* [patch 0/1] Fix data buffer handling in sg driver
From: Christof Schmitt @ 2009-09-17 7:10 UTC
To: James Bottomley; +Cc: linux-scsi

This fixes a problem in the sg driver that occurs with
CONFIG_DEBUG_PAGEALLOC enabled. It is the same patch as in
http://marc.info/?l=linux-scsi&m=125303366703782&w=2
I only added the acked-by from Fujita and the CC to stable@kernel.org

--
Christof
* [patch 1/1] sg: Free data buffers after calling blk_rq_unmap_user 2009-09-17 7:10 [patch 0/1] Fix data buffer handling in sg driver Christof Schmitt @ 2009-09-17 7:10 ` Christof Schmitt 2009-09-17 8:06 ` Douglas Gilbert 0 siblings, 1 reply; 3+ messages in thread From: Christof Schmitt @ 2009-09-17 7:10 UTC (permalink / raw) To: James Bottomley; +Cc: linux-scsi, FUJITA Tomonori, stable, Christof Schmitt [-- Attachment #1: fix.diff --] [-- Type: text/plain, Size: 1535 bytes --] From: Christof Schmitt <christof.schmitt@de.ibm.com> Running sg_luns on s390x with CONFIG_DEBUG_PAGEALLOC enabled fails with EFAULT from the SG_IO ioctl. The EFAULT is the result from copy_to_user failing in this call chain: sg_ioctl sg_new_read sg_finish_rem_req blk_rq_unmap_user __blk_rq_unmap_user bio_uncopy_user __bio_copy_iov copy_to_user The sg driver calls sg_remove_scat to free the memory pages before calling blk_rq_unmap_user that tries to copy the data back to userspace. Change the order to first call blk_rq_unmap_user before freeing the pages in sg_remove_scat. Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Cc: stable@kernel.org Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com> --- drivers/scsi/sg.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) --- a/drivers/scsi/sg.c 2009-09-15 18:18:11.000000000 +0200 +++ b/drivers/scsi/sg.c 2009-09-15 18:18:45.000000000 +0200 @@ -1708,11 +1708,6 @@ static int sg_finish_rem_req(Sg_request Sg_scatter_hold *req_schp = &srp->data; SCSI_LOG_TIMEOUT(4, printk("sg_finish_rem_req: res_used=%d\n", (int) srp->res_used)); - if (srp->res_used) - sg_unlink_reserve(sfp, srp); - else - sg_remove_scat(req_schp); - if (srp->rq) { if (srp->bio) ret = blk_rq_unmap_user(srp->bio); 
@@ -1720,6 +1715,11 @@ static int sg_finish_rem_req(Sg_request blk_put_request(srp->rq); } + if (srp->res_used) + sg_unlink_reserve(sfp, srp); + else + sg_remove_scat(req_schp); + sg_remove_request(sfp, srp); return ret; ^ permalink raw reply [flat|nested] 3+ messages in thread
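Review bot: The changelog should state what the old ordering does when CONFIG_DEBUG_PAGEALLOC is off, because the block removed in the first hunk (sg_unlink_reserve()/sg_remove_scat() ahead of `if (srp->rq)`) released the data pages before blk_rq_unmap_user() copied from them to userspace. The description covers only the EFAULT seen with the debug option, and since the patch is Cc'd to stable, one sentence on the behaviour without that option would let stable reviewers judge how widely the fix is needed.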
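Review bot: The block re-added after blk_put_request() in the second hunk needs a short comment recording the ordering constraint, because nothing in sg_finish_rem_req() now says why sg_unlink_reserve()/sg_remove_scat() must come after the `if (srp->rq)` block. Something like `/* free only after blk_rq_unmap_user(), which may copy these pages to userspace */` above `if (srp->res_used)` would keep a later cleanup from moving the free back up. The placement outside `if (srp->rq)` looks right, since the buffers are still released when there is no request and `ret` from blk_rq_unmap_user() is preserved.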
* Re: [patch 1/1] sg: Free data buffers after calling blk_rq_unmap_user
From: Douglas Gilbert @ 2009-09-17 8:06 UTC
To: Christof Schmitt; +Cc: James Bottomley, linux-scsi, FUJITA Tomonori, stable

Christof Schmitt wrote:
> From: Christof Schmitt <christof.schmitt@de.ibm.com>
>
> Running sg_luns on s390x with CONFIG_DEBUG_PAGEALLOC enabled fails
> with EFAULT from the SG_IO ioctl. The EFAULT is the result from
> copy_to_user failing in this call chain:
>
> sg_ioctl
> sg_new_read
> sg_finish_rem_req
> blk_rq_unmap_user
> __blk_rq_unmap_user
> bio_uncopy_user
> __bio_copy_iov
> copy_to_user
>
> The sg driver calls sg_remove_scat to free the memory pages before
> calling blk_rq_unmap_user that tries to copy the data back to
> userspace. Change the order to first call blk_rq_unmap_user before
> freeing the pages in sg_remove_scat.
>
> Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
> Cc: stable@kernel.org
> Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>

Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>