From c30efa1f5bafdfe1046a29b0c0f3b7f7b41cbea4 Mon Sep 17 00:00:00 2001
From: Shaurya Rane
Date: Tue, 2 Dec 2025 01:57:40 +0530
Subject: [PATCH] io_uring: fix memory leak by freeing cached requests before percpu_ref exit

In io_ring_ctx_free(), io_req_caches_free() was called after percpu_ref_exit(). The cached requests need percpu_ref_put_many() to balance the percpu_ref_get_many() done during allocation in __io_alloc_req_refill(). If percpu_ref_exit() runs first, those put operations cannot properly balance the references, leaving allocated io_kiocb objects unreachable and causing kmemleak to report them as memory leaks. Move io_req_caches_free() before percpu_ref_exit() to ensure the cached requests are freed while the percpu_ref is still valid.

Reported-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug\?extid\=641eec6b7af1f62f2b99
Fixes: 63de899cb622 ("io_uring: count allocated requests")
Cc: stable@vger.kernel.org
Signed-off-by: Shaurya Rane
---
 io_uring/io_uring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 02339b74ba8d..99ddabb07fbd 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2868,9 +2868,9 @@ static __cold void io_ring_ctx_free(struct io_ring_ctx *ctx)
 if (!(ctx->flags & IORING_SETUP_NO_SQARRAY))
 static_branch_dec(&io_key_has_sqarray);
+ io_req_caches_free(ctx);
 percpu_ref_exit(&ctx->refs);
 free_uid(ctx->user);
- io_req_caches_free(ctx);
 WARN_ON_ONCE(ctx->nr_req_allocated);
-- 
2.34.1
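Review bot: The moved `io_req_caches_free(ctx);` call now has an ordering requirement against `percpu_ref_exit(&ctx->refs);` on the line after it, but nothing in the code records that, so a later tidy-up of io_ring_ctx_free() could silently put the calls back in the old order. A one-line comment above the call would pin it, for example `/* drops the ctx->refs held for cached requests; must run before percpu_ref_exit() */`. That io_req_caches_free() puts references on ctx->refs is stated only in the commit message; its body and the rest of io_ring_ctx_free() are outside this hunk, so the claim should be confirmed against each tree the patch is applied to, including the stable backports requested by the Cc trailer. The `WARN_ON_ONCE(ctx->nr_req_allocated);` that follows is the only visible check that the cache drain balanced the allocation count, so it is worth keeping directly after the teardown calls.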