Re: [syzbot] [io-uring?] memory leak in io_submit_sqes (5)

From: shaurya
Date: Mon Dec 01 2025 - 15:36:55 EST


#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From c30efa1f5bafdfe1046a29b0c0f3b7f7b41cbea4 Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssrane_b23@xxxxxxxxxxxxx>
Date: Tue, 2 Dec 2025 01:57:40 +0530
Subject: [PATCH] io_uring: fix memory leak by freeing cached requests before
percpu_ref exit

In io_ring_ctx_free(), io_req_caches_free() was called after
percpu_ref_exit(). The cached requests need percpu_ref_put_many()
to balance the percpu_ref_get_many() done during allocation in
__io_alloc_req_refill(). If percpu_ref_exit() runs first, those
put operations cannot properly balance the references, leaving
allocated io_kiocb objects unreachable and causing kmemleak to
report them as memory leaks.

Move io_req_caches_free() before percpu_ref_exit() to ensure the
cached requests are freed while the percpu_ref is still valid.

Reported-by: syzbot+641eec6b7af1f62f2b99@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug\?extid\=641eec6b7af1f62f2b99
Fixes: 63de899cb622 ("io_uring: count allocated requests")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Shaurya Rane <ssrane_b23@xxxxxxxxxxxxx>
---
io_uring/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 02339b74ba8d..99ddabb07fbd 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2868,9 +2868,9 @@ static __cold void io_ring_ctx_free(struct io_ring_ctx *ctx)
if (!(ctx->flags & IORING_SETUP_NO_SQARRAY))
static_branch_dec(&io_key_has_sqarray);

+ io_req_caches_free(ctx);
percpu_ref_exit(&ctx->refs);
free_uid(ctx->user);
- io_req_caches_free(ctx);

WARN_ON_ONCE(ctx->nr_req_allocated);
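Review bot: the commit message does not explain the mechanism by which the old ordering leaks, and the hunk alone does not show one: io_req_caches_free(ctx) was already being called on this path, only later, so it needs to be stated why freeing the cached io_kiocb objects from that call would be skipped or fail once percpu_ref_exit(&ctx->refs) has run. The WARN_ON_ONCE(ctx->nr_req_allocated) directly below the moved call is the accounting introduced by the commit named in the Fixes tag; if leaked requests were still sitting in the cache when io_ring_ctx_free() ran, that check would be expected to trigger. Please say whether the syzbot report includes that warning, and if it does not, explain how reordering these two calls addresses a leak of requests that are not in the cache at this point. Putting the cache teardown before percpu_ref_exit() is reasonable on its own, but the description should justify the Fixes and stable tags with the actual failure path rather than with "cannot properly balance the references".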

--
2.34.1