lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <69369331.a70a0220.38f243.009e.GAE@google.com>
Date: Mon, 08 Dec 2025 00:58:25 -0800
From: syzbot <syzbot+eadd98df8bceb15d7fed@...kaller.appspotmail.com>
To: clm@...com, dsterba@...e.com, josef@...icpanda.com, 
	linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: [syzbot] [btrfs?] memory leak in btrfs_read_chunk_tree

Hello,

syzbot found the following issue on:

HEAD commit:    8f7aa3d3c732 Merge tag 'net-next-6.19' of git://git.kernel..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1412c01a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3bdbe6509b080086
dashboard link: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16cbd192580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1676eab4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/75704c8ef83a/disk-8f7aa3d3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fc039c7b45ea/vmlinux-8f7aa3d3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/80c77928126a/bzImage-8f7aa3d3.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/4340667fac60/mount_0.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1771dcc2580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+eadd98df8bceb15d7fed@...kaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff8881092fce00 (size 512):
  comm "syz.0.17", pid 6092, jiffies 4294942574
  hex dump (first 32 bytes):
    00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf  ..D..W@...W.}D..
    00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf  ..D..W@...W.}D..
  backtrace (crc d3ac311e):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4953 [inline]
    slab_alloc_node mm/slub.c:5258 [inline]
    __kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
    kmalloc_noprof include/linux/slab.h:957 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381
    open_seed_devices fs/btrfs/volumes.c:7172 [inline]
    read_one_dev fs/btrfs/volumes.c:7228 [inline]
    btrfs_read_chunk_tree+0xa8f/0xcf0 fs/btrfs/volumes.c:7521
    open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
    btrfs_fill_super fs/btrfs/super.c:987 [inline]
    btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
    btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
    btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
    vfs_get_tree+0x31/0x120 fs/super.c:1759
    fc_mount fs/namespace.c:1199 [inline]
    do_new_mount_fc fs/namespace.c:3636 [inline]
    do_new_mount fs/namespace.c:3712 [inline]
    path_mount+0x5b5/0x1320 fs/namespace.c:4022
    do_mount fs/namespace.c:4035 [inline]
    __do_sys_mount fs/namespace.c:4224 [inline]
    __se_sys_mount fs/namespace.c:4201 [inline]
    __x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881251dfc00 (size 1024):
  comm "syz.0.17", pid 6092, jiffies 4294942574
  hex dump (first 32 bytes):
    90 ce 2f 09 81 88 ff ff 90 ce 2f 09 81 88 ff ff  ../......./.....
    10 fc 1d 25 81 88 ff ff 10 fc 1d 25 81 88 ff ff  ...%.......%....
  backtrace (crc 3c4c04f1):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4953 [inline]
    slab_alloc_node mm/slub.c:5258 [inline]
    __kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
    kmalloc_noprof include/linux/slab.h:957 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    btrfs_alloc_device+0x5c/0x1f0 fs/btrfs/volumes.c:6907
    add_missing_dev+0x4b/0xf0 fs/btrfs/volumes.c:6867
    read_one_dev fs/btrfs/volumes.c:7241 [inline]
    btrfs_read_chunk_tree+0x7cf/0xcf0 fs/btrfs/volumes.c:7521
    open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
    btrfs_fill_super fs/btrfs/super.c:987 [inline]
    btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
    btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
    btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
    vfs_get_tree+0x31/0x120 fs/super.c:1759
    fc_mount fs/namespace.c:1199 [inline]
    do_new_mount_fc fs/namespace.c:3636 [inline]
    do_new_mount fs/namespace.c:3712 [inline]
    path_mount+0x5b5/0x1320 fs/namespace.c:4022
    do_mount fs/namespace.c:4035 [inline]
    __do_sys_mount fs/namespace.c:4224 [inline]
    __se_sys_mount fs/namespace.c:4201 [inline]
    __x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888126e4a400 (size 512):
  comm "syz.0.18", pid 6135, jiffies 4294942600
  hex dump (first 32 bytes):
    00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf  ..D..W@...W.}D..
    00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf  ..D..W@...W.}D..
  backtrace (crc 8b73c9ef):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4953 [inline]
    slab_alloc_node mm/slub.c:5258 [inline]
    __kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
    kmalloc_noprof include/linux/slab.h:957 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381
    open_seed_devices fs/btrfs/volumes.c:7172 [inline]
    read_one_dev fs/btrfs/volumes.c:7228 [inline]
    btrfs_read_chunk_tree+0xa8f/0xcf0 fs/btrfs/volumes.c:7521
    open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
    btrfs_fill_super fs/btrfs/super.c:987 [inline]
    btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
    btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
    btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
    vfs_get_tree+0x31/0x120 fs/super.c:1759
    fc_mount fs/namespace.c:1199 [inline]
    do_new_mount_fc fs/namespace.c:3636 [inline]
    do_new_mount fs/namespace.c:3712 [inline]
    path_mount+0x5b5/0x1320 fs/namespace.c:4022
    do_mount fs/namespace.c:4035 [inline]
    __do_sys_mount fs/namespace.c:4224 [inline]
    __se_sys_mount fs/namespace.c:4201 [inline]
    __x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810ea93000 (size 1024):
  comm "syz.0.18", pid 6135, jiffies 4294942600
  hex dump (first 32 bytes):
    90 a4 e4 26 81 88 ff ff 90 a4 e4 26 81 88 ff ff  ...&.......&....
    10 30 a9 0e 81 88 ff ff 10 30 a9 0e 81 88 ff ff  .0.......0......
  backtrace (crc 2183446):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4953 [inline]
    slab_alloc_node mm/slub.c:5258 [inline]
    __kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
    kmalloc_noprof include/linux/slab.h:957 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    btrfs_alloc_device+0x5c/0x1f0 fs/btrfs/volumes.c:6907
    add_missing_dev+0x4b/0xf0 fs/btrfs/volumes.c:6867
    read_one_dev fs/btrfs/volumes.c:7241 [inline]
    btrfs_read_chunk_tree+0x7cf/0xcf0 fs/btrfs/volumes.c:7521
    open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
    btrfs_fill_super fs/btrfs/super.c:987 [inline]
    btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
    btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
    btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
    vfs_get_tree+0x31/0x120 fs/super.c:1759
    fc_mount fs/namespace.c:1199 [inline]
    do_new_mount_fc fs/namespace.c:3636 [inline]
    do_new_mount fs/namespace.c:3712 [inline]
    path_mount+0x5b5/0x1320 fs/namespace.c:4022
    do_mount fs/namespace.c:4035 [inline]
    __do_sys_mount fs/namespace.c:4224 [inline]
    __se_sys_mount fs/namespace.c:4201 [inline]
    __x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