lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Zhanol2xi_E2Ypv3@ryzen>
Date: Wed, 10 Apr 2024 16:52:18 +0200
From: Niklas Cassel <cassel@...nel.org>
To: Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org>
Cc: Lorenzo Pieralisi <lpieralisi@...nel.org>,
	Krzysztof WilczyƄski <kw@...ux.com>,
	Rob Herring <robh@...nel.org>, Bjorn Helgaas <bhelgaas@...gle.com>,
	Kishon Vijay Abraham I <kishon@...nel.org>,
	Thierry Reding <thierry.reding@...il.com>,
	Jonathan Hunter <jonathanh@...dia.com>,
	Jingoo Han <jingoohan1@...il.com>, linux-pci@...r.kernel.org,
	linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org,
	mhi@...ts.linux.dev, linux-tegra@...r.kernel.org
Subject: Re: [PATCH v2 10/10] PCI: qcom: Implement shutdown() callback to
 properly reset the endpoint devices

On Wed, Apr 10, 2024 at 04:24:10PM +0530, Manivannan Sadhasivam wrote:
> On Wed, Apr 03, 2024 at 10:03:26PM +0200, Niklas Cassel wrote:
> > On Wed, Apr 03, 2024 at 07:02:17PM +0530, Manivannan Sadhasivam wrote:
> > > On Tue, Apr 02, 2024 at 01:18:54PM +0200, Niklas Cassel wrote:
> > > > On Mon, Apr 01, 2024 at 09:20:36PM +0530, Manivannan Sadhasivam wrote:
> > > > > PCIe host controller drivers are supposed to properly reset the endpoint
> > > > > devices during host shutdown/reboot. Currently, Qcom driver doesn't do
> > > > > anything during host shutdown/reboot, resulting in both PERST# and refclk
> > > > > getting disabled at the same time. This prevents the endpoint device
> > > > > firmware to properly reset the state machine. Because, if the refclk is
> > > > > cutoff immediately along with PERST#, access to device specific registers
> > > > > within the endpoint will result in a firmware crash.
> > > > > 
> > > > > To address this issue, let's call qcom_pcie_host_deinit() inside the
> > > > > shutdown callback, that asserts PERST# and then cuts off the refclk with a
> > > > > delay of 1ms, thus allowing the endpoint device firmware to properly
> > > > > cleanup the state machine.
> > > > 
> > > > Hm... a QCOM EP device could be attached to any of the PCIe RC drivers that
> > > > we have in the kernel, so it seems a bit weird to fix this problem by
> > > > patching the QCOM RC driver only.
> > > > 
> > > > Which DBI call is it that causes this problem during perst assert on EP side?
> > > > 
> > > > I assume that it is pci-epf-test:deinit() callback that calls
> > > > pci_epc_clear_bar(), which calls dw_pcie_ep_clear_bar(), which will both:
> > > > -clear local data structures, e.g.
> > > > ep->epf_bar[bar] = NULL;
> > > > ep->bar_to_atu[bar] = 0;
> > > > 
> > > > but also call:
> > > > __dw_pcie_ep_reset_bar()
> > > > dw_pcie_disable_atu()
> > > > 
> > > > 
> > > > Do we perhaps need to redesign the .deinit EPF callback?
> > > > 
> > > > Considering that we know that .deinit() will only be called on platforms
> > > > where there will be a fundamental core reset, I guess we could do something
> > > > like introduce a __dw_pcie_ep_clear_bar() which will only clear the local
> > > > data structures. (It might not need to do any DBI writes, since the
> > > > fundamental core reset should have reset all values.)
> > > > 
> > > > Or perhaps instead of letting pci_epf_test_epc_deinit() call
> > > > pci_epf_test_clear_bar()/__pci_epf_test_clear_bar() directly, perhaps let
> > > > pci_epf_test_epc_deinit() call add a .deinit()/.cleanup() defined in the
> > > > EPC driver.
> > > > 
> > > > This EPC .deinit()/.cleanup() callback would then only clear the
> > > > local data structures (no DBI writes...).
> > > > 
> > > > Something like that?
> > > > 
> > > 
> > > It is not just about the EPF test driver. A function driver may need to do many
> > > things to properly reset the state machine. Like in the case of MHI driver, it
> > > needs to reset channel state, mask interrupts etc... and all requires writing to
> > > some registers. So certainly there should be some time before cutting off the
> > > refclk.
> > 
> > I was more thinking that perhaps we should think of .deinit() as in how
> > dw_pcie_ep_init() used to be. It was not allowed to have any DBI writes.
> > (The DBI writes were all in dw_pcie_ep_init_complete()).
> > So perhaps we could define that a EPF .deinit() callback is not allowed
> > to have any DBI writes.
> > 
> > If we take qcom-ep as an example, as soon as you get a PERST assertion
> > the qcom-ep driver calls notify_deinit(), then asserts the reset control,
> > disables clocks and regulators.
> > 
> > Since the PCIe core is held in reset, the hardware is in a well defined
> > state, no? Sure, the data structures e.g. bar_to_iatu[], etc., might be
> > out of sync, but these could be memset():ed no? Since this is a fundamental
> > reset, all registers should be reset to their default state (once reset
> > is deasserted).
> > 
> 
> Well, we could prevent the register access during PERST# assert time in the
> endpoint, but my worry is that we will end up with 2 version of the cleanup
> APIs. Lets take an example of dw_pcie_edma_remove() API which gets called
> during deinit and it touches some eDMA registers.
> 
> So should we introduce another API which just clears the sw data structure and
> not touching the registers? And this may be needed for other generic APIs as
> well.

I agree that it will be hard to come up with an elegant solution to this
problem.

These endpoint controllers that cannot do register accesses to their own
controllers' DBI/register space without the RC providing a refclock are
really becoming a pain... and the design and complexity of the PCI endpoint
APIs is what suffers as a result.

PERST could be asserted at any time.
So for your system to not crash/hang by accessing registers in the controller,
an EPF driver must be designed with great care to never do any register access
when it is not safe...

Perhaps the the EPF core should set the state (i.e. init_complete = false,
even before calling the deinit callback in EPF driver, and perhaps even add
safe-guards against init_complete in some APIs, so that e.g. a set_bar() call
cannot trigger a crash because PERST# is asserted.. but even then, it could
still be asserted in the middle of set_bar()'s execution.)


Looking at the databook, it looks like core_clk is derived from pipe_clk
output of the PHY. The PHY will either use external clock or internal clock.

4.6.2 DBI Protocol Transactions
it looks like core_clk must be active to read/write the DBI.

I really wish those controllers could e.g. change the clock temporarily
using a mux, so that it could still perform DBI read/writes when there is
not external refclk... Something like pm_sel_aux_clk selecting to use the
aux clk instead of core_clk when in low power states.
But I don't know the hardware well enough to know if that is possible for
the DBI, so that might just be wishful thinking...


Kind regards,
Niklas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