kernel – Page 9

How we found that the Linux nios2 memset() implementation had a bug!

NIOS II processor NiosII is a 32-bit RISC embedded processor architecture designed by Altera, for its family of FPGAs: Cyclone III, Cyclone IV, etc. Being a soft-core architecture, by using Altera’s Quartus Prime design software, you can adjust the CPU configuration to your needs and instantiate it into the FPGA. You can customize various parameters like the instruction or the data cache size, enable/disable the MMU, enable/disable an FPU, and so on. And for us embedded Linux engineers, a very interesting aspect is that both the Linux kernel and the U-Boot bootloader, in their official versions, support the NIOS II architecture.

Recently, one of our customers designed a custom NIOS II platform, and we are working on porting the mainline U-Boot bootloader and the mainline Linux kernel to this platform. The U-Boot porting went fine, and quickly allowed us to load and start a Linux kernel. However, the Linux kernel was crashing very early with:

[    0.000000] Linux version 4.5.0-00007-g1717be9-dirty (rperier@archy) (gcc version 4.9.2 (Altera 15.1 Build 185) ) #74 PREEMPT Fri Apr 22 17:43:22 CEST 2016
[    0.000000] bootconsole [early0] enabled
[    0.000000] early_console initialized at 0xe3080000
[    0.000000] BUG: failure at mm/bootmem.c:307/__free()!
[    0.000000] Kernel panic - not syncing: BUG!

This BUG() comes from the __free() function in mm/bootmem.c. The bootmem allocator is a simple page-based allocator used very early in the Linux kernel initialization for the very first allocations, even before the regular buddy page allocator and other allocators such as kmalloc are available. We were slightly surprised to hit a BUG in a generic part of the kernel, and immediately suspected some platform-specific issue, like an invalid load address for our kernel, or invalid link address, or other ideas like this. But we quickly came to the conclusion that everything was looking good on that side, and so we went on to actually understand what this BUG was all about.

The NIOS II memory initialization code in arch/nios2/kernel/setup.c does the following:

bootmap_size = init_bootmem_node(NODE_DATA(0),
                                 min_low_pfn, PFN_DOWN(PHYS_OFFSET),
                                 max_low_pfn);
[...]
free_bootmem(memory_start, memory_end - memory_start);

The first call init_bootmem_node() initializes the bootmem allocator, which primarily consists in allocating a bitmap, with one bit per page. The entire bootmem bitmap is set to 0xff via a memset() during this initialization:

static unsigned long __init init_bootmem_core(bootmem_data_t *bdata,
        unsigned long mapstart, unsigned long start, unsigned long end)
{
        [...]
        mapsize = bootmap_bytes(end - start);
        memset(bdata->node_bootmem_map, 0xff, mapsize);
        [...]
}

After doing the bootmem initialization, the NIOS II architecture code calls free_bootmem() to mark all the memory pages as available, except the ones that contain the kernel itself. To achieve this, the __free() function (which is the one triggering the BUG) clears the bits corresponding to the page to be marked as free. When clearing those bits, the function checks that the bit was previously set, and if it’s not the case, fires the BUG:

static void __init __free(bootmem_data_t *bdata,
                        unsigned long sidx, unsigned long eidx)
{
        [...]
        for (idx = sidx; idx < eidx; idx++)
                if (!test_and_clear_bit(idx, bdata->node_bootmem_map))
                        BUG();
}

So to summarize, we were in a situation where a bitmap is memset to 0xff, but almost immediately afterwards, a function that clears some bits finds that some of the bits are already cleared. Sounds odd, doesn’t it?

We started by double checking that the address of the bitmap was the same between the initialization function and the __free function, verifying that the code was not overwriting the bitmap, and other obvious issues. But everything looked alright. So we simply dumped the bitmap after it was initialized by memset to 0xff, and to our great surprise, we found that the bitmap was in fact initialized with the pattern 0xff00ff00 and not 0xffffffff. This obviously explained why we were hitting this BUG(): simply because the buffer was not properly initialized. At first, we really couldn’t believe this: how it is possible that something as essential as memset() in Linux was not doing its job properly?

