    powerpc/8xx: Fix kernel DTLB miss on dcbz · 8956c582
    Christophe Leroy authored
    The following OOPS is encountered while loading the test_bpf module
    on powerpc 8xx:
    
    [  218.835567] BUG: Unable to handle kernel data access on write at 0xcb000000
    [  218.842473] Faulting instruction address: 0xc0017a80
    [  218.847451] Oops: Kernel access of bad area, sig: 11 [#1]
    [  218.852854] BE PAGE_SIZE=16K PREEMPT CMPC885
    [  218.857207] SAF3000 DIE NOTIFICATION
    [  218.860713] Modules linked in: test_bpf(+) test_module
    [  218.865867] CPU: 0 UID: 0 PID: 527 Comm: insmod Not tainted 6.11.0-s3k-dev-09856-g3de3d71ae2e6-dirty #1280
    [  218.875546] Hardware name: MIAE 8xx 0x500000 CMPC885
    [  218.880521] NIP:  c0017a80 LR: beab859c CTR: 000101d4
    [  218.885584] REGS: cac2bc90 TRAP: 0300   Not tainted  (6.11.0-s3k-dev-09856-g3de3d71ae2e6-dirty)
    [  218.894308] MSR:  00009032 <EE,ME,IR,DR,RI>  CR: 55005555  XER: a0007100
    [  218.901290] DAR: cb000000 DSISR: c2000000
    [  218.901290] GPR00: 000185d1 cac2bd50 c21b9580 caf7c030 c3883fcc 00000008 cafffffc 00000000
    [  218.901290] GPR08: 00040000 18300000 20000000 00000004 99005555 100d815e ca669d08 00000369
    [  218.901290] GPR16: ca730000 00000000 ca2c004c 00000000 00000000 0000035d 00000311 00000369
    [  218.901290] GPR24: ca732240 00000001 00030ba3 c3800000 00000000 00185d48 caf7c000 ca2c004c
    [  218.941087] NIP [c0017a80] memcpy+0x88/0xec
    [  218.945277] LR [beab859c] test_bpf_init+0x22c/0x3c90 [test_bpf]
    [  218.951476] Call Trace:
    [  218.953916] [cac2bd50] [beab8570] test_bpf_init+0x200/0x3c90 [test_bpf] (unreliable)
    [  218.962034] [cac2bde0] [c0004c04] do_one_initcall+0x4c/0x1fc
    [  218.967706] [cac2be40] [c00a2ec4] do_init_module+0x68/0x360
    [  218.973292] [cac2be60] [c00a5194] init_module_from_file+0x8c/0xc0
    [  218.979401] [cac2bed0] [c00a5568] sys_finit_module+0x250/0x3f0
    [  218.985248] [cac2bf20] [c000e390] system_call_exception+0x8c/0x15c
    [  218.991444] [cac2bf30] [c00120a8] ret_from_syscall+0x0/0x28
    
    This happens in the main loop of memcpy()
    
      ==>	c0017a80:	7c 0b 37 ec 	dcbz    r11,r6
    	c0017a84:	80 e4 00 04 	lwz     r7,4(r4)
    	c0017a88:	81 04 00 08 	lwz     r8,8(r4)
    	c0017a8c:	81 24 00 0c 	lwz     r9,12(r4)
    	c0017a90:	85 44 00 10 	lwzu    r10,16(r4)
    	c0017a94:	90 e6 00 04 	stw     r7,4(r6)
    	c0017a98:	91 06 00 08 	stw     r8,8(r6)
    	c0017a9c:	91 26 00 0c 	stw     r9,12(r6)
    	c0017aa0:	95 46 00 10 	stwu    r10,16(r6)
    	c0017aa4:	42 00 ff dc 	bdnz    c0017a80 <memcpy+0x88>
    
    Commit ac9f97ff ("powerpc/8xx: Inconditionally use task PGDIR in
    DTLB misses") relies on re-reading the DAR register to know if an error is
    due to a missing copy of a PMD entry in the task's PGDIR, although DAR
    was already read in the exception prolog and copied into the thread
    struct. This is because it is done very early in the exception and
    there are not enough registers available to keep a pointer to the thread
    struct.
    
    However, the dcbz instruction is buggy and doesn't update the DAR register on
    fault. That is detected and generates a call to the FixupDAR workaround,
    which updates the DAR copy in the thread struct but doesn't fix the DAR register.
    
    Let's fix DAR in addition to the update of DAR copy in thread struct.
    
    Fixes: ac9f97ff ("powerpc/8xx: Inconditionally use task PGDIR in DTLB misses")
    Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/2b851399bd87e81c6ccb87ea3a7a6b32c7aa04d7.1728118396.git.christophe.leroy@csgroup.eu