_next_leaf(). - btrfs_next_leaf() unlocks the path. - The ordered extent completion runs, which converts the 4k-8k part of the prealloc extent to written and inserts the remaining prealloc part from 8k-12k. - btrfs_next_leaf() does a search and finds the new prealloc extent 8k-12k. - btrfs_log_prealloc_extents() copies the 8k-12k prealloc extent into the log tree. Note that it overlaps with the 4k-12k prealloc extent that was copied to the log tree by the first fsync. - fsync calls btrfs_log_changed_extents(), which tries to log the 4k-8k extent that was written. - This tries to drop the range 4k-8k in the log tree, which requires adjusting the start of the 4k-12k prealloc extent in the log tree to 8k. - btrfs_set_item_key_safe() sees that there is already an extent starting at 8k in the log tree and calls BUG(). Fix this by detecting when we're about to insert an overlapping file extent item in the log tree and truncating the part that would overlap. CC: [email protected] # 6.1+ Reviewed-by: Filipe Manana <[email protected]> Signed-off-by: Omar Sandoval <[email protected]> Signed-off-by: David Sterba <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
commit 22f0081 upstream. The syzbot fuzzer found that the interrupt-URB completion callback in the cdc-wdm driver was taking too long, and the driver's immediate resubmission of interrupt URBs with -EPROTO status combined with the dummy-hcd emulation to cause a CPU lockup: cdc_wdm 1-1:1.0: nonzero urb status received: -71 cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625] CPU#0 Utilization every 4s during lockup: #1: 98% system, 0% softirq, 3% hardirq, 0% idle #2: 98% system, 0% softirq, 3% hardirq, 0% idle #3: 98% system, 0% softirq, 3% hardirq, 0% idle #4: 98% system, 0% softirq, 3% hardirq, 0% idle #5: 98% system, 1% softirq, 3% hardirq, 0% idle Modules linked in: irq event stamp: 73096 hardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline] hardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994 hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline] softirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582 softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588 CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Testing showed that the problem did not occur if the two error messages -- the first two lines above -- were removed; apparently adding material to the kernel log takes a surprisingly large amount of time. In any case, the best approach for preventing these lockups and to avoid spamming the log with thousands of error messages per second is to ratelimit the two dev_err() calls. Therefore we replace them with dev_err_ratelimited(). Signed-off-by: Alan Stern <[email protected]> Suggested-by: Greg KH <[email protected]> Reported-and-tested-by: [email protected] Closes: https://lore.kernel.org/linux-usb/[email protected]/ Reported-and-tested-by: [email protected] Closes: https://lore.kernel.org/linux-usb/[email protected]/ Fixes: 9908a32 ("USB: remove err() macro from usb class drivers") Link: https://lore.kernel.org/linux-usb/[email protected]/ Cc: [email protected] Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
commit c0a4009 upstream. Synchronize the dev->driver usage in really_probe() and dev_uevent(). These can run in different threads, what can result in the following race condition for dev->driver uninitialization: Thread #1: ========== really_probe() { ... probe_failed: ... device_unbind_cleanup(dev) { ... dev->driver = NULL; // <= Failed probe sets dev->driver to NULL ... } ... } Thread #2: ========== dev_uevent() { ... if (dev->driver) // If dev->driver is NULLed from really_probe() from here on, // after above check, the system crashes add_uevent_var(env, "DRIVER=%s", dev->driver->name); ... } really_probe() holds the lock, already. So nothing needs to be done there. dev_uevent() is called with lock held, often, too. But not always. What implies that we can't add any locking