superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

io_uring/zcrx: fix overshooting recv limit 

It's reported that sometimes a zcrx request can receive more than was
requested. It's caused by io_zcrx_recv_skb() adjusting desc->count for
all received buffers including frag lists, but then doing recursive
calls to process frag list skbs, which leads to desc->count double
accounting and underflow.

Reported-and-tested-by: Matthias Jasny <matthiasjasny@gmail.com>
Fixes: 6699ec9a23 ("io_uring/zcrx: add a read limit to recvzc requests")
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
pull/1354/merge
Pavel Begunkov 2025-10-08 13:38:06 +01:00 committed by Jens Axboe
parent beb97995b9
commit 09cfd3c52e
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
io_uring/zcrx.c
View File

@ -1236,12 +1236,16 @@ io_zcrx_recv_skb(read_descriptor_t *desc, struct sk_buff *skb,
end = start + frag_iter->len;
if (offset < end) {
size_t count;
copy = end - offset;
if (copy > len)
copy = len;
off = offset - start;
count = desc->count;
ret = io_zcrx_recv_skb(desc, frag_iter, off, copy);
desc->count = count;
if (ret < 0)
goto out;