The tiler irq handler uses engine->async value, but the code that sets
engine->async and enables the interrupt does not have a barrier. This
may cause the irq handler to see the old value of engine->async, causing
memory corruption.
Reported-by: Harinarayan Bhatta <harinarayan at ti.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen at ti.com>
---
drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
index ef3d14d9cfa1..c4563af55a82 100644
--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
@@ -273,6 +273,8 @@ static int dmm_txn_commit(struct dmm_txn *txn, bool wait)
/* mark whether it is async to denote list management in IRQ handler */
engine->async = wait ? false : true;
+ /* verify that the irq handler sees the 'async' value */
+ smp_mb();
/* kick reload */
writel(engine->refill_pa,
--
2.3.0