in dev_uevent() itself. So fix this race by adding the lock to the non-protected path. This is the path where above race is observed: dev_uevent+0x235/0x380 uevent_show+0x10c/0x1f0 <= Add lock here dev_attr_show+0x3a/0xa0 sysfs_kf_seq_show+0x17c/0x250 kernfs_seq_show+0x7c/0x90 seq_read_iter+0x2d7/0x940 kernfs_fop_read_iter+0xc6/0x310 vfs_read+0x5bc/0x6b0 ksys_read+0xeb/0x1b0 __x64_sys_read+0x42/0x50 x64_sys_call+0x27ad/0x2d30 do_syscall_64+0xcd/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Similar cases are reported by syzkaller in https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a But these are regarding the *initialization* of dev->driver dev->driver = drv; As this switches dev->driver to non-NULL these reports can be considered to be false-positives (which should be "fixed" by this commit, as well, though). The same issue was reported and tried to be fixed back in 2015 in https://lore.kernel.org/lkml/[email protected]/ already. Fixes: 239378f ("Driver core: add uevent vars for devices of a class") Cc: stable <[email protected]> Cc: [email protected] Cc: Ashish Sangwan <[email protected]> Cc: Namjae Jeon <[email protected]> Signed-off-by: Dirk Behme <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
[ Upstream commit f1e197a ] trace_drop_common() is called with preemption disabled, and it acquires a spin_lock. This is problematic for RT kernels because spin_locks are sleeping locks in this configuration, which causes the following splat: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47 preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 5 locks held by rcuc/47/449: #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210 #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130 #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210 #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70 #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290 irq event stamp: 139909 hardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80 hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290 softirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170 softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0 Preemption disabled at: [<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0 CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7 Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022 Call Trace: <TASK> dump_stack_lvl+0x8c/0xd0 dump_stack+0x14/0x20 __might_resched+0x21e/0x2f0 rt_spin_lock+0x5e/0x130 ? trace_drop_common.constprop.0+0xb5/0x290 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_drop_common.constprop.0+0xb5/0x290 ? preempt_count_sub+0x1c/0xd0 ? _raw_spin_unlock_irqrestore+0x4a/0x80 ? __pfx_trace_drop_common.constprop.0+0x10/0x10 ? rt_mutex_slowunlock+0x26a/0x2e0 ? skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_rt_mutex_slowunlock+0x10/0x10 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_kfree_skb_hit+0x15/0x20 trace_kfree_skb+0xe9/0x150 kfree_skb_reason+0x7b/0x110 skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10 ? mark_lock.part.0+0x8a/0x520 ... trace_drop_common() also disables interrupts, but this is a minor issue because we could easily replace it with a local_lock. Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic context. Signed-off-by: Wander Lairson Costa <[email protected]> Reported-by: Hu Chunyu <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
