Re: [PATCH] io_uring/nop: fix file reference leak with IOSQE_FIXED_FILE

Next message: Jakub Kicinski: "Re: [PATCH net-next v2] net: dsa: yt921x: Add limited ACL flow statistics support"
Previous message: John Groves: "[PATCH V6 04/10] dax/fsdev: don't leave a dangling dev_dax-&gt;pgmap on probe failure"
In reply to: Vasileios Almpanis: "[PATCH] io_uring/nop: fix file reference leak with IOSQE_FIXED_FILE"
Next in thread: Jens Axboe: "Re: [PATCH] io_uring/nop: fix file reference leak with IOSQE_FIXED_FILE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Axboe

Date: Mon Jun 15 2026 - 12:10:56 EST

On 6/15/26 8:45 AM, Vasileios Almpanis wrote:
> NOP file-acquisition support choses between a fixed (registered) file and
> a normal fget()'d file based on its own IORING_NOP_FIXED_FILE flag in
> sqe->nop_flags. However, a request's REQ_F_FIXED_FILE is set
> independently from the generic IOSQE_FIXED_FILE sqe flag during request
> init, before the issue handler runs.
>
> If a NOP is submitted with IOSQE_FIXED_FILE set (so REQ_F_FIXED_FILE is
> set) but without IORING_NOP_FIXED_FILE, io_nop() takes the normal path
> and grabs a real reference via io_file_get_normal(). On completion,
> io_put_file() only drops the reference when REQ_F_FIXED_FILE is clear,
> so the fget()'d file is never released and leaks:
>
> BUG: memory leak
> unreferenced object 0xffff88800f42c240 (size 176):
> kmem_cache_alloc_noprof+0x358/0x440
> alloc_empty_file+0x57/0x180
> path_openat+0x44/0x1e50
> do_file_open+0x121/0x200
> do_sys_openat2+0xa7/0x150
> __x64_sys_openat+0x82/0xf0
>
> Decide between fixed and normal file acquisition from REQ_F_FIXED_FILE,
> the same way io_assign_file() does for every other opcode, and fold
> IORING_NOP_FIXED_FILE into REQ_F_FIXED_FILE at prep time.

Fix looks good to me! I've written a test case for this as well, it's
in liburing.

--
Jens Axboe