From nobody Mon Jun 15 05:17:01 2026 Received: from MW6PR02CU001.outbound.protection.outlook.com (mail-westus2azon11012032.outbound.protection.outlook.com [52.101.48.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D60E536495E; Wed, 8 Apr 2026 06:54:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.48.32 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775631263; cv=fail; b=ONnZbJNlFX1wRCaFBau1y9L66kqTGphVwmLtg+1If40BxvB/RjcJeD4rfC0f5StLmky+hthekw5k1aWNE/b4dffnD5REv+PiVrrYS+bgOnigQMbdbo96CNHHr6Y4V80xP4gsUGZWodd6HGhO5GmDIgQXLLVEQALDe9s4XUMW+OA= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775631263; c=relaxed/simple; bh=Fc0PkfxjbOmxusn9lg48Yk29/IhMhLdVSlcHiNlncNs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: Content-Type:MIME-Version; b=d5UUeIZSrobZLgguFYQ2OHpjwFx9oqe/2YxQbbJG4vd12hpu+KWlBjd6MAzBA5loBcuAjXe0xIXLZ1O9rVplOVF/ZadTLYmiSrJMdLaOPMJPw9ATrek2zyReCF108qyp4A9EZOUdGkLU0Q3qj3P0QaFySuwfvF6HVgfAX4lLqbs= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=Ii7UkdVm; arc=fail smtp.client-ip=52.101.48.32 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="Ii7UkdVm" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ax7GiawnNWWMT8fWwzLkX6EOgZiPkZKTb5iYECgs8EjHrp69FrSYOD1SUqQJkbfUtDzY/YkEJ6TiAAFgMwrYI7fZkbZmCqMCDZAYcIVezqzYL/zmex4DcTlNz0N+rBPlkqlYasFXMMMO9BpeYYAUZ2ed4Xn+E31vET3kDGHd78aGv0E9iPTREa45bpUmJXHmeQAhIdECR25QCTLsefY5ZT0CweNfxC/n2Xx+t3deV0J8ESAutThtIWONHkZtKNxFV7YzAYEOxfIZ9awn6b2nMSPlBcmTJBbQuelZHEdjH/WGPZ9rUkDkf9j4FOi8c0awnOWT3tz9kGOyYx+dRNZgjw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=hV/2srNa4z7lJxx79cn3ybAgn7icbGz7Xw873E7u0z8=; b=S+wa1iH0q6MNx7EzoToRJVfxmMUpweCu34Tax4YqWtkxJkxQhCQzhpJtX2XjgcvVE41uKa+rzDP9B+70N1Kbn8a11zKXqA5YOA1bY9e0UVH9+wv+t1IyLKe5pYUbyCK8DOYHKJh7YJEEXa1zRTm8dV/uUywGcNXnVpaibf1Np861mhE0WEW5N1bHR+hN5cc2JNerm84kO/uHto25R6yhNqFYjTJSOh1n/e3mt2R4MOfWLglX1My0SsZHLKn5Ks05sdUnxcRUONi2WTyvMbxx8jJyruWRqXhI38vlIAO+CfyFgcdb7/v5Yz/R1VxJsxkXEiYA+ig8TGq0mmcp+LScDA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nvidia.com; dmarc=pass action=none header.from=nvidia.com; dkim=pass header.d=nvidia.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hV/2srNa4z7lJxx79cn3ybAgn7icbGz7Xw873E7u0z8=; b=Ii7UkdVmJE+beRAN8NIao+KjUokDNgfvE1lCa5d8BXH27VXDuaffS5m41XtdR0TSgoDwJMiiQAE3bpTZRddsqhtWsKksCnTjhBCoGsM3WWqdBEKZX4DUY83bs393o/ycvRaFTf4w52KT4XLoBS5QM8bvoFk/PCxXIf2YONgBZyg8ddywqP4Edc9zZDo/fnxLLTltqj8inin2H8T2yJEtzyzG1oIwK8Or7fYMzJufMs4D88Oq+sxtMTuklTEVeeJCNZlFRcMpQXZKt6JGTXfcDmDnfkQL6I2zHnaNykzcizKYOcHq5Qj1EyQEYn73S2SIMSSQFDLdQ1dnuKgYeFgjkg== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nvidia.com; Received: from CHXPR12MB999244.namprd12.prod.outlook.com (2603:10b6:610:2fc::17) by LV3PR12MB9412.namprd12.prod.outlook.com (2603:10b6:408:211::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.17; Wed, 8 Apr 2026 06:54:19 +0000 Received: from CHXPR12MB999244.namprd12.prod.outlook.com ([fe80::168f:599c:f74d:7688]) by CHXPR12MB999244.namprd12.prod.outlook.com ([fe80::168f:599c:f74d:7688%5]) with mapi id 15.20.9769.018; Wed, 8 Apr 2026 06:54:19 +0000 From: KobaK To: Jens Axboe , Pavel Begunkov Cc: Keith Busch , Ming Lei , io-uring@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Koba Ko Subject: [PATCH 1/3] io_uring: fix pinned pages and pages array leak in io_region_pin_pages() Date: Wed, 8 Apr 2026 14:54:06 +0800 Message-ID: <20260408065408.2017967-2-kobak@nvidia.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260408065408.2017967-1-kobak@nvidia.com> References: <20260408065408.2017967-1-kobak@nvidia.