io_uring/net: harden multishot termination case for recv

From: Jens Axboe <axboe@xxxxxxxxx>

commit c314094cb4cfa6fc5a17f4881ead2dfebfa717a7 upstream.

If the recv returns zero, or an error, then it doesn't matter if more
data has already been received for this buffer. A condition like that
should terminate the multishot receive. Rather than pass in the
collected return value, pass in whether to terminate or keep the recv
going separately.

Note that this isn't a bug right now, as the only way to get there is
via setting MSG_WAITALL with multishot receive. And if an application
does that, then -EINVAL is returned anyway. But it seems like an easy
bug to introduce, so let's make it a bit more explicit.

Link: https://github.com/axboe/liburing/issues/1246
Cc: stable@xxxxxxxxxxxxxxx
Fixes: b3fdea6ecb55 ("io_uring: multishot recv")
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 io_uring/net.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -1116,6 +1116,7 @@ int io_recv(struct io_kiocb *req, unsign
 	int ret, min_ret = 0;
 	bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
 	size_t len = sr->len;
+	bool mshot_finished;
 
 	if (!(req->flags & REQ_F_POLLED) &&
 	    (sr->flags & IORING_RECVSEND_POLL_FIRST))
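
Review bot: `bool mshot_finished;` is declared without an initializer, and the only assignment in this patch is the one placed just before `if (ret > 0)` in the next hunk. Please confirm that every path reaching the `io_recv_finish()` call passes through that assignment. If a future `goto` could land between the two, initializing the flag to `true` at declaration would make the fallback terminate the multishot receive rather than read an indeterminate value.
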
@@ -1170,6 +1171,7 @@ out_free:
 		req_set_fail(req);
 	}
 
+	mshot_finished = ret <= 0;
 	if (ret > 0)
 		ret += sr->done_io;
 	else if (sr->done_io)
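
Review bot: The placement of `mshot_finished = ret <= 0;` is the whole point of the change, since the flag has to be taken from the raw recv result before `ret` is combined with `sr->done_io` in the branches below, but nothing in the code says so. A one-line comment above the assignment stating that the termination decision must be captured before earlier progress is folded into `ret` would keep a later cleanup from moving it or inlining `ret <= 0` back into the call.
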
@@ -1177,7 +1179,7 @@ out_free:
 	else
 		io_kbuf_recycle(req, issue_flags);
 
-	if (!io_recv_finish(req, &ret, kmsg, ret <= 0, issue_flags))
+	if (!io_recv_finish(req, &ret, kmsg, mshot_finished, issue_flags))
 		goto retry_multishot;
 
 	return ret;


Patches currently in stable-queue which might be from axboe@xxxxxxxxx are

queue-6.10/io_uring-fix-memory-leak-when-cache-init-fail.patch
queue-6.10/io_uring-net-harden-multishot-termination-case-for-recv.patch
queue-6.10/aoe-fix-the-potential-use-after-free-problem-in-more-places.patch
queue-6.10/block-fix-integer-overflow-in-blksecdiscard.patch
queue-6.10/loop-don-t-set-queue_flag_nomerges.patch
queue-6.10/blk_iocost-fix-more-out-of-bound-shifts.patch
