On Fri, 17 Mar 2017 13:54:28 -0500 Grygorii Strashko <grygorii.strashko@xxxxxx> wrote: > On 03/17/2017 12:54 PM, David Rivshin wrote: > > Hi Grygorii, > > > > On Fri, 17 Mar 2017 11:45:56 -0500 > > Grygorii Strashko <grygorii.strashko@xxxxxx> wrote: > > > >> On 03/16/2017 07:57 PM, David Rivshin wrote: > >>> From: David Rivshin <DRivshin@xxxxxxxxxxx> > >>> > >>> omap_gpio_debounce() does not validate that the requested debounce > >>> is within a range it can handle. Instead it lets the register value > >>> wrap silently, and always returns success. > >>> > >>> This can lead to all sorts of unexpected behavior, such as gpio_keys > >>> asking for a too-long debounce, but getting a very short debounce in > >>> practice. > >>> > >>> Fix this by returning -EINVAL if the requested value does not fit into > >>> the register field. If there is no debounce clock available at all, > >>> return -ENOTSUPP. > >> > >> In general this patch looks good, but there is one thing I'm worry about.. > >> > >>> > >>> Fixes: e85ec6c3047b ("gpio: omap: fix omap2_set_gpio_debounce") > >>> Cc: <stable@xxxxxxxxxxxxxxx> # 4.3+ > >>> Signed-off-by: David Rivshin <drivshin@xxxxxxxxxxx> > >>> --- > >>> drivers/gpio/gpio-omap.c | 16 +++++++++++----- > >>> 1 file changed, 11 insertions(+), 5 deletions(-) > >>> > >>> diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c > >>> index efc85a2..33ec02d 100644 > >>> --- a/drivers/gpio/gpio-omap.c > >>> +++ b/drivers/gpio/gpio-omap.c > >>> @@ -208,8 +208,10 @@ static inline void omap_gpio_dbck_disable(struct gpio_bank *bank) > >>> * OMAP's debounce time is in 31us steps > >>> * <debounce time> = (GPIO_DEBOUNCINGTIME[7:0].DEBOUNCETIME + 1) x 31 > >>> * so we need to convert and round up to the closest unit. > >>> + * > >>> + * Return: 0 on success, negative error otherwise. > >>> */ > >>> -static void omap2_set_gpio_debounce(struct gpio_bank *bank, unsigned offset, > >>> +static int omap2_set_gpio_debounce(struct gpio_bank *bank, unsigned offset, > >>> unsigned debounce) > >>> { > >>> void __iomem *reg; > >>> @@ -218,11 +220,12 @@ static void omap2_set_gpio_debounce(struct gpio_bank *bank, unsigned offset, > >>> bool enable = !!debounce; > >>> > >>> if (!bank->dbck_flag) > >>> - return; > >>> + return -ENOTSUPP; > >>> > >>> if (enable) { > >>> debounce = DIV_ROUND_UP(debounce, 31) - 1; > >>> - debounce &= OMAP4_GPIO_DEBOUNCINGTIME_MASK; > >>> + if ((debounce & OMAP4_GPIO_DEBOUNCINGTIME_MASK) != debounce) > >>> + return -EINVAL; > >> > >> This might cause boot issues as current drivers may expect this op to succeed even if > >> configured value is wrong - just think, may be we can do warn here and use max value as > >> fallback? > > > > I have not looked through all drivers to be sure, but at least the gpio-keys > > driver requires set_debounce to return an error if it can't satisfy the request. > > In that case gpio-keys will use a software timer instead. > > > > if (button->debounce_interval) { > > error = gpiod_set_debounce(bdata->gpiod, > > button->debounce_interval * 1000); > > /* use timer if gpiolib doesn't provide debounce */ > > if (error < 0) > > bdata->software_debounce = > > button->debounce_interval; > > } > > > > Also, at least some other GPIO drivers (e.g. gpio-max7760) return -EINVAL in > > such a case. And gpiolib will return -ENOTSUPP if there is no debounce > > callback at all. So I expect all drivers which use gpiod_set_debounce() to > > handle error returns gracefully. > > > > So I certainly understand the concern about backwards compatibility, but I > > think clipping to max is the greater of the evils in this case. Even a > > warning may be too much, because it's not necessarily anything wrong. > > Perhaps an info or debug message would be helpful, though? > > > > If you prefer, I can try to go through all callers of gpiod_set_debounce() > > and see how they'd handle an error return. The handful