From: David Miller <davem@davemloft.net>
Date: Thu, 26 Oct 2006 06:51:07 +0000 (-0700)
Subject: [PATCH] SPARC64: Fix memory corruption in pci_4u_free_consistent().
X-Git-Tag: v2.6.18.2~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=955ebc8df7709dbcb92d7bf74a2598282e1c9307;p=thirdparty%2Fkernel%2Fstable.git

[PATCH] SPARC64: Fix memory corruption in pci_4u_free_consistent().

The second argument to free_npages() was being incorrectly
calculated, which would thus access far past the end of the
arena->map[] bitmap.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

diff --git a/arch/sparc64/kernel/pci_iommu.c b/arch/sparc64/kernel/pci_iommu.c
index 82e5455134c67..2e7f1427088ad 100644
--- a/arch/sparc64/kernel/pci_iommu.c
+++ b/arch/sparc64/kernel/pci_iommu.c
@@ -281,7 +281,7 @@ static void pci_4u_free_consistent(struct pci_dev *pdev, size_t size, void *cpu,
 
 	spin_lock_irqsave(&iommu->lock, flags);
 
-	free_npages(iommu, dvma, npages);
+	free_npages(iommu, dvma - iommu->page_table_map_base, npages);
 
 	spin_unlock_irqrestore(&iommu->lock, flags);