Re: [BUG] io_uring: possible CQE32 overflow flush inconsistency in __io_cqring_overflow_flush()
From: Gabriel Krisman Bertazi
Date: Fri Jun 19 2026 - 12:09:00 EST
Cyber_black <Cyberblackk@xxxxxxxxx> writes:
> On Fri, Jun 19, 2026 at 04:49:32AM +0000, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>> Please turn this into a real patch that you have [...] to verify it
>> resolves the issue so you get full credit for the fix.
>
> Hi Greg,
>
> Apologies for the previous mail's format. The patch compiles cleanly
> on arm64. My current environment does not support io_uring (ENOSYS)
> so I was unable to run the liburing suite, but the fix itself is
> straightforward.
What's the context, was this sent against stable? The issue exists
in mainline.
> From 522b70bdd3ac64c64dd21842cb5901e59a1fb058 Mon Sep 17 00:00:00 2001
> From: Eneshan Erdogan Karaca <cyberblackk@xxxxxxxxx>
> Date: Fri, 19 Jun 2026 07:59:58 +0000
> Subject: [PATCH] io_uring: fix cqe_size/is_cqe32 inconsistency in overflow
> flush
Ideally, send it as a patch to the list with [PATCH] so it doesn't vanish under a [BUG]
tag.
>
> When IORING_SETUP_CQE32 is set, Block A doubles cqe_size to handle
> 32-byte CQEs. Block B then resets is_cqe32 to false so that
> io_get_cqe_overflow() uses its own ctx flag check internally, but
> fails to reset cqe_size. This leaves cqe_size=32 while a 16-byte
> slot is allocated, causing memcpy() to write beyond the allocated
> CQE slot.
How was this found? Do you have a syzbot or a trigger? The fix looks
good but the patch appears corrupted, with a bunch of NBSP.
>
> Fix this by also resetting cqe_size when is_cqe32 is cleared.
>
> Signed-off-by: Eneshan Erdogan Karaca <cyberblackk@xxxxxxxxx>
> ---
> io_uring/io_uring.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 1ea2fca34a36..f9690291633a 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -543,8 +543,10 @@ static void __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool dying)
> is_cqe32 = true;
> cqe_size <<= 1;
> }
> - if (ctx->flags & IORING_SETUP_CQE32)
> + if (ctx->flags & IORING_SETUP_CQE32) {
> is_cqe32 = false;
> + cqe_size = sizeof(struct io_uring_cqe);
> + }
> if (!dying) {
> if (!io_get_cqe_overflow(ctx, &cqe, true, is_cqe32))
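Review bot: the added `cqe_size = sizeof(struct io_uring_cqe);` makes the `if (ctx->flags & IORING_SETUP_CQE32) {` branch unconditionally overwrite whatever the preceding block set (`is_cqe32 = true;` / `cqe_size <<= 1;`), so on a CQE32 ring that earlier block's result is discarded, and this set-then-reset sequence is exactly what let the two variables drift apart before the fix. Restructuring the two conditions as mutually exclusive paths, e.g. `if (ctx->flags & IORING_SETUP_CQE32) { ... } else if (<the existing per-entry condition>) { is_cqe32 = true; cqe_size <<= 1; }`, would keep is_cqe32 and cqe_size in step at a single point; in either form a one-line comment above the branch stating why the ring-wide flag overrides the per-entry size, and what io_get_cqe_overflow() does with the is_cqe32 argument, would help the next reader. The commit message's "Block A"/"Block B" labels also do not correspond to anything in the code; naming the actual conditions there would make the description stand on its own.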
> --
> 2.34.1
>
> Thanks,
> Eneshan Erdogan Karaca
--
Gabriel Krisman Bertazi