Linux Test Project
From: linuxtestproject.agent@gmail.com
To: Sebastian Chlad <sebastianchlad@gmail.com>
Cc: ltp@lists.linux.it
Subject: Re: [LTP] io_uring/pintheft: Add CVE-2026-43494 regression test
Date: Sat, 23 May 2026 18:07:54 +0000
Message-ID: <20260523180754.3853-1-linuxtestproject.agent@gmail.com>
In-Reply-To: <20260523165718.26187-1-sebastian.chlad@suse.com>

Hi Sebastian,

On Sat, 23 May 2026 18:57:18 +0200, Sebastian Chlad wrote:
> io_uring/pintheft: Add CVE-2026-43494 regression test

[...]

> +#ifndef HAVE_STRUCT_IO_URING_CLONE_BUFFERS
> +struct io_uring_clone_buffers {
> +       uint32_t src_fd;
> +       uint32_t flags;
> +       uint32_t pad[6];
> +};
> +#endif
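Review bot: the #ifndef HAVE_STRUCT_IO_URING_CLONE_BUFFERS guard only works if that macro is produced by a configure check for the struct (the usual LTP route is an AC_CHECK_TYPES entry in configure.ac against <linux/io_uring.h>); no such change is in the quoted context, so confirm it is part of this patch, otherwise the fallback is compiled unconditionally and clashes with the kernel's definition on systems whose uapi headers already provide struct io_uring_clone_buffers.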

The fallback struct doesn't match the upstream kernel definition
(include/uapi/linux/io_uring.h).  The kernel has:

  struct io_uring_clone_buffers {
          __u32   src_fd;
          __u32   flags;
          __u32   src_off;
          __u32   dst_off;
          __u32   nr;
          __u32   pad[3];
  };

Total size is the same (8 × u32 = 32 bytes), so the test happens to
work correctly because you zero the whole struct and only set src_fd.
But the lapi header is wrong: future users who try to set src_off,
dst_off, or nr will write into pad[] instead of the real fields.  Fix
the fallback to match the kernel layout.

[...]

> +	for (i = 0, efaults = 0; i < GUP_PIN_COUNTING_BIAS; i++) {
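Review bot: GUP_PIN_COUNTING_BIAS is a kernel-internal constant from include/linux/mm.h (1U << 10 upstream) and is not exported through the uapi headers, so the test needs its own definition of it; add a short comment next to that definition explaining why exactly this many iterations are needed, since the value's meaning is otherwise only discoverable from the kernel source.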

[...]

> +		ret = sendmsg(rds_fd, &msg, MSG_ZEROCOPY | MSG_DONTWAIT);
> +		if (ret >= 0)
> +			tst_brk(TBROK, "sendmsg() unexpectedly succeeded at iter %d", i);
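Review bot: the ret >= 0 case is handled, but the error path that feeds the efaults counter initialised at the loop head is outside the quoted context; it should test errno == EFAULT explicitly rather than counting any failure, because MSG_DONTWAIT can legitimately return EAGAIN when the RDS send queue is full, and a throttled send would then be indistinguishable from the faulting one the test is looking for.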

The RDS socket is opened with SOCK_CLOEXEC but no O_CLOEXEC is set
on the io_uring ring fds (ring_fd1, ring_fd2).  Both rings are
therefore inherited by the fork()ed child.  trigger() -> cleanup()
unregisters buffers from the *shared* io_uring instances before the
child exits, so the parent's cleanup() hits IORING_UNREGISTER_BUFFERS
on already-unregistered rings.  The return value of io_uring_register()
in cleanup() is silently ignored, so this doesn't crash, but it means
the "double-unpin WARN/BUG_ON" can fire in the child's cleanup pass
before the parent even gets to check taint.  Consider opening the ring
fds with O_CLOEXEC so the child only operates on the rds socket, or
document the intentional sharing explicitly.

[...]

Summary: the struct io_uring_clone_buffers fallback definition must be
corrected to match the kernel layout before merging.

---
Note:

Our agent completed the review of the patch. The agent can sometimes
produce false positives, although often its findings are genuine. If you
find issues with the review, please comment on this email or ignore the
suggestions.

Regards,
LTP AI Reviewer

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp
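As an added illustration of the layout mismatch discussed in the review above (this is not code from the patch, the reviewer or LTP), the C snippet below places the v4 fallback struct next to the kernel layout: both are 32 bytes, so the test's zero-then-set-src_fd usage is harmless, but a caller of the fallback header who needs nr has no field for it and ends up writing pad[2]. The fd number 3 and the value 4 are constructed sample values.

```c
#include <stdint.h>
#include <string.h>

/* Fallback as posted in the v4 patch: src_off, dst_off and nr are missing. */
struct clone_buffers_v4_fallback {
	uint32_t src_fd;
	uint32_t flags;
	uint32_t pad[6];
};

/* Layout of struct io_uring_clone_buffers in include/uapi/linux/io_uring.h. */
struct clone_buffers_kernel {
	uint32_t src_fd;
	uint32_t flags;
	uint32_t src_off;
	uint32_t dst_off;
	uint32_t nr;
	uint32_t pad[3];
};

/* Both are 8 x u32 = 32 bytes, so zero-then-set-src_fd works with either. */
_Static_assert(sizeof(struct clone_buffers_v4_fallback) ==
	       sizeof(struct clone_buffers_kernel), "size mismatch");

/* Reinterpret the fallback bytes the way the kernel does; return its nr. */
uint32_t nr_as_seen_by_kernel(const struct clone_buffers_v4_fallback *fb)
{
	struct clone_buffers_kernel k;
	memcpy(&k, fb, sizeof(k));
	return k.nr;
}

/* The v4 test's usage: zero everything, set src_fd only -> kernel sees nr = 0. */
uint32_t nr_when_only_src_fd_set(void)
{
	struct clone_buffers_v4_fallback fb;
	memset(&fb, 0, sizeof(fb));
	fb.src_fd = 3;	/* constructed sample fd number */
	return nr_as_seen_by_kernel(&fb);
}

/* A future caller wanting nr = 4 has no field for it and must poke pad[2]. */
uint32_t nr_via_pad_index(void)
{
	struct clone_buffers_v4_fallback fb;
	memset(&fb, 0, sizeof(fb));
	fb.pad[2] = 4;	/* byte offset 16 aliases the kernel's nr field */
	return nr_as_seen_by_kernel(&fb);
}
```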

Thread overview: 25+ messages
2026-05-23 10:17 [LTP] [PATCH] io_uring/pintheft: Add CVE-2026-43494 regression test Sebastian Chlad
2026-05-23 11:19 ` [LTP] " linuxtestproject.agent
2026-05-25  9:36   ` Cyril Hrubis
2026-05-29 10:18     ` Andrea Cervesato via ltp
2026-05-29 11:56       ` Cyril Hrubis
2026-05-23 11:39 ` [LTP] [PATCH v2] " Sebastian Chlad
2026-05-23 13:30   ` [LTP] " linuxtestproject.agent
2026-05-23 15:10 ` [LTP] [PATCH v3] " Sebastian Chlad
2026-05-23 16:17   ` [LTP] " linuxtestproject.agent
2026-05-23 16:57 ` [LTP] [PATCH v4] " Sebastian Chlad
2026-05-23 18:07   ` linuxtestproject.agent [this message]
2026-05-24 18:16   ` Petr Vorel
2026-05-28 16:45     ` Martin Doucha
2026-05-28 21:31       ` Petr Vorel
2026-05-28 16:36   ` Martin Doucha
2026-06-04 16:38     ` [LTP] [PATCH v5 1/2] lapi: Add io_uring_clone_buffers and RDS_CMSG_ZCOPY_COOKIE fallbacks Sebastian Chlad
2026-06-04 16:38       ` [LTP] [PATCH v5 2/2] io_uring04: Add CVE-2026-43494 regression test Sebastian Chlad
2026-06-05 15:30         ` Martin Doucha
2026-06-10 14:52         ` Cyril Hrubis
2026-06-10 19:34           ` [LTP] [PATCH v6 1/2] lapi: Add io_uring_clone_buffers and RDS_CMSG_ZCOPY_COOKIE fallbacks Sebastian Chlad
2026-06-10 19:35             ` [LTP] [PATCH v6 2/2] io_uring04: Add CVE-2026-43494 regression test Sebastian Chlad
2026-06-10 19:44             ` [LTP] lapi: Add io_uring_clone_buffers and RDS_CMSG_ZCOPY_COOKIE fallbacks linuxtestproject.agent
2026-06-11 13:13             ` [LTP] [PATCH v6 1/2] " Cyril Hrubis
2026-06-04 18:00       ` [LTP] " linuxtestproject.agent
2026-06-10 14:30       ` [LTP] [PATCH v5 1/2] " Cyril Hrubis