Re: [PATCH] USB: hcd-pci: Fully suspend across freeze/thaw cycle

[Evan Green]

Hi Alan,

On Fri, Apr 8, 2022 at 7:29 AM Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Thu, Apr 07, 2022 at 11:59:55AM -0700, Evan Green wrote:
> > The documentation for the freeze() method says that it "should quiesce
> > the device so that it doesn't generate IRQs or DMA". The unspoken
> > consequence of not doing this is that MSIs aimed at non-boot CPUs may
> > get fully lost if they're sent during the period where the target CPU is
> > offline.
> >
> > The current callbacks for USB HCD do not fully quiesce interrupts,
> > specifically on XHCI. Change to use the full suspend/resume flow for
> > freeze/thaw to ensure interrupts are fully quiesced. This fixes issues
> > where USB devices fail to thaw during hibernation because XHCI misses
> > its interrupt and fails to recover.
>
> I don't think your interpretation is quite right.  The problem doesn't lie
> in the HCD callbacks but rather in the root-hub callbacks.
>
> Correct me if I'm wrong about xHCI, but AFAIK the host controller doesn't
> issue any interrupt requests on its own behalf; it issues IRQs only on
> behalf of its root hubs.  Given that the root hubs should be suspended
> (i.e., frozen) at this point, and hence not running, the only IRQs they
> might make would be for wakeup requests.
>
> So during freeze, wakeups should be disabled on root hubs.  Currently I
> believe we don't do this; if a root hub was already runtime suspended when
> asked to go into freeze, its wakeup setting will remain unchanged.  _That_

For my issue at least, it's the opposite. Enabling runtime pm on the
controller significantly reduces the repro rate of the lost interrupt.
I think having the controller runtime suspended reduces the overall
number of interrupts that flow in, which is why my chances to hit an
interrupt in this window drop, but aren't fully eliminated.

I think xhci may still find reasons to generate interrupts even if all
of its root hub ports are suspended without wake events. For example,
won't Port Status Change Events still come in if a device is unplugged
or overcurrents in between freeze() and thaw()? The spec does mention
that generation of this event is gated by the HCHalted flag, but at
least in my digging around I couldn't find a place where we halt the
controller through this path. With how fragile xhci (and maybe
others?) are towards lost interrupts, even if it does happen to be
perfect now, it seems like it would be more resilient to just fully
suspend the controller across this transition.

I'd also put forward the hypothesis (feel free to shoot it down!) that
unless there's a human-scale time penalty with this change, the
downsides of being more heavy handed like this across freeze/thaw are
minimal. There's always a thaw() right on the heels of freeze(), and
hibernation is such a rare and jarring transition that being able to
recover after the transition is more important than accomplishing the
transition quickly.

-Evan

> is the bug which needs to be fixed.  (Consider what would happen if a root
> hub wakes up after it is frozen but before the host controller is frozen:
> The attempt to freeze the host controller would fail, causing the entire
> hibernation transition to fail.)
>
> The whole issue of how wakeup requests should be handled during hibernation
> is a difficult one.  I don't think we have any good protection against cases
> where a wakeup request races with the system entering hibernation.  For
> instance, if a wakeup event occurs after we go into the thaw state, it won't
> even be recognized as such because the system will be running normally and
> will handle it as an ordinary event.  But then it will be consumed, so the
> wakeup signal won't remain on to reactivate the system once it has shut
> down, and when the stored kernel image is eventually restored it won't
> remember that the event ever happened.
>
> Alan Stern
>
> > Signed-off-by: Evan Green <evgreen@xxxxxxxxxxxx> ---
> >
> > You may be able to reproduce this issue on your own machine via the
> > following:
> > 1. Disable runtime PM on your XHCI controller
> > 2. Aim your XHCI IRQ at a non-boot CPU (replace 174): echo 2 >
> >    /proc/irq/174/smp_affinity
> > 3. Attempt to hibernate (no need to actually go all the way down).
> >
> > I run 2 and 3 in a loop, and can usually hit a hang or dead XHCI
> > controller within 1-2 iterations. I happened to notice this on an
> > Alderlake system where runtime PM is accidentally disabled for one of
> > the XHCI controllers. Some more discussion and debugging can be found at
> > [1].
> >
> > [1] https://lore.kernel.org/linux-pci/CAE=gft4a-QL82iFJE_xRQ3JrMmz-KZKWREtz=MghhjFbJeK=8A@xxxxxxxxxxxxxx/T/#u
> >
> > ---
> >  drivers/usb/core/hcd-pci.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c
> > index 8176bc81a635d6..e02506807ffc6c 100644
> > --- a/drivers/usb/core/hcd-pci.c
> > +++ b/drivers/usb/core/hcd-pci.c
> > @@ -616,10 +616,10 @@ const struct dev_pm_ops usb_hcd_pci_pm_ops = {
> >       .suspend_noirq  = hcd_pci_suspend_noirq,
> >       .resume_noirq   = hcd_pci_resume_noirq,
> >       .resume         = hcd_pci_resume,
> > -     .freeze         = check_root_hub_suspended,
> > -     .freeze_noirq   = check_root_hub_suspended,
> > -     .thaw_noirq     = NULL,
> > -     .thaw           = NULL,
> > +     .freeze         = hcd_pci_suspend,
> > +     .freeze_noirq   = hcd_pci_suspend_noirq,
> > +     .thaw_noirq     = hcd_pci_resume_noirq,
> > +     .thaw           = hcd_pci_resume,
> >       .poweroff       = hcd_pci_suspend,
> >       .poweroff_noirq = hcd_pci_suspend_noirq,
> >       .restore_noirq  = hcd_pci_resume_noirq,
> > --
> > 2.31.0
> >