Coverity spotted a "use after free" bug in
drivers/char/agp/amd-k7-agp.c::amd_create_gatt_pages().
The problem is this:
If "entry = kzalloc(sizeof(struct amd_page_map), GFP_KERNEL);"
fails, then there's a loop in the function to free all entries
allocated so far and break out of the allocation loop. That in itself
is pretty sane, but then the (now freed) 'tables' is assigned to
amd_irongate_private.gatt_pages and 'retval' is set to -ENOMEM which
causes amd_free_gatt_pages(); to be called at the end of the function.
The problem with this is that amd_free_gatt_pages() will then loop
'amd_irongate_private.num_tables' times and try to free each entry in
tables[] - this is bad since tables has already been freed and
furthermore it will call kfree(tables) at the end - a double free.
This patch removes the freeing loop in amd_create_gatt_pages() and
instead relies entirely on the call to amd_free_gatt_pages() to free
everything we allocated in case of an error. It also sets
amd_irongate_private.num_tables to the actual number of entries
allocated instead of just using the value passed in from the caller -
this ensures that amd_free_gatt_pages() will only attempt to free
stuff that was actually allocated.
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
With Andi's clflush fixup, we were getting hangs on server exit, flushing the
mappings after freeing each page helped.
This showed up a race condition where the pages after being freed could be
reused before the agp mappings had been flushed. Flushing after each single
page is a bad thing for future drm work, so make the page destroy a two pass
unmapping all the pages, flushing the mappings, and then destroying the pages.
Signed-off-by: Dave Airlie <airlied@linux.ie>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
This reverts commit f443675aff, which
breaks horribly if you aren't running an unreleased xf86-video-intel
driver out of git.
Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
Cc: Dave Airlie <airlied@linux.ie>
Cc: Zhenyu Wang <zhenyu.z.wang@intel.com>
Acked-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The mask on i830 should be 0x70 always, later chips 0xF0 should be okay.
Signed-off-by: Dave Airlie <airlied@linux.ie>
Acked-by: Zhenyu Wang <zhenyu.z.wang@intel.com>
Cc: Michael Haas <laga@laga.ath.cx>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
G33 has 1MB GTT table range. Fix GTT mapping in case like 512MB aperture
size.
Signed-off-by: Zhenyu Wang <zhenyu.z.wang@intel.com>
Acked-by: Dave Airlie <airlied@linux.ie>
Cc: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
G33 GTT stolen memory is below graphics data stolen memory and be seperate,
so don't subtract it in stolen mem counting.
Signed-off-by: Zhenyu Wang <zhenyu.z.wang@intel.com>
Acked-by: Dave Airlie <airlied@linux.ie>
Cc: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
patchset against 2.6.23-rc3.
corrects missing ioremap return checks and balancing on iounmap calls, integrated changes per list
recommendations on the original set of patches..
Signed-off-by: Scott Thompson <postfail <at> hushmail.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
(This is a resend of a patch originally submitted on 24-Jul-2007 00:14)
Ok, this is something the coverity checker found (CID: 1813).
I'm not at all intimate with this code, so I'm not sure if this
attempt at a fix is correct (but at least it compiles).
Please look it over and NACK if bad or merge if good ;-)
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
Fix some missing places to check with device id info, which
should probe the device gart correctly.
Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
AGP should not need to lock pages. They are not protecting any race
because there is no lock_page calls, only SetPageLocked.
This is causing hangs with d00806b183.
Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Hi,
Coverity spotted a "use after free" bug in
drivers/char/agp/ati-agp.c::ati_create_gatt_pages().
The same one that was in
drivers/char/agp/amd-k7-agp.c::amd_create_gatt_pages()
The problem is this:
If "entry = kzalloc(sizeof(struct ati_page_map), GFP_KERNEL);"
fails, then there's a loop in the function to free all entries
allocated so far and break out of the allocation loop. That in itself
is pretty sane, but then the (now freed) 'tables' is assigned to
ati_generic_private.gatt_pages and 'retval' is set to -ENOMEM which
causes ati_free_gatt_pages(); to be called at the end of the function.
The problem with this is that ati_free_gatt_pages() will then loop
'ati_generic_private.num_tables' times and try to free each entry in
tables[] - this is bad since tables has already been freed and
furthermore it will call kfree(tables) at the end - a double free.
