[PATCH] block: fix folio leak in bio_iov_iter_bounce_read()

[PATCH] block: fix folio leak in bio_iov_iter_bounce_read()

[Jens Axboe]

If iov_iter_extract_bvecs() returns an error or zero bytes extracted,
then the folio allocated is leaked on return. Ensure it's put before
returning.

Fixes: 8dd5e7c75d7b ("block: add helpers to bounce buffer an iov_iter into bios")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

---

diff --git a/block/bio.c b/block/bio.c
index b291b9aaeee1..8203bb7455a9 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -1382,8 +1382,10 @@ static int bio_iov_iter_bounce_read(struct bio *bio, struct iov_iter *iter)
 		ret = iov_iter_extract_bvecs(iter, bio->bi_io_vec + 1, len,
 				&bio->bi_vcnt, bio->bi_max_vecs - 1, 0);
 		if (ret <= 0) {
-			if (!bio->bi_vcnt)
+			if (!bio->bi_vcnt) {
+				folio_put(folio);
 				return ret;
+			}
 			break;
 		}
 		len -= ret;

-- 
Jens Axboe

Re: [PATCH] block: fix folio leak in bio_iov_iter_bounce_read()

[Alexander Atanasov]

Hello,

On 12.02.26 13:10, Jens Axboe wrote:
> If iov_iter_extract_bvecs() returns an error or zero bytes extracted,
> then the folio allocated is leaked on return. Ensure it's put before
> returning.
> 
> Fixes: 8dd5e7c75d7b ("block: add helpers to bounce buffer an iov_iter into bios")
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> 
> ---
> 
> diff --git a/block/bio.c b/block/bio.c
> index b291b9aaeee1..8203bb7455a9 100644
> --- a/block/bio.c
> +++ b/block/bio.c
> @@ -1382,8 +1382,10 @@ static int bio_iov_iter_bounce_read(struct bio *bio, struct iov_iter *iter)
>   		ret = iov_iter_extract_bvecs(iter, bio->bi_io_vec + 1, len,
>   				&bio->bi_vcnt, bio->bi_max_vecs - 1, 0);
>   		if (ret <= 0) {
> -			if (!bio->bi_vcnt)
> +			if (!bio->bi_vcnt) {
> +				folio_put(folio);
>   				return ret;
> +			}
>   			break;
>   		}
>   		len -= ret;
> 

Isn't it better to move folio allocation after the while loop instead, 
right before it is actually used - less error prone in future updates, 
tighter loop, better cache wise.

-- 
have fun,
alex


diff --git a/block/bio.c b/block/bio.c
index 49f7548a31d6..742d395f98e1 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -1338,10 +1338,6 @@ static int bio_iov_iter_bounce_read(struct bio 
*bio, struct iov_iter *iter)
         size_t len = min(iov_iter_count(iter), SZ_1M);
         struct folio *folio;

-       folio = folio_alloc_greedy(GFP_KERNEL, &len);
-       if (!folio)
-               return -ENOMEM;
-
         do {
                 ssize_t ret;

@@ -1356,6 +1352,10 @@ static int bio_iov_iter_bounce_read(struct bio 
*bio, struct iov_iter *iter)
                 bio->bi_iter.bi_size += ret;
         } while (len && bio->bi_vcnt < bio->bi_max_vecs - 1);

+       folio = folio_alloc_greedy(GFP_KERNEL, &len);
+       if (!folio)
+               return -ENOMEM;
+
         /*
          * Set the folio directly here.  The above loop has already 
calculated
          * the correct bi_size, and we use bi_vcnt for the user 
buffers.  That

Re: [PATCH] block: fix folio leak in bio_iov_iter_bounce_read()

[Christoph Hellwig]

On Fri, Feb 13, 2026 at 02:00:17PM +0200, Alexander Atanasov wrote:
> Isn't it better to move folio allocation after the while loop instead, 
> right before it is actually used - less error prone in future updates, 
> tighter loop, better cache wise.


We can't do that, as folio_alloc_greedy returns how much we actually
were able to allocate.

Re: [PATCH] block: fix folio leak in bio_iov_iter_bounce_read()

[Christoph Hellwig]

On Thu, Feb 12, 2026 at 04:10:09AM -0700, Jens Axboe wrote:
> If iov_iter_extract_bvecs() returns an error or zero bytes extracted,
> then the folio allocated is leaked on return. Ensure it's put before
> returning.
> 
> Fixes: 8dd5e7c75d7b ("block: add helpers to bounce buffer an iov_iter into bios")
> Signed-off-by: Jens Axboe <axboe@kernel.dk>


Looks good, thanks:

Reviewed-by: Christoph Hellwig <hch@lst.de>