Re: [syzbot] [io-uring?] memory leak in io_submit_sqes (5)

From: Jens Axboe
Date: Mon Dec 01 2025 - 16:31:44 EST

Next message: Richard Weinberger: "Re: [PATCH 1/4] dt-bindings: Document new common property: has-inaccessible-regs"
Previous message: Mehdi Ben Hadj Khelifa: "[PATCH v3 2/2] hfsplus: ensure sb->s_fs_info is always cleaned up"
In reply to: Jens Axboe: "Re: [syzbot] [io-uring?] memory leak in io_submit_sqes (5)"
Next in thread: syzbot: "Re: [syzbot] [io-uring?] memory leak in io_submit_sqes (5)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Let's try this again, seemed like a testing failure last time...

#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/io_uring/poll.c b/io_uring/poll.c
index b9681d0f9f13..0d5bb90d4743 100644
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -936,12 +936,17 @@ int io_poll_remove(struct io_kiocb *req, unsigned int issue_flags)

ret2 = io_poll_add(preq, issue_flags & ~IO_URING_F_UNLOCKED);
/* successfully updated, don't complete poll request */
- if (!ret2 || ret2 == -EIOCBQUEUED)
+ if (ret2 == IOU_ISSUE_SKIP_COMPLETE)
goto out;
+ /* request completed as part of the update, complete it */
+ else if (ret2 == IOU_COMPLETE)
+ goto complete;
}

- req_set_fail(preq);
io_req_set_res(preq, -ECANCELED, 0);
+complete:
+ if (preq->cqe.res < 0)
+ req_set_fail(preq);
preq->io_task_work.func = io_req_task_complete;
io_req_task_work_add(preq);
out:

--
Jens Axboe

Next message: Richard Weinberger: "Re: [PATCH 1/4] dt-bindings: Document new common property: has-inaccessible-regs"
Previous message: Mehdi Ben Hadj Khelifa: "[PATCH v3 2/2] hfsplus: ensure sb->s_fs_info is always cleaned up"
In reply to: Jens Axboe: "Re: [syzbot] [io-uring?] memory leak in io_submit_sqes (5)"
Next in thread: syzbot: "Re: [syzbot] [io-uring?] memory leak in io_submit_sqes (5)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]