This patch removes the freeing loop in ati_create_gatt_pages() and
instead relies entirely on the call to ati_free_gatt_pages() to free
everything we allocated in case of an error. It also sets
ati_generic_private.num_tables to the actual number of entries
allocated instead of just using the value passed in from the caller -
this ensures that ati_free_gatt_pages() will only attempt to free
stuff that was actually allocated.
Note: I'm in no way intimate with this code and I have no way to
actually test this patch (besides compile test it), so while I've
tried to be careful in reading the code and make sure the patch
does the right thing an ACK from someone who actually knows the
code in-depth would be very much appreciated.
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
Instead of all drivers reading pci config space to get the revision
ID, they can now use the pci_device->revision member.
This exposes some issues where drivers where reading a word or a dword
for the revision number, and adding useless error-handling around the
read. Some drivers even just read it for no purpose of all.
In devices where the revision ID is being copied over and used in what
appears to be the equivalent of hotpath, I have left the copy code
and the cached copy as not to influence the driver's performance.
Compile tested with make all{yes,mod}config on x86_64 and i386.
Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com>
Acked-by: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Most of the AGP changes recently have been done in lock-step with
DRM updates, so it's probably easier to have airlied pushing
AGP changes at the same time he does DRM updates.
[Also remove my name from the boot messages.
Cautionary tale to others: Never do this, when computers
don't boot, people assume you're responsible even if 15
other subsystems initialised after yours. :-) ]
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
After i915 chip, GMCH has no AGP port. Origin bridge driver in device
table will try to access illegal regs like APBASE, APSIZE, etc. This
may cause problem.
So mark them as NULL in the table, we won't load if no IGD got detect
and bridge has no AGP port.
Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
This patch trys to fix device probe in two cases. First we should
correctly detect device if integrated graphics device is not enabled
or exists, like an add-in card is plugged. Second on some type of intel
GMCH, it might have multiple graphic chip models, like 945GME case, so
we should be sure the detect works through the whole table.
Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
* master.kernel.org:/pub/scm/linux/kernel/git/davej/agpgart:
[AGPGART] intel_agp: Add support for G33, Q33 and Q35 chipsets
[AGPGART] intel_agp: add support for 945GME
[AGPGART] intel_agp: add support for 965GME/GLE
[AGPGART] intel_agp: use table for device probe
[AGPGART] intel_agp: cleanup intel private data
This patch adds pci ids for G33, Q33 and Q35 chips, and update with new
GTT size and stolen mem size detect method on these chips.
Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Fixed issues noted by Christoph Hellwig, and I changed device table
scan a bit to allow the case that some models of graphics chips may
have same host bridge type. This type of chip will be added in the future.
This patch cleans up device probe function. Eric Anholt was the original author.
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Remove volatile type declare for IO mem variables.
A single private gart data is used by all drivers, this
makes it clean. Eric Anholt wrote the original patch.
Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
First thing mm.h does is including sched.h solely for can_do_mlock() inline
function which has "current" dereference inside. By dealing with can_do_mlock()
mm.h can be detached from sched.h which is good. See below, why.
This patch
a) removes unconditional inclusion of sched.h from mm.h
b) makes can_do_mlock() normal function in mm/mlock.c
c) exports can_do_mlock() to not break compilation
d) adds sched.h inclusions back to files that were getting it indirectly.
e) adds less bloated headers to some files (asm/signal.h, jiffies.h) that were
getting them indirectly
Net result is:
a) mm.h users would get less code to open, read, preprocess, parse, ... if
they don't need sched.h
b) sched.h stops being dependency for significant number of files:
on x86_64 allmodconfig touching sched.h results in recompile of 4083 files,
after patch it's only 3744 (-8.3%).
