Merge tag 'io_uring-6.6-2023-10-20' of git://git.kernel.dk/linux

torvalds · torvalds · commit 747b7628ca66 · 2023-10-20T10:28:46.000-07:00
Pull io_uring fix from Jens Axboe:
 "Just a single fix for a bug report that came in, fixing a case where
  failure to init a ring with IORING_SETUP_NO_MMAP can trigger a NULL
  pointer dereference"

* tag 'io_uring-6.6-2023-10-20' of git://git.kernel.dk/linux:
  io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
@@ -2674,7 +2674,11 @@ static void io_pages_free(struct page ***pages, int npages)
 
 	if (!pages)
 		return;
+
 	page_array = *pages;
+	if (!page_array)
+		return;
+
 	for (i = 0; i < npages; i++)
 		unpin_user_page(page_array[i]);
 	kvfree(page_array);
@@ -2758,7 +2762,9 @@ static void io_rings_free(struct io_ring_ctx *ctx)
 		ctx->sq_sqes = NULL;
 	} else {
 		io_pages_free(&ctx->ring_pages, ctx->n_ring_pages);
+		ctx->n_ring_pages = 0;
 		io_pages_free(&ctx->sqe_pages, ctx->n_sqe_pages);
+		ctx->n_sqe_pages = 0;
 	}
 }
 
