When block layer fails to map iov, it calls bio_unmap_user to undo

mapping. Which is good if pages were mapped - but if they were provided by someone else and just copied then bad things happen - pages are released once here, and once by caller, leading to user triggerable BUG at include/linux/mm.h:246. Signed-off-by: Petr Vandrovec <petr@vandrovec.name> Signed-off-by: Jens Axboe <jens.axboe@oracle.com>

When block layer fails to map iov, it calls bio_unmap_user to undo
mapping. Which is good if pages were mapped - but if they were provided by someone else and just copied then bad things happen - pages are released once here, and once by caller, leading to user triggerable BUG at include/linux/mm.h:246. Signed-off-by: Petr Vandrovec <petr@vandrovec.name> Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
53cc0b29 · Petr Vandrovec · Jens Axboe · f6f7b52e · 53cc0b29
Commit 53cc0b29 authored Nov 19, 2008 by Petr Vandrovec Committed by Jens Axboe Dec 03, 2008
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

block/blk-map.c block/blk-map.c +1 -1

No files found.
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -224,7 +224,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
 		 */
 		bio_get(bio);
 		bio_endio(bio, 0);
-		bio_unmap_user(bio);
+		__blk_rq_unmap_user(bio);
 		return -EINVAL;
 	}