[BUG] io_uring: possible CQE32 overflow flush inconsistency in __io_cqring_overflow_flush()

From: Cyber_black

Date: Sat Jun 20 2026 - 02:14:25 EST




Hi Gabriel,

Thank you for your response.

I found this bug while doing independent research. I was reading the Linux kernel code from Linus Torvalds' main repository (git.kernel.org) and the io_uring subsystem caught my attention. In particular, the use of shared memory for optimization purposes stood out – especially since this very feature has been exploited in the past to develop rootkits targeting io_uring.

So I first studied its architecture and then read the code in depth. The bug emerged during that review.

Regarding a trigger scenario (PoC – Proof of Concept): unfortunately, I don't have one. My system does not support io_uring (it returns ENOSYS, likely due to enterprise compatibility settings), so I couldn't run the liburing test suite. However, the fix itself is straightforward and the logic is clear.

As for the target version: this issue exists in the mainline kernel. It is not in a stable release yet, as I found it directly in Linus' main tree.

Regarding the patch format – I just generated a clean patch using git format-patch and sent it separately.