On Tue, Feb 12 2008, James Bottomley wrote:
> On Tue, 2008-02-12 at 15:40 -0500, Pete Wyckoff wrote:
> > If blk_rq_map_user requires more than one bio, and fails mapping
> > somewhere after the first bio, it will return with rq->bio set to
> > non-NULL, but it will have already unmapped the partial bio. The
> > "out:" error exit section will see the non-null bio and try to unmap
> > it again, triggering a mapcount bug via bad_page().
> >
> > Signed-off-by: Pete Wyckoff <pw@xxxxxxx>
> > ---
> > block/bsg.c | 4 +++-
> > 1 files changed, 3 insertions(+), 1 deletions(-)
> >
> > diff --git a/block/bsg.c b/block/bsg.c
> > index 3337125..bba7154 100644
> > --- a/block/bsg.c
> > +++ b/block/bsg.c
> > @@ -295,8 +295,10 @@ bsg_map_hdr(struct bsg_device *bd, struct sg_io_v4 *hdr)
> >
> > dxferp = (void*)(unsigned long)hdr->din_xferp;
> > ret = blk_rq_map_user(q, next_rq, dxferp, hdr->din_xfer_len);
> > - if (ret)
> > + if (ret) {
> > + next_rq->bio = NULL; /* do not unmap twice */
>
> Nice ... that's a nasty asymmetry of the blk_rq_map_user API. The map
> takes a request gets a ref and fills in the bio. The unmap has to be
> called on the bio leaving you to clear the now removed bio reference
> manually.
It is nasty, how about fixing that instead?
diff --git a/block/blk-map.c b/block/blk-map.c
index 955d75c..bc5ce60 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -143,6 +143,7 @@ int blk_rq_map_user(struct request_queue *q, struct request *rq,
return 0;
unmap_rq:
blk_rq_unmap_user(bio);
+ rq->bio = NULL;
return ret;
}
EXPORT_SYMBOL(blk_rq_map_user);
--
Jens Axboe
-
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
