Commit 3ecd3e03144b for kernel

commit 3ecd3e03144b38a21a3b70254f1b9d2e16629b09
Author: Jens Axboe <axboe@kernel.dk>
Date:   Thu Mar 19 14:29:09 2026 -0600

    io_uring/kbuf: fix missing BUF_MORE for incremental buffers at EOF

    For a zero length transfer, io_kbuf_inc_commit() is called with !len.
    Since we never enter the while loop to consume the buffers,
    io_kbuf_inc_commit() ends up returning true, consuming the buffer. But
    if no data was consumed, by definition it cannot have consumed the
    buffer. Return false for that case.

    Reported-by: Martin Michaelis <code@mgjm.de>
    Cc: stable@vger.kernel.org
    Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption")
    Link: https://github.com/axboe/liburing/issues/1553
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c
index e7f444953dfb..a4cb6752b7aa 100644
--- a/io_uring/kbuf.c
+++ b/io_uring/kbuf.c
@@ -34,6 +34,10 @@ struct io_provide_buf {

 static bool io_kbuf_inc_commit(struct io_buffer_list *bl, int len)
 {
+	/* No data consumed, return false early to avoid consuming the buffer */
+	if (!len)
+		return false;
+
 	while (len) {
 		struct io_uring_buf *buf;
 		u32 buf_len, this_len;