[PATCH v2 1/2] ARM64: arch_timer: Work around QorIQ Erratum A-008585
Marc Zyngier
marc.zyngier at arm.com
Mon Jun 27 06:13:33 PDT 2016
On 22/06/16 02:45, Scott Wood wrote:
> On Fri, 2016-05-13 at 11:24 +0100, Marc Zyngier wrote:
>> On Thu, 12 May 2016 23:37:39 -0500
>> Scott Wood <oss at buserror.net> wrote:
>>
>> Hi Scott,
>>
>>> Erratum A-008585 says that the ARM generic timer counter "has the
>>> potential to contain an erroneous value for a small number of core
>>> clock cycles every time the timer value changes". Accesses to TVAL
>>> (both read and write) are also affected due to the implicit counter
>>> read. Accesses to CVAL are not affected.
>>>
>>> The workaround is to reread TVAL and count registers until successive
>>> reads
>>> return the same value, and when writing TVAL to retry until counter
>>> reads before and after the write return the same value.
>>>
>>> This erratum can be found on LS1043A and LS2080A.
>>>
>>> Signed-off-by: Scott Wood <oss at buserror.net>
>>> ---
>>> v2:
>>> Significant rework based on feedback, including using static_key,
>>> disabling VDSO counter access rather than adding the workaround to the
>>> VDSO, and uninlining the loops.
>>>
>>> Dropped the separate property for indicating that writes to TVAL are
>>> affected, as I believe that's just a side effect of the implicit
>>> counter read being corrupted, and thus a chip that is affected by one
>>> will always be affected by the other.
>>>
>>> Dropped the arm32 portion as it seems there was confusion about whether
>>> LS1021A is affected. Currently I am being told that it is not
>>> affected.
>>>
>>> I considered writing to CVAL rather than looping on TVAL writes, but
>>> that would still have required separate set_next_event() code for the
>>> erratum, and adding CVAL to the enum would have required a bunch of
>>> extra handlers in switch statements (even where unused, due to compiler
>>> warnings about unhandled enum values) including in an arm32 header. It
>>> seemed better to avoid the arm32 interaction and new untested
>>> accessors.
>>> ---
>>> .../devicetree/bindings/arm/arch_timer.txt | 6 ++
>>> arch/arm64/include/asm/arch_timer.h | 37 +++++--
>>> drivers/clocksource/arm_arch_timer.c | 110
>>> +++++++++++++++++++++
>>> 3 files changed, 144 insertions(+), 9 deletions(-)
>>>
>>> diff --git a/Documentation/devicetree/bindings/arm/arch_timer.txt
>>> b/Documentation/devicetree/bindings/arm/arch_timer.txt
>>> index e774128..ef5fbe9 100644
>>> --- a/Documentation/devicetree/bindings/arm/arch_timer.txt
>>> +++ b/Documentation/devicetree/bindings/arm/arch_timer.txt
>>> @@ -25,6 +25,12 @@ to deliver its interrupts via SPIs.
>>> - always-on : a boolean property. If present, the timer is powered
>>> through an
>>> always-on power domain, therefore it never loses context.
>>>
>>> +- fsl,erratum-a008585 : A boolean property. Indicates the presence of
>>> + QorIQ erratum A-008585, which says that reading the counter is
>>> + unreliable unless the same value is returned by back-to-back reads.
>>> + This also affects writes to the tval register, due to the implicit
>>> + counter read.
>>> +
>>> ** Optional properties:
>>>
>>> - arm,cpu-registers-not-fw-configured : Firmware does not initialize
>>
>> This should be part of a separate patch. Also, errata should be
>> documented in Documentation/arm64/silicon-errata.txt.
>
> Oh right, forgot.
>
>>> +extern struct static_key_false arch_timer_read_ool_enabled;
>>> +
>>> +#define ARCH_TIMER_REG_READ(reg, func) \
>>> +extern u64 func##_ool(void); \
>>> +static inline u64 __##func(void) \
>>> +{ \
>>> + u64 val; \
>>> + asm volatile("mrs %0, " reg : "=r" (val)); \
>>> + return val; \
>>> +} \
>>> +static inline u64 _##func(void) \
>>> +{ \
>>> + if (static_branch_unlikely(&arch_timer_read_ool_enabled)) \
>>> + return func##_ool(); \
>>> + else \
>>> + return __##func(); \
>>> +}
>>> +
>>> +ARCH_TIMER_REG_READ("cntp_tval_el0", arch_timer_get_ptval)
>>> +ARCH_TIMER_REG_READ("cntv_tval_el0", arch_timer_get_vtval)
>>> +ARCH_TIMER_REG_READ("cntvct_el0", arch_counter_get_cntvct)
>>> +
>>
>> Given that this will have a (small) impact on non-affected platforms,
>> it'd be good to have this guarded by a erratum-specific config option
>> (CONFIG_FSL_ERRATUM_008585?) and turn it into trivial accessors when not
>> defined.
>
> OK.
>
>>
>>> /*
>>> * These register accessors are marked inline so the compiler can
>>> * nicely work out which register we want, and chuck away the rest of
>>> @@ -66,19 +89,19 @@ u32 arch_timer_reg_read_cp15(int access, enum
>>> arch_timer_reg reg)
>>> if (access == ARCH_TIMER_PHYS_ACCESS) {
>>> switch (reg) {
>>> case ARCH_TIMER_REG_CTRL:
>>> - asm volatile("mrs %0, cntp_ctl_el0" : "=r"
>>> (val));
>>> + asm volatile("mrs %0, cntp_ctl_el0" : "=r"
>>> (val));
>>
>> Spurious change?