[ Upstream commit af0cb3f ] Xiumei and Christoph reported the following lockdep splat, complaining of the qdisc root lock being taken twice: ============================================ WARNING: possible recursive locking detected 6.7.0-rc3+ #598 Not tainted -------------------------------------------- swapper/2/0 is trying to acquire lock: ffff888177190110 (&sch->q.lock){+.-.}-{2:2}, at: __dev_queue_xmit+0x1560/0x2e70 but task is already holding lock: ffff88811995a110 (&sch->q.lock){+.-.}-{2:2}, at: __dev_queue_xmit+0x1560/0x2e70 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&sch->q.lock); lock(&sch->q.lock); *** DEADLOCK *** May be due to missing lock nesting notation 5 locks held by swapper/2/0: #0: ffff888135a09d98 ((&in_dev->mr_ifc_timer)){+.-.}-{0:0}, at: call_timer_fn+0x11a/0x510 #1: ffffffffaaee5260 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x2c0/0x1ed0 #2: ffffffffaaee5200 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x209/0x2e70 #3: ffff88811995a110 (&sch->q.lock){+.-.}-{2:2}, at: __dev_queue_xmit+0x1560/0x2e70 #4: ffffffffaaee5200 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x209/0x2e70 stack backtrace: CPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.7.0-rc3+ #598 Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7353+9de0a3cc 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x4a/0x80 __lock_acquire+0xfdd/0x3150 lock_acquire+0x1ca/0x540 _raw_spin_lock+0x34/0x80 __dev_queue_xmit+0x1560/0x2e70 tcf_mirred_act+0x82e/0x1260 [act_mirred] tcf_action_exec+0x161/0x480 tcf_classify+0x689/0x1170 prio_enqueue+0x316/0x660 [sch_prio] dev_qdisc_enqueue+0x46/0x220 __dev_queue_xmit+0x1615/0x2e70 ip_finish_output2+0x1218/0x1ed0 __ip_finish_output+0x8b3/0x1350 ip_output+0x163/0x4e0 igmp_ifc_timer_expire+0x44b/0x930 call_timer_fn+0x1a2/0x510 run_timer_softirq+0x54d/0x11a0 __do_softirq+0x1b3/0x88f irq_exit_rcu+0x18f/0x1e0 sysvec_apic_timer_interrupt+0x6f/0x90 </IRQ> This happens when TC does a mirred egress redirect from the root qdisc of device A to the root qdisc of device B. As long as these two locks aren't protecting the same qdisc, they can be acquired in chain: add a per-qdisc lockdep key to silence false warnings. This dynamic key should safely replace the static key we have in sch_htb: it was added to allow enqueueing to the device "direct qdisc" while still holding the qdisc root lock. v2: don't use static keys anymore in HTB direct qdiscs (thanks Eric Dumazet) CC: Maxim Mikityanskiy <[email protected]> CC: Xiumei Mu <[email protected]> Reported-by: Christoph Paasch <[email protected]> Closes: multipath-tcp/mptcp_net-next#451 Signed-off-by: Davide Caratti <[email protected]> Link: https://lore.kernel.org/r/7dc06d6158f72053cf877a82e2a7a5bd23692faa.1713448007.git.dcaratti@redhat.com Signed-off-by: Paolo Abeni <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
[ Upstream commit f6944d4 ] Lockdep reports the below circular locking dependency issue. The mmap_lock acquisition while holding pci_bus_sem is due to the use of copy_to_user() from within a pci_walk_bus() callback. Building the devices array directly into the user buffer is only for convenience. Instead we can allocate a local buffer for the array, bounded by the number of devices on the bus/slot, fill the device information into this local buffer, then copy it into the user buffer outside the bus walk callback. ====================================================== WARNING: possible circular locking dependency detected 6.9.0-rc5+ #39 Not tainted ------------------------------------------------------ CPU 0/KVM/4113 is trying to acquire lock: ffff99a609ee18a8 (&vdev->vma_lock){+.+.}-{4:4}, at: vfio_pci_mmap_fault+0x35/0x1a0 [vfio_pci_core] but task is already holding lock: ffff99a243a052a0 (&mm->mmap_lock){++++}-{4:4}, at: vaddr_get_pfns+0x3f/0x170 [vfio_iommu_type1] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (&mm->mmap_lock){++++}-{4:4}: __lock_acquire+0x4e4/0xb90 lock_acquire+0xbc/0x2d0 __might_fault+0x5c/0x80 _copy_to_user+0x1e/0x60 vfio_pci_fill_devs+0x9f/0x130 [vfio_pci_core] vfio_pci_walk_wrapper+0x45/0x60 [vfio_pci_core] __pci_walk_bus+0x6b/0xb0 vfio_pci_ioctl_get_pci_hot_reset_info+0x10b/0x1d0 [vfio_pci_core] vfio_pci_core_ioctl+0x1cb/0x400 [vfio_pci_core] vfio_device_fops_unl_ioctl+0x7e/0x140 [vfio] __x64_sys_ioctl+0x8a/0xc0 do_syscall_64+0x8d/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #2 (pci_bus_sem){++++}-{4:4}: __lock_acquire+0x4e4/0xb90 lock_acquire+0xbc/0x2d0 down_read+0x3e/0x160 pci_bridge_wait_for_secondary_bus.part.0+0x33/0x2d0 pci_reset_bus+0xdd/0x160 vfio_pci_dev_set_hot_reset+0x256/0x270 [vfio_pci_core] vfio_pci_ioctl_pci_hot_reset_groups+0x1a3/0x280 [vfio_pci_core] vfio_pci_core_ioctl+0x3b5/0x400 [vfio_pci_core] vfio_device_fops_unl_ioctl+0x7e/0x140 [vfio] __x64_sys_ioctl+0x8a/0xc0 do_syscall_64+0x8d/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #1 (&vdev->memory_lock){+.