On Tue, 12 Feb 2008 15:40:24 -0500 Pete Wyckoff <pw@xxxxxxx> wrote: > If blk_rq_map_user requires more than one bio, and fails mapping > somewhere after the first bio, it will return with rq->bio set to > non-NULL, but it will have already unmapped the partial bio. The > "out:" error exit section will see the non-null bio and try to unmap > it again, triggering a mapcount bug via bad_page(). > > Signed-off-by: Pete Wyckoff <pw@xxxxxxx> > --- > block/bsg.c | 4 +++- > 1 files changed, 3 insertions(+), 1 deletions(-) > > diff --git a/block/bsg.c b/block/bsg.c > index 3337125..bba7154 100644 > --- a/block/bsg.c > +++ b/block/bsg.c > @@ -295,8 +295,10 @@ bsg_map_hdr(struct bsg_device *bd, struct sg_io_v4 *hdr) > > dxferp = (void*)(unsigned long)hdr->din_xferp; > ret = blk_rq_map_user(q, next_rq, dxferp, hdr->din_xfer_len); > - if (ret) > + if (ret) { > + next_rq->bio = NULL; /* do not unmap twice */ > goto out; > + } > } > > if (hdr->dout_xfer_len) { Thanks! Acked-by: FUJITA Tomonori <fujita.tomonori@xxxxxxxxxxxxx> James, please put this to the scsi-fixes tree.
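Review bot: The `next_rq->bio = NULL` reset in the `if (ret)` branch of bsg_map_hdr() repairs the stale pointer only at this one call site, while the commit message locates the cause in blk_rq_map_user() itself, which returns an error with rq->bio still pointing at a bio it has already unmapped. Any other caller that unmaps rq->bio on its error path is exposed to the same double unmap, so consider clearing rq->bio inside blk_rq_map_user()'s own failure path and keeping this line only as a stopgap for the fixes tree. The trailing context shows the `if (hdr->dout_xfer_len)` mapping starting right after this block; if that branch also jumps to `out:` on a mapping failure and `out:` unmaps that request's bio, it needs the same handling. The comment `/* do not unmap twice */` would be clearer if it said who did the first unmap, for example that blk_rq_map_user() already unmapped the partial bio on failure.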