io_uring/zcrx: fix sgtable leak on mapping failures

[ Upstream commit a983aae397767e9da931128ff2b5bf9066513ce3 ]

In an unlikely case when io_populate_area_dma() fails, which could only
happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine,
io_zcrx_map_area() will have an initialised and not freed table. It was
supposed to be cleaned up in the error path, but !is_mapped prevents
that.

Fixes: 439a98b972fbb ("io_uring/zcrx: deduplicate area mapping")
Cc: stable@vger.kernel.org
Reported-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
index 03396769c775dc6f85277970300636fb9053e50d..030d632d983921e316e9dbbbe2c85df69b35c6fb 100644 (file)
--- a/io_uring/zcrx.c
+++ b/io_uring/zcrx.c
@@ -287,6 +287,9 @@ static int io_zcrx_map_area(struct io_zcrx_ifq *ifq, struct io_zcrx_area *area)
        }
 
        ret = io_populate_area_dma(ifq, area);
+       if (ret && !area->mem.is_dmabuf)
+               dma_unmap_sgtable(ifq->dev, &area->mem.page_sg_table,
+                                 DMA_FROM_DEVICE, IO_DMA_ATTR);
        if (ret == 0)
                area->is_mapped = true;
        return ret;