On Tue, Nov 17, 2020 at 02:07:01PM +0000, Satya Tangirala wrote:
> @@ -275,11 +331,24 @@ static struct bio *blk_bio_segment_split(struct request_queue *q,
> bvprvp = &bvprv;
> }
>
> + /*
> + * The input bio's number of sectors is assumed to be aligned to
> + * bio_sectors_alignment. If that's the case, then this function should
> + * ensure that aligned_segs == nsegs and aligned_sectors == sectors if
> + * the bio is not going to be split.
> + */
> + WARN_ON(aligned_segs != nsegs || aligned_sectors != sectors);
> *segs = nsegs;
> return NULL;
> split:
> - *segs = nsegs;
> - return bio_split(bio, sectors, GFP_NOIO, bs);
> + *segs = aligned_segs;
> + if (WARN_ON(aligned_sectors == 0))
> + goto err;
> + return bio_split(bio, aligned_sectors, GFP_NOIO, bs);
> +err:
> + bio->bi_status = BLK_STS_IOERR;
> + bio_endio(bio);
> + return bio;
> }
[...]
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index 55bcee5dc032..de5c97ab8e5a 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -2161,6 +2161,9 @@ blk_qc_t blk_mq_submit_bio(struct bio *bio)
> blk_queue_bounce(q, &bio);
> __blk_queue_split(&bio, &nr_segs);
>
> + if (bio->bi_status != BLK_STS_OK)
> + goto queue_exit;
> +
Note that as soon as bio_endio() is called, the bio may be freed. So accessing the bio after that is not correct. - Eric