On Fri, Sep 22, 2017 at 01:18:39AM -0400, Vitaly Mayatskikh wrote: > bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if > IO vector has small consecutive buffers belonging to the same page. > bio_add_pc_page merges them into one, but the page reference is never > dropped. > > Signed-off-by: Vitaly Mayatskikh <v.mayatskih@xxxxxxxxx> > > diff --git a/block/bio.c b/block/bio.c > index b38e962fa83e..10cd3b6bed27 100644 > --- a/block/bio.c > +++ b/block/bio.c > @@ -1383,6 +1383,7 @@ struct bio *bio_map_user_iov(struct request_queue *q, > offset = offset_in_page(uaddr); > for (j = cur_page; j < page_limit; j++) { > unsigned int bytes = PAGE_SIZE - offset; > + unsigned short prev_bi_vcnt = bio->bi_vcnt; > > if (len <= 0) > break; > @@ -1397,6 +1398,13 @@ struct bio *bio_map_user_iov(struct request_queue *q, > bytes) > break; > > + /* > + * check if vector was merged with previous > + * drop page reference if needed > + */ > + if (bio->bi_vcnt == prev_bi_vcnt) > + put_page(pages[j]); > + Except that now you've got double-puts on failure exits ;-/
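Review bot: in the second hunk, the `put_page(pages[j])` that runs when `bio->bi_vcnt == prev_bi_vcnt` drops the reference for a merged page but leaves `pages[j]` in the `pages[]` array, so a failure exit taken later in the same loop (or after it) that unwinds by releasing every entry of `pages[]` will put that page a second time, which is the double put the reply objects to. Suggest making the release visible to the unwind path, e.g. clearing the slot right after the drop:
if (bio->bi_vcnt == prev_bi_vcnt) {
put_page(pages[j]);
pages[j] = NULL;
}
and having the failure path skip NULL entries, so the reference for a merged page is dropped exactly once on both the success and the error paths; the `prev_bi_vcnt` snapshot taken at the top of the iteration in the first hunk is fine as the merge detector, since `bio_add_pc_page()` only leaves `bi_vcnt` unchanged when it merged into the previous vector or failed, and the failed case has already hit `break` before the check.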