Message ID | 20240320073927.1641788-3-lk@c--e.de |
---|---|
State | New |
Series | Fix various races in UCSI |
On Wed, Mar 20, 2024 at 08:39:23AM +0100, Christian A. Ehrhardt wrote:
> The completion notification for the final SET_NOTIFICATION_ENABLE
> command during initialization can include a connector change
> notification. However, at the time this completion notification is
> processed, the ucsi struct is not ready to handle this notification.
> As a result the notification is ignored and the controller
> never sends an interrupt again.
>
> Re-check CCI for a pending connector state change after
> initialization is complete. Adjust the corresponding debug
> message accordingly.
>
> Fixes: 71a1fa0df2a3 ("usb: typec: ucsi: Store the notification mask")
> Cc: stable@vger.kernel.org
> Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>

Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>

> ---
> drivers/usb/typec/ucsi/ucsi.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index 8a6645ffd938..dceeed207569 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -1237,7 +1237,7 @@ void ucsi_connector_change(struct ucsi *ucsi, u8 num) > struct ucsi_connector *con = &ucsi->connector[num - 1]; > > if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { > - dev_dbg(ucsi->dev, "Bogus connector change event\n"); > + dev_dbg(ucsi->dev, "Early connector change event\n"); > return; > } > > @@ -1636,6 +1636,7 @@ static int ucsi_init(struct ucsi *ucsi) > { > struct ucsi_connector *con, *connector; > u64 command, ntfy; > + u32 cci; > int ret; > int i; > > @@ -1688,6 +1689,13 @@ static int ucsi_init(struct ucsi *ucsi) > > ucsi->connector = connector; > ucsi->ntfy = ntfy; > + > + ret = ucsi->ops->read(ucsi, UCSI_CCI, &cci, sizeof(cci)); > + if (ret) > + return ret; > + if (UCSI_CCI_CONNECTOR(READ_ONCE(cci))) > + ucsi_connector_change(ucsi, cci); > + > return 0; > > err_unregister: > -- > 2.40.1
On Wed, Mar 20, 2024 at 08:39:23AM +0100, Christian A. Ehrhardt wrote:
> The completion notification for the final SET_NOTIFICATION_ENABLE
> command during initialization can include a connector change
> notification. However, at the time this completion notification is
> processed, the ucsi struct is not ready to handle this notification.
> As a result the notification is ignored and the controller
> never sends an interrupt again.
>
> Re-check CCI for a pending connector state change after
> initialization is complete. Adjust the corresponding debug
> message accordingly.
>
> Fixes: 71a1fa0df2a3 ("usb: typec: ucsi: Store the notification mask")
> Cc: stable@vger.kernel.org
> Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
> ---
> drivers/usb/typec/ucsi/ucsi.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index 8a6645ffd938..dceeed207569 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -1237,7 +1237,7 @@ void ucsi_connector_change(struct ucsi *ucsi, u8 num) > struct ucsi_connector *con = &ucsi->connector[num - 1]; > > if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { > - dev_dbg(ucsi->dev, "Bogus connector change event\n"); > + dev_dbg(ucsi->dev, "Early connector change event\n"); > return; > } > > @@ -1636,6 +1636,7 @@ static int ucsi_init(struct ucsi *ucsi) > { > struct ucsi_connector *con, *connector; > u64 command, ntfy; > + u32 cci; > int ret; > int i;
> > @@ -1688,6 +1689,13 @@ static int ucsi_init(struct ucsi *ucsi) > > ucsi->connector = connector; > ucsi->ntfy = ntfy; > + > + ret = ucsi->ops->read(ucsi, UCSI_CCI, &cci, sizeof(cci)); > + if (ret) > + return ret; > + if (UCSI_CCI_CONNECTOR(READ_ONCE(cci))) > + ucsi_connector_change(ucsi, cci); > +

I think this leaves place for the race. With this patchset + "Ack
connector change early" in place Neil triggered the following backtrace
on sm8550 HDK while testing my UCSI-qcom-fixes patchset:

What happens:

[ 10.421640] write: 00000000: 05 00 e7 db 00 00 00 00

SET_NOTIFICATION_ENABLE

[ 10.432359] read: 00000000: 10 01 00 00 00 00 00 80 00 00 00 00 00 00 00 00
[ 10.469553] read: 00000010: 04 58 29 20 00 00 00 00 00 00 00 00 00 03 30 01
[ 10.476783] read: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 10.489552] notify: 00000000: 00 00 00 80

COMMAND_COMPLETE

[ 10.494194] read: 00000000: 10 01 00 00 00 00 00 80 00 00 00 00 00 00 00 00
[ 10.501370] read: 00000010: 04 58 29 20 00 00 00 00 00 00 00 00 00 03 30 01
[ 10.508578] read: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 10.515757] write: 00000000: 04 00 02 00 00 00 00 00

ACK_CC_CI(command completed)

[ 10.521100] read: 00000000: 10 01 00 00 00 00 00 20 00 00 00 00 00 00 00 00
[ 10.528363] read: 00000010: 04 58 29 20 00 00 00 00 00 00 00 00 00 03 30 01
[ 10.535603] read: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 10.549549] notify: 00000000: 00 00 00 20

ACK_COMPLETE

[Here ucsi->connector and ucsi->ntfy are being set by ucsi_init()]

[ 10.566654] read: 00000010: 04 58 29 20 00 00 00 00 00 00 00 00 00 03 30 01
[ 10.593553] notify: 00000000: 02 00 00 20

Event with CONNECTION_CHANGE. It also schedules connector_change work,
because ucsi->ntfy is already set

[ 10.595796] read: 00000000: 10 01 00 00 02 00 00 20 00 00 00 00 00 00 00 00
[ 10.595798] read: 00000010: 04 58 29 20 00 00 00 00 00 00 00 00 00 03 30 01
[ 10.595799] read: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The CCI read coming from ucsi_init()

[ 10.595807] ------------[ cut here ]------------
[ 10.595808] WARNING: CPU: 6 PID: 101 at kernel/workqueue.c:2384 __queue_work+0x374/0x474

[skipped the register dump]

[ 10.595953] __queue_work+0x374/0x474
[ 10.595956] queue_work_on+0x68/0x84
[ 10.595959] ucsi_connector_change+0x54/0x88 [typec_ucsi]
[ 10.595963] ucsi_init_work+0x834/0x85c [typec_ucsi]
[ 10.595968] process_one_work+0x148/0x29c
[ 10.595971] worker_thread+0x2fc/0x40c
[ 10.595974] kthread+0x110/0x114
[ 10.595978] ret_from_fork+0x10/0x20
[ 10.595985] ---[ end trace 0000000000000000 ]---

Warning, because the work is already scheduled.

> return 0; > > err_unregister: > -- > 2.40.1 >
Hi,

On Fri, Mar 29, 2024 at 06:21:08PM +0200, Dmitry Baryshkov wrote:
> On Wed, Mar 20, 2024 at 08:39:23AM +0100, Christian A. Ehrhardt wrote:
> > The completion notification for the final SET_NOTIFICATION_ENABLE
> > command during initialization can include a connector change
> > notification. However, at the time this completion notification is
> > processed, the ucsi struct is not ready to handle this notification.
> > As a result the notification is ignored and the controller
> > never sends an interrupt again.
> >
> > Re-check CCI for a pending connector state change after
> > initialization is complete. Adjust the corresponding debug
> > message accordingly.
> >
> > Fixes: 71a1fa0df2a3 ("usb: typec: ucsi: Store the notification mask")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
> > ---
> > drivers/usb/typec/ucsi/ucsi.c | 10 +++++++++-
> > 1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > > index 8a6645ffd938..dceeed207569 100644 > > --- a/drivers/usb/typec/ucsi/ucsi.c > > +++ b/drivers/usb/typec/ucsi/ucsi.c > > @@ -1237,7 +1237,7 @@ void ucsi_connector_change(struct ucsi *ucsi, u8 num) > > struct ucsi_connector *con = &ucsi->connector[num - 1]; > > > > if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { > > - dev_dbg(ucsi->dev, "Bogus connector change event\n"); > > + dev_dbg(ucsi->dev, "Early connector change event\n"); > > return; > > } > > > > @@ -1636,6 +1636,7 @@ static int ucsi_init(struct ucsi *ucsi) > > { > > struct ucsi_connector *con, *connector; > > u64 command, ntfy; > > + u32 cci; > > int ret; > > int i;
> > > > @@ -1688,6 +1689,13 @@ static int ucsi_init(struct ucsi *ucsi) > > > > ucsi->connector = connector; > > ucsi->ntfy = ntfy; > > + > > + ret = ucsi->ops->read(ucsi, UCSI_CCI, &cci, sizeof(cci)); > > + if (ret) > > + return ret; > > + if (UCSI_CCI_CONNECTOR(READ_ONCE(cci))) > > + ucsi_connector_change(ucsi, cci); > > +
>
> I think this leaves place for the race. With this patchset + "Ack
> connector change early" in place Neil triggered the following backtrace
> on sm8550 HDK while testing my UCSI-qcom-fixes patchset:

Sorry, but this seems to be a brown paper bag change.
- The READ_ONCE is bogus and a remnant of a previous version of
  the change.
- Calling ->read should probably be done with the PPM lock held.
- The argument to ucsi_connector_change() must be
  UCSI_CCI_CONNECTOR(cci) instead of the plain cci.

I'll send a fix.

> What happens:

[ ... ]

>
> [ 10.595807] ------------[ cut here ]------------
> [ 10.595808] WARNING: CPU: 6 PID: 101 at kernel/workqueue.c:2384 __queue_work+0x374/0x474
>
> [skipped the register dump]
>
> [ 10.595953] __queue_work+0x374/0x474
> [ 10.595956] queue_work_on+0x68/0x84
> [ 10.595959] ucsi_connector_change+0x54/0x88 [typec_ucsi]
> [ 10.595963] ucsi_init_work+0x834/0x85c [typec_ucsi]
> [ 10.595968] process_one_work+0x148/0x29c
> [ 10.595971] worker_thread+0x2fc/0x40c
> [ 10.595974] kthread+0x110/0x114
> [ 10.595978] ret_from_fork+0x10/0x20
> [ 10.595985] ---[ end trace 0000000000000000 ]---
>
> Warning, because the work is already scheduled.

No, the reason is the wrong connector number. Scheduling a work that
is already scheduled is fine.

Best regards
Christian
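The difference between passing the plain cci and UCSI_CCI_CONNECTOR(cci), worked through on the `02 00 00 20` notification from the trace. This is an added example, not code from the thread or from the kernel; the CCI bit layout, the helper names and the single-connector count are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed CCI bit layout, consistent with the labels in the trace:
 * bits 7:1 connector number, bit 29 ACK_COMPLETE, bit 31 COMMAND_COMPLETE. */
#define CCI_CONNECTOR(c)     (((c) & 0xfeu) >> 1)
#define CCI_ACK_COMPLETE     (1u << 29)
#define CCI_COMMAND_COMPLETE (1u << 31)

/* CCI as dumped in the trace: four bytes, little endian. */
static uint32_t cci_from_bytes(const uint8_t b[4])
{
	return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
	       (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* What a callee with a "u8 num" parameter sees when handed the raw CCI. */
static uint8_t num_from_raw_cci(uint32_t cci) { return (uint8_t)cci; }

/* The connector number field, which is what the callee expects. */
static uint8_t num_from_field(uint32_t cci) { return (uint8_t)CCI_CONNECTOR(cci); }

/* Hypothetical guard: 1-based connector number to array index, or -1 if
 * the number is 0 or exceeds the count of registered connectors. */
static int connector_index(uint8_t num, unsigned int num_connectors)
{
	if (num == 0 || num > num_connectors)
		return -1;
	return num - 1;
}

int main(void)
{
	/* "notify: 02 00 00 20" from the trace quoted in the thread. */
	const uint8_t notify[4] = { 0x02, 0x00, 0x00, 0x20 };
	uint32_t cci = cci_from_bytes(notify);
	unsigned int n = 1; /* constructed: one registered connector */

	printf("cci=0x%08x ack_complete=%d\n", (unsigned int)cci,
	       (cci & CCI_ACK_COMPLETE) != 0);
	printf("raw cci as u8:   num=%u index=%d\n", (unsigned int)num_from_raw_cci(cci),
	       connector_index(num_from_raw_cci(cci), n));
	printf("connector field: num=%u index=%d\n", (unsigned int)num_from_field(cci),
	       connector_index(num_from_field(cci), n));
	return 0;
}
```

With one registered connector, the raw value truncates to connector number 2 and falls outside the array, while the extracted field gives connector 1 at index 0.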
diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c index 8a6645ffd938..dceeed207569 100644 --- a/drivers/usb/typec/ucsi/ucsi.c +++ b/drivers/usb/typec/ucsi/ucsi.c @@ -1237,7 +1237,7 @@ void ucsi_connector_change(struct ucsi *ucsi, u8 num) struct ucsi_connector *con = &ucsi->connector[num - 1]; if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { - dev_dbg(ucsi->dev, "Bogus connector change event\n"); + dev_dbg(ucsi->dev, "Early connector change event\n"); return; } @@ -1636,6 +1636,7 @@ static int ucsi_init(struct ucsi *ucsi) { struct ucsi_connector *con, *connector; u64 command, ntfy; + u32 cci; int ret; int i; @@ -1688,6 +1689,13 @@ static int ucsi_init(struct ucsi *ucsi) ucsi->connector = connector; ucsi->ntfy = ntfy; + + ret = ucsi->ops->read(ucsi, UCSI_CCI, &cci, sizeof(cci)); + if (ret) + return ret; + if (UCSI_CCI_CONNECTOR(READ_ONCE(cci))) + ucsi_connector_change(ucsi, cci); + return 0; err_unregister:
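Review bot: In the first hunk, ucsi_connector_change() takes `&ucsi->connector[num - 1]` from a caller-supplied `u8 num` that the visible lines never range-check, and the ntfy test that follows only filters events by notification mask, not by connector number. A num of 0, or one larger than the number of registered connectors, yields a pointer outside the array. Suggest rejecting an out-of-range num before taking the address. The new "Early connector change event" text is also reached whenever the mask does not include connector changes, not only for events that arrive before initialization finishes, so a neutral wording would be more accurate.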
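Review bot: In the last hunk of ucsi_init(), `ucsi_connector_change(ucsi, cci)` hands the whole 32-bit CCI to a parameter declared `u8 num` in the first hunk, so the callee receives the low byte of the register rather than the connector number that the condition one line above extracts with UCSI_CCI_CONNECTOR(). Pass `UCSI_CCI_CONNECTOR(cci)` instead. READ_ONCE() on the local `cci` has no effect and can be dropped. The `return ret` after a failed read also bypasses the `err_unregister:` label visible just below, although `ucsi->connector` has already been assigned at that point; the changelog should say whether that is intended.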
The completion notification for the final SET_NOTIFICATION_ENABLE
command during initialization can include a connector change
notification. However, at the time this completion notification is
processed, the ucsi struct is not ready to handle this notification.
As a result the notification is ignored and the controller
never sends an interrupt again.

Re-check CCI for a pending connector state change after
initialization is complete. Adjust the corresponding debug
message accordingly.

Fixes: 71a1fa0df2a3 ("usb: typec: ucsi: Store the notification mask")
Cc: stable@vger.kernel.org
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
---
drivers/usb/typec/ucsi/ucsi.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)