From: Pavel Begunkov <asml.silence@gmail.com>
To: KobaK <kobak@nvidia.com>, Jens Axboe <axboe@kernel.dk>
Cc: Keith Busch <kbusch@kernel.org>, Ming Lei <ming.lei@redhat.com>,
io-uring@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/3] io_uring/zcrx: fix resource leak and double-free hazard in io_import_umem
Date: Wed, 8 Apr 2026 10:06:23 +0100
Message-ID: <b340d088-a221-43db-b524-1f181152db3d@gmail.com>
In-Reply-To: <20260408065408.2017967-4-kobak@nvidia.com>
On 4/8/26 07:54, KobaK wrote:
> From: Koba Ko <kobak@nvidia.com>
>
> io_import_umem() has two problems:
>
> 1. When io_account_mem() fails, the function returns an error but leaves
> live pinned pages and sg_table in the mem struct without cleaning them
> up. The caller happens to handle this today via io_zcrx_free_area() ->
> io_release_area_mem(), but the contract is fragile.
That was the intention for the caller to clean it up, but in either
case the function has already been rewritten. In general, it seems
you based your patches on top of an outdated tree.
> 2. io_release_area_mem() doesn't NULL out mem->pages after kvfree(),
> making it unsafe to call twice. Since io_zcrx_free_area() always
> calls it during teardown, any earlier cleanup call would cause a
> double-free.
>
> Fix both: populate mem fields before io_account_mem() so
> io_release_area_mem() can do a proper cleanup on failure, and add
> mem->pages = NULL in io_release_area_mem() to make it idempotent.
>
> Fixes: 262ab205180d2 ("io_uring/zcrx: account area memory")
> Signed-off-by: Koba Ko <kobak@nvidia.com>
> ---
...
>
> static void io_release_area_mem(struct io_zcrx_mem *mem)
> @@ -236,6 +242,7 @@ static void io_release_area_mem(struct io_zcrx_mem *mem)
> sg_free_table(mem->sgt);
> mem->sgt = NULL;
> kvfree(mem->pages);
> + mem->pages = NULL;
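Review bot: clearing mem->pages after kvfree() only makes a repeat call safe if something above the visible context returns early when mem->pages is already NULL; the lines shown still reach sg_free_table(mem->sgt) unconditionally, and after the first call mem->sgt is NULL, so from this hunk alone a second call on the same live struct is not obviously a no-op. Either include that guard in the hunk context or say in the commit message which caller can invoke io_release_area_mem() twice on a struct that is still live; the message states that io_zcrx_free_area() always calls it on teardown but does not name the earlier cleanup call that would precede it.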
The entire struct io_zcrx_mem / area is freed right after,
calling io_zcrx_free_area() multiple times for the same area
is not allowed.
--
Pavel Begunkov
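The ownership contract the commit message describes (populate the fields before the fallible accounting step so one release routine can undo exactly what was set up, and make that routine safe to call again on a struct that is still live) modelled in user space. This is an added example, not kernel code and not the zcrx implementation: every model_* name, the global "limit" standing in for memory accounting, and the malloc-backed stand-ins for the pinned page array and the sg table are assumptions. It also shows what NULLing the pointers buys only when the struct outlives the first release call, which the reply above says is not the case after io_zcrx_free_area() frees the whole area.

```c
/* User-space model of an import/release pair with an error path that hands
 * cleanup to the release routine. Added example; names and the accounting
 * "limit" are invented stand-ins, not the kernel's io_uring/zcrx code. */
#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_sgt { size_t nents; };          /* stand-in for struct sg_table */

struct model_mem {
    void **pages;            /* stand-in for the pinned page array */
    size_t nr_pages;
    struct model_sgt *sgt;   /* stand-in for the scatterlist table */
    size_t accounted;        /* pages charged to the "limit", 0 if none */
};

/* Global stand-in for a memory limit so the accounting step can be made to
 * fail deterministically (assumption: real accounting is per-user rlimit). */
static size_t model_limit;
static size_t model_charged;

static int model_account_mem(size_t nr_pages)
{
    if (model_charged + nr_pages > model_limit)
        return -ENOMEM;
    model_charged += nr_pages;
    return 0;
}

/* Idempotent release: each field is cleared once its resource is gone, so a
 * second call on the same live struct does nothing instead of freeing twice. */
static void model_release_mem(struct model_mem *mem)
{
    if (!mem->pages)
        return;                 /* already released, or import never pinned */
    if (mem->sgt) {
        free(mem->sgt);
        mem->sgt = NULL;
    }
    if (mem->accounted) {
        model_charged -= mem->accounted;
        mem->accounted = 0;
    }
    free(mem->pages);
    mem->pages = NULL;
    mem->nr_pages = 0;
}

/* Import: every field is populated before the step that can fail, so the
 * error path can simply call the release routine. Returns 0 or -errno. */
static int model_import_mem(struct model_mem *mem, size_t nr_pages)
{
    int ret;

    memset(mem, 0, sizeof(*mem));
    mem->pages = calloc(nr_pages, sizeof(*mem->pages));
    if (!mem->pages)
        return -ENOMEM;
    mem->nr_pages = nr_pages;

    mem->sgt = malloc(sizeof(*mem->sgt));
    if (!mem->sgt) {
        ret = -ENOMEM;
        goto err;
    }
    mem->sgt->nents = nr_pages;

    ret = model_account_mem(nr_pages);      /* the fallible step */
    if (ret)
        goto err;
    mem->accounted = nr_pages;
    return 0;
err:
    model_release_mem(mem);                 /* undoes only what was set up */
    return ret;
}

/* Failure path: the import must fail with -ENOMEM, leave no live resources
 * or charges behind, and tolerate a redundant release. Returns 1 on success. */
static int model_failed_import_is_clean(void)
{
    struct model_mem mem;
    model_limit = 4;
    model_charged = 0;
    if (model_import_mem(&mem, 8) != -ENOMEM)   /* 8 > limit of 4 */
        return 0;
    if (mem.pages || mem.sgt || mem.accounted || model_charged)
        return 0;
    model_release_mem(&mem);                    /* second call: no-op */
    return model_charged == 0 && mem.pages == NULL;
}

/* Success path: charge is taken, then released exactly once even though the
 * release routine runs twice on the same live struct. Returns 1 on success. */
static int model_successful_import_round_trips(void)
{
    struct model_mem mem;
    model_limit = 16;
    model_charged = 0;
    if (model_import_mem(&mem, 8) != 0 || model_charged != 8)
        return 0;
    model_release_mem(&mem);
    model_release_mem(&mem);
    return model_charged == 0 && mem.pages == NULL && mem.sgt == NULL;
}

int main(void)
{
    printf("failed import clean: %d\n", model_failed_import_is_clean());
    printf("successful import round trip: %d\n", model_successful_import_round_trips());
    return 0;
}
```

The guard on mem->pages is what makes the second call harmless; without it the second call would free a NULL sgt pointer's target and free pages twice, which is exactly the hazard the commit message describes for a struct that is still live. When the caller frees the containing struct immediately after the first release, as the reply says io_zcrx_free_area() does, the guard and the NULL stores are unreachable and change nothing.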
Thread overview: 9+ messages
2026-04-08 6:54 [PATCH 0/3] io_uring: fix resource leak issues KobaK
2026-04-08 6:54 ` [PATCH 1/3] io_uring: fix pinned pages and pages array leak in io_region_pin_pages() KobaK
2026-04-08 8:34 ` Pavel Begunkov
2026-04-08 6:54 ` [PATCH 2/3] io_uring/rsrc: use io_cache_free for node in io_buffer_register_bvec error path KobaK
2026-04-08 8:35 ` Pavel Begunkov
2026-04-08 12:49 ` Jens Axboe
2026-04-08 6:54 ` [PATCH 3/3] io_uring/zcrx: fix resource leak and double-free hazard in io_import_umem KobaK
2026-04-08 9:06 ` Pavel Begunkov [this message]
2026-04-08 12:51 ` [PATCH 0/3] io_uring: fix resource leak issues Jens Axboe