Commit a983aae3 authored Feb 14, 2026 by Pavel Begunkov Committed by Jens Axboe Feb 14, 2026

io_uring/zcrx: fix sgtable leak on mapping failures



In an unlikely case when io_populate_area_dma() fails, which could only
happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine,
io_zcrx_map_area() will have an initialised and not freed table. It was
supposed to be cleaned up in the error path, but !is_mapped prevents
that.

Fixes: 439a98b9 ("io_uring/zcrx: deduplicate area mapping")
Cc: stable@vger.kernel.org
Reported-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent d7d95207

io_uring/zcrx.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -288,6 +288,9 @@ static int io_zcrx_map_area(struct io_zcrx_ifq ifq, struct io_zcrx_area area)
		}

		ret = io_populate_area_dma(ifq, area);
		if (ret && !area->mem.is_dmabuf)
		dma_unmap_sgtable(ifq->dev, &area->mem.page_sg_table,
		DMA_FROM_DEVICE, IO_DMA_ATTR);
		if (ret == 0)
		area->is_mapped = true;
		return ret;