Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1d1dc5e8 authored by Stefan Richter's avatar Stefan Richter
Browse files

firewire: fw-ohci: fix IOMMU resource exhaustion 

There is a DMA map/ unmap imbalance whenever a block write request
packet is sent and then dequeued with ohci_cancel_packet.  The latter
may happen frequently if the AR resp tasklet is executed before the AT
req tasklet for the same transaction.

Add the missing dma_unmap_single.  This fixes
https://bugzilla.redhat.com/show_bug.cgi?id=475156



Reported-by: Emmanuel Kowalski
Tested-by: Emmanuel Kowalski
Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
parent ec9a13cd

drivers/firewire/fw-ohci.c

+7 −4
Original line number Diff line number Diff line
@@ -974,6 +974,7 @@ at_context_queue_packet(struct context *ctx, struct fw_packet *packet) 
			packet->ack = RCODE_SEND_ERROR;

			return -1;

		}

		packet->payload_bus = payload_bus;



		d[2].req_count    = cpu_to_le16(packet->payload_length);

		d[2].data_address = cpu_to_le32(payload_bus);
@@ -1025,7 +1026,6 @@ static int handle_at_packet(struct context *context, 
	struct driver_data *driver_data;

	struct fw_packet *packet;

	struct fw_ohci *ohci = context->ohci;

	dma_addr_t payload_bus;

	int evt;



	if (last->transfer_status == 0)
@@ -1038,9 +1038,8 @@ static int handle_at_packet(struct context *context, 
		/* This packet was cancelled, just continue. */

		return 1;



	payload_bus = le32_to_cpu(last->data_address);

	if (payload_bus != 0)

		dma_unmap_single(ohci->card.device, payload_bus,

	if (packet->payload_bus)

		dma_unmap_single(ohci->card.device, packet->payload_bus,

				 packet->payload_length, DMA_TO_DEVICE);



	evt = le16_to_cpu(last->transfer_status) & 0x1f;
@@ -1697,6 +1696,10 @@ static int ohci_cancel_packet(struct fw_card *card, struct fw_packet *packet) 
	if (packet->ack != 0)

		goto out;



	if (packet->payload_bus)

		dma_unmap_single(ohci->card.device, packet->payload_bus,

				 packet->payload_length, DMA_TO_DEVICE);



	log_ar_at_event('T', packet->speed, packet->header, 0x20);

	driver_data->packet = NULL;

	packet->ack = RCODE_CANCELLED;

drivers/firewire/fw-transaction.c

+3 −0
Original line number Diff line number Diff line
@@ -207,6 +207,7 @@ fw_fill_request(struct fw_packet *packet, int tcode, int tlabel, 
	packet->speed = speed;

	packet->generation = generation;

	packet->ack = 0;

	packet->payload_bus = 0;

}



/**
@@ -581,6 +582,8 @@ fw_fill_response(struct fw_packet *response, u32 *request_header, 
		BUG();

		return;

	}



	response->payload_bus = 0;

}

EXPORT_SYMBOL(fw_fill_response);

drivers/firewire/fw-transaction.h

+2 −0
Original line number Diff line number Diff line
@@ -27,6 +27,7 @@ 
#include <linux/list.h>

#include <linux/spinlock_types.h>

#include <linux/timer.h>

#include <linux/types.h>

#include <linux/workqueue.h>



#define TCODE_IS_READ_REQUEST(tcode)	(((tcode) & ~1) == 4)
@@ -153,6 +154,7 @@ struct fw_packet { 
	size_t header_length;

	void *payload;

	size_t payload_length;

	dma_addr_t payload_bus;

	u32 timestamp;



	/*