--- /dev/null
+From b14fad555302a2104948feaff70503b64c80ac01 Mon Sep 17 00:00:00 2001
+From: Prithvi Tambewagh <activprithvi@gmail.com>
+Date: Thu, 25 Dec 2025 12:58:29 +0530
+Subject: io_uring: fix filename leak in __io_openat_prep()
+
+From: Prithvi Tambewagh <activprithvi@gmail.com>
+
+Commit b14fad555302a2104948feaff70503b64c80ac01 upstream.
+
+ __io_openat_prep() allocates a struct filename using getname(). However,
+for the condition of the file being installed in the fixed file table as
+well as having O_CLOEXEC flag set, the function returns early. At that
+point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
+the memory for the newly allocated struct filename is not cleaned up,
+causing a memory leak.
+
+Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
+successful getname() call, so that when the request is torn down, the
+filename will be cleaned up, along with other resources needing cleanup.
+
+Reported-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
+Tested-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
+Fixes: b9445598d8c6 ("io_uring: openat directly into fixed fd table")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/openclose.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/io_uring/openclose.c
++++ b/io_uring/openclose.c
+@@ -54,13 +54,13 @@ static int __io_openat_prep(struct io_ki
+ open->filename = NULL;
+ return ret;
+ }
++ req->flags |= REQ_F_NEED_CLEANUP;
+
+ open->file_slot = READ_ONCE(sqe->file_index);
+ if (open->file_slot && (open->how.flags & O_CLOEXEC))
+ return -EINVAL;
+
+ open->nofile = rlimit(RLIMIT_NOFILE);
+- req->flags |= REQ_F_NEED_CLEANUP;
+ return 0;
+ }
+
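Review bot: The position of `req->flags |= REQ_F_NEED_CLEANUP;` is now load-bearing, and nothing in the code says so. It has to precede every return that follows a successful getname(), including the `-EINVAL` return for a fixed file slot combined with O_CLOEXEC. A short comment above the line would keep a later refactor, or a new validation check inserted before it, from reintroducing the leak, e.g. `/* filename is allocated: set before any further early return so request cleanup frees it */`. The start of __io_openat_prep() is outside the hunk, so the getname() call and its failure path are only partly visible here.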
--- /dev/null
+From bcf84b1aaa6c5a5ad583d6ab856a052d5791e4cc Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 1 Dec 2025 13:25:22 -0700
+Subject: io_uring/poll: correctly handle io_poll_add() return value on update
+
+From: Jens Axboe <axboe@kernel.dk>
+
+Commit 84230ad2d2afbf0c44c32967e525c0ad92e26b4e upstream.
+
+When the core of io_uring was updated to handle completions
+consistently and with fixed return codes, the POLL_REMOVE opcode
+with updates got slightly broken. If a POLL_ADD is pending and
+then POLL_REMOVE is used to update the events of that request, if that
+update causes the POLL_ADD to now trigger, then that completion is lost
+and a CQE is never posted.
+
+Additionally, ensure that if an update does cause an existing POLL_ADD
+to complete, that the completion value isn't always overwritten with
+-ECANCELED. For that case, whatever io_poll_add() set the value to
+should just be retained.
+
+Cc: stable@vger.kernel.org
+Fixes: 97b388d70b53 ("io_uring: handle completions in the core")
+Reported-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
+Tested-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/poll.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -1038,12 +1038,17 @@ found:
+
+ ret2 = io_poll_add(preq, issue_flags & ~IO_URING_F_UNLOCKED);
+ /* successfully updated, don't complete poll request */
+- if (!ret2 || ret2 == -EIOCBQUEUED)
++ if (ret2 == IOU_ISSUE_SKIP_COMPLETE)
+ goto out;
++ /* request completed as part of the update, complete it */
++ else if (ret2 == IOU_OK)
++ goto complete;
+ }
+
+- req_set_fail(preq);
+ io_req_set_res(preq, -ECANCELED, 0);
++complete:
++ if (preq->cqe.res < 0)
++ req_set_fail(preq);
+ io_req_task_complete(preq, &locked);
+ out:
+ io_ring_submit_unlock(ctx, issue_flags);
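Review bot: The new `complete:` label reads `preq->cqe.res` on the `IOU_OK` path, which is only correct if io_poll_add() has already stored a result there before returning. That contract is not visible in this hunk and deserves a comment at the label, e.g. `/* IOU_OK: io_poll_add() already set preq->cqe.res, keep it */`. Any other return value from io_poll_add() still falls through to `io_req_set_res(preq, -ECANCELED, 0)`, so the original error code is replaced; if that is intended, the comment should say so. As a style point, the `else if` after `goto out;` with a comment wedged between the two branches reads awkwardly, and two independent `if` statements would be clearer. The enclosing function starts and ends outside the hunk.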
nfsd-mark-variable-__maybe_unused-to-avoid-w-1-build-break.patch
svcrdma-return-0-on-success-from-svc_rdma_copy_inline_range.patch
powerpc-kexec-enable-smt-before-waking-offline-cpus.patch
+io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch
+io_uring-fix-filename-leak-in-__io_openat_prep.patch