From: KobaK <kobak@nvidia.com>
To: Jens Axboe <axboe@kernel.dk>, Pavel Begunkov <asml.silence@gmail.com>
Cc: Keith Busch <kbusch@kernel.org>, Ming Lei <ming.lei@redhat.com>,
io-uring@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, Koba Ko <kobak@nvidia.com>
Subject: [PATCH 1/3] io_uring: fix pinned pages and pages array leak in io_region_pin_pages()
Date: Wed, 8 Apr 2026 14:54:06 +0800
Message-ID: <20260408065408.2017967-2-kobak@nvidia.com>
In-Reply-To: <20260408065408.2017967-1-kobak@nvidia.com>
From: Koba Ko <kobak@nvidia.com>
When io_pin_pages() succeeds but the subsequent nr_pages sanity check
fires (WARN_ON_ONCE), the function returns -EFAULT without unpinning the
user pages or freeing the kvmalloc'd pages array. The caller's cleanup
via io_free_region() won't help either, because mr->pages was never
assigned — so the entire cleanup block is skipped.
Add unpin_user_pages() and kvfree() before the error return to prevent
the leak.
Fixes: a90558b36ccee ("io_uring/memmap: helper for pinning region pages")
Signed-off-by: Koba Ko <kobak@nvidia.com>
---
io_uring/memmap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/io_uring/memmap.c b/io_uring/memmap.c
index e6958968975a8..9f0d3750ce3bc 100644
--- a/io_uring/memmap.c
+++ b/io_uring/memmap.c
@@ -141,8 +141,11 @@ static int io_region_pin_pages(struct io_mapped_region *mr,
pages = io_pin_pages(reg->user_addr, size, &nr_pages);
if (IS_ERR(pages))
return PTR_ERR(pages);
- if (WARN_ON_ONCE(nr_pages != mr->nr_pages))
+ if (WARN_ON_ONCE(nr_pages != mr->nr_pages)) {
+ unpin_user_pages(pages, nr_pages);
+ kvfree(pages);
return -EFAULT;
+ }
mr->pages = pages;
mr->flags |= IO_REGION_F_USER_PROVIDED;
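Review bot: The new WARN_ON_ONCE branch would benefit from a one-line comment explaining why unpin_user_pages() takes the local nr_pages and not mr->nr_pages. The two counts are unequal by definition in this branch, and the local one is what io_pin_pages() actually pinned, so the call is correct as written, but a later cleanup that swaps in mr->nr_pages would either leave pages pinned or unpin past the end of the array. The kvfree(pages) matches the kvmalloc'd array described in the commit message. Since this is the only failure exit after a successful pin visible in the hunk, inline cleanup is fine; if more checks are added between io_pin_pages() and the mr->pages assignment, move the two calls under a shared error label so each new exit does not have to repeat them.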
--
2.43.0