On the NIOS II platform, memset() has an architecture-specific implementation, available in arch/nios2/lib/memset.c. For buffers smaller than 8 bytes, this memset implementation uses a simple naive loop, iterating byte by byte. For larger buffers, it uses a more optimized implementation, using inline assembly. This implementation copies data per blocks of 4-bytes rather than 1 byte to speed-up the memset.

We quickly tested a workaround that consisted in using the naive implementation for all buffer sizes, and it solved the problem: we had a booting kernel, all the way to the point where it mounts a root filesystem! So clearly, it’s the optimized implementation in assembly that had a bug.

After some investigation, we found out that the bug was in the very first instructions of the assembly code. The following piece of assembly is supposed to create a 4-byte value that repeats 4 times the 1-byte pattern passed as an argument to memset:

/* fill8 %3, %5 (c & 0xff) */
"       slli    %4, %5, 8\n"
"       or      %4, %4, %5\n"
"       slli    %3, %4, 16\n"
"       or      %3, %3, %4\n"

This code takes as input in %5 the one-byte pattern, and is supposed to return in %3 the 4-byte pattern. It goes through the following logic:

Stores in %4 the initial pattern shifted left by 8 bits. Provided an initial pattern of 0xff, %4 should now contain 0xff00
Does a logical or between %4 and %5, which leads to %4 containing 0xffff
Stores in %3 the 2-byte pattern shifted left by 16 bits. %3 should now contain 0xffff0000.
Does a logical or between code>%3 and %4, i.e between 0xffff0000 and 0xffff, which gives the expected 4-byte pattern 0xffffffff

When you look at the source code, it looks perfectly fine, so our source code review didn’t spot the problem. However, when looking at the actual compiled code disassembled, we got:

34:	280a923a 	slli	r5,r5,8
38:	294ab03a 	or	r5,r5,r5
3c:	2808943a 	slli	r4,r5,16
40:	2148b03a 	or	r4,r4,r5

Here r5 gets used for both %4 and %5. Due to this, the final pattern stored in r4 is 0xff00ff00 instead of the expected 0xffffffff.

Now, if we take a look at the output operands, %4 is defined with the "=r" constraint, i.e an output operand. How to prevent the compiler from re-using the corresponding register for another operand? As explained in this document, "=r" does not prevent gcc from using the same register for an output operand (%4) and input operand (%5). By adding the constrainst & (in addition to "=r"), we tell the compiler that the register associated with the given operand is an output-only register, and so, cannot be used with an input operand.

With this change, we get the following assembly output:

34:	2810923a 	slli	r8,r5,8
38:	4150b03a 	or	r8,r8,r5
3c:	400e943a 	slli	r7,r8,16
40:	3a0eb03a 	or	r7,r7,r8

Which is much better, and correctly produces the 0xffffffff pattern when 0xff is provided as the initial 1-byte pattern to memset.

In the end, the final patch only adds one character to adjust the inline assembly constraint and gets the proper behavior from gcc:

diff --git a/arch/nios2/lib/memset.c b/arch/nios2/lib/memset.c
index c2cfcb1..2fcefe7 100644
--- a/arch/nios2/lib/memset.c
+++ b/arch/nios2/lib/memset.c
@@ -68,7 +68,7 @@ void *memset(void *s, int c, size_t count)
 		  "=r" (charcnt),	/* %1  Output */
 		  "=r" (dwordcnt),	/* %2  Output */
 		  "=r" (fill8reg),	/* %3  Output */
-		  "=r" (wrkrega)	/* %4  Output */
+		  "=&r" (wrkrega)	/* %4  Output only */
 		: "r" (c),		/* %5  Input */
 		  "0" (s),		/* %0  Input/Output */
 		  "1" (count)		/* %1  Input/Output */

This patch was sent upstream to the NIOS II kernel maintainers:
[PATCH v2] nios2: memset: use the right constraint modifier for the %4 output operand, and has already been applied by the NIOS II maintainer.

We were quite surprised to find a bug in some common code for the NIOS II architecture: we were assuming it would have already been tested on enough platforms and with enough compilers/situations to not have such issues. But all in all, it was a fun debugging experience!

