Before writing the read or write command to the SPMI arbiter through the
PMIF interface, the current status of the channel is checked to ensure
it is idle. However, since the status only changes from idle when the
command is written, it is possible for two concurrent calls to determine
that the channel is idle and simultaneously send their commands. At this
point the PMIF interface hangs, with the status register no longer being
updated, and thus causing all subsequent operations to time out.
This was observed on the mt8195-cherry-tomato-r2 machine, particularly
after commit 46600ab142f8 ("regulator: Set PROBE_PREFER_ASYNCHRONOUS for
drivers between 5.10 and 5.15") was applied, since then the two MT6315
devices present on the SPMI bus would probe assynchronously and
sometimes read the bus simultaneously, breaking the PMIF interface and
consequently slowing down the whole system.
To fix the issue, introduce locking around the channel status check and
the command write, so that both become an atomic operation. A spinlock
is used since this is a fast bus, as indicated by the usage of the
atomic variant of readl_poll, and '.fast_io = true' being used in the
mt6315 driver, so spinlocks are already used for the regmap access.
Fixes: b45b3ccef8c0 ("spmi: mediatek: Add support for MT6873/8192")
Signed-off-by: Nícolas F. R. A. Prado <[email protected]>
---
drivers/spmi/spmi-mtk-pmif.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/spmi/spmi-mtk-pmif.c b/drivers/spmi/spmi-mtk-pmif.c
index b3c991e1ea40..208ba0adfb98 100644
--- a/drivers/spmi/spmi-mtk-pmif.c
+++ b/drivers/spmi/spmi-mtk-pmif.c
@@ -50,6 +50,7 @@ struct pmif {
struct clk_bulk_data clks[PMIF_MAX_CLKS];
size_t nclks;
const struct pmif_data *data;
+ spinlock_t lock;
};
static const char * const pmif_clock_names[] = {
@@ -314,6 +315,7 @@ static int pmif_spmi_read_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
struct ch_reg *inf_reg;
int ret;
u32 data, cmd;
+ unsigned long flags;
/* Check for argument validation. */
if (sid & ~0xf) {
@@ -334,6 +336,7 @@ static int pmif_spmi_read_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
else
return -EINVAL;
+ spin_lock_irqsave(&arb->lock, flags);
/* Wait for Software Interface FSM state to be IDLE. */
inf_reg = &arb->chan;
ret = readl_poll_timeout_atomic(arb->base + arb->data->regs[inf_reg->ch_sta],
@@ -350,6 +353,7 @@ static int pmif_spmi_read_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
/* Send the command. */
cmd = (opc << 30) | (sid << 24) | ((len - 1) << 16) | addr;
pmif_writel(arb, cmd, inf_reg->ch_send);
+ spin_unlock_irqrestore(&arb->lock, flags);
/*
* Wait for Software Interface FSM state to be WFVLDCLR,
@@ -377,6 +381,7 @@ static int pmif_spmi_write_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
struct ch_reg *inf_reg;
int ret;
u32 data, cmd;
+ unsigned long flags;
if (len > 4) {
dev_err(&ctrl->dev, "pmif supports 1..4 bytes per trans, but:%zu requested", len);
@@ -394,6 +399,7 @@ static int pmif_spmi_write_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
else
return -EINVAL;
+ spin_lock_irqsave(&arb->lock, flags);
/* Wait for Software Interface FSM state to be IDLE. */
inf_reg = &arb->chan;
ret = readl_poll_timeout_atomic(arb->base + arb->data->regs[inf_reg->ch_sta],
@@ -414,6 +420,7 @@ static int pmif_spmi_write_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
/* Send the command. */
cmd = (opc << 30) | BIT(29) | (sid << 24) | ((len - 1) << 16) | addr;
pmif_writel(arb, cmd, inf_reg->ch_send);
+ spin_unlock_irqrestore(&arb->lock, flags);
return 0;
}
@@ -488,6 +495,8 @@ static int mtk_spmi_probe(struct platform_device *pdev)
arb->chan.ch_send = PMIF_SWINF_0_ACC + chan_offset;
arb->chan.ch_rdy = PMIF_SWINF_0_VLD_CLR + chan_offset;
+ spin_lock_init(&arb->lock);
+
platform_set_drvdata(pdev, ctrl);
err = spmi_controller_add(ctrl);
--
2.41.0
Il 14/07/23 23:17, Nícolas F. R. A. Prado ha scritto:
> Before writing the read or write command to the SPMI arbiter through the
> PMIF interface, the current status of the channel is checked to ensure
> it is idle. However, since the status only changes from idle when the
> command is written, it is possible for two concurrent calls to determine
> that the channel is idle and simultaneously send their commands. At this
> point the PMIF interface hangs, with the status register no longer being
> updated, and thus causing all subsequent operations to time out.
