[LTP] [PATCH v4] io_uring/pintheft: Add CVE-2026-43494 regression test

Thu May 28 23:31:15 CEST 2026

Hi Martin,

> Hi!

> On 5/24/26 20:16, Petr Vorel wrote:
> > > +	rds_fd = socket(AF_RDS, SOCK_SEQPACKET | SOCK_CLOEXEC, 0);
> > > +	if (rds_fd < 0) {
> > > +		if (errno == EAFNOSUPPORT || errno == ESOCKTNOSUPPORT ||
> > > +		    errno == EPROTONOSUPPORT || errno == ENOPROTOOPT)
> > > +			tst_brk(TCONF | TERRNO, "RDS is not available");
> > > +
> > > +		tst_brk(TBROK | TERRNO, "socket(AF_RDS) failed");

> > Just a quick Sunday evening comment (not yet looking into the reproducer itself).
> > I wonder if we need this complicated check when we already have kconfig based
> > checks at the end. Could we just simply use SAFE_SOCKET() here? Or have you
> > encountered problems with older kernels?

> I've checked, SAFE_SOCKET() will fail on kernel-default-base due to the
> usual kconfig-RPM mismatch.

Thanks for info! There will be more modules like this [*]. I also wonder if
SAFE_SOCKET() should not change to TCONF on these errnos, we do that already for
some safe functions (safe_io_uring_init(), safe_unshare(), safe_timerfd_*(). It
should be safe also in this case.

BTW isn't it that autoloading is not working? i.e. testing on some old machine
with Debian (i.e. not JeOS missing modules problem).
$ uname -r
6.18-amd64
# ./pintheft
...
pintheft.c:120: TCONF: RDS is not available: EAFNOSUPPORT (97)
=> module not autoloaded by socket() (or the other syscalls) => IMHO worth to
double check if it should be autoloaded and/or call "modprobe rds_tcp" in the test.

# modprobe rds
# ./pintheft
pintheft.c:337: TFAIL: Kernel is vulnerable: tainted during RSS accounting checks
tst_test.c:1928: TFAIL: Kernel is now tainted
=> loading manually it detects it

# rmmod rds_tcp
# rmmod rds
# ./pintheft
tst_kconfig.c:90: TINFO: Parsing kernel config '/boot/config-6.18-amd64'
tst_taint.c:85: TCONF: Ignoring already set kernel warning taint
...
pintheft.c:274: TINFO: Completed 1024/1024 sendmsg() attempts with EFAULT
pintheft.c:359: TPASS: Kernel seems to have survived RDS zerocopy cleanup
=> are we really safe now? Maybe yes, as rds is not autoloaded automatically.

> > > +	if (clone_buffers(ring_fd2, ring_fd1)) {
> > > +		if (errno == EINVAL || errno == EOPNOTSUPP)
> > > +			tst_brk(TCONF | TERRNO, "IORING_REGISTER_CLONE_BUFFERS is not supported");
> > Also here do we need it? IMHO CONFIG_IO_URING should be enough.
> > And if errno is really needed, it'd IMHO be better to be in handled in
> > clone_buffers(), not separately.

> IORING_REGISTER_CLONE_BUFFERS was added in kernel v6.12 so the feature check
> is also needed.

Shouldn't the test require v6.12 then? Without it test TCONF anyway. Or you
expect being it backported? OTOH fix was backported to v6.6.141 (but IMHO test
is not able to test that old kernel).

$ uname -r
6.9.9-amd64
# ./pintheft
pintheft.c:120: TCONF: RDS is not available: EAFNOSUPPORT (97)
# modprobe rds
# ./pintheft
pintheft.c:169: TCONF: IORING_REGISTER_CLONE_BUFFERS is not supported: EINVAL (22)

$ uname -r
6.12.38+deb13-amd64
# ./pintheft
pintheft.c:120: TCONF: RDS is not available: EAFNOSUPPORT (97)
# modprobe rds
# ./pintheft
pintheft.c:337: TFAIL: Kernel is vulnerable: tainted during RSS accounting checks
tst_test.c:1928: TFAIL: Kernel is now tainted

# rmmod rds_tcp
# modprobe rds
# modprobe rds_tcp
tst_taint.c:85: TCONF: Ignoring already set kernel warning taint
pintheft.c:359: TPASS: Kernel seems to have survived RDS zerocopy cleanup

Kind regards,
Petr

[*] I.e. any module which cannot be detected via /proc/sys like check in
lib/tst_kconfig_checks.h; I was even thinking about checking via /proc/modules
or /sys/module/*/, but that would work only to double check if module
autoloading or direct loading with modprobe work. Maybe too complicated, but for
tests which call modprobe on some modules e.g. hwpoison_inject or zram it could
be useful.