From ac9af7cba9e642961bfdee1a1fac6060405597e5 Mon Sep 17 00:00:00 2001 From: Brian King Date: Thu, 18 Aug 2005 07:32:18 +1000 Subject: [PATCH] [PATCH] ppc64: iommu vmerge fix This fixes a bug in the PPC64 iommu vmerge code which results in the potential for iommu_unmap_sg to go off unmapping more than it should. This was found on a test system which resulted in PCI bus errors due to PCI memory being unmapped while DMAs were still in progress. Signed-off-by: Brian King Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Linus Torvalds --- arch/ppc64/kernel/iommu.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/arch/ppc64/kernel/iommu.c b/arch/ppc64/kernel/iommu.c index 8316426ccaf6..845eebd1e28d 100644 --- a/arch/ppc64/kernel/iommu.c +++ b/arch/ppc64/kernel/iommu.c @@ -242,7 +242,7 @@ int iommu_map_sg(struct device *dev, struct iommu_table *tbl, dma_addr_t dma_next = 0, dma_addr; unsigned long flags; struct scatterlist *s, *outs, *segstart; - int outcount; + int outcount, incount; unsigned long handle; BUG_ON(direction == DMA_NONE); @@ -252,6 +252,7 @@ int iommu_map_sg(struct device *dev, struct iommu_table *tbl, outs = s = segstart = &sglist[0]; outcount = 1; + incount = nelems; handle = 0; /* Init first segment length for backout at failure */ @@ -338,10 +339,10 @@ int iommu_map_sg(struct device *dev, struct iommu_table *tbl, DBG("mapped %d elements:\n", outcount); - /* For the sake of iommu_free_sg, we clear out the length in the + /* For the sake of iommu_unmap_sg, we clear out the length in the * next entry of the sglist if we didn't fill the list completely */ - if (outcount < nelems) { + if (outcount < incount) { outs++; outs->dma_address = DMA_ERROR_CODE; outs->dma_length = 0;