1 From 6866bef40d06f7c2baac3a855b1917a8ca75456c Mon Sep 17 00:00:00 2001
2 From: Jens Axboe <jens.axboe@oracle.com>
3 Date: Tue, 16 Oct 2007 10:01:29 +0200
4 Subject: [PATCH] splice: fix double kunmap() in vmsplice copy path
5 Message-ID: <20071017065521.GA5041@kernel.dk>
6
7 From: Jens Axboe <jens.axboe@oracle.com>
8
9 patch 6866bef40d06f7c2baac3a855b1917a8ca75456c in mainline.
10
11 The out label should not include the unmap; the only way to jump
12 there has already unmapped the source.
13
14 00002000
15 f7c21a00 00000000 00000000 c0489036 00018e32 00000002 00000000
16 00001000
17 Call Trace:
18 [<c0487dd9>] pipe_to_user+0xca/0xd3
19 [<c0488233>] __splice_from_pipe+0x53/0x1bd
20 [<c0454947>] ------------[ cut here ]------------
21 filemap_fault+0x221/0x380
22 [<c0487d0f>] pipe_to_user+0x0/0xd3
23 [<c0489036>] sys_vmsplice+0x3b7/0x422
24 [<c045ec3f>] kernel BUG at mm/highmem.c:206!
25 handle_mm_fault+0x4d5/0x8eb
26 [<c041ed5b>] kmap_atomic+0x1c/0x20
27 [<c045d33d>] unmap_vmas+0x3d1/0x584
28 [<c045f717>] free_pgtables+0x90/0xa0
29 [<c041d84b>] pgd_dtor+0x0/0x1
30 [<c044d665>] audit_syscall_exit+0x2aa/0x2c6
31 [<c0407817>] do_syscall_trace+0x124/0x169
32 [<c0404df2>] syscall_call+0x7/0xb
33 =======================
34 Code: 2d 00 d0 5b 00 25 00 00 e0 ff 29 invalid opcode: 0000 [#1]
35 c2 89 d0 c1 e8 0c 8b 14 85 a0 6c 7c c0 4a 85 d2 89 14 85 a0 6c 7c c0 74 07
36 31 c9 4a 75 15 eb 04 <0f> 0b eb fe 31 c9 81 3d 78 38 6d c0 78 38 6d c0 0f
37 95 c1 b0 01
38 EIP: [<c045bbc3>] kunmap_high+0x51/0x8e SS:ESP 0068:f5960df0
39 SMP
40 Modules linked in: netconsole autofs4 hidp nfs lockd nfs_acl rfcomm l2cap
41 bluetooth sunrpc ipv6 ib_iser rdma_cm ib_cm iw_cmib_sa ib_mad ib_core
42 ib_addr iscsi_tcp libiscsi scsi_transport_iscsi dm_mirror dm_multipath
43 dm_mod video output sbs batteryac parport_pc lp parport sg i2c_piix4
44 i2c_core floppy cfi_probe gen_probe scb2_flash mtd chipreg tg3 e1000 button
45 ide_cd serio_raw cdrom aic7xxx scsi_transport_spi sd_mod scsi_mod ext3 jbd
46 ehci_hcd ohci_hcd uhci_hcd
47 CPU: 3
48 EIP: 0060:[<c045bbc3>] Not tainted VLI
49 EFLAGS: 00010246 (2.6.23 #1)
50 EIP is at kunmap_high+0x51/0x8e
51
52 Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
53 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
54
55 ---
56 fs/splice.c | 2 +-
57 1 file changed, 1 insertion(+), 1 deletion(-)
58
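--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1390,10 +1390,10 @@ static int pipe_to_user(struct pipe_inod
 if (copy_to_user(sd->u.userptr, src + buf->offset, sd->len))
 ret = -EFAULT;
 
+buf->ops->unmap(pipe, buf, src);
 out:
 if (ret > 0)
 sd->u.userptr += ret;
-buf->ops->unmap(pipe, buf, src);
 return ret;
 }
 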
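Review bot: The invariant that `out:` must only be reached with `src` already unmapped is now load-bearing but is stated nowhere in the code, so a later early-exit added above the label could silently reintroduce the double kunmap; a short comment at the label, such as `out: /* src is already unmapped here: any jump to this label must unmap first */`, would pin it down. The `goto out` path and the start of pipe_to_user lie outside the hunk, so the claim that the only jumper unmaps first rests on the commit description rather than on visible lines. Moving the unmap ahead of the label is the right fix for the trace shown; the suggestion is documentation only.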