io_uring: fix potential page leak in io_sqe_buffer_register()
authorPenglei Jiang <superman.xpt@gmail.com>
Tue, 17 Jun 2025 16:56:44 +0000 (09:56 -0700)
committerJens Axboe <axboe@kernel.dk>
Wed, 18 Jun 2025 11:09:46 +0000 (05:09 -0600)
If allocation of the 'imu' fails, then the existing pages aren't
unpinned in the error path. This is mostly a theoretical issue,
requiring fault injection to hit.

Move unpin_user_pages() to unified error handling to fix the page leak
issue.

Fixes: d8c2237d0aa9 ("io_uring: add io_pin_pages() helper")
Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
Link: https://lore.kernel.org/r/20250617165644.79165-1-superman.xpt@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
io_uring/rsrc.c

index 94a9db030e0e5f89c4b80b5ea1436d970c2d68c9..d724602697e7cfdf0229718d7be8874bf135c15d 100644 (file)
@@ -809,10 +809,8 @@ static struct io_rsrc_node *io_sqe_buffer_register(struct io_ring_ctx *ctx,
 
        imu->nr_bvecs = nr_pages;
        ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage);
-       if (ret) {
-               unpin_user_pages(pages, nr_pages);
+       if (ret)
                goto done;
-       }
 
        size = iov->iov_len;
        /* store original address for later verification */
@@ -842,6 +840,8 @@ done:
        if (ret) {
                if (imu)
                        io_free_imu(ctx, imu);
+               if (pages)
+                       unpin_user_pages(pages, nr_pages);
                io_cache_free(&ctx->node_cache, node);
                node = ERR_PTR(ret);
        }
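Review bot: The new `if (pages)` guard in the `done:` error block is only safe if `pages` is NULL whenever nothing is pinned and `nr_pages` always matches the array currently held in `pages`. Both are set outside this hunk, so the invariant deserves a comment at the check, for example `/* pages != NULL means pinning succeeded; drop the nr_pages pins still held */`. If an earlier step can leave an error pointer in `pages`, or replace the array with a shorter one without updating `nr_pages`, this call would release the wrong set of pins, so that should be confirmed against the part of the function not shown. Because the first hunk removes the local unpin after `io_buffer_account_pin()`, every later `goto done` with `ret` set now drops the pins too, which is worth a glance for any path that has already handed the pages to `imu`.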