Commit 3ecd3e03 authored Mar 19, 2026 by Jens Axboe

io_uring/kbuf: fix missing BUF_MORE for incremental buffers at EOF



For a zero length transfer, io_kbuf_inc_commit() is called with !len.
Since we never enter the while loop to consume the buffers,
io_kbuf_inc_commit() ends up returning true, consuming the buffer. But
if no data was consumed, by definition it cannot have consumed the
buffer. Return false for that case.

Reported-by: Martin Michaelis <code@mgjm.de>
Cc: stable@vger.kernel.org
Fixes: ae98dbf4 ("io_uring/kbuf: add support for incremental buffer consumption")
Link: https://github.com/axboe/liburing/issues/1553


Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent a68ed2df

io_uring/kbuf.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -34,6 +34,10 @@ struct io_provide_buf {

		static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
		{
		/* No data consumed, return false early to avoid consuming the buffer */
		if (!len)
		return false;

		while (len) {
		struct io_uring_buf *buf;
		u32 buf_len, this_len;