superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

io_uring: fix potential page leak in io_sqe_buffer_register() 

If allocation of the 'imu' fails, then the existing pages aren't
unpinned in the error path. This is mostly a theoretical issue,
requiring fault injection to hit.

Move unpin_user_pages() to unified error handling to fix the page leak
issue.

Fixes: d8c2237d0a ("io_uring: add io_pin_pages() helper")
Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
Link: https://lore.kernel.org/r/20250617165644.79165-1-superman.xpt@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
pull/1270/head
Penglei Jiang 2025-06-17 09:56:44 -07:00 committed by Jens Axboe
parent f2320f1dd6
commit e1c75831f6
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
io_uring/rsrc.c
View File

@ -809,10 +809,8 @@ static struct io_rsrc_node *io_sqe_buffer_register(struct io_ring_ctx *ctx,
imu->nr_bvecs = nr_pages; imu->nr_bvecs = nr_pages;
ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage); ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage);
if (ret) { if (ret)
unpin_user_pages(pages, nr_pages);
goto done; goto done;
}
size = iov->iov_len; size = iov->iov_len;
/* store original address for later verification */ /* store original address for later verification */
@ -842,6 +840,8 @@ done:
if (ret) { if (ret) {
if (imu) if (imu)
io_free_imu(ctx, imu); io_free_imu(ctx, imu);
if (pages)
unpin_user_pages(pages, nr_pages);
io_cache_free(&ctx->node_cache, node); io_cache_free(&ctx->node_cache, node);
node = ERR_PTR(ret); node = ERR_PTR(ret);
} }