[RHEL7,COMMIT] bcache: fix NULL pointer deref in blk_add_request_payload

Submitted by Vasily Averin on Oct. 12, 2020, 4:07 p.m.


Message ID 202010121607.09CG7lu3015665@vz7build.vvs.sw.ru
State New
Series "bcache: fix NULL pointer deref in blk_add_request_payload"
Headers show

Commit Message

Vasily Averin Oct. 12, 2020, 4:07 p.m.
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.18.2.vz7.163.36
commit c71f88419bd7eca486997ccc8d4e377240163145
Author: Lars Ellenberg <lars@linbit.com>
Date:   Mon Oct 12 19:07:47 2020 +0300

    bcache: fix NULL pointer deref in blk_add_request_payload
    bch_generic_make_request_hack() tries to be smart,
    and fake a bi_max_bvecs = bi_vcnt.
    If those bios have been REQ_DISCARD, and get submitted to a driver
    (md raid) that uses bio_clone, the clone will end up with bi_io_vec == NULL,
    passed down the stack, end up in sd_prep_fn and blk_add_request_payload,
    which then tries to use bio->bi_io_vec->page.
    Fix: try to be even smarter in bch_generic_make_request_hack(),
    and always pretend to have at least bi_max_vecs of 1,
    unless the incoming bio was already created without a single bvec.
    Signed-off-by: Lars Ellenberg <lars@linbit.com>
    The fix did not make it into the mainline or stable kernels but it was not
    rejected either, just forgotten.
    The problem was fixed in the kernel 3.14 with commit
    e90abc8ec323 "block: Remove bi_idx hacks" and its prerequisites, which are
    rather invasive.
    Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
 drivers/md/bcache/io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/drivers/md/bcache/io.c b/drivers/md/bcache/io.c
index d285cd4..4482c09 100644
--- a/drivers/md/bcache/io.c
+++ b/drivers/md/bcache/io.c
@@ -45,7 +45,7 @@  static void bch_generic_make_request_hack(struct bio *bio)
 	 * To be taken out once immutable bvec stuff is in.
-	bio->bi_max_vecs = bio->bi_vcnt;
+	bio->bi_max_vecs = bio->bi_vcnt ?: (bio->bi_io_vec ? 1 : 0);