io_uring/net: always use current transfer count for buffer put

A previous fix corrected the retry condition for when to continue a
current bundle, but it missed that the current (not the total) transfer
count also applies to the buffer put. If not, then for incrementally
consumed buffer rings repeated completions on the same request may end
up over consuming.

Reported-by: Roy Tang (ErgoniaTrading) <royonia@ergonia.io>
Cc: stable@vger.kernel.org
Fixes: 3a08988123c8 ("io_uring/net: only retry recv bundle for a full transfer")
Link: https://github.com/axboe/liburing/issues/1423
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/net.c b/io_uring/net.c
index e16633f..9550d4c 100644 (file)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -821,7 +821,7 @@ static inline bool io_recv_finish(struct io_kiocb *req, int *ret,
        if (sr->flags & IORING_RECVSEND_BUNDLE) {
                size_t this_ret = *ret - sr->done_io;
 
-               cflags |= io_put_kbufs(req, *ret, io_bundle_nbufs(kmsg, this_ret),
+               cflags |= io_put_kbufs(req, this_ret, io_bundle_nbufs(kmsg, this_ret),
                                      issue_flags);
                if (sr->retry)
                        cflags = req->cqe.flags | (cflags & CQE_F_MASK);