| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <693a635a.a70a0220.33cd7b.0029.GAE@google.com>
Date: Wed, 10 Dec 2025 22:23:22 -0800
From: syzbot <syzbot+2f8aa76e6acc9fce6638@...kaller.appspotmail.com>
To: clm@...com, dsterba@...e.com, josef@...icpanda.com,
linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: [syzbot] [btrfs?] memory leak in qgroup_reserve_data
Hello,
syzbot found the following issue on:
HEAD commit: ba65a4e7120a Merge tag 'clk-for-linus' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=149a1992580000
kernel config: https://syzkaller.appspot.com/x/.config?x=69400c231dedfdcf
dashboard link: https://syzkaller.appspot.com/bug?extid=2f8aa76e6acc9fce6638
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17674ec2580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=129a1992580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/35dd946c3f76/disk-ba65a4e7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4279760dbda5/vmlinux-ba65a4e7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/66920d2c9825/bzImage-ba65a4e7.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a1009b9f463a/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=15666eb4580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2f8aa76e6acc9fce6638@...kaller.appspotmail.com
BUG: memory leak
unreferenced object 0xffff888108c93440 (size 64):
comm "syz.0.25", pid 6287, jiffies 4294945820
hex dump (first 32 bytes):
00 10 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
50 36 c9 08 81 88 ff ff 50 36 c9 08 81 88 ff ff P6......P6......
backtrace (crc 5115bfd6):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
extent_changeset_alloc fs/btrfs/extent_io.h:203 [inline]
qgroup_reserve_data+0x42c/0x4d0 fs/btrfs/qgroup.c:4199
btrfs_qgroup_reserve_data+0x9a/0xb0 fs/btrfs/qgroup.c:4257
btrfs_check_data_free_space+0x101/0x200 fs/btrfs/delalloc-space.c:164
btrfs_page_mkwrite+0x180/0xd30 fs/btrfs/file.c:1888
do_page_mkwrite+0x6c/0x100 mm/memory.c:3528
wp_page_shared mm/memory.c:3929 [inline]
do_wp_page+0x4fe/0x1d50 mm/memory.c:4148
handle_pte_fault mm/memory.c:6289 [inline]
__handle_mm_fault+0x125f/0x1e50 mm/memory.c:6411
handle_mm_fault+0x31c/0x630 mm/memory.c:6580
do_user_addr_fault+0x34f/0xba0 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x64/0xb0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
BUG: memory leak
unreferenced object 0xffff888108c93640 (size 64):
comm "syz.0.25", pid 6287, jiffies 4294945820
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 ff 0f 00 00 00 00 00 00 ................
50 34 c9 08 81 88 ff ff 50 34 c9 08 81 88 ff ff P4......P4......
backtrace (crc d90ae07a):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
ulist_prealloc+0x7a/0xd0 fs/btrfs/ulist.c:114
extent_changeset_prealloc fs/btrfs/extent_io.h:213 [inline]
set_extent_bit+0x104/0xc40 fs/btrfs/extent-io-tree.c:1083
btrfs_set_record_extent_bits+0x56/0xa0 fs/btrfs/extent-io-tree.c:1868
qgroup_reserve_data+0x116/0x4d0 fs/btrfs/qgroup.c:4206
btrfs_qgroup_reserve_data+0x9a/0xb0 fs/btrfs/qgroup.c:4257
btrfs_check_data_free_space+0x101/0x200 fs/btrfs/delalloc-space.c:164
btrfs_page_mkwrite+0x180/0xd30 fs/btrfs/file.c:1888
do_page_mkwrite+0x6c/0x100 mm/memory.c:3528
wp_page_shared mm/memory.c:3929 [inline]
do_wp_page+0x4fe/0x1d50 mm/memory.c:4148
handle_pte_fault mm/memory.c:6289 [inline]
__handle_mm_fault+0x125f/0x1e50 mm/memory.c:6411
handle_mm_fault+0x31c/0x630 mm/memory.c:6580
do_user_addr_fault+0x34f/0xba0 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x64/0xb0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
BUG: memory leak
unreferenced object 0xffff8881294d0cc0 (size 64):
comm "syz.0.25", pid 6288, jiffies 4294945820
hex dump (first 32 bytes):
00 10 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
d0 03 4d 29 81 88 ff ff d0 03 4d 29 81 88 ff ff ..M)......M)....
