[PATCH 6.19 813/844] io_uring/zcrx: fix sgtable leak on mapping failures

Next message: kernel test robot: "Re: [PATCH] mm/mglru: fix cgroup OOM during MGLRU state switching"
Previous message: Michael S. Tsirkin: "Re: [PATCH net-next v8] virtio_net: add page_pool support for buffer allocation"
In reply to: Sasha Levin: "[PATCH 6.19 804/844] kbuild: rpm-pkg: Fix manual debuginfo generation when using .src.rpm"
Next in thread: Sasha Levin: "[PATCH 6.19 834/844] net: nfc: nci: Fix parameter validation for packet data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sasha Levin

Date: Sat Feb 28 2026 - 16:16:11 EST

From: Pavel Begunkov <asml.silence@xxxxxxxxx>

[ Upstream commit a983aae397767e9da931128ff2b5bf9066513ce3 ]

In an unlikely case when io_populate_area_dma() fails, which could only
happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine,
io_zcrx_map_area() will have an initialised and not freed table. It was
supposed to be cleaned up in the error path, but !is_mapped prevents
that.

Fixes: 439a98b972fbb ("io_uring/zcrx: deduplicate area mapping")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx>
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
io_uring/zcrx.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 3d398283cf340..b133c85793c9c 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -288,6 +288,9 @@ static int io_zcrx_map_area(struct io_zcrx_ifq *ifq, struct io_zcrx_area *area)
}

ret = io_populate_area_dma(ifq, area);
+ if (ret && !area->mem.is_dmabuf)
+ dma_unmap_sgtable(ifq->dev, &area->mem.page_sg_table,
+ DMA_FROM_DEVICE, IO_DMA_ATTR);
if (ret == 0)
area->is_mapped = true;
return ret;
--
2.51.0