io_uring/kbuf: fix signedness in this_len calculation

[ Upstream commit c64eff368ac676e8540344d27a3de47e0ad90d21 ] When importing and using buffers, buf->len is considered unsigned. However, buf->len is converted to signed int when committing. This can lead to unexpected behavior if the buffer is large enough to be interpreted as a negative value. Make min_t calculation unsigned. Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption") Co-developed-by: Suoxing Zhang <aftern00n@qq.com> Signed-off-by: Suoxing Zhang <aftern00n@qq.com> Signed-off-by: Qingyue Zhang <chunzhennn@qq.com> Link: https://lore.kernel.org/r/tencent_4DBB3674C0419BEC2C0C525949DA410CA307@qq.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Qingyue Zhang <chunzhennn@qq.com> 2025-08-27 19:43:39 +0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-09-04 16:55:42 +0200
commit: f4f411c068402c370c4f9a9d4950a97af97bbbb1 (patch)
tree: d27715119c7f8976d6d5f628b9465c9a7acac9fc
parent: 1505c0e01ce13afd9128e21dfd43ab92e39c4126 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index f2d2cc319faa..81a13338dfab 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -39,7 +39,7 @@ static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
 		u32 this_len;
 
 		buf = io_ring_head_to_buf(bl->buf_ring, bl->head, bl->mask);
-		this_len = min_t(int, len, buf->len);
+		this_len = min_t(u32, len, buf->len);
 		buf->len -= this_len;
 		if (buf->len) {
 			buf->addr += this_len;
author	Qingyue Zhang <chunzhennn@qq.com>	2025-08-27 19:43:39 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-09-04 16:55:42 +0200
commit	f4f411c068402c370c4f9a9d4950a97af97bbbb1 (patch)
tree	d27715119c7f8976d6d5f628b9465c9a7acac9fc
parent	1505c0e01ce13afd9128e21dfd43ab92e39c4126 (diff)