From: Prithvi Tambewagh
To: axboe@kernel.dk
Cc: io-uring@vger.kernel.org, brauner@kernel.org, jack@suse.cz, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, khalid@kernel.org, Prithvi Tambewagh, syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com, stable@vger.kernel.org
Subject: [PATCH v2] io_uring: fix filename leak in __io_openat_prep()
Date: Thu, 25 Dec 2025 12:58:29 +0530
Message-Id: <20251225072829.44646-1-activprithvi@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

__io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
the memory for the newly allocated struct filename is not cleaned up,
causing a memory leak.

Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
successful getname() call, so that when the request is torn down, the
filename will be cleaned up, along with other resources needing cleanup.

Reported-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
Tested-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh

--- io_uring/openclose.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/io_uring/openclose.c b/io_uring/openclose.c index bfeb91b31bba..15dde9bd6ff6 100644 --- a/io_uring/openclose.c +++ b/io_uring/openclose.c 
@@ -73,13 +73,13 @@ static int __io_openat_prep(struct io_kiocb *req, const= struct io_uring_sqe *sqe open->filename =3D NULL; return ret; } + req->flags |=3D REQ_F_NEED_CLEANUP; =20 open->file_slot =3D READ_ONCE(sqe->file_index); if (open->file_slot && (open->how.flags & O_CLOEXEC)) return -EINVAL; =20 open->nofile =3D rlimit(RLIMIT_NOFILE); - req->flags |=3D REQ_F_NEED_CLEANUP; if (io_openat_force_async(open)) req->flags |=3D REQ_F_FORCE_ASYNC; return 0; base-commit: b927546677c876e26eba308550207c2ddf812a43 --=20 2.34.1
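Review bot: With REQ_F_NEED_CLEANUP now set before the open->file_slot check, the cleanup handler can run for a request whose prep stopped at "return -EINVAL", that is, before open->nofile is assigned. The handler is not part of this hunk, so please confirm (and ideally say in the commit message) that it only releases open->filename and does not rely on anything set after this point. The placement after the getname() error branch looks right, since that branch sets open->filename to NULL and returns before the flag is touched. Two documentation points: the message has Cc: stable but no Fixes: tag naming the commit that introduced the leak, which stable maintainers need to decide how far back to apply it, and this v2 has no changelog below the "---" line saying what changed since v1.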