From: Qingyue Zhang Date: Wed, 27 Aug 2025 11:43:39 +0000 (+0800) Subject: io_uring/kbuf: fix signedness in this_len calculation X-Git-Tag: ceph-for-6.17-rc6~50^2~1 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=c64eff368ac676e8540344d27a3de47e0ad90d21;p=ceph-client.git io_uring/kbuf: fix signedness in this_len calculation When importing and using buffers, buf->len is considered unsigned. However, buf->len is converted to signed int when committing. This can lead to unexpected behavior if the buffer is large enough to be interpreted as a negative value. Make min_t calculation unsigned. Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption") Co-developed-by: Suoxing Zhang Signed-off-by: Suoxing Zhang Signed-off-by: Qingyue Zhang Link: https://lore.kernel.org/r/tencent_4DBB3674C0419BEC2C0C525949DA410CA307@qq.com Signed-off-by: Jens Axboe --- diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c index f2d2cc319faac..81a13338dfab3 100644 --- a/io_uring/kbuf.c +++ b/io_uring/kbuf.c @@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len) u32 this_len; buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask); - this_len = min_t(int, len, buf->len); + this_len = min_t(u32, len, buf->len); buf->len -= this_len; if (buf->len) { buf->addr += this_len;
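Review bot: on the changed `min_t(u32, len, buf->len)` line, `len` is still declared `int` in the `io_kbuf_inc_commit()` signature, so the comparison now depends on an implicit int-to-u32 conversion of the caller's value. A negative `len` would convert to a very large unsigned value, `this_len` would come out equal to `buf->len`, and the whole buffer would be treated as consumed. If callers only ever pass a non-negative length, state that in a comment above the function or change the parameter type to an unsigned one so the signature matches the arithmetic. The commit message explains the large `buf->len` case but does not say which values `len` can take, and a sentence on that would help anyone backporting the fix.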