All of lore.kernel.org
 help / color / mirror / Atom feed
From: Christoph Hellwig <hch@lst.de>
To: David Carlier <devnexen@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>, Christoph Hellwig <hch@lst.de>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Anuj Gupta <anuj20.g@samsung.com>,
	Kanchan Joshi <joshi.k@samsung.com>,
	linux-block@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] block: don't overwrite bip_vcnt in bio_integrity_copy_user()
Date: Tue, 12 May 2026 08:17:06 +0200	[thread overview]
Message-ID: <20260512061706.GA30204@lst.de> (raw)
In-Reply-To: <20260511215151.346228-1-devnexen@gmail.com>

On Mon, May 11, 2026 at 10:51:51PM +0100, David Carlier wrote:
> bio_integrity_add_page() already sets bip_vcnt to 1 for the bounce
> segment. Overwriting it with nr_vecs breaks bip_vcnt <= bip_max_vcnt
> on WRITE (bip_max_vcnt is 1), so the gap-merge checks in block/blk.h
> read past the bip_vec[] flex array. On READ the read is in bounds
> but lands on a saved user bvec instead of the bounce.
> 
> The line was added for split propagation, but bio_integrity_clone()
> doesn't copy bip_vcnt and BIP_CLONE_FLAGS excludes BIP_COPY_USER.

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>


  reply	other threads:[~2026-05-12  6:17 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-11 21:51 [PATCH] block: don't overwrite bip_vcnt in bio_integrity_copy_user() David Carlier
2026-05-12  6:17 ` Christoph Hellwig [this message]
2026-05-12 15:27 ` Jens Axboe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260512061706.GA30204@lst.de \
    --to=hch@lst.de \
    --cc=anuj20.g@samsung.com \
    --cc=axboe@kernel.dk \
    --cc=devnexen@gmail.com \
    --cc=joshi.k@samsung.com \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin.petersen@oracle.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.