[LTP] io_uring/pintheft: Add CVE-2026-43494 regression test

linuxtestproject.agent@gmail.com linuxtestproject.agent@gmail.com
Sat May 23 15:30:57 CEST 2026 

Hi Sebastian,

On Sat, May 23, 2026, Sebastian Chlad wrote:
> io_uring/pintheft: Add CVE-2026-43494 regression test

[...]

> +/* io_uring IORING_REGISTER_CLONE_BUFFERS argument. */
> +struct clone_buffers_arg {
> +	uint32_t src_fd;
> +	uint32_t flags;
> +	uint32_t pad[6];
> +};

This struct is a kernel API type and belongs in `include/lapi/io_uring.h`
alongside `IORING_REGISTER_CLONE_BUFFERS`, following the existing pattern
of `struct io_uring_files_update` living next to `IORING_REGISTER_FILES_UPDATE`.

> +#ifndef IORING_REGISTER_CLONE_BUFFERS
> +#define IORING_REGISTER_CLONE_BUFFERS  30
> +#endif

The value 30 needs a cross-reference to the upstream kernel uapi header
(`include/uapi/linux/io_uring.h`) in a comment or at least a verification
note. The lapi file has no other numbered register opcodes above 10, so
there is nothing here to corroborate the value. Please confirm against the
kernel source — the latest stable (7.1) has this defined; a quick grep of
`linux/io_uring.h` is enough.

> +	if (io_uring_register(ring_fd1, IORING_REGISTER_BUFFERS, &fixed_iov, 1)) {
> +		if (errno == ENOMEM)
> +			tst_brk(TCONF, "Not enough memory to register io_uring buffer");

ENOMEM is a resource exhaustion error, not a configuration or feature
availability issue. Use `TBROK | TERRNO` here (or simply drop the special
case and let the fallthrough handle it), not `TCONF`.

[...]

> +#define CLEANUP_WAIT_SECS	30

The test unconditionally sleeps 30 s on every non-vulnerable pass. No
`.timeout` is set; the default 300 s window is large enough, but a
`.timeout = 60` (or similar) would make the intent explicit and prevent
runtest timeouts if setup overhead is higher than expected.

---
Note:

Our agent completed the review of the patch. The full review can be
found at: https://github.com/linux-test-project/ltp/pull/1726

The agent can sometimes produce false positives although often its
findings are genuine. If you find issues with the review, please
comment this email or ignore the suggestions.

Regards,
LTP AI Reviewer

More information about the ltp mailing list