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: TY4PR01CA0026.jpnprd01.prod.outlook.com (2603:1096:405:2bf::12) To CHXPR12MB999244.namprd12.prod.outlook.com (2603:10b6:610:2fc::17) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CHXPR12MB999244:EE_|LV3PR12MB9412:EE_ X-MS-Office365-Filtering-Correlation-Id: 239d698f-268c-4d18-aeab-08de953ba852 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|376014|366016|22082099003|18002099003|56012099003; X-Microsoft-Antispam-Message-Info: W98h8IbKcKhMFZPyrhKKHv6HTG7aXW0R5iYMVk3bp4e0+Q8HnDWhkF3i9taJVY5Jv3p6RMoA8Fl+Q1t5bIGWk/f1cfEby1wC5fJUd8RJy4iWxv3v2RXRHox0VBGM8en/R3G92SGf5uaVuOHwUECq19ffUISW7YMSESe/cPet+rb0HU9OyUn4yEZs7BOo/Iy6p4/YcU0HlYDjFFSWlqoARUaB5UDhumeZd5E38Y8eMXzFCclx2emvbh2Iv0UJQehZvo/DeOzymu0jG+Q0SDg2Gf6Qsz04JQJ4Bmw6WZDyNNaDKO0/8NO4sXS9JAELhI+3TNJAM/EcgUyG3Xrq314jSDWaOxQkVNFrtvl8LFDnPMEpFuG+/lBTx3R8zxXL6LeKNXwoZpMy8wm1C6pQClcYrY6z6RFLLHBhrIqbjx+WnCMVDrmrRAzbE2s8nIHRvjDYfeMWxGih424OtNJPcXfnSLtedhWAOddZrZ8Y4082y3BYuCJzlxIceYkZrm8CEkeeq/+zRb1/eJf/Y1hkbHhxQ+dt03Oxih56cFPwVEsjVVd42tBAIojpqS6AHRbs6Dpkr/W7HxftxmIUemMyXlSfliEK8XMqPKQLYIVY5i3ktRlB8GomyPmDxBDckWc6N1jy9ApXLBMVTDvZAA+6UcaCeWvw1tcO+uAlvRNXEWOFjGWUtDiEAzAA9miFP136EysgjLaQTj6tzFfzMYWJdPh9QPnWMSQO4Z9FtlqkccOdKHc= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CHXPR12MB999244.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016)(22082099003)(18002099003)(56012099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?SmFYZVFxTWtkYm1DUTdnQmxRbzVOTkgySlZCUlhyNFcrK3ZKTnMrMzZ0R3VJ?= =?utf-8?B?aE9kQ1E2THFOU3NLMFY2b0wvVUxNMkR4VHdqRnVacnBtVktuUWdEY0o1K3E2?= =?utf-8?B?cnNtQTJoNE84bGNJRyt6djkvY3lBbGRTZTZWVjhJeGhvQjNVa3VGdjNHYmJh?= =?utf-8?B?WVNmMUFXRmwvc3phSDF4cW5vQ2x6U2hUMVdyYVBJYk5RNFVPOVBCSGdITDVD?= =?utf-8?B?TjlIK2dOdXQwQnFWbDhCNGNTQjBnZE5XbUlHSXk1Vmx6cndCWHRwNDg3a1JE?= =?utf-8?B?ek11ZWRyNitneFVMZmZuLy8vRG1wN2xINCttUExlMWY5eTJWTkFzdVA4QTVn?= =?utf-8?B?Yko1ckQ5WXVCbmN5YURCMmJBM1EyWnZxOHRJbzBOOUd6QU0yM2lzbWU2YWls?= =?utf-8?B?dUJkVnZqRWkvMzhsOWdpZXVUOUhEcXdrc3ZKS1lTVjZSdEo2U2Y1dmxRWG1R?= =?utf-8?B?SEZKdmJyTUd5djZLS0o2cytFY3dRY3VJVGFqQzJEV2Yra2daSDRhbzRtd0Q4?= =?utf-8?B?THUwS2ROWWVnRURLSUpYOXVhTVRIalN5SVN0SVl4TC9hbC83WkRVZW0xUXZm?= =?utf-8?B?MEFobHNhcnM4VGJCUVZlRVord2xLd0FEUTBIUjlJWlpPQ08wZG9TMlJQOXdj?= =?utf-8?B?UnlMM0NFSC9nOUVUdEJpSUw4U3U3OFo0dkJNTm5FTmdYbnpBVUgzQjlQL0da?= =?utf-8?B?TWNSRitlV0lza3YxaWN0ZTJGSVRnUUNXaklSYjlOM2JIUTZkKyt0T2FvK25j?= =?utf-8?B?Z0Z6ZWdSbzdkUkRFY2lqVndhNm51c1dIUHdKWENWVnpJOXBPUVpZd1NqMzcw?= =?utf-8?B?RzVyWmZvdVFBdUxzZERGZGVESi9tQ2IxeHF5Y0g5dEw5Uk9jb1Y2TnlRbnBq?= =?utf-8?B?M3RrUlArNUtJYlVVcjFMd25icjFXanMzcUdoMTVrc0RxQ0d6bDdYaHlHQURU?= =?utf-8?B?aUVpOW0vRHJ6WEp3a01ZNGJQSHFjbWtZeXpFZXdaWTA0NmZ3cjBFb040ZWk4?= =?utf-8?B?NzkyRWZvMTM5cFoyL2JmK2J3RXB0b0VZK1F1bk1zYWUraDgyS3FzeENjSkNm?= =?utf-8?B?UzhsdzVaNEwzaHJNQWdQN3hPNnFlaGtOSzRnSnRrQi8wcFllMmFhcytaV1p4?= =?utf-8?B?S3YwOTFiSFVWcHpZVGRnWTVWdC9pVSt6L2xwS0t3M3ZOR1JyRUtCeVJOcmYr?= =?utf-8?B?eHdTeFYxZjByZzd5TzM2VEZZTTQvUzFHa3QrdWczcjdWcGo2WXFMMnpqVlpa?= =?utf-8?B?U2wzdzdwZUNTU3pUSk9tdXFEOHp3VHNmL0JxVDIwQmY2Q3lNOCt5Y0l6RSsz?= =?utf-8?B?VEpkUW1acm5kVG9kcFVnbXJKTjBuMVJ5M3FGZ05JM3JpOFFkV0hJTVNTSmxN?= =?utf-8?B?OUJHb2dNWUtUSWhkUVhaQWxhU25xY1VnTXVoakJDZzdWYitlR2U3ZDJISm42?= =?utf-8?B?WU1jazdreTQ0eXVZUFU4MVIzbUhLMDMveC9BYy9xOFQrSFVkNU9icm5IRCs4?= =?utf-8?B?TjRzZmRhUG9wNHowVUluK0hWUytPQ0gyWHd3MzROV2o2UlNHVE5yU1hUUkMw?= =?utf-8?B?TjlJUXlxUFRnc0JwSGV4Z2hENk1GSm9VdHVReXQvREZyZW04ckEzU1BRTGM0?= =?utf-8?B?WlZ3RGFOMGhhSzVUQ3hUQ0hydUFWK1lsRzdITW9GRzE1VEpad0I3ZzBQeVBS?