Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-4304-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Message-ID: <b8cc1486-b627-4186-a53c-8331b84e2318@quicinc.com>
Date: Sat, 4 May 2024 05:51:15 +0800
Precedence: bulk
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v1] Bluetooth: qca: Fix BT enable failure again for
 QCA6390 after warm reboot
To: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
CC: <luiz.von.dentz@intel.com>, <marcel@holtmann.org>,
        <linux-bluetooth@vger.kernel.org>, <wt@penguintechs.org>,
        <regressions@lists.linux.dev>, <stable@vger.kernel.org>
References: <1714658761-15326-1-git-send-email-quic_zijuhu@quicinc.com>
 <CABBYNZJc=Pzt02f0L3KOSLqkJ+2SwO=OZibA=0S0T3vKPDwPyw@mail.gmail.com>
 <c5998fbd-bd63-4f7d-8f51-3dd081913449@quicinc.com>
 <CABBYNZJOVnBShpgbWEpFBcu_MnHW+TKLndLKnZkkB9C71EfJNA@mail.gmail.com>
Content-Language: en-US
From: quic_zijuhu <quic_zijuhu@quicinc.com>
In-Reply-To: <CABBYNZJOVnBShpgbWEpFBcu_MnHW+TKLndLKnZkkB9C71EfJNA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

On 5/4/2024 5:25 AM, Luiz Augusto von Dentz wrote:
> Hi,
> 
> On Fri, May 3, 2024 at 4:18 PM quic_zijuhu <quic_zijuhu@quicinc.com> wrote:
>>
>> On 5/4/2024 3:22 AM, Luiz Augusto von Dentz wrote:
>>> Hi Zijun,
>>>
>>> On Thu, May 2, 2024 at 10:06 AM Zijun Hu <quic_zijuhu@quicinc.com> wrote:
>>>>
>>>> Commit 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closed
>>>> serdev") will cause below regression issue:
>>>>
>>>> BT can't be enabled after below steps:
>>>> cold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure
>>>> if property enable-gpios is not configured within DT|ACPI for QCA6390.
>>>>
>>>> The commit is to fix a use-after-free issue within qca_serdev_shutdown()
>>>> during reboot, but also introduces this regression issue regarding above
>>>> steps since the VSC is not sent to reset controller during warm reboot.
>>>>
>>>> Fixed by sending the VSC to reset controller within qca_serdev_shutdown()
>>>> once BT was ever enabled, and the use-after-free issue is also be fixed
>>>> by this change since serdev is still opened when send to serdev.
>>>>
>>>> Fixes: 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closed serdev")
>>>> Cc: stable@vger.kernel.org
>>>> Reported-by: Wren Turkal <wt@penguintechs.org>
>>>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218726
>>>> Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
>>>> Tested-by: Wren Turkal <wt@penguintechs.org>
>>>> ---
>>>>  drivers/bluetooth/hci_qca.c | 5 ++---
>>>>  1 file changed, 2 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
>>>> index 0c9c9ee56592..8e35c9091486 100644
>>>> --- a/drivers/bluetooth/hci_qca.c
>>>> +++ b/drivers/bluetooth/hci_qca.c
>>>> @@ -2450,13 +2450,12 @@ static void qca_serdev_shutdown(struct device *dev)
>>>>         struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
>>>>         struct hci_uart *hu = &qcadev->serdev_hu;
>>>>         struct hci_dev *hdev = hu->hdev;
>>>> -       struct qca_data *qca = hu->priv;
>>>>         const u8 ibs_wake_cmd[] = { 0xFD };
>>>>         const u8 edl_reset_soc_cmd[] = { 0x01, 0x00, 0xFC, 0x01, 0x05 };
>>>>
>>>>         if (qcadev->btsoc_type == QCA_QCA6390) {
>>>> -               if (test_bit(QCA_BT_OFF, &qca->flags) ||
>>>> -                   !test_bit(HCI_RUNNING, &hdev->flags))
>>>
>>> This probably deserves a comment on why you end up with
>>> HCI_QUIRK_NON_PERSISTENT_SETUP and HCI_SETUP flags here, also why you
>>> are removing the flags above since that was introduce to prevent
>>> use-after-free this sort of revert it so I do wonder how serdev can
>>> still be open if you haven't tested for QCA_BT_OFF for example?
>>>
>> okay, let me give comments at next version.
>> this design logic is shown below. you maybe review it.
>>
>> if HCI_QUIRK_NON_PERSISTENT_SETUP is set, it means that hdev->setup()
>> is able to be invoked by every open() to initializate SoC without any
>> help. so we don't need to send the VSC to reset SoC into initial and
>> clean state for the next hdev->setup() call success.
>>
>> otherwise, namely, HCI_QUIRK_NON_PERSISTENT_SETUP is not set.
>>
>> if HCI_SETUP is set, it means hdev->setup() was never be invoked, so the
>> SOC is already in the initial and clean state, so we also don't need to
>> send the VSC to reset SOC.
>>
>> otherwise, we need to send the VSC to reset Soc into a initial and clean
>> state for hdev->setup() call success after "warm reboot -> enable BT"
>>
>> for the case commit message cares about, the only factor which decide to
>> send the VSC is that SoC is a initial and clean state or not after warm
>> reboot, any other factors are irrelevant to this decision.
>>
>> why the serdev is still open after go through
>> (test_bit(HCI_QUIRK_NON_PERSISTENT_SETUP, &hdev->quirks)
>> || hci_dev_test_flag(hdev, HCI_SETUP) checking is that
>> serdev is not closed by hci_uart_close().
> 
> Sounds like a logical jump to me, in fact hci_uart_close doesn't
> really change any of those flags, beside these flags are not really
> meant to tell the driver if serdev_device_close has been called or not
> which seems to be the intention with HCI_UART_PROTO_READY so how about
> we use that instead?
> 
sorry for that i maybe not give good explanation, let me explain again.
hci_uart_close() is the only point which maybe close serdev before
qca_serdev_shutdown() is called, but for our case that
HCI_QUIRK_NON_PERSISTENT_SETUP is NOT set, hci_uart_close() will not
close serdev for our case, so serdev must be open state before sending
the VSC. so should not need other checking.