+.}-{4:4}: __lock_acquire+0x4e4/0xb90 lock_acquire+0xbc/0x2d0 down_write+0x3b/0xc0 vfio_pci_zap_and_down_write_memory_lock+0x1c/0x30 [vfio_pci_core] vfio_basic_config_write+0x281/0x340 [vfio_pci_core] vfio_config_do_rw+0x1fa/0x300 [vfio_pci_core] vfio_pci_config_rw+0x75/0xe50 [vfio_pci_core] vfio_pci_rw+0xea/0x1a0 [vfio_pci_core] vfs_write+0xea/0x520 __x64_sys_pwrite64+0x90/0xc0 do_syscall_64+0x8d/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #0 (&vdev->vma_lock){+.+.}-{4:4}: check_prev_add+0xeb/0xcc0 validate_chain+0x465/0x530 __lock_acquire+0x4e4/0xb90 lock_acquire+0xbc/0x2d0 __mutex_lock+0x97/0xde0 vfio_pci_mmap_fault+0x35/0x1a0 [vfio_pci_core] __do_fault+0x31/0x160 do_pte_missing+0x65/0x3b0 __handle_mm_fault+0x303/0x720 handle_mm_fault+0x10f/0x460 fixup_user_fault+0x7f/0x1f0 follow_fault_pfn+0x66/0x1c0 [vfio_iommu_type1] vaddr_get_pfns+0xf2/0x170 [vfio_iommu_type1] vfio_pin_pages_remote+0x348/0x4e0 [vfio_iommu_type1] vfio_pin_map_dma+0xd2/0x330 [vfio_iommu_type1] vfio_dma_do_map+0x2c0/0x440 [vfio_iommu_type1] vfio_iommu_type1_ioctl+0xc5/0x1d0 [vfio_iommu_type1] __x64_sys_ioctl+0x8a/0xc0 do_syscall_64+0x8d/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e other info that might help us debug this: Chain exists of: &vdev->vma_lock --> pci_bus_sem --> &mm->mmap_lock Possible unsafe locking scenario: block dm-0: the capability attribute has been deprecated. CPU0 CPU1 ---- ---- rlock(&mm->mmap_lock); lock(pci_bus_sem); lock(&mm->mmap_lock); lock(&vdev->vma_lock); *** DEADLOCK *** 2 locks held by CPU 0/KVM/4113: #0: ffff99a25f294888 (&iommu->lock#2){+.+.}-{4:4}, at: vfio_dma_do_map+0x60/0x440 [vfio_iommu_type1] #1: ffff99a243a052a0 (&mm->mmap_lock){++++}-{4:4}, at: vaddr_get_pfns+0x3f/0x170 [vfio_iommu_type1] stack backtrace: CPU: 1 PID: 4113 Comm: CPU 0/KVM Not tainted 6.9.0-rc5+ #39 Hardware name: Dell Inc. PowerEdge T640/04WYPY, BIOS 2.15.1 06/16/2022 Call Trace: <TASK> dump_stack_lvl+0x64/0xa0 check_noncircular+0x131/0x150 check_prev_add+0xeb/0xcc0 ? add_chain_cache+0x10a/0x2f0 ? __lock_acquire+0x4e4/0xb90 validate_chain+0x465/0x530 __lock_acquire+0x4e4/0xb90 lock_acquire+0xbc/0x2d0 ? vfio_pci_mmap_fault+0x35/0x1a0 [vfio_pci_core] ? lock_is_held_type+0x9a/0x110 __mutex_lock+0x97/0xde0 ? vfio_pci_mmap_fault+0x35/0x1a0 [vfio_pci_core] ? lock_acquire+0xbc/0x2d0 ? vfio_pci_mmap_fault+0x35/0x1a0 [vfio_pci_core] ? find_held_lock+0x2b/0x80 ? vfio_pci_mmap_fault+0x35/0x1a0 [vfio_pci_core] vfio_pci_mmap_fault+0x35/0x1a0 [vfio_pci_core] __do_fault+0x31/0x160 do_pte_missing+0x65/0x3b0 __handle_mm_fault+0x303/0x720 handle_mm_fault+0x10f/0x460 fixup_user_fault+0x7f/0x1f0 follow_fault_pfn+0x66/0x1c0 [vfio_iommu_type1] vaddr_get_pfns+0xf2/0x170 [vfio_iommu_type1] vfio_pin_pages_remote+0x348/0x4e0 [vfio_iommu_type1] vfio_pin_map_dma+0xd2/0x330 [vfio_iommu_type1] vfio_dma_do_map+0x2c0/0x440 [vfio_iommu_type1] vfio_iommu_type1_ioctl+0xc5/0x1d0 [vfio_iommu_type1] __x64_sys_ioctl+0x8a/0xc0 do_syscall_64+0x8d/0x170 ? rcu_core+0x8d/0x250 ? __lock_release+0x5e/0x160 ? rcu_core+0x8d/0x250 ? lock_release+0x5f/0x120 ? sched_clock+0xc/0x30 ? sched_clock_cpu+0xb/0x190 ? irqtime_account_irq+0x40/0xc0 ? __local_bh_enable+0x54/0x60 ? __do_softirq+0x315/0x3ca ? lockdep_hardirqs_on_prepare.part.0+0x97/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f8300d0357b Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 75 68 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007f82ef3fb948 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8300d0357b RDX: 00007f82ef3fb990 RSI: 0000000000003b71 RDI: 0000000000000023 RBP: 00007f82ef3fb9c0 R08: 0000000000000000 R09: 0000561b7e0bcac2 R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 R13: 0000000200000000 R14: 0000381800000000 R15: 0000000000000000 </TASK> Reviewed-by: Jason Gunthorpe <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Alex Williamson <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