= =?utf-8?B?MjR1eWRqTy9sU1lCNHpldmVWeTc4LzIxTGpwTEV4MjhIQlhVcXNDY1d4VTNF?= =?utf-8?B?cWVXWW9FdFhvRmVHeXNnTmVCc29hNXBXN2pNQU1SZTIrYS9wRmZYL0l5NjU0?= =?utf-8?B?WEZSSUI4RjV0aDBsR25UY0V1M1A4eUNwdUNud1ErNnNtN1BQZ2RyaUVTQ0la?= =?utf-8?B?WkRXdjFjbTZTY0RaQU0vYjBTU1AxSk44VDJSQjFzNEVNSXVlVTdpK0tTRjF1?= =?utf-8?B?WXI4NFE0a1lqTkdCTStuS0pyMTQ0L3VVMUVhZURpajRpaE9ueU5lNzVLWWE1?= =?utf-8?B?aHR1S29lWTZSUGNvR3hWK1dFWGhnZjZaVDRUVlI1bkFlS0RkNE40ME1RRzNP?= =?utf-8?B?MnVIdUlXVGRIWUgyMFBvMUVsdXdvWnEyeEhGbWw1OHQrS0xLdFpjS1FXUWho?= =?utf-8?B?SWJFNDhoYnFROUdXSlNwYjBodHlvNSsrd2I2Y2ZNSVRmb1pHamlTSW12cnho?= =?utf-8?B?bHZZOGdiV0cyY1hqOWpabkRVVVRCMEhjcDZ2WHpoYW10V3FBaEg0V2NGZU9S?= =?utf-8?B?dUpYZGtOMHdwOFl0ZDE4OEJPQTJib2VoZG83c21QVlVkbVlqK2U3U1F5TGFE?= =?utf-8?B?N2pzMXVLS2RVSTg0dWJtR0J5MndlZ2JaaERFRFk3bGFoZDZna2s4QT09?= X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-Network-Message-Id: 239d698f-268c-4d18-aeab-08de953ba852 X-MS-Exchange-CrossTenant-AuthSource: CHXPR12MB999244.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Apr 2026 06:54:19.3331 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 2WNcIgjMxczOxt9jOyUdXpFpCbdStLHtBdFnC7gcQgpiqkdVUicjocTmvJxslnbPta7ZsZxMndohipSAo167FA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV3PR12MB9412 From: Koba Ko When io_pin_pages() succeeds but the subsequent nr_pages sanity check fires (WARN_ON_ONCE), the function returns -EFAULT without unpinning the user pages or freeing the kvmalloc'd pages array. The caller's cleanup via io_free_region() won't help either, because mr->pages was never assigned =E2=80=94 so the entire cleanup block is skipped. Add unpin_user_pages() and kvfree() before the error return to prevent the leak. Fixes: a90558b36ccee ("io_uring/memmap: helper for pinning region pages") Signed-off-by: Koba Ko --- io_uring/memmap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/io_uring/memmap.c b/io_uring/memmap.c index e6958968975a8..9f0d3750ce3bc 100644 --- a/io_uring/memmap.c +++ b/io_uring/memmap.c @@ -141,8 +141,11 @@ static int io_region_pin_pages(struct io_mapped_region= *mr, pages =3D io_pin_pages(reg->user_addr, size, &nr_pages); if (IS_ERR(pages)) return PTR_ERR(pages); - if (WARN_ON_ONCE(nr_pages !=3D mr->nr_pages)) + if (WARN_ON_ONCE(nr_pages !=3D mr->nr_pages)) { + unpin_user_pages(pages, nr_pages); + kvfree(pages); return -EFAULT; + } =20 mr->pages =3D pages; mr->flags |=3D IO_REGION_F_USER_PROVIDED; --=20 2.43.0 From nobody Mon Jun 15 05:17:01 2026 Received: from DM1PR04CU001.outbound.protection.outlook.com (mail-centralusazon11010019.outbound.protection.outlook.com [52.101.61.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 25435358372; Wed, 8 Apr 2026 06:54:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=52.101.61.19 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775631268; cv=fail; b=HpNHT3iEDOkh4f6MLyEuOfr4gDpCzvb/RY0/RV/xqcpWdo3VpVmRyiUHq5tAjXs3XbPmi3FgBEnYanAuuuKetYmuD+vIJbMdEREn9X+YXFf+0aEJNDHQupPjZn2T+0i/nDhfwADzAZOApvJbqqhmB4L0YA9rq5AqvclnhEErfUo= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775631268; c=relaxed/simple; bh=Gmghc4hYwQN33TVwD8dPuTvQHI7RWq2Fzjl8UqY3cg4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: Content-Type:MIME-Version; b=do9TBQqccaMkh8vfK8XaGE/wgU9Pg5ltiDljD0+9tMbkDY6ptkilBdIqJ08ap4yTxYXredZJxKKVkO6+10yyvZxMv3fwJ0ftQvwKiRs8HY6+uyEHKEJjk1etGEc1OVM6/NcLWClZmSuNGviyuJyhwBfZscmON5hDj1SBQJjxF4c= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=qGRWuRy0; arc=fail