I've looked through so > > far all behave like gpio-keys. The only ones I'd be particularly concerned > > about are platform-specific drivers which were perhaps never used with other > > gpio drivers. Do you know of that I should pay special attention to? > > Yeh agree. But the problem here will be not only with drivers itself - it can be wrong data in DT :( > As result, even gpio-keys driver will just silently switch to software_debounce > without any notification. I think that switching to software_debounce silently is exactly the intended/desired behavior of gpio-keys (and other drivers). For example, if the DT requests a 20ms debounce on a gpio-key, the existing math resulted in a hardware debounce of just 2ms. With the error return, gpio-keys would silently switch to software_debounce of the requested 20ms (potentially longer if the CPU is busy, but I don't think that's a problem for correctness), exactly what the DT asked for. Of course that would be a change in behavior for any such existing DT, and it's conceivable that the DT for some HW is somehow relying on that previous incorrect behavior. I suspect it's more likely that they are silently broken, and no-one has noticed. A quick search of some in-tree DTs finds most debounce times are 5ms (which has no issue), and then these three examples (all happen to be gpio-keys): am335x-shc.dts: debounce-interval = <1000>; am335x-shc.dts: debounce-interval = <1000>; omap5-uevm.dts: debounce_interval = <50>; The first two currently result in a HW debounce of about 4ms. The third would be 2.5ms, except it's the wrong property name so it does nothing (it gets the default gpio-keys debounce of 5ms). Not having seen any of that hardware, I can't say for certain what the true HW requirements are. 1000ms does seem like a long debounce, perhaps the author meant 1ms (1000us) for those buttons? Or perhaps it really needs a 1000ms debounce, and is currently wrong? > > But agree - max might not be a good choose, so can you add dev_err() below, pls. Given the above, I personally feel that a dev_err() is undesirable in most cases. If I have a system and matching DT that just happens to need a longer debounce than the GPIO HW is capable of, gpio-keys (etc) does the best it can automatically. I don't consider that there is any error in that case, or anything to be fixed. I can understanding wanting to draw attention to a change in behavior (just in case the DT is incorrect), but I'd personally lean towards dev_info() if anything. That said: if you still prefer dev_err(), I will certainly do so. Tangent: This discussion makes me think that adding a gpiod_get_max_debounce() would allow even better behavior. Then asking for a too-high debounce could be a dev_err() in all gpio drivers, with the expectation that no driver should ask for such. Also, drivers could do something like use max hardware debounce plus a software debounce for the remaining time, in order to avoid CPU overhead on short glitches. > >> > >>> } > >>> > >>> l = BIT(offset); > >>> @@ -255,6 +258,8 @@ static void omap2_set_gpio_debounce(struct gpio_bank *bank, unsigned offset, > >>> bank->context.debounce = debounce; > >>> bank->context.debounce_en = val; > >>> } > >>> + > >>> + return 0; > >>> } > >>> > >>> /** > >>> @@ -964,14 +969,15 @@ static int omap_gpio_debounce(struct gpio_chip *chip, unsigned offset, > >>> { > >>> struct gpio_bank *bank; > >>> unsigned long flags; > >>> + int ret; > >>> > >>> bank = gpiochip_get_data(chip); > >>> > >>> raw_spin_lock_irqsave(&bank->lock, flags); > >>> - omap2_set_gpio_debounce(bank, offset, debounce); > >>> + ret = omap2_set_gpio_debounce(bank, offset, debounce); > >>> raw_spin_unlock_irqrestore(&bank->lock, flags); > > if (ret) dev_err(); > > >>> > >>> - return 0; > >>> + return ret; > >>> } > >>> > >>> static int omap_gpio_set_config(struct gpio_chip *chip, unsigned offset, > >>> > >> > > > > >