[IB] mthca: Fix off by one bug in mthca_map_cmd

The loop in mthca_map_cmd() would fill one entry past the end of the
mailbox buffer before calling the firmware command.

Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c
index cc758a2d2bc6cad452f73b644ada7246ea2441bc..f6a8ac026557db5639d446bf1188cf9d73b22739 100644 (file)
--- a/drivers/infiniband/hw/mthca/mthca_cmd.c
+++ b/drivers/infiniband/hw/mthca/mthca_cmd.c
@@ -605,7 +605,7 @@ static int mthca_map_cmd(struct mthca_dev *dev, u16 op, struct mthca_icm *icm,
                        err = -EINVAL;
                        goto out;
                }
-               for (i = 0; i < mthca_icm_size(&iter) / (1 << lg); ++i, ++nent) {
+               for (i = 0; i < mthca_icm_size(&iter) / (1 << lg); ++i) {
                        if (virt != -1) {
                                pages[nent * 2] = cpu_to_be64(virt);
                                virt += 1 << lg;
@@ -616,7 +616,7 @@ static int mthca_map_cmd(struct mthca_dev *dev, u16 op, struct mthca_icm *icm,
                        ts += 1 << (lg - 10);
                        ++tc;
 
-                       if (nent == MTHCA_MAILBOX_SIZE / 16) {
+                       if (++nent == MTHCA_MAILBOX_SIZE / 16) {
                                err = mthca_cmd(dev, mailbox->dma, nent, 0, op,
                                                CMD_TIME_CLASS_B, status);
                                if (err || *status)