smtp.client-ip=52.101.61.19 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="qGRWuRy0" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=GsD+DraOfSA7FB3KYBKaLN0xsyvCquiLYG4YD4VbypL8xdONEM4KhOcvOVy1K4xJz9VQp7o9jnWlhDInJb5xgWyIoWmwf5vP/jZPDnPyZU1q225Z/FdaWmiFoGa62+JXwgl15brsq+b6Kz7XqUte/7NnGpIJmMuXYgWnoFltOa0bmosHlOtAVHmkAWfGiFEYMY9Yz6cpuxD15+peHvfkIww7oUUjQ5OkbdfboJHHuZ3lqj/Ox59GNoQqLWFId4aGrHPPTJOZkfpzuMHmBHlFCE/W7D4yqGoLKxsCdnu5nMlWB3/bH8fdqGxUet7MmokMMF6NSJcKt/dABeJcl9PDPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Oe2sD63im7pL3L8gWAYsykcbIOy3PCysyyAGNhvF5B0=; b=aIiFQz2mFEbg1PZ3DpVxHyjOtBX0VweSQrKXnvBi5Tu6J8RCoUmSGFNb1cFApBT4SHIWxcKvwUJcwAW8/IxpzTkCokU9yxVx/PCR7aMFjsu/lBgxE3lei5zDl3TrSRckPUoAI8k8TFXoFlDcHGcgO2uSqMjqwGbteP8S/8FojsI6sFi7Si+WF1H4zuNoqY7eLbI66TxJb5M4Caxc6Zg8haXeAsXz+prSN4//rZqKbq/krQCe6YwuztswyEmCVyydb9iKHRSW+pmwmzVnp1RPrC924lQ6qUi5H6CunMkzQQx/oYLDPrWJPZNmALvKEFFm9aWByL23YQVfmX9ItTdnLA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nvidia.com; dmarc=pass action=none header.from=nvidia.com; dkim=pass header.d=nvidia.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Oe2sD63im7pL3L8gWAYsykcbIOy3PCysyyAGNhvF5B0=; b=qGRWuRy0kfUCY9EGd6W616wp7T1a6krsV4SQlXzmd1td7RQWtINas92jjw+4fiZzoznOeZ473jjRcU/pXBMK1SdDJMYTgdPI0WrtLYR+95qTyvOOk+Ln35Fl/v7TI5mEGpXBqaXNha+ciddJTQCiLVG89ZfqDFm/dCo4NVc52edb9G+1/izZFcc44UrSZOognECbQqBA8exP5Ix8m5rEbY4P8qIdjpyZ2hauaeGJdWpzLcBtCGOVIy9AmxX0yrfbczae2N9iE8iT/micgN/98gtM2XfTHvWwy42GwL7BUzqqw4T/qQUHaDjcvOKNXlZEZLvtYqEY/M+y6mzwhnbbZw== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nvidia.com; Received: from CHXPR12MB999244.namprd12.prod.outlook.com (2603:10b6:610:2fc::17) by LV3PR12MB9412.namprd12.prod.outlook.com (2603:10b6:408:211::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.17; Wed, 8 Apr 2026 06:54:24 +0000 Received: from CHXPR12MB999244.namprd12.prod.outlook.com ([fe80::168f:599c:f74d:7688]) by CHXPR12MB999244.namprd12.prod.outlook.com ([fe80::168f:599c:f74d:7688%5]) with mapi id 15.20.9769.018; Wed, 8 Apr 2026 06:54:24 +0000 From: KobaK To: Jens Axboe , Pavel Begunkov Cc: Keith Busch , Ming Lei , io-uring@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Koba Ko Subject: [PATCH 2/3] io_uring/rsrc: use io_cache_free for node in io_buffer_register_bvec error path Date: Wed, 8 Apr 2026 14:54:07 +0800 Message-ID: <20260408065408.2017967-3-kobak@nvidia.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260408065408.2017967-1-kobak@nvidia.com> References: <20260408065408.2017967-1-kobak@nvidia.com> Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: TY4PR01CA0027.jpnprd01.prod.outlook.com (2603:1096:405:2bf::11) To CHXPR12MB999244.namprd12.prod.outlook.com (2603:10b6:610:2fc::17) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CHXPR12MB999244:EE_|LV3PR12MB9412:EE_ X-MS-Office365-Filtering-Correlation-Id: 715980f9-df29-4761-059c-08de953bab58 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|376014|366016|22082099003|18002099003|56012099003; X-Microsoft-Antispam-Message-Info: jxw9zvwxFARx43QrZPHWxmigUX8fLpkeECJzlojYpBeo9hJ9OwXJSDhmMpzx3LMyi24FVWoWRdrZS+OaWxsDYkwopzbSe6Jzxn12ojuVw7SOfidl8+5TgMf+QsXBdIkwTjpTKtM+KC2xMowa7UUkghTZ7xZyUzqq3wdGx9xMAwwkPF9iH/7Jckxvb1R4FMm9nGGydU0UjPhA49CRkFLAXiugoRAfmp7Ip3Yf/pEhiswM8CkKhQ4hiugG1J1g0Lxynxq63jx5tndgo9mYqRRwamcFL9DbWOi9tx3gWLypr+EA6NroJz5y1OgBbuXCIFPM5jjs5lb/hN2BwHExKsqw7vb2bpJyaNt0qLS2QtHxH8Mjmdw68q9ja1ydyxHXUdBMfVWGdckye9MvDGszCB08fHgXA3Z1vl4kbduzSjxOHC9YWnq3dsofZWsfodXejX7PIZRzHF8umT8KwSdTstJvDo67ZrcIda6mEr+T7ZUSHQ88ah4KamZFtDyAq6DEfAwkM90T01FhV0Ovk1vmL/tsMMjH/s3/gOCK+XylvZazM3T0PgBDmLAUHAmzCI++tphR8saSOBfbC+6TeAWTI+xKKryvV6YCOkPyGbgXu98bQIXz8d7LfIw13efdBtiNUo6IZaEau0A/y6oPAZY80DALbTTPKDnHefnTmaz7k95n1LlXqLRoY2FSYgokxFjZy8qjXV3S/wToGJhon5S9osjzTWD6fRQRh23uDL8vMuwMQW8= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CHXPR12MB999244.