* [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
@ 2025-08-27 11:43 Qingyue Zhang
2025-08-27 14:40 ` Jens Axboe
2026-01-20 17:33 ` Harshit Mogalapalli
0 siblings, 2 replies; 5+ messages in thread
From: Qingyue Zhang @ 2025-08-27 11:43 UTC (permalink / raw)
To: axboe; +Cc: io-uring, linux-kernel, Qingyue Zhang, Suoxing Zhang
When importing and using buffers, buf->len is considered unsigned.
However, buf->len is converted to signed int when committing. This
can lead to unexpected behavior if buffer is large enough to be
interpreted as a negative value. Make min_t calculation unsigned.
Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
---
io_uring/kbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index f2d2cc319faa..81a13338dfab 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
u32 this_len;
buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask);
- this_len = min_t(int, len, buf->len);
+ this_len = min_t(u32, len, buf->len);
buf->len -= this_len;
if (buf->len) {
buf->addr += this_len;
--
2.48.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
2025-08-27 11:43 [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation Qingyue Zhang
@ 2025-08-27 14:40 ` Jens Axboe
2026-01-20 17:33 ` Harshit Mogalapalli
1 sibling, 0 replies; 5+ messages in thread
From: Jens Axboe @ 2025-08-27 14:40 UTC (permalink / raw)
To: Qingyue Zhang; +Cc: io-uring, linux-kernel, Suoxing Zhang
On Wed, 27 Aug 2025 19:43:39 +0800, Qingyue Zhang wrote:
> When importing and using buffers, buf->len is considered unsigned.
> However, buf->len is converted to signed int when committing. This
> can lead to unexpected behavior if buffer is large enough to be
> interpreted as a negative value. Make min_t calculation unsigned.
>
>
Applied, thanks!
[1/2] io_uring/kbuf: fix signedness in this_len calculation
commit: c64eff368ac676e8540344d27a3de47e0ad90d21
Best regards,
--
Jens Axboe
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
2025-08-27 11:43 [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation Qingyue Zhang
2025-08-27 14:40 ` Jens Axboe
@ 2026-01-20 17:33 ` Harshit Mogalapalli
2026-01-20 17:38 ` Jens Axboe
1 sibling, 1 reply; 5+ messages in thread
From: Harshit Mogalapalli @ 2026-01-20 17:33 UTC (permalink / raw)
To: Qingyue Zhang, axboe
Cc: io-uring, linux-kernel, Suoxing Zhang, cve, Greg Kroah-Hartman
Hi,
I have a question regarding the Fixes tag for this.
On 27/08/25 17:13, Qingyue Zhang wrote:
> When importing and using buffers, buf->len is considered unsigned.
> However, buf->len is converted to signed int when committing. This
> can lead to unexpected behavior if buffer is large enough to be
> interpreted as a negative value. Make min_t calculation unsigned.
>
> Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
> Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
> Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
In the upstream merged commit:
commit c64eff368ac676e8540344d27a3de47e0ad90d21
Author: Qingyue Zhang <chunzhennn@qq.com>
Date: Wed Aug 27 19:43:39 2025 +0800
io_uring/kbuf: fix signedness in this_len calculation
When importing and using buffers, buf->len is considered unsigned.
However, buf->len is converted to signed int when committing. This can
lead to unexpected behavior if the buffer is large enough to be
interpreted as a negative value. Make min_t calculation unsigned.
Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental
buffer consumption")
Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
Link:
https://lore.kernel.org/r/tencent_4DBB3674C0419BEC2C0C525949DA410CA307@qq.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index f2d2cc319faa..81a13338dfab 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list
*bl, int len)
u32 this_len;
buf = io_ring_head_to_buf(bl->buf_ring, bl->head,
bl->mask);
- this_len = min_t(int, len, buf->len);
+ this_len = min_t(u32, len, buf->len);
buf->len -= this_len;
if (buf->len) {
buf->addr += this_len;
I see the Fixes tag documented is "Fixes: ae98dbf43d75 ("io_uring/kbuf:
add support for incremental buffer consumption")"
I think a more accurate Fixes tag is "Fixes: cf9536e550dd
("io_uring/kbuf: enable bundles for incrementally consumed buffers")" ,
Reason: Commit cf9536e550dd243a1681fdbf804221527da20a80 is the first to
move incremental-buffer accounting into the new helper
io_kbuf_inc_commit(), introducing this_len = min_t(int, len, buf->len);.
The signed int here is exactly what
c64eff368ac676e8540344d27a3de47e0ad90d21 corrects.
I am asking this so we can correct the vulnerable commit for
CVE-2025-39822. Currently due to a different broken commit 6.12.y is
marked as vulnerable [1]. If the above new Fixes tag is correct only
kernels newer than 6.15 are affected.
