[lvc-project] [PATCH] lib: free pagelist on error in iov_iter_extract_pages()
Dmitry Antipov
dmantipov at yandex.ru
Tue May 12 11:12:49 MSK 2026
On Fri, 2026-05-08 at 11:33 -0700, Caleb Sander Mateos wrote:
> Indeed, it looks like *all* callers of iov_iter_extract_pages()
> pass a non-NULL struct page **.
This is not true for 6.12.x at least (where this issue was initially discovered),
where bio_map_user_iov() does the following:
...
	while (iov_iter_count(iter)) {
		struct page *stack_pages[UIO_FASTIOV];
		struct page **pages = stack_pages;
		ssize_t bytes;
		size_t offs;
		int npages;

		if (nr_vecs > ARRAY_SIZE(stack_pages))
			/* Stack pages aren't enough, so set 'pages' to NULL
			   and force allocation by want_pages_array(). */
			pages = NULL;

		bytes = iov_iter_extract_pages(iter, &pages, LONG_MAX,
					       nr_vecs, extraction_flags, &offs);
		if (unlikely(bytes <= 0)) {
			/* If 'pages' was allocated (and so pages != stack_pages), memory leak here */
			ret = bytes ? bytes : -EFAULT;
			goto out_unmap;
		}
For 6.12.x and maybe other stables, the simplest possible fix is
https://lore.kernel.org/stable/20260505094529.406783-1-dmantipov@yandex.ru/T/#u.
For upstream, it may be better to tweak iov_iter_extract_pages() itself, but
it may be required to adjust all of the callers.
Dmitry
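
A userspace C model of the ownership problem described in the message above, added here as an illustration; it is not kernel code and not the linked patch. The names `extract_model`, `map_model`, `FAST_SLOTS` and `live_arrays` are hypothetical, and the caller-side free is one assumed way to close the leak.

```c
#include <stdio.h>
#include <stdlib.h>

#define FAST_SLOTS 8		/* stands in for UIO_FASTIOV */
static int live_arrays;		/* heap page arrays not yet freed */

/* Hypothetical stand-in for iov_iter_extract_pages(): allocates *pages
 * when the caller passes NULL and can still fail afterwards. */
static long extract_model(void ***pages, size_t want, int fail)
{
	if (!*pages) {
		*pages = calloc(want, sizeof(void *));
		if (!*pages)
			return -12;	/* -ENOMEM */
		live_arrays++;
	}
	return fail ? -14 : (long)want;	/* -EFAULT on simulated failure */
}

/* Caller shaped like the loop body quoted in the message. */
static long map_model(size_t nr_vecs, int fail, int free_on_error)
{
	void *stack_pages[FAST_SLOTS];
	void **pages = stack_pages;
	long bytes;

	if (nr_vecs > FAST_SLOTS)
		pages = NULL;	/* force allocation in the callee */
	bytes = extract_model(&pages, nr_vecs, fail);
	if (bytes <= 0) {
		bytes = bytes ? bytes : -14;
		if (!free_on_error)
			return bytes;	/* heap array, if any, is lost here */
	}
	if (pages && pages != stack_pages) {	/* assumed caller-side cleanup */
		free(pages);
		live_arrays--;
	}
	return bytes;
}

int main(void)
{
	map_model(16, 1, 0);
	printf("error path without free: %d array(s) leaked\n", live_arrays);
	live_arrays = 0;
	map_model(16, 1, 1);
	printf("error path with free:    %d array(s) leaked\n", live_arrays);
	return 0;
}
```

The leak only appears when `nr_vecs` exceeds the on-stack array, which is why a caller that always passes a non-NULL array never exercises it.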