io_uring/kbuf: fix signedness in this_len calculation

When importing and using buffers, buf->len is considered unsigned.
However, buf->len is converted to signed int when committing. This can
lead to unexpected behavior if the buffer is large enough to be
interpreted as a negative value. Make min_t calculation unsigned.

Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")
Co-developed-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Suoxing Zhang <aftern00n@qq.com>
Signed-off-by: Qingyue Zhang <chunzhennn@qq.com>
Link: https://lore.kernel.org/r/tencent_4DBB3674C0419BEC2C0C525949DA410CA307@qq.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index f2d2cc319faac5f5045d055c2bfff5999872dd1d..81a13338dfab3ee243552b0f009b37127e2d6d34 100644 (file)
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
                u32 this_len;
 
                buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask);
-               this_len = min_t(int, len, buf->len);
+               this_len = min_t(u32, len, buf->len);
                buf->len -= this_len;
                if (buf->len) {
                        buf->addr += this_len;