[PATCH] block: copy bi_vcnt in __bio_clone_fast

[Jeff Mahoney <jeffm@suse.com>]

Commit 05f1dd53152173 (block: add queue flag for disabling SG merging) uses
bi_vcnt to assign bio->bi_phys_segments if sg merging is disabled. When
using device mapper on top of a blk-mq device (virtio_blk in my test),
we'd end up overflowing the scatterlist in __blk_bios_map_sg.

__bio_clone_fast copies bi_iter and bi_io_vec but not bi_vcnt, so
blk_recount_segments would report bi_phys_segments as 0. Since
rq->nr_phys_segments is 0 as well, the checks to ensure that we don't
exceed the queue's segment limit end up allowing more bios (and segments) to
attach the a request until we finally map it. That also means we
pass the BUG_ON at the beginning of virtio_queue_rq, ultimately causing
memory corruption and a crash.

If we copy bi_vcnt in __bio_clone_fast, the bios and requests properly
report the number of segments and everything works as expected.

Originally reported at http://bugzilla.opensuse.org/show_bug.cgi?id=888259

Reported-by: Stephen Kulow <coolo@suse.com>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---

 block/bio.c |    1 +
 1 file changed, 1 insertion(+)

--- a/block/bio.c
+++ b/block/bio.c
@@ -564,6 +564,7 @@ void __bio_clone_fast(struct bio *bio, s
 	bio->bi_rw = bio_src->bi_rw;
 	bio->bi_iter = bio_src->bi_iter;
 	bio->bi_io_vec = bio_src->bi_io_vec;
+	bio->bi_vcnt = bio_src->bi_vcnt;
 }
 EXPORT_SYMBOL(__bio_clone_fast);
 

-- 
Jeff Mahoney
SUSE Labs