zephyr: lib: alloc: Use cached memory for L3 Heap

[jxstelter]

This patch implements recommended hardware flow for Intel ACE platforms.
The L3 heap should be accessed via cached pointers including management data.
This change is fixing D3 save/restore flow on LNL.

Signed-off-by: Jaroslaw Stelter [email protected]

[lgirdwood]

One question from me on the code.

Thinking long term I guess a lot of this heap mgmt will end up in Zephyr, but this will need memory native API usage 1st.

[lgirdwood]

Still some opens, but I think some inline comments could allow everyone to follow. CI Zephyr failures unrelated to this PR.

[kv2019i]

See inline

[lyakh]

trying to think about it: now we limit the whole L3 heap to core 0, right? Doesn't this mean that we don't need cache-line alignment any more? I don't think Zephyr's heap API explicitly manipulates the caches either, but please double-check. So I would expect this function to be just an alias to l3_heap_alloc_aligned()

[jxstelter]

Zephyr heap is not manipulating this, but cache line alignment is required at least for library manager functionality.
It allocates buffer from L3_HEAP for loadable library storage. After load the library image to this buffer we need to flush cache to have whole library stored in memory. It could be accessed after wake from D3. On the other hands, the D3 context save/restore buffer is also allocated and flushed before D3 entry. Without the cache line alignment I see failures in tests where D3 entry/exit is introduced between Load Library phase and Init Instance phase (this is real E2E scenario).

[lyakh]

cache line alignment is required at least for library manager functionality.

then it's the caller who has to specify that alignment, in this case the library manager. That's why we have alignment as a function parameter here.

[jxstelter]

Yes, this is true. Unfortunately alignment parameter is omitted in upper API function
void *rmalloc(enum mem_zone zone, uint32_t flags, uint32_t caps, size_t bytes). I can fulfill your request adding new API function e.g.
void *rmalloc_alligned(enum mem_zone zone, uint32_t flags, uint32_t caps, size_t bytes, uint32_t alignment).
Another alternative would be to extend rballoc_align() functionality.

[jxstelter]

fixed

[lgirdwood]

@lyakh I think your review comments all addressed now.

[lyakh]

this is kind of theoretical, but maybe a small follow-up PR to convert this and line 301 above to return NULL

[cujomalainey]

@lyakh this isn't theoretical based on the find by @marc-hb in the fuzzer logs

[lyakh]

this means: the DSP is being powered down and we try to allocate an IMR buffer to safe state, and if we fail, we panic. Would it be possible to just abort saving state and go for a clean power off? Also rather theoretical, but would probably be better not to bother the host with a DSP panic but just to make this a clean shut down? @ujfalusi Can be an incremental PR too

[marc-hb]

This PR broke fuzzing, @andyross any idea why?

I fails very quickly and I can reproduce locally without any issue.

https://github.com/thesofproject/sof/actions/runs/7724788048/job/21057626265
https://github.com/thesofproject/sof/actions/runs/7749595113/job/21134436910

It was harder to notice because zmain has been broken for a while but it was not that hard to notice.

@jxstelter please pay attention to test results next time, reviewers have one order of magnitude more PRs to pay attention to.

#119902	NEW    cov: 729 ft: 3099 corp: 335/18Kb lim: 240 exec/s: 7993 rss: 87Mb L: 61/239 MS: 1 EraseBytes-
Exiting due to fatal error
==5292== ERROR: libFuzzer: fuzz target exited
    #0 0x8134c42 in __sanitizer_print_stack_trace (/home/runner/work/sof/sof/workspace/build-fuzz/zephyr/zephyr.exe+0x8134c42)
    #1 0x80aa4d6 in fuzzer::PrintStackTrace() (/home/runner/work/sof/sof/workspace/build-fuzz/zephyr/zephyr.exe+0x80aa4d6)
    #2 0x8090897 in fuzzer::Fuzzer::ExitCallback() (/home/runner/work/sof/sof/workspace/build-fuzz/zephyr/zephyr.exe+0x8090897)
    #3 0x809082e in fuzzer::Fuzzer::StaticExitCallback() (/home/runner/work/sof/sof/workspace/build-fuzz/zephyr/zephyr.exe+0x809082e)
    #4 0xf783a332  (/lib/i386-linux-gnu/libc.so.6+0x3a332) (BuildId: 0598ef3e075d7653ff4d565675d15666ec9b7b31)
    #5 0xf783a486 in exit (/lib/i386-linux-gnu/libc.so.6+0x3a486) (BuildId: 0598ef3e075d7653ff4d565675d15666ec9b7b31)
    #6 0x8194c5c in posix_exit /home/runner/work/sof/sof/workspace/zephyr/boards/posix/native_posix/main.c:51:2

