Commit da503fa60b84d5945deb3ab74efdd0bec61df4a1
Committed by
Dave Airlie
Dave Airlie
1 parent
dcd981a77b
Exists in
master
and in
7 other branches
agp: two-stage page destruction issue
besides it apparently being useful only in 2.6.24 (the changes in 2.6.25 really mean that it could be converted back to a single-stage mechanism), I'm seeing an issue in Xen Dom0 kernels, which is caused by the calling of gart_to_virt() in the second stage invocations of the destroy function. I think that besides this being a real issue with Xen (where unmap_page_from_agp() is not just a page table attribute change), this also is invalid from a theoretical perspective: One should not assume that gart_to_virt() is still valid after unmapping a page. So minimally (keeping the 2-stage mechanism) a patch like the one below would be needed. Jan Signed-off-by: Dave Airlie <airlied@redhat.com>
Showing 3 changed files with 17 additions and 12 deletions Side-by-side Diff
drivers/char/agp/backend.c
| ... | ... | @@ -188,10 +188,10 @@ |
| 188 | 188 | |
| 189 | 189 | err_out: |
| 190 | 190 | if (bridge->driver->needs_scratch_page) { |
| 191 | - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), | |
| 192 | - AGP_PAGE_DESTROY_UNMAP); | |
| 193 | - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), | |
| 194 | - AGP_PAGE_DESTROY_FREE); | |
| 191 | + void *va = gart_to_virt(bridge->scratch_page_real); | |
| 192 | + | |
| 193 | + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_UNMAP); | |
| 194 | + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_FREE); | |
| 195 | 195 | } |
| 196 | 196 | if (got_gatt) |
| 197 | 197 | bridge->driver->free_gatt_table(bridge); |
| ... | ... | @@ -215,10 +215,10 @@ |
| 215 | 215 | |
| 216 | 216 | if (bridge->driver->agp_destroy_page && |
| 217 | 217 | bridge->driver->needs_scratch_page) { |
| 218 | - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), | |
| 219 | - AGP_PAGE_DESTROY_UNMAP); | |
| 220 | - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), | |
| 221 | - AGP_PAGE_DESTROY_FREE); | |
| 218 | + void *va = gart_to_virt(bridge->scratch_page_real); | |
| 219 | + | |
| 220 | + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_UNMAP); | |
| 221 | + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_FREE); | |
| 222 | 222 | } |
| 223 | 223 | } |
| 224 | 224 |
drivers/char/agp/generic.c
| ... | ... | @@ -202,10 +202,13 @@ |
| 202 | 202 | } |
| 203 | 203 | if (curr->page_count != 0) { |
| 204 | 204 | for (i = 0; i < curr->page_count; i++) { |
| 205 | - curr->bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[i]), AGP_PAGE_DESTROY_UNMAP); | |
| 205 | + curr->memory[i] = (unsigned long)gart_to_virt(curr->memory[i]); | |
| 206 | + curr->bridge->driver->agp_destroy_page((void *)curr->memory[i], | |
| 207 | + AGP_PAGE_DESTROY_UNMAP); | |
| 206 | 208 | } |
| 207 | 209 | for (i = 0; i < curr->page_count; i++) { |
| 208 | - curr->bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[i]), AGP_PAGE_DESTROY_FREE); | |
| 210 | + curr->bridge->driver->agp_destroy_page((void *)curr->memory[i], | |
| 211 | + AGP_PAGE_DESTROY_FREE); | |
| 209 | 212 | } |
| 210 | 213 | } |
| 211 | 214 | agp_free_key(curr->key); |
drivers/char/agp/intel-agp.c
| ... | ... | @@ -418,9 +418,11 @@ |
| 418 | 418 | if (curr->page_count == 4) |
| 419 | 419 | i8xx_destroy_pages(gart_to_virt(curr->memory[0])); |
| 420 | 420 | else { |
| 421 | - agp_bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[0]), | |
| 421 | + void *va = gart_to_virt(curr->memory[0]); | |
| 422 | + | |
| 423 | + agp_bridge->driver->agp_destroy_page(va, | |
| 422 | 424 | AGP_PAGE_DESTROY_UNMAP); |
| 423 | - agp_bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[0]), | |
| 425 | + agp_bridge->driver->agp_destroy_page(va, | |
| 424 | 426 | AGP_PAGE_DESTROY_FREE); |
| 425 | 427 | } |
| 426 | 428 | agp_free_page_array(curr); |