Date: Wed, 10 Dec 2008 00:20:38 +0100 (CET) From: Stefan Richter Subject: firewire: fw-ohci: fix IOMMU resource exhaustion commit 1d1dc5e83f3299c108a4e44d58cc4bfef48c876a upstream. There is a DMA map/ unmap imbalance whenever a block write request packet is sent and then dequeued with ohci_cancel_packet. The latter may happen frequently if the AR resp tasklet is executed before the AT req tasklet for the same transaction. Add the missing dma_unmap_single. This fixes https://bugzilla.redhat.com/show_bug.cgi?id=475156 Reported-by: Emmanuel Kowalski Tested-by: Emmanuel Kowalski Signed-off-by: Stefan Richter --- drivers/firewire/fw-ohci.c | 11 +++++++---- drivers/firewire/fw-transaction.c | 3 +++ drivers/firewire/fw-transaction.h | 2 ++ 3 files changed, 12 insertions(+), 4 deletions(-) Index: linux-2.6.27.9/drivers/firewire/fw-ohci.c =================================================================== --- linux-2.6.27.9.orig/drivers/firewire/fw-ohci.c +++ linux-2.6.27.9/drivers/firewire/fw-ohci.c @@ -958,6 +958,7 @@ at_context_queue_packet(struct context * packet->ack = RCODE_SEND_ERROR; return -1; } + packet->payload_bus = payload_bus; d[2].req_count = cpu_to_le16(packet->payload_length); d[2].data_address = cpu_to_le32(payload_bus); @@ -1009,7 +1010,6 @@ static int handle_at_packet(struct conte struct driver_data *driver_data; struct fw_packet *packet; struct fw_ohci *ohci = context->ohci; - dma_addr_t payload_bus; int evt; if (last->transfer_status == 0) @@ -1022,9 +1022,8 @@ static int handle_at_packet(struct conte /* This packet was cancelled, just continue. */ return 1; - payload_bus = le32_to_cpu(last->data_address); - if (payload_bus != 0) - dma_unmap_single(ohci->card.device, payload_bus, + if (packet->payload_bus) + dma_unmap_single(ohci->card.device, packet->payload_bus, packet->payload_length, DMA_TO_DEVICE); evt = le16_to_cpu(last->transfer_status) & 0x1f; @@ -1681,6 +1680,10 @@ static int ohci_cancel_packet(struct fw_ if (packet->ack != 0) goto out; + if (packet->payload_bus) + dma_unmap_single(ohci->card.device, packet->payload_bus, + packet->payload_length, DMA_TO_DEVICE); + log_ar_at_event('T', packet->speed, packet->header, 0x20); driver_data->packet = NULL; packet->ack = RCODE_CANCELLED; Index: linux-2.6.27.9/drivers/firewire/fw-transaction.c =================================================================== --- linux-2.6.27.9.orig/drivers/firewire/fw-transaction.c +++ linux-2.6.27.9/drivers/firewire/fw-transaction.c @@ -207,6 +207,7 @@ fw_fill_request(struct fw_packet *packet packet->speed = speed; packet->generation = generation; packet->ack = 0; + packet->payload_bus = 0; } /** @@ -541,6 +542,8 @@ fw_fill_response(struct fw_packet *respo BUG(); return; } + + response->payload_bus = 0; } EXPORT_SYMBOL(fw_fill_response); Index: linux-2.6.27.9/drivers/firewire/fw-transaction.h =================================================================== --- linux-2.6.27.9.orig/drivers/firewire/fw-transaction.h +++ linux-2.6.27.9/drivers/firewire/fw-transaction.h @@ -27,6 +27,7 @@ #include #include #include +#include #include #define TCODE_IS_READ_REQUEST(tcode) (((tcode) & ~1) == 4) @@ -153,6 +154,7 @@ struct fw_packet { size_t header_length; void *payload; size_t payload_length; + dma_addr_t payload_bus; u32 timestamp; /*