diff options
| author | Pavel Begunkov <asml.silence@gmail.com> | 2026-02-14 22:19:32 +0000 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2026-03-04 07:21:43 -0500 |
| commit | ef075c1464ac9047e2cf7d23cb020bfd0b8e4b60 (patch) | |
| tree | 4def398e88c3a48ea1119bbde00cbd3d8e9c5d7c /io_uring | |
| parent | 07a0de6d01b16626bc34ebc074a86b9ec1ffa54b (diff) | |
io_uring/zcrx: fix sgtable leak on mapping failures
[ Upstream commit a983aae397767e9da931128ff2b5bf9066513ce3 ]
In an unlikely case when io_populate_area_dma() fails, which could only
happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine,
io_zcrx_map_area() will have an initialised and not freed table. It was
supposed to be cleaned up in the error path, but !is_mapped prevents
that.
Fixes: 439a98b972fbb ("io_uring/zcrx: deduplicate area mapping")
Cc: stable@vger.kernel.org
Reported-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'io_uring')
| -rw-r--r-- | io_uring/zcrx.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c index 3d398283cf34..b133c85793c9 100644 --- a/io_uring/zcrx.c +++ b/io_uring/zcrx.c @@ -288,6 +288,9 @@ static int io_zcrx_map_area(struct io_zcrx_ifq *ifq, struct io_zcrx_area *area) } ret = io_populate_area_dma(ifq, area); + if (ret && !area->mem.is_dmabuf) + dma_unmap_sgtable(ifq->dev, &area->mem.page_sg_table, + DMA_FROM_DEVICE, IO_DMA_ATTR); if (ret == 0) area->is_mapped = true; return ret; |