[RH7] bcache: fix NULL pointer deref in blk_add_request_payload

Submitted by Evgenii Shatokhin on Oct. 9, 2020, 2:58 p.m.


Message ID 20201009145840.9156-1-eshatokhin@virtuozzo.com
State New
Series "bcache: fix NULL pointer deref in blk_add_request_payload"
Headers show

Commit Message

Evgenii Shatokhin Oct. 9, 2020, 2:58 p.m.
From: Lars Ellenberg <lars@linbit.com>


bch_generic_make_request_hack() tries to be smart,
and fake a bi_max_bvecs = bi_vcnt.

If those bios have been REQ_DISCARD, and get submitted to a driver
(md raid) that uses bio_clone, the clone will end up with bi_io_vec == NULL,
passed down the stack, end up in sd_prep_fn and blk_add_request_payload,
which then tries to use bio->bi_io_vec->page.

Fix: try to be even smarter in bch_generic_make_request_hack(),
and always pretend to have at least bi_max_vecs of 1,
unless the incoming bio was already created without a single bvec.

Signed-off-by: Lars Ellenberg <lars@linbit.com>


The fix did not make it into the mainline or stable kernels but it was not
rejected either, just forgotten.

The problem was fixed in the kernel 3.14 with commit
e90abc8ec323 "block: Remove bi_idx hacks" and its prerequisites, which are
rather invasive.

Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
 drivers/md/bcache/io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/drivers/md/bcache/io.c b/drivers/md/bcache/io.c
index d285cd49104c..4482c0982e8f 100644
--- a/drivers/md/bcache/io.c
+++ b/drivers/md/bcache/io.c
@@ -45,7 +45,7 @@  static void bch_generic_make_request_hack(struct bio *bio)
 	 * To be taken out once immutable bvec stuff is in.
-	bio->bi_max_vecs = bio->bi_vcnt;
+	bio->bi_max_vecs = bio->bi_vcnt ?: (bio->bi_io_vec ? 1 : 0);