From: Pavel Begunkov
Date: Wed, 8 Apr 2026 10:06:23 +0100
Subject: Re: [PATCH 3/3] io_uring/zcrx: fix resource leak and double-free hazard in io_import_umem
To: KobaK, Jens Axboe
Cc: Keith Busch, Ming Lei, io-uring@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20260408065408.2017967-1-kobak@nvidia.com> <20260408065408.2017967-4-kobak@nvidia.com>
In-Reply-To: <20260408065408.2017967-4-kobak@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

On 4/8/26 07:54, KobaK wrote:
> From: Koba Ko
>
> io_import_umem() has two problems:
>
> 1. When io_account_mem() fails, the function returns an error but leaves
>    live pinned pages and sg_table in the mem struct without cleaning them
>    up. The caller happens to handle this today via io_zcrx_free_area() ->
>    io_release_area_mem(), but the contract is fragile.

That was the intention for the caller to clean it up, but in either case
the function has already been rewritten. In general, it seems you based
your patches on top of an outdated tree.

> 2. io_release_area_mem() doesn't NULL out mem->pages after kvfree(),
>    making it unsafe to call twice. Since io_zcrx_free_area() always
>    calls it during teardown, any earlier cleanup call would cause a
>    double-free.
>
> Fix both: populate mem fields before io_account_mem() so
> io_release_area_mem() can do a proper cleanup on failure, and add
> mem->pages = NULL in io_release_area_mem() to make it idempotent.
>
> Fixes: 262ab205180d2 ("io_uring/zcrx: account area memory")
> Signed-off-by: Koba Ko
> ---
...
>
>  static void io_release_area_mem(struct io_zcrx_mem *mem)
> @@ -236,6 +242,7 @@ static void io_release_area_mem(struct io_zcrx_mem *mem)
>  	sg_free_table(mem->sgt);
>  	mem->sgt = NULL;
>  	kvfree(mem->pages);
> +	mem->pages = NULL;

The entire struct io_zcrx_mem / area is freed right after; calling
io_zcrx_free_area() multiple times for the same area is not allowed.

-- 
Pavel Begunkov
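Review bot: the `+	mem->pages = NULL;` line in the io_release_area_mem() hunk only counts as a double-free fix if a second call into this function is a supported path, and the reply in this thread says it is not: the struct io_zcrx_mem / area is freed right after release, so calling io_zcrx_free_area() twice on one area is already a bug upstream of this function. Keeping the assignment as defensive hygiene that matches the `mem->sgt = NULL;` two lines above is fine, but the commit message should then stop describing it as making the function idempotent or fixing a double-free, and the Fixes: tag pointing at 262ab205180d2 ("io_uring/zcrx: account area memory") should be rechecked for this part, since that commit concerns accounting rather than the pages array. Clearing one pointer also does not by itself make the release safe to repeat; every other teardown step the hunk does not show would need the same treatment. The first change (populating mem fields before io_account_mem()) is elided with "..." here, so it cannot be reviewed from this excerpt.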