[Devel] [PATCH RH7] bcache: fix NULL pointer deref in blk_add_request_payload

Evgenii Shatokhin eshatokhin at virtuozzo.com
Fri Oct 9 17:58:40 MSK 2020


From: Lars Ellenberg <lars at linbit.com>

[https://lkml.org/lkml/2014/2/19/264]

bch_generic_make_request_hack() tries to be smart,
and fake a bi_max_bvecs = bi_vcnt.

If those bios have been REQ_DISCARD, and get submitted to a driver
(md raid) that uses bio_clone, the clone will end up with bi_io_vec == NULL,
passed down the stack, end up in sd_prep_fn and blk_add_request_payload,
which then tries to use bio->bi_io_vec->page.

Fix: try to be even smarter in bch_generic_make_request_hack(),
and always pretend to have at least bi_max_vecs of 1,
unless the incoming bio was already created without a single bvec.

Signed-off-by: Lars Ellenberg <lars at linbit.com>

https://jira.sw.ru/browse/PSBM-121142

The fix did not make it into the mainline or stable kernels, but it was not
rejected either, just forgotten.

The problem was fixed in kernel 3.14 by commit
e90abc8ec323 "block: Remove bi_idx hacks" and its prerequisites, which are
rather invasive.

Signed-off-by: Evgenii Shatokhin <eshatokhin at virtuozzo.com>
---
 drivers/md/bcache/io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/bcache/io.c b/drivers/md/bcache/io.c
index d285cd49104c..4482c0982e8f 100644
--- a/drivers/md/bcache/io.c
+++ b/drivers/md/bcache/io.c
@@ -45,7 +45,7 @@ static void bch_generic_make_request_hack(struct bio *bio)
 	 *
 	 * To be taken out once immutable bvec stuff is in.
 	 */
-	bio->bi_max_vecs = bio->bi_vcnt;
+	bio->bi_max_vecs = bio->bi_vcnt ?: (bio->bi_io_vec ? 1 : 0);
 
 	generic_make_request(bio);
 }
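Review bot: the new `?:` expression on the `bi_max_vecs` line is terse enough that the block comment above it should say why a bio with `bi_vcnt == 0` is now reported as having one vec: the commit message explains that a REQ_DISCARD bio can carry a bvec array with no entries in use, and that reporting `bi_max_vecs = 0` makes `bio_clone()` produce a clone with `bi_io_vec == NULL`, which `blk_add_request_payload` then dereferences. Also worth stating there is the invariant this relies on, namely that a non-NULL `bi_io_vec` is always backed by at least one allocated `struct bio_vec`, since that is what justifies the literal `1`. A line such as "Discard bios have bi_vcnt == 0 but still own one bvec; report it so bio_clone() keeps bi_io_vec." above the assignment would make the intent clear to whoever removes this hack once immutable bvecs land.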
-- 
2.27.0
