agp: two-stage page destruction issue
besides it apparently being useful only in 2.6.24 (the changes in 2.6.25
really mean that it could be converted back to a single-stage mechanism),
I'm seeing an issue in Xen Dom0 kernels, which is caused by the calling
of gart_to_virt() in the second stage invocations of the destroy function.
I think that besides this being a real issue with Xen (where
unmap_page_from_agp() is not just a page table attribute change), this
also is invalid from a theoretical perspective: One should not assume that
gart_to_virt() is still valid after unmapping a page. So minimally (keeping
the 2-stage mechanism) a patch like the one below would be needed.
Jan
Signed-off-by: Dave Airlie <airlied@redhat.com>
diff --git a/drivers/char/agp/intel-agp.c b/drivers/char/agp/intel-agp.c
index eeea50a..01b0340 100644
--- a/drivers/char/agp/intel-agp.c
+++ b/drivers/char/agp/intel-agp.c
@@ -418,9 +418,11 @@
if (curr->page_count == 4)
i8xx_destroy_pages(gart_to_virt(curr->memory[0]));
else {
- agp_bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[0]),
+ void *va = gart_to_virt(curr->memory[0]);
+
+ agp_bridge->driver->agp_destroy_page(va,
AGP_PAGE_DESTROY_UNMAP);
- agp_bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[0]),
+ agp_bridge->driver->agp_destroy_page(va,
AGP_PAGE_DESTROY_FREE);
}
agp_free_page_array(curr);