[PATCH v6 05/12] power-domain: Add refcounting

Samuel Holland samuel.holland at sifive.com
Wed Apr 16 03:14:19 CEST 2025 

Hi Miquel,

On 2025-04-03 2:39 AM, Miquel Raynal wrote:
> It is very surprising that such an uclass, specifically designed to
> handle resources that may be shared by different devices, is not keeping
> the count of the number of times a power domain has been
> enabled/disabled to avoid shutting it down unexpectedly or disabling it
> several times.
> 
> Doing this causes troubles on eg. i.MX8MP because disabling power
> domains can be done in recursive loops were the same power domain
> disabled up to 4 times in a row. PGCs seem to have tight FSM internal
> timings to respect and it is easy to produce a race condition that puts
> the power domains in an unstable state, leading to ADB400 errors and
> later crashes in Linux.
> 
> CI tests using power domains are slightly updated to make sure the count
> of on/off calls is even and the results match what we *now* expect.
> 
> As we do not want to break existing users while stile getting
> interesting error codes, the implementation is split between:
> - a low-level helper reporting error codes if the requested transition
>   could not be operated,
> - a higher-level helper ignoring the "non error" codes, like EALREADY and
>   EBUSY.
> 
> Signed-off-by: Miquel Raynal <miquel.raynal at bootlin.com>
> ---
>  drivers/firmware/scmi/sandbox-scmi_devices.c     |  1 +
>  drivers/power/domain/power-domain-uclass.c       | 40 ++++++++++++++--
>  drivers/power/domain/sandbox-power-domain-test.c |  1 +
>  include/power-domain.h                           | 60 ++++++++++++++++++++----
>  test/dm/power-domain.c                           |  2 +-
>  5 files changed, 91 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/firmware/scmi/sandbox-scmi_devices.c b/drivers/firmware/scmi/sandbox-scmi_devices.c
> index 96c2922b067e2886b3fa963bcd7e396f4569a569..9f253b0fd40f703a5ec11d34c197423d27ad8b01 100644
> --- a/drivers/firmware/scmi/sandbox-scmi_devices.c
> +++ b/drivers/firmware/scmi/sandbox-scmi_devices.c
> @@ -163,4 +163,5 @@ U_BOOT_DRIVER(sandbox_scmi_devices) = {
>  	.priv_auto = sizeof(struct sandbox_scmi_device_priv),
>  	.remove = sandbox_scmi_devices_remove,
>  	.probe = sandbox_scmi_devices_probe,
> +	.flags = DM_FLAG_DEFAULT_PD_CTRL_OFF,
>  };
> diff --git a/drivers/power/domain/power-domain-uclass.c b/drivers/power/domain/power-domain-uclass.c
> index 938bd8cbc9ffd1ba2109d702f886b6a99288d063..a6e5f9ed0369eb9d2dfa66edc9e938bac6720dab 100644
> --- a/drivers/power/domain/power-domain-uclass.c
> +++ b/drivers/power/domain/power-domain-uclass.c
> @@ -12,6 +12,10 @@
>  #include <power-domain-uclass.h>
>  #include <dm/device-internal.h>
>  
> +struct power_domain_priv {
> +	int on_count;
> +};
> +
>  static inline struct power_domain_ops *power_domain_dev_ops(struct udevice *dev)
>  {
>  	return (struct power_domain_ops *)dev->driver->ops;
> @@ -107,22 +111,49 @@ int power_domain_free(struct power_domain *power_domain)
>  	return ops->rfree ? ops->rfree(power_domain) : 0;
>  }
>  
> -int power_domain_on(struct power_domain *power_domain)
> +int power_domain_on_lowlevel(struct power_domain *power_domain)
>  {
> +	struct power_domain_priv *priv = dev_get_uclass_priv(power_domain->dev);
>  	struct power_domain_ops *ops = power_domain_dev_ops(power_domain->dev);
> +	int ret;
>  
>  	debug("%s(power_domain=%p)\n", __func__, power_domain);
>  
> -	return ops->on ? ops->on(power_domain) : 0;
> +	if (priv->on_count++ > 0)
> +		return -EALREADY;

This change is broken for power domain providers with #power-domain-cells = <1>,
which can have multiple domains per provider device. There would need to be a
separate reference count per domain, and currently the uclass doesn't know the
range of valid domain IDs.