backtrace (crc 99a57742):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
extent_changeset_alloc fs/btrfs/extent_io.h:203 [inline]
qgroup_reserve_data+0x42c/0x4d0 fs/btrfs/qgroup.c:4199
btrfs_qgroup_reserve_data+0x9a/0xb0 fs/btrfs/qgroup.c:4257
btrfs_check_data_free_space+0x101/0x200 fs/btrfs/delalloc-space.c:164
btrfs_page_mkwrite+0x180/0xd30 fs/btrfs/file.c:1888
do_page_mkwrite+0x6c/0x100 mm/memory.c:3528
wp_page_shared mm/memory.c:3929 [inline]
do_wp_page+0x4fe/0x1d50 mm/memory.c:4148
handle_pte_fault mm/memory.c:6289 [inline]
__handle_mm_fault+0x125f/0x1e50 mm/memory.c:6411
handle_mm_fault+0x31c/0x630 mm/memory.c:6580
do_user_addr_fault+0x239/0xba0 arch/x86/mm/fault.c:1387
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x64/0xb0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
BUG: memory leak
unreferenced object 0xffff8881294d03c0 (size 64):
comm "syz.0.25", pid 6288, jiffies 4294945820
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 ff 0f 00 00 00 00 00 00 ................
d0 0c 4d 29 81 88 ff ff d0 0c 4d 29 81 88 ff ff ..M)......M)....
backtrace (crc edd2342):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
ulist_prealloc+0x7a/0xd0 fs/btrfs/ulist.c:114
extent_changeset_prealloc fs/btrfs/extent_io.h:213 [inline]
set_extent_bit+0x104/0xc40 fs/btrfs/extent-io-tree.c:1083
btrfs_set_record_extent_bits+0x56/0xa0 fs/btrfs/extent-io-tree.c:1868
qgroup_reserve_data+0x116/0x4d0 fs/btrfs/qgroup.c:4206
btrfs_qgroup_reserve_data+0x9a/0xb0 fs/btrfs/qgroup.c:4257
btrfs_check_data_free_space+0x101/0x200 fs/btrfs/delalloc-space.c:164
btrfs_page_mkwrite+0x180/0xd30 fs/btrfs/file.c:1888
do_page_mkwrite+0x6c/0x100 mm/memory.c:3528
wp_page_shared mm/memory.c:3929 [inline]
do_wp_page+0x4fe/0x1d50 mm/memory.c:4148
handle_pte_fault mm/memory.c:6289 [inline]
__handle_mm_fault+0x125f/0x1e50 mm/memory.c:6411
handle_mm_fault+0x31c/0x630 mm/memory.c:6580
do_user_addr_fault+0x239/0xba0 arch/x86/mm/fault.c:1387
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x64/0xb0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
BUG: memory leak
unreferenced object 0xffff888108c93600 (size 64):
comm "syz.0.25", pid 6287, jiffies 4294945820
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10 36 c9 08 81 88 ff ff 10 36 c9 08 81 88 ff ff .6.......6......
backtrace (crc cafc2d90):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
extent_changeset_alloc fs/btrfs/extent_io.h:203 [inline]
qgroup_reserve_data+0x42c/0x4d0 fs/btrfs/qgroup.c:4199
btrfs_qgroup_reserve_data+0x2e/0xb0 fs/btrfs/qgroup.c:4250
btrfs_check_data_free_space+0x101/0x200 fs/btrfs/delalloc-space.c:164
btrfs_page_mkwrite+0x180/0xd30 fs/btrfs/file.c:1888
do_page_mkwrite+0x6c/0x100 mm/memory.c:3528
wp_page_shared mm/memory.c:3929 [inline]
do_wp_page+0x4fe/0x1d50 mm/memory.c:4148
handle_pte_fault mm/memory.c:6289 [inline]
__handle_mm_fault+0x125f/0x1e50 mm/memory.c:6411
handle_mm_fault+0x31c/0x630 mm/memory.c:6580
do_user_addr_fault+0x34f/0xba0 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x64/0xb0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Powered by blists - more mailing lists