some bugs in kiobufs in 2.3.48, one of them thanks to me.
1. in get_page_map() in mm/memory.c,
struct page * get_page_map(struct page *page, unsigned long vaddr)
{
if (MAP_NR(vaddr) >= max_mapnr)
return 0;
if (page == ZERO_PAGE(vaddr))
return 0;
if (PageReserved(page))
return 0;
return page;
}
it used to be MAP_NR(page) earlier which was of course wrong. but
vaddr can come from userspace (read/write a raw device), and MAP_NR() on it
is inappropriate. this test fails and we return 0 for any raw device i/o.
2. map_user_kiobuf() which calls the above gets a 0 and ..
...
map = get_page_map(map, ptr);
if (map) {
if (TryLockPage(map)) {
goto retry;
}
atomic_inc(&map->count);
}
spin_unlock(&mm->page_table_lock);
iobuf->maplist[i] = map;
iobuf->nr_pages = ++i;
...
the NULL page is entered into iobuf->maplist[]
eventually brw_kiovec() calls set_bh_page() which chokes on the NULL.
I'm not quite sure what should be fixed. stephen ?
ganesh
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Mar 07 2000 - 21:00:09 EST