From: Greg Kroah-Hartman
Date: Mon, 29 Dec 2025 15:31:43 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1931b40f1d109f748b58edbbcda9cd0904d58fef;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
io_uring-fix-filename-leak-in-__io_openat_prep.patch
io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch
---
diff --git a/queue-6.1/io_uring-fix-filename-leak-in-__io_openat_prep.patch b/queue-6.1/io_uring-fix-filename-leak-in-__io_openat_prep.patch
new file mode 100644
index 0000000000..c2f0d91344
--- /dev/null
+++ b/queue-6.1/io_uring-fix-filename-leak-in-__io_openat_prep.patch
@@ -0,0 +1,49 @@
+From b14fad555302a2104948feaff70503b64c80ac01 Mon Sep 17 00:00:00 2001
+From: Prithvi Tambewagh
+Date: Thu, 25 Dec 2025 12:58:29 +0530
+Subject: io_uring: fix filename leak in __io_openat_prep()
+
+From: Prithvi Tambewagh
+
+Commit b14fad555302a2104948feaff70503b64c80ac01 upstream.
+
+ __io_openat_prep() allocates a struct filename using getname(). However,
+for the condition of the file being installed in the fixed file table as
+well as having O_CLOEXEC flag set, the function returns early. At that
+point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
+the memory for the newly allocated struct filename is not cleaned up,
+causing a memory leak.
+
+Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
+successful getname() call, so that when the request is torn down, the
+filename will be cleaned up, along with other resources needing cleanup.
+
+Reported-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
+Tested-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Prithvi Tambewagh
+Fixes: b9445598d8c6 ("io_uring: openat directly into fixed fd table")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/openclose.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/io_uring/openclose.c
++++ b/io_uring/openclose.c
+@@ -54,13 +54,13 @@ static int __io_openat_prep(struct io_ki
+ open->filename = NULL;
+ return ret;
+ }
++ req->flags |= REQ_F_NEED_CLEANUP;
+ 
+ open->file_slot = READ_ONCE(sqe->file_index);
+ if (open->file_slot && (open->how.flags & O_CLOEXEC))
+ return -EINVAL;
+ 
+ open->nofile = rlimit(RLIMIT_NOFILE);
+- req->flags |= REQ_F_NEED_CLEANUP;
+ return 0;
+ }
+ 
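Review bot: The relocated `req->flags |= REQ_F_NEED_CLEANUP;` carries no comment on the new side, so its rationale lives only in the commit message; the visible `return -EINVAL` for a fixed-slot open with O_CLOEXEC now relies on request teardown to release `open->filename`, and a later edit that adds another early return above the flag line would reintroduce the same leak. A one-line comment at the new line would record that, for instance `/* filename is owned by the request from here on; every later error return relies on teardown to release it */`. Since the leak is reachable from an ordinary io_uring submission, the kernel-memory exhaustion risk is what makes this a stable candidate, which is worth stating in the queue's own description as well. __io_openat_prep() begins and ends outside the hunk, so only the visible -EINVAL path can be confirmed from here, and the 6.1 teardown path itself is not shown.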
diff --git a/queue-6.1/io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch b/queue-6.1/io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch
new file mode 100644
index 0000000000..0d5e409e6c
--- /dev/null
+++ b/queue-6.1/io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch
@@ -0,0 +1,53 @@
+From bcf84b1aaa6c5a5ad583d6ab856a052d5791e4cc Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Mon, 1 Dec 2025 13:25:22 -0700
+Subject: io_uring/poll: correctly handle io_poll_add() return value on update
+
+From: Jens Axboe
+
+Commit 84230ad2d2afbf0c44c32967e525c0ad92e26b4e upstream.
+
+When the core of io_uring was updated to handle completions
+consistently and with fixed return codes, the POLL_REMOVE opcode
+with updates got slightly broken. If a POLL_ADD is pending and
+then POLL_REMOVE is used to update the events of that request, if that
+update causes the POLL_ADD to now trigger, then that completion is lost
+and a CQE is never posted.
+
+Additionally, ensure that if an update does cause an existing POLL_ADD
+to complete, that the completion value isn't always overwritten with
+-ECANCELED. For that case, whatever io_poll_add() set the value to
+should just be retained.
+
+Cc: stable@vger.kernel.org
+Fixes: 97b388d70b53 ("io_uring: handle completions in the core")
+Reported-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
+Tested-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/poll.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -1038,12 +1038,17 @@ found:
+ 
+ ret2 = io_poll_add(preq, issue_flags & ~IO_URING_F_UNLOCKED);
+ /* successfully updated, don't complete poll request */
+- if (!ret2 || ret2 == -EIOCBQUEUED)
++ if (ret2 == IOU_ISSUE_SKIP_COMPLETE)
+ goto out;
++ /* request completed as part of the update, complete it */
++ else if (ret2 == IOU_OK)
++ goto complete;
+ }
+ 
+- req_set_fail(preq);
+ io_req_set_res(preq, -ECANCELED, 0);
++complete:
++ if (preq->cqe.res < 0)
++ req_set_fail(preq);
+ io_req_task_complete(preq, &locked);
+ out:
+ io_ring_submit_unlock(ctx, issue_flags);
diff --git a/queue-6.1/series b/queue-6.1/series
index 16c6e2ade6..ec670e8058 100644
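Review bot: A negative `ret2` other than IOU_ISSUE_SKIP_COMPLETE matches neither new branch and falls out of the block to `io_req_set_res(preq, -ECANCELED, 0);`, so io_poll_add()'s own error code is replaced by -ECANCELED in the posted CQE; that is pre-existing behaviour, but the new `else if (ret2 == IOU_OK)` turns this into a three-way split that deserves a comment, e.g. `/* any other error: the update failed, report the original request as cancelled */` above the -ECANCELED line. The `else` after `goto out;` is redundant and kernel style normally drops it, though a stable backport should stay textually close to upstream 84230ad2d2af, so this is an upstream follow-up rather than a backport change. The backport keeps the `io_req_task_complete(preq, &locked)` context line, presumably the 6.1 task-work signature; it would be worth confirming during queue review that IOU_OK and IOU_ISSUE_SKIP_COMPLETE are defined in the 6.1 tree this is queued for, since a missing definition would fail the build rather than silently misbehave. The enclosing function and the `if` block closed by the hunk's `}` both begin outside the hunk.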
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -373,3 +373,5 @@ fsnotify-do-not-generate-access-modify-events-on-child-for-special-files.patch
 nfsd-mark-variable-__maybe_unused-to-avoid-w-1-build-break.patch
 svcrdma-return-0-on-success-from-svc_rdma_copy_inline_range.patch
 powerpc-kexec-enable-smt-before-waking-offline-cpus.patch
+io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch
+io_uring-fix-filename-leak-in-__io_openat_prep.patch