Re: [PATCH] block: don't overwrite bip_vcnt in bio_integrity_copy_user()

From: Jens Axboe

Date: Tue May 12 2026 - 11:27:58 EST



On Mon, 11 May 2026 22:51:51 +0100, David Carlier wrote:
> bio_integrity_add_page() already sets bip_vcnt to 1 for the bounce
> segment. Overwriting it with nr_vecs breaks bip_vcnt <= bip_max_vcnt
> on WRITE (bip_max_vcnt is 1), so the gap-merge checks in block/blk.h
> read past the bip_vec[] flex array. On READ the read is in bounds
> but lands on a saved user bvec instead of the bounce.
>
> The line was added for split propagation, but bio_integrity_clone()
> doesn't copy bip_vcnt and BIP_CLONE_FLAGS excludes BIP_COPY_USER.
>
> [...]

Applied, thanks!

[1/1] block: don't overwrite bip_vcnt in bio_integrity_copy_user()
commit: 637ad3a56a3b889527d1dacea6fea2a8bd648140

Best regards,
--
Jens Axboe
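
The invariant the quoted commit message relies on (bip_vcnt <= bip_max_vcnt), as an added example that is not part of the original message or the kernel source. It is a user-space model: every model_ name is hypothetical, the READ sizing of 5 slots is constructed, and only the WRITE value of bip_max_vcnt (1) comes from the message.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: model_ names are hypothetical, not kernel code. */
struct model_vec { unsigned int len, offset; };

struct model_bip {
    unsigned short vcnt;      /* models bip_vcnt: entries in use */
    unsigned short max_vcnt;  /* models bip_max_vcnt: entries allocated */
    struct model_vec vec[];   /* models the bip_vec[] flex array */
};

/* Index a "last segment" check would read (vcnt - 1), or -1 when
 * vcnt <= max_vcnt does not hold and the read would leave vec[]. */
static long model_last_index(const struct model_bip *bip)
{
    if (bip->vcnt == 0 || bip->vcnt > bip->max_vcnt)
        return -1;
    return (long)bip->vcnt - 1;
}

/* Allocate max_vcnt slots, place the single bounce segment at index 0
 * (vcnt becomes 1), optionally overwrite vcnt with nr_vecs as the removed
 * line did, then report which index the check would read. */
long model_copy_user(unsigned short max_vcnt, unsigned short nr_vecs,
                     int overwrite_vcnt)
{
    struct model_bip *bip;
    long idx;

    if (max_vcnt == 0)
        return -2;
    bip = calloc(1, sizeof(*bip) + max_vcnt * sizeof(bip->vec[0]));
    if (!bip)
        return -2;
    bip->max_vcnt = max_vcnt;
    bip->vec[0].len = 512;    /* constructed bounce segment */
    bip->vcnt = 1;
    if (overwrite_vcnt)
        bip->vcnt = nr_vecs;
    idx = model_last_index(bip);
    free(bip);
    return idx;
}

int main(void)
{
    /* WRITE: max_vcnt is 1 (from the message). READ: 5 slots is constructed. */
    printf("write, kept:        %ld\n", model_copy_user(1, 4, 0));
    printf("write, overwritten: %ld\n", model_copy_user(1, 4, 1));
    printf("read,  overwritten: %ld\n", model_copy_user(5, 4, 1));
    return 0;
}
```

A result of -1 marks the WRITE case where the index would fall outside the array; a result of 3 in the READ model is in bounds but is not index 0, where the bounce segment sits.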