[LTP] [PATCH v5 2/2] io_uring04: Add CVE-2026-43494 regression test

Martin Doucha mdoucha@suse.cz
Fri Jun 5 17:30:59 CEST 2026 

Hi,
one minor suggestion below, otherwise for both patches:

Reviewed-by: Martin Doucha <mdoucha@suse.cz>

On 6/4/26 18:38, Sebastian Chlad wrote:
> +	/*
> +	 * Each send pins page 0, faults on page 1 (PROT_NONE), and on a
> +	 * vulnerable kernel double-drops page 0's reference. EFAULT is the
> +	 * expected error; other errors do not count as successful steals.
> +	 */
> +	for (i = 0, efaults = 0; i < GUP_PIN_COUNTING_BIAS; i++) {

AFAICT, you need to get GUP_PIN_COUNTING_BIAS EFAULTs to successfully 
reproduce the main bug. It might be better to change the loop condition 
like this:

for (...; efaults < GUP_PIN_COUNTING_BISA && i < 10 * 
GUP_PIN_COUNTING_BIAS; ...) {

Then you'll have some extra margin for exhausting the pin counter even 
if you can't steal a pin in every iteration. Though I suppose triggering 
enough EFAULTs not a problem at the moment.

> +		/* rds_cmsg_zcopy() in net/rds/send.c */
> +		*(uint32_t *)CMSG_DATA(cmsg) = (uint32_t)i;
> +
> +		ret = sendmsg(rds_fd, &msg, MSG_ZEROCOPY | MSG_DONTWAIT);
> +		if (ret >= 0)
> +			tst_brk(TBROK, "sendmsg() unexpectedly succeeded at iter %d", i);
> +
> +		if (errno == EFAULT)
> +			efaults++;
> +		else if (!first_bad_errno)
> +			first_bad_errno = errno;
> +	}
> +
> +	if (first_bad_errno) {
> +		tst_res(TINFO, "sendmsg() returned unexpected errno %d (%s) on at least one iteration",
> +			first_bad_errno, tst_strerrno(first_bad_errno));
> +	}
> +
> +	tst_res(TINFO, "Completed %d/%d sendmsg() attempts with EFAULT",
> +		efaults, GUP_PIN_COUNTING_BIAS);
> +
> +	if (efaults == 0)
> +		tst_brk(TCONF, "sendmsg() never returned EFAULT - GUP pin path not exercised");
> +
> +	if (efaults < GUP_PIN_COUNTING_BIAS)
> +		tst_res(TWARN, "Only %d/%d sends returned EFAULT - FOLL_PIN counter may not be fully drained",
> +			efaults, GUP_PIN_COUNTING_BIAS);
> +}

-- 
Martin Doucha   mdoucha@suse.cz
SW Quality Engineer
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic

More information about the ltp mailing list