commit 6cd4a78 upstream. It is possible to trigger a use-after-free by: * attaching an fentry probe to __sock_release() and the probe calling the bpf_get_socket_cookie() helper * running traceroute -I 1.1.1.1 on a freshly booted VM A KASAN enabled kernel will log something like below (decoded and stripped): ================================================================== BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) Read of size 8 at addr ffff888007110dd8 by task traceroute/299 CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_report (mm/kasan/report.c:603) ? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29) bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092) bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e bpf_trampoline_6442506592+0x47/0xaf __sock_release (net/socket.c:652) __sock_create (net/socket.c:1601) ... Allocated by task 299 on cpu 2 at 78.328492s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338) kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007) sk_prot_alloc (net/core/sock.c:2075) sk_alloc (net/core/sock.c:2134) inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Freed by task 299 on cpu 2 at 78.328502s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) kasan_save_free_info (mm/kasan/generic.c:582) poison_slab_object (mm/kasan/common.c:242) __kasan_slab_free (mm/kasan/common.c:256) kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511) __sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208) inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1572) __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) __x64_sys_socket (net/socket.c:1718) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by clearing the struct socket reference in sk_common_release() to cover all protocol families create functions, which may already attached the reference to the sk object with sock_init_data(). Fixes: c5dbb89 ("bpf: Expose bpf_get_socket_cookie to tracing programs") Suggested-by: Kuniyuki Iwashima <[email protected]> Signed-off-by: Ignat Korchagin <[email protected]> Cc: [email protected] Link: https://lore.kernel.org/netdev/[email protected]/T/ Reviewed-by: Kuniyuki Iwashima <[email protected]> Reviewed-by: D. Wythe <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Paolo Abeni <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
The callee saved fp & ra are xlen size, not long size. This patch corrects the layout for the struct stackframe. echo c > /proc/sysrq-trigger Before the patch: sysrq: Trigger a crash Kernel panic - not syncing: sysrq triggered crash CPU: 0 PID: 102 Comm: sh Not tainted 6.3.0-rc1-00084-g9e2ba938797e-dirty #2 Hardware name: riscv-virtio,qemu (DT) Call Trace: ---[ end Kernel panic - not syncing: sysrq triggered crash ]--- After the patch: sysrq: Trigger a crash Kernel panic - not syncing: sysrq triggered crash CPU: 0 PID: 102 Comm: sh Not tainted 6.3.0-rc1-00084-g9e2ba938797e-dirty #1 Hardware name: riscv-virtio,qemu (DT) Call Trace: [<c00050c8>] dump_backtrace+0x1e/0x26 [<c086dcae>] show_stack+0x2e/0x3c [<c0878e00>] dump_stack_lvl+0x40/0x5a [<c0878e30>] dump_stack+0x16/0x1e [<c086df7c>] panic+0x10c/0x2a8 [<c04f4c1e>] sysrq_reset_seq_param_set+0x0/0x76 [<c04f52cc>] __handle_sysrq+0x9c/0x19c [<c04f5946>] write_sysrq_trigger+0x64/0x78 [<c020c7f6>] proc_reg_write+0x4a/0xa2 [<c01acf0a>] vfs_write+0xac/0x308 [<c01ad2b8>] ksys_write+0x62/0xda [<c01ad33e>] sys_write+0xe/0x16 [<c0879860>] do_trap_ecall_u+0xd8/0xda [<c00037de>] ret_from_exception+0x0/0x66 ---[ end Kernel panic - not syncing: sysrq triggered crash ]--- Signed-off-by: Guo Ren <[email protected]> Signed-off-by: Guo Ren <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
