mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-23 20:24:12 +08:00
io_uring: Fix release of pinned pages when __io_uaddr_map fails
Looking at the error path of __io_uaddr_map, if we fail after pinning
the pages for any reasons, ret will be set to -EINVAL and the error
handler won't properly release the pinned pages.
I didn't manage to trigger it without forcing a failure, but it can
happen in real life when memory is heavily fragmented.
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Fixes: 223ef47431
("io_uring: don't allow IORING_SETUP_NO_MMAP rings on highmem pages")
Link: https://lore.kernel.org/r/20240313213912.1920-1-krisman@suse.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
parent
9219e4a9d4
commit
67d1189d10
@ -2714,7 +2714,7 @@ static void *__io_uaddr_map(struct page ***pages, unsigned short *npages,
|
||||
struct page **page_array;
|
||||
unsigned int nr_pages;
|
||||
void *page_addr;
|
||||
int ret, i;
|
||||
int ret, i, pinned;
|
||||
|
||||
*npages = 0;
|
||||
|
||||
@ -2728,12 +2728,12 @@ static void *__io_uaddr_map(struct page ***pages, unsigned short *npages,
|
||||
if (!page_array)
|
||||
return ERR_PTR(-ENOMEM);
|
||||
|
||||
ret = pin_user_pages_fast(uaddr, nr_pages, FOLL_WRITE | FOLL_LONGTERM,
|
||||
page_array);
|
||||
if (ret != nr_pages) {
|
||||
err:
|
||||
io_pages_free(&page_array, ret > 0 ? ret : 0);
|
||||
return ret < 0 ? ERR_PTR(ret) : ERR_PTR(-EFAULT);
|
||||
|
||||
pinned = pin_user_pages_fast(uaddr, nr_pages, FOLL_WRITE | FOLL_LONGTERM,
|
||||
page_array);
|
||||
if (pinned != nr_pages) {
|
||||
ret = (pinned < 0) ? pinned : -EFAULT;
|
||||
goto free_pages;
|
||||
}
|
||||
|
||||
page_addr = page_address(page_array[0]);
|
||||
@ -2747,7 +2747,7 @@ err:
|
||||
* didn't support this feature.
|
||||
*/
|
||||
if (PageHighMem(page_array[i]))
|
||||
goto err;
|
||||
goto free_pages;
|
||||
|
||||
/*
|
||||
* No support for discontig pages for now, should either be a
|
||||
@ -2756,13 +2756,17 @@ err:
|
||||
* just fail them with EINVAL.
|
||||
*/
|
||||
if (page_address(page_array[i]) != page_addr)
|
||||
goto err;
|
||||
goto free_pages;
|
||||
page_addr += PAGE_SIZE;
|
||||
}
|
||||
|
||||
*pages = page_array;
|
||||
*npages = nr_pages;
|
||||
return page_to_virt(page_array[0]);
|
||||
|
||||
free_pages:
|
||||
io_pages_free(&page_array, pinned > 0 ? pinned : 0);
|
||||
return ERR_PTR(ret);
|
||||
}
|
||||
|
||||
static void *io_rings_map(struct io_ring_ctx *ctx, unsigned long uaddr,
|
||||
|
Loading…
Reference in New Issue
Block a user