Cross-compile tested on
all arm defconfigs, all mips defconfigs, all powerpc defconfigs,
alpha alpha-up
arm
i386 i386-up i386-defconfig i386-allnoconfig
ia64 ia64-up
m68k
mips
parisc parisc-up
powerpc powerpc-up
s390 s390-up
sparc sparc-up
sparc64 sparc64-up
um-x86_64
x86_64 x86_64-up x86_64-defconfig x86_64-allnoconfig
as well as my two usual configs.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
there is a wrong id in drivers/char/agp/via-agp.c
#define PCI_DEVICE_ID_VIA_CX700 0x8324
It must be 0x0324
Notice that PCI_DEVICE_ID_VIA_CX700 is also used in
drivers/i2c/busses/i2c-viapro.c and
drivers/ide/pci/via82cxxx.c
So, I think that constant must be renamed to avoid conflicting.
I attached a proposed patch.
Signed-off-by: Dave Jones <davej@redhat.com>
I'm using a custom BIOS to configure the northbridge GART at address
0x80000000, size 2G. Linux complains:
"Aperture from northbridge cpu 0 beyond 4GB. Ignoring."
I think there's an off-by-two error in arch/x86_64/kernel/aperture.c:
AK: use correct types for i386
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* 'for-linus' of git://one.firstfloor.org/home/andi/git/linux-2.6: (231 commits)
[PATCH] i386: Don't delete cpu_devs data to identify different x86 types in late_initcall
[PATCH] i386: type may be unused
[PATCH] i386: Some additional chipset register values validation.
[PATCH] i386: Add missing !X86_PAE dependincy to the 2G/2G split.
[PATCH] x86-64: Don't exclude asm-offsets.c in Documentation/dontdiff
[PATCH] i386: avoid redundant preempt_disable in __unlazy_fpu
[PATCH] i386: white space fixes in i387.h
[PATCH] i386: Drop noisy e820 debugging printks
[PATCH] x86-64: Fix allnoconfig error in genapic_flat.c
[PATCH] x86-64: Shut up warnings for vfat compat ioctls on other file systems
[PATCH] x86-64: Share identical video.S between i386 and x86-64
[PATCH] x86-64: Remove CONFIG_REORDER
[PATCH] x86-64: Print type and size correctly for unknown compat ioctls
[PATCH] i386: Remove copy_*_user BUG_ONs for (size < 0)
[PATCH] i386: Little cleanups in smpboot.c
[PATCH] x86-64: Don't enable NUMA for a single node in K8 NUMA scanning
[PATCH] x86: Use RDTSCP for synchronous get_cycles if possible
[PATCH] i386: Add X86_FEATURE_RDTSCP
[PATCH] i386: Implement X86_FEATURE_SYNC_RDTSC on i386
[PATCH] i386: Implement alternative_io for i386
...
Fix up trivial conflict in include/linux/highmem.h manually.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* master.kernel.org:/pub/scm/linux/kernel/git/gregkh/pci-2.6: (59 commits)
PCI: Free resource files in error path of pci_create_sysfs_dev_files()
pci-quirks: disable MSI on RS400-200 and RS480
PCI hotplug: Use menuconfig objects
PCI: ZT5550 CPCI Hotplug driver fix
PCI: rpaphp: Remove semaphores
PCI: rpaphp: Ensure more pcibios_add/pcibios_remove symmetry
PCI: rpaphp: Use pcibios_remove_pci_devices() symmetrically
PCI: rpaphp: Document is_php_dn()
PCI: rpaphp: Document find_php_slot()
PCI: rpaphp: Rename rpaphp_register_pci_slot() to rpaphp_enable_slot()
PCI: rpaphp: refactor tail call to rpaphp_register_slot()
PCI: rpaphp: remove rpaphp_set_attention_status()
PCI: rpaphp: remove print_slot_pci_funcs()
PCI: rpaphp: Remove setup_pci_slot()
PCI: rpaphp: remove a call that does nothing but a pointer lookup
PCI: rpaphp: Remove another wrappered function
PCI: rpaphp: Remve another call that is a wrapper
PCI: rpaphp: remove a function that does nothing but wrap debug printks
PCI: rpaphp: Remove un-needed goto
PCI: rpaphp: Fix a memleak; slot->location string was never freed
...
Convert code that allocs a struct pci_dev to use alloc_pci_dev().
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Under CONFIG_DISCONTIGMEM, assuming that a !pfn_valid() implies all
subsequent pfn-s are also invalid is wrong. Thus replace this by
explicitly checking against the E820 map.
