Re: [PATCH v2] xen/gntdev: fix error handling in ioctl
From: Juergen Gross
Date: Fri Jun 26 2026 - 07:54:56 EST
On 22.06.26 13:25, Wentao Liang wrote:
> When gntdev_ioctl_map_grant_ref() fails to copy the operation result
> back to userspace after successfully adding the mapping to the list,
> the error path returns -EFAULT without releasing the reference
> acquired by gntdev_alloc_map(). The mapping remains in priv->maps
> with a refcount of 1, causing a memory leak and a dangling list
> entry.
>
> Additionally, gntdev_add_map() may modify map->index to avoid overlap
> with existing mappings. Therefore, the index returned to userspace
> must be obtained after gntdev_add_map() completes.
>
> Fix this by holding the mutex across gntdev_add_map(), retrieving
> the correct index, and copy_to_user(). If copy_to_user() fails,
> remove the mapping from the list and release the reference while
> still holding the lock.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fix these issues by properly handling all error cases.
> Fixes: 1401c00e59ea ("xen/gntdev: convert priv->lock to a mutex")
> Fixes: 68b025c813c2 ("xen-gntdev: Add reference counting to maps")
> Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>

Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
Juergen
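The two defects the commit message describes, as an added user-space model that is not the kernel's gntdev code: alloc_map(), add_map() and copy_index() stand in for gntdev_alloc_map(), gntdev_add_map() and copy_to_user(), the mutex is left out because the model is single-threaded, and map_buggy() next to map_fixed() shows the stale index and the leaked list entry against the cleaned-up error path.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed user-space model of the error path described above; not gntdev code. */
struct grant_map { int refcount, index; struct grant_map *next; }; /* one ref from alloc */
struct gntdev_priv { struct grant_map *maps; }; /* priv->maps; mutex elided (single thread) */
static struct grant_map pool[8];
static size_t pool_used;
static int reported_index; /* what userspace saw for the second (successful) map */

static struct grant_map *alloc_map(void) { /* gntdev_alloc_map() stand-in: ref count 1 */
    struct grant_map *m = &pool[pool_used++];
    m->refcount = 1; m->index = 0; m->next = NULL;
    return m;
}
static void add_map(struct gntdev_priv *priv, struct grant_map *m) { /* gntdev_add_map() */
    for (struct grant_map *p = priv->maps; p; p = p->next)
        if (p->index >= m->index) m->index = p->index + 1; /* move past existing maps */
    m->next = priv->maps; priv->maps = m; /* pushed at the list head */
}
static int copy_index(int *user_index, int index, bool fail_copy) { /* copy_to_user() */
    if (fail_copy) return -14; /* -EFAULT */
    *user_index = index; return 0;
}
/* Buggy: index read before add_map(), nothing undone when the copy fails. */
static int map_buggy(struct gntdev_priv *priv, int *user_index, bool fail_copy) {
    struct grant_map *m = alloc_map();
    int index = m->index; /* stale if add_map() moves it */
    add_map(priv, m);
    return copy_index(user_index, index, fail_copy); /* on failure m stays listed, ref 1 */
}
/* Fixed: index read after add_map(); on failure unlink the map and drop the ref. */
static int map_fixed(struct gntdev_priv *priv, int *user_index, bool fail_copy) {
    struct grant_map *m = alloc_map();
    add_map(priv, m);
    int rc = copy_index(user_index, m->index, fail_copy);
    if (rc) { priv->maps = m->next; m->refcount--; } /* still "under the lock" */
    return rc;
}
/* Two successful maps, then one whose copy fails. Returns how many entries are
 * still listed; reported_index keeps the index userspace saw for the second map. */
static size_t entries_after_failed_copy(bool use_fixed) {
    struct gntdev_priv priv = { NULL }; size_t n = 0; pool_used = 0;
    int (*fn)(struct gntdev_priv *, int *, bool) = use_fixed ? map_fixed : map_buggy;
    fn(&priv, &reported_index, false); fn(&priv, &reported_index, false);
    fn(&priv, &reported_index, true); /* the failed copy leaves reported_index untouched */
    for (struct grant_map *p = priv.maps; p; p = p->next) n++;
    return n;
}
```

With the buggy path the third map stays on the list with its reference still held and the second map is reported at index 0 although it sits at index 1; the fixed path leaves two entries, a dropped reference, and reports index 1.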