Re: [PATCH] io_uring/waitid: clear waitid info before copying it to userspace
From: Jens Axboe
Date: Sat May 16 2026 - 14:28:16 EST
On 5/16/26 12:24 PM, 강희찬 wrote:
>
> IORING_OP_WAITID stores its result fields in struct io_waitid::info and
> later copies them to userspace siginfo. The prep path initializes the
> request arguments, but it does not initialize info itself.
>
> If the wait operation completes without reporting a child event, the common
> wait code can return without writing wo_info. In that case io_waitid_finish()
> still copies iw->info to userspace, exposing stale bytes from the reused
> io_kiocb command storage.
>
> Clear the result storage during prep so the io_uring path matches the
> regular waitid syscall, which uses a zero-initialized struct waitid_info.
>
> Fixes: f31ecf671ddc ("io_uring: add IORING_OP_WAITID support")
> Cc: stable@xxxxxxxxxxxxxxx # 6.7+
> Signed-off-by: Heechan Kang <gganji11@xxxxxxxxx>
> ---
> io_uring/waitid.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/io_uring/waitid.c b/io_uring/waitid.c
> index d25d60aed6a..32f68fd7fcd 100644
> --- a/io_uring/waitid.c
> +++ b/io_uring/waitid.c
> @@ -275,6 +275,7 @@int io_waitid_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
> iw->options = READ_ONCE(sqe->file_index);
> iw->head = NULL;
> iw->infop = u64_to_user_ptr(READ_ONCE(sqe->addr2));
> + memset(&iw->info, 0, sizeof(iw->info));
> return 0;
> }
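Review bot: the memset is placed after the other field assignments and just before the return, which is correct since nothing in between reads iw->info, but a one-line comment above it saying why it is needed (the common wait code can return without writing wo_info, so the result storage must not carry bytes from a previous request) would keep the next person from removing it as redundant. An equivalent form is `iw->info = (struct waitid_info){ };` if you prefer a designated initializer, though the memset matches the surrounding style. Separately, the hunk header on the `@@ -275,6 +275,7 @@int io_waitid_prep(...)` line has lost the space before the function context, a visible sign that the mail was reformatted in transit; resend as text/plain so the patch applies as posted.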
Patch looks fine, but you can't send html formatted stuff - it won't make
it to the list, and it also corrupts the patch so it can't get applied.
Send everything plain/text.
--
Jens Axboe
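As an added illustration of the bug class the commit message describes, and not code from the patch or from the kernel, the following stand-alone C program models the three pieces involved: per-request storage that is reused across requests, a wait path that writes the result struct only when it has a child event to report, and a finish path that copies the struct out unconditionally. All struct and function names are simplified stand-ins for the kernel types, and the sample pid/uid values are constructed; the program counts how many nonzero bytes reach the "user" buffer with and without the clearing step the patch adds.

```c
/* Added illustration, not kernel code: why a conditionally written result
 * struct in reused storage must be cleared before the request runs. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the kernel's struct waitid_info (assumed field set). */
struct waitid_info {
	int pid;
	int uid;
	int status;
	int cause;
};

/* Stand-in for struct io_waitid, the per-request command storage that is
 * reused for later requests without being cleared. */
struct io_waitid {
	int options;
	struct waitid_info info;
};

/* Models the common wait code: with nothing to report it returns 0 and
 * leaves *wo untouched, which is the behaviour the commit message relies on. */
static long do_wait_model(struct waitid_info *wo, int have_child_event)
{
	if (!have_child_event)
		return 0;
	wo->pid = 1234;     /* constructed sample values for a reaped child */
	wo->uid = 1000;
	wo->status = 0;
	wo->cause = 1;      /* stands in for CLD_EXITED */
	return wo->pid;
}

/* Models the finish path: the result fields are copied to the user buffer
 * whether or not the wait wrote them. */
static void waitid_finish_model(const struct io_waitid *iw, struct waitid_info *user_out)
{
	memcpy(user_out, &iw->info, sizeof *user_out);
}

/* Prep before the fix: only the request arguments are set. */
static void waitid_prep_unfixed(struct io_waitid *iw, int options)
{
	iw->options = options;
}

/* Prep after the fix: the result storage is cleared as well. */
static void waitid_prep_fixed(struct io_waitid *iw, int options)
{
	iw->options = options;
	memset(&iw->info, 0, sizeof(iw->info));
}

/* Runs a request with no child event through a slot that a previous,
 * successful request left populated, and returns how many nonzero bytes
 * reach the user buffer. Zero means no stale data is exposed. */
size_t stale_bytes_exposed(int use_fixed_prep)
{
	struct io_waitid slot;
	struct waitid_info user_buf;
	const unsigned char *p = (const unsigned char *)&user_buf;
	size_t i, nonzero = 0;

	/* Previous tenant of the slot: a request that did reap a child. */
	memset(&slot, 0, sizeof slot);
	do_wait_model(&slot.info, 1);

	/* New request reusing the slot; the wait has nothing to report. */
	if (use_fixed_prep)
		waitid_prep_fixed(&slot, 0);
	else
		waitid_prep_unfixed(&slot, 0);
	do_wait_model(&slot.info, 0);

	memset(&user_buf, 0, sizeof user_buf);
	waitid_finish_model(&slot, &user_buf);

	for (i = 0; i < sizeof user_buf; i++)
		nonzero += (p[i] != 0);
	return nonzero;
}

int main(void)
{
	printf("unfixed prep: %zu stale bytes copied out\n", stale_bytes_exposed(0));
	printf("fixed prep:   %zu stale bytes copied out\n", stale_bytes_exposed(1));
	return 0;
}
```

The unfixed run reports the previous request's pid, uid and cause bytes (five nonzero bytes with the constructed values), the fixed run reports none. The same shape, a status struct filled only on some paths and copied to userspace on all of them, is worth grepping for wherever a syscall's zero-initialised local has been replaced by a field in a longer-lived object.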