io_uring: fix potential page leak in io_sqe_buffer_register()

JIRA: https://issues.redhat.com/browse/RHEL-105612
Conflicts: There are context differences due to upstream commit
ed9f311 ("io_uring: cache nodes and mapped buffers").

commit e1c7583
Author: Penglei Jiang <superman.xpt@gmail.com>
Date:   Tue Jun 17 09:56:44 2025 -0700

    io_uring: fix potential page leak in io_sqe_buffer_register()
    
    If allocation of the 'imu' fails, then the existing pages aren't
    unpinned in the error path. This is mostly a theoretical issue,
    requiring fault injection to hit.
    
    Move unpin_user_pages() to unified error handling to fix the page leak
    issue.
    
    Fixes: d8c2237 ("io_uring: add io_pin_pages() helper")
    Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
    Link: https://lore.kernel.org/r/20250617165644.79165-1-superman.xpt@gmail.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>

Author: JeffMoyer

io_uring/rsrc.c

@@ -766,10 +766,8 @@ static struct io_rsrc_node *io_sqe_buffer_register(struct io_ring_ctx *ctx,
 		goto done;
 
 	ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage);
-	if (ret) {
-		unpin_user_pages(pages, nr_pages);
+	if (ret)
 		goto done;
-	}
 
 	size = iov->iov_len;
 	/* store original address for later verification */
@@ -795,6 +793,8 @@ static struct io_rsrc_node *io_sqe_buffer_register(struct io_ring_ctx *ctx,
 done:
 	if (ret) {
 		kvfree(imu);
+		if (pages)
+			unpin_user_pages(pages, nr_pages);
 		if (node)
 			io_put_rsrc_node(ctx, node);
 		node = ERR_PTR(ret);