It is worth mentioning that in addition to this bug, we found another bug affecting NIOS II platforms, in the asm-generic implementation of the futex_atomic_cmpxchg_inatomic() function, which was causing some preemption imbalance warnings during the futex subsystem initialization. We also sent a patch for this problem, which has also been applied already.

Bootlin engineer Boris Brezillon becomes Linux NAND subsystem maintainer

Bootlin engineer Boris Brezillon has been involved in the support for NAND flashes in the Linux kernel for quite some time. He is the author of the NAND driver for the Allwinner ARM processors, did several improvements to the NAND GPMI controller driver, has initiated a significant rework of the NAND subsystem, and is working on supporting MLC NANDs. Boris is also very active on the linux-mtd mailing list by reviewing patches from others, and making suggestions.

Hynix NAND flash

For those reasons, Boris was recently appointed by the MTD maintainer Brian Norris as a new maintainer of the NAND subsystem. NAND is considered a sub-subsystem of the MTD subsystem, and as such, Boris will be sending pull requests to Brian, who in turn is sending pull requests to Linus Torvalds. See this commit for the addition of Boris as a NAND maintainer in the MAINTAINERS file. Boris will therefore be in charge of reviewing and merging all the patches touching drivers/mtd/nand/, which consist mainly of NAND drivers. Boris has created a nand/next branch on Github, where he has already merged a number of patches that will be pushed to Brian Norris during the 4.7 merge window.

We are happy to see one of our engineers taking another position as a maintainer in the kernel community. Maxime Ripard was already a co-maintainer of the Allwinner ARM platform support, Alexandre Belloni a co-maintainer of the RTC subsystem and Atmel ARM platform support, Grégory Clement a co-maintainer of the Marvell EBU platform support, and Antoine Ténart a co-maintainer of the Annapurna Labs platform support.

Bootlin contributions to Linux 4.5

Adelie Penguin Linus Torvalds just released Linux 4.5, for which the major new features have been described by LWN.net in three articles: part 1, part 2 and part 3. On a total of 12080 commits, Bootlin contributed 121 patches, almost exactly 1% of the total. Due to its large number of contribution by patch number, Bootlin engineer Boris Brezillon appears in the statistics of top-contributors for the 4.5 kernel in the LWN.net statistics article.

This time around, our important contributions were:

Addition of a driver for the Microcrystal rv1805 RTC, by Alexandre Belloni.
A huge number of patches touching all NAND controller drivers and the MTD subsystem, from Boris Brezillon. They are the first step of a more general rework of how NAND controllers and NAND chips are handled in the Linux kernel. As Boris explains in the cover letter, his series aims at clarifying the relationship between the mtd and nand_chip structures and hiding NAND framework internals to NAND. […]. This allows removal of some of the boilerplate code done in all NAND controller drivers, but most importantly, it unifies a bit the way NAND chip structures are instantiated.
On the support for the Marvell ARM processors:
- In the mvneta networking driver (used on Armada 370, XP, 38x and soon on Armada 3700): addition of naive RSS support with per-CPU queues, configure XPS support, numerous fixes for potential race conditions.
- Fix in the Marvell CESA driver
- Misc improvements to the mv_xor driver for the Marvell XOR engines.
- After four years of development the 32-bits Marvell EBU platform support is now pretty mature and the majority of patches for this platform now are improvements of existing drivers or bug fixes rather than new hardware support. Of course, the support for the 64-bits Marvell EBU platform has just started, and will require a significant number of patches and contributions to be fully supported upstream, which is an on-going effort.
On the support for the Atmel ARM processors:
- Addition of the support for the L+G VInCo platform.
- Improvement to the macb network driver to reset the PHY using a GPIO.
- Fix Ethernet PHY issues on Atmel SAMA5D4
On the support for Allwinner ARM processors:
- Implement audio capture in the sun4i audio driver.
- Add the support for a special pin controller available on Allwinner A80.

The complete list of our contributions:

Bootlin contributing Linux kernel initial support for Annapurna Labs ARM64 Platform-on-Chip

We are happy to announce that on February 8th 2016 we submitted to the mainline Linux kernel the initial support for Annapurna Labs Alpine v2 Platform-on-Chip based on the 64-bit ARMv8 architecture.

