Message-ID: <654b5d28-5e1b-4773-aca6-ef650fdb0e60@lucifer.local>
Date: Mon, 12 Jan 2026 13:28:17 +0000
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: syzbot <syzbot+bf5de69ebb4bdf86f59f@...kaller.appspotmail.com>
Cc: brauner@...nel.org, jack@...e.cz, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        viro@...iv.linux.org.uk
Subject: Re: [syzbot] [fs?] memory leak in __shmem_file_setup

Hi all,

I have bisected this to commit ab04945f91bc ("mm: update mem char driver to use
mmap_prepare"), i.e. my patch, so apologies for that.

Will figure out what's happening here and come up with a hotfix.

When I saw /dev/zero I did suspect this exact commit; it would have saved me some
bisecting had I just tested it first, but there we are :P

Cheers, Lorenzo

On Sun, Jan 11, 2026 at 11:56:27PM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    f0b9d8eb98df Merge tag 'nfsd-6.19-3' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12ec819a580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
> dashboard link: https://syzkaller.appspot.com/bug?extid=bf5de69ebb4bdf86f59f
> compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec819a580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11bcc19a580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/aad2d47ff01d/disk-f0b9d8eb.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/c31e7ae85c07/vmlinux-f0b9d8eb.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/5525fab81561/bzImage-f0b9d8eb.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+bf5de69ebb4bdf86f59f@...kaller.appspotmail.com
>
> 2026/01/08 07:49:49 executed programs: 5
> BUG: memory leak
> unreferenced object 0xffff888112c4b240 (size 184):
>   comm "syz.0.17", pid 6070, jiffies 4294944898
>   hex dump (first 32 bytes):
>     00 00 00 00 07 00 0e 02 00 e4 66 85 ff ff ff ff  ..........f.....
>     98 38 89 09 81 88 ff ff 00 00 00 00 00 00 00 00  .8..............
>   backtrace (crc 987747be):
>     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
>     slab_post_alloc_hook mm/slub.c:4958 [inline]
>     slab_alloc_node mm/slub.c:5263 [inline]
>     kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
>     alloc_empty_file+0x51/0x1a0 fs/file_table.c:237
>     alloc_file fs/file_table.c:354 [inline]
>     alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
>     __shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
>     shmem_kernel_file_setup mm/shmem.c:5865 [inline]
>     __shmem_zero_setup mm/shmem.c:5905 [inline]
>     shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
>     mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
>     vfs_mmap_prepare include/linux/fs.h:2058 [inline]
>     call_mmap_prepare mm/vma.c:2596 [inline]
>     __mmap_region+0x8b8/0x13e0 mm/vma.c:2692
>     mmap_region+0x19f/0x1e0 mm/vma.c:2786
>     do_mmap+0x6a3/0xb60 mm/mmap.c:558
>     vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
>     ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
>     __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
>     __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
>     __x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
>     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>     do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
>     entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> BUG: memory leak
> unreferenced object 0xffff888101e46ca8 (size 40):
>   comm "syz.0.17", pid 6070, jiffies 4294944898
>   hex dump (first 32 bytes):
>     ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 f8 52 86 00 81 88 ff ff  .........R......
>   backtrace (crc 2d2a393c):
>     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
>     slab_post_alloc_hook mm/slub.c:4958 [inline]
>     slab_alloc_node mm/slub.c:5263 [inline]
>     kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
>     lsm_file_alloc security/security.c:169 [inline]
>     security_file_alloc+0x30/0x240 security/security.c:2380
>     init_file+0x3e/0x160 fs/file_table.c:159
>     alloc_empty_file+0x6f/0x1a0 fs/file_table.c:241
>     alloc_file fs/file_table.c:354 [inline]
>     alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
>     __shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
>     shmem_kernel_file_setup mm/shmem.c:5865 [inline]
>     __shmem_zero_setup mm/shmem.c:5905 [inline]
>     shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
>     mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
>     vfs_mmap_prepare include/linux/fs.h:2058 [inline]
>     call_mmap_prepare mm/vma.c:2596 [inline]
>     __mmap_region+0x8b8/0x13e0 mm/vma.c:2692
>     mmap_region+0x19f/0x1e0 mm/vma.c:2786
>     do_mmap+0x6a3/0xb60 mm/mmap.c:558
>     vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
>     ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
>     __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
>     __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
>     __x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
>     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>     do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
>     entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> BUG: memory leak
> unreferenced object 0xffff888108f03840 (size 184):
>   comm "syz-executor", pid 5988, jiffies 4294944899
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace (crc 5869ffdf):
>     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
>     slab_post_alloc_hook mm/slub.c:4958 [inline]
>     slab_alloc_node mm/slub.c:5263 [inline]
>     kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
>     prepare_creds+0x22/0x5e0 kernel/cred.c:185
>     copy_creds+0x44/0x290 kernel/cred.c:286
>     copy_process+0x979/0x2860 kernel/fork.c:2086
>     kernel_clone+0x119/0x6c0 kernel/fork.c:2651
>     __do_sys_clone+0x7b/0xb0 kernel/fork.c:2792
>     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>     do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
>     entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> BUG: memory leak
> unreferenced object 0xffff888109a7b8e0 (size 32):
>   comm "syz-executor", pid 5988, jiffies 4294944899
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     f8 52 86 00 81 88 ff ff 00 00 00 00 00 00 00 00  .R..............
>   backtrace (crc 336e1c5f):
>     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
>     slab_post_alloc_hook mm/slub.c:4958 [inline]
>     slab_alloc_node mm/slub.c:5263 [inline]
>     __do_kmalloc_node mm/slub.c:5656 [inline]
>     __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
>     kmalloc_noprof include/linux/slab.h:961 [inline]
>     kzalloc_noprof include/linux/slab.h:1094 [inline]
>     lsm_blob_alloc+0x4d/0x70 security/security.c:192
>     lsm_cred_alloc security/security.c:209 [inline]
>     security_prepare_creds+0x2f/0x270 security/security.c:2763
>     prepare_creds+0x385/0x5e0 kernel/cred.c:215
>     copy_creds+0x44/0x290 kernel/cred.c:286
>     copy_process+0x979/0x2860 kernel/fork.c:2086
>     kernel_clone+0x119/0x6c0 kernel/fork.c:2651
>     __do_sys_clone+0x7b/0xb0 kernel/fork.c:2792
>     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>     do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
>     entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> BUG: memory leak
> unreferenced object 0xffff888109b169c0 (size 184):
>   comm "syz.0.18", pid 6072, jiffies 4294944899
>   hex dump (first 32 bytes):
>     00 00 00 00 07 00 0e 02 00 e4 66 85 ff ff ff ff  ..........f.....
>     68 e6 05 0e 81 88 ff ff 00 00 00 00 00 00 00 00  h...............
>   backtrace (crc 86e9bbaa):
>     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
>     slab_post_alloc_hook mm/slub.c:4958 [inline]
>     slab_alloc_node mm/slub.c:5263 [inline]
>     kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
>     alloc_empty_file+0x51/0x1a0 fs/file_table.c:237
>     alloc_file fs/file_table.c:354 [inline]
>     alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
>     __shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
>     shmem_kernel_file_setup mm/shmem.c:5865 [inline]
>     __shmem_zero_setup mm/shmem.c:5905 [inline]
>     shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
>     mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
>     vfs_mmap_prepare include/linux/fs.h:2058 [inline]
>     call_mmap_prepare mm/vma.c:2596 [inline]
>     __mmap_region+0x8b8/0x13e0 mm/vma.c:2692
>     mmap_region+0x19f/0x1e0 mm/vma.c:2786
>     do_mmap+0x6a3/0xb60 mm/mmap.c:558
>     vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
>     ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
>     __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
>     __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
>     __x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
>     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>     do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
>     entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>

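The backtraces above all go through mmap_zero_prepare() -> shmem_zero_setup_desc() -> alloc_file_pseudo(), i.e. the struct file (184 bytes) and its LSM blob (40 bytes) created for a shared mapping of /dev/zero are never released. The following is an added example, not code from this thread, from syzbot or from the kernel tree: the first function drives that path from userspace (only MAP_SHARED mappings of /dev/zero are given a shmem backing in drivers/char/mem.c; MAP_PRIVATE ones stay anonymous) so a kmemleak scan can be run afterwards, and the second is a small triage helper that summarises kmemleak records (count, total bytes, first non-allocator frame of the first record) from the report format shown above. SAMPLE_REPORT is a constructed excerpt modelled on the report, and the helper names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Drive the path in the backtrace: a MAP_SHARED mapping of /dev/zero is backed
 * by a shmem file (mmap_zero_prepare -> shmem_zero_setup_desc), a MAP_PRIVATE
 * one is plain anonymous memory. Each iteration sets up and tears down one such
 * mapping, which is what a leaked struct file would scale with.
 */
int exercise_dev_zero_shared(size_t len, int iters)
{
    int fd = open("/dev/zero", O_RDWR);
    if (fd < 0)
        return -1;
    for (int i = 0; i < iters; i++) {
        char *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        if (p == MAP_FAILED) {
            close(fd);
            return -1;
        }
        p[0] = 1;                 /* touch the page so the shmem object is instantiated */
        if (munmap(p, len) != 0) {
            close(fd);
            return -1;
        }
    }
    close(fd);
    return 0;
}

struct leak_summary {
    int records;            /* number of "unreferenced object" records */
    long bytes;             /* sum of their sizes */
    char first_site[128];   /* first non-allocator frame of the first record */
};

/* Frames that belong to the allocator or kmemleak itself, not the leaking caller. */
static int is_allocator_frame(const char *f)
{
    static const char *skip[] = { "kmemleak_", "slab_", "kmem_cache_alloc",
                                  "__kmalloc", "kmalloc_", "kzalloc_", "__do_kmalloc" };
    for (size_t i = 0; i < sizeof skip / sizeof *skip; i++)
        if (strncmp(f, skip[i], strlen(skip[i])) == 0)
            return 1;
    return 0;
}

/* Parse a kmemleak report (console or /sys/kernel/debug/kmemleak style, with or
 * without "> " mail quoting) and fill *out. Returns the number of records. */
int summarize_kmemleak(const char *report, struct leak_summary *out)
{
    const char *line = report;
    int in_backtrace = 0, site_found = 0;

    memset(out, 0, sizeof *out);
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        long size;

        if (n >= sizeof buf)
            n = sizeof buf - 1;
        memcpy(buf, line, n);
        buf[n] = 0;
        const char *s = buf;
        while (*s == ' ' || *s == '>')        /* strip indent and mail quoting */
            s++;

        if (sscanf(s, "unreferenced object %*s (size %ld):", &size) == 1) {
            out->records++;
            out->bytes += size;
            in_backtrace = 0;
        } else if (strncmp(s, "backtrace", 9) == 0) {
            in_backtrace = 1;
        } else if (in_backtrace && out->records == 1 && !site_found && *s) {
            if (strncmp(s, "[<", 2) == 0) {    /* debugfs format: "[<addr>] func+off" */
                const char *e = strstr(s, "] ");
                if (e)
                    s = e + 2;
            }
            if (!is_allocator_frame(s)) {
                size_t k = 0;
                while (s[k] && s[k] != '+' && s[k] != ' ' && k < sizeof out->first_site - 1) {
                    out->first_site[k] = s[k];
                    k++;
                }
                out->first_site[k] = 0;
                site_found = 1;
            }
        }
        line = nl ? nl + 1 : NULL;
    }
    return out->records;
}

/* Constructed excerpt modelled on the syzbot report above (two records). */
const char *SAMPLE_REPORT =
    "BUG: memory leak\n"
    "unreferenced object 0xffff888112c4b240 (size 184):\n"
    "  comm \"syz.0.17\", pid 6070, jiffies 4294944898\n"
    "  hex dump (first 32 bytes):\n"
    "    00 00 00 00 07 00 0e 02 00 e4 66 85 ff ff ff ff  ..........f.....\n"
    "  backtrace (crc 987747be):\n"
    "    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n"
    "    slab_post_alloc_hook mm/slub.c:4958 [inline]\n"
    "    kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270\n"
    "    alloc_empty_file+0x51/0x1a0 fs/file_table.c:237\n"
    "    __shmem_file_setup+0x11a/0x210 mm/shmem.c:5846\n"
    "    mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524\n"
    "\n"
    "BUG: memory leak\n"
    "unreferenced object 0xffff888101e46ca8 (size 40):\n"
    "  comm \"syz.0.17\", pid 6070, jiffies 4294944898\n"
    "  backtrace (crc 2d2a393c):\n"
    "    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n"
    "    kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270\n"
    "    lsm_file_alloc security/security.c:169 [inline]\n";

int main(void)
{
    struct leak_summary s;
    int rc = exercise_dev_zero_shared(4096, 64);

    printf("mmap/munmap of /dev/zero MAP_SHARED x64: %s\n", rc == 0 ? "ok" : "failed");
    summarize_kmemleak(SAMPLE_REPORT, &s);
    printf("%d leaked objects, %ld bytes, first allocation site: %s\n",
           s.records, s.bytes, s.first_site);
    return 0;
}
```

On a kernel built with CONFIG_DEBUG_KMEMLEAK, run the program as root, then `echo scan > /sys/kernel/debug/kmemleak` and `cat /sys/kernel/debug/kmemleak`: a kernel with the leak shows struct file records whose count grows with the iteration count, and the helper reduces that output to the caller that matters (here alloc_empty_file under __shmem_file_setup) rather than the allocator frames every record shares. The kmemleak scan is deliberately not wired into the program because it needs debugfs and root; the parser works on saved output as well.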