From: KobaK <kobak@nvidia.com>
To: Jens Axboe <axboe@kernel.dk>, Pavel Begunkov <asml.silence@gmail.com>
Cc: Keith Busch <kbusch@kernel.org>, Ming Lei <ming.lei@redhat.com>,
	io-uring@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, Koba Ko <kobak@nvidia.com>
Subject: [PATCH 3/3] io_uring/zcrx: fix resource leak and double-free hazard in io_import_umem
Date: Wed,  8 Apr 2026 14:54:08 +0800
Message-ID: <20260408065408.2017967-4-kobak@nvidia.com>
In-Reply-To: <20260408065408.2017967-1-kobak@nvidia.com>

From: Koba Ko <kobak@nvidia.com>

io_import_umem() has two problems:

1. When io_account_mem() fails, the function returns an error but leaves
   live pinned pages and sg_table in the mem struct without cleaning them
   up. The caller happens to handle this today via io_zcrx_free_area() ->
   io_release_area_mem(), but the contract is fragile.

2. io_release_area_mem() doesn't NULL out mem->pages after kvfree(),
   making it unsafe to call twice. Since io_zcrx_free_area() always
   calls it during teardown, any earlier cleanup call would cause a
   double-free.

Fix both: populate mem fields before io_account_mem() so
io_release_area_mem() can do a proper cleanup on failure, and add
mem->pages = NULL in io_release_area_mem() to make it idempotent.

Fixes: 262ab205180d2 ("io_uring/zcrx: account area memory")
Signed-off-by: Koba Ko <kobak@nvidia.com>
---
 io_uring/zcrx.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 62d693287457f..c9ed1139c7bcd 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -188,6 +188,8 @@ static unsigned long io_count_account_pages(struct page **pages, unsigned nr_pag
 	return res;
 }
 
+static void io_release_area_mem(struct io_zcrx_mem *mem);
+
 static int io_import_umem(struct io_zcrx_ifq *ifq,
 			  struct io_zcrx_mem *mem,
 			  struct io_uring_zcrx_area_reg *area_reg)
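Review bot: the forward declaration of io_release_area_mem() added here is avoidable; the function is defined immediately after io_import_umem() in this same file (its definition line is the trailing context of the next hunk), so moving that definition above io_import_umem() lets the patch drop the prototype, which is the usual preference for static helpers in io_uring/. If the reorder is rejected as too noisy for a fix, keep the prototype but say so in the commit message so nobody "cleans it up" later.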
@@ -213,16 +215,20 @@ static int io_import_umem(struct io_zcrx_ifq *ifq,
 		return ret;
 	}
 
-	mem->account_pages = io_count_account_pages(pages, nr_pages);
-	ret = io_account_mem(ifq->user, ifq->mm_account, mem->account_pages);
-	if (ret < 0)
-		mem->account_pages = 0;
-
 	mem->sgt = &mem->page_sg_table;
 	mem->pages = pages;
 	mem->nr_folios = nr_pages;
 	mem->size = area_reg->len;
-	return ret;
+
+	mem->account_pages = io_count_account_pages(pages, nr_pages);
+	ret = io_account_mem(ifq->user, ifq->mm_account, mem->account_pages);
+	if (ret < 0) {
+		mem->account_pages = 0;
+		io_release_area_mem(mem);
+		return ret;
+	}
+
+	return 0;
 }
 
 static void io_release_area_mem(struct io_zcrx_mem *mem)
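Review bot: the `mem->account_pages = 0;` that now precedes io_release_area_mem() in the error path carries no comment, yet its position is the whole point: the pre-patch code also zeroed it on failure, and zeroing it before the release call only matters if io_release_area_mem() uncharges mem->account_pages, in which case a later reorder would uncharge pages that io_account_mem() never charged. Add a one-line comment such as `/* nothing was accounted; keep release from unaccounting */`. Also, the commit message states the caller already reaches io_release_area_mem() through io_zcrx_free_area(), so this new in-function call is what turns the error path into a double release; the change is only correct together with the `mem->pages = NULL` reset in the last hunk and whatever guard encloses that block. Either spell out that dependency in the commit message, or keep a single cleanup site (the caller's) and leave this path as `return ret;` with the populated fields.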
@@ -236,6 +242,7 @@ static void io_release_area_mem(struct io_zcrx_mem *mem)
 		sg_free_table(mem->sgt);
 		mem->sgt = NULL;
 		kvfree(mem->pages);
+		mem->pages = NULL;
 	}
 }
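Review bot: `mem->pages = NULL;` makes the kvfree() safe to repeat, but the condition that encloses this block sits outside the visible context, and repeated calls are only safe if that condition tests mem->pages (or mem->sgt, which the block also clears); sg_free_table() is not NULL-safe, so a second pass that reaches it with the NULL left in mem->sgt would crash rather than double-free. Please confirm the guard in the reply or include it in the hunk context. It would also be consistent to reset mem->nr_folios here alongside mem->pages, so no later path observes a non-zero folio count paired with a NULL page array.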
 
-- 
2.43.0
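The cleanup contract the commit message argues for (populate the struct before the step that can fail, then rely on a release function that is safe to call twice) is shown below as an added, self-contained C model. It is not io_uring code and uses no kernel API: struct demo_mem, demo_import_mem(), demo_release_mem(), demo_account_mem() and the demo_live_allocs/demo_accounted counters are hypothetical stand-ins for io_zcrx_mem, io_import_umem(), io_release_area_mem(), io_account_mem() and the kernel's allocation bookkeeping, and demo_account_limit is a constructed limit chosen so that the accounting step fails.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct io_zcrx_mem; not the io_uring type. */
struct demo_mem {
	void **pages;		/* pinned page array (kvmalloc'd in the real code) */
	size_t nr_pages;	/* mem->nr_folios */
	int sgt_alloced;	/* mem->sgt pointing at page_sg_table */
	size_t account_pages;
};

/* Constructed bookkeeping so the scenario below can detect leaks. */
static int demo_live_allocs;			/* outstanding page-array + sg-table objects */
static long demo_accounted;			/* pages currently charged to the user */
static const long demo_account_limit = 64;	/* constructed rlimit stand-in */

/* Stand-in for io_account_mem(): fails once the constructed limit is exceeded. */
static int demo_account_mem(size_t n)
{
	if (demo_accounted + (long)n > demo_account_limit)
		return -ENOMEM;
	demo_accounted += (long)n;
	return 0;
}

/* Stand-in for io_release_area_mem(): each resource is released once and its
 * field reset, so a repeated call (the area-level teardown) is a no-op. */
static void demo_release_mem(struct demo_mem *mem)
{
	if (mem->account_pages) {
		demo_accounted -= (long)mem->account_pages;
		mem->account_pages = 0;
	}
	if (!mem->pages)
		return;
	if (mem->sgt_alloced) {			/* sg_free_table() stand-in */
		demo_live_allocs--;
		mem->sgt_alloced = 0;
	}
	free(mem->pages);			/* kvfree() stand-in */
	demo_live_allocs--;
	mem->pages = NULL;
	mem->nr_pages = 0;
}

/* Stand-in for io_import_umem(): mem is fully populated before the step that
 * can fail, so the error path simply hands everything to demo_release_mem(). */
static int demo_import_mem(struct demo_mem *mem, size_t nr_pages)
{
	void **pages = calloc(nr_pages, sizeof(*pages));	/* pin + kvmalloc stand-in */

	if (!pages)
		return -ENOMEM;
	demo_live_allocs += 2;				/* page array + sg table */
	mem->pages = pages;
	mem->nr_pages = nr_pages;
	mem->sgt_alloced = 1;

	mem->account_pages = nr_pages;
	if (demo_account_mem(mem->account_pages) < 0) {
		/* Nothing was charged: zero it first so release does not uncharge. */
		mem->account_pages = 0;
		demo_release_mem(mem);
		return -ENOMEM;
	}
	return 0;
}

/* Runs both situations the patch is about: a failed import followed by the
 * unconditional teardown a caller still performs, and a successful import
 * released twice. Returns 0 when nothing leaked and no release ran twice. */
static int demo_check_cleanup_contract(void)
{
	struct demo_mem mem;

	/* 1. accounting fails: import cleans up itself, caller releases again */
	memset(&mem, 0, sizeof(mem));
	demo_live_allocs = 0;
	demo_accounted = 0;
	if (demo_import_mem(&mem, (size_t)demo_account_limit + 1) != -ENOMEM)
		return 1;
	if (mem.pages || mem.sgt_alloced || mem.account_pages)
		return 2;
	demo_release_mem(&mem);		/* as io_zcrx_free_area() would */
	if (demo_live_allocs != 0 || demo_accounted != 0)
		return 3;

	/* 2. success: the charge is visible, then a double release balances to zero */
	if (demo_import_mem(&mem, 8) != 0)
		return 4;
	if (demo_accounted != 8 || demo_live_allocs != 2)
		return 5;
	demo_release_mem(&mem);
	demo_release_mem(&mem);
	return (demo_live_allocs == 0 && demo_accounted == 0) ? 0 : 6;
}

int main(void)
{
	printf("cleanup contract check: %d\n", demo_check_cleanup_contract());
	return 0;
}
```

The two details the model makes visible are the ones a reader of the diff has to take on trust: the release function returns early on a NULL page array, so the second call from the caller's teardown cannot reach the free, and account_pages is cleared before the release runs on the failure path, so a charge that never happened is not reversed.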



Thread overview: 9+ messages
2026-04-08  6:54 [PATCH 0/3] io_uring: fix resource leak issues KobaK
2026-04-08  6:54 ` [PATCH 1/3] io_uring: fix pinned pages and pages array leak in io_region_pin_pages() KobaK
2026-04-08  8:34   ` Pavel Begunkov
2026-04-08  6:54 ` [PATCH 2/3] io_uring/rsrc: use io_cache_free for node in io_buffer_register_bvec error path KobaK
2026-04-08  8:35   ` Pavel Begunkov
2026-04-08 12:49     ` Jens Axboe
2026-04-08  6:54 ` KobaK [this message]
2026-04-08  9:06   ` [PATCH 3/3] io_uring/zcrx: fix resource leak and double-free hazard in io_import_umem Pavel Begunkov
2026-04-08 12:51 ` [PATCH 0/3] io_uring: fix resource leak issues Jens Axboe