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016)(22082099003)(18002099003)(56012099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?p3An5W3eXAp1yDRQWivRPasHilVSWXtrHB43IIqQIVNMP4ERB5lidMBoobPi?= =?us-ascii?Q?pUre9q6PFKUDVzf36ZZtv82CyvfnaxrHqXIVTvo67U2jndCAbRrerEACEHg2?= =?us-ascii?Q?wkRKJQjEqxR/RhiSjwp6WLRh7rv3HmhwOh6zQG0iSRnN0aBJx5XBtE0YdIdV?= =?us-ascii?Q?i3dfIluKgea6zqO/wGFuTXC5mBfPdbwIRXCueDKTHxpYBKsONdE2cWJa1FXT?= =?us-ascii?Q?aQO1X9xS4MlaHBthboxQe0dazn7+9R6iaveg7vC/NhTMlZhfrtOjKK2j8mYk?= =?us-ascii?Q?SyI8QUFH2nyiHoHaAPQNGbHU6VgkxgoXycTGsbnjf1CFZqwpNBilTRUMZvrh?= =?us-ascii?Q?R1BWHhPin7fqiQQlxrzai1GlgDHDAlcYfQ+XV3bGSBm7P38iZEhOyaKjxlzF?= =?us-ascii?Q?i3JX9W/XaZ3FpCYk052MonrqiCipk0Ghq/+E3O6g5agJHjsNlB6MsJvWNCaI?= =?us-ascii?Q?cXVHH5pxrcrcwZRlhu/UwqwOjUuiGfkV3B/2/++4/KA+3yOO2BeXECzE3Z+D?= =?us-ascii?Q?2H8N49Cn6l3trz6GM8NCSOjCyMGY+9PR1wXITRrMDSSU2+jZn77mmNXzA6Sw?= =?us-ascii?Q?n2wJp3RkaeTmsTtXubngqECCdO1rsn7tGMgQdFfAgNN4J8EsOF33vStQkv5X?= =?us-ascii?Q?+VpGgeHAndYJUwCp7tpgBuesOH37oFFWknXFhguaOW4F9LV+4sWM7iXNA26w?= =?us-ascii?Q?JDzfO4VC9b58Q1Gq+h3aQaDn3JrjJ4cOi59F4kp508VAS2RXlnJDNbRrW4AF?= =?us-ascii?Q?dUPHaRTf2dzrKmuYA+ooit/WS8D+PF8BL7ZXsZrOXl2ptHjGhvTU5N7UzYhH?= =?us-ascii?Q?YmEf9Y2HRwgJyzEncsgd6c9toAP/YWMJuTb8rfKlyMl7qfQNdIhehIASA6kx?= =?us-ascii?Q?7/wAFdHnAqK5iEWhX0l9/OWH2hgBvhnbbeLly8WY1dB8xwOPm5QftMa7L76W?= =?us-ascii?Q?nxMueTjkaQnbNfRRyAbjXyQKwMBSaMPyAPdxblhramJWn2PqJgTkvZZ+3gPY?= =?us-ascii?Q?VLTGmiVrbLnJ/3rnSU7yJA3JWmQWutZRpofO8sM9xHUT9WkPskUS+h2yPwMh?= =?us-ascii?Q?1c4nKh2uxF53guNFdKWsvOR4Q2P4t2ncdjmLsqqq0v1rhZ7bBkHkYPAXL9so?= =?us-ascii?Q?bXP8TpFBRLoC/r1FEKEX+iAPlzkOscFJSnC3W9/0EBVlotQRQQ2Y1nbwC2vD?= =?us-ascii?Q?hMw4uO4knw+TsKzzD6cHxXOIc5uy+bjAO0UhnmUT/5jxcApQHRu5nRNQI7dA?= =?us-ascii?Q?zOtLqBca3RhYgbXd3EwkL1O/EVxr31ceRnKGdE8KounGdsJy06MBTlwrEx35?= =?us-ascii?Q?hup0lbSb3Utmm860HYYvpz+T8iN4C+ndC404QvUeIBh07W7sd5uyshNYyqBP?= =?us-ascii?Q?T65MKQAiYNP5ECxrPP2lWkmNp3I01QCYnFHTm80zCldd8YkySAZbNkEdcx3U?= =?us-ascii?Q?EKA2UHHKMbjACtV8lnzqU+pUqBgnIOgiedliBOF0hXSjujlkulra1XOfAvdj?= =?us-ascii?Q?Nb2SZ9EF10QBPfy65qKXx6BSANGKPQc8uTLz36MMhAAT4SCJ+OYLbzvpaW6s?= =?us-ascii?Q?y+cT2k6efegQ5K5awCU+AWsxzdiwJMkYpHB+cTvXKQbbqiKb9fl8V6/YESJl?= =?us-ascii?Q?bN5vu/a3u+aVF7z4YYuQlS8q7PQSzkPqfqoUz87LuYw9EGwrfQXFnifLE7MF?= =?us-ascii?Q?KDRdwC1As+Egadxshj6DWTk6/aGA6S0yuQd37HQQydo1Dk78nASarnb4oPnN?= =?us-ascii?Q?8CjdpG/Thg=3D=3D?= X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-Network-Message-Id: 715980f9-df29-4761-059c-08de953bab58 X-MS-Exchange-CrossTenant-AuthSource: CHXPR12MB999244.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Apr 2026 06:54:24.4003 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: fSUcYnohyG5JAs+hlAMwaLK5j1/pTVqQKOCPb1TBJQxbnfFgh/Z7kegp9HVF+bCNhH3PaplXYQ8RKeSvcO98ZA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV3PR12MB9412 Content-Type: text/plain; charset="utf-8" From: Koba Ko io_buffer_register_bvec() allocates the rsrc node via io_rsrc_node_alloc() which pulls from ctx->node_cache. On imu allocation failure, the node is freed with raw kfree() instead of io_cache_free(&ctx->node_cache, node), bypassing the cache return path and wasting a reuse opportunity. Every