SUMMARY: libFuzzer: fuzz target exited

[btian1]

@marc-hb ，Thanks for point out, my PR also got FUZZY error, I am looking for the reason, could you help double confirm below FUZZY error also caused by this:
https://github.com/thesofproject/sof/actions/runs/7751869504/job/21140431875?pr=8822
?

[marc-hb]

I debugged this a bit. This PR is probably just the messenger but this fuzzing failure looks like a "good catch" to me.

One of the new k_panic() gets triggered because caps & SOF_MEM_CAPS_L3 is true even when CONFIG_L3_HEAP is false.

I think the reason caps & SOF_MEM_CAPS_L3 is true is because... caps comes directly from untrusted IPC input!? Why would IPCs be able to set caps directly?

The panic happens when ipc_glb_tplg_buffer_new() does this:

ret = ipc_buffer_new(ipc, (struct sof_ipc_buffer *)ipc->comp_data); 

At this point comp_data looks like it came straight from the fuzzer's untrusted input:

(gdb) p /x *desc

$5 = {comp = {hdr = {size = 0x66, cmd = 0x3020ffff}, id = 0xb6b6b600, type = 0xb6b6b6b6, pipeline_id = 0xb6b6b6b6, core = 0xffffb236, 
    ext_data_length = 0xffffffff}, size = 0xffffffff, caps = 0xffffffff, flags = 0xffffffff, reserved = 0xffffffff}

#0  rballoc_align (flags=0, caps=4294903040, bytes=86376703, align=64) at sof/zephyr/lib/alloc.c:398
#1  0x0831d38c in buffer_alloc (size=86376703, caps=4294903040, flags=4294967295, align=64, is_shared=false)
    at sof/src/audio/buffer.c:58
#2  0x082e4d6b in buffer_new (desc=0x8b184c0 <heapmem+1728>, is_shared=false) at sof/src/ipc/ipc-helper.c:48
#3  0x082cc78e in ipc_buffer_new (ipc=0x8b183c0 <heapmem+1472>, desc=0x8b184c0 <heapmem+1728>) at sof/src/ipc/ipc3/helper.c:459
#4  0x082b7249 in ipc_glb_tplg_buffer_new (header=807469055) at sof/src/ipc/ipc3/handler.c:1305
#5  0x082b090c in ipc_glb_tplg_message (header=807469055) at sof/src/ipc/ipc3/handler.c:1416
#6  0x082aff8a in ipc_cmd (_hdr=0x8b184c0 <heapmem+1728>) at sof/src/ipc/ipc3/handler.c:1651
#7  0x082fcb1b in ipc_platform_do_cmd (ipc=0x8b183c0 <heapmem+1472>) at sof/src/platform/posix/ipc.c:162
#8  0x082e2827 in ipc_do_cmd (data=0x8b183c0 <heapmem+1472>) at sof/src/ipc/ipc-common.c:328
#9  0x0836a27a in task_run (task=0x8b183e8 <heapmem+1512>) at sof/zephyr/include/rtos/task.h:94

[kv2019i]

D'oh, my mistake, I did not notice the fail when merging. @jxstelter can you take a quick look so we don't need a revert?

[cujomalainey]

@marc-hb thanks for the find, indeed if we are trusting IPC on hw limits then we are not secure

[andyross]

Nice. Frustrating that k_panic() seems not to appear in the fuzzing backtrace. I'm guessing that's a misfeature in native_posix where it gets "handled" via an exit(), when what we really want is for it to do something (like crash or abort) that is visible to the framework as an error to be dumped.

[marc-hb]

A quick fix seems very unlikely so I filed new issue #8832, please move the discussion there.