* [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
From: Qingyue Zhang @ 2025-08-27 11:43 UTC
To: axboe; +Cc: io-uring, linux-kernel, Qingyue Zhang, Suoxing Zhang

When importing and using buffers, buf->len is considered unsigned.
However, buf->len is converted to signed int when committing. This
can lead to unexpected behavior if the buffer is large enough to be
interpreted as a negative value. Make min_t calculation unsigned.

Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
---
 io_uring/kbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c index f2d2cc319faa..81a13338dfab 100644 --- a/io_uring/kbuf.c +++ b/io_uring/kbuf.c @@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len) u32 this_len; buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask); - this_len = min_t(int, len, buf->len); + this_len = min_t(u32, len, buf->len); buf->len -= this_len; if (buf->len) { buf->addr += this_len;

-- 
2.48.1
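Review bot: the hunk header shows the helper still takes `int len`, so `min_t(u32, len, buf->len)` now casts a signed `len` to u32 before comparing; a negative `len` turns into a value near 4 GiB, the min selects `buf->len`, and `buf->len -= this_len` charges the whole buffer without any error. The patch therefore relies on every caller passing a non-negative `len`; either state that invariant in the commit message or change the parameter to `u32 len` so the cast disappears and the compiler flags signed callers. The old `min_t(int, len, buf->len)` had the mirror-image problem the commit message describes: a `buf->len` above INT_MAX became negative after the cast, the "minimum" was that negative value, and storing it into the `u32 this_len` produced a huge count that zeroed `buf->len` after a short transfer.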
* Re: [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
From: Jens Axboe @ 2025-08-27 14:40 UTC
To: Qingyue Zhang; +Cc: io-uring, linux-kernel, Suoxing Zhang

On Wed, 27 Aug 2025 19:43:39 +0800, Qingyue Zhang wrote:
> When importing and using buffers, buf->len is considered unsigned.
> However, buf->len is converted to signed int when committing. This
> can lead to unexpected behavior if the buffer is large enough to be
> interpreted as a negative value. Make min_t calculation unsigned.
>

Applied, thanks!

[1/2] io_uring/kbuf: fix signedness in this_len calculation
      commit: c64eff368ac676e8540344d27a3de47e0ad90d21

Best regards,
-- 
Jens Axboe
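As an added illustration of the signedness problem the patch above corrects (example code written for this page, not code from io_uring/kbuf.c or from the patch authors), the block below models the single-buffer commit step from the hunk twice: once with the pre-patch `min_t(int, ...)` and once with the patched `min_t(u32, ...)`, fed a buffer whose `len` exceeds INT_MAX. It also runs the patched arithmetic with a negative `len`, the one signed hazard the patch leaves to its callers. The two-field `struct ring_buf`, the `run_commit()` wrapper, the `min_t` macro written out locally and the 2 GiB / 4 KiB / 8 KiB sizes are assumptions made for the demonstration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in for the kernel's struct io_uring_buf. Only the two fields the
 * commit step touches are modelled; that is an assumption of this example,
 * the real struct has more members.
 */
struct ring_buf {
	uint64_t addr;
	uint32_t len;
};

/* Same shape as the kernel's min_t(): both operands are cast to TYPE first. */
#define min_t(type, x, y) \
	((type)(x) < (type)(y) ? (type)(x) : (type)(y))

/*
 * One commit step for a single buffer, modelled on the lines in the hunk.
 * fixed == false reproduces the pre-patch min_t(int, ...), fixed == true
 * the patched min_t(u32, ...). Returns the byte count charged to the buffer
 * and, when after is non-NULL, stores the updated buffer there.
 */
uint32_t run_commit(bool fixed, uint32_t buf_len, int len,
		    struct ring_buf *after)
{
	struct ring_buf buf = { .addr = 0x1000, .len = buf_len };
	uint32_t this_len;

	if (fixed) {
		/* Patched: a negative len becomes ~4 GiB and the min picks buf.len. */
		this_len = min_t(uint32_t, len, buf.len);
	} else {
		/*
		 * Pre-patch: a buf.len above INT_MAX is converted to int, which is
		 * implementation-defined but wraps negative on GCC and Clang, so the
		 * "minimum" is that negative value and this_len ends up huge.
		 */
		this_len = min_t(int, len, buf.len);
	}

	/* The accounting below is identical in both variants. */
	buf.len -= this_len;
	if (buf.len)
		buf.addr += this_len;

	if (after)
		*after = buf;
	return this_len;
}

int main(void)
{
	struct ring_buf after;
	uint32_t got;

	/* Constructed input: a 2 GiB provided buffer and a 4 KiB transfer. */
	got = run_commit(false, 0x80000000u, 4096, &after);
	printf("pre-fix:  charged 0x%08" PRIx32 ", remaining 0x%08" PRIx32
	       ", addr 0x%" PRIx64 "\n", got, after.len, after.addr);

	got = run_commit(true, 0x80000000u, 4096, &after);
	printf("post-fix: charged 0x%08" PRIx32 ", remaining 0x%08" PRIx32
	       ", addr 0x%" PRIx64 "\n", got, after.len, after.addr);

	/* Constructed input: the remaining signed hazard, a negative len. */
	got = run_commit(true, 8192, -1, &after);
	printf("post-fix, len=-1: charged %" PRIu32 ", remaining %" PRIu32 "\n",
	       got, after.len);
	return 0;
}
```

Build with `cc -std=c11 -Wall example.c`. The pre-fix variant charges 0x80000000 bytes and reports the 2 GiB buffer fully consumed after a 4 KiB transfer; the patched variant charges 4096 and advances `addr` by that amount. With `len == -1` the patched variant charges the entire 8192-byte buffer, which is why the helper's callers must never hand it a negative length.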
* Re: [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
From: Harshit Mogalapalli @ 2026-01-20 17:33 UTC
To: Qingyue Zhang, axboe
Cc: io-uring, linux-kernel, Suoxing Zhang, cve, Greg Kroah-Hartman

Hi,

I have a question regarding the Fixes tag for this.

On 27/08/25 17:13, Qingyue Zhang wrote:
> When importing and using buffers, buf->len is considered unsigned.
> However, buf->len is converted to signed int when committing. This
> can lead to unexpected behavior if the buffer is large enough to be
> interpreted as a negative value. Make min_t calculation unsigned.
>
> Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
> Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
> Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>

In the upstream merged commit:

commit c64eff368ac676e8540344d27a3de47e0ad90d21
Author: Qingyue Zhang <chunzhennn@qq.com>
Date:   Wed Aug 27 19:43:39 2025 +0800

    io_uring/kbuf: fix signedness in this_len calculation

    When importing and using buffers, buf->len is considered unsigned.
    However, buf->len is converted to signed int when committing. This can
    lead to unexpected behavior if the buffer is large enough to be
    interpreted as a negative value. Make min_t calculation unsigned.

    Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")
    Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
    Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
    Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
    Link: https://lore.kernel.org/r/tencent_4DBB3674C0419BEC2C0C525949DA410CA307@qq.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c index f2d2cc319faa..81a13338dfab 100644 --- a/io_uring/kbuf.c +++ b/io_uring/kbuf.c @@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len) u32 this_len; buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask); - this_len = min_t(int, len, buf->len); + this_len = min_t(u32, len, buf->len); buf->len -= this_len; if (buf->len) { buf->addr += this_len;

I see the Fixes tag documented is "Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")".

I think a more accurate Fixes tag is "Fixes: cf9536e550dd ("io_uring/kbuf: enable bundles for incrementally consumed buffers")". Reason: commit cf9536e550dd243a1681fdbf804221527da20a80 is the first to move incremental-buffer accounting into the new helper io_kbuf_inc_commit(), introducing this_len = min_t(int, len, buf->len);. The signed int here is exactly what c64eff368ac676e8540344d27a3de47e0ad90d21 corrects.

I am asking this so we can correct the vulnerable commit for CVE-2025-39822. Currently, due to a different broken commit, 6.12.y is marked as vulnerable [1]. If the above new Fixes tag is correct, only kernels newer than 6.15 are affected.

[1] https://lore.kernel.org/all/2025091616-CVE-2025-39822-454e@gregkh/

Thanks,
Harshit

> ---
> io_uring/kbuf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c > index f2d2cc319faa..81a13338dfab 100644 > --- a/io_uring/kbuf.c > +++ b/io_uring/kbuf.c > @@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len) > u32 this_len; > > buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask); > - this_len = min_t(int, len, buf->len); > + this_len = min_t(u32, len, buf->len); > buf->len -= this_len; > if (buf->len) { > buf->addr += this_len;
* Re: [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
From: Jens Axboe @ 2026-01-20 17:38 UTC
To: Harshit Mogalapalli, Qingyue Zhang
Cc: io-uring, linux-kernel, Suoxing Zhang, cve, Greg Kroah-Hartman

On 1/20/26 10:33 AM, Harshit Mogalapalli wrote:
> Hi,
>
> I have a question regarding the Fixes tag for this.
>
> On 27/08/25 17:13, Qingyue Zhang wrote:
>> When importing and using buffers, buf->len is considered unsigned.
>> However, buf->len is converted to signed int when committing. This
>> can lead to unexpected behavior if the buffer is large enough to be
>> interpreted as a negative value. Make min_t calculation unsigned.
>>
>> Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
>> Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
>> Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
>
>
> In the upstream merged commit:
>
> commit c64eff368ac676e8540344d27a3de47e0ad90d21
> Author: Qingyue Zhang <chunzhennn@qq.com>
> Date:   Wed Aug 27 19:43:39 2025 +0800
>
>     io_uring/kbuf: fix signedness in this_len calculation
>
>     When importing and using buffers, buf->len is considered unsigned.
>     However, buf->len is converted to signed int when committing. This can
>     lead to unexpected behavior if the buffer is large enough to be
>     interpreted as a negative value. Make min_t calculation unsigned.
>
>     Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")
>     Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
>     Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
>     Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
>     Link: https://lore.kernel.org/r/tencent_4DBB3674C0419BEC2C0C525949DA410CA307@qq.com
>     Signed-off-by: Jens Axboe <axboe@kernel.dk>
>
> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c > index f2d2cc319faa..81a13338dfab 100644 > --- a/io_uring/kbuf.c > +++ b/io_uring/kbuf.c > @@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len) > u32 this_len; > > buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask); > - this_len = min_t(int, len, buf->len); > + this_len = min_t(u32, len, buf->len); > buf->len -= this_len; > if (buf->len) { > buf->addr += this_len;
>
>
> I see the Fixes tag documented is "Fixes: ae98dbf43d75
> ("io_uring/kbuf: add support for incremental buffer consumption")".
>
> I think a more accurate Fixes tag is "Fixes: cf9536e550dd
> ("io_uring/kbuf: enable bundles for incrementally consumed buffers")".
> Reason: commit cf9536e550dd243a1681fdbf804221527da20a80 is the first
> to move incremental-buffer accounting into the new helper
> io_kbuf_inc_commit(), introducing this_len = min_t(int, len,
> buf->len);. The signed int here is exactly what
> c64eff368ac676e8540344d27a3de47e0ad90d21 corrects.

I took a look, and indeed, it is mis-tagged. The correct fixes tag
should've been for cf9536e550dd.

-- 
Jens Axboe
* Re: [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation
From: Harshit Mogalapalli @ 2026-01-20 17:41 UTC
To: Jens Axboe, Qingyue Zhang
Cc: io-uring, linux-kernel, Suoxing Zhang, cve, Greg Kroah-Hartman

Hi Jens,

>> I see the Fixes tag documented is "Fixes: ae98dbf43d75
>> ("io_uring/kbuf: add support for incremental buffer consumption")".
>>
>> I think a more accurate Fixes tag is "Fixes: cf9536e550dd
>> ("io_uring/kbuf: enable bundles for incrementally consumed buffers")".
>> Reason: commit cf9536e550dd243a1681fdbf804221527da20a80 is the first
>> to move incremental-buffer accounting into the new helper
>> io_kbuf_inc_commit(), introducing this_len = min_t(int, len,
>> buf->len);. The signed int here is exactly what
>> c64eff368ac676e8540344d27a3de47e0ad90d21 corrects.
>
> I took a look, and indeed, it is mis-tagged. The correct fixes tag
> should've been for cf9536e550dd.
>

Thanks a lot for taking a look, will send a patch to vulns.git to get
the CVE information corrected.

Regards,
Harshit