From: David Gibson <da...@gibson.dropbear.id.au> Elements in qemu SGLists can cross IOMMU page boundaries. So, in commit 39c138c8420f51a7da7b35233a8d7400a0b589ac "usb: Fix usb_packet_map() in the presence of IOMMUs", I changed usb_packet_map() to split up each SGList element on IOMMU page boundaries and each resulting piece of qemu's memory space separately to the iovec the usb code uses internally.
That was correct in concept, but the patch has a bug. The 'base' variable correctly steps through the dma address of each piece, but then we call the dma_memory_map() function on the base address of the whole SGList element every time. This patch fixes at least one problem using XHCI on the pseries guest machine. It didn't affect OHCI because that doesn't use usb_packet_map(). In theory it also affects EHCI, but we haven't observed that in practice. I think the transfers were small enough on EHCI that they never crossed an IOMMU page boundary in practice. Signed-off-by: David Gibson <da...@gibson.dropbear.id.au> Signed-off-by: Gerd Hoffmann <kra...@redhat.com> --- hw/usb/libhw.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/hw/usb/libhw.c b/hw/usb/libhw.c index 703e2d2..24d3cad 100644 --- a/hw/usb/libhw.c +++ b/hw/usb/libhw.c @@ -37,7 +37,7 @@ int usb_packet_map(USBPacket *p, QEMUSGList *sgl) while (len) { dma_addr_t xlen = len; - mem = dma_memory_map(sgl->dma, sgl->sg[i].base, &xlen, dir); + mem = dma_memory_map(sgl->dma, base, &xlen, dir); if (!mem) { goto err; } -- 1.7.1