6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov asml.silence@gmail.com
commit 09cfd3c52ea76f43b3cb15e570aeddf633d65e80 upstream.
It's reported that sometimes a zcrx request can receive more than was requested. It's caused by io_zcrx_recv_skb() adjusting desc->count for all received buffers including frag lists, but then doing recursive calls to process frag list skbs, which leads to desc->count double accounting and underflow.
Reported-and-tested-by: Matthias Jasny matthiasjasny@gmail.com
Fixes: 6699ec9a23f85 ("io_uring/zcrx: add a read limit to recvzc requests")
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov asml.silence@gmail.com
Signed-off-by: Jens Axboe axboe@kernel.dk
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 io_uring/zcrx.c | 4 ++++
 1 file changed, 4 insertions(+)
--- a/io_uring/zcrx.c +++ b/io_uring/zcrx.c @@ -1154,12 +1154,16 @@ io_zcrx_recv_skb(read_descriptor_t *desc
end = start + frag_iter->len; if (offset < end) { + size_t count; + copy = end - offset; if (copy > len) copy = len;
off = offset - start; + count = desc->count; ret = io_zcrx_recv_skb(desc, frag_iter, off, copy); + desc->count = count; if (ret < 0) goto out;
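Review bot: the save and restore of desc->count around the recursive io_zcrx_recv_skb() call in the frag list loop has no comment, and `desc->count = count;` on its own reads as if the nested call's accounting were being discarded by accident. A short comment above `count = desc->count;` stating that the outer invocation already adjusts desc->count for everything received, frag lists included, would keep a later cleanup from dropping the restore and bringing back the double accounting and underflow the commit message describes. The restore also runs before the `if (ret < 0)` check, so it applies on the error path too; if that is intended, the same comment is the place to say so.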