[PATCH 1/3] io_uring: fix pinned pages and pages array leak in io_region_pin_pages()

Next message: KobaK: "[PATCH 2/3] io_uring/rsrc: use io_cache_free for node in io_buffer_register_bvec error path"
Previous message: KobaK: "[PATCH 0/3] io_uring: fix resource leak issues"
In reply to: KobaK: "[PATCH 0/3] io_uring: fix resource leak issues"
Next in thread: Pavel Begunkov: "Re: [PATCH 1/3] io_uring: fix pinned pages and pages array leak in io_region_pin_pages()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: KobaK

Date: Wed Apr 08 2026 - 02:55:36 EST

From: Koba Ko <kobak@xxxxxxxxxx>

When io_pin_pages() succeeds but the subsequent nr_pages sanity check
fires (WARN_ON_ONCE), the function returns -EFAULT without unpinning the
user pages or freeing the kvmalloc'd pages array. The caller's cleanup
via io_free_region() won't help either, because mr->pages was never
assigned — so the entire cleanup block is skipped.

Add unpin_user_pages() and kvfree() before the error return to prevent
the leak.

Fixes: a90558b36ccee ("io_uring/memmap: helper for pinning region pages")
Signed-off-by: Koba Ko <kobak@xxxxxxxxxx>
---
io_uring/memmap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/io_uring/memmap.c b/io_uring/memmap.c
index e6958968975a8..9f0d3750ce3bc 100644
--- a/io_uring/memmap.c
+++ b/io_uring/memmap.c
@@ -141,8 +141,11 @@ static int io_region_pin_pages(struct io_mapped_region *mr,
pages = io_pin_pages(reg->user_addr, size, &nr_pages);
if (IS_ERR(pages))
return PTR_ERR(pages);
- if (WARN_ON_ONCE(nr_pages != mr->nr_pages))
+ if (WARN_ON_ONCE(nr_pages != mr->nr_pages)) {
+ unpin_user_pages(pages, nr_pages);
+ kvfree(pages);
return -EFAULT;
+ }

mr->pages = pages;
mr->flags |= IO_REGION_F_USER_PROVIDED;
--
2.43.0