From da503fa60b84d5945deb3ab74efdd0bec61df4a1 Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich@novell.com>
Date: Wed, 18 Jun 2008 09:28:00 +0100
Subject: [PATCH] agp: two-stage page destruction issue
besides it apparently being useful only in 2.6.24 (the changes in 2.6.25
really mean that it could be converted back to a single-stage mechanism),
I'm seeing an issue in Xen Dom0 kernels, which is caused by the calling
of gart_to_virt() in the second stage invocations of the destroy function.
I think that besides this being a real issue with Xen (where
unmap_page_from_agp() is not just a page table attribute change), this
also is invalid from a theoretical perspective: One should not assume that
gart_to_virt() is still valid after unmapping a page. So minimally (keeping
the 2-stage mechanism) a patch like the one below would be needed.
Jan
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
drivers/char/agp/backend.c | 16 ++++++++--------
drivers/char/agp/generic.c | 7 +++++--
drivers/char/agp/intel-agp.c | 6 ++++--
3 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/drivers/char/agp/backend.c b/drivers/char/agp/backend.c
index b1bdd015165c0..1ec87104e68cf 100644
--- a/drivers/char/agp/backend.c
+++ b/drivers/char/agp/backend.c
@@ -188,10 +188,10 @@ static int agp_backend_initialize(struct agp_bridge_data *bridge)
err_out:
if (bridge->driver->needs_scratch_page) {
- bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real),
- AGP_PAGE_DESTROY_UNMAP);
- bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real),
- AGP_PAGE_DESTROY_FREE);
+ void *va = gart_to_virt(bridge->scratch_page_real);
+
+ bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_UNMAP);
+ bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_FREE);
}
if (got_gatt)
bridge->driver->free_gatt_table(bridge);
@@ -215,10 +215,10 @@ static void agp_backend_cleanup(struct agp_bridge_data *bridge)
if (bridge->driver->agp_destroy_page &&
bridge->driver->needs_scratch_page) {
- bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real),
- AGP_PAGE_DESTROY_UNMAP);
- bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real),
- AGP_PAGE_DESTROY_FREE);
+ void *va = gart_to_virt(bridge->scratch_page_real);
+
+ bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_UNMAP);
+ bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_FREE);
}
}
diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c
index 7fc0c99a3a585..b6650a63197dd 100644
--- a/drivers/char/agp/generic.c
+++ b/drivers/char/agp/generic.c
@@ -202,10 +202,13 @@ void agp_free_memory(struct agp_memory *curr)
}
if (curr->page_count != 0) {
for (i = 0; i < curr->page_count; i++) {
- curr->bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[i]), AGP_PAGE_DESTROY_UNMAP);
+ curr->memory[i] = (unsigned long)gart_to_virt(curr->memory[i]);
+ curr->bridge->driver->agp_destroy_page((void *)curr->memory[i],
+ AGP_PAGE_DESTROY_UNMAP);
}
for (i = 0; i < curr->page_count; i++) {
- curr->bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[i]), AGP_PAGE_DESTROY_FREE);
+ curr->bridge->driver->agp_destroy_page((void *)curr->memory[i],
+ AGP_PAGE_DESTROY_FREE);
}
}
agp_free_key(curr->key);
diff --git a/drivers/char/agp/intel-agp.c b/drivers/char/agp/intel-agp.c
index eeea50a1d22ac..01b03402ea926 100644
--- a/drivers/char/agp/intel-agp.c
+++ b/drivers/char/agp/intel-agp.c
@@ -418,9 +418,11 @@ static void intel_i810_free_by_type(struct agp_memory *curr)
if (curr->page_count == 4)
i8xx_destroy_pages(gart_to_virt(curr->memory[0]));
else {
- agp_bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[0]),
+ void *va = gart_to_virt(curr->memory[0]);
+
+ agp_bridge->driver->agp_destroy_page(va,
AGP_PAGE_DESTROY_UNMAP);
- agp_bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[0]),
+ agp_bridge->driver->agp_destroy_page(va,
AGP_PAGE_DESTROY_FREE);
}
agp_free_page_array(curr);
--
GitLab