From: Michael S. Tsirkin Date: Mon, 26 Sep 2005 16:42:09 +0000 (-0700) Subject: [IB] mthca: Fix off by one bug in mthca_map_cmd X-Git-Tag: firefly_0821_release~40966^2~3 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=44dd823b00fa64bf01e53557d28555011f122a88;p=firefly-linux-kernel-4.4.55.git [IB] mthca: Fix off by one bug in mthca_map_cmd The loop in mthca_map_cmd() would fill one entry past the end of the mailbox buffer before calling the firmware command. Signed-off-by: Michael S. Tsirkin Signed-off-by: Roland Dreier --- diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c index cc758a2d2bc6..f6a8ac026557 100644 --- a/drivers/infiniband/hw/mthca/mthca_cmd.c +++ b/drivers/infiniband/hw/mthca/mthca_cmd.c @@ -605,7 +605,7 @@ static int mthca_map_cmd(struct mthca_dev *dev, u16 op, struct mthca_icm *icm, err = -EINVAL; goto out; } - for (i = 0; i < mthca_icm_size(&iter) / (1 << lg); ++i, ++nent) { + for (i = 0; i < mthca_icm_size(&iter) / (1 << lg); ++i) { if (virt != -1) { pages[nent * 2] = cpu_to_be64(virt); virt += 1 << lg; @@ -616,7 +616,7 @@ static int mthca_map_cmd(struct mthca_dev *dev, u16 op, struct mthca_icm *icm, ts += 1 << (lg - 10); ++tc; - if (nent == MTHCA_MAILBOX_SIZE / 16) { + if (++nent == MTHCA_MAILBOX_SIZE / 16) { err = mthca_cmd(dev, mailbox->dma, nent, 0, op, CMD_TIME_CLASS_B, status); if (err || *status)