Commit 09cfd3c5 authored by Pavel Begunkov, committed by Jens Axboe

io_uring/zcrx: fix overshooting recv limit



It's reported that sometimes a zcrx request can receive more than was
requested. It's caused by io_zcrx_recv_skb() adjusting desc->count for
all received buffers including frag lists, but then doing recursive
calls to process frag list skbs, which leads to desc->count double
accounting and underflow.

Reported-and-tested-by: Matthias Jasny <matthiasjasny@gmail.com>
Fixes: 6699ec9a ("io_uring/zcrx: add a read limit to recvzc requests")
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
parent beb97995
+4 −0
@@ -1236,12 +1236,16 @@ io_zcrx_recv_skb(read_descriptor_t *desc, struct sk_buff *skb,

		end = start + frag_iter->len;
		if (offset < end) {
			size_t count;

			copy = end - offset;
			if (copy > len)
				copy = len;

			off = offset - start;
			count = desc->count;
			ret = io_zcrx_recv_skb(desc, frag_iter, off, copy);
			desc->count = count;
			if (ret < 0)
				goto out;
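
Review bot: the save/restore of desc->count around the recursive io_zcrx_recv_skb() call carries no comment, and without the commit message it reads as if the nested call's accounting is being discarded by mistake. A short comment above `count = desc->count;` stating that the outer invocation already accounts for frag list data, so the nested adjustment has to be undone, would keep a later cleanup from removing it. Because desc->count is restored to the same value after every frag_iter (and before the `if (ret < 0)` check), the nested calls no longer see each other's consumption; it is worth confirming that `copy`, clamped to `len` just above, is what bounds each nested call to the remaining limit.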