From: David Carlier
To: Jens Axboe
Cc: Christoph Hellwig, "Martin K . Petersen", Anuj Gupta, Kanchan Joshi, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, David Carlier
Subject: [PATCH] block: don't overwrite bip_vcnt in bio_integrity_copy_user()
Date: Mon, 11 May 2026 22:51:51 +0100
Message-ID: <20260511215151.346228-1-devnexen@gmail.com>

bio_integrity_add_page() already sets bip_vcnt to 1 for the bounce
segment. Overwriting it with nr_vecs breaks bip_vcnt <= bip_max_vcnt on
WRITE (bip_max_vcnt is 1), so the gap-merge checks in block/blk.h read
past the bip_vec[] flex array. On READ the read is in bounds but lands
on a saved user bvec instead of the bounce.

The line was added for split propagation, but bio_integrity_clone()
doesn't copy bip_vcnt and BIP_CLONE_FLAGS excludes BIP_COPY_USER.

Fixes: 3991657ae707 ("block: set bip_vcnt correctly")
Signed-off-by: David Carlier
--- block/bio-integrity.c | 1 - 1 file changed, 1 deletion(-) diff --git a/block/bio-integrity.c b/block/bio-integrity.c index e79eaf047794..869746412949 100644 --- a/block/bio-integrity.c +++ b/block/bio-integrity.c @@ -308,7 +308,6 @@ static int bio_integrity_copy_user(struct bio *bio, struct bio_vec *bvec, } bip->bip_flags |= BIP_COPY_USER; - bip->bip_vcnt = nr_vecs; return 0; free_bip: bio_integrity_free(bio); -- 2.53.0
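Review bot: the invariant this fix relies on is not documented at the point of the deletion in bio_integrity_copy_user(). Once `bip->bip_vcnt = nr_vecs;` is gone, nothing next to `bip->bip_flags |= BIP_COPY_USER;` says that bip_vcnt must stay at the value bio_integrity_add_page() left it. A one-line comment there, stating that bip_vcnt counts only the bounce segment and not the saved user bvecs, would guard against the assignment being reintroduced. The changelog explains why the split path does not need the value (bio_integrity_clone() and BIP_CLONE_FLAGS), but it does not say whether the completion path for BIP_COPY_USER bios ever relied on bip_vcnt == nr_vecs to locate the saved user bvecs; please state in the commit message where that path takes its count from. Since the message describes a read past the bip_vec[] flex array on WRITE, consider adding a stable tag alongside the Fixes: line.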