See our patch series:

Annapurna Labs was founded in 2011 in Israel. Annapurna Labs provides 32-bit and 64-bit ARM products including chips and subsystems under the Alpine brand for the home NAS, Gateway and WiFi router equipment, see this page for details. The 32-bit version already has support in the official Linux kernel (see alpine.dtsi), and we have started to add support for the quad core 64-bit version, called Alpine v2, which brings significant performance for the home.

This is our initial contribution and we plan to follow it with additional Alpine v2 functionality in the near future.

“Porting Linux on ARM” seminar road show in France

In December 2015, Bootlin engineer Alexandre Belloni gave a half-day seminar “Porting Linux on ARM” in Toulouse (France) in partnership with french organization Captronic. We published the materials used for the seminar shortly after the event.

We are happy to announce that this seminar will be given in four different cities in France over the next few months:

In Montpellier, on April 14th from 2 PM to 6 PM. See this page for details.
In Clermont-Ferrand, on April 27th from 2 PM to 6 PM. See this page for details.
In Brive, on April 28th from 9 AM to 1 PM. See this page for details.
Near Chambéry, on May 25th from 9:30 AM to 5/30 PM. See this page for details.
Near Bordeaux, on June 2nd from 2 PM to 6 PM. See this page for details.
Near Nancy, on June 16th from 2 PM to 6 PM. See this page for details.

The seminar is delivered in French, and the event is free after registration. The speaker, Alexandre Belloni, has worked on porting botloaders and the Linux kernel on a number of ARM platforms (Atmel, Freescale, Texas Instruments and more) and is the Linux kernel co-maintainer for the RTC subsystem and the support of the Atmel ARM processors.

Bootlin speaking at the Linux Collaboration Summit

Bootlin engineers are regular speakers at the Embedded Linux Conference and Embedded Linux Conference Europe events from the Linux Foundation, to which our entire engineering team participates each year.

In 2016, for the first time, we will also be speaking at the Collaboration Summit, an invitation-only event where, as the Linux Foundation presents it, “the world’s thought leaders in open source software and collaborative development convene to share best practices and learn how to manage the largest shared technology investments of our time”.

Collaboration Summit 2016

This event will take place on March 29-31 in Lake Tahoe, California, and the event schedule has been published recently. Bootlin CTO Thomas Petazzoni will be giving a talk Upstreaming hardware support in the Linux kernel: why and how?, during which we will share our experience working with HW manufacturers to bring the support for their hardware to the upstream Linux kernel, discuss the benefits of upstreaming, and best practices to work with upstream.

With a small team of engineers, Bootlin has merged over the last few years thousands of patches in the official Linux kernel, and has several of its engineers having maintainer positions in the Linux kernel community. We are happy to take the opportunity of the Collaboration Summit to share some of our experience, and hopefully encourage and help other companies to participate upstream.

Initial support for ARM64 Marvell Armada 7K/8K platform

Two weeks ago, we submitted the initial support for the Marvell Armada 3700, which was the first ARM64 platform that Bootlin engineers contributed to the upstream Linux kernel.

Today, we submitted initial support for another Marvell ARM64 platform, the Armada 7K and Armada 8K platform. Compared to the Armada 3700, the Armada 7K and 8K are much more on the high-end side: they use a dual Cortex-A72 or a quad Cortex-A72, as opposed to the Cortex-A53 for the Armada 3700.

The Armada 7K and 8K also use a fairly unique architecture, internally they are composed of several components:

One AP (Application Processor), which contains the processor itself and a few core hardware blocks. The AP used in the Armada 7K and 8K is called AP806, and is available in two configurations: dual Cortex-A72 and quad Cortex-A72.
One or two CP (Communication Processor), which contain most of the I/O interfaces (SATA, PCIe, Ethernet, etc.). The 7K family chips have one CP, while the 8K family chips integrate two CPs, providing two times the number of I/O interfaces available in the CP. The CP used in the 7K and 8K is called CP110.

