Re: [PATCH v2] io_uring/waitid: clear waitid info before copying it to userspace

Next message: Jens Axboe: "Re: [PATCH] io_uring: propagate array_index_nospec opcode into req-&gt;opcode"
Previous message: Jens Axboe: "Re: [PATCH] io_uring: propagate array_index_nospec opcode into req-&gt;opcode"
In reply to: Heechan Kang: "[PATCH v2] io_uring/waitid: clear waitid info before copying it to userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Axboe

Date: Sat May 16 2026 - 15:06:24 EST

On Sun, 17 May 2026 03:47:09 +0900, Heechan Kang wrote:
> IORING_OP_WAITID stores its result fields in struct io_waitid::info and
> later copies them to userspace siginfo. The prep path initializes the
> request arguments, but it does not initialize info itself.
>
> If the wait operation completes without reporting a child event, the common
> wait code can return without writing wo_info. In that case io_waitid_finish()
> still copies iw->info to userspace, exposing stale bytes from the reused
> io_kiocb command storage.
>
> [...]

Applied, thanks!

[1/1] io_uring/waitid: clear waitid info before copying it to userspace
commit: 93d93f5f8da791e98159795c6ef683f45bd95d13

Best regards,
--
Jens Axboe