| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6919bd8f.a70a0220.3124cb.007d.GAE@google.com>
Date: Sun, 16 Nov 2025 04:03:27 -0800
From: syzbot <syzbot+cf08c551fecea9fd1320@...kaller.appspotmail.com>
To: andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
daniel@...earbox.net, eddyz87@...il.com, haoluo@...gle.com,
john.fastabend@...il.com, jolsa@...nel.org, kpsingh@...nel.org,
linux-kernel@...r.kernel.org, martin.lau@...ux.dev, sdf@...ichev.me,
song@...nel.org, syzkaller-bugs@...glegroups.com, yonghong.song@...ux.dev
Subject: [syzbot] [bpf?] memory leak in map_create
Hello,
syzbot found the following issue on:
HEAD commit: 24172e0d7990 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17818692580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
dashboard link: https://syzkaller.appspot.com/bug?extid=cf08c551fecea9fd1320
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17a64658580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ac3c12580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ded911fa4408/disk-24172e0d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a1f3e61cb784/vmlinux-24172e0d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b92fd0e25cb7/bzImage-24172e0d.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cf08c551fecea9fd1320@...kaller.appspotmail.com
2025/11/12 11:58:15 executed programs: 5
BUG: memory leak
unreferenced object 0xffff888125a64000 (size 1024):
comm "syz.0.17", pid 6096, jiffies 4294942817
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 7b9fb9b4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
__do_kmalloc_node mm/slub.c:5649 [inline]
__kmalloc_node_noprof+0x3b4/0x6c0 mm/slub.c:5656
kmalloc_node_noprof include/linux/slab.h:987 [inline]
__bpf_map_area_alloc+0x17a/0x1a0 kernel/bpf/syscall.c:395
htab_map_alloc+0x67/0x950 kernel/bpf/hashtab.c:489
map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512
__sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131
__do_sys_bpf kernel/bpf/syscall.c:6259 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6257 [inline]
__x64_sys_bpf+0x22/0x30 kernel/bpf/syscall.c:6257
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object (percpu) 0x607e4d6674b0 (size 8):
comm "syz.0.17", pid 6096, jiffies 4294942817
hex dump (first 8 bytes on cpu 0):
00 00 00 00 00 00 00 00 ........
backtrace (crc 0):
pcpu_alloc_noprof+0x83a/0xd80 mm/percpu.c:1890
bpf_map_alloc_percpu+0x7b/0x190 kernel/bpf/syscall.c:575
bpf_map_init_elem_count include/linux/bpf.h:2532 [inline]
htab_map_alloc+0x165/0x950 kernel/bpf/hashtab.c:527
map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512
__sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131
__do_sys_bpf kernel/bpf/syscall.c:6259 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6257 [inline]
__x64_sys_bpf+0x22/0x30 kernel/bpf/syscall.c:6257
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888125a64400 (size 1024):
comm "syz.0.17", pid 6096, jiffies 4294942817
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 2cb93737):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
__do_kmalloc_node mm/slub.c:5649 [inline]
__kmalloc_node_noprof+0x3b4/0x6c0 mm/slub.c:5656
kmalloc_node_noprof include/linux/slab.h:987 [inline]
__bpf_map_area_alloc+0x17a/0x1a0 kernel/bpf/syscall.c:395
htab_map_alloc+0x18c/0x950 kernel/bpf/hashtab.c:532
map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512
__sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131
__do_sys_bpf kernel/bpf/syscall.c:6259 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6257 [inline]
__x64_sys_bpf+0x22/0x30 kernel/bpf/syscall.c:6257
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object (percpu) 0x607e4d6674b8 (size 208):
comm "syz.0.17", pid 6096, jiffies 4294942817
hex dump (first 32 bytes on cpu 0):
e0 f7 2c 27 81 88 ff ff 00 00 00 00 00 00 00 00 ..,'............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc ee549e23):
pcpu_alloc_noprof+0x83a/0xd80 mm/percpu.c:1890
bpf_mem_alloc_init+0x2fe/0x540 kernel/bpf/memalloc.c:525
htab_map_alloc+0x6ce/0x950 kernel/bpf/hashtab.c:579
map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512
__sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131
__do_sys_bpf kernel/bpf/syscall.c:6259 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6257 [inline]
__x64_sys_bpf+0x22/0x30 kernel/bpf/syscall.c:6257
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881272cf4e0 (size 96):
comm "syz.0.17", pid 6096, jiffies 4294942817
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 0):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
__do_kmalloc_node mm/slub.c:5649 [inline]
__kmalloc_node_noprof+0x3b4/0x6c0 mm/slub.c:5656
kmalloc_node_noprof include/linux/slab.h:987 [inline]
__alloc+0x92/0xd0 kernel/bpf/memalloc.c:155
alloc_bulk+0x242/0x3a0 kernel/bpf/memalloc.c:246
prefill_mem_cache kernel/bpf/memalloc.c:499 [inline]
bpf_mem_alloc_init+0x471/0x540 kernel/bpf/memalloc.c:546
htab_map_alloc+0x6ce/0x950 kernel/bpf/hashtab.c:579
map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512
__sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131
__do_sys_bpf kernel/bpf/syscall.c:6259 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6257 [inline]
__x64_sys_bpf+0x22/0x30 kernel/bpf/syscall.c:6257
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881272cf720 (size 96):
comm "syz.0.17", pid 6096, jiffies 4294942817
hex dump (first 32 bytes):
e0 f4 2c 27 81 88 ff ff 00 00 00 00 00 00 00 00 ..,'............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 6bfb1ae8):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
__do_kmalloc_node mm/slub.c:5649 [inline]
__kmalloc_node_noprof+0x3b4/0x6c0 mm/slub.c:5656
kmalloc_node_noprof include/linux/slab.h:987 [inline]
__alloc+0x92/0xd0 kernel/bpf/memalloc.c:155
alloc_bulk+0x242/0x3a0 kernel/bpf/memalloc.c:246
prefill_mem_cache kernel/bpf/memalloc.c:499 [inline]
bpf_mem_alloc_init+0x471/0x540 kernel/bpf/memalloc.c:546
htab_map_alloc+0x6ce/0x950 kernel/bpf/hashtab.c:579
map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512
__sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131
__do_sys_bpf kernel/bpf/syscall.c:6259 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6257 [inline]
__x64_sys_bpf+0x22/0x30 kernel/bpf/syscall.c:6257
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881272cf660 (size 96):
comm "syz.0.17", pid 6096, jiffies 4294942817
hex dump (first 32 bytes):
20 f7 2c 27 81 88 ff ff 00 00 00 00 00 00 00 00 .,'............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc ebf498a1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
__do_kmalloc_node mm/slub.c:5649 [inline]
__kmalloc_node_noprof+0x3b4/0x6c0 mm/slub.c:5656
kmalloc_node_noprof include/linux/slab.h:987 [inline]
__alloc+0x92/0xd0 kernel/bpf/memalloc.c:155
alloc_bulk+0x242/0x3a0 kernel/bpf/memalloc.c:246
prefill_mem_cache kernel/bpf/memalloc.c:499 [inline]
bpf_mem_alloc_init+0x471/0x540 kernel/bpf/memalloc.c:546
htab_map_alloc+0x6ce/0x950 kernel/bpf/hashtab.c:579
map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512
__sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131
__do_sys_bpf kernel/bpf/syscall.c:6259 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6257 [inline]
__x64_sys_bpf+0x22/0x30 kernel/bpf/syscall.c:6257
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Powered by blists - more mailing lists