io_uring/kbuf: reject zero sized provided buffers

This isn't fixing a real issue, but there's also zero point in going through group and buffer setup, when the buffers are going to be rejected once attempted to get used. Cc: stable@vger.kernel.org Reported-by: syzbot+58928048fd1416f1457c@syzkaller.appspotmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Jens Axboe <axboe@kernel.dk> 2025-04-07 07:51:23 -0600
committer: Jens Axboe <axboe@kernel.dk> 2025-04-07 07:51:23 -0600
commit: cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc (patch)
tree: 72dc0009a183968b05f9d0749f8d15620e40b3de
parent: 5a17131a5dbd0ebca655bfb65fe3fe643ccc27f3 (diff)
download: linux-cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc.tar.gz
linux-cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc.tar.bz2
linux-cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index 098109259671..953d5e742569 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -504,6 +504,8 @@ int io_provide_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
 	p->nbufs = tmp;
 	p->addr = READ_ONCE(sqe->addr);
 	p->len = READ_ONCE(sqe->len);
+	if (!p->len)
+		return -EINVAL;
 
 	if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
 				&size))
author	Jens Axboe <axboe@kernel.dk>	2025-04-07 07:51:23 -0600
committer	Jens Axboe <axboe@kernel.dk>	2025-04-07 07:51:23 -0600
commit	cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc (patch)
tree	72dc0009a183968b05f9d0749f8d15620e40b3de
parent	5a17131a5dbd0ebca655bfb65fe3fe643ccc27f3 (diff)
download	linux-cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc.tar.gz linux-cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc.tar.bz2 linux-cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc.zip