from article linked to by URL and taken from lkml--- From: Kurt Garloff [email blocked] To: Andrew Morton [email blocked] Subject: [PATCH] bio_uncopy_user mem leak Date: Tue, 17 Aug 2004 17:59:18 +0200 Hi Andrew, When using bounce buffers for SG_IO commands with unaligned buffers in blk_rq_map_user(), we should free the pages from blk_rq_unmap_user() which calls bio_uncopy_user() for the non-BIO_USER_MAPPED case. That function failed to free the pages for write requests. So we leaked pages and you machine would go OOM. Rebooting helped ;-) This bug was triggered by writing audio CDs (but not on data CDs), as the audio frames are not aligned well (2352 bytes), so the user pages don't just get mapped. Bug was reported by Mathias Homan and debugged by Chris Mason + me. (Jens is away.) Signed-off-by: Kurt Garloff [email blocked] bio.c | 21 +++++++++------------ 1 files changed, 9 insertions(+), 12 deletions(-) --- linux-2.6.8.x86/fs/bio.c.orig 2004-08-14 07:37:15.000000000 +0200 +++ linux-2.6.8.x86/fs/bio.c 2004-08-17 17:41:52.022012902 +0200 @@ -388,20 +388,17 @@ int bio_uncopy_user(struct bio *bio) struct bio_vec *bvec; int i, ret = 0; - if (bio_data_dir(bio) == READ) { - char *uaddr = bio->bi_private; - - __bio_for_each_segment(bvec, bio, i, 0) { - char *addr = page_address(bvec->bv_page); - - if (!ret && copy_to_user(uaddr, addr, bvec->bv_len)) - ret = -EFAULT; + char *uaddr = bio->bi_private; + + __bio_for_each_segment(bvec, bio, i, 0) { + char *addr = page_address(bvec->bv_page); + if (bio_data_dir(bio) == READ && !ret && + copy_to_user(uaddr, addr, bvec->bv_len)) + ret = -EFAULT; - __free_page(bvec->bv_page); - uaddr += bvec->bv_len; - } + __free_page(bvec->bv_page); + uaddr += bvec->bv_len; } - bio_put(bio); return ret; } -- Kurt Garloff, Director SUSE Labs, Novell 
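Review bot: the hunk also drops the trailing `bio_put(bio);` from bio_uncopy_user(), which the changelog does not mention; after this change bio_uncopy_user() no longer releases the bio itself, so either its caller (blk_rq_unmap_user() for the non-BIO_USER_MAPPED case, per the description) must now put it, or the bio structure leaks in place of the pages. Either state that in the changelog or leave the call in place. The rest of the hunk reads right: `__free_page(bvec->bv_page);` and the `uaddr += bvec->bv_len;` advance are now unconditional for both directions, copy_to_user() is still gated on `bio_data_dir(bio) == READ`, and `!ret` short-circuits further copies after an -EFAULT while every page is still freed.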
From: Andrew Morton [email blocked]
Subject: Re: [PATCH] bio_uncopy_user mem leak
Date: Tue, 17 Aug 2004 15:50:04 -0700

Kurt Garloff [email blocked] wrote:
>
> When using bounce buffers for SG_IO commands with unaligned
> buffers in blk_rq_map_user(), we should free the pages from
> blk_rq_unmap_user() which calls bio_uncopy_user() for the
> non-BIO_USER_MAPPED case. That function failed to free the
> pages for write requests.
>
> So we leaked pages and your machine would go OOM. Rebooting
> helped ;-)

Eureka. Thanks. This really should trigger a 2.6.8.2. We'll see.

---end of quote

This really should get included in the genpatches.

Reproducible: Always

Steps to Reproduce:
1. Burn an audio CD while running a 2.6.8 kernel.

Actual Results:
All memory will be eaten up and the CD will be a coaster; the system will hang and will require a reboot.

Expected Results:
The audio CD is burnt correctly and without ill effect.
Links to related ck patches:
http://ck.kolivas.org/patches/2.6/2.6.8.1/2.6.8.1-ck3/split-out/bio_uncopy_user-mem-leak.patch
http://ck.kolivas.org/patches/2.6/2.6.8.1/2.6.8.1-ck3/split-out/bio_uncopy_user2.diff

Links to related mm patches:
http://kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.8.1/2.6.8.1-mm3/broken-out/bio_uncopy_user-mem-leak.patch
http://kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.8.1/2.6.8.1-mm3/broken-out/bio_uncopy_user-mem-leak-fix.patch

As you can see, two patches are required now. The first patch fixed the memory leak, but the audio CD would still be corrupt. I believe the second patch corrects this, but I have not tested it yet. I will update this once I have tested it.
This bug is completely fixed after patching the kernel with both patches.
*** Bug 61089 has been marked as a duplicate of this bug. ***
Will be forwarding patches to be applied into gentoo-dev-sources shortly.
*** Bug 61633 has been marked as a duplicate of this bug. ***
Included in gentoo-dev-sources-2.6.8-r3 thanks to Greg KH.