From 272e645cc13ccff1ad124ba499282747cced7239 Mon Sep 17 00:00:00 2001
From: Dmitry Antipov
Date: Fri, 15 May 2026 12:26:34 +0300
Subject: [PATCH 6.12 2/2] block: bio-integrity: fix memory leak in bio_integrity_map_user()

Since 'iov_iter_extract_pages()' may allocate new array of pages even when it returns non-zero error value, matching cleanup with 'vfree()' should be performed on all return paths afterwards. So adjust 'bio_integrity_map_user()' to ensure that both 'pages' and 'bvec' arrays are always freed on return.

Fixes: 492c5d455969 ("block: bio-integrity: directly map user buffers")
Signed-off-by: Dmitry Antipov
---
 block/bio-integrity.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/block/bio-integrity.c b/block/bio-integrity.c
index 6641ecbf6967..f788a9ba1f38 100644
--- a/block/bio-integrity.c
+++ b/block/bio-integrity.c
@@ -338,11 +338,9 @@ int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t bytes,
 copy = !iov_iter_is_aligned(&iter, align, align);
 ret = iov_iter_extract_pages(&iter, &pages, bytes, nr_vecs, 0, &offset);
 if (unlikely(ret < 0))
- goto free_bvec;
+ goto out_free;

 nr_bvecs = bvec_from_pages(bvec, pages, nr_vecs, bytes, offset);
- if (pages != stack_pages)
- kvfree(pages);
 if (nr_bvecs > queue_max_integrity_segments(q))
 copy = true;

@@ -352,15 +350,11 @@ int bio_integrity_map_user(struct bio *bio, void __user *ubuf, ssize_t bytes,
 else
 ret = bio_integrity_init_user(bio, bvec, nr_bvecs, bytes, seed);
 if (ret)
- goto release_pages;
- if (bvec != stack_vec)
- kfree(bvec);
-
- return 0;
+ bio_integrity_unpin_bvec(bvec, nr_bvecs);
+out_free:
+ if (pages != stack_pages)
+ kvfree(pages);

-release_pages:
- bio_integrity_unpin_bvec(bvec, nr_bvecs);
-free_bvec:
 if (bvec != stack_vec)
 kfree(bvec);
 return ret;
-- 
2.54.0
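Review bot: The `if (unlikely(ret < 0))` test ahead of `goto out_free` rejects only negative results, so a zero or short positive return from `iov_iter_extract_pages()` would still reach `bvec_from_pages(bvec, pages, nr_vecs, bytes, offset)` with the full `nr_vecs` and `bytes`. Whether the extraction can come back short for this `__user` buffer is not visible in the hunk, so treat this as a question to confirm rather than a demonstrated bug; if it can, trailing `pages[]` entries would be read without having been filled in. At minimum the assumption deserves a comment above the call, e.g. `/* assumes a non-negative return covers all of 'bytes'; a short extraction is not handled here */`. The function starts and ends outside this hunk.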
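Review bot: `out_free:` is now the single exit for success and for both failure paths, which neither the label name nor the bare `if (ret)` above it makes obvious, and `kvfree(pages)` there depends on `pages` always being `stack_pages`, NULL or a live allocation when the label is reached. The initialisation of `pages` sits outside the hunk, so that invariant cannot be checked from here; a comment at the label would pin it down, e.g. `/* common exit: 'pages' is stack_pages, NULL or an array from iov_iter_extract_pages(); pinned pages were already dropped above if ret != 0 */`. The blank line left between the `kvfree(pages)` and `kfree(bvec)` blocks could go, since both belong to the same cleanup. The function body begins before this hunk.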