Re: [PATCH 1/2] io_uring/kbuf: fix signedness in this_len calculation

[Harshit Mogalapalli]

Hi,

I have a question regarding the Fixes tag for this.

On 27/08/25 17:13, Qingyue Zhang wrote:
> When importing and using buffers, buf->len is considered unsigned.
> However, buf->len is converted to signed int when committing. This
> can lead to unexpected behavior if buffer is large enough to be
> interpreted as a negative value. Make min_t calculation unsigned.
>
> Co-developed-by: Suoxing Zhang <aftern00n@xxxxxx>
> Signed-off-by: Suoxing Zhang <aftern00n@xxxxxx>
> Signed-off-by: Qingyue Zhang <chunzhennn@xxxxxx>


In the upstream merged commit:

commit c64eff368ac676e8540344d27a3de47e0ad90d21
Author: Qingyue Zhang <chunzhennn@xxxxxx>
Date:   Wed Aug 27 19:43:39 2025 +0800

    io_uring/kbuf: fix signedness in this_len calculation

    When importing and using buffers, buf->len is considered unsigned.
    However, buf->len is converted to signed int when committing. This can
    lead to unexpected behavior if the buffer is large enough to be
    interpreted as a negative value. Make min_t calculation unsigned.

    Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental 
buffer consumption")
    Co-developed-by: Suoxing Zhang <aftern00n@xxxxxx>
    Signed-off-by: Suoxing Zhang <aftern00n@xxxxxx>
    Signed-off-by: Qingyue Zhang <chunzhennn@xxxxxx>
    Link: 
https://lore.kernel.org/r/tencent_4DBB3674C0419BEC2C0C525949DA410CA307@xxxxxx
    Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>

diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index f2d2cc319faa..81a13338dfab 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list 
*bl, int len)
                u32 this_len;

                buf = io_ring_head_to_buf(bl->buf_ring, bl->head, 
bl->mask);
-               this_len = min_t(int, len, buf->len);
+               this_len = min_t(u32, len, buf->len);
                buf->len -= this_len;
                if (buf->len) {
                        buf->addr += this_len;


I see the Fixes tag documented is "Fixes: ae98dbf43d75 ("io_uring/kbuf: 
add support for incremental buffer consumption")"

I think a more accurate Fixes tag is "Fixes: cf9536e550dd 
("io_uring/kbuf: enable bundles for incrementally consumed buffers")" , 
Reason: Commit cf9536e550dd243a1681fdbf804221527da20a80 is the first to 
move incremental-buffer accounting into the new helper 
io_kbuf_inc_commit(), introducing this_len = min_t(int, len, buf->len);. 
The signed int here is exactly what 
c64eff368ac676e8540344d27a3de47e0ad90d21 corrects.

I am asking this so we can correct the vulnerable commit for 
CVE-2025-39822. Currently due to a different broken commit 6.12.y is 
marked as vulnerable [1]. If the above new Fixes tag is correct only 
kernels newer than 6.15 are affected.


[1] https://lore.kernel.org/all/2025091616-CVE-2025-39822-454e@gregkh/

Thanks,
Harshit

> ---
>   io_uring/kbuf.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
> index f2d2cc319faa..81a13338dfab 100644
> --- a/io_uring/kbuf.c
> +++ b/io_uring/kbuf.c
> @@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
>   		u32 this_len;
>   
>   		buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask);
> -		this_len = min_t(int, len, buf->len);
> +		this_len = min_t(u32, len, buf->len);
>   		buf->len -= this_len;
>   		if (buf->len) {
>   			buf->addr += this_len;