From: Jens Axboe <axboe@kernel.dk>
To: Tom Ryan <ryan36005@gmail.com>, io-uring@vger.kernel.org
Cc: gregkh@linuxfoundation.org, kbusch@kernel.org, csander@purestorage.com
Subject: Re: [PATCH liburing] test/sqe-mixed-boundary: validate physical SQE index for 128-byte ops
Date: Tue, 10 Mar 2026 07:01:14 -0600 [thread overview]
Message-ID: <adc62a4e-6d68-4678-be0a-331d910405d5@kernel.dk> (raw)
In-Reply-To: <20260310052003.72871-2-ryan36005@gmail.com>
On 3/9/26 11:20 PM, Tom Ryan wrote:
> +/*
> + * Negative test: NOP128 at the last physical SQE slot via sq_array remap
> + * must be rejected. Without the kernel fix, this triggers a 64-byte OOB
> + * read in io_uring_cmd_sqe_copy().
> + */
> +static int test_oob_boundary(void)
> +{
> + struct io_uring ring;
> + struct io_uring_cqe *cqe;
> + struct io_uring_sqe *sqe;
> + unsigned mask;
> + int ret, i, found;
> +
> + ret = io_uring_queue_init(NENTRIES, &ring, IORING_SETUP_SQE_MIXED);
> + if (ret) {
> + if (ret == -EINVAL)
> + return T_EXIT_SKIP;
> + fprintf(stderr, "ring init: %d\n", ret);
> + return T_EXIT_FAIL;
> + }
I don't think this will work, because this function requires the sqe
redirection array and liburing will wrap the above in SETUP_NO_SQARRAY.
Is this some llm written test case, or conversion of a raw use case? Did
you actually try and run the test case?
You can certainly make it work, you'd have to use
__io_uring_queue_init_params() to accomplish the setting up of the ring
without IORING_SETUP_NO_SQARRAY.
> + found = 0;
> + for (i = 0; i < 3; i++) {
> + ret = io_uring_wait_cqe(&ring, &cqe);
> + if (ret)
> + break;
> + if (cqe->user_data == 2) {
> + if (cqe->res != -EINVAL) {
> + fprintf(stderr,
> + "NOP128 at last slot: expected -EINVAL, got %d\n",
> + cqe->res);
> + io_uring_cqe_seen(&ring, cqe);
> + goto fail;
> + }
> + found = 1;
> + }
> + io_uring_cqe_seen(&ring, cqe);
> + }
This one puzzles me too - you submit 2 SQEs, yet you wait for 3. This
will just sit forever until killed by the test suite timeout.
--
Jens Axboe
next prev parent reply other threads:[~2026-03-10 13:01 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 21:20 io_uring: OOB read in SQE_MIXED mode via sq_array physical index bypass Tom Ryan
2026-03-09 21:29 ` Keith Busch
2026-03-09 21:45 ` Caleb Sander Mateos
2026-03-09 21:54 ` Keith Busch
2026-03-10 5:20 ` [PATCH v2] io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops Tom Ryan
2026-03-10 5:20 ` [PATCH liburing] test/sqe-mixed-boundary: validate physical SQE index for " Tom Ryan
2026-03-10 13:01 ` Jens Axboe [this message]
2026-03-10 14:44 ` [PATCH v2] io_uring: fix physical SQE bounds check for SQE_MIXED " Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adc62a4e-6d68-4678-be0a-331d910405d5@kernel.dk \
--to=axboe@kernel.dk \
--cc=csander@purestorage.com \
--cc=gregkh@linuxfoundation.org \
--cc=io-uring@vger.kernel.org \
--cc=kbusch@kernel.org \
--cc=ryan36005@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox