Re: [PATCH RESEND 3/3] lib: Fix length calculation in extract_kvec_to_sg

From: Christian A. Ehrhardt

Date: Tue Mar 24 2026 - 15:43:57 EST



Hi Andrew,

On Tue, Mar 24, 2026 at 12:12:24PM -0700, Andrew Morton wrote:
> On Mon, 23 Mar 2026 22:23:50 +0100 "Christian A. Ehrhardt" <lk@xxxxxxx> wrote:
>
> > When extracting from a kvec to a scatterlist, do not
> > cross page boundaries. The required length is already
> > calculated but not used as intended.
> >
> > The previous changes to the kunit_iov_iter.c demonstrate
> > that the patch is necessary.
>
> Thanks.
>
> > Cc: David Howells <dhowells@xxxxxxxxxx>
> > Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> > Cc: stable@xxxxxxxxxxxxxxx # v6.5+
>
> Could we please have a description of the userspace-visible impact? To
> help others understand why we're proposing a backport,

The function is used to construct a scatterlist. The result of the
bug is that the scatterlist entries have a length that is too long.
Results can vary but most likely this will result in silent data
corruption. I don't have a user-visible example of this, though.
The bug was found while staring at code.

> > --- a/lib/scatterlist.c
> > +++ b/lib/scatterlist.c
> > @@ -1249,7 +1249,7 @@ static ssize_t extract_kvec_to_sg(struct iov_iter *iter,
> > else
> > page = virt_to_page((void *)kaddr);
> >
> > - sg_set_page(sg, page, len, off);
> > + sg_set_page(sg, page, seg, off);
> > sgtable->nents++;
> > sg++;
> > sg_max--;
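Review bot: the hunk shows only `seg` replacing `len` in the `sg_set_page()` call, not how `seg` is derived or how `kaddr` and `len` are advanced afterwards; since the changelog says the per-page length is "already calculated but not used as intended", quoting that calculation (and the loop's advance by `seg`, if that is how the remainder is consumed) in the commit message would let reviewers and -stable maintainers confirm from the patch alone that `seg` is the page-bounded length. The changelog should also state the impact given in this reply: an entry set with `len` instead of `seg` claims more bytes than remain in the page it was set on, so the scatterlist overstates the segment, which is a memory error whose likely outcome is silent data corruption.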
>
> I'm thinking the series should be split up - this patch for 7.0-rcX and
> -stable, the kunit changes for 7.0-rcX. Or do you think we should
> -stableize the kunit changes also?

Only the actual fix is marked for backport to -stable but I consider
that somewhat critical because it is in essence a memory error.

> Or we put it all into 7.0-rcX and let the -stable patch trickle back
> later on. After all, 018584697533 was a couple of years ago. It's hard
> to decide on these things without that userspace-visible impact thing!

Best regards,
Christian
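The page-boundary split discussed in this thread, as an added user-space model that is not the kernel's lib/scatterlist.c code: `PAGE_SIZE`, `struct sg_model`, `SAMPLE_KADDR` and `SAMPLE_LEN` are constructed assumptions, `fixed == 0` stores `len` in the entry as the pre-patch code did, and `fixed == 1` stores `seg` as the patched `sg_set_page()` call does.

```c
/* User-space model of the per-page split in extract_kvec_to_sg(). Added
 * example, not kernel code; PAGE_SIZE, sg_model and the sample are constructed. */
#include <stdio.h>
#define PAGE_SIZE 4096UL
#define MAX_SG 16
#define SAMPLE_KADDR (3 * PAGE_SIZE + 4000) /* 96 bytes before a page end */
#define SAMPLE_LEN 5000UL
struct sg_model { unsigned long page; unsigned int off; unsigned int length; };

/* Cut [kaddr, kaddr+len) into page-bounded entries. fixed == 0 stores the
 * remaining kvec length (the pre-patch bug); fixed == 1 stores the clamped
 * segment, as the patched sg_set_page(sg, page, seg, off) call does. */
static size_t kvec_to_sg_model(unsigned long kaddr, size_t len,
                               struct sg_model *sg, size_t sg_max, int fixed)
{
    size_t n = 0;
    while (len > 0 && n < sg_max) {
        unsigned int off = kaddr & (PAGE_SIZE - 1);
        size_t seg = PAGE_SIZE - off;       /* room left in this page */
        if (seg > len) seg = len;
        sg[n].page = kaddr / PAGE_SIZE;
        sg[n].off = off;
        sg[n].length = fixed ? seg : len;   /* len can run past the page */
        n++;
        kaddr += seg;
        len -= seg;
    }
    return n;
}

/* Run the sample through the model. Returns 1 if every entry stays inside
 * its page, 0 otherwise; *first_len receives entry 0's length. */
static int sample_fits(int fixed, unsigned int *first_len)
{
    struct sg_model sg[MAX_SG];
    size_t n = kvec_to_sg_model(SAMPLE_KADDR, SAMPLE_LEN, sg, MAX_SG, fixed);
    *first_len = sg[0].length;
    for (size_t i = 0; i < n; i++)
        if ((size_t)sg[i].off + sg[i].length > PAGE_SIZE) return 0;
    return 1;
}

int main(void)
{
    unsigned int first;
    int fits = sample_fits(0, &first);
    printf("buggy: fits=%d, first entry %u bytes\n", fits, first);
    fits = sample_fits(1, &first);
    printf("fixed: fits=%d, first entry %u bytes\n", fits, first);
}
```

With the sample buffer starting 96 bytes before a page end, the buggy split records a 5000-byte first entry at offset 4000, while the fixed split records 96, 4096 and 808 bytes.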