From: Pavel Begunkov <asml.silence@gmail.com>
To: KobaK <kobak@nvidia.com>, Jens Axboe <axboe@kernel.dk>
Cc: Keith Busch <kbusch@kernel.org>, Ming Lei <ming.lei@redhat.com>,
	io-uring@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/3] io_uring: fix pinned pages and pages array leak in io_region_pin_pages()
Date: Wed, 8 Apr 2026 09:34:59 +0100
Message-ID: <336062ec-5fcd-46ad-a839-6ddbff7f9fb9@gmail.com>
In-Reply-To: <20260408065408.2017967-2-kobak@nvidia.com>

On 4/8/26 07:54, KobaK wrote:
> From: Koba Ko <kobak@nvidia.com>
> 
> When io_pin_pages() succeeds but the subsequent nr_pages sanity check
> fires (WARN_ON_ONCE), the function returns -EFAULT without unpinning the
> user pages or freeing the kvmalloc'd pages array. The caller's cleanup
> via io_free_region() won't help either, because mr->pages was never
> assigned — so the entire cleanup block is skipped.
> 
> Add unpin_user_pages() and kvfree() before the error return to prevent
> the leak.
> 
> Fixes: a90558b36ccee ("io_uring/memmap: helper for pinning region pages")
> Signed-off-by: Koba Ko <kobak@nvidia.com>

It's a WARN path, it should never happen, but if it does, that means
io_pin_pages() is buggy, and it's better to leak rather than risk
something nastier.

> ---
>   io_uring/memmap.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/io_uring/memmap.c b/io_uring/memmap.c
> index e6958968975a8..9f0d3750ce3bc 100644
> --- a/io_uring/memmap.c
> +++ b/io_uring/memmap.c
> @@ -141,8 +141,11 @@ static int io_region_pin_pages(struct io_mapped_region *mr,
>   	pages = io_pin_pages(reg->user_addr, size, &nr_pages);
>   	if (IS_ERR(pages))
>   		return PTR_ERR(pages);
> -	if (WARN_ON_ONCE(nr_pages != mr->nr_pages))
> +	if (WARN_ON_ONCE(nr_pages != mr->nr_pages)) {
> +		unpin_user_pages(pages, nr_pages);
> +		kvfree(pages);
>   		return -EFAULT;
> +	}
>   
>   	mr->pages = pages;
>   	mr->flags |= IO_REGION_F_USER_PROVIDED;
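
Review bot: the cleanup added inside the WARN_ON_ONCE branch calls unpin_user_pages(pages, nr_pages) with the same nr_pages that has just failed the check against mr->nr_pages, so it relies on io_pin_pages() output at the one point where that output is known to be inconsistent. If the mismatch reflects a bug in io_pin_pages(), the array contents and the count are both in doubt, and unpinning by that count may not match what was actually pinned. Either add a comment stating why the returned nr_pages is still the correct bound for unpin_user_pages() on this path, or keep the bare return -EFAULT and add a comment that the leak here is deliberate.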

-- 
Pavel Begunkov


Thread overview: 9+ messages
2026-04-08  6:54 [PATCH 0/3] io_uring: fix resource leak issues KobaK
2026-04-08  6:54 ` [PATCH 1/3] io_uring: fix pinned pages and pages array leak in io_region_pin_pages() KobaK
2026-04-08  8:34   ` Pavel Begunkov [this message]
2026-04-08  6:54 ` [PATCH 2/3] io_uring/rsrc: use io_cache_free for node in io_buffer_register_bvec error path KobaK
2026-04-08  8:35   ` Pavel Begunkov
2026-04-08 12:49     ` Jens Axboe
2026-04-08  6:54 ` [PATCH 3/3] io_uring/zcrx: fix resource leak and double-free hazard in io_import_umem KobaK
2026-04-08  9:06   ` Pavel Begunkov
2026-04-08 12:51 ` [PATCH 0/3] io_uring: fix resource leak issues Jens Axboe
