From: Prithvi Tambewagh
To: axboe@kernel.dk
Cc: io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, brauner@kernel.org, jack@suse.cz, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, khalid@kernel.org, Prithvi Tambewagh, syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com, stable@vger.kernel.org
Subject: [PATCH] io_uring: fix filename leak in __io_openat_prep()
Date: Wed, 24 Dec 2025 22:12:47 +0530
Message-Id: <20251224164247.103336-1-activprithvi@gmail.com>

__io_openat_prep() allocates a struct filename using getname(), but it isn't freed in the case where the file is installed in the fixed file table and, simultaneously, has the O_CLOEXEC flag set in the open->how.flags field.

This is an erroneous condition, since a file installed in the fixed file table is not installed in the normal file table, and so cannot support close-on-exec. Earlier, the code just returned the -EINVAL error code for this condition; however, the memory allocated for that struct filename wasn't freed, resulting in a memory leak.

Hence, the case of the file being installed in the fixed file table as well as having the O_CLOEXEC flag set in open->how.flags is addressed by using putname() to release the memory allocated to the struct filename, then setting the field open->filename to NULL, and after that returning -EINVAL.

Reported-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
Tested-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh --- io_uring/openclose.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/io_uring/openclose.c b/io_uring/openclose.c index bfeb91b31bba..fc190a3d8112 100644 --- a/io_uring/openclose.c +++ b/io_uring/openclose.c @@ -75,8 +75,11 @@ static int __io_openat_prep(struct io_kiocb *req, const = struct io_uring_sqe *sqe } =20 open->file_slot =3D READ_ONCE(sqe->file_index); - if (open->file_slot && (open->how.flags & O_CLOEXEC)) + if (open->file_slot && (open->how.flags & O_CLOEXEC)) { + putname(open->filename); + open->filename =3D NULL; return -EINVAL; + } =20 open->nofile =3D rlimit(RLIMIT_NOFILE); req->flags |=3D REQ_F_NEED_CLEANUP; base-commit: b927546677c876e26eba308550207c2ddf812a43 --=20 2.34.1
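Review bot: the rejection at `if (open->file_slot && (open->how.flags & O_CLOEXEC))` still sits after the filename has been allocated, so this error path has to undo the allocation by hand; since neither sqe->file_index nor open->how.flags depends on the result of the path lookup, consider hoisting this check above the getname() call the commit message describes, which makes the added `putname(open->filename);` and `open->filename = NULL;` unnecessary and keeps the -EINVAL return free of cleanup work. If the current ordering is kept, the explicit putname() is the correct fix, because `req->flags |= REQ_F_NEED_CLEANUP;` is only set after this return, so the request's cleanup would never have released the name for this error; the NULL assignment is then purely defensive and a short comment saying why the name is released here by hand would help the next reader. Separately, the commit message carries Cc: stable but no Fixes: tag naming the commit that introduced the file_slot/O_CLOEXEC rejection; stable backports will want one.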