Re: [PATCH v8 3/3] Bluetooth: hci_qca: Disable IBS state machine and flush Tx buffer

[Balakrishna Godavarthi <bgodavar@codeaurora.org>]

On 2019-01-17 04:38, Matthias Kaehlcke wrote:
> On Wed, Jan 16, 2019 at 05:16:03PM +0530, Balakrishna Godavarthi wrote:
>> During hci down we observed IBS sleep commands are queued in the Tx
>> buffer and hci_uart_write_work is sending data to the chip which is
>> not required as the chip is powered off. This patch will disable IBS
>> and flush the Tx buffer before we turn off the chip.
>> 
>> Signed-off-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
>> ---
>>  drivers/bluetooth/hci_qca.c | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>> 
>> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
>> index 7e4afcf40da2..7330ba71ada4 100644
>> --- a/drivers/bluetooth/hci_qca.c
>> +++ b/drivers/bluetooth/hci_qca.c
>> @@ -1275,6 +1275,14 @@ static const struct qca_vreg_data qca_soc_data 
>> = {
>> 
>>  static void qca_power_shutdown(struct hci_uart *hu)
>>  {
>> +	struct qca_data *qca = hu->priv;
>> +
>> +	/* From this point we go into power off state. But serial port is
>> +	 * still open, stop queueing the IBS data and flush all the buffered
>> +	 * data in skb's.
>> +	 */
>> +	clear_bit(STATE_IN_BAND_SLEEP_ENABLED, &qca->flags);
>> +	qca_flush(hu);
>>  	host_set_baudrate(hu, 2400);
>>  	qca_send_power_pulse(hu, QCA_WCN3990_POWEROFF_PULSE);
>>  	qca_power_setup(hu, false);
> 
> Due to a race-condition there could be an IBS sleep command queued
> even after clearing the bit and flushing the queue.
> 
> In qca_enqueue() we have this:
> 
> static int qca_enqueue(struct hci_uart *hu, struct sk_buff *skb)
> {
>         ...
> 
>         /* Don't go to sleep in middle of patch download or
>          * Out-Of-Band(GPIOs control) sleep is selected.
>          */
>         if (!test_bit(STATE_IN_BAND_SLEEP_ENABLED, &qca->flags)) {
>                 skb_queue_tail(&qca->txq, skb);
>                 return 0;
>         }
> 
>         spin_lock_irqsave(&qca->hci_ibs_lock, flags);
> }
> 
> With process X executing qca_power_shutdown() and process Y running
> qca_enqueue() this could happen:
> 
> [X] test_bit(STATE_IN_BAND_SLEEP_ENABLED)  => set
> [Y] clear_bit(STATE_IN_BAND_SLEEP_ENABLED)
> [Y] qca_flush(hu);
> [X] skb_queue_tail(&qca->txq, skb);
> 
> The following should fix this race:
> 
> --- a/drivers/bluetooth/hci_qca.c
> +++ b/drivers/bluetooth/hci_qca.c
> @@ -770,16 +770,17 @@ static int qca_enqueue(struct hci_uart *hu,
> struct sk_buff *skb)
>  	/* Prepend skb with frame type */
>  	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
> 
> +	spin_lock_irqsave(&qca->hci_ibs_lock, flags);
> +
>  	/* Don't go to sleep in middle of patch download or
>  	 * Out-Of-Band(GPIOs control) sleep is selected.
>  	 */
>  	if (!test_bit(STATE_IN_BAND_SLEEP_ENABLED, &qca->flags)) {
>  		skb_queue_tail(&qca->txq, skb);
> +		spin_unlock_irqrestore(&qca->hci_ibs_lock, flags);
>  		return 0;
>  	}
> 
> -	spin_lock_irqsave(&qca->hci_ibs_lock, flags);
> -
>  	/* Act according to current state */
>  	switch (qca->tx_ibs_state) {
>  	case HCI_IBS_TX_AWAKE:
> @@ -1275,13 +1276,17 @@ static const struct qca_vreg_data qca_soc_data 
> = {
>  static void qca_power_shutdown(struct hci_uart *hu)
>  {
>  	struct qca_data *qca = hu->priv;
> +	unsigned long flags;
> 
>  	/* From this point we go into power off state. But serial port is
>  	 * still open, stop queueing the IBS data and flush all the buffered
>  	 * data in skb's.
>  	 */
> +	spin_lock_irqsave(&qca->hci_ibs_lock, flags);
>  	clear_bit(STATE_IN_BAND_SLEEP_ENABLED, &qca->flags);
>  	qca_flush(hu);
> +	spin_unlock_irqrestore(&qca->hci_ibs_lock, flags);
> +
[Bala]: Thanks for catch this. yes you are rite, we will have an byte 
queued in the skb.
         will update with the lock.

>  	host_set_baudrate(hu, 2400);
>  	qca_send_power_pulse(hu, QCA_WCN3990_POWEROFF_PULSE);
>  	qca_power_setup(hu, false);
> 
> Cheers
> 
> Matthias

-- 
Regards
Balakrishna.