io_uring: fix corner case forgetting to vunmap

commit 43eef70e7e2ac74e7767731dd806720c7fb5e010 upstream.

io_pages_unmap() is a bit tricky in trying to figure whether the pages
were previously vmap'ed or not. In particular If there is juts one page
it belives there is no need to vunmap. Paired io_pages_map(), however,
could've failed io_mem_alloc_compound() and attempted to
io_mem_alloc_single(), which does vmap, and that leads to unpaired vmap.

The solution is to fail if io_mem_alloc_compound() can't allocate a
single page. That's the easiest way to deal with it, and those two
functions are getting removed soon, so no need to overcomplicate it.

Cc: stable@vger.kernel.org
Fixes: 3ab1db3c6039e ("io_uring: get rid of remap_pfn_range() for mapping rings/sqes")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/477e75a3907a2fe83249e49c0a92cd480b2c60e0.1732569842.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/io_uring/memmap.c b/io_uring/memmap.c
index a0f32a255fd1e1a0e3bd0c2f20421d66fc0b2a25..de5b584b7fab9afc2cdaf1a9fe446097bf2882ba 100644 (file)
--- a/io_uring/memmap.c
+++ b/io_uring/memmap.c
@@ -72,6 +72,8 @@ void *io_pages_map(struct page ***out_pages, unsigned short *npages,
        ret = io_mem_alloc_compound(pages, nr_pages, size, gfp);
        if (!IS_ERR(ret))
                goto done;
+       if (nr_pages == 1)
+               goto fail;
 
        ret = io_mem_alloc_single(pages, nr_pages, size, gfp);
        if (!IS_ERR(ret)) {
@@ -80,7 +82,7 @@ done:
                *npages = nr_pages;
                return ret;
        }
-
+fail:
        kvfree(pages);
        *out_pages = NULL;
        *npages = 0;