* [PATCH for-next 0/3] zcrx accounting fixes
@ 2025-07-21 9:56 Pavel Begunkov
2025-07-21 9:56 ` [PATCH 1/3] io_uring/zcrx: fix null ifq on area destruction Pavel Begunkov
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Pavel Begunkov @ 2025-07-21 9:56 UTC (permalink / raw)
To: io-uring; +Cc: asml.silence, dw
A follow up on Dan's report + patch up possible page leaks
in io_zcrx_free_area().
Pavel Begunkov (3):
io_uring/zcrx: fix null ifq on area destruction
io_uring/zcrx: don't leak pages on account failure
io_uring/zcrx: fix leaking pages on sg init fail
io_uring/zcrx.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--
2.49.0
* [PATCH 1/3] io_uring/zcrx: fix null ifq on area destruction
2025-07-21 9:56 [PATCH for-next 0/3] zcrx accounting fixes Pavel Begunkov
@ 2025-07-21 9:56 ` Pavel Begunkov
2025-07-21 9:56 ` [PATCH 2/3] io_uring/zcrx: don't leak pages on account failure Pavel Begunkov
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Pavel Begunkov @ 2025-07-21 9:56 UTC (permalink / raw)
To: io-uring; +Cc: asml.silence, dw
Dan reports that ifq can be null when inferring arguments for
io_unaccount_mem() from io_zcrx_free_area(). Fix it by always setting a
correct ifq.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202507180628.gBxrOgqr-lkp@intel.com/
Fixes: 262ab205180d2 ("io_uring/zcrx: account area memory")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
io_uring/zcrx.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index dabce3ee0e8b..6b4bdefb40c4 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -377,8 +377,7 @@ static void io_free_rbuf_ring(struct io_zcrx_ifq *ifq)
static void io_zcrx_free_area(struct io_zcrx_area *area)
{
- if (area->ifq)
- io_zcrx_unmap_area(area->ifq, area);
+ io_zcrx_unmap_area(area->ifq, area);
io_release_area_mem(&area->mem);
if (area->mem.account_pages)
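Review bot: dropping the `if (area->ifq)` guard at the top of io_zcrx_free_area() means io_zcrx_unmap_area() now runs for every area, including one whose setup failed before anything was mapped. With area->ifq assigned right after kzalloc() elsewhere in this patch, an io_import_area() failure now reaches this call with a valid ifq and nothing mapped, where the old check happened to skip the unmap. io_zcrx_unmap_area() is not shown in this diff, so please confirm it is a no-op for a never-mapped area and say so in the commit message.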
@@ -411,6 +410,7 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq,
area = kzalloc(sizeof(*area), GFP_KERNEL);
if (!area)
goto err;
+ area->ifq = ifq;
ret = io_import_area(ifq, &area->mem, area_reg);
if (ret)
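Review bot: the new `area->ifq = ifq;` right after the allocation check is an ordering requirement, not a style choice, and nothing at the assignment says so. A one-line comment stating that it must be set before any failure path because io_zcrx_free_area() relies on it would keep a later cleanup from moving it back down next to `area->free_count = nr_iovs;`, where it sat before.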
@@ -445,7 +445,6 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq,
}
area->free_count = nr_iovs;
- area->ifq = ifq;
/* we're only supporting one area per ifq for now */
area->area_id = 0;
area_reg->rq_area_token = (u64)area->area_id << IORING_ZCRX_AREA_SHIFT;
--
2.49.0
* [PATCH 2/3] io_uring/zcrx: don't leak pages on account failure
2025-07-21 9:56 [PATCH for-next 0/3] zcrx accounting fixes Pavel Begunkov
2025-07-21 9:56 ` [PATCH 1/3] io_uring/zcrx: fix null ifq on area destruction Pavel Begunkov
@ 2025-07-21 9:56 ` Pavel Begunkov
2025-07-21 9:56 ` [PATCH 3/3] io_uring/zcrx: fix leaking pages on sg init fail Pavel Begunkov
2025-07-21 12:48 ` [PATCH for-next 0/3] zcrx accounting fixes Jens Axboe
3 siblings, 0 replies; 5+ messages in thread
From: Pavel Begunkov @ 2025-07-21 9:56 UTC (permalink / raw)
To: io-uring; +Cc: asml.silence, dw
Someone needs to release pinned pages in io_import_umem() if accounting
fails. Assign them to the area but return an error, the following
io_zcrx_free_area() will clean them up.
Fixes: 262ab205180d2 ("io_uring/zcrx: account area memory")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
io_uring/zcrx.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 6b4bdefb40c4..6a983f1ab592 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -199,15 +199,13 @@ static int io_import_umem(struct io_zcrx_ifq *ifq,
mem->account_pages = io_count_account_pages(pages, nr_pages);
ret = io_account_mem(ifq->ctx, mem->account_pages);
- if (ret < 0) {
+ if (ret < 0)
mem->account_pages = 0;
- return ret;
- }
mem->pages = pages;
mem->nr_folios = nr_pages;
mem->size = area_reg->len;
- return 0;
+ return ret;
}
static void io_release_area_mem(struct io_zcrx_mem *mem)
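Review bot: with the `if (ret < 0)` branch now falling through, io_import_umem() can return an error while leaving mem->pages, mem->nr_folios and mem->size populated, which is an unusual contract for a failing import and is not documented anywhere in the function. A comment above `mem->pages = pages;` stating that ownership passes to mem even on failure and that the caller's io_zcrx_free_area() is expected to release it would protect against a future caller that treats a negative return as "nothing to undo". Resetting mem->account_pages to 0 on failure looks right, since it keeps the release path from unaccounting pages that were never accounted.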
--
2.49.0
* [PATCH 3/3] io_uring/zcrx: fix leaking pages on sg init fail
2025-07-21 9:56 [PATCH for-next 0/3] zcrx accounting fixes Pavel Begunkov
2025-07-21 9:56 ` [PATCH 1/3] io_uring/zcrx: fix null ifq on area destruction Pavel Begunkov
2025-07-21 9:56 ` [PATCH 2/3] io_uring/zcrx: don't leak pages on account failure Pavel Begunkov
@ 2025-07-21 9:56 ` Pavel Begunkov
2025-07-21 12:48 ` [PATCH for-next 0/3] zcrx accounting fixes Jens Axboe
3 siblings, 0 replies; 5+ messages in thread
From: Pavel Begunkov @ 2025-07-21 9:56 UTC (permalink / raw)
To: io-uring; +Cc: asml.silence, dw
If sg_alloc_table_from_pages() fails, io_import_umem() returns without
cleaning up pinned pages first. Fix it.
Fixes: b84621d96ee02 ("io_uring/zcrx: allocate sgtable for umem areas")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
io_uring/zcrx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 6a983f1ab592..2d8bc4219463 100644
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -194,8 +194,10 @@ static int io_import_umem(struct io_zcrx_ifq *ifq,
ret = sg_alloc_table_from_pages(&mem->page_sg_table, pages, nr_pages,
0, nr_pages << PAGE_SHIFT,
GFP_KERNEL_ACCOUNT);
- if (ret)
+ if (ret) {
+ unpin_user_pages(pages, nr_pages);
return ret;
+ }
mem->account_pages = io_count_account_pages(pages, nr_pages);
ret = io_account_mem(ifq->ctx, mem->account_pages);
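Review bot: the new error branch after sg_alloc_table_from_pages() calls `unpin_user_pages(pages, nr_pages);` but the visible lines do not release the `pages` array itself before `return ret;`. If that array is a separate allocation made earlier in io_import_umem(), it needs freeing here as well, otherwise the pins are dropped but the array still leaks. A short comment would also help explain why this path cleans up locally (mem->pages has not been assigned yet) while the accounting failure handled in patch 2/3 leaves cleanup to io_zcrx_free_area().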
--
2.49.0
* Re: [PATCH for-next 0/3] zcrx accounting fixes
2025-07-21 9:56 [PATCH for-next 0/3] zcrx accounting fixes Pavel Begunkov
` (2 preceding siblings ...)
2025-07-21 9:56 ` [PATCH 3/3] io_uring/zcrx: fix leaking pages on sg init fail Pavel Begunkov
@ 2025-07-21 12:48 ` Jens Axboe
3 siblings, 0 replies; 5+ messages in thread
From: Jens Axboe @ 2025-07-21 12:48 UTC (permalink / raw)
To: io-uring, Pavel Begunkov; +Cc: dw
On Mon, 21 Jul 2025 10:56:19 +0100, Pavel Begunkov wrote:
> A follow up on Dan's report + patch up possible page leaks
> in io_zcrx_free_area().
>
> Pavel Begunkov (3):
> io_uring/zcrx: fix null ifq on area destruction
> io_uring/zcrx: don't leak pages on account failure
> io_uring/zcrx: fix leaking pages on sg init fail
>
> [...]
Applied, thanks!
[1/3] io_uring/zcrx: fix null ifq on area destruction
commit: 720df2310b89cf76c1dc1a05902536282506f8bf
[2/3] io_uring/zcrx: don't leak pages on account failure
commit: 6bbd3411ff87df1ca38ff32d36eb5dc673ca8021
[3/3] io_uring/zcrx: fix leaking pages on sg init fail
commit: d9f595b9a65e9c9eb03e21f3db98fde158d128db
Best regards,
--
Jens Axboe