Regards,
Samuel

> +
> +	ret = ops->on ? ops->on(power_domain) : 0;
> +	if (ret) {
> +		priv->on_count--;
> +		return ret;
> +	}
> +
> +	return 0;
>  }
>  
> -int power_domain_off(struct power_domain *power_domain)
> +int power_domain_off_lowlevel(struct power_domain *power_domain)
>  {
> +	struct power_domain_priv *priv = dev_get_uclass_priv(power_domain->dev);
>  	struct power_domain_ops *ops = power_domain_dev_ops(power_domain->dev);
> +	int ret;
>  
>  	debug("%s(power_domain=%p)\n", __func__, power_domain);
>  
> -	return ops->off ? ops->off(power_domain) : 0;
> +	if (priv->on_count <= 0) {
> +		debug("Power domain %s already off.\n", power_domain->dev->name);
> +		return -EALREADY;
> +	}
> +
> +	if (priv->on_count-- > 1)
> +		return -EBUSY;
> +
> +	ret = ops->off ? ops->off(power_domain) : 0;
> +	if (ret) {
> +		priv->on_count++;
> +		return ret;
> +	}
> +
> +	return 0;
>  }
>  
>  #if CONFIG_IS_ENABLED(OF_REAL)
> @@ -180,4 +211,5 @@ int dev_power_domain_off(struct udevice *dev)
>  UCLASS_DRIVER(power_domain) = {
>  	.id		= UCLASS_POWER_DOMAIN,
>  	.name		= "power_domain",
> +	.per_device_auto = sizeof(struct power_domain_priv),
>  };
> diff --git a/drivers/power/domain/sandbox-power-domain-test.c b/drivers/power/domain/sandbox-power-domain-test.c
> index 08c15ef342b3dd3ce01807ee59b7e97337f7dde5..5b530974e942ffcba453e53be330baaf3a113a13 100644
> --- a/drivers/power/domain/sandbox-power-domain-test.c
> +++ b/drivers/power/domain/sandbox-power-domain-test.c
> @@ -51,4 +51,5 @@ U_BOOT_DRIVER(sandbox_power_domain_test) = {
>  	.id = UCLASS_MISC,
>  	.of_match = sandbox_power_domain_test_ids,
>  	.priv_auto	= sizeof(struct sandbox_power_domain_test),
> +	.flags = DM_FLAG_DEFAULT_PD_CTRL_OFF,
>  };
> diff --git a/include/power-domain.h b/include/power-domain.h
> index 18525073e5e3534fcbac6fae4e18462f29a4dc49..ad33dea76ce5808beaa4fbf4388438a504e36027 100644
> --- a/include/power-domain.h
> +++ b/include/power-domain.h
> @@ -147,37 +147,81 @@ static inline int power_domain_free(struct power_domain *power_domain)
>  #endif
>  
>  /**
> - * power_domain_on - Enable power to a power domain.
> + * power_domain_on_lowlevel - Enable power to a power domain (with refcounting)
>   *
>   * @power_domain:	A power domain struct that was previously successfully
>   *		requested by power_domain_get().
> - * Return: 0 if OK, or a negative error code.
> + * Return: 0 if the transition has been performed correctly,
> + *         -EALREADY if the domain is already on,
> + *         a negative error code otherwise.
>   */
>  #if CONFIG_IS_ENABLED(POWER_DOMAIN)
> -int power_domain_on(struct power_domain *power_domain);
> +int power_domain_on_lowlevel(struct power_domain *power_domain);
>  #else
> -static inline int power_domain_on(struct power_domain *power_domain)
> +static inline int power_domain_on_lowlevel(struct power_domain *power_domain)
>  {
>  	return -ENOSYS;
>  }
>  #endif
>  
>  /**
> - * power_domain_off - Disable power to a power domain.
> + * power_domain_on - Enable power to a power domain (ignores the actual state
> + *		      of the power domain)
>   *
>   * @power_domain:	A power domain struct that was previously successfully
>   *		requested by power_domain_get().
> - * Return: 0 if OK, or a negative error code.
> + * Return: a negative error code upon error during the transition, 0 otherwise.
> + */
> +static inline int power_domain_on(struct power_domain *power_domain)
> +{
> +	int ret;
> +
> +	ret = power_domain_on_lowlevel(power_domain);
> +	if (ret == -EALREADY)
> +		ret = 0;
> +
> +	return ret;
> +}
> +
> +/**
> + * power_domain_off_lowlevel - Disable power to a power domain (with refcounting)
> + *
> + * @power_domain:	A power domain struct that was previously successfully
> + *		requested by power_domain_get().
> + * Return: 0 if the transition has been performed correctly,
> + *         -EALREADY if the domain is already off,
> + *         -EBUSY if another device is keeping the domain on (but the refcounter
> + *         is decremented),
> + *         a negative error code otherwise.
>   */
>  #if CONFIG_IS_ENABLED(POWER_DOMAIN)
> -int power_domain_off(struct power_domain *power_domain);
> +int power_domain_off_lowlevel(struct power_domain *power_domain);
>  #else
> -static inline int power_domain_off(struct power_domain *power_domain)
> +static inline int power_domain_off_lowlevel(struct power_domain *power_domain)
>  {
>  	return -ENOSYS;
>  }
>  #endif
>  
> +/**
> + * power_domain_off - Disable power to a power domain (ignores the actual state
> + *		      of the power domain)
> + *
> + * @power_domain:	A power domain struct that was previously successfully
> + *		requested by power_domain_get().
> + * Return: a negative error code upon error during the transition, 0 otherwise.
> + */
> +static inline int power_domain_off(struct power_domain *power_domain)
> +{
> +	int ret;
> +
> +	ret = power_domain_off_lowlevel(power_domain);
> +	if (ret == -EALREADY || ret == -EBUSY)
> +		ret = 0;
> +
> +	return ret;
> +}
> +
>  /**
>   * dev_power_domain_on - Enable power domains for a device .
>   *
> diff --git a/test/dm/power-domain.c b/test/dm/power-domain.c
> index 896cf5b2ae9d26701150fad70e888f8b135a22b0..8a95f6bdb903be9d1993528d87d5cae0075a83e4 100644
> --- a/test/dm/power-domain.c
> +++ b/test/dm/power-domain.c
> @@ -27,7 +27,7 @@ static int dm_test_power_domain(struct unit_test_state *uts)
>  
>  	ut_assertok(uclass_get_device_by_name(UCLASS_MISC, "power-domain-test",
>  					      &dev_test));
> -	ut_asserteq(1, sandbox_power_domain_query(dev_power_domain,
> +	ut_asserteq(0, sandbox_power_domain_query(dev_power_domain,
>  						  TEST_POWER_DOMAIN));
>  	ut_assertok(sandbox_power_domain_test_get(dev_test));
>  
>

More information about the U-Boot mailing list