From: linuxtestproject.agent@gmail.com
To: Sebastian Chlad <sebastianchlad@gmail.com>
Cc: ltp@lists.linux.it
Subject: Re: [LTP] io_uring/pintheft: Add CVE-2026-43494 regression test
Date: Sat, 23 May 2026 11:19:48 +0000
Message-ID: <20260523111948.4053-1-linuxtestproject.agent@gmail.com>
In-Reply-To: <20260523101749.27657-1-sebastian.chlad@suse.com>

Hi Sebastian,

On Sat, 23 May 2026, Sebastian Chlad wrote:
> io_uring/pintheft: Add CVE-2026-43494 regression test

The commit author address (sebastianchlad@gmail.com) does not match the
Signed-off-by address (sebastian.chlad@suse.com). Either add a .mailmap
entry or re-send with a consistent identity.

> diff --git a/include/lapi/io_uring.h b/include/lapi/io_uring.h
> [...]
> +#ifndef IORING_REGISTER_CLONE_BUFFERS
> +# define IORING_REGISTER_CLONE_BUFFERS 30
> +#endif
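
Review bot: the fallback on the `+# define IORING_REGISTER_CLONE_BUFFERS 30` line hard-codes the opcode with no comment saying which kernel header or release the value 30 comes from, so a later reader cannot check it against the UAPI. Add a one-line comment naming the source. Also note that `#ifndef` only sees preprocessor macros: if the system header provides this name as an enum constant rather than a macro, the guard is always true and the define shadows it, which is only harmless while the two values agree.
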
Use `#define` without the extra space after `#`. All other fallback
defines in this file use `#define`, not `# define`.

> diff --git a/runtest/cve b/runtest/cve
> [...]
> +cve-2026-43494 pintheft
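
Review bot: the command on the `+cve-2026-43494 pintheft` line is named after the exploit rather than the subsystem, unlike the `xfrm01` and `xfrm02` entries shown later in this message. Consider a subsystem-plus-number binary name so the entry reads like its neighbours, and keep the CVE id as the tag.
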
Wrong placement. The new entry lands between `cve-2022-2590` and
`cve-2022-23222`, in the middle of the 2022 block.

The pintheft test can crash, taint, or panic a vulnerable kernel
("Vulnerable kernels may crash, taint, panic, or hang during sendmsg()
or subsequent cleanup."). It belongs in the section below the
"Tests below may cause kernel memory leak" comment, in CVE-number order:

```
cve-2026-43284 xfrm01
+cve-2026-43494 pintheft
cve-2026-46300 xfrm02
```
[...]

The test logic itself looks correct: the child triggers the double-drop
via the IORING_UNREGISTER_BUFFERS path, the parent monitors for taint
across the RSS accounting sweep and the 30-second async cleanup window,
and all resources are properly guarded in cleanup(). Kernel version
checks (io_uring ≥ 5.1, RDS/TCP TCONF handling, io_uring_disabled
save/restore) are in order. Based on kernel 7.1 as the current stable
reference, no staging flag is required.

---
Note:
Our agent completed the review of the patch. The full review can be
found at: (REVIEW_URL not set)
The agent can sometimes produce false positives, although often its
findings are genuine. If you find issues with the review, please
comment on this email or ignore the suggestions.

Regards,
LTP AI Reviewer
--
Mailing list info: https://lists.linux.it/listinfo/ltp