other error path in this file correctly uses io_cache_free for nodes. Fixes: 27cb27b6d5ea4 ("io_uring: add support for kernel registered bvecs") Signed-off-by: Koba Ko --- io_uring/rsrc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c index 1b96ab5e98c99..6f46cf9cd13d7 100644 --- a/io_uring/rsrc.c +++ b/io_uring/rsrc.c @@ -961,7 +961,7 @@ int io_buffer_register_bvec(struct io_uring_cmd *cmd, s= truct request *rq, */ imu =3D io_alloc_imu(ctx, blk_rq_nr_phys_segments(rq)); if (!imu) { - kfree(node); + io_cache_free(&ctx->node_cache, node); ret =3D -ENOMEM; goto unlock; } --=20 2.43.0 From nobody Mon Jun 15 05:17:01 2026 Received: from SA9PR02CU001.outbound.protection.outlook.com (mail-southcentralusazon11013031.outbound.protection.outlook.com [40.93.196.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 054CE366062; Wed, 8 Apr 2026 06:54:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.93.196.31 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775631275; cv=fail; b=cTLHF80m+k7QCzXpvrLJ3c5J3+6W36P6LBsgFp1VhQawF0ODtbQLtwqXefdgto++goYRBtttArqUFnXVT7GqD8ay4dHEnlGZL1RtGvSaYVQoc+tiH1LbSD34rYH/GxsqLEx6TaLqbswnHrfH9RPuKcwa8XI/qqW4teoKAEztMKM= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775631275; c=relaxed/simple; bh=UsxKP573jh2Vy+Tg2uSBSBszQtOVKvmmVqtYavvyp1I=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: Content-Type:MIME-Version; b=udAMOCFdzl82ixLYxxCj+A+Mqt9wRYkWBjq5XX6WfaoSR3Nr71iBQbNPWofPbDbmoA6dzwdXQH8IXm4G1QNaSJ09Dj24IOEXseEOzZDvgZPfQKdalpCRxBG8Lme5Qw1O8jtjKboUHs/w9jscwbEPZv30Nn5guHRArXg+ebltHVE= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=oX6YTCsC; arc=fail smtp.client-ip=40.93.196.31 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="oX6YTCsC" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ggWRQZMnl9Ih8ZCV6V+Gpztbt9CpaSeZSKWIRzQxUQdll6UTO+uNNQS1ay7b3oGRGrVrHTYRzZk+03RTq2uHnTC/exc333T5asU9dl3EBXTHFcmf3J0UMUSTxyLEsNQxRTKMv73Xd7HtIsJo5tk+xcQPIS9fOpIafp57AEyH55owLlnxCQ+JyF9qcXkyqrZX+JVHdkU4mCzJ0OmUtPK2R9XGZgdbBrx5P7D+052pyay/uixEuK+uAy9XMUmjIuSDOMgyiVT5zzHB+B/go5wh2xR65wycV7LK2MDOdwndccgKFQW1z6EkfPnCp+ZnU6MaqhycI8Jhbh9rtRjGCQ2skQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=4cfIpFDPbsM47dnFIlGRurpF0kuARXygaGIVwAwQsK0=; b=KKufNZMNifr9pezTfDyhndtcY8nh8DPCn0/wI+yYhPj+uruQftTbQAL5uFRp74UOXedV15sGlIIfaVpBi89oHbxoATAUJcDdWKj02ZRYcFBbc9g99eB2JJIxKLpYDWg0fz6IvncYewx1uCpAMMBOIPr2Igd5RIogLnIaLTvbEhn4G37O2AqXlUZwh6gFieoJz/XhmMZ411J5CR55znGMlgdOF8zhYhsUfmLocBaF9r679wNW5QYf7JEc2SBuMUrRjgzYahCtpE/Q9WlhvM7JI6eGwse3ZpnCF10Pekl9P/Usbcp8r4Mn8JCzcGcVvwtzvdQA6xbLM5whh0x1gbXFPw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nvidia.com; dmarc=pass action=none header.from=nvidia.com; dkim=pass header.d=nvidia.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4cfIpFDPbsM47dnFIlGRurpF0kuARXygaGIVwAwQsK0=; b=oX6YTCsCICr1mbsstUSqG4NquSj4XlIHTy9r3Ru+qFIFPjzdy5ppBhNCU3rFQsNm/VfIuraz1Fv9TR1ytAwFIAoE9OzI3ROx0xPwSqPyrvaRXjA2EWe8QmPMLfTB0WWYTxFpXNNBWGcvjht6HRbA0GgmaHwvRWQ2KJjEQEmKsdkU+QXhGyKnww2VXc4LYxQolWENhxX/yuBnv6ioyAKUTiX+cz3FW2oogzgik9UrbDy+vDReyEbOj/LGahvgdR5/3F81dSRuJScoLsGMTMfNp2QFBc9Z3FEUVD3w5ad2v55/yElg7Yt+W3tC3zS6eMRZ4UjpYTtjqF1fUgf1HC2cng== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nvidia.com; Received: from CHXPR12MB999244.namprd12.prod.outlook.com (2603:10b6:610:2fc::17) by LV3PR12MB9412.namprd12.prod.outlook.com (2603:10b6:408:211::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.17; Wed, 8 Apr 2026 06:54:29 +0000 Received: from CHXPR12MB999244.namprd12.prod.outlook.com ([fe80::168f:599c:f74d:7688]) by CHXPR12MB999244.namprd12.prod.outlook.com ([fe80::168f:599c:f74d:7688%5]) with mapi id 15.20.9769.018; Wed, 8 Apr 2026 06:54:29 +0000 From: KobaK To: Jens Axboe , Pavel Begunkov Cc: Keith Busch , Ming Lei , io-uring@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Koba Ko Subject: [PATCH 3/3] io_uring/zcrx: fix resource leak and double-free hazard in io_import_umem Date: Wed, 8 Apr 2026 14:54:08 +0800 Message-ID: <20260408065408.2017967-4-kobak@nvidia.