Re: [BUG] io_uring: possible CQE32 overflow flush inconsistency in __io_cqring_overflow_flush()
From: Greg KH
Date: Fri Jun 19 2026 - 02:01:24 EST
On Fri, Jun 19, 2026 at 04:49:32AM +0000, Cyber_black wrote:
>
> Hi,
>
> I believe there is a bug in __io_cqring_overflow_flush() in io_uring/io_uring.c
> where `is_cqe32` and `cqe_size` are left in an inconsistent state when
> IORING_SETUP_CQE32 is set, potentially leading to an out-of-bounds write into
> the CQ ring.
>
> AFFECTED FILE
> =============
> io_uring/io_uring.c
> Function: __io_cqring_overflow_flush()
>
> KERNEL VERSION
> ==============
> Observed in current upstream (v6.8+). Please confirm against your tree.
Huh? Was this written by an LLM?
> PROPOSED FIX
> ============
> If Block B is intentional (i.e. io_get_cqe_overflow already handles CQE32 slot
> sizing internally when IORING_SETUP_CQE32 is set), then cqe_size must also be
> reset:
>
> if (ctx->flags & IORING_SETUP_CQE32) {
>         is_cqe32 = false;
>         cqe_size = sizeof(struct io_uring_cqe); /* undo Block A */
> }
>
> Alternatively, if Block B is dead/incorrect code, it should be removed entirely
> and io_get_cqe_overflow() called with is_cqe32 = true when appropriate.
>
> The correct fix depends on the intended semantics of is_cqe32 vs ctx flag
> inside io_get_cqe_overflow(), which the maintainer is best placed to confirm.
Please turn this into a real patch that you have tested to verify it
resolves the issue so you get full credit for the fix.
thanks,
greg k-h