From: Kurt Garloff <garloff@suse.de>

When using bounce buffers for SG_IO commands with unaligned buffers in
blk_rq_map_user(), we should free the pages from blk_rq_unmap_user() which
calls bio_uncopy_user() for the non-BIO_USER_MAPPED case.  That function
failed to free the pages for write requests.

So we leaked pages and you machine would go OOM.  Rebooting helped ;-)

This bug was triggered by writing audio CDs (but not on data CDs), as the
audio frames are not aligned well (2352 bytes), so the user pages don't
just get mapped.

Bug was reported by Mathias Homan and debugged by Chris Mason + me.  (Jens
is away.)

Signed-off-by: Kurt Garloff <garloff@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 25-akpm/fs/bio.c |   19 ++++++++-----------
 1 files changed, 8 insertions(+), 11 deletions(-)

diff -puN fs/bio.c~bio_uncopy_user-mem-leak fs/bio.c
--- 25/fs/bio.c~bio_uncopy_user-mem-leak	Tue Aug 17 15:46:53 2004
+++ 25-akpm/fs/bio.c	Tue Aug 17 15:46:53 2004
@@ -388,20 +388,17 @@ int bio_uncopy_user(struct bio *bio)
 	struct bio_vec *bvec;
 	int i, ret = 0;
 
-	if (bio_data_dir(bio) == READ) {
-		char *uaddr = bio->bi_private;
+	char *uaddr = bio->bi_private;
 
-		__bio_for_each_segment(bvec, bio, i, 0) {
-			char *addr = page_address(bvec->bv_page);
+	__bio_for_each_segment(bvec, bio, i, 0) {
+		char *addr = page_address(bvec->bv_page);
+		if (bio_data_dir(bio) == READ && !ret &&
+		    copy_to_user(uaddr, addr, bvec->bv_len))
+			ret = -EFAULT;
 
-			if (!ret && copy_to_user(uaddr, addr, bvec->bv_len))
-				ret = -EFAULT;
-
-			__free_page(bvec->bv_page);
-			uaddr += bvec->bv_len;
-		}
+		__free_page(bvec->bv_page);
+		uaddr += bvec->bv_len;
 	}
-
 	bio_put(bio);
 	return ret;
 }
_