fbd77ce1d1
commit 72bd80252feeb3bef8724230ee15d9f7ab541c6e upstream.
If we use IORING_OP_RECV with provided buffers and pass in '0' as the
length of the request, the length is retrieved from the selected buffer.
If MSG_WAITALL is also set and we get a short receive, then we may hit
the retry path which decrements sr->len and increments the buffer for
a retry. However, the length is still zero at this point, which means
that sr->len now becomes huge and import_ubuf() will cap it to
MAX_RW_COUNT and subsequently return -EFAULT for the range as a whole.
Fix this by always assigning sr->len once the buffer has been selected.
Cc: stable@vger.kernel.org
Fixes:
|
||
|---|---|---|
| .. | ||
| Makefile | ||
| advise.c | ||
| advise.h | ||
| alloc_cache.h | ||
| cancel.c | ||
| cancel.h | ||
| epoll.c | ||
| epoll.h | ||
| fdinfo.c | ||
| fdinfo.h | ||
| filetable.c | ||
| filetable.h | ||
| fs.c | ||
| fs.h | ||
| io-wq.c | ||
| io-wq.h | ||
| io_uring.c | ||
| io_uring.h | ||
| kbuf.c | ||
| kbuf.h | ||
| msg_ring.c | ||
| msg_ring.h | ||
| net.c | ||
| net.h | ||
| nop.c | ||
| nop.h | ||
| notif.c | ||
| notif.h | ||
| opdef.c | ||
| opdef.h | ||
| openclose.c | ||
| openclose.h | ||
| poll.c | ||
| poll.h | ||
| refs.h | ||
| rsrc.c | ||
| rsrc.h | ||
| rw.c | ||
| rw.h | ||
| slist.h | ||
| splice.c | ||
| splice.h | ||
| sqpoll.c | ||
| sqpoll.h | ||
| statx.c | ||
| statx.h | ||
| sync.c | ||
| sync.h | ||
| tctx.c | ||
| tctx.h | ||
| timeout.c | ||
| timeout.h | ||
| uring_cmd.c | ||
| uring_cmd.h | ||
| xattr.c | ||
| xattr.h | ||