If blk_rq_map_user requires more than one bio, and fails mapping
somewhere after the first bio, it will return with rq->bio set to
non-NULL, but it will have already unmapped the partial bio. The
"out:" error exit section will see the non-null bio and try to unmap
it again, triggering a mapcount bug via bad_page().
Signed-off-by: Pete Wyckoff <[EMAIL PROTECTED]>
---
block/bsg.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/block/bsg.c b/block/bsg.c
index 3337125..bba7154 100644
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -295,8 +295,10 @@ bsg_map_hdr(struct bsg_device *bd, struct sg_io_v4 *hdr)
dxferp = (void*)(unsigned long)hdr->din_xferp;
ret = blk_rq_map_user(q, next_rq, dxferp, hdr->din_xfer_len);
- if (ret)
+ if (ret) {
+ next_rq->bio = NULL; /* do not unmap twice */
goto out;
+ }
}
if (hdr->dout_xfer_len) {
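Review bot: the `next_rq->bio = NULL` assignment in the new `if (ret)` branch works around the stale pointer in this one caller only. According to the commit message, it is blk_rq_map_user that returns with rq->bio still pointing at a bio it has already unmapped. Consider clearing rq->bio in blk_rq_map_user's own failure path, so that any caller which unmaps rq->bio on error is covered rather than only bsg_map_hdr. If the fix stays in this function, the comment should say why the pointer is stale (blk_rq_map_user has already unmapped the partial bio on failure) instead of only "do not unmap twice", so a later reader does not mistake the assignment for a leak.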
--
1.5.3.8