| author | Pavel Begunkov <asml.silence@gmail.com> | 2025-10-08 13:38:06 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-10-15 12:04:15 +0200 |
| commit | 8bcc9eaf1b19f1a7029cba19f6bd4122b40f6c4f (patch) | |
| tree | 5fbe40380c4be83c0eea2e67e0c5e7648bd3fcce /io_uring | |
| parent | 3e2205db2f0608898d535da1964e1b376aacfdaa (diff) | |
io_uring/zcrx: fix overshooting recv limit

commit 09cfd3c52ea76f43b3cb15e570aeddf633d65e80 upstream.

It's reported that sometimes a zcrx request can receive more than was
requested. It's caused by io_zcrx_recv_skb() adjusting desc->count for
all received buffers including frag lists, but then doing recursive
calls to process frag list skbs, which leads to desc->count double
accounting and underflow.

Reported-and-tested-by: Matthias Jasny <matthiasjasny@gmail.com>
Fixes: 6699ec9a23f85 ("io_uring/zcrx: add a read limit to recvzc requests")
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'io_uring')
| -rw-r--r-- | io_uring/zcrx.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c index e5ff49f3425e..643a69f9ffe2 100644 --- a/io_uring/zcrx.c +++ b/io_uring/zcrx.c @@ -1154,12 +1154,16 @@ io_zcrx_recv_skb(read_descriptor_t *desc, struct sk_buff *skb, end = start + frag_iter->len; if (offset < end) { + size_t count; + copy = end - offset; if (copy > len) copy = len; off = offset - start; + count = desc->count; ret = io_zcrx_recv_skb(desc, frag_iter, off, copy); + desc->count = count; if (ret < 0) goto out; |
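
Review bot: in the frag-list loop, the new save and restore of desc->count around the recursive io_zcrx_recv_skb() call carries no comment, so a later reader could take `desc->count = count;` for a leftover and remove it, reintroducing the overshoot. A short comment above `count = desc->count;` stating that the outer call already accounts for frag-list bytes, and that the recursive call's adjustment is discarded to avoid the double accounting and underflow described in the commit message, would make the intent durable. The restore also sits before the `if (ret < 0)` check, so the error path leaves desc->count at its pre-recursion value as well; if that is intended, the comment should say so.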