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260408065408.2017967-1-kobak@nvidia.com> References: <20260408065408.2017967-1-kobak@nvidia.com> Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: TY4PR01CA0023.jpnprd01.prod.outlook.com (2603:1096:405:2bf::16) To CHXPR12MB999244.namprd12.prod.outlook.com (2603:10b6:610:2fc::17) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CHXPR12MB999244:EE_|LV3PR12MB9412:EE_ X-MS-Office365-Filtering-Correlation-Id: c6b508f6-7bd6-4cd1-54fc-08de953bae23 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|376014|366016|22082099003|18002099003|56012099003; X-Microsoft-Antispam-Message-Info: 2eQ1cHlXS8E065luHIUpr7i0Pz3oVl6ZWvfk/T/jYJjxbF6AoCnasXd95y2TQnPhlEn9IhybB47WhMB3qJSXCLBhgkTc6VVbf4OB37jF0uTt0MZntFFyfGHS7LsFb0M2u51BCTYrDW3q1mrXwRxuUy8DxZ3JtxuYVbBaVAZHyxLIs5RLrlGjds9jVa/s9F4BT4tnmDykmiwFIKgPa51J5HaT+wAYXGeecY7pEa8c86cBr3QzmFM8w7clNt32z+nMLQyp0n+kouNfIzcy3s9q8xrZ1DMHEJmYjcm8ZQpV2y5LPjc50NIWBO2wsClX2NL8XjesWev+nTPZwvwywsYQ5zn9w7RJkjooVF4Q+WitDN/39HamvXQ8T4UTnIZTndOI+w3V3Dm2LJeuR5fBTV47Tqldmi0w/YVaspQT9O4COMjkepSJET91lvGbrSx5NaR80wTvFbGpL395Q3Sw7hUfFkmBKSkIcZEjmdtcJmwYdMky2UBL28fh04oNxhKS3jKmeXdMiNxvypKy8oOOP9uqdSKC0A39WW3Iv5m+14TvGSiAtTBNZCiT+SZpWWxug43etUBwj5WFCLisxhSL0uj9rh09U/ZrLSZ5Ae/X+h8DzhwCTw6Vyc4fSgwK+7O9ovsAXhRPOzf7ioTPu0nXWD/8qfmSch3XlRudBlCwu6TMMVWx7CyBF9ONmHuUBRRupFQuOLOmxCOcqUePX8BtVmAn0f7XVJfsKzQdlXgFaoQftZ8= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CHXPR12MB999244.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016)(22082099003)(18002099003)(56012099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?Sxiuaj+TakAc5R1xHr1qkrzM763Evt1Q6qv/I725evSKPiVMKSfJrEWOgFHR?= =?us-ascii?Q?E0Z71Z8aTmoOz3I2j6850M+kRK1D0JPQEEkSwkcoq4oMoxX+RrDtJN8mPULP?= =?us-ascii?Q?naI+0zgzumXV7qtsw1qV+T3gENN8wT5LttWEUV/WBuvdqKM6cCoxvssUioWd?= =?us-ascii?Q?8lCKtxZ/aECbFCYyGKtbk8e5ydWAIPLlYu1dBOEhyy0hGiIv/CahRMX6fGlz?= =?us-ascii?Q?iKCa3V2oiJGHifcCC8p9dAC8AIrwbdt4nUeu8YemdqVINRVcq529HvDwEVTv?= =?us-ascii?Q?rcyVw3W9x8RMj3Jg59GDPmjLT0Aya1F1bssRnX4p0Tyn/Q5CN375zgrUahSk?= =?us-ascii?Q?7N/JpyxZp1GNiGgBwX5iqrTxw7/iTOqZoSkt8ILC8Z1Wn+vXTucKCFHpGd+Z?= =?us-ascii?Q?WM2lt//vXTCtidN/U5znSc1ZhhvmjZJ7rbEDBB2TErG+OUo9KIJ1zn34iex5?= =?us-ascii?Q?WTjUd4Ubj9SCZ5KDVHs84hhuywKB1/ZiSHdt9yjUfdpr6YYGAcK5dmjzaw+P?= =?us-ascii?Q?EPIpX/zb4/QlkPF9elHhTeja6EHEEfP5LJSDxKWIws/LcZOazhsl+5JPFBwO?= =?us-ascii?Q?HRoy5a1VscOU9ZqFHKQq4QOuUymElwDJggZ9NaArLngIAJ3E8ttPrODChPaR?= =?us-ascii?Q?Cl1iZ0rcuLz7MD5lTKwxYDPZNRR2+zMj08jsX440Mph0d/uYdSneEX42FZTQ?= =?us-ascii?Q?Yzu8Y+uprwwXOOYz0KSPF4RBPvnXHseDAWhdY1v3Vu0eO9V9xNkShhucYucM?= =?us-ascii?Q?X7CyQhhr0vHdwGUPvHeu3PzZnvHRPBDBgL+L1V/cA5JEqh5MvXE4mIN7eyhD?= =?us-ascii?Q?s/EUA1gpKXp6jDVMQNWA9kbjWTh/MDmxcNJIRiJFV1UJcg67YLhmsPriocPk?= =?us-ascii?Q?dMRELI/dp7NbhamGwJ+w0sU62x4mtYYSZGG6hAppTuDceRNnNAEtpB+Hc05X?= =?us-ascii?Q?Whiu4fEMuf5O5a+wFymqJcyfTyBUbeeavFZNmDJKBkI/Xz/sgQpCEiytIn77?= =?us-ascii?Q?AuUVgP/eEl4mWs4FSEROSXp7imWuZILpk81Htodk1tpiZyrzXjN3YE4M5Ri8?= =?us-ascii?Q?N7OICpmJM0hDjHMuBsEnCl8YqKN1A+lu+/oRtdg8c+fniuxJsPfkFAOqpG/9?= =?us-ascii?Q?Zd5ApBY+KcGNIzxbHxL1fEU3qNnLZIJS4sDS3LNgw5okEBaBVFTyYIc1D+yA?= =?us-ascii?Q?y5/ydvyPySE3ZF6p03DQ4uXsrw0SQ5nocvYXa189xTPr199+C7C2CrCxCJsY?= =?us-ascii?Q?YRchQ1ZXDyS/I8fNYCLelC+9xD6XQQBY+AaCIVdVmajPNIxHPNHSDPKVyn8k?= =?us-ascii?Q?EzwwQKlEyblr51h84yyUfYNtXSUdmCCAL6eVDU5cF/0e5DYykPjranmcrO3M?= =?us-ascii?Q?cqWgqGM3bIvP9SKU78SbOKGek/4KGRSUx+eoJbCEXDdzRkFeuf40gO7DM5Nl?= =?us-ascii?Q?wZ5wMQrJAPH8rlo52lE8DOAFlEA0KGKbrlkqBrccyHtQgouA7vdCF8AfZwM3?= =?us-ascii?Q?8dCrw1oIoSfcAbL9jejfBzbdKw9+vzDeh2rNHBslWWl7AlhAcWzo6Pl/KoWP?= =?us-ascii?Q?TRp5H5XvF2kgQPRdGK56VZPpUoma3JD8Dki9Pt6q7Vq+aFtMJwMUjDsJNyKd?= =?us-ascii?Q?GwsXA6cev8d/hbzyuDjSXdEuE6fDhC1CQFjTmLtk1LiVl6IRWs/bAT3f5NCJ?= =?us-ascii?Q?CBksTtM4eJ9ZBn9h1CFaE2LM2IuT3LPPZ5PhxH/183vlWnNuDXHw3UORIrY+?= =?us-ascii?Q?yIiB7OUdmw=3D=3D?= X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-Network-Message-Id: c6b508f6-7bd6-4cd1-54fc-08de953bae23 X-MS-Exchange-CrossTenant-AuthSource: CHXPR12MB999244.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Apr 2026 06:54:29.0898 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 6Lnl1tZWuaf5+vneId0EXpkaf8L1BZ9bKMCs25eMTEQV330assy4iurL10goqj8WZkDADCi+3DuJfigdJq3VEQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV3PR12MB9412 Content-Type: text/plain; charset="utf-8" From: Koba Ko io_import_umem() has two problems: 1. When io_account_mem() fails, the function returns an error but leaves live pinned pages and sg_table in the mem struct without cleaning them up. The caller happens to handle this today via io_zcrx_free_area() -> io_release_area_mem(), but the contract is fragile. 2. io_release_area_mem() doesn't NULL out mem->pages after kvfree(), making it unsafe to call twice. Since io_zcrx_free_area() always calls it during teardown, any earlier cleanup call would cause a double-free. Fix both: populate mem fields before io_account_mem() so io_release_area_mem() can do a proper cleanup on failure, and add mem->pages =3D NULL in io_release_area_mem() to make it idempotent. Fixes: 262ab205180d2 ("io_uring/zcrx: account area memory") Signed-off-by: Koba Ko --- io_uring/zcrx.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c index 62d693287457f..c9ed1139c7bcd 100644 --- a/io_uring/zcrx.c +++ b/io_uring/zcrx.c @@ -188,6 +188,8 @@ static unsigned long io_count_account_pages(struct page= **pages, unsigned nr_pag return res; } =20 +static void io_release_area_mem(struct io_zcrx_mem *mem); + static int io_import_umem(struct io_zcrx_ifq *ifq, struct io_zcrx_mem *mem, struct io_uring_zcrx_area_reg *area_reg) @@ -213,16 +215,20 @@ static int io_import_umem(struct io_zcrx_ifq *ifq, return ret; } =20 - mem->account_pages =3D io_count_account_pages(pages, nr_pages); - ret =3D io_account_mem(ifq->user, ifq->mm_account, mem->account_pages); - if (ret < 0) - mem->account_pages =3D 0; - mem->sgt =3D &mem->page_sg_table; mem->pages =3D pages; mem->nr_folios =3D nr_pages; mem->size =3D area_reg->len; - return ret; + + mem->account_pages =3D io_count_account_pages(pages, nr_pages); + ret =3D io_account_mem(ifq->user, ifq->mm_account, mem->account_pages); + if (ret < 0) { + mem->account_pages =3D 0; + io_release_area_mem(mem); + return ret; + } + + return 0; } =20 static void io_release_area_mem(struct io_zcrx_mem *mem) @@ -236,6 +242,7 @@ static void io_release_area_mem(struct io_zcrx_mem *mem) sg_free_table(mem->sgt); mem->sgt =3D NULL; kvfree(mem->pages); + mem->pages =3D NULL; } } =20 --=20 2.43.0