[Devel] [PATCH RHEL7 COMMIT] bcache: fix NULL pointer deref in blk_add_request_payload
Vasily Averin
vvs at virtuozzo.com
Mon Oct 12 19:07:47 MSK 2020
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.18.2.vz7.163.36
------>
commit c71f88419bd7eca486997ccc8d4e377240163145
Author: Lars Ellenberg <lars at linbit.com>
Date: Mon Oct 12 19:07:47 2020 +0300
bcache: fix NULL pointer deref in blk_add_request_payload
[https://lkml.org/lkml/2014/2/19/264]
bch_generic_make_request_hack() tries to be smart,
and fake a bi_max_bvecs = bi_vcnt.
If those bios have been REQ_DISCARD, and get submitted to a driver
(md raid) that uses bio_clone, the clone will end up with bi_io_vec == NULL,
passed down the stack, end up in sd_prep_fn and blk_add_request_payload,
which then tries to use bio->bi_io_vec->page.
Fix: try to be even smarter in bch_generic_make_request_hack(),
and always pretend to have at least bi_max_vecs of 1,
unless the incoming bio was already created without a single bvec.
Signed-off-by: Lars Ellenberg <lars at linbit.com>
https://jira.sw.ru/browse/PSBM-121142
The fix did not make it into the mainline or stable kernels but it was not
rejected either, just forgotten.
The problem was fixed in the kernel 3.14 with commit
e90abc8ec323 "block: Remove bi_idx hacks" and its prerequisites, which are
rather invasive.
Signed-off-by: Evgenii Shatokhin <eshatokhin at virtuozzo.com>
---
drivers/md/bcache/io.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/md/bcache/io.c b/drivers/md/bcache/io.c
index d285cd4..4482c09 100644
--- a/drivers/md/bcache/io.c
+++ b/drivers/md/bcache/io.c
@@ -45,7 +45,7 @@ static void bch_generic_make_request_hack(struct bio *bio)
*
* To be taken out once immutable bvec stuff is in.
*/
- bio->bi_max_vecs = bio->bi_vcnt;
+ bio->bi_max_vecs = bio->bi_vcnt ?: (bio->bi_io_vec ? 1 : 0);
generic_make_request(bio);
}
More information about the Devel
mailing list