>
> The extra spacing seemed to be an attempt to get things to line up between the
> CTRL and TVAL asm statements. When the TVAL case was converted to a function
> call, there was nothing for the above to line up with, so I moved it back to
> normal spacing.
>
>>> +{
>>> + u64 cval_old, cval_new;
>>> + int timeout = 200;
>>
>> Can we have a comment on how this value has been chosen?
>
> It's an arbitrary value well beyond the point at which we've seen it fail.
So can we please have a comment *in the code* that explains how this
value has been picked?
>
>>> @@ -232,6 +274,50 @@ static __always_inline void set_next_event(const int
>>> access, unsigned long evt,
>>> arch_timer_reg_write(access, ARCH_TIMER_REG_CTRL, ctrl, clk);
>>> }
>>>
>>> +#ifdef CONFIG_ARM64
>>> +static __always_inline void rewrite_tval(const int access,
>>> + unsigned long evt, struct clock_event_device *clk)
>>> +{
>>> + u64 cval_old, cval_new;
>>> + int timeout = 200;
>>> +
>>> + do {
>>> + cval_old = __arch_counter_get_cntvct();
>>> + arch_timer_reg_write(access, ARCH_TIMER_REG_TVAL, evt,
>>> clk);
>>> + cval_new = __arch_counter_get_cntvct();
>>
>> Don't you need to guarantee the order of accesses here?
>
> I'm not 100% sure. The erratum workaround sample code doesn't show any
> barriers, and adding more barriers could make it harder for the loop to
> successfully complete. There's already a barrier after the write, so the only
> concern should be whether the timer read could be reordered after the timer
> write, which could cause the loop to exit even if the write was bad. Do you
> know if A53 or A57 will reorder a counter read relative to a tval write?
I can't see any absolute guarantee that they wouldn't be reordered (but
I have no insight on the micro-architecture either). I'd rather err on
the side of caution here.
>
>>> +#endif /* ARM64 */
>>> +
>>> static int arch_timer_set_next_event_virt(unsigned long evt,
>>> struct clock_event_device *clk)
>>> {
>>> @@ -277,6 +363,13 @@ static void __arch_timer_setup(unsigned type,
>>> clk->set_state_shutdown =
>>> arch_timer_shutdown_virt;
>>> clk->set_state_oneshot_stopped =
>>> arch_timer_shutdown_virt;
>>> clk->set_next_event =
>>> arch_timer_set_next_event_virt;
>>> +
>>> +#ifdef CONFIG_ARM64
>>> + if
>>> (static_branch_unlikely(&arch_timer_read_ool_enabled))
>>> + clk->set_next_event =
>>> + arch_timer_set_next_event_virt_er
>>> rata;
>>
>> On the same line, please.
>
> I was trying to avoid going beyond 80 columns.
Please ignore what checkpatch says. Readability is more important (and
I've given up using a vintage vt100...).
>
>>> @@ -485,6 +585,13 @@ static void __init arch_counter_register(unsigned
>>> type)
>>> arch_timer_read_counter =
>>> arch_counter_get_cntvct;
>>> else
>>> arch_timer_read_counter =
>>> arch_counter_get_cntpct;
>>> +
>>> + /*
>>> + * Don't use the vdso fastpath if errata require using
>>> + * the out-of-line counter accessor.
>>> + */
>>> + if (static_branch_unlikely(&arch_timer_read_ool_enabled))
>>> + clocksource_counter.name =
>>> "arch_sys_counter_ool";
>>
>> This looks really ugly. How about telling the vdso subsystem directly?
>> Will, do you have a preference?
>
> I was following the example set by "arch_mem_counter".
The right thing should probably be to use a flag in the clocksource
structure to mark it as "suitable for vdso", but I guess we can fix that
in a subsequent patch.
>
>>> } else {
>>> arch_timer_read_counter = arch_counter_get_cntvct_mem;
>>>
>>> @@ -763,6 +870,9 @@ static void __init arch_timer_of_init(struct
>>> device_node *np)
>>>
>>> arch_timer_c3stop = !of_property_read_bool(np, "always-on");
>>>
>>> + if (of_property_read_bool(np, "fsl,erratum-a008585"))
>>> + static_branch_enable(&arch_timer_read_ool_enabled);
>>> +
>>> /*
>>> * If we cannot rely on firmware initializing the timer registers
>>> then
>>> * we should use the physical timers instead.
>>
>> An outstanding question is how we're going to deal with this in KVM,
>> because a guest absolutely needs to know about it (I can definitely see
>> time jumping in guests running on a LS2080).
>
> The property will need to be in the guest's device tree. I'm not too familiar
> with how KVM handles device trees on arm... From looking at the QEMU source
> it seems that the dtb is passed in by the user. So either that dtb will need
> the erratum property in it, or QEMU (and KVM tool?) would need to patch it
> into the guest dtb based on seeing the property in /proc/device-tree.
There is no guarantee that the host device tree is always accessible to
userspace. So we're probably looking at requiring a new KVM device API
that would expose the timer properties, one of them being this erratum.
That's certainly going to be fun to handle.
Thanks,
M.
--
Jazz is not dead. It just smells funny...
More information about the linux-arm-kernel
mailing list