io_uring/kbuf: align legacy buffer add limit with MAX_BIDS_PER_BGID

io_provide_buffers_prep() accepts nbufs up to MAX_BIDS_PER_BGID, but
io_add_buffers() stops when bl->nbufs reaches USHRT_MAX. This makes the
effective add limit one lower than the validated limit.

Use MAX_BIDS_PER_BGID in the add-side boundary check so validation and
execution use the same limit, and update the comment to refer to the
actual limit constant.

Signed-off-by: liyouhong <liyouhong@kylinos.cn>
Link: https://patch.msgid.link/20260528024936.3672659-1-dayou5941@163.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index dd54e43e9ddf4cd4d464cc83ff10d9d0ea55d7a5..7a1c65f631c2b01d4b4213e3d1e442e03edb08c0 100644 (file)
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -541,11 +541,11 @@ static int io_add_buffers(struct io_ring_ctx *ctx, struct io_provide_buf *pbuf,
 
        for (i = 0; i < pbuf->nbufs; i++) {
                /*
-                * Nonsensical to have more than sizeof(bid) buffers in a
+                * Nonsensical to have more than MAX_BIDS_PER_BGID buffers in a
                 * buffer list, as the application then has no way of knowing
                 * which duplicate bid refers to what buffer.
                 */
-               if (bl->nbufs == USHRT_MAX) {
+               if (bl->nbufs == MAX_BIDS_PER_BGID) {
                        ret = -EOVERFLOW;
                        break;
                }