All in all, this gives the following combinations:

Armada 7020, which is a dual Cortex-A72 with one CP
Armada 7040, which is a quad Cortex-A72 with one CP
Armada 8020, which is a dual Cortex-A72 with two CPs
Armada 8040, which is a quad Cortex-A72 with two CPs

So far, we submitted initial support only for the AP806 part of the chip, with the following patch series:

[PATCH 0/3] clk: mvebu: initial support for AP806 clocks, adding two new clock drivers for the main clocks of the AP806
[PATCH] irqchip: irq-mvebu-odmi: new driver, adding a new irqchip driver to control a MSI controller that can be used by on-board devices
[PATCH] dma: mv_xor_v2: new driver, adding a new dmaengine driver to accelerate copy and XOR operations, used mainly for RAID5
[PATCH 0/5] arm64: Initial support for Marvell Armada 7K/8K, adding the initial support for the platform itself, with mainly the Device Tree files

We will continue to submit more and more patches to support other features of the Armada 7K and 8K processors in the near future.

Bootlin contributes Linux support for a first ARM64 platform: Marvell Armada 3700

Over the last years, Bootlin has become a strong participant to the Linux ARM kernel community, with our engineers upstreaming support for numerous ARM 32 bits platforms.

Now, with ARM64 becoming more and more mainstream, our focus in 2016 will shift towards this architecture, and we’re happy to announce that we have recently contributed to the upstream Linux kernel the initial support for our first ARM64 architecture: the Marvell Armada 3700.

This new SoC from Marvell is available in single-core and dual-core Cortex-A53 configurations, and features a wide range of peripherals: 2 Gigabit Ethernet controllers, USB 3.0 and 2.0, SATA, PCIe interfaces, DMA engines for XOR acceleration, and of course the usual SPI, I2C, UART, GPIO, SDIO interfaces. For more details, see the Product Brief.

So far, we have sent a patch series adding minimal support for this platform:

A UART driver, since this SoC uses a new specific UART controller
Small changes to an AHCI driver to support SATA.
The Device Tree files describing the SoC and the currently available development board. So far, only the CPU, timers, UART0, USB 3.0, SATA and GIC interrupt controllers are described.

A second version of the patch series was sent a few days later, in order to address comments received during the review.

It is worth mentioning that this SoC was publicly announced in a press release on January 6 2016, and we’ve been able to send the initial support patches on February 2, 2016, less than a month later.

We’ll be progressively submitting support for all the other hardware blocks of the Armada 3700, and also be announcing soon our development efforts on several other ARM64 platforms.

2016 Q1 newsletter

The Bootlin team wishes you a Happy New Year for 2016, with many new bits to enjoy in your life!

Bootlin is happy to take this opportunity to share some news about the latest training and contribution activities of the company.

Bootlin work on the $9 computer

As announced in our previous newsletter, Bootlin has been working intensively on developing the low-level software support for the first $9 computer, the C.H.I.P by Next Thing Co.

Next Thing Co. has successfully delivered an initial batch of platforms in September to the early adopters, and has started shipping the final products in December to thousands of Kickstarter supporters.

Those products are using the U-Boot and Linux kernel ported by Bootlin engineers, with numerous patches submitted to the official projects and more to be submitted in the coming weeks and months:

Support for the C.H.I.P platform itself, in U-Boot and in the Linux kernel;
Support for audio on Allwinner platforms added to the Linux kernel;
Development of a DRM/KMS driver for the graphics controller found on Allwinner platforms;
Significant research effort on finding appropriate solutions to support Multi-Level Cell NANDs in the Linux kernel;
Enabling of the NAND storage in Single-Level Cell mode, until the Multi-Level Cell mode can be enabled reliably;
Addition of NAND support in the fastboot implementation of U-Boot, which is used to reflash the C.H.I.P.

We will continue to work on the C.H.I.P over the next months, with among other things more work on the graphics side and the NAND side.

Kernel contributions

The primary focus of the majority of our customer projects remain the Linux kernel, to which we continue to contribute very significantly.

Linux 4.2

We contributed 203 patches to this release, with a new IIO driver for the ADC found on Marvell Berlin platforms, a big cleanup to the support of Atmel platforms, improvements to the DMA controller driver for Atmel platforms, a completely new driver for the cryptographic accelerator found on Marvell EBU platforms.

In this cycle, our engineer Alexandre Belloni became the official maintainer of the RTC subsystem.

See details on our contributions to Linux 4.2

Linux 4.3

We contributed 110 patches to this release, with mainly improvements to the DRM/KMS driver and DMA controller driver for Atmel platforms and power management improvements for Marvell platforms.

See details on our contributions to Linux 4.3

Linux 4.4

We contributed 112 patches to this release, the main highlights being an additional RTC driver, a PWM driver, support for the C.H.I.P platform, and improvements to the NAND support.

See details on our contributions to Linux 4.4

Work on ARM 64-bit platform

We have started to work on supporting the Linux kernel on several ARM 64 bits platforms from different vendors. We will be submitting the initial patches in the coming weeks and will progressively improve the support for those platforms throughout 2016 where a major part of our Linux kernel contribution effort will shift to ARM 64-bit.

Growing engineering team

Our engineering team, currently composed of six engineers, will be significantly expanded in 2016:

Two additional embedded Linux engineers will join us in March 2016 and will be working with our engineering team in Toulouse, France. They will help us on our numerous Linux kernel and Linux BSP projects.
An engineering intern will join us starting early February, and will work on setting up a board farm to contribute to the kernelci.org automated testing effort. This will help us do more automated testing on the ARM platforms we work on.

Upcoming training sessions

We have public training sessions scheduled for the beginning of 2016:

Embedded Linux development training: February 29 – March 4, in English, in Avignon (France)
Embedded Linux kernel and driver development training: March 14-18, in English, in Avignon (France)
Android system development training: March 7-10, in English, in Toulouse (France)

We also offer the following training courses, on-site, anywhere in the world, upon request:

Embedded Linux development
Embedded Linux kernel and driver development
Android system development
Yocto Project and OpenEmbedded development
Embedded Linux development with Buildroot

Conferences

We participated to the Embedded Linux Conference Europe in Dublin in October 2015, and gave a number of talks:

Supporting Multi-Function Devices in the Linux Kernel: A Tour of the mfd, regmap and syscon APIs, by Alexandre Belloni (slides, video)
Kernel Maintainership: An Oral Tradition, by Grégory Clement (slides, video)
Learning the basics of Buildroot, by Thomas Petazzoni (slides, video)
Keynote: Linux Kernel SoC Support Mainlining Tips (By a Bunch of Other French People), by Thomas Petazzoni (slides)

In addition, our engineer Thomas Petazzoni was invited to the Linux Kernel Summit, an invitation-only conference for the kernel maintainers and developers. He participated to the three days event in Seoul, South Korea. See Bootlin at the Linux Kernel Summit 2015.

At the beginning of 2016, our entire engineering team will be attending the Embedded Linux Conference in San Diego (US), which means that no less than 9 engineers from Bootlin will be present at the conference!

Porting Linux on ARM seminar

In December 2015, we gave a half-day seminar entitled “Porting Linux on ARM” in Toulouse (France). The materials, in English, are now freely available on our web site.

Seminar “Porting Linux on an ARM board”, materials available

On December 10th 2015, Bootlin engineer Alexandre Belloni gave a half-day seminar on the topic of Porting Linux on an ARM board in Toulouse, France. This seminar covers topics like porting the bootloader, understanding the concept of the Device Tree, writing Linux device drivers and more. With ~50 persons from various companies attending and lots of questions from the audience, this first edition has been very successful, which shows an increasing interest for using Linux on ARM platforms in the industry.

We are now publishing the 220 slides materials from this seminar, available in PDF format. Like all our training materials, this material is published under the Creative Commons BY-SA 3.0 license, which allows everyone to re-use it for free, provided the derivative works are released under the same license. We indeed re-used quite extensively parts of our existing training materials for this half-day seminar.

We plan to give this half-day seminar in other locations in France in 2016. Contact us if you are interested in organizing a similar seminar in your area (we are happy to travel!).