From: Jan Beulich Date: Wed, 18 Jun 2008 08:28:00 +0000 (+0100) Subject: agp: two-stage page destruction issue X-Git-Tag: v2.6.26-rc7~14^2~5 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=da503fa60b84d5945deb3ab74efdd0bec61df4a1;p=linux-2.6 agp: two-stage page destruction issue besides it apparently being useful only in 2.6.24 (the changes in 2.6.25 really mean that it could be converted back to a single-stage mechanism), I'm seeing an issue in Xen Dom0 kernels, which is caused by the calling of gart_to_virt() in the second stage invocations of the destroy function. I think that besides this being a real issue with Xen (where unmap_page_from_agp() is not just a page table attribute change), this also is invalid from a theoretical perspective: One should not assume that gart_to_virt() is still valid after unmapping a page. So minimally (keeping the 2-stage mechanism) a patch like the one below would be needed. Jan Signed-off-by: Dave Airlie --- diff --git a/drivers/char/agp/backend.c b/drivers/char/agp/backend.c index b1bdd01516..1ec87104e6 100644 --- a/drivers/char/agp/backend.c +++ b/drivers/char/agp/backend.c @@ -188,10 +188,10 @@ static int agp_backend_initialize(struct agp_bridge_data *bridge) err_out: if (bridge->driver->needs_scratch_page) { - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), - AGP_PAGE_DESTROY_UNMAP); - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), - AGP_PAGE_DESTROY_FREE); + void *va = gart_to_virt(bridge->scratch_page_real); + + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_UNMAP); + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_FREE); } if (got_gatt) bridge->driver->free_gatt_table(bridge); @@ -215,10 +215,10 @@ static void agp_backend_cleanup(struct agp_bridge_data *bridge) if (bridge->driver->agp_destroy_page && bridge->driver->needs_scratch_page) { - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), - AGP_PAGE_DESTROY_UNMAP); - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), - AGP_PAGE_DESTROY_FREE); + void *va = gart_to_virt(bridge->scratch_page_real); + + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_UNMAP); + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_FREE); } } diff --git a/drivers/char/agp/generic.c b/drivers/char/agp/generic.c index 7fc0c99a3a..b6650a6319 100644 --- a/drivers/char/agp/generic.c +++ b/drivers/char/agp/generic.c @@ -202,10 +202,13 @@ void agp_free_memory(struct agp_memory *curr) } if (curr->page_count != 0) { for (i = 0; i < curr->page_count; i++) { - curr->bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[i]), AGP_PAGE_DESTROY_UNMAP); + curr->memory[i] = (unsigned long)gart_to_virt(curr->memory[i]); + curr->bridge->driver->agp_destroy_page((void *)curr->memory[i], + AGP_PAGE_DESTROY_UNMAP); } for (i = 0; i < curr->page_count; i++) { - curr->bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[i]), AGP_PAGE_DESTROY_FREE); + curr->bridge->driver->agp_destroy_page((void *)curr->memory[i], + AGP_PAGE_DESTROY_FREE); } } agp_free_key(curr->key); diff --git a/drivers/char/agp/intel-agp.c b/drivers/char/agp/intel-agp.c index eeea50a1d2..01b03402ea 100644 --- a/drivers/char/agp/intel-agp.c +++ b/drivers/char/agp/intel-agp.c @@ -418,9 +418,11 @@ static void intel_i810_free_by_type(struct agp_memory *curr) if (curr->page_count == 4) i8xx_destroy_pages(gart_to_virt(curr->memory[0])); else { - agp_bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[0]), + void *va = gart_to_virt(curr->memory[0]); + + agp_bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_UNMAP); - agp_bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[0]), + agp_bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_FREE); } agp_free_page_array(curr);