Message-ID: <78d631ec-8f26-48d5-90c8-5123783b6cff@lucifer.local>
Date: Mon, 12 Jan 2026 15:10:52 +0000
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: syzbot <syzbot+bf5de69ebb4bdf86f59f@...kaller.appspotmail.com>
Cc: brauner@...nel.org, jack@...e.cz, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        viro@...iv.linux.org.uk
Subject: Re: [syzbot] [fs?] memory leak in __shmem_file_setup

Analysis below.

On Mon, Jan 12, 2026 at 01:28:17PM +0000, Lorenzo Stoakes wrote:
> Hi all,
>
> I have bisected this to commit ab04945f91bc ("mm: update mem char driver to use
> mmap_prepare"), i.e. my patch, so apologies for that.
>
> Will figure out what's happening here and come up with a hotfix.
>
> When I saw /dev/zero I did suspect this exact commit, would have saved me some
> bisecting had I just tested it first but there we are :P
>
> Cheers, Lorenzo
>
> On Sun, Jan 11, 2026 at 11:56:27PM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    f0b9d8eb98df Merge tag 'nfsd-6.19-3' of git://git.kernel.o..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12ec819a580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
> > dashboard link: https://syzkaller.appspot.com/bug?extid=bf5de69ebb4bdf86f59f
> > compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec819a580000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11bcc19a580000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/aad2d47ff01d/disk-f0b9d8eb.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/c31e7ae85c07/vmlinux-f0b9d8eb.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/5525fab81561/bzImage-f0b9d8eb.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+bf5de69ebb4bdf86f59f@...kaller.appspotmail.com
> >
> > 2026/01/08 07:49:49 executed programs: 5
> > BUG: memory leak
> > unreferenced object 0xffff888112c4b240 (size 184):

This is just a knock-on from a leaked struct file object.

> >   comm "syz.0.17", pid 6070, jiffies 4294944898
> >   hex dump (first 32 bytes):
> >     00 00 00 00 07 00 0e 02 00 e4 66 85 ff ff ff ff  ..........f.....
> >     98 38 89 09 81 88 ff ff 00 00 00 00 00 00 00 00  .8..............
> >   backtrace (crc 987747be):
> >     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> >     slab_post_alloc_hook mm/slub.c:4958 [inline]
> >     slab_alloc_node mm/slub.c:5263 [inline]
> >     kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
> >     alloc_empty_file+0x51/0x1a0 fs/file_table.c:237
> >     alloc_file fs/file_table.c:354 [inline]
> >     alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
> >     __shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
> >     shmem_kernel_file_setup mm/shmem.c:5865 [inline]
> >     __shmem_zero_setup mm/shmem.c:5905 [inline]
> >     shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
> >     mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
> >     vfs_mmap_prepare include/linux/fs.h:2058 [inline]
> >     call_mmap_prepare mm/vma.c:2596 [inline]
> >     __mmap_region+0x8b8/0x13e0 mm/vma.c:2692
> >     mmap_region+0x19f/0x1e0 mm/vma.c:2786
> >     do_mmap+0x6a3/0xb60 mm/mmap.c:558
> >     vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
> >     ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
> >     __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
> >     __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
> >     __x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
> >     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >     do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
> >     entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > BUG: memory leak
> > unreferenced object 0xffff888101e46ca8 (size 40):

It's a struct file...

Problem is in __mmap_new_file_vma() we unnecessarily do a get_file() even though
the f_op->mmap_prepare() has provided us a reference-counted file object,
meaning refcount -> 2, and then when we unmap it's 1 and... leak.

Will fix.

> >   comm "syz.0.17", pid 6070, jiffies 4294944898
> >   hex dump (first 32 bytes):
> >     ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >     00 00 00 00 00 00 00 00 f8 52 86 00 81 88 ff ff  .........R......
> >   backtrace (crc 2d2a393c):
> >     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> >     slab_post_alloc_hook mm/slub.c:4958 [inline]
> >     slab_alloc_node mm/slub.c:5263 [inline]
> >     kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
> >     lsm_file_alloc security/security.c:169 [inline]
> >     security_file_alloc+0x30/0x240 security/security.c:2380
> >     init_file+0x3e/0x160 fs/file_table.c:159
> >     alloc_empty_file+0x6f/0x1a0 fs/file_table.c:241
> >     alloc_file fs/file_table.c:354 [inline]
> >     alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
> >     __shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
> >     shmem_kernel_file_setup mm/shmem.c:5865 [inline]
> >     __shmem_zero_setup mm/shmem.c:5905 [inline]
> >     shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
> >     mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
> >     vfs_mmap_prepare include/linux/fs.h:2058 [inline]
> >     call_mmap_prepare mm/vma.c:2596 [inline]
> >     __mmap_region+0x8b8/0x13e0 mm/vma.c:2692
> >     mmap_region+0x19f/0x1e0 mm/vma.c:2786
> >     do_mmap+0x6a3/0xb60 mm/mmap.c:558
> >     vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
> >     ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
> >     __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
> >     __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
> >     __x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
> >     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >     do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
> >     entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > BUG: memory leak
> > unreferenced object 0xffff888108f03840 (size 184):
> >   comm "syz-executor", pid 5988, jiffies 4294944899
> >   hex dump (first 32 bytes):
> >     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >   backtrace (crc 5869ffdf):
> >     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> >     slab_post_alloc_hook mm/slub.c:4958 [inline]
> >     slab_alloc_node mm/slub.c:5263 [inline]
> >     kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
> >     prepare_creds+0x22/0x5e0 kernel/cred.c:185
> >     copy_creds+0x44/0x290 kernel/cred.c:286
> >     copy_process+0x979/0x2860 kernel/fork.c:2086
> >     kernel_clone+0x119/0x6c0 kernel/fork.c:2651
> >     __do_sys_clone+0x7b/0xb0 kernel/fork.c:2792
> >     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >     do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
> >     entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > BUG: memory leak
> > unreferenced object 0xffff888109a7b8e0 (size 32):
> >   comm "syz-executor", pid 5988, jiffies 4294944899
> >   hex dump (first 32 bytes):
> >     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >     f8 52 86 00 81 88 ff ff 00 00 00 00 00 00 00 00  .R..............
> >   backtrace (crc 336e1c5f):
> >     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> >     slab_post_alloc_hook mm/slub.c:4958 [inline]
> >     slab_alloc_node mm/slub.c:5263 [inline]
> >     __do_kmalloc_node mm/slub.c:5656 [inline]
> >     __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
> >     kmalloc_noprof include/linux/slab.h:961 [inline]
> >     kzalloc_noprof include/linux/slab.h:1094 [inline]
> >     lsm_blob_alloc+0x4d/0x70 security/security.c:192
> >     lsm_cred_alloc security/security.c:209 [inline]
> >     security_prepare_creds+0x2f/0x270 security/security.c:2763
> >     prepare_creds+0x385/0x5e0 kernel/cred.c:215
> >     copy_creds+0x44/0x290 kernel/cred.c:286
> >     copy_process+0x979/0x2860 kernel/fork.c:2086
> >     kernel_clone+0x119/0x6c0 kernel/fork.c:2651
> >     __do_sys_clone+0x7b/0xb0 kernel/fork.c:2792
> >     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >     do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
> >     entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > BUG: memory leak
> > unreferenced object 0xffff888109b169c0 (size 184):
> >   comm "syz.0.18", pid 6072, jiffies 4294944899
> >   hex dump (first 32 bytes):
> >     00 00 00 00 07 00 0e 02 00 e4 66 85 ff ff ff ff  ..........f.....
> >     68 e6 05 0e 81 88 ff ff 00 00 00 00 00 00 00 00  h...............
> >   backtrace (crc 86e9bbaa):
> >     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> >     slab_post_alloc_hook mm/slub.c:4958 [inline]
> >     slab_alloc_node mm/slub.c:5263 [inline]
> >     kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
> >     alloc_empty_file+0x51/0x1a0 fs/file_table.c:237
> >     alloc_file fs/file_table.c:354 [inline]
> >     alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
> >     __shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
> >     shmem_kernel_file_setup mm/shmem.c:5865 [inline]
> >     __shmem_zero_setup mm/shmem.c:5905 [inline]
> >     shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
> >     mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
> >     vfs_mmap_prepare include/linux/fs.h:2058 [inline]
> >     call_mmap_prepare mm/vma.c:2596 [inline]
> >     __mmap_region+0x8b8/0x13e0 mm/vma.c:2692
> >     mmap_region+0x19f/0x1e0 mm/vma.c:2786
> >     do_mmap+0x6a3/0xb60 mm/mmap.c:558
> >     vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
> >     ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
> >     __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
> >     __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
> >     __x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
> >     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >     do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
> >     entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@...glegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >
> > If the report is already addressed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> >
> > If you want syzbot to run the reproducer, reply with:
> > #syz test: git://repo/address.git branch-or-commit-hash
> > If you attach or paste a git patch, syzbot will apply it before testing.
> >
> > If you want to overwrite report's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> >
> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report
> >
> > If you want to undo deduplication, reply with:
> > #syz undup
> >
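The refcount lifecycle described in the analysis above, as an added user-space model (not code from the message or from the kernel tree). It mocks a reference-counted file object and walks the map/unmap path twice: once with the extra get_file() the message identifies as the bug, once without, and contrasts that with the legacy path where the file is the caller's own and the VMA genuinely needs its own reference. All names (mock_file, mock_desc, zero_mmap_prepare, mmap_new_file_vma, refcount_after_unmap, legacy_refcount_after_unmap) are hypothetical stand-ins for the kernel functions named in the trace, and the ownership rule for the legacy path is stated from general kernel knowledge, not from the message.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model of a reference-counted struct file.
 * Only the refcount behaviour matters here; nothing else is modelled. */
struct mock_file {
    int refcount;
};

/* Like alloc_file_pseudo(): the caller receives one owned reference. */
static struct mock_file *alloc_file(void)
{
    struct mock_file *f = calloc(1, sizeof(*f));
    if (!f)
        abort();
    f->refcount = 1;
    return f;
}

static void get_file(struct mock_file *f)
{
    f->refcount++;
}

/* Drop a reference; returns 1 if this was the last one (object released). */
static int fput(struct mock_file *f)
{
    return --f->refcount == 0;
}

/* Model of the mapping descriptor handed to f_op->mmap_prepare(). */
struct mock_desc {
    struct mock_file *vm_file;
};

/* Model of a hook such as mmap_zero_prepare(): it allocates a new backing
 * file and stores it, already referenced, in the descriptor. */
static void zero_mmap_prepare(struct mock_desc *desc)
{
    desc->vm_file = alloc_file();
}

/* Model of __mmap_new_file_vma(). extra_get == 1 reproduces the unconditional
 * get_file() the message identifies as the bug; 0 models the fixed behaviour. */
static struct mock_file *mmap_new_file_vma(struct mock_desc *desc, int extra_get)
{
    if (extra_get)
        get_file(desc->vm_file);
    return desc->vm_file; /* becomes vma->vm_file */
}

/* Map and unmap a hook-provided file; returns the refcount left once the VMA
 * has dropped its reference. 0 means the file was released, >0 means a leak. */
static int refcount_after_unmap(int extra_get)
{
    struct mock_desc desc = { 0 };
    zero_mmap_prepare(&desc);
    struct mock_file *vma_file = mmap_new_file_vma(&desc, extra_get);
    fput(vma_file);               /* VMA torn down on munmap */
    int left = vma_file->refcount;
    free(vma_file);               /* tidy the model; the kernel could not */
    return left;
}

/* Contrast (assumed legacy behaviour): when the file being mapped is the
 * caller's own, e.g. the fd passed to mmap(), the VMA must take its own
 * reference because the caller still holds and later drops the original. */
static int legacy_refcount_after_unmap(void)
{
    struct mock_file *callers_file = alloc_file();   /* fd's reference */
    get_file(callers_file);                          /* VMA's reference */
    fput(callers_file);                              /* munmap */
    fput(callers_file);                              /* close(fd) */
    int left = callers_file->refcount;
    free(callers_file);
    return left;
}

int main(void)
{
    printf("mmap_prepare path, extra get_file(): refcount after unmap = %d (leak)\n",
           refcount_after_unmap(1));
    printf("mmap_prepare path, no extra get_file(): refcount after unmap = %d\n",
           refcount_after_unmap(0));
    printf("legacy caller-owned file: refcount after munmap+close = %d\n",
           legacy_refcount_after_unmap());
    return 0;
}
```

The model makes the asymmetry visible: a get_file() is correct when the VMA is borrowing a file somebody else owns, and one reference too many when the mmap_prepare hook has already handed over a freshly allocated, owned reference. That leftover reference is exactly what kmemleak reported as the unreferenced struct file and its LSM blob.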