> Another thing that is troubling me is that having traffic on shutdown
> is not common, specially if you are going to reboot, etc, and even if
> it doesn't get power cycle why don't you reset on probe rather than
> shutdown? That way we don't have to depend on what has been done in a
> previous boot, which can really become a problem in case of multi-OS
> where you have another system that may not be doing what you expect.
as you know, BT UART are working at 3M baudrate for normal usage.
we can't distinguish if SoC expects 3M or default 11.52K baudarate
during probe() after reboot. so we send the VSC within shutdown to make
sure SoC enter a initial state with 11.52 baudrate.

for cold boot, SOC expects default 11.52K baudrate for probe().
for Enable BT -> warm boot, SOC expects 3M baudrate for probe().
we can't tell these two case within probe(). so need to send the VSC
within shutdown().

>> see hci_uart_close() within drivers/bluetooth/hci_serdev.c
>> static int hci_uart_close(struct hci_dev *hdev)
>> {
>> ......
>>         /* When QUIRK HCI_QUIRK_NON_PERSISTENT_SETUP is set by driver,
>>          * BT SOC is completely powered OFF during BT OFF, holding port
>>          * open may drain the battery.
>>          */
>>         if (test_bit(HCI_QUIRK_NON_PERSISTENT_SETUP, &hdev->quirks)) {
>>                 clear_bit(HCI_UART_PROTO_READY, &hu->flags);
>>                 serdev_device_close(hu->serdev);
>>         }
>>
>>         return 0;
>> }
>>
>>>> +               if (test_bit(HCI_QUIRK_NON_PERSISTENT_SETUP, &hdev->quirks) ||
>>>> +                   hci_dev_test_flag(hdev, HCI_SETUP))
>>>>                         return;
>>>>
>>>>                 serdev_device_write_flush(serdev);
>>>> --
>>>> 2.7.4
>>>>
>>>
>>>
>>
> 
>