From: liyouhong Date: Thu, 28 May 2026 02:49:36 +0000 (+0800) Subject: io_uring/kbuf: align legacy buffer add limit with MAX_BIDS_PER_BGID X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ca55f98d6ff1ecb31a07b668a8d105b4e0829c6a;p=thirdparty%2Flinux.git io_uring/kbuf: align legacy buffer add limit with MAX_BIDS_PER_BGID io_provide_buffers_prep() accepts nbufs up to MAX_BIDS_PER_BGID, but io_add_buffers() stops when bl->nbufs reaches USHRT_MAX. This makes the effective add limit one lower than the validated limit. Use MAX_BIDS_PER_BGID in the add-side boundary check so validation and execution use the same limit, and update the comment to refer to the actual limit constant. Signed-off-by: liyouhong Link: https://patch.msgid.link/20260528024936.3672659-1-dayou5941@163.com Signed-off-by: Jens Axboe --- diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c index dd54e43e9ddf4..7a1c65f631c2b 100644 --- a/io_uring/kbuf.c +++ b/io_uring/kbuf.c @@ -541,11 +541,11 @@ static int io_add_buffers(struct io_ring_ctx *ctx, struct io_provide_buf *pbuf, for (i = 0; i < pbuf->nbufs; i++) { /* - * Nonsensical to have more than sizeof(bid) buffers in a + * Nonsensical to have more than MAX_BIDS_PER_BGID buffers in a * buffer list, as the application then has no way of knowing * which duplicate bid refers to what buffer. */ - if (bl->nbufs == USHRT_MAX) { + if (bl->nbufs == MAX_BIDS_PER_BGID) { ret = -EOVERFLOW; break; }
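
Review bot: In the changed check "if (bl->nbufs == MAX_BIDS_PER_BGID)" in io_add_buffers(), the new bound is, per the commit message, one higher than USHRT_MAX, so the guard only works if bl->nbufs is wider than 16 bits. Its declaration is not in this hunk, so please confirm the type and say so in the commit message; with a 16-bit counter the comparison could never be true and the -EOVERFLOW path would be dead. Because this equality test is the only stop on list growth visible in the loop, consider ">=" instead of "==" so the limit still holds if nbufs ever passes the bound by another path.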