…s in tail_call This patch solves the 10 tail_call testing issues in test_bpf. At this point, all tests of test_bpf in BPF_JIT mode have passed. Here is the comparison between s64ilp32, s64lp64 and s32ilp32: - s64lp64 ``` ... test_bpf: Summary: 1026 PASSED, 0 FAILED, [1014/1014 JIT'ed] test_bpf: #0 Tail call leaf jited:1 188 PASS test_bpf: #1 Tail call 2 jited:1 180 PASS test_bpf: #2 Tail call 3 jited:1 203 PASS test_bpf: #3 Tail call 4 jited:1 225 PASS test_bpf: #4 Tail call load/store leaf jited:1 145 PASS test_bpf: #5 Tail call load/store jited:1 195 PASS test_bpf: #6 Tail call error path, max count reached jited:1 997 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 155563 PASS test_bpf: #8 Tail call error path, NULL target jited:1 164 PASS test_bpf: #9 Tail call error path, index out of range jited:1 136 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` - s64ilp32 ``` ... test_bpf: Summary: 1026 PASSED, 0 FAILED, [1014/1014 JIT'ed] test_bpf: #0 Tail call leaf jited:1 160 PASS test_bpf: #1 Tail call 2 jited:1 221 PASS test_bpf: #2 Tail call 3 jited:1 251 PASS test_bpf: #3 Tail call 4 jited:1 275 PASS test_bpf: #4 Tail call load/store leaf jited:1 198 PASS test_bpf: #5 Tail call load/store jited:1 262 PASS test_bpf: #6 Tail call error path, max count reached jited:1 1390 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 204492 PASS test_bpf: #8 Tail call error path, NULL target jited:1 199 PASS test_bpf: #9 Tail call error path, index out of range jited:1 168 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` - s32ilp32 ``` ... test_bpf: Summary: 1027 PASSED, 0 FAILED, [832/1015 JIT'ed] test_bpf: #0 Tail call leaf jited:1 266 PASS test_bpf: #1 Tail call 2 jited:1 409 PASS test_bpf: #2 Tail call 3 jited:1 481 PASS test_bpf: #3 Tail call 4 jited:1 537 PASS test_bpf: #4 Tail call load/store leaf jited:1 325 PASS test_bpf: #5 Tail call load/store jited:1 427 PASS test_bpf: #6 Tail call error path, max count reached jited:1 3050 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 255522 PASS test_bpf: #8 Tail call error path, NULL target jited:1 315 PASS test_bpf: #9 Tail call error path, index out of range jited:1 280 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` Actually, s64ilp32 and s64lp64 perform consistently, both in terms of the number that can be executed by JIT and execution time. while, only 80% of cases in s32ilp32 can be executed by JIT, and the execution time is also longer under the same JIT execution situation. Signed-off-by: Chen Pei <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
…s in tail_call This patch solves the 10 tail_call testing issues in test_bpf. At this point, all tests of test_bpf in BPF_JIT mode have passed. Here is the comparison between s64ilp32, s64lp64 and s32ilp32: - s64lp64 ``` ... test_bpf: Summary: 1026 PASSED, 0 FAILED, [1014/1014 JIT'ed] test_bpf: #0 Tail call leaf jited:1 188 PASS test_bpf: #1 Tail call 2 jited:1 180 PASS test_bpf: #2 Tail call 3 jited:1 203 PASS test_bpf: #3 Tail call 4 jited:1 225 PASS test_bpf: #4 Tail call load/store leaf jited:1 145 PASS test_bpf: #5 Tail call load/store jited:1 195 PASS test_bpf: #6 Tail call error path, max count reached jited:1 997 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 155563 PASS test_bpf: #8 Tail call error path, NULL target jited:1 164 PASS test_bpf: #9 Tail call error path, index out of range jited:1 136 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` - s64ilp32 ``` ... test_bpf: Summary: 1026 PASSED, 0 FAILED, [1014/1014 JIT'ed] test_bpf: #0 Tail call leaf jited:1 160 PASS test_bpf: #1 Tail call 2 jited:1 221 PASS test_bpf: #2 Tail call 3 jited:1 251 PASS test_bpf: #3 Tail call 4 jited:1 275 PASS test_bpf: #4 Tail call load/store leaf jited:1 198 PASS test_bpf: #5 Tail call load/store jited:1 262 PASS test_bpf: #6 Tail call error path, max count reached jited:1 1390 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 204492 PASS test_bpf: #8 Tail call error path, NULL target jited:1 199 PASS test_bpf: #9 Tail call error path, index out of range jited:1 168 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` - s32ilp32 ``` ... test_bpf: Summary: 1027 PASSED, 0 FAILED, [832/1015 JIT'ed] test_bpf: #0 Tail call leaf jited:1 266 PASS test_bpf: #1 Tail call 2 jited:1 409 PASS test_bpf: #2 Tail call 3 jited:1 481 PASS test_bpf: #3 Tail call 4 jited:1 537 PASS test_bpf: #4 Tail call load/store leaf jited:1 325 PASS test_bpf: #5 Tail call load/store jited:1 427 PASS test_bpf: #6 Tail call error path, max count reached jited:1 3050 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 255522 PASS test_bpf: #8 Tail call error path, NULL target jited:1 315 PASS test_bpf: #9 Tail call error path, index out of range jited:1 280 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` Actually, s64ilp32 and s64lp64 perform consistently, both in terms of the number that can be executed by JIT and execution time. while, only 80% of cases in s32ilp32 can be executed by JIT, and the execution time is also longer under the same JIT execution situation. Signed-off-by: Chen Pei <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 29, 2024
…s in tail_call This patch solves the 10 tail_call testing issues in test_bpf. At this point, all tests of test_bpf in BPF_JIT mode have passed. Here is the comparison between s64ilp32, s64lp64 and s32ilp32: - s64lp64 ``` ... test_bpf: Summary: 1026 PASSED, 0 FAILED, [1014/1014 JIT'ed] test_bpf: #0 Tail call leaf jited:1 188 PASS test_bpf: #1 Tail call 2 jited:1 180 PASS test_bpf: #2 Tail call 3 jited:1 203 PASS test_bpf: #3 Tail call 4 jited:1 225 PASS test_bpf: #4 Tail call load/store leaf jited:1 145 PASS test_bpf: #5 Tail call load/store jited:1 195 PASS test_bpf: #6 Tail call error path, max count reached jited:1 997 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 155563 PASS test_bpf: #8 Tail call error path, NULL target jited:1 164 PASS test_bpf: #9 Tail call error path, index out of range jited:1 136 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` - s64ilp32 ``` ... test_bpf: Summary: 1026 PASSED, 0 FAILED, [1014/1014 JIT'ed] test_bpf: #0 Tail call leaf jited:1 160 PASS test_bpf: #1 Tail call 2 jited:1 221 PASS test_bpf: #2 Tail call 3 jited:1 251 PASS test_bpf: #3 Tail call 4 jited:1 275 PASS test_bpf: #4 Tail call load/store leaf jited:1 198 PASS test_bpf: #5 Tail call load/store jited:1 262 PASS test_bpf: #6 Tail call error path, max count reached jited:1 1390 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 204492 PASS test_bpf: #8 Tail call error path, NULL target jited:1 199 PASS test_bpf: #9 Tail call error path, index out of range jited:1 168 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` - s32ilp32 ``` ... test_bpf: Summary: 1027 PASSED, 0 FAILED, [832/1015 JIT'ed] test_bpf: #0 Tail call leaf jited:1 266 PASS test_bpf: #1 Tail call 2 jited:1 409 PASS test_bpf: #2 Tail call 3 jited:1 481 PASS test_bpf: #3 Tail call 4 jited:1 537 PASS test_bpf: #4 Tail call load/store leaf jited:1 325 PASS test_bpf: #5 Tail call load/store jited:1 427 PASS test_bpf: #6 Tail call error path, max count reached jited:1 3050 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 255522 PASS test_bpf: #8 Tail call error path, NULL target jited:1 315 PASS test_bpf: #9 Tail call error path, index out of range jited:1 280 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` Actually, s64ilp32 and s64lp64 perform consistently, both in terms of the number that can be executed by JIT and execution time. while, only 80% of cases in s32ilp32 can be executed by JIT, and the execution time is also longer under the same JIT execution situation. Signed-off-by: Chen Pei <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 30, 2024
