From: Jens Axboe <axboe@kernel.dk>
To: Tom Ryan <ryan36005@gmail.com>, io-uring@vger.kernel.org
Cc: gregkh@linuxfoundation.org, kbusch@kernel.org, csander@purestorage.com
Subject: Re: [PATCH liburing] test/sqe-mixed-boundary: validate physical SQE index for 128-byte ops
Date: Tue, 10 Mar 2026 07:01:14 -0600
Message-ID: <adc62a4e-6d68-4678-be0a-331d910405d5@kernel.dk>
In-Reply-To: <20260310052003.72871-2-ryan36005@gmail.com>

On 3/9/26 11:20 PM, Tom Ryan wrote:
> +/*
> + * Negative test: NOP128 at the last physical SQE slot via sq_array remap
> + * must be rejected. Without the kernel fix, this triggers a 64-byte OOB
> + * read in io_uring_cmd_sqe_copy().
> + */
> +static int test_oob_boundary(void)
> +{
> +	struct io_uring ring;
> +	struct io_uring_cqe *cqe;
> +	struct io_uring_sqe *sqe;
> +	unsigned mask;
> +	int ret, i, found;
> +
> +	ret = io_uring_queue_init(NENTRIES, &ring, IORING_SETUP_SQE_MIXED);
> +	if (ret) {
> +		if (ret == -EINVAL)
> +			return T_EXIT_SKIP;
> +		fprintf(stderr, "ring init: %d\n", ret);
> +		return T_EXIT_FAIL;
> +	}
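
Review bot: The precondition named in the comment ("via sq_array remap") is never checked after the `io_uring_queue_init(NENTRIES, &ring, IORING_SETUP_SQE_MIXED)` call, so if the ring ends up without an SQ array the negative test no longer exercises the physical-index path it documents. Suggest testing `ring.flags & IORING_SETUP_NO_SQARRAY` right after init and returning an explicit skip or failure with a message, so the test cannot pass or fail for an unrelated reason. The `-EINVAL` skip path would also benefit from a short message saying that SQE_MIXED is unsupported, since a silent skip of a regression test for an OOB read is easy to overlook in CI output.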

I don't think this will work, because this function requires the sqe
redirection array and liburing will wrap the above in SETUP_NO_SQARRAY.
Is this some llm written test case, or conversion of a raw use case? Did
you actually try and run the test case?

You can certainly make it work, you'd have to use
__io_uring_queue_init_params() to accomplish the setting up of the ring
without IORING_SETUP_NO_SQARRAY.

> +	found = 0;
> +	for (i = 0; i < 3; i++) {
> +		ret = io_uring_wait_cqe(&ring, &cqe);
> +		if (ret)
> +			break;
> +		if (cqe->user_data == 2) {
> +			if (cqe->res != -EINVAL) {
> +				fprintf(stderr,
> +					"NOP128 at last slot: expected -EINVAL, got %d\n",
> +					cqe->res);
> +				io_uring_cqe_seen(&ring, cqe);
> +				goto fail;
> +			}
> +			found = 1;
> +		}
> +		io_uring_cqe_seen(&ring, cqe);
> +	}
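
Review bot: The `if (ret) break;` after `io_uring_wait_cqe()` leaves the loop without printing the error or jumping to `fail`, so a wait failure is indistinguishable in the visible lines from a normal exit. Suggest reporting `ret` with `fprintf(stderr, ...)` and using `goto fail` there, and bounding the loop by the number of SQEs actually submitted rather than the literal `3`, so the expected completion count is tied to the submission count.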

This one puzzles me too - you submit 2 SQEs, yet you wait for 3. This
will just sit forever until killed by the test suite timeout.

-- 
Jens Axboe

Thread overview: 8+ messages
2026-03-09 21:20 io_uring: OOB read in SQE_MIXED mode via sq_array physical index bypass Tom Ryan
2026-03-09 21:29 ` Keith Busch
2026-03-09 21:45   ` Caleb Sander Mateos
2026-03-09 21:54     ` Keith Busch
2026-03-10  5:20       ` [PATCH v2] io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops Tom Ryan
2026-03-10  5:20         ` [PATCH liburing] test/sqe-mixed-boundary: validate physical SQE index for " Tom Ryan
2026-03-10 13:01           ` Jens Axboe [this message]
2026-03-10 14:44         ` [PATCH v2] io_uring: fix physical SQE bounds check for SQE_MIXED " Jens Axboe
