Pandora Sourcecodes - pandora-kernel.git/commit

author	Daniel Vetter <daniel.vetter@ffwll.ch>
	Thu, 8 Sep 2011 12:00:21 +0000 (14:00 +0200)
committer	Keith Packard <keithp@keithp.com>
	Thu, 20 Oct 2011 21:11:17 +0000 (14:11 -0700)
commit	a9e2641dee52cae2db7688a749344365642a5e79
tree	55db91e129c293ab51f55702118abff2105edee0	tree \| snapshot
parent	4fb066ab9ef3111c86d9fb8f13f1178885cf7f1c	commit \| diff

drm/i915: close PM interrupt masking races in the rps work func

This patch closes the following race:

We get a PM interrupt A, mask it, set dev_priv->iir = PM_A and kick of the
work item. Scheduler isn't grumpy, so the work queue takes rps_lock,
grabs pm_iir = dev_priv->pm_iir and pm_imr = READ(PMIMR). Note that
pm_imr == pm_iir because we've just masked the interrupt we've got.

Now hw sends out PM interrupt B (not masked), we process it and mask
it.  Later on the irq handler also clears PMIIR.

Then the work item proceeds and at the end clears PMIMR. Because
(local) pm_imr == pm_iir we have
        pm_imr & ~pm_iir == 0
so all interrupts are enabled.

Hardware is still interrupt-happy, and sends out a new PM interrupt B.
PMIMR doesn't mask B (it does not mask anything), PMIIR is cleared, so
we get it and hit the WARN in the interrupt handler (because
dev_priv->pm_iir == PM_B).

That's why I've moved the
        WRITE(PMIMR, 0)
up under the protection of the rps_lock. And write an uncoditional 0
to PMIMR, because that's what we'll do anyway.

This races looks much more likely because we can arbitrarily extend
the window by grabing dev->struct mutex right after the irq handler
has processed the first PM_B interrupt.

Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Ben Widawsky <ben@bwidawsk.net>
Signed-off-by: Keith Packard <keithp@keithp.com>