The callee saved fp & ra are xlen size, not long size. This patch corrects the layout for the struct stackframe. echo c > /proc/sysrq-trigger Before the patch: sysrq: Trigger a crash Kernel panic - not syncing: sysrq triggered crash CPU: 0 PID: 102 Comm: sh Not tainted 6.3.0-rc1-00084-g9e2ba938797e-dirty #2 Hardware name: riscv-virtio,qemu (DT) Call Trace: ---[ end Kernel panic - not syncing: sysrq triggered crash ]--- After the patch: sysrq: Trigger a crash Kernel panic - not syncing: sysrq triggered crash CPU: 0 PID: 102 Comm: sh Not tainted 6.3.0-rc1-00084-g9e2ba938797e-dirty #1 Hardware name: riscv-virtio,qemu (DT) Call Trace: [<c00050c8>] dump_backtrace+0x1e/0x26 [<c086dcae>] show_stack+0x2e/0x3c [<c0878e00>] dump_stack_lvl+0x40/0x5a [<c0878e30>] dump_stack+0x16/0x1e [<c086df7c>] panic+0x10c/0x2a8 [<c04f4c1e>] sysrq_reset_seq_param_set+0x0/0x76 [<c04f52cc>] __handle_sysrq+0x9c/0x19c [<c04f5946>] write_sysrq_trigger+0x64/0x78 [<c020c7f6>] proc_reg_write+0x4a/0xa2 [<c01acf0a>] vfs_write+0xac/0x308 [<c01ad2b8>] ksys_write+0x62/0xda [<c01ad33e>] sys_write+0xe/0x16 [<c0879860>] do_trap_ecall_u+0xd8/0xda [<c00037de>] ret_from_exception+0x0/0x66 ---[ end Kernel panic - not syncing: sysrq triggered crash ]--- Signed-off-by: Guo Ren <[email protected]> Signed-off-by: Guo Ren <[email protected]>
RevySR
pushed a commit
that referenced
this pull request
Jun 30, 2024
…s in tail_call This patch solves the 10 tail_call testing issues in test_bpf. At this point, all tests of test_bpf in BPF_JIT mode have passed. Here is the comparison between s64ilp32, s64lp64 and s32ilp32: - s64lp64 ``` ... test_bpf: Summary: 1026 PASSED, 0 FAILED, [1014/1014 JIT'ed] test_bpf: #0 Tail call leaf jited:1 188 PASS test_bpf: #1 Tail call 2 jited:1 180 PASS test_bpf: #2 Tail call 3 jited:1 203 PASS test_bpf: #3 Tail call 4 jited:1 225 PASS test_bpf: #4 Tail call load/store leaf jited:1 145 PASS test_bpf: #5 Tail call load/store jited:1 195 PASS test_bpf: #6 Tail call error path, max count reached jited:1 997 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 155563 PASS test_bpf: #8 Tail call error path, NULL target jited:1 164 PASS test_bpf: #9 Tail call error path, index out of range jited:1 136 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` - s64ilp32 ``` ... test_bpf: Summary: 1026 PASSED, 0 FAILED, [1014/1014 JIT'ed] test_bpf: #0 Tail call leaf jited:1 160 PASS test_bpf: #1 Tail call 2 jited:1 221 PASS test_bpf: #2 Tail call 3 jited:1 251 PASS test_bpf: #3 Tail call 4 jited:1 275 PASS test_bpf: #4 Tail call load/store leaf jited:1 198 PASS test_bpf: #5 Tail call load/store jited:1 262 PASS test_bpf: #6 Tail call error path, max count reached jited:1 1390 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 204492 PASS test_bpf: #8 Tail call error path, NULL target jited:1 199 PASS test_bpf: #9 Tail call error path, index out of range jited:1 168 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` - s32ilp32 ``` ... test_bpf: Summary: 1027 PASSED, 0 FAILED, [832/1015 JIT'ed] test_bpf: #0 Tail call leaf jited:1 266 PASS test_bpf: #1 Tail call 2 jited:1 409 PASS test_bpf: #2 Tail call 3 jited:1 481 PASS test_bpf: #3 Tail call 4 jited:1 537 PASS test_bpf: #4 Tail call load/store leaf jited:1 325 PASS test_bpf: #5 Tail call load/store jited:1 427 PASS test_bpf: #6 Tail call error path, max count reached jited:1 3050 PASS test_bpf: #7 Tail call count preserved across function calls jited:1 255522 PASS test_bpf: #8 Tail call error path, NULL target jited:1 315 PASS test_bpf: #9 Tail call error path, index out of range jited:1 280 PASS test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed] ... test_bpf: test_skb_segment: Summary: 2 PASSED, 0 FAILED ``` Actually, s64ilp32 and s64lp64 perform consistently, both in terms of the number that can be executed by JIT and execution time. while, only 80% of cases in s32ilp32 can be executed by JIT, and the execution time is also longer under the same JIT execution situation. Signed-off-by: Chen Pei <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.