lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Jun 2008 09:57:38 +1000 From: "Dave Airlie" <airlied@...il.com> To: "Jan Beulich" <jbeulich@...ell.com> Cc: "Dave Airlie" <airlied@...ux.ie>, linux-kernel@...r.kernel.org Subject: Re: agp: two-stage page destruction issue On Wed, Jun 18, 2008 at 6:28 PM, Jan Beulich <jbeulich@...ell.com> wrote: > Dave, > > besides it apparently being useful only in 2.6.24 (the changes in 2.6.25 > really mean that it could be converted back to a single-stage mechanism), > I'm seeing an issue in Xen Dom0 kernels, which is caused by the calling > of gart_to_virt() in the second stage invocations of the destroy function. > I think that besides this being a real issue with Xen (where > unmap_page_from_agp() is not just a page table attribute change), this > also is invalid from a theoretical perspective: One should not assume that > gart_to_virt() is still valid after unmapping a page. So minimally (keeping > the 2-stage mechanism) a patch like the one below would be needed. > Looks good to me, its the simpler change for 2.6.26 at this point. Dave. > Jan > > --- a/drivers/char/agp/backend.c > +++ b/drivers/char/agp/backend.c > @@ -188,10 +188,10 @@ static int agp_backend_initialize(struct > > err_out: > if (bridge->driver->needs_scratch_page) { > - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), > - AGP_PAGE_DESTROY_UNMAP); > - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), > - AGP_PAGE_DESTROY_FREE); > + void *va = gart_to_virt(bridge->scratch_page_real); > + > + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_UNMAP); > + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_FREE); > } > if (got_gatt) > bridge->driver->free_gatt_table(bridge); > @@ -215,10 +215,10 @@ static void agp_backend_cleanup(struct a > > if (bridge->driver->agp_destroy_page && > bridge->driver->needs_scratch_page) { > - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), > - AGP_PAGE_DESTROY_UNMAP); > - bridge->driver->agp_destroy_page(gart_to_virt(bridge->scratch_page_real), > - AGP_PAGE_DESTROY_FREE); > + void *va = gart_to_virt(bridge->scratch_page_real); > + > + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_UNMAP); > + bridge->driver->agp_destroy_page(va, AGP_PAGE_DESTROY_FREE); > } > } > > --- a/drivers/char/agp/generic.c > +++ b/drivers/char/agp/generic.c > @@ -202,10 +202,13 @@ void agp_free_memory(struct agp_memory * > } > if (curr->page_count != 0) { > for (i = 0; i < curr->page_count; i++) { > - curr->bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[i]), AGP_PAGE_DESTROY_UNMAP); > + curr->memory[i] = (unsigned long)gart_to_virt(curr->memory[i]); > + curr->bridge->driver->agp_destroy_page((void *)curr->memory[i], > + AGP_PAGE_DESTROY_UNMAP); > } > for (i = 0; i < curr->page_count; i++) { > - curr->bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[i]), AGP_PAGE_DESTROY_FREE); > + curr->bridge->driver->agp_destroy_page((void *)curr->memory[i], > + AGP_PAGE_DESTROY_FREE); > } > } > agp_free_key(curr->key); > --- a/drivers/char/agp/intel-agp.c > +++ b/drivers/char/agp/intel-agp.c > @@ -428,9 +428,11 @@ static void intel_i810_free_by_type(stru > if (curr->page_count == 4) > i8xx_destroy_pages(gart_to_virt(curr->memory[0])); > else { > - agp_bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[0]), > + void *va = gart_to_virt(curr->memory[0]); > + > + agp_bridge->driver->agp_destroy_page(va, > AGP_PAGE_DESTROY_UNMAP); > - agp_bridge->driver->agp_destroy_page(gart_to_virt(curr->memory[0]), > + agp_bridge->driver->agp_destroy_page(va, > AGP_PAGE_DESTROY_FREE); > } > agp_free_page_array(curr); > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists