From: KobaK <kobak@nvidia.com>
To: Jens Axboe <axboe@kernel.dk>, Pavel Begunkov <asml.silence@gmail.com>
Cc: Keith Busch <kbusch@kernel.org>, Ming Lei <ming.lei@redhat.com>,
io-uring@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, Koba Ko <kobak@nvidia.com>
Subject: [PATCH 0/3] io_uring: fix resource leak issues
Date: Wed, 8 Apr 2026 14:54:05 +0800 [thread overview]
Message-ID: <20260408065408.2017967-1-kobak@nvidia.com> (raw)
From: Koba Ko <kobak@nvidia.com>
Three resource leak fixes found by code audit:
1. memmap: pinned pages and pages array leak on WARN_ON path in
io_region_pin_pages() — mr->pages is never assigned so the caller's
cleanup is a no-op.
2. rsrc: kfree() used instead of io_cache_free() in
io_buffer_register_bvec() error path — bypasses cache return.
3. zcrx: io_import_umem() leaves live pinned pages in a partially
initialized struct on io_account_mem() failure, and
io_release_area_mem() is not idempotent (missing pages = NULL),
creating a double-free hazard.
Koba Ko (3):
io_uring: fix pinned pages and pages array leak in
io_region_pin_pages()
io_uring/rsrc: use io_cache_free for node in io_buffer_register_bvec
error path
io_uring/zcrx: fix resource leak and double-free hazard in
io_import_umem
io_uring/memmap.c | 5 ++++-
io_uring/rsrc.c | 2 +-
io_uring/zcrx.c | 19 +++++++++++++------
3 files changed, 18 insertions(+), 8 deletions(-)
--
2.43.0
next reply other threads:[~2026-04-08 6:54 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 6:54 KobaK [this message]
2026-04-08 6:54 ` [PATCH 1/3] io_uring: fix pinned pages and pages array leak in io_region_pin_pages() KobaK
2026-04-08 8:34 ` Pavel Begunkov
2026-04-08 6:54 ` [PATCH 2/3] io_uring/rsrc: use io_cache_free for node in io_buffer_register_bvec error path KobaK
2026-04-08 8:35 ` Pavel Begunkov
2026-04-08 12:49 ` Jens Axboe
2026-04-08 6:54 ` [PATCH 3/3] io_uring/zcrx: fix resource leak and double-free hazard in io_import_umem KobaK
2026-04-08 9:06 ` Pavel Begunkov
2026-04-08 12:51 ` [PATCH 0/3] io_uring: fix resource leak issues Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260408065408.2017967-1-kobak@nvidia.com \
--to=kobak@nvidia.com \
--cc=asml.silence@gmail.com \
--cc=axboe@kernel.dk \
--cc=io-uring@vger.kernel.org \
--cc=kbusch@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ming.lei@redhat.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.