AK: make e820 on x86-64 not initdata
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andi Kleen <ak@suse.de>
Acked-by: Mark Langsdorf <mark.langsdorf@amd.com>
These are all the remaining instances of get_property. Simple rename of
get_property to of_get_property.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Fix a call to __free_page where __free_pages(, 2) was meant, and do proper
error path handling. Also remove a redundant conditional.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Remove an arch-dependent hunk in favor of #define-ing the respective bits in
asm-<arch>/agp.h (allowing easier overriding in para-virtualized environments).
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Dave Jones <davej@redhat.com>
For some vendor/id pairs the kernel will autoload both the sis-agp and the
amd64_agp modules as the sis-agp module will load for all sis devices.
This collision causes the bug reported in:
http://bugzilla.novell.com/show_bug.cgi?id=248665
As currently sis_probe does its own matching, requesting the whole range
gains nothing. The clean fix seems to me to leave the matching to the core
and advertise only the devices actually supported. This patch does so.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dave Jones <davej@redhat.com>
On G965, I810_PGETBL_CTL is a mmio offset, but we wrongly take it
as pci config space offset in detecting GTT size. This one line patch
fixs this.
Signed-off-by: Wang Zhenyu <zhenyu.z.wang@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
This fixes the following compile failures of agpgart drivers.
These errors were inserted by the recent AGPGART constification patch.
drivers/char/agp/uninorth-agp.c:492: error: expected '{' before 'const'
drivers/char/agp/uninorth-agp.c:517: error: expected '{' before 'const'
drivers/char/agp/uninorth-agp.c: In function 'agp_uninorth_probe':
drivers/char/agp/uninorth-agp.c:634: error: 'u3_agp_driver' undeclared (first use in this function)
drivers/char/agp/uninorth-agp.c:634: error: (Each undeclared identifier is reported only once
drivers/char/agp/uninorth-agp.c:634: error: for each function it appears in.)
drivers/char/agp/uninorth-agp.c:636: error: 'uninorth_agp_driver' undeclared (first use in this function)
Signed-off-by: Ryusuke Konishi <ryusuke@osrg.net>
Signed-off-by: Dave Jones <davej@redhat.com>
Can't really blame davej for mucking this up... static-ify
it while we're at it, which would have prevented this...
Signed-off-by: Kyle McMartin <kyle@parisc-linux.org>
* master.kernel.org:/pub/scm/linux/kernel/git/kyle/parisc-2.6: (78 commits)
[PARISC] Use symbolic last syscall in __NR_Linux_syscalls
[PARISC] Add missing statfs64 and fstatfs64 syscalls
Revert "[PARISC] Optimize TLB flush on SMP systems"
[PARISC] Compat signal fixes for 64-bit parisc
[PARISC] Reorder syscalls to match unistd.h
Revert "[PATCH] make kernel/signal.c:kill_proc_info() static"
[PARISC] fix sys_rt_sigqueueinfo
[PARISC] fix section mismatch warnings in harmony sound driver
[PARISC] do not export get_register/set_register
[PARISC] add ENTRY()/ENDPROC() and simplify assembly of HP/UX emulation code
[PARISC] convert to use CONFIG_64BIT instead of __LP64__
[PARISC] use CONFIG_64BIT instead of __LP64__
[PARISC] add ASM_EXCEPTIONTABLE_ENTRY() macro
[PARISC] more ENTRY(), ENDPROC(), END() conversions
[PARISC] fix ENTRY() and ENDPROC() for 64bit-parisc
[PARISC] Fixes /proc/cpuinfo cache output on B160L
[PARISC] implement standard ENTRY(), END() and ENDPROC()
[PARISC] kill ENTRY_SYS_CPUS
[PARISC] clean up debugging printks in smp.c
[PARISC] factor syscall_restart code out of do_signal
...
Fix conflict in include/linux/sched.h due to kill_proc_info() being made
publicly available to PARISC again.
My previous compat AGP patch broke modular AGPGART.
Test built on;
i386 CONFIG_AGP=y,m
x86_64 CONFIG_AGP=y
ia64 CONFIG_AGP=m
Signed-off-by: Zwane Mwaikambo <zwane@infradead.org>
Cc: Kyle McMartin <kyle@mcmartin.ca>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dave Jones <davej@redhat.com>