[1] https://lore.kernel.org/all/2025091616-CVE-2025-39822-454e@gregkh/
Thanks,
Harshit
> ---
> io_uring/kbuf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
> index f2d2cc319faa..81a13338dfab 100644
> --- a/io_uring/kbuf.c
> +++ b/io_uring/kbuf.c
> @@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
> u32 this_len;
>
> buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask);
> - this_len = min_t(int, len, buf->len);
> + this_len = min_t(u32, len, buf->len);
> buf->len -= this_len;
> if (buf->len) {
> buf->addr += this_len;
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
2026-01-20 17:33 ` Harshit Mogalapalli
@ 2026-01-20 17:38 ` Jens Axboe
2026-01-20 17:41 ` Harshit Mogalapalli
0 siblings, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2026-01-20 17:38 UTC (permalink / raw)
To: Harshit Mogalapalli, Qingyue Zhang
Cc: io-uring, linux-kernel, Suoxing Zhang, cve, Greg Kroah-Hartman
On 1/20/26 10:33 AM, Harshit Mogalapalli wrote:
> Hi,
>
> I have a question regarding the Fixes tag for this.
>
> On 27/08/25 17:13, Qingyue Zhang wrote:
>> When importing and using buffers, buf->len is considered unsigned.
>> However, buf->len is converted to signed int when committing. This
>> can lead to unexpected behavior if buffer is large enough to be
>> interpreted as a negative value. Make min_t calculation unsigned.
>>
>> Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
>> Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
>> Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
>
>
> In the upstream merged commit:
>
> commit c64eff368ac676e8540344d27a3de47e0ad90d21
> Author: Qingyue Zhang <chunzhennn@qq.com>
> Date: Wed Aug 27 19:43:39 2025 +0800
>
> io_uring/kbuf: fix signedness in this_len calculation
>
> When importing and using buffers, buf->len is considered unsigned.
> However, buf->len is converted to signed int when committing. This can
> lead to unexpected behavior if the buffer is large enough to be
> interpreted as a negative value. Make min_t calculation unsigned.
>
> Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")
> Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
> Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
> Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
> Link: https://lore.kernel.org/r/tencent_4DBB3674C0419BEC2C0C525949DA410CA307@qq.com
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
>
> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
> index f2d2cc319faa..81a13338dfab 100644
> --- a/io_uring/kbuf.c
> +++ b/io_uring/kbuf.c
> @@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
> u32 this_len;
>
> buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask);
> - this_len = min_t(int, len, buf->len);
> + this_len = min_t(u32, len, buf->len);
> buf->len -= this_len;
> if (buf->len) {
> buf->addr += this_len;
>
>
> I see the Fixes tag documented is "Fixes: ae98dbf43d75
> ("io_uring/kbuf: add support for incremental buffer consumption")"
>
> I think a more accurate Fixes tag is "Fixes: cf9536e550dd
> ("io_uring/kbuf: enable bundles for incrementally consumed buffers")"
> , Reason: Commit cf9536e550dd243a1681fdbf804221527da20a80 is the first
> to move incremental-buffer accounting into the new helper
> io_kbuf_inc_commit(), introducing this_len = min_t(int, len,
> buf->len);. The signed int here is exactly what
> c64eff368ac676e8540344d27a3de47e0ad90d21 corrects.
I took a look, and indeed, it is mis-tagged. The correct fixes tag
should've been for cf9536e550dd.
--
Jens Axboe
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
2026-01-20 17:38 ` Jens Axboe
@ 2026-01-20 17:41 ` Harshit Mogalapalli
0 siblings, 0 replies; 5+ messages in thread
From: Harshit Mogalapalli @ 2026-01-20 17:41 UTC (permalink / raw)
To: Jens Axboe, Qingyue Zhang
Cc: io-uring, linux-kernel, Suoxing Zhang, cve, Greg Kroah-Hartman
Hi Jens,
>> I see the Fixes tag documented is "Fixes: ae98dbf43d75
>> ("io_uring/kbuf: add support for incremental buffer consumption")"
>>
>> I think a more accurate Fixes tag is "Fixes: cf9536e550dd
>> ("io_uring/kbuf: enable bundles for incrementally consumed buffers")"
>> , Reason: Commit cf9536e550dd243a1681fdbf804221527da20a80 is the first
>> to move incremental-buffer accounting into the new helper
>> io_kbuf_inc_commit(), introducing this_len = min_t(int, len,
>> buf->len);. The signed int here is exactly what
>> c64eff368ac676e8540344d27a3de47e0ad90d21 corrects.
>
> I took a look, and indeed, it is mis-tagged. The correct fixes tag
> should've been for cf9536e550dd.
>
Thanks a lot for taking a look, will send a patch to vulns.git to get
the CVE information corrected.
Regards,
Harshit
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-01-20 17:41 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-27 11:43 [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation Qingyue Zhang
2025-08-27 14:40 ` Jens Axboe
2026-01-20 17:33 ` Harshit Mogalapalli
2026-01-20 17:38 ` Jens Axboe
2026-01-20 17:41 ` Harshit Mogalapalli
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox