Hello. There is a case of integer overflow in __bvec_gap_to_prev(): ((bprv->bv_offset + bprv->bv_len) & lim->virt_boundary_mask); bio_vec can cross multiple pages: https://lore.kernel.org/lkml/20190215111324.30129-1-ming.lei@xxxxxxxxxx/t/ So, in case bio has one bio_vec bv_len can have a maximum value of UINT_MAX. The check happens in bio_full(). In the case when bv_len is equal to UINT_MAX and bv_offset is greater than zero, an overflow may occur. Found by Linux Verification Center (linuxtesting.org) with Svace.
