Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751617AbdIWQjc (ORCPT ); Sat, 23 Sep 2017 12:39:32 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:50834 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751276AbdIWQja (ORCPT ); Sat, 23 Sep 2017 12:39:30 -0400 Date: Sat, 23 Sep 2017 17:39:28 +0100 From: Al Viro To: Vitaly Mayatskikh Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, Jens Axboe Subject: Re: [PATCH] fix unbalanced page refcounting in bio_map_user_iov Message-ID: <20170923163928.GO32076@ZenIV.linux.org.uk> References: <87bmm3xqds.wl-v.mayatskih@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87bmm3xqds.wl-v.mayatskih@gmail.com> User-Agent: Mutt/1.8.3 (2017-05-23) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1134 Lines: 33 On Fri, Sep 22, 2017 at 01:18:39AM -0400, Vitaly Mayatskikh wrote: > bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if > IO vector has small consecutive buffers belonging to the same page. > bio_add_pc_page merges them into one, but the page reference is never > dropped. > > Signed-off-by: Vitaly Mayatskikh > > diff --git a/block/bio.c b/block/bio.c > index b38e962fa83e..10cd3b6bed27 100644 > --- a/block/bio.c > +++ b/block/bio.c > @@ -1383,6 +1383,7 @@ struct bio *bio_map_user_iov(struct request_queue *q, > offset = offset_in_page(uaddr); > for (j = cur_page; j < page_limit; j++) { > unsigned int bytes = PAGE_SIZE - offset; > + unsigned short prev_bi_vcnt = bio->bi_vcnt; > > if (len <= 0) > break; > @@ -1397,6 +1398,13 @@ struct bio *bio_map_user_iov(struct request_queue *q, > bytes) > break; > > + /* > + * check if vector was merged with previous > + * drop page reference if needed > + */ > + if (bio->bi_vcnt == prev_bi_vcnt) > + put_page(pages[j]); > + Except that now you've got double-puts on failure exits ;-/