From c26156b2534c75bb3cdedf76f6ad1340971cf5bd Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Tue, 18 Nov 2008 15:07:05 +0100 Subject: block: hold extra reference to bio in blk_rq_map_user_iov() If the size passed in is OK but we end up mapping too many segments, we call the unmap path directly like from IO completion. But from IO completion we have an extra reference to the bio, so this error case goes OOPS when it attempts to free and already free bio. Fix it by getting an extra reference to the bio before calling the unmap failure case. Reported-by: Petr Vandrovec Signed-off-by: Jens Axboe --- block/blk-map.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'block/blk-map.c') diff --git a/block/blk-map.c b/block/blk-map.c index 4849fa3..0f4b4b8 100644 --- a/block/blk-map.c +++ b/block/blk-map.c @@ -217,6 +217,12 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, return PTR_ERR(bio); if (bio->bi_size != len) { + /* + * Grab an extra reference to this bio, as bio_unmap_user() + * expects to be able to drop it twice as it happens on the + * normal IO completion path + */ + bio_get(bio); bio_endio(bio, 0); bio_unmap_user(bio); return -EINVAL; -- cgit v1.1 From 53cc0b2948bcb8a084982e6c1f9bd7b337e0df38 Mon Sep 17 00:00:00 2001 From: Petr Vandrovec Date: Wed, 19 Nov 2008 11:12:14 +0100 Subject: When block layer fails to map iov, it calls bio_unmap_user to undo mapping. Which is good if pages were mapped - but if they were provided by someone else and just copied then bad things happen - pages are released once here, and once by caller, leading to user triggerable BUG at include/linux/mm.h:246. Signed-off-by: Petr Vandrovec Signed-off-by: Jens Axboe --- block/blk-map.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'block/blk-map.c') diff --git a/block/blk-map.c b/block/blk-map.c index 0f4b4b8..2990447 100644 --- a/block/blk-map.c +++ b/block/blk-map.c @@ -224,7 +224,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, */ bio_get(bio); bio_endio(bio, 0); - bio_unmap_user(bio); + __blk_rq_unmap_user(bio); return -EINVAL; } -- cgit v1.1