diff --git a/fs/splice.c b/fs/splice.c
index 684bca3..2d7e598 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1122,6 +1122,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
 		size_t len;
 		int i;
 
+		if (!access_ok(VERIFY_READ, iov, sizeof(struct iovec))) {
+			error = -EFAULT;
+			break;
+		}
+
 		/*
 		 * Get user address base and length for this iovec.
 		 */
@@ -1141,6 +1146,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
 		if (unlikely(!base))
 			break;
 
+		if (!access_ok(VERIFY_READ, base, len)) {
+			error = -EFAULT;
+			break;
+		}
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.