[PATCH v2] io_uring/waitid: clear waitid info before copying it to userspace

Heechan Kang posted 1 patch 1 week, 1 day ago
io_uring/waitid.c | 1 +
1 file changed, 1 insertion(+)
[PATCH v2] io_uring/waitid: clear waitid info before copying it to userspace
Posted by Heechan Kang 1 week, 1 day ago
IORING_OP_WAITID stores its result fields in struct io_waitid::info and
later copies them to userspace siginfo. The prep path initializes the
request arguments, but it does not initialize info itself.

If the wait operation completes without reporting a child event, the common
wait code can return without writing wo_info. In that case io_waitid_finish()
still copies iw->info to userspace, exposing stale bytes from the reused
io_kiocb command storage.

Clear the result storage during prep so the io_uring path matches the
regular waitid syscall, which uses a zero-initialized struct waitid_info.

Fixes: f31ecf671ddc ("io_uring: add IORING_OP_WAITID support")
Cc: stable@vger.kernel.org # 6.7+
Signed-off-by: Heechan Kang <gganji11@naver.com>
---
v2:
- Resend as plain text; no code changes.

 io_uring/waitid.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/io_uring/waitid.c b/io_uring/waitid.c
index d25d60aed6a..32f68fd7fcd 100644
--- a/io_uring/waitid.c
+++ b/io_uring/waitid.c
@@ -275,6 +275,7 @@ int io_waitid_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 	iw->options = READ_ONCE(sqe->file_index);
 	iw->head = NULL;
 	iw->infop = u64_to_user_ptr(READ_ONCE(sqe->addr2));
+	memset(&iw->info, 0, sizeof(iw->info));
 	return 0;
 }
 
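Review bot: the added memset in the io_waitid_prep() hunk is right where it needs to be, but it deserves a one-line comment, since nothing in the surrounding lines explains why a result field is being cleared in the prep path; something like `/* the wait code may not write info; clear it so io_waitid_finish() never copies stale io_kiocb bytes to userspace */` above the memset would save the next reader a trip to the commit log. Placement after the argument fields and before `return 0` covers every completion path, because prep runs once per request and io_waitid_finish() copies iw->info regardless of whether a child event was reported, which is the case the commit message describes. Using `sizeof(iw->info)` rather than the type name is the preferred form and keeps the clear correct if the field's type ever changes.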
-- 
2.43.0
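To make the failure mode concrete, the following is an added user-space model of the leak described in the commit message; it is hypothetical illustration code, not the kernel's io_uring/waitid.c, and the names waitid_prep, wait_core, waitid_finish, io_waitid_model and stale_bytes_returned are assumptions that stand in for the prep, common wait and finish stages. The stale 0x41 bytes are constructed sample content. The model reuses one storage slot across requests, the way an io_kiocb is reused from its cache, and counts how many non-zero bytes reach the caller when the wait completes without a child event, with and without the clear in prep.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical user-space model of the IORING_OP_WAITID info leak.
 * Field names follow the kernel's struct waitid_info; the layout and all
 * function names below are illustrative, not kernel code.
 */
struct waitid_info {
	int pid;
	int uid;
	int status;
	int cause;
};

/* Stand-in for the io_waitid command storage embedded in a reused io_kiocb. */
struct io_waitid_model {
	struct waitid_info info;
	unsigned int options;
};

/* One cache slot reused across requests, standing in for the io_kiocb cache. */
static struct io_waitid_model slot;

/* A previous occupant leaves bytes behind: freeing to a cache does not scrub. */
static void previous_request_leaves_residue(void)
{
	memset(&slot, 0x41, sizeof(slot)); /* constructed stale content */
}

/* Models the prep path: sets arguments; zero_info adds the fix (clear the result storage). */
static void waitid_prep(unsigned int options, bool zero_info)
{
	slot.options = options;
	if (zero_info)
		memset(&slot.info, 0, sizeof(slot.info));
}

/* Models the common wait code: info is written only when a child event is reported. */
static void wait_core(bool child_event)
{
	if (child_event) {
		slot.info.pid = 4242;
		slot.info.uid = 1000;
		slot.info.status = 0;
		slot.info.cause = 1; /* CLD_EXITED */
	}
}

/* Models the finish path: copies info to the caller's buffer unconditionally. */
static void waitid_finish(struct waitid_info *user_info)
{
	memcpy(user_info, &slot.info, sizeof(*user_info));
}

/*
 * Run one request that completes without a child event and return how many
 * bytes of the result handed to "userspace" are not zero (0 means no leak).
 */
size_t stale_bytes_returned(bool zero_in_prep)
{
	struct waitid_info user_info;
	const unsigned char *p = (const unsigned char *)&user_info;
	size_t nonzero = 0;

	previous_request_leaves_residue();
	waitid_prep(0, zero_in_prep);
	wait_core(false);
	waitid_finish(&user_info);

	for (size_t i = 0; i < sizeof(user_info); i++)
		if (p[i] != 0)
			nonzero++;
	return nonzero;
}

/* A request that does report a child event must be unaffected by the fix. */
int reported_pid(bool zero_in_prep)
{
	struct waitid_info user_info;

	previous_request_leaves_residue();
	waitid_prep(0, zero_in_prep);
	wait_core(true);
	waitid_finish(&user_info);
	return user_info.pid;
}

int main(void)
{
	printf("unfixed: %zu stale bytes copied to userspace\n", stale_bytes_returned(false));
	printf("fixed:   %zu stale bytes copied to userspace\n", stale_bytes_returned(true));
	printf("child event still reported, pid %d\n", reported_pid(true));
	return 0;
}
```

The point the model makes is that the clear belongs in prep rather than in the finish path: prep runs once per request, so zeroing there covers every way the wait can complete, including the path that never writes the result, and it leaves the child-event case untouched.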
Re: [PATCH v2] io_uring/waitid: clear waitid info before copying it to userspace
Posted by Jens Axboe 1 week, 1 day ago
On Sun, 17 May 2026 03:47:09 +0900, Heechan Kang wrote:
> IORING_OP_WAITID stores its result fields in struct io_waitid::info and
> later copies them to userspace siginfo. The prep path initializes the
> request arguments, but it does not initialize info itself.
> 
> If the wait operation completes without reporting a child event, the common
> wait code can return without writing wo_info. In that case io_waitid_finish()
> still copies iw->info to userspace, exposing stale bytes from the reused
> io_kiocb command storage.
> 
> [...]

Applied, thanks!

[1/1] io_uring/waitid: clear waitid info before copying it to userspace
      commit: 93d93f5f8da791e98159795c6ef683f45bd95d13

Best regards,
-- 
Jens Axboe