From: shaurya <ssranevjti@gmail.com>
To: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
Cc: axboe@kernel.dk, io-uring@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [io-uring?] memory leak in io_submit_sqes (5)
Date: Tue, 2 Dec 2025 02:06:39 +0530
Message-ID: <d08c0c69-eafa-4768-906a-50a7e039e76d@gmail.com>
In-Reply-To: <692dcb58.a70a0220.2ea503.00b5.GAE@google.com>
[-- Attachment #1: Type: text/plain, Size: 84 bytes --]
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
[-- Attachment #2: 0001-io_uring-fix-memory-leak-by-freeing-cached-requests-.patch --]
[-- Type: text/x-patch, Size: 1632 bytes --]
From c30efa1f5bafdfe1046a29b0c0f3b7f7b41cbea4 Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Date: Tue, 2 Dec 2025 01:57:40 +0530
Subject: [PATCH] io_uring: fix memory leak by freeing cached requests before
percpu_ref exit
In io_ring_ctx_free(), io_req_caches_free() was called after
percpu_ref_exit(). The cached requests need percpu_ref_put_many()
to balance the percpu_ref_get_many() done during allocation in
__io_alloc_req_refill(). If percpu_ref_exit() runs first, those
put operations cannot properly balance the references, leaving
allocated io_kiocb objects unreachable and causing kmemleak to
report them as memory leaks.
Move io_req_caches_free() before percpu_ref_exit() to ensure the
cached requests are freed while the percpu_ref is still valid.
Reported-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug\?extid\=641eec6b7af1f62f2b99
Fixes: 63de899cb622 ("io_uring: count allocated requests")
Cc: stable@vger.kernel.org
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
io_uring/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 02339b74ba8d..99ddabb07fbd 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2868,9 +2868,9 @@ static __cold void io_ring_ctx_free(struct io_ring_ctx *ctx)
if (!(ctx->flags & IORING_SETUP_NO_SQARRAY))
static_branch_dec(&io_key_has_sqarray);
+ io_req_caches_free(ctx);
percpu_ref_exit(&ctx->refs);
free_uid(ctx->user);
- io_req_caches_free(ctx);
WARN_ON_ONCE(ctx->nr_req_allocated);
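Review bot: The new placement of io_req_caches_free(ctx) directly above percpu_ref_exit(&ctx->refs) is an ordering requirement that nothing in the code records. A short comment at that call saying the cached requests must be freed while ctx->refs is still valid, which is the reason the commit message gives, would keep a later cleanup from moving the call back below percpu_ref_exit(). The WARN_ON_ONCE(ctx->nr_req_allocated) check remains after the free, so it still checks the count once the caches are gone. Separately, the Closes: trailer carries shell-escaped "\?" and "\=" in its URL; those should be unescaped before the patch is applied.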
--
2.34.1