• Daniel Vetter's avatar
    drm/i915: close PM interrupt masking races in the rps work func · a9e2641d
    Daniel Vetter authored
    This patch closes the following race:
    
    We get a PM interrupt A, mask it, set dev_priv->iir = PM_A and kick of the
    work item. Scheduler isn't grumpy, so the work queue takes rps_lock,
    grabs pm_iir = dev_priv->pm_iir and pm_imr = READ(PMIMR). Note that
    pm_imr == pm_iir because we've just masked the interrupt we've got.
    
    Now hw sends out PM interrupt B (not masked), we process it and mask
    it.  Later on the irq handler also clears PMIIR.
    
    Then the work item proceeds and at the end clears PMIMR. Because
    (local) pm_imr == pm_iir we have
            pm_imr & ~pm_iir == 0
    so all interrupts are enabled.
    
    Hardware is still interrupt-happy, and sends out a new PM interrupt B.
    PMIMR doesn't mask B (it does not mask anything), PMIIR is cleared, so
    we get it and hit the WARN in the interrupt handler (because
    dev_priv->pm_iir == PM_B).
    
    That's why I've moved the
            WRITE(PMIMR, 0)
    up under the protection of the rps_lock. And write an uncoditional 0
    to PMIMR, because that's what we'll do anyway.
    
    This races looks much more likely because we can arbitrarily extend
    the window by grabing dev->struct mutex right after the irq handler
    has processed the first PM_B interrupt.
    Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
    Reviewed-by: default avatarBen Widawsky <ben@bwidawsk.net>
    Signed-off-by: default avatarKeith Packard <keithp@keithp.com>
    a9e2641d
i915_irq.c 58.3 KB