[<prev] [next>] [day] [month] [year] [list]
Message-ID: <b0441e746c0a840908ec3e3881f782b5e84aa6d3.1759914280.git.asml.silence@gmail.com>
Date: Wed, 8 Oct 2025 13:38:06 +0100
From: Pavel Begunkov <asml.silence@...il.com>
To: io-uring@...r.kernel.org
Cc: asml.silence@...il.com,
axboe@...nel.dk,
netdev@...r.kernel.org,
Matthias Jasny <matthiasjasny@...il.com>
Subject: [PATCH 1/1] io_uring/zcrx: fix overshooting recv limit
It's reported that sometimes a zcrx request can receive more than was
requested. It's caused by io_zcrx_recv_skb() adjusting desc->count for
all received buffers including frag lists, but then doing recursive
calls to process frag list skbs, which leads to desc->count double
accounting and underflow.
Reported-and-tested-by: Matthias Jasny <matthiasjasny@...il.com>
Fixes: 6699ec9a23f85 ("io_uring/zcrx: add a read limit to recvzc requests")
Cc: stable@...r.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@...il.com>
---
io_uring/zcrx.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 723e4266b91f..ef73440b605a 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -1236,12 +1236,16 @@ io_zcrx_recv_skb(read_descriptor_t *desc, struct sk_buff *skb,
end = start + frag_iter->len;
if (offset < end) {
+ size_t count;
+
copy = end - offset;
if (copy > len)
copy = len;
off = offset - start;
+ count = desc->count;
ret = io_zcrx_recv_skb(desc, frag_iter, off, copy);
+ desc->count = count;
if (ret < 0)
goto out;
--
2.49.0
Powered by blists - more mailing lists