tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

io_uring/kbuf: fix signedness in this_len calculation

When importing and using buffers, buf->len is considered unsigned.
However, buf->len is converted to signed int when committing. This can
lead to unexpected behavior if the buffer is large enough to be
interpreted as a negative value. Make min_t calculation unsigned.

Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")
Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
Link: https://lore.kernel.org/r/tencent_4DBB3674C0419BEC2C0C525949DA410CA307@qq.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by

Qingyue Zhang and committed by
Jens Axboe c64eff36 e4e6aaea

+1 -1
+1 -1
io_uring/kbuf.c
··· 39 39 u32 this_len; 40 40 41 41 buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask); 42 - this_len = min_t(int, len, buf->len); 42 + this_len = min_t(u32, len, buf->len); 43 43 buf->len -= this_len; 44 44 if (buf->len) { 45 45 buf->addr += this_len;