>
> This was observed on the mt8195-cherry-tomato-r2 machine, particularly
> after commit 46600ab142f8 ("regulator: Set PROBE_PREFER_ASYNCHRONOUS for
> drivers between 5.10 and 5.15") was applied, since then the two MT6315
> devices present on the SPMI bus would probe assynchronously and
> sometimes read the bus simultaneously, breaking the PMIF interface and
> consequently slowing down the whole system.
>
> To fix the issue, introduce locking around the channel status check and
> the command write, so that both become an atomic operation. A spinlock
> is used since this is a fast bus, as indicated by the usage of the
> atomic variant of readl_poll, and '.fast_io = true' being used in the
> mt6315 driver, so spinlocks are already used for the regmap access.
>
> Fixes: b45b3ccef8c0 ("spmi: mediatek: Add support for MT6873/8192")
> Signed-off-by: Nícolas F. R. A. Prado <[email protected]>
>
I agree. After all, switching back to synchronous probe would solve the issue
but that wouldn't be enough, as there's another latent issue in this driver.
You missed an important part for this commit's description!
Concurrent R/W may happen *not only* during probe, but *also* (and that's why
we *really* need this locking action) during runtime as some platforms may
have multiple regulator ICs, or others, over SPMI.
Anyway, look further, there are some comments to address for this patch.
> ---
>
> drivers/spmi/spmi-mtk-pmif.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/drivers/spmi/spmi-mtk-pmif.c b/drivers/spmi/spmi-mtk-pmif.c
> index b3c991e1ea40..208ba0adfb98 100644
> --- a/drivers/spmi/spmi-mtk-pmif.c
> +++ b/drivers/spmi/spmi-mtk-pmif.c
> @@ -50,6 +50,7 @@ struct pmif {
> struct clk_bulk_data clks[PMIF_MAX_CLKS];
> size_t nclks;
> const struct pmif_data *data;
> + spinlock_t lock;
> };
>
> static const char * const pmif_clock_names[] = {
> @@ -314,6 +315,7 @@ static int pmif_spmi_read_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
> struct ch_reg *inf_reg;
> int ret;
> u32 data, cmd;
> + unsigned long flags;
>
> /* Check for argument validation. */
> if (sid & ~0xf) {
> @@ -334,6 +336,7 @@ static int pmif_spmi_read_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
> else
> return -EINVAL;
>
> + spin_lock_irqsave(&arb->lock, flags);
> /* Wait for Software Interface FSM state to be IDLE. */
> inf_reg = &arb->chan;
> ret = readl_poll_timeout_atomic(arb->base + arb->data->regs[inf_reg->ch_sta],
> @@ -350,6 +353,7 @@ static int pmif_spmi_read_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
> /* Send the command. */
> cmd = (opc << 30) | (sid << 24) | ((len - 1) << 16) | addr;
> pmif_writel(arb, cmd, inf_reg->ch_send);
> + spin_unlock_irqrestore(&arb->lock, flags);
NACK. If readl_poll_timeout_atomic() fails you're leaving the spinlock locked!!!
Please fix :-)
>
> /*
> * Wait for Software Interface FSM state to be WFVLDCLR,
> @@ -377,6 +381,7 @@ static int pmif_spmi_write_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
> struct ch_reg *inf_reg;
> int ret;
> u32 data, cmd;
> + unsigned long flags;
>
> if (len > 4) {
> dev_err(&ctrl->dev, "pmif supports 1..4 bytes per trans, but:%zu requested", len);
> @@ -394,6 +399,7 @@ static int pmif_spmi_write_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
> else
> return -EINVAL;
>
> + spin_lock_irqsave(&arb->lock, flags);
> /* Wait for Software Interface FSM state to be IDLE. */
> inf_reg = &arb->chan;
> ret = readl_poll_timeout_atomic(arb->base + arb->data->regs[inf_reg->ch_sta],
> @@ -414,6 +420,7 @@ static int pmif_spmi_write_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid,
> /* Send the command. */
> cmd = (opc << 30) | BIT(29) | (sid << 24) | ((len - 1) << 16) | addr;
> pmif_writel(arb, cmd, inf_reg->ch_send);
> + spin_unlock_irqrestore(&arb->lock, flags);
>
For performance, do the memcpy() outside of the spinlock, before waiting for IDLE.
Cheers,
Angelo