[LTP] io_uring/pintheft: Add CVE-2026-43494 regression test

linuxtestproject.agent@gmail.com
Sat May 23 20:07:54 CEST 2026


Hi Sebastian,

On Sat, 23 May 2026 18:57:18 +0200, Sebastian Chlad wrote:
> io_uring/pintheft: Add CVE-2026-43494 regression test

[...]

> +#ifndef HAVE_STRUCT_IO_URING_CLONE_BUFFERS
> +struct io_uring_clone_buffers {
> +       uint32_t src_fd;
> +       uint32_t flags;
> +       uint32_t pad[6];
> +};
> +#endif
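Review bot: the guarded fallback declares only src_fd, flags and pad[6], so a build without HAVE_STRUCT_IO_URING_CLONE_BUFFERS gets a struct whose bytes 8..19 are anonymous padding instead of src_off, dst_off and nr. Align the fallback with the uapi layout and, because the total size stays 32 bytes either way and will not expose the mistake, add a compile-time check on the field offsets (for example a static assert that offsetof(struct io_uring_clone_buffers, nr) == 16) so a drift is caught at build time rather than by whichever field the kernel happens to read.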

The fallback struct doesn't match the upstream kernel definition
(include/uapi/linux/io_uring.h).  The kernel has:

  struct io_uring_clone_buffers {
          __u32   src_fd;
          __u32   flags;
          __u32   src_off;
          __u32   dst_off;
          __u32   nr;
          __u32   pad[3];
  };

Total size is the same (8 × u32 = 32 bytes), so the test happens to
work correctly because you zero the whole struct and only set src_fd.
But the lapi header is wrong: future users who try to set src_off,
dst_off, or nr will write into pad[] instead of the real fields.  Fix
the fallback to match the kernel layout.

[...]

> +	for (i = 0, efaults = 0; i < GUP_PIN_COUNTING_BIAS; i++) {
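Review bot: GUP_PIN_COUNTING_BIAS is a kernel-internal constant from include/linux/mm.h, not part of the uapi, so the test has to carry its own definition; give that define a comment naming the kernel version the value was taken from, since the loop bound decides how many pins the test attempts and a silent change of the kernel-side value would leave the test exercising a different count without anyone noticing.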

[...]

> +		ret = sendmsg(rds_fd, &msg, MSG_ZEROCOPY | MSG_DONTWAIT);
> +		if (ret >= 0)
> +			tst_brk(TBROK, "sendmsg() unexpectedly succeeded at iter %d", i);
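Review bot: only the ret >= 0 branch is shown here, but the loop keeps an efaults counter, so the error path must treat errno == EFAULT as the expected result and everything else (EAGAIN from MSG_DONTWAIT on a full socket, or EINVAL/EOPNOTSUPP if MSG_ZEROCOPY is rejected for this socket) as TBROK or TCONF instead of folding it into the count; otherwise the test can pass or fail for reasons unrelated to the pin accounting it is meant to exercise.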

The RDS socket is opened with SOCK_CLOEXEC but no O_CLOEXEC is set
on the io_uring ring fds (ring_fd1, ring_fd2).  Both rings are
therefore inherited by the fork()ed child.  trigger() -> cleanup()
unregisters buffers from the *shared* io_uring instances before the
child exits, so the parent's cleanup() hits IORING_UNREGISTER_BUFFERS
on already-unregistered rings.  The return value of io_uring_register()
in cleanup() is silently ignored, so this doesn't crash, but it means
the "double-unpin WARN/BUG_ON" can fire in the child's cleanup pass
before the parent even gets to check taint.  Consider opening the ring
fds with O_CLOEXEC so the child only operates on the rds socket, or
document the intentional sharing explicitly.

[...]

Summary: the struct io_uring_clone_buffers fallback definition must be
corrected to match the kernel layout before merging.

---
Note:

Our agent completed the review of the patch. The agent can sometimes
produce false positives, although often its findings are genuine. If you
find issues with the review, please comment on this email or ignore the
suggestions.

Regards,
LTP AI Reviewer
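The layout problem discussed above, as an added example that is not code from the patch, from LTP, or from the kernel tree: the uapi layout of struct io_uring_clone_buffers quoted in the review is declared next to the patch's fallback (renamed io_uring_clone_buffers_patch here, an illustration name), compile-time offset checks guard the real layout, and two small helpers (fallback_pad_slot_for and nr_seen_when_pad_set, both hypothetical) show which pad[] slot a write to src_off, dst_off or nr aliases when the wrong fallback is used against a kernel that reads the real fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not part of the patch or of LTP. uint32_t stands in for
 * the kernel's __u32; the layout follows include/uapi/linux/io_uring.h
 * as quoted in the review.
 */
struct io_uring_clone_buffers {
	uint32_t src_fd;
	uint32_t flags;
	uint32_t src_off;
	uint32_t dst_off;
	uint32_t nr;
	uint32_t pad[3];
};

/* The fallback as posted in the patch, kept only to show the mismatch. */
struct io_uring_clone_buffers_patch {
	uint32_t src_fd;
	uint32_t flags;
	uint32_t pad[6];
};

/* Fail the build if the real layout ever drifts from what we expect. */
_Static_assert(sizeof(struct io_uring_clone_buffers) == 32,
	       "io_uring_clone_buffers must be 8 * u32");
_Static_assert(offsetof(struct io_uring_clone_buffers, src_off) == 8,
	       "src_off offset");
_Static_assert(offsetof(struct io_uring_clone_buffers, dst_off) == 12,
	       "dst_off offset");
_Static_assert(offsetof(struct io_uring_clone_buffers, nr) == 16,
	       "nr offset");
_Static_assert(offsetof(struct io_uring_clone_buffers, pad) == 20,
	       "pad offset");

/*
 * Decode the 32 bytes a caller built with the patch's fallback using the
 * real layout and return the field that starts at field_off: this is what
 * the kernel would read for that field.
 */
static uint32_t kernel_sees(const struct io_uring_clone_buffers_patch *p,
			    size_t field_off)
{
	struct io_uring_clone_buffers k;
	uint32_t v;

	memcpy(&k, p, sizeof(k));
	memcpy(&v, (const unsigned char *)&k + field_off, sizeof(v));
	return v;
}

/*
 * Return the pad[] index in the patch's fallback that aliases the real
 * field at field_off, or -1 when field_off is outside the fallback's pad[].
 */
int fallback_pad_slot_for(size_t field_off)
{
	size_t pad_off = offsetof(struct io_uring_clone_buffers_patch, pad);

	if (field_off < pad_off ||
	    field_off >= sizeof(struct io_uring_clone_buffers_patch))
		return -1;
	return (int)((field_off - pad_off) / sizeof(uint32_t));
}

/*
 * A caller on the wrong fallback has no nr field and can only reach the
 * bytes through pad[]; return the nr value the kernel decodes after the
 * caller sets pad[slot] = value (the rest of the struct zeroed).
 */
uint32_t nr_seen_when_pad_set(int slot, uint32_t value)
{
	struct io_uring_clone_buffers_patch p;

	memset(&p, 0, sizeof(p));
	p.pad[slot] = value;
	return kernel_sees(&p, offsetof(struct io_uring_clone_buffers, nr));
}

/*
 * Return 1 if both layouts agree in size and in the offsets of the two
 * fields they share (src_fd, flags); this is exactly why the test in the
 * patch still works, since it only ever sets src_fd on a zeroed struct.
 */
int shared_prefix_matches(void)
{
	return sizeof(struct io_uring_clone_buffers) ==
		       sizeof(struct io_uring_clone_buffers_patch) &&
	       offsetof(struct io_uring_clone_buffers, src_fd) ==
		       offsetof(struct io_uring_clone_buffers_patch, src_fd) &&
	       offsetof(struct io_uring_clone_buffers, flags) ==
		       offsetof(struct io_uring_clone_buffers_patch, flags);
}
```

The static asserts are the part worth carrying into a lapi header: the sizes coincide, so only an offset check catches a fallback that puts real fields under pad[].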

