From: Liviu Dudau <liviu.dudau@arm.com>
To: Boris Brezillon <boris.brezillon@collabora.com>
Cc: Steven Price <steven.price@arm.com>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@gmail.com>, Simona Vetter <simona@ffwll.ch>,
Nicolas Frattaroli <nicolas.frattaroli@collabora.com>,
Chia-I Wu <olvaffe@gmail.com>,
Karunika Choo <karunika.choo@arm.com>,
dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
sashiko-bot@kernel.org
Subject: Re: [PATCH 05/11] drm/panthor: Fix theoretical IOMEM access in suspended state
Date: Fri, 26 Jun 2026 10:29:54 +0100 [thread overview]
Message-ID: <aj5GkoBpmrpMWHSV@e142607> (raw)
In-Reply-To: <20260625-panthor-misc-fixes-v1-5-b67ed973fea6@collabora.com>
On Thu, Jun 25, 2026 at 02:40:31PM +0200, Boris Brezillon wrote:
> In theory, our hardirq handler can be called while the device (and
> thus the panthor_irq) is suspended, because the IRQ line is shared.
> In practice though, in all the designs we've seen, the line is only
> shared within the GPU, and because sub-component suspend state is
> consistent (all-suspended or all-resumed), we shouldn't end up with
> an interrupt triggered while we're suspended.
>
> Fix the problem anyway, if nothing else, for our sanity.
>
> Fixes: 0b2d86670a84 ("drm/panthor: Rework panthor_irq::suspended into panthor_irq::state")
> Reported-by: sashiko-bot@kernel.org
> Closes: https://sashiko.dev/#/patchset/20260625-panthor-signal-from-irq-v4-0-3d2908912afa@collabora.com?part=1
> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
> ---
> drivers/gpu/drm/panthor/panthor_device.h | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/panthor/panthor_device.h b/drivers/gpu/drm/panthor/panthor_device.h
> index 35679bfa1f3a..a39386bd6382 100644
> --- a/drivers/gpu/drm/panthor/panthor_device.h
> +++ b/drivers/gpu/drm/panthor/panthor_device.h
> @@ -512,9 +512,6 @@ static irqreturn_t panthor_ ## __name ## _irq_raw_handler(int irq, void *data)
> struct panthor_irq *pirq = data; \
> enum panthor_irq_state old_state; \
> \
> - if (!gpu_read(pirq->iomem, INT_STAT)) \
> - return IRQ_NONE; \
> - \
> guard(spinlock_irqsave)(&pirq->mask_lock); \
> old_state = atomic_cmpxchg(&pirq->state, \
> PANTHOR_IRQ_STATE_ACTIVE, \
> @@ -522,6 +519,13 @@ static irqreturn_t panthor_ ## __name ## _irq_raw_handler(int irq, void *data)
> if (old_state != PANTHOR_IRQ_STATE_ACTIVE) \
> return IRQ_NONE; \
> \
> + if (!gpu_read(pirq->iomem, INT_STAT)) { \
> + atomic_cmpxchg(&pirq->state, \
> + PANTHOR_IRQ_STATE_PROCESSING, \
> + PANTHOR_IRQ_STATE_ACTIVE); \
> + return IRQ_NONE; \
> + } \
Hmm,
I get it that you're trying to revert the effect of the previous atomic_cmpxchg() here but it feels
like a better option would be to not do the swap at all if the state is not ACTIVE.
Best regards,
Liviu
> + \
> gpu_write(pirq->iomem, INT_MASK, 0); \
> return IRQ_WAKE_THREAD; \
> } \
>
> --
> 2.54.0
>
--
====================
| I would like to |
| fix the world, |
| but they're not |
| giving me the |
\ source code! /
---------------
¯\_(ツ)_/¯
next prev parent reply other threads:[~2026-06-26 9:30 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 12:40 [PATCH 00/11] drm/panthor: Misc fixes for bugs found by shashiko Boris Brezillon
2026-06-25 12:40 ` [PATCH 01/11] drm/panthor: Always use the IRQ-safe variant when acquiring the fence lock Boris Brezillon
2026-06-26 9:11 ` Liviu Dudau
2026-06-25 12:40 ` [PATCH 02/11] drm/panthor: Keep the reset work disabled until everything is initialized Boris Brezillon
2026-06-26 9:13 ` Liviu Dudau
2026-06-25 12:40 ` [PATCH 03/11] drm/panthor: Fix UAF on works queued to panthor_cleanup_wq Boris Brezillon
2026-06-25 14:20 ` Boris Brezillon
2026-06-25 12:40 ` [PATCH 04/11] drm/panthor: Fix potential invalid pointer deref in group_process_tiler_oom() Boris Brezillon
2026-06-26 9:14 ` Liviu Dudau
2026-06-25 12:40 ` [PATCH 05/11] drm/panthor: Fix theoretical IOMEM access in suspended state Boris Brezillon
2026-06-26 9:29 ` Liviu Dudau [this message]
2026-06-26 11:40 ` Boris Brezillon
2026-06-26 13:13 ` Liviu Dudau
2026-06-25 12:40 ` [PATCH 06/11] drm/panthor: Don't overrule pending immediate ticks in sched_resume_tick() Boris Brezillon
2026-06-26 12:45 ` Liviu Dudau
2026-06-26 13:19 ` Boris Brezillon
2026-06-25 12:40 ` [PATCH 07/11] drm/panthor: Fix panthor_pwr_unplug() Boris Brezillon
2026-06-26 12:42 ` Liviu Dudau
2026-06-25 12:40 ` [PATCH 08/11] drm/panthor: Drop a needless check in panthor_fw_unplug() Boris Brezillon
2026-06-26 13:11 ` Liviu Dudau
2026-06-25 12:40 ` [PATCH 09/11] drm/panthor: Fix a leak when a group is evicted before the tiler OOM is serviced Boris Brezillon
2026-06-26 13:12 ` Liviu Dudau
2026-06-25 12:40 ` [PATCH 10/11] drm/panthor: Interrupt group start/resumption if group_bind_locked() fails Boris Brezillon
2026-06-26 13:14 ` Liviu Dudau
2026-06-25 12:40 ` [PATCH 11/11] drm/panthor: Keep interrupts masked until they are needed Boris Brezillon
2026-06-26 13:18 ` Liviu Dudau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aj5GkoBpmrpMWHSV@e142607 \
--to=liviu.dudau@arm.com \
--cc=airlied@gmail.com \
--cc=boris.brezillon@collabora.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=karunika.choo@arm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=nicolas.frattaroli@collabora.com \
--cc=olvaffe@gmail.com \
--cc=sashiko-bot@kernel.org \
--cc=simona@ffwll.ch \
--cc=steven.price@arm.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox