6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 13 Feb 2024 13:20:17 +0000 (14:20 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 13 Feb 2024 13:20:17 +0000 (14:20 +0100)
added patches:
io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch

queue-6.1/io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch b/queue-6.1/io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch
new file mode 100644 (file)
index 0000000..f8800d8
--- /dev/null
@@ -0,0 +1,37 @@
+From 72bd80252feeb3bef8724230ee15d9f7ab541c6e Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 1 Feb 2024 06:42:36 -0700
+Subject: io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 72bd80252feeb3bef8724230ee15d9f7ab541c6e upstream.
+
+If we use IORING_OP_RECV with provided buffers and pass in '0' as the
+length of the request, the length is retrieved from the selected buffer.
+If MSG_WAITALL is also set and we get a short receive, then we may hit
+the retry path which decrements sr->len and increments the buffer for
+a retry. However, the length is still zero at this point, which means
+that sr->len now becomes huge and import_ubuf() will cap it to
+MAX_RW_COUNT and subsequently return -EFAULT for the range as a whole.
+
+Fix this by always assigning sr->len once the buffer has been selected.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ba89d2af17a ("io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -875,6 +875,7 @@ retry_multishot:
+               if (!buf)
+                       return -ENOBUFS;
+               sr->buf = buf;
++              sr->len = len;
+       }
+       ret = import_single_range(ITER_DEST, sr->buf, len, &iov, &msg.msg_iter);
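Review bot: The added `sr->len = len;` in the buffer-select branch has no comment, and its purpose cannot be read from the surrounding lines: per the commit message, a request may pass 0 as its length and take the real length from the selected buffer, and the MSG_WAITALL retry path later subtracts from `sr->len`. I would add `/* request len may be 0 with provided buffers; store the selected length so the MSG_WAITALL retry arithmetic cannot wrap sr->len */` above the assignment. The description names import_ubuf() as the call that caps the wrapped length, while the 6.1 context line here calls import_single_range(), so a one-line backport note under the upstream commit line would help anyone matching the text to this tree. The retry path and the rest of the function lie outside the hunk, so whether the subtraction itself is bounded cannot be checked from here.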
index f4b0c85814d5ec9920cf7f7ef1cdd5464ec15951..50619e2624a90c3bf30249e2ed1b41f75e44e979 100644 (file)
@@ -55,3 +55,4 @@ xhci-handle-isoc-babble-and-buffer-overrun-events-properly.patch
 hrtimer-report-offline-hrtimer-enqueue.patch
 input-i8042-fix-strange-behavior-of-touchpad-on-clevo-ns70pu.patch
 input-atkbd-skip-atkbd_cmd_setleds-when-skipping-atkbd_cmd_getid.patch
+io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch