From: Greg Kroah-Hartman Date: Mon, 29 Dec 2025 15:31:34 +0000 (+0100) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2df9587bf0459a3542cc4d736cbd640492dfeec8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: io_uring-fix-filename-leak-in-__io_openat_prep.patch --- diff --git a/queue-5.15/io_uring-fix-filename-leak-in-__io_openat_prep.patch b/queue-5.15/io_uring-fix-filename-leak-in-__io_openat_prep.patch new file mode 100644 index 0000000000..4013420b1b --- /dev/null +++ b/queue-5.15/io_uring-fix-filename-leak-in-__io_openat_prep.patch 
@@ -0,0 +1,47 @@ +From 9ea6b9cb5285a1245845dedde05638005aba037b Mon Sep 17 00:00:00 2001 +From: Prithvi Tambewagh +Date: Thu, 25 Dec 2025 12:58:29 +0530 +Subject: io_uring: fix filename leak in __io_openat_prep() + +From: Prithvi Tambewagh + + __io_openat_prep() allocates a struct filename using getname(). However, +for the condition of the file being installed in the fixed file table as +well as having O_CLOEXEC flag set, the function returns early. At that +point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this, +the memory for the newly allocated struct filename is not cleaned up, +causing a memory leak. + +Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the +successful getname() call, so that when the request is torn down, the +filename will be cleaned up, along with other resources needing cleanup. + +Reported-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f +Tested-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Prithvi Tambewagh +Fixes: b9445598d8c6 ("io_uring: openat directly into fixed fd table") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -4326,13 +4326,13 @@ static int __io_openat_prep(struct io_ki + req->open.filename = NULL; + return ret; + } ++ req->flags |= REQ_F_NEED_CLEANUP; + + req->open.file_slot = READ_ONCE(sqe->file_index); + if (req->open.file_slot && (req->open.how.flags & O_CLOEXEC)) + return -EINVAL; + + req->open.nofile = rlimit(RLIMIT_NOFILE); +- req->flags |= REQ_F_NEED_CLEANUP; + return 0; + } + diff --git a/queue-5.15/series b/queue-5.15/series index b01ab8898c..e7a078e4e9 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -322,3 +322,4 @@ pm-runtime-do-not-clear-needs_force_resume-with-enabled-runtime-pm.patch fsnotify-do-not-generate-access-modify-events-on-child-for-special-files.patch nfsd-mark-variable-__maybe_unused-to-avoid-w-1-build-break.patch svcrdma-return-0-on-success-from-svc_rdma_copy_inline_range.patch +io_uring-fix-filename-leak-in-__io_openat_prep.patch
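Review bot: in the __io_openat_prep() hunk of io_uring/io_uring.c the `req->flags |= REQ_F_NEED_CLEANUP;` line now precedes the `if (req->open.file_slot && (req->open.how.flags & O_CLOEXEC)) return -EINVAL;` check, so that early return hands an allocated req->open.filename to the request teardown instead of dropping it, but the hunk does not show that teardown; the one thing to confirm for the 5.15 backport is that a request failing in prep still reaches the op cleanup that calls putname() on req->open.filename, since setting the flag by itself frees nothing. An alternative that sidesteps the question is to run the file_slot/O_CLOEXEC check before the getname() call, as it depends only on sqe fields, so an invalid request never allocates at all; the flag move as posted is the minimal change and matches the upstream commit named in the header, so treat that as a suggestion only. The `req->open.filename = NULL; return ret;` branch in the leading context is unaffected, as nothing was allocated on that path.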
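The leak described in the commit message is a general pattern: an ownership flag that is set only after the last validation check, so any early return between the allocation and the flag set orphans the object. The following userspace model is an added example, not kernel code and not part of the patch; every name in it (model_sqe, model_req, model_getname, prep_before_fix, prep_after_fix, leaked_after, MODEL_O_CLOEXEC, live_filenames) is hypothetical, the flag and flag values are stand-ins, and the sqe inputs are constructed. It reproduces the pre-fix and post-fix orderings of `__io_openat_prep()` and counts how many "filenames" survive teardown on the `file_slot && O_CLOEXEC` rejection path.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel names used in the patch. */
#define REQ_F_NEED_CLEANUP  0x1u
#define MODEL_O_CLOEXEC     0x80000u   /* illustrative value, not taken from <fcntl.h> */

/* Constructed counter of outstanding model "struct filename" objects. */
static int live_filenames;

struct model_sqe {
    const char *path;      /* NULL models a getname() failure */
    unsigned file_index;   /* sqe->file_index: non-zero means install into a fixed slot */
    unsigned open_flags;   /* req->open.how.flags */
};

struct model_req {
    unsigned flags;
    char *filename;        /* req->open.filename */
    unsigned file_slot;
};

/* Model of getname(): allocate a copy and count it; NULL path models -ENOMEM. */
static char *model_getname(const char *path)
{
    if (!path)
        return NULL;
    size_t n = strlen(path) + 1;
    char *f = malloc(n);
    if (!f)
        return NULL;
    memcpy(f, path, n);
    live_filenames++;
    return f;
}

static void model_putname(char *f)
{
    free(f);
    live_filenames--;
}

/* Teardown in the style of the op cleanup: frees only when the flag says there is something to free. */
static void model_req_teardown(struct model_req *req)
{
    if (req->flags & REQ_F_NEED_CLEANUP) {
        model_putname(req->filename);
        req->filename = NULL;
        req->flags &= ~REQ_F_NEED_CLEANUP;
    }
}

/* Pre-fix ordering: the flag is set only once every check has passed. */
static int prep_before_fix(struct model_req *req, const struct model_sqe *sqe)
{
    req->filename = model_getname(sqe->path);
    if (!req->filename)
        return -ENOMEM;
    req->file_slot = sqe->file_index;
    if (req->file_slot && (sqe->open_flags & MODEL_O_CLOEXEC))
        return -EINVAL;     /* early return with the filename owned but the flag unset */
    req->flags |= REQ_F_NEED_CLEANUP;
    return 0;
}

/* Post-fix ordering: the ownership flag is set as soon as the allocation succeeds. */
static int prep_after_fix(struct model_req *req, const struct model_sqe *sqe)
{
    req->filename = model_getname(sqe->path);
    if (!req->filename)
        return -ENOMEM;
    req->flags |= REQ_F_NEED_CLEANUP;
    req->file_slot = sqe->file_index;
    if (req->file_slot && (sqe->open_flags & MODEL_O_CLOEXEC))
        return -EINVAL;     /* teardown now releases the filename */
    return 0;
}

/* Run prep, then teardown; return how many filenames survived teardown (the leak count).
 * A survivor is freed afterwards so the model process itself does not leak. */
static int leaked_after(int (*prep)(struct model_req *, const struct model_sqe *),
                        const struct model_sqe *sqe, int *ret_out)
{
    struct model_req req;
    int ret, leaked;

    memset(&req, 0, sizeof(req));
    live_filenames = 0;
    ret = prep(&req, sqe);
    if (ret_out)
        *ret_out = ret;
    model_req_teardown(&req);
    leaked = live_filenames;
    if (req.filename) {
        free(req.filename);
        live_filenames = 0;
    }
    return leaked;
}

int main(void)
{
    /* Constructed input: fixed slot requested together with O_CLOEXEC, the rejected combination. */
    const struct model_sqe rejected = { "/etc/hosts", 3, MODEL_O_CLOEXEC };
    int ret, leaked;

    leaked = leaked_after(prep_before_fix, &rejected, &ret);
    printf("before fix: ret=%d leaked=%d\n", ret, leaked);
    leaked = leaked_after(prep_after_fix, &rejected, &ret);
    printf("after fix:  ret=%d leaked=%d\n", ret, leaked);
    return 0;
}
```

The point the model makes is that the flag records ownership, not success, so it belongs immediately after the allocation it covers; any check added later between allocation and flag set would otherwise reintroduce the same leak.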