From: David Howells <dhowells@redhat.com>
To: Christian Brauner <christian@brauner.io>
Cc: David Howells <dhowells@redhat.com>,
	Paulo Alcantara <pc@manguebit.org>,
	netfs@lists.linux.dev, linux-afs@lists.infradead.org,
	linux-cifs@vger.kernel.org, ceph-devel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	Matthew Wilcox <willy@infradead.org>,
	Christoph Hellwig <hch@infradead.org>,
	Jens Axboe <axboe@kernel.dk>
Subject: [PATCH v2 06/14] iov_iter: Fix a memory leak in iov_iter_extract_user_pages()
Date: Wed, 24 Jun 2026 12:57:27 +0100	[thread overview]
Message-ID: <20260624115737.2964520-7-dhowells@redhat.com> (raw)
In-Reply-To: <20260624115737.2964520-1-dhowells@redhat.com>

There's a potential memory leak in callers of iov_iter_extract_user_pages()
whereby if a pages array is allocated in the function, it isn't freed before
returning an error or 0.

Now, it's not a leak per se in iov_iter_extract_user_pages() as, if an
array is allocated, it's returned through *pages, so it's incumbent on the
caller to free it.  However, not all callers do.

Fix this by freeing the table and clearing *pages before returning an error
or 0.  Note that iov_iter_extract_pages() and its subfunctions are allowed
to return 0 without returning an array (for instance if the iterator count
is 0).

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Closes: https://sashiko.dev/#/patchset/20260616100821.2062304-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Paulo Alcantara <pc@manguebit.org>
cc: Matthew Wilcox <willy@infradead.org>
cc: Christoph Hellwig <hch@infradead.org>
cc: Jens Axboe <axboe@kernel.dk>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
---
 lib/iov_iter.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 1661c237b643..5a6434709716 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -1756,6 +1756,7 @@ static ssize_t iov_iter_extract_user_pages(struct iov_iter *i,
 	unsigned long addr;
 	unsigned int gup_flags = 0;
 	size_t offset;
+	bool will_alloc = !*pages;
 	int res;
 
 	if (i->data_source == ITER_DEST)
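Review bot: `will_alloc` silently encodes the "*pages == NULL means the callee allocates" convention, and nothing in the hunk says so; a one-line comment would make the later `if (will_alloc)` cleanup self-explanatory to the next reader, e.g. `bool will_alloc = !*pages;	/* we allocate *pages, so we must free it on failure */`. It also has to stay the first thing evaluated against *pages, before any helper that may store into it, otherwise it no longer records the caller's intent.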
@@ -1772,8 +1773,14 @@ static ssize_t iov_iter_extract_user_pages(struct iov_iter *i,
 	if (!maxpages)
 		return -ENOMEM;
 	res = pin_user_pages_fast(addr, maxpages, gup_flags, *pages);
-	if (unlikely(res <= 0))
+	if (unlikely(res <= 0)) {
+		if (will_alloc) {
+			kvfree(*pages);
+			*pages = NULL;
+		}
 		return res;
+	}
+
 	maxsize = min_t(size_t, maxsize, res * PAGE_SIZE - offset);
 	iov_iter_advance(i, maxsize);
 	return maxsize;
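Review bot: the cleanup only covers the `res <= 0` path after pin_user_pages_fast(); the `return -ENOMEM` when `!maxpages` two lines above it still returns without touching *pages, which is only correct if the allocation step that produced maxpages leaves *pages NULL on failure, so either confirm that or route that exit through the same cleanup. The `if (will_alloc) { kvfree(*pages); *pages = NULL; }` sequence is also the same thing iov_iter_extract_bvec_pages() and iov_iter_extract_xarray_pages() (patches 04 and 05 of this series) need, so a small static helper would keep the three in step. Finally, since callers are now meant to rely on *pages being NULL after an error or 0 return when the function allocated it, that contract belongs in the kdoc of the public entry point.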


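The ownership rule the patch enforces, as an added user-space model that is not kernel code: a hypothetical extract_pages() either fills an array the caller passed in (*pages non-NULL) or allocates one and hands it back through *pages, and a simulated pin step can return 0 or an error. The buggy variant leaves the allocated array behind on failure; the fixed variant frees it and clears *pages, while a caller-supplied array is never touched. A counting allocator makes the leak observable. All names, the fake pin and the sample outcomes are constructed for this example.

```c
/* Added example, not from lib/iov_iter.c: a user-space model of the
 * *pages out-parameter ownership rule fixed by this patch. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/types.h>

/* Number of arrays currently allocated and not freed: >0 after a run means a leak. */
static int live_allocs;

static void **array_alloc(int maxpages)
{
	void **p = calloc((size_t)maxpages, sizeof(*p));
	if (p)
		live_allocs++;
	return p;
}

static void array_free(void **p)
{
	if (p) {
		free(p);
		live_allocs--;
	}
}

/* Stand-in for pin_user_pages_fast(): the outcome is an input here. */
static int fake_pin(void **pages, int maxpages, int pin_result)
{
	for (int i = 0; i < pin_result && i < maxpages; i++)
		pages[i] = (void *)(uintptr_t)(i + 1);	/* fake page references */
	return pin_result;
}

/* Hypothetical extractor: returns pages pinned (>0), 0 for none, or -errno.
 * If *pages is NULL on entry the function allocates the array itself. */
static ssize_t extract_pages(void ***pages, int maxpages, int pin_result, bool fixed)
{
	bool will_alloc = !*pages;	/* we allocate, so on failure we free */
	int res;

	if (will_alloc) {
		*pages = array_alloc(maxpages);
		if (!*pages)
			return -ENOMEM;
	}
	res = fake_pin(*pages, maxpages, pin_result);
	if (res <= 0) {
		if (fixed && will_alloc) {	/* the patch's cleanup */
			array_free(*pages);
			*pages = NULL;
		}
		return res;
	}
	return res;
}

/* A caller of the kind the commit message describes: it frees the array
 * only on success. Returns how many arrays are still live afterwards. */
int leaked_arrays_after(int pin_result, bool fixed)
{
	void **pages = NULL;
	ssize_t n;

	live_allocs = 0;
	n = extract_pages(&pages, 4, pin_result, fixed);
	if (n > 0)
		array_free(pages);	/* used pages[0..n) first */
	return live_allocs;	/* buggy + failure: 1 (leaked); fixed: 0 */
}

/* With the fix, *pages is NULL after an error so the caller cannot double free. */
bool pages_cleared_after_error(bool fixed)
{
	void **pages = NULL;

	live_allocs = 0;
	(void)extract_pages(&pages, 4, -EFAULT, fixed);
	return pages == NULL;
}

/* A caller-supplied array must survive a failed pin untouched. */
bool caller_array_untouched_on_error(void)
{
	void *buf[4] = { 0 };
	void **pages = buf;

	live_allocs = 0;
	(void)extract_pages(&pages, 4, -EFAULT, true);
	return pages == buf && live_allocs == 0;
}

int main(void)
{
	return (leaked_arrays_after(-EFAULT, false) == 1 &&
		leaked_arrays_after(-EFAULT, true) == 0 &&
		caller_array_untouched_on_error()) ? 0 : 1;
}
```

The tracking allocator is what turns "the caller forgot to free" into something a test can assert on; in the kernel the equivalent signal is kmemleak or a kvfree() imbalance under a debug allocator.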

Thread overview: 17+ messages
2026-06-24 11:57 [PATCH v2 00/14] netfs: Miscellaneous fixes David Howells
2026-06-24 11:57 ` [PATCH v2 01/14] netfs: Fix decision whether to disallow write-streaming due to fscache use David Howells
2026-06-24 11:57 ` [PATCH v2 02/14] cachefiles: Fix double fput David Howells
2026-06-24 11:57 ` [PATCH v2 03/14] cachefiles: Fix file burial to take lock when unsetting S_KERNEL_FILE David Howells
2026-06-24 11:57 ` [PATCH v2 04/14] iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages() David Howells
2026-06-24 13:41   ` Christoph Hellwig
2026-06-24 11:57 ` [PATCH v2 05/14] iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages() David Howells
2026-06-24 11:57 ` David Howells [this message]
2026-06-24 11:57 ` [PATCH v2 07/14] iov_iter: Remove unused variable in kunit_iov_iter.c David Howells
2026-06-24 11:57 ` [PATCH v2 08/14] scatterlist: Fix offset in folio calc in extract_xarray_to_sg() David Howells
2026-06-24 11:57 ` [PATCH v2 09/14] netfs: Fix kdoc warning David Howells
2026-06-24 11:57 ` [PATCH v2 10/14] netfs: Replace wb_lock with a bit lock for asynchronicity David Howells
2026-06-24 11:57 ` [PATCH v2 11/14] netfs: Fix writethrough to use collection offload David Howells
2026-06-24 11:57 ` [PATCH v2 12/14] netfs: Fix writeback error handling David Howells
2026-06-24 11:57 ` [PATCH v2 13/14] netfs: Fix folio state after ENOMEM whilst under writeback iteration David Howells
2026-06-24 11:57 ` [PATCH v2 14/14] netfs: Fix DIO write retry for filesystems without a ->prepare_write() David Howells
2026-06-24 14:21   ` ChenXiaoSong
