Message-Id: <20251119224140.8616-5-david.laight.linux@gmail.com>
Date: Wed, 19 Nov 2025 22:41:00 +0000
From: david.laight.linux@...il.com
To: linux-kernel@...r.kernel.org,
	io-uring@...r.kernel.org
Cc: Jens Axboe <axboe@...nel.dk>,
	David Laight <david.laight.linux@...il.com>
Subject: [PATCH 04/44] io_uring/net: Change some dubious min_t()

From: David Laight <david.laight.linux@...il.com>

Since iov_len is 'unsigned long' it is possible that the cast
to 'int' will change the value of min_t(int, iov[nbufs].iov_len, ret).
Use a plain min() and change the loop bottom to while (ret > 0) so that
the compiler knows 'ret' is always positive.

Also change min_t(int, sel->val, sr->mshot_total_len) to a simple min()
since sel->val is also long and subject to possible truncation.

It might be that other checks stop these being problems, but they are
picked up by some compile-time tests for min_t() truncating values.

Signed-off-by: David Laight <david.laight.linux@...il.com>
---
 io_uring/net.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/io_uring/net.c b/io_uring/net.c
index a95cc9ca2a4d..5fcc3e9b094e 100644
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -483,11 +483,11 @@ static int io_bundle_nbufs(struct io_async_msghdr *kmsg, int ret)
 	/* short transfer, count segments */
 	nbufs = 0;
 	do {
-		int this_len = min_t(int, iov[nbufs].iov_len, ret);
+		int this_len = min(iov[nbufs].iov_len, ret);
 
 		nbufs++;
 		ret -= this_len;
-	} while (ret);
+	} while (ret > 0);
 
 	return nbufs;
 }
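Review bot: In the do/while in io_bundle_nbufs(), min(iov[nbufs].iov_len, ret) now compares an unsigned long with the signed int 'ret', and the new 'while (ret > 0)' only establishes that ret is positive from the second iteration onward. Nothing in the visible context shows what guarantees ret > 0 on entry to the loop; please name that check in the commit message or in a short comment above the loop so the first-pass comparison is evidently safe. The loop also still indexes iov[nbufs] with no bound other than ret reaching zero, so a line on why that cannot run past the array would help while this code is being touched.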
@@ -853,7 +853,7 @@ static inline bool io_recv_finish(struct io_kiocb *req,
 		 * mshot as finished, and flag MSHOT_DONE as well to prevent
 		 * a potential bundle from being retried.
 		 */
-		sr->mshot_total_len -= min_t(int, sel->val, sr->mshot_total_len);
+		sr->mshot_total_len -= min(sel->val, sr->mshot_total_len);
 		if (!sr->mshot_total_len) {
 			sr->flags |= IORING_RECV_MSHOT_DONE;
 			mshot_finished = true;
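Review bot: For 'sr->mshot_total_len -= min(sel->val, sr->mshot_total_len)' in io_recv_finish(), the commit message says sel->val is long but gives neither the type of sr->mshot_total_len nor whether sel->val can be negative at this point. With the int cast gone the comparison is done at the wider type, so please state both operand types and the expected sign of sel->val in the changelog. It would also help to say whether this changes behaviour for any reachable value or only satisfies the compile-time min_t() test, since "It might be that other checks stop these being problems" leaves that open.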
-- 
2.39.5
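
The truncation described in the commit message, as an added userspace example (not part of the patch or of the kernel source). MIN_T, struct model_iovec, both count_bufs_* functions and the sample array are constructed for illustration and model only the arithmetic of the loop; they say nothing about whether such a length can reach io_bundle_nbufs().

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's min_t(): cast both sides, then compare. */
#define MIN_T(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

/* Constructed model of struct iovec; iov_len is 64-bit as on LP64 kernels. */
struct model_iovec { uint64_t iov_len; };

/* Old loop shape: iov_len is cast to int before the comparison. */
static int count_bufs_min_t(const struct model_iovec *iov, int ret)
{
	int nbufs = 0;
	do {
		int this_len = MIN_T(int, iov[nbufs].iov_len, ret);
		nbufs++;
		ret -= this_len;
	} while (ret);
	return nbufs;
}

/* New loop shape: compare at full width; assumes ret > 0 on entry. */
static int count_bufs_min(const struct model_iovec *iov, int ret)
{
	int nbufs = 0;
	do {
		uint64_t len = iov[nbufs].iov_len;
		int this_len = len < (uint64_t)ret ? (int)len : ret;
		nbufs++;
		ret -= this_len;
	} while (ret > 0);
	return nbufs;
}

/* Constructed input: a 4 GiB first segment whose low 32 bits are zero. */
static const struct model_iovec sample[] = { { 0x100000000ULL }, { 100 } };

int main(void)
{
	printf("min_t(int): %d buffers\n", count_bufs_min_t(sample, 50));
	printf("min():      %d buffers\n", count_bufs_min(sample, 50));
	return 0;
}
```

With the cast, the 4 GiB segment is seen as length 0, so the 50-byte transfer is attributed to two buffers instead of one.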

