[PATCH v4 2/5] io_uring/cmd: zero-init pdu in io_uring_cmd_prep() to avoid UB

Next message: Aithal, Srikanth: "Re: [PATCH 05/21] KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish"
Previous message: Manivannan Sadhasivam: "Re: [PATCH V11 02/12] PCI: host-generic: Add common helpers for parsing Root Port properties"
In reply to: Sidong Yang: "[PATCH v4 4/5] rust: miscdevice: Add `uring_cmd` support"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH v4 2/5] io_uring/cmd: zero-init pdu in io_uring_cmd_prep() to avoid UB"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sidong Yang

Date: Wed Apr 08 2026 - 10:14:22 EST

The pdu field in io_uring_cmd may contain stale data when a request
object is recycled from the slab cache. Accessing uninitialized or
garbage memory can lead to undefined behavior in users of the pdu.

Ensure the pdu buffer is cleared during io_uring_cmd_prep() so that
each command starts from a well-defined state. This avoids exposing
uninitialized memory and prevents potential misinterpretation of data
from previous requests.

No functional change is intended other than guaranteeing that pdu is
always zero-initialized before use.

Signed-off-by: Sidong Yang <sidong.yang@xxxxxxxxxx>
---
io_uring/uring_cmd.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c
index ee7b49f47cb5..fa3a6f832460 100644
--- a/io_uring/uring_cmd.c
+++ b/io_uring/uring_cmd.c
@@ -209,6 +209,7 @@ int io_uring_cmd_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
if (!ac)
return -ENOMEM;
ioucmd->sqe = sqe;
+ memset(&ioucmd->pdu, 0, sizeof(ioucmd->pdu));
return 0;
}

--
2.43.0