[PATCH 1/1] usb: dwc3: meson-g12a: fix shared reset control use

Jerome Brunet jbrunet at baylibre.com
Mon Aug 24 10:26:59 EDT 2020


On Mon 24 Aug 2020 at 12:24, Philipp Zabel <p.zabel at pengutronix.de> wrote:

> Hi Jerome,
>
> On Wed, 2020-08-19 at 17:03 +0200, Jerome Brunet wrote:
>> On Mon 13 Jul 2020 at 18:05, Dan Robertson <dan at dlrobertson.com> wrote:
>> 
>> > The reset is a shared reset line, but reset_control_reset is still used
>> > and reset_control_deassert is not guaranteed to have been called before
>> > the first reset_control_assert call. When suspending the following
>> > warning may be seen:
>> 
>> And now the same type of warning may be seen on boot. This is
>> happening for me on the libretech-cc (s905x - gxl).
>> 
>> [    1.863469] ------------[ cut here ]------------
>> [    1.867914] WARNING: CPU: 1 PID: 16 at drivers/reset/core.c:309 reset_control_reset+0x130/0x150
> [...]
>> This breaks USB on this device. Reverting the change brings it back.
>> 
>> Looking at the reset framework code, I don't think drivers sharing the
>> same reset line should mix using reset_control_reset() VS
>> reset_control_assert()/reset_control_deassert()
>
> That is correct, users must not mix the assert/deassert and reset calls
> on shared resets:
>
> /**
>  * reset_control_reset - reset the controlled device
>  * @rstc: reset controller
>  *
>  * On a shared reset line the actual reset pulse is only triggered once for the
>  * lifetime of the reset_control instance: for all but the first caller this is
>  * a no-op.
>  * Consumers must not use reset_control_(de)assert on shared reset lines when
>  * reset_control_reset has been used.
>  *
>  * If rstc is NULL it is an optional reset and the function will just
>  * return 0.
>  */
>
> [...]
> diff --git a/drivers/usb/dwc3/dwc3-meson-g12a.c b/drivers/usb/dwc3/dwc3-
> meson-g12a.c
>> > index 1f7f4d88ed9d..88b75b5a039c 100644
>> > --- a/drivers/usb/dwc3/dwc3-meson-g12a.c
>> > +++ b/drivers/usb/dwc3/dwc3-meson-g12a.c
>> > @@ -737,13 +737,13 @@ static int dwc3_meson_g12a_probe(struct platform_device *pdev)
>> >  		goto err_disable_clks;
>> >  	}
>> >  
>> > -	ret = reset_control_reset(priv->reset);
>> > +	ret = reset_control_deassert(priv->reset);
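Review bot: the switch to reset_control_deassert() in dwc3_meson_g12a_probe() no longer guarantees that the controller goes through a reset at probe. If the line is already deasserted when the driver loads, the call changes nothing and the hardware keeps whatever state it was left in. It also puts this driver on the assert/deassert side of a shared line, so any other consumer of that line still calling reset_control_reset() mixes the two styles, which the kernel-doc quoted above forbids and which trips the WARN in drivers/reset/core.c. Either keep reset_control_reset() here or convert every consumer of the line in the same change.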
>> 
>> The change introduced here is significant. If the reset is not initially
>> asserted, it never will be before the life of the device.
>>
>> This means that Linux will have to deal with whatever state is left by the
>> bootloader. This looks sketchy ...
>>
>> I think the safer way to solve the problem here would be to keep using
>> reset_control_reset() and introduce a new API in the reset
>> framework to decrement the reset line "triggered_count"
>> (reset_control_clear() ??)
>> 
>> That way, if all devices using the reset line go to suspend, the line will
>> be "reset-able" again by the first device coming out of suspend ?
>>
>> Philipp, would you be ok with such new API ?
>
> I'd like to first evaluate whether the already available APIs might be a
> better fit. There is already the option of handing off exclusive control
> between multiple drivers via the reset_control_acquire/release APIs on
> exclusive reset controls.
>
> If all drivers that are now sharing the reset line would switch to
> requesting resets via devm_reset_control_get_exclusive_released()
> and then prepend their reset handling with reset_control_acquire() (but
> ignore -EBUSY) and the driver that got exclusive control releases the
> reset via reset_control_release() during suspend, this should do exactly
> what you want. Note that reset_control_release() must not be called on a
> reset control that has not been successfully acquired by the same
> driver.

In practice, I think your proposition would work since the drivers
sharing this USB reset line are likely to be probed/suspended/resumed at
the same time but ...

If we imagine a situation where 2 devices share a reset line, 1 goes into
suspend, the other does not - if the first device has control of the
reset, it could trigger it and break the 2nd device. Same goes for
probe/remove()

I agree it could be seen as unlikely but leaving such a race condition
open looks dangerous to me.

>
> Is this something that would be feasible for your combination of
> drivers? Otherwise it is unclear to me under which condition a driver
> should be allowed to call the proposed reset_control_clear().

I was thinking of reset_control_clear() as the counterpart of
reset_control_reset().

When a reset_control_reset() has been called once, "triggered_count" is
incremented which signals that the resource under the reset is
"in_use" and the reset should not be done again. reset_control_clear()
would be the way to state that the resource is no longer used and, that
from the caller perspective, the reset can be fired again if necessary.

If we take the probe / suspend / resume example:
* 1st device using the shared will actually trigger it (as it is now)
* following devices just increase triggered_count

If all devices go to suspend (calling reset_control_clear()) then
triggered_count will reach zero, allowing the first device resuming to
trigger the reset again ... this is important since it might not be the
one which would have got the exclusive control

If any device doesn't go to suspend, meaning the resource under reset
keeps on being used, no reset will be performed. With exclusive control,
there is a risk that the resuming device resets something already in use.

Regarding the condition, on shared resets, calls to reset_control_reset()
should be balanced by reset_control_clear() - no clear before reset.

>
>> In the meantime, I think this change should be reverted. A warning on
>> suspend seems less critical than a regression breaking USB completely.
>
> Agreed.
>
> regards
> Philipp
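
The counting scheme proposed in this message, as a userspace model added here for illustration; it is not code from the thread or from drivers/reset/core.c. reset_control_clear() exists only as the proposal above, and the struct, the model_* functions and the pulses counter are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model of one shared reset line; not kernel code. */
struct shared_reset {
	int deassert_count;  /* consumers holding the line deasserted */
	int triggered_count; /* consumers that called reset */
	int pulses;          /* times the hardware was actually reset */
};

/* Models reset_control_reset() on a shared line. */
int model_reset(struct shared_reset *r) {
	if (r->deassert_count != 0)
		return -EINVAL; /* mixed with (de)assert: the WARN case */
	if (r->triggered_count++ == 0)
		r->pulses++; /* only the first caller pulses the line */
	return 0;
}

/* Models reset_control_deassert() on a shared line. */
int model_deassert(struct shared_reset *r) {
	if (r->triggered_count != 0)
		return -EINVAL; /* mixed with reset: the WARN case */
	r->deassert_count++;
	return 0;
}

/* Models the proposed reset_control_clear(): balances one earlier reset. */
int model_clear(struct shared_reset *r) {
	if (r->triggered_count == 0)
		return -EINVAL; /* no clear before reset */
	r->triggered_count--;
	return 0;
}

/* Two consumers probe, n_suspend of them suspend then resume; returns pulses. */
int probe_suspend_resume(int n_suspend) {
	struct shared_reset r = {0};
	model_reset(&r); /* probe: first consumer pulses the line */
	model_reset(&r); /* probe: second consumer is a no-op */
	for (int i = 0; i < n_suspend; i++) model_clear(&r); /* suspend */
	for (int i = 0; i < n_suspend; i++) model_reset(&r); /* resume */
	return r.pulses;
}

int main(void) {
	printf("%d %d\n", probe_suspend_resume(2), probe_suspend_resume(1));
	return 0;
}
```

With both consumers suspended the count reaches zero and the first one to resume pulses the line again; with only one suspended the line is left alone.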



