scsifront: fix address arithmetic Incrementing the result of page_to_phys() is not the same as invoking it on the incremented page pointer. Signed-off-by: Jan Beulich --- a/drivers/xen/scsifront/scsifront.c +++ b/drivers/xen/scsifront/scsifront.c @@ -247,7 +247,6 @@ static int map_data_for_request(struct v int err, i, ref, ref_cnt = 0; int write = (sc->sc_data_direction == DMA_TO_DEVICE); int nr_pages, off, len, bytes; - unsigned long buffer_pfn; unsigned int data_len = 0; if (sc->sc_data_direction == DMA_NONE || !sc->request_bufflen) @@ -276,8 +275,6 @@ static int map_data_for_request(struct v len = sg[i].length; data_len += len; - buffer_pfn = page_to_phys(page) >> PAGE_SHIFT; - while (len > 0) { bytes = min_t(unsigned int, len, PAGE_SIZE - off); @@ -285,14 +282,14 @@ static int map_data_for_request(struct v BUG_ON(ref == -ENOSPC); gnttab_grant_foreign_access_ref(ref, info->dev->otherend_id, - buffer_pfn, write); + page_to_phys(page) >> PAGE_SHIFT, write); info->shadow[id].gref[ref_cnt] = ref; ring_req->seg[ref_cnt].gref = ref; ring_req->seg[ref_cnt].offset = (uint16_t)off; ring_req->seg[ref_cnt].length = (uint16_t)bytes; - buffer_pfn++; + page++; len -= bytes; off = 0; ref_cnt++; @@ -312,8 +309,6 @@ static int map_data_for_request(struct v goto big_to_sg; } - buffer_pfn = page_to_phys(page) >> PAGE_SHIFT; - off = offset_in_page((unsigned long)sc->request_buffer); for (i = 0; i < nr_pages; i++) { bytes = PAGE_SIZE - off; @@ -325,14 +320,14 @@ static int map_data_for_request(struct v BUG_ON(ref == -ENOSPC); gnttab_grant_foreign_access_ref(ref, info->dev->otherend_id, - buffer_pfn, write); + page_to_phys(page) >> PAGE_SHIFT, write); info->shadow[id].gref[i] = ref; ring_req->seg[i].gref = ref; ring_req->seg[i].offset = (uint16_t)off; ring_req->seg[i].length = (uint16_t)bytes; - buffer_pfn++; + page++; len -= bytes; off = 0; ref_cnt++;