syzbot


memory leak in io_submit_sqes (4)

Status: fixed on 2023/06/08 14:41
Subsystems: io-uring
[Documentation on labels]
Reported-by: syzbot+6c95df01470a47fc3af4@syzkaller.appspotmail.com
Fix commit: febb985c06cb io_uring/poll: add hash if ready poll request can't complete inline
First crash: 413d, last: 413d
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] memory leak in io_submit_sqes (4) 2 (5) 2023/01/09 22:12
[PATCH] io_uring/poll: add hash if ready poll request can't complete inline 1 (1) 2023/01/09 21:58
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream memory leak in io_submit_sqes fs io-uring C 2 1274d 1293d 15/26 fixed on 2020/09/16 22:51
upstream memory leak in io_submit_sqes (2) fs io-uring C 1 1090d 1089d 20/26 fixed on 2021/04/09 19:46
upstream memory leak in io_submit_sqes (3) fs io-uring C 1 1003d 1003d 0/26 auto-obsoleted due to no activity on 2022/10/10 15:32
Last patch testing requests (2)
Created Duration User Patch Repo Result
2023/01/09 21:51 17m axboe@kernel.dk git://git.kernel.dk/linux.git syztest OK log
2023/01/09 13:10 9m asml.silence@gmail.com git://git.kernel.dk/linux.git syztest report log

Sample crash report:
executing program
executing program
executing program
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88810de89200 (size 256):
  comm "syz-executor286", pid 5100, jiffies 4294952261 (age 14.130s)
  hex dump (first 32 bytes):
    00 8f 90 0a 81 88 ff ff 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00  .........@......
  backtrace:
    [<ffffffff84769af3>] __io_alloc_req_refill+0x55/0x193 io_uring/io_uring.c:1040
    [<ffffffff8476b084>] io_alloc_req_refill io_uring/io_uring.h:378 [inline]
    [<ffffffff8476b084>] io_submit_sqes.cold+0x65/0x8a io_uring/io_uring.c:2384
    [<ffffffff823986bd>] __do_sys_io_uring_enter+0x76d/0x1490 io_uring/io_uring.c:3345
    [<ffffffff848ef735>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff848ef735>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84a00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff888109cac600 (size 96):
  comm "syz-executor286", pid 5100, jiffies 4294952261 (age 14.130s)
  hex dump (first 32 bytes):
    00 8f 90 0a 81 88 ff ff 00 00 00 00 00 00 00 00  ................
    7b 20 00 c0 00 00 00 00 00 00 00 00 00 00 00 00  { ..............
  backtrace:
    [<ffffffff814f94a0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1062
    [<ffffffff823a702c>] kmalloc include/linux/slab.h:580 [inline]
    [<ffffffff823a702c>] io_req_alloc_apoll io_uring/poll.c:650 [inline]
    [<ffffffff823a702c>] io_arm_poll_handler+0x1fc/0x470 io_uring/poll.c:694
    [<ffffffff82395e4d>] io_queue_async+0x8d/0x2e0 io_uring/io_uring.c:2006
    [<ffffffff82397b98>] io_queue_sqe io_uring/io_uring.c:2037 [inline]
    [<ffffffff82397b98>] io_submit_sqe io_uring/io_uring.c:2286 [inline]
    [<ffffffff82397b98>] io_submit_sqes+0x968/0xb70 io_uring/io_uring.c:2397
    [<ffffffff823986bd>] __do_sys_io_uring_enter+0x76d/0x1490 io_uring/io_uring.c:3345
    [<ffffffff848ef735>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff848ef735>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84a00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff88810a72bb00 (size 256):
  comm "syz-executor286", pid 5100, jiffies 4294952261 (age 14.130s)
  hex dump (first 32 bytes):
    00 8f 90 0a 81 88 ff ff 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00  .........@......
  backtrace:
    [<ffffffff84769af3>] __io_alloc_req_refill+0x55/0x193 io_uring/io_uring.c:1040
    [<ffffffff8476b084>] io_alloc_req_refill io_uring/io_uring.h:378 [inline]
    [<ffffffff8476b084>] io_submit_sqes.cold+0x65/0x8a io_uring/io_uring.c:2384
    [<ffffffff823986bd>] __do_sys_io_uring_enter+0x76d/0x1490 io_uring/io_uring.c:3345
    [<ffffffff848ef735>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff848ef735>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84a00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff88810f18f600 (size 96):
  comm "syz-executor286", pid 5100, jiffies 4294952261 (age 14.130s)
  hex dump (first 32 bytes):
    00 8f 90 0a 81 88 ff ff 00 00 00 00 00 00 00 00  ................
    7b 20 00 c0 00 00 00 00 00 00 00 00 00 00 00 00  { ..............
  backtrace:
    [<ffffffff814f94a0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1062
    [<ffffffff823a702c>] kmalloc include/linux/slab.h:580 [inline]
    [<ffffffff823a702c>] io_req_alloc_apoll io_uring/poll.c:650 [inline]
    [<ffffffff823a702c>] io_arm_poll_handler+0x1fc/0x470 io_uring/poll.c:694
    [<ffffffff82395e4d>] io_queue_async+0x8d/0x2e0 io_uring/io_uring.c:2006
    [<ffffffff82397b98>] io_queue_sqe io_uring/io_uring.c:2037 [inline]
    [<ffffffff82397b98>] io_submit_sqe io_uring/io_uring.c:2286 [inline]
    [<ffffffff82397b98>] io_submit_sqes+0x968/0xb70 io_uring/io_uring.c:2397
    [<ffffffff823986bd>] __do_sys_io_uring_enter+0x76d/0x1490 io_uring/io_uring.c:3345
    [<ffffffff848ef735>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff848ef735>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84a00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd


Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/01/08 10:06 upstream 0a71553536d2 1dac8c7a .config console log report syz C ci-upstream-gce-leak memory leak in io_submit_sqes
* Struck through repros no longer work on HEAD.