io_uring: take page references for NOMMU pbuf_ring mmaps

Under !CONFIG_MMU, io_uring_get_unmapped_area() returns the kernel
virtual address of the io_mapped_region's backing pages directly;
the user's VMA aliases the kernel allocation. io_uring_mmap() then
just returns 0 -- it takes no page references.

The CONFIG_MMU path uses vm_insert_pages(), which takes a reference on
each inserted page.  Those references are released when the VMA is torn
down (zap_pte_range -> put_page). io_free_region() -> release_pages()
drops the io_uring-side references, but the pages survive until munmap
drops the VMA-side references.

Under NOMMU there are no VMA-side references. io_unregister_pbuf_ring ->
io_put_bl -> io_free_region -> release_pages drops the only references
and the pages return to the buddy allocator while the user's VMA still
has vm_start pointing into them.  The user can then write into whatever
the allocator hands out next.

Mirror the MMU lifetime: take get_page references in io_uring_mmap() and
release them via vm_ops->close.  NOMMU's delete_vma() calls vma_close()
which runs ->close on munmap.

This also incidentally addresses the duplicate-vm_start case: two mmaps
of SQ_RING and CQ_RING resolve to the same ctx->ring_region pointer.
With page refs taken per mmap, the second mmap takes its own refs and
the pages survive until both mmaps are closed.  The nommu rb-tree BUG_ON
on duplicate vm_start is a separate mm/nommu.c concern (it should share
the existing region rather than BUG), but the page lifetime is now
correct.

Cc: Jens Axboe <axboe@kernel.dk>
Reported-by: Anthropic
Assisted-by: gkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026042115-body-attention-d15b@gregkh
[axboe: get rid of region lookup, just iterate pages in vma]
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/memmap.c b/io_uring/memmap.c
index e6958968975a86478f358375525aeeca07dc99b3..4f9b439319c466f1c365d05cb2e06af48570cdc5 100644 (file)
--- a/io_uring/memmap.c
+++ b/io_uring/memmap.c
@@ -366,9 +366,53 @@ unsigned long io_uring_get_unmapped_area(struct file *filp, unsigned long addr,
 
 #else /* !CONFIG_MMU */
 
+/*
+ * Drop the pages that were initially referenced and added in
+ * io_uring_mmap(). We cannot have had a mremap() as that isn't supported,
+ * hence the vma should be identical to the one we initially referenced and
+ * mapped, and partial unmaps and splitting isn't possible on a file backed
+ * mapping.
+ */
+static void io_uring_nommu_vm_close(struct vm_area_struct *vma)
+{
+       unsigned long index;
+
+       for (index = vma->vm_start; index < vma->vm_end; index += PAGE_SIZE)
+               put_page(virt_to_page((void *) index));
+}
+
+static const struct vm_operations_struct io_uring_nommu_vm_ops = {
+       .close = io_uring_nommu_vm_close,
+};
+
 int io_uring_mmap(struct file *file, struct vm_area_struct *vma)
 {
-       return is_nommu_shared_mapping(vma->vm_flags) ? 0 : -EINVAL;
+       struct io_ring_ctx *ctx = file->private_data;
+       struct io_mapped_region *region;
+       unsigned long i;
+
+       if (!is_nommu_shared_mapping(vma->vm_flags))
+               return -EINVAL;
+
+       guard(mutex)(&ctx->mmap_lock);
+       region = io_mmap_get_region(ctx, vma->vm_pgoff);
+       if (!region || !io_region_is_set(region))
+               return -EINVAL;
+
+       if ((vma->vm_end - vma->vm_start) !=
+           (unsigned long) region->nr_pages << PAGE_SHIFT)
+               return -EINVAL;
+
+       /*
+        * Pin the pages so io_free_region()'s release_pages() does not
+        * drop the last reference while this VMA exists. delete_vma()
+        * in mm/nommu.c calls vma_close() which runs ->close above.
+        */
+       for (i = 0; i < region->nr_pages; i++)
+               get_page(region->pages[i]);
+
+       vma->vm_ops = &io_uring_nommu_vm_ops;
+       return 0;
 }
 
 unsigned int io_uring_nommu_mmap_capabilities(struct file *file)