commit c26156b2534c75bb3cdedf76f6ad1340971cf5bd · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

block: hold extra reference to bio in blk_rq_map_user_iov()

If the size passed in is OK but we end up mapping too many segments,
we call the unmap path directly like from IO completion. But from IO
completion we have an extra reference to the bio, so this error case
goes OOPS when it attempts to free and already free bio.

Fix it by getting an extra reference to the bio before calling the
unmap failure case.

Reported-by: Petr Vandrovec <vandrove@vc.cvut.cz>

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>

Jens Axboe 17 years ago c26156b2 98ba4031

1 changed file

expand all

unified split

block

blk-map.c

block/blk-map.c

··· 217 return PTR_ERR(bio); 218 219 if (bio->bi_size != len) { 220 bio_endio(bio, 0); 221 bio_unmap_user(bio); 222 return -EINVAL;

··· 217 return PTR_ERR(bio); 218 219 if (bio->bi_size != len) { 220 + /* 221 + * Grab an extra reference to this bio, as bio_unmap_user() 222 + * expects to be able to drop it twice as it happens on the 223 + * normal IO completion path 224 + */ 225 + bio_get(bio); 226 bio_endio(bio, 0); 227 bio_unmap_user(bio); 228 return -EINVAL;