Re: [PATCH] test/recv-bundle-pbuf-len-poison: add regression test for pbuf len corruption

Next message: Borislav Petkov: "Re: [PATCH] EDAC/versalnet: release remoteproc reference in remove"
Previous message: Jens Axboe: "Re: [PATCH] iouring: Fix min_timeout behaviour"
In reply to: Nyakundi Emmanuel: "[PATCH] test/recv-bundle-pbuf-len-poison: add regression test for pbuf len corruption"
Next in thread: Jens Axboe: "Re: [BUG io_uring] Failed RECVSEND_BUNDLE can persistently shrink non-INC pbuf ring len and affect later READ operations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Axboe

Date: Sun Jun 07 2026 - 18:16:43 EST

On 6/7/26 4:10 PM, Nyakundi Emmanuel wrote:
> A failed IORING_RECVSEND_BUNDLE receive on a non-INC provided-buffer
> ring can persistently corrupt the buffer descriptor length. When the
> receive fails with -EAGAIN, the kernel writes the requested length into
> buf->len during buffer selection but never restores it on failure.
>
> A later unrelated IORING_OP_READ using the same buffer group then
> consumes the corrupted length, returning fewer bytes than expected.
>
> This test reproduces the issue as reported by Federico Brasili.

Thanks, but I already wrote one, which also tests the much more
important aspect of the kernel change - that the reported CQE
completion reports the right amount without truncating the
buffer length when no bytes have been transferred.

And once again, it's not _corrupting_ the buffer length. It's
shrinking it, which is unexpected and should not happen, but there's
no corruption taking place.

I'm dubious on how much AI koolaid was used in reproducing the
test case and report? That said, it is something we should fix,
as the kernel should not be changing the buffer length for this
case.

--
Jens Axboe