Commit e1c75831 authored Jun 17, 2025 by Penglei Jiang Committed by Jens Axboe Jun 18, 2025

io_uring: fix potential page leak in io_sqe_buffer_register()



If allocation of the 'imu' fails, then the existing pages aren't
unpinned in the error path. This is mostly a theoretical issue,
requiring fault injection to hit.

Move unpin_user_pages() to unified error handling to fix the page leak
issue.

Fixes: d8c2237d ("io_uring: add io_pin_pages() helper")
Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
Link: https://lore.kernel.org/r/20250617165644.79165-1-superman.xpt@gmail.com


Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent f2320f1d

io_uring/rsrc.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -809,10 +809,8 @@ static struct io_rsrc_node io_sqe_buffer_register(struct io_ring_ctx ctx,

		imu->nr_bvecs = nr_pages;
		ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage);
		if (ret) {
		unpin_user_pages(pages, nr_pages);
		if (ret)
		goto done;
		}

		size = iov->iov_len;
		/* store original address for later verification */
		@@ -842,6 +840,8 @@ static struct io_rsrc_node io_sqe_buffer_register(struct io_ring_ctx ctx,
		if (ret) {
		if (imu)
		io_free_imu(ctx, imu);
		if (pages)
		unpin_user_pages(pages, nr_pages);
		io_cache_free(&ctx->node_cache, node);
		node = ERR_PTR(ret);
		}