Skip to content

Commit

Permalink
block: hold extra reference to bio in blk_rq_map_user_iov()
Browse files Browse the repository at this point in the history 
If the size passed in is OK but we end up mapping too many segments,
we call the unmap path directly like from IO completion. But from IO
completion we have an extra reference to the bio, so this error case
goes OOPS when it attempts to free and already free bio.

Fix it by getting an extra reference to the bio before calling the
unmap failure case.

Reported-by: Petr Vandrovec <vandrove@vc.cvut.cz>

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
  • Loading branch information
Jens Axboe committed Nov 18, 2008
1 parent 98ba403 commit c26156b
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions block/blk-map.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -217,6 +217,12 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
return PTR_ERR(bio);

if (bio->bi_size != len) {
/*
* Grab an extra reference to this bio, as bio_unmap_user()
* expects to be able to drop it twice as it happens on the
* normal IO completion path
*/
bio_get(bio);
bio_endio(bio, 0);
bio_unmap_user(bio);
return -EINVAL;
Expand Down

0 comments on commit c26156b

Please sign in to comment.