tmakin/tegra-linux-noble
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

io_uring: Fix release of pinned pages when __io_uaddr_map fails

Browse Source 
BugLink: https://bugs.launchpad.net/bugs/2060097

[ Upstream commit 67d1189d1095d471ed7fa426c7e384a7140a5dd7 ]

Looking at the error path of __io_uaddr_map, if we fail after pinning
the pages for any reasons, ret will be set to -EINVAL and the error
handler won't properly release the pinned pages.

I didn't manage to trigger it without forcing a failure, but it can
happen in real life when memory is heavily fragmented.

Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Fixes: 223ef47431 ("io_uring: don't allow IORING_SETUP_NO_MMAP rings on highmem pages")
Link: https://lore.kernel.org/r/20240313213912.1920-1-krisman@suse.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 4d376d7ad62b6a8e8dfff56b559d9d275e5b9b3a)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
This commit is contained in:
Gabriel Krisman Bertazi
2024-03-13 17:39:12 -04:00
committed by Roxana Nicolescu
parent 529bf278e7
commit 49e5557ee0
1 changed files with 13 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
io_uring/io_uring.c
+13 -9
View File
@@ -2702,7 +2702,7 @@ static void *__io_uaddr_map(struct page ***pages, unsigned short *npages,
struct page **page_array;
unsigned int nr_pages;
void *page_addr;
int ret, i;
int ret, i, pinned;
*npages = 0;
@@ -2716,12 +2716,12 @@ static void *__io_uaddr_map(struct page ***pages, unsigned short *npages,
if (!page_array)
return ERR_PTR(-ENOMEM);
ret = pin_user_pages_fast(uaddr, nr_pages, FOLL_WRITE | FOLL_LONGTERM,
page_array);
if (ret != nr_pages) {
err:
io_pages_free(&page_array, ret > 0 ? ret : 0);
return ret < 0 ? ERR_PTR(ret) : ERR_PTR(-EFAULT);
pinned = pin_user_pages_fast(uaddr, nr_pages, FOLL_WRITE | FOLL_LONGTERM,
page_array);
if (pinned != nr_pages) {
ret = (pinned < 0) ? pinned : -EFAULT;
goto free_pages;
}
page_addr = page_address(page_array[0]);
@@ -2735,7 +2735,7 @@ err:
* didn't support this feature.
*/
if (PageHighMem(page_array[i]))
goto err;
goto free_pages;
/*
* No support for discontig pages for now, should either be a
@@ -2744,13 +2744,17 @@ err:
* just fail them with EINVAL.
*/
if (page_address(page_array[i]) != page_addr)
goto err;
goto free_pages;
page_addr += PAGE_SIZE;
}
*pages = page_array;
*npages = nr_pages;
return page_to_virt(page_array[0]);
free_pages:
io_pages_free(&page_array, pinned > 0 ? pinned : 0);
return ERR_PTR(ret);
}
static void *io_rings_map(struct io_ring_ctx *ctx, unsigned long uaddr,