Re: [PATCH] block: don't overwrite bip_vcnt in bio_integrity_copy_user()

Next message: David Hildenbrand (Arm): "Re: [PATCH v3 05/12] mm, swap: unify large folio allocation"
Previous message: M K, Muralidhara: "Re: [PATCH v2 1/7] platform/x86/amd/hsmp: Add new HSMP messages for Family 1Ah, Model 50h-5Fh"
In reply to: David Carlier: "[PATCH] block: don't overwrite bip_vcnt in bio_integrity_copy_user()"
Next in thread: Jens Axboe: "Re: [PATCH] block: don't overwrite bip_vcnt in bio_integrity_copy_user()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Christoph Hellwig

Date: Tue May 12 2026 - 02:25:07 EST

On Mon, May 11, 2026 at 10:51:51PM +0100, David Carlier wrote:
> bio_integrity_add_page() already sets bip_vcnt to 1 for the bounce
> segment. Overwriting it with nr_vecs breaks bip_vcnt <= bip_max_vcnt
> on WRITE (bip_max_vcnt is 1), so the gap-merge checks in block/blk.h
> read past the bip_vec[] flex array. On READ the read is in bounds
> but lands on a saved user bvec instead of the bounce.
>
> The line was added for split propagation, but bio_integrity_clone()
> doesn't copy bip_vcnt and BIP_CLONE_FLAGS excludes BIP_COPY_USER.

Looks good:

Reviewed-by: Christoph Hellwig <hch@xxxxxx>