[LTP] io_uring/pintheft: Add CVE-2026-43494 regression test

Sat May 23 13:19:48 CEST 2026

Hi Sebastian,

On Sat, 23 May 2026, Sebastian Chlad wrote:
> io_uring/pintheft: Add CVE-2026-43494 regression test

The commit author address (sebastianchlad@gmail.com) does not match the
Signed-off-by address (sebastian.chlad@suse.com).  Either add a .mailmap
entry or re-send with a consistent identity.

> diff --git a/include/lapi/io_uring.h b/include/lapi/io_uring.h
> [...]
> +#ifndef IORING_REGISTER_CLONE_BUFFERS
> +# define IORING_REGISTER_CLONE_BUFFERS 30
> +#endif

Use `#define` without the extra space after `#`.  All other fallback
defines in this file use `#define`, not `# define`.

> diff --git a/runtest/cve b/runtest/cve
> [...]
> +cve-2026-43494 pintheft

Wrong placement.  The new entry lands between `cve-2022-2590` and
`cve-2022-23222`, in the middle of the 2022 block.

The pintheft test can crash, taint, or panic a vulnerable kernel
("Vulnerable kernels may crash, taint, panic, or hang during sendmsg()
or subsequent cleanup.").  It belongs in the section below the
"Tests below may cause kernel memory leak" comment, in CVE-number order:

```
 cve-2026-43284 xfrm01
+cve-2026-43494 pintheft
 cve-2026-46300 xfrm02
```

[...]

The test logic itself looks correct: the child triggers the double-drop
via the IORING_UNREGISTER_BUFFERS path, the parent monitors for taint
across the RSS accounting sweep and the 30-second async cleanup window,
and all resources are properly guarded in cleanup().  Kernel version
checks (io_uring ≥ 5.1, RDS/TCP TCONF handling, io_uring_disabled
save/restore) are in order.  Based on kernel 7.1 as the current stable
reference, no staging flag is required.

---
Note:

Our agent completed the review of the patch. The full review can be
found at: (REVIEW_URL not set)

The agent can sometimes produce false positives although often its
findings are genuine. If you find issues with the review, please
comment this email or ignore the suggestions.

Regards,
LTP AI Reviewer