From: Mike Christie
Subject: Re: [PATCH] st: don't doublefree pages from scatterlist
Date: Fri, 03 Feb 2006 14:38:11 -0600
Message-ID: <43E3BF33.6050705@cs.wisc.edu>
References: <20060104172727.GA320@tau.solarneutrino.net> <20060105201249.GB1795@tau.solarneutrino.net> <20060109033149.GC283@tau.solarneutrino.net> <20060109185350.GG283@tau.solarneutrino.net> <20060118001252.GB821@tau.solarneutrino.net>
To: Hugh Dickins
Cc: Kai Makisara, James Bottomley, Andrew Morton, linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org
List-Id: linux-scsi@vger.kernel.org

Hugh Dickins wrote:
> On some architectures, mapping the scatterlist may coalesce entries:
> if that coalesced list is then used for freeing the pages afterwards,
> there's a danger that pages may be doubly freed (and others leaked).
>
> Fix SCSI Tape's sgl_unmap_user_pages by freeing from the pagelist used
> in sgl_map_user_pages. Fixes Ryan Richter's crash on x86_64, with Bad
> page state mapcount 2 from sgl_unmap_user_pages, and consequent mayhem.
>

Is this crash occurring with 2.6.16-rc1? I ask because in that kernel the
scatterlist passed into scsi_execute_async

    if (scsi_execute_async(STp->device, cmd, direction,
                           &((STp->buffer)->sg[0]), bytes,

is not the same one that gets sent down to the device/HBA.
scsi_execute_async takes the scatterlist passed to it from st or sg, uses
it as a hint to build a request + bios, then later when the request is
sent to the device a new scatterlist is sent to the device and the device
does the pci/dma operation on that scatterlist from the block/scsi layer.
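The failure mode Hugh's patch description refers to, as an added user-space model that is not the kernel's st.c code: the page refcount table, the scatterlist, and in particular the way coalescing rewrites the list in place (leaving stale copies in the tail slots) are all constructed assumptions here, chosen only to show why releasing pages from the post-mapping scatterlist can double-free some pages and leak others, while releasing from the page list recorded at map time does not.

```c
/* Constructed model, not kernel code: a "page" is an index into this table,
 * which stands in for the reference count of a struct page. */
#define NPAGES 5
static int refcount[NPAGES];
/* Scatterlist entry: first page covered and how many pages (1 before coalescing). */
struct sg_entry { int page; int npages; };

/* Model of sgl_map_user_pages(): take a reference on each page, remember it in
 * pagelist, and build a one-page-per-entry scatterlist. */
static void map_user_pages(const int *user_pages, int *pagelist, struct sg_entry *sgl, int n)
{
    for (int i = 0; i < n; i++) {
        refcount[user_pages[i]]++;            /* get_user_pages() reference */
        pagelist[i] = user_pages[i];
        sgl[i].page = user_pages[i];
        sgl[i].npages = 1;
    }
}

/* Model of a DMA mapping that merges adjacent entries in place (assumed behaviour):
 * the list is compacted, and the tail slots keep stale copies of moved entries. */
static int coalesce(struct sg_entry *sgl, int n)
{
    int out = 0;
    for (int i = 1; i < n; i++) {
        if (sgl[i].page == sgl[out].page + sgl[out].npages)
            sgl[out].npages += sgl[i].npages;
        else
            sgl[++out] = sgl[i];
    }
    return out + 1;
}

/* Buggy unmap: drops one reference per original scatterlist slot. */
static void unmap_from_sgl(const struct sg_entry *sgl, int n)
{ for (int i = 0; i < n; i++) refcount[sgl[i].page]--; }

/* Fixed unmap: drops exactly the references taken at map time. */
static void unmap_from_pagelist(const int *pagelist, int n)
{ for (int i = 0; i < n; i++) refcount[pagelist[i]]--; }

/* Returns 1 if every page ends with refcount 0 (no leak, no double free). */
static int run(int use_pagelist)
{
    static const int user_pages[] = { 0, 1, 3, 4 };   /* constructed: hole at page 2 */
    int n = sizeof user_pages / sizeof user_pages[0], pagelist[NPAGES];
    struct sg_entry sgl[NPAGES];
    for (int i = 0; i < NPAGES; i++) refcount[i] = 0;
    map_user_pages(user_pages, pagelist, sgl, n);
    coalesce(sgl, n);                                  /* DMA mapping rewrites the list */
    if (use_pagelist) unmap_from_pagelist(pagelist, n); else unmap_from_sgl(sgl, n);
    for (int i = 0; i < NPAGES; i++)
        if (refcount[i] != 0) return 0;                /* >0 leaked, <0 freed twice */
    return 1;
}
```

With the page set {0, 1, 3, 4} the coalesced list becomes {0,2},{3,2} with stale {3,1},{4,1} left in slots 2 and 3, so run(0) frees page 3 twice and leaks page 1, while run(1) releases exactly the four pages that were pinned.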