Message-ID: <698a26d3.050a0220.3b3015.007e.GAE@google.com>
Date: Mon, 09 Feb 2026 10:26:27 -0800
From: syzbot <syzbot+cae7809e9dc1459e4e63@...kaller.appspotmail.com>
To: Liam.Howlett@...cle.com, akpm@...ux-foundation.org, chao@...nel.org, 
	jaegeuk@...nel.org, jannh@...gle.com, linkinjeon@...nel.org, 
	linux-f2fs-devel@...ts.sourceforge.net, linux-fsdevel@...r.kernel.org, 
	linux-kernel@...r.kernel.org, linux-mm@...ck.org, lorenzo.stoakes@...cle.com, 
	pfalcato@...e.de, sj1557.seo@...sung.com, syzkaller-bugs@...glegroups.com, 
	vbabka@...e.cz
Subject: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf

Hello,

syzbot found the following issue on:

HEAD commit:    e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=122ae7fa580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9d7d0fbecb37bff8
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=130e2944580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/28d29c9b5ae2/disk-e7aa5724.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0683244c7a0f/vmlinux-e7aa5724.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cd8cc5cb8b94/bzImage-e7aa5724.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f78f58e821b0/mount_0.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=10f7165a580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cae7809e9dc1459e4e63@...kaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888113218600 (size 512):
  comm "sed", pid 6046, jiffies 4294945902
  hex dump (first 32 bytes):
    00 8e 13 29 81 88 ff ff 00 12 86 27 81 88 ff ff  ...).......'....
    00 5a 04 00 81 88 ff ff 00 00 00 00 00 00 00 00  .Z..............
  backtrace (crc 49909e19):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_noprof+0x465/0x680 mm/slub.c:5669
    kmalloc_noprof include/linux/slab.h:961 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    alloc_empty_sheaf+0x36/0x50 mm/slub.c:2618
    __kfree_rcu_sheaf+0x155/0x210 mm/slub.c:6304
    kfree_rcu_sheaf mm/slab_common.c:1631 [inline]
    kvfree_call_rcu+0x202/0x3d0 mm/slab_common.c:1981
    ma_free_rcu lib/maple_tree.c:208 [inline]
    ma_free_rcu+0x29/0x40 lib/maple_tree.c:205
    mas_free lib/maple_tree.c:1174 [inline]
    mas_replace_node lib/maple_tree.c:1581 [inline]
    mas_wr_node_store+0x5fc/0x730 lib/maple_tree.c:3553
    mas_wr_store_entry+0x4eb/0x760 lib/maple_tree.c:3764
    mas_store_prealloc+0x358/0x740 lib/maple_tree.c:5169
    vma_iter_store_overwrite mm/vma.h:544 [inline]
    commit_merge+0x28e/0x490 mm/vma.c:763
    vma_expand+0x264/0x460 mm/vma.c:1200
    vma_merge_new_range+0xe3/0x350 mm/vma.c:1099
    __mmap_region+0x54b/0x15b0 mm/vma.c:2747
    mmap_region+0xfb/0x1e0 mm/vma.c:2830
    do_mmap+0x7ac/0xb80 mm/mmap.c:558
    vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
    ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604

BUG: memory leak
unreferenced object 0xffff888127861200 (size 512):
  comm "udevd", pid 6236, jiffies 4294948784
  hex dump (first 32 bytes):
    00 86 21 13 81 88 ff ff 18 e0 05 00 81 88 ff ff  ..!.............
    00 5a 04 00 81 88 ff ff 00 00 00 00 00 00 00 00  .Z..............
  backtrace (crc 5b72581e):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_noprof+0x465/0x680 mm/slub.c:5669
    kmalloc_noprof include/linux/slab.h:961 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    alloc_empty_sheaf+0x36/0x50 mm/slub.c:2618
    __kfree_rcu_sheaf+0x155/0x210 mm/slub.c:6304
    kfree_rcu_sheaf mm/slab_common.c:1631 [inline]
    kvfree_call_rcu+0x202/0x3d0 mm/slab_common.c:1981
    ma_free_rcu lib/maple_tree.c:208 [inline]
    ma_free_rcu+0x29/0x40 lib/maple_tree.c:205
    mas_topiary_node lib/maple_tree.c:2311 [inline]
    mas_topiary_node lib/maple_tree.c:2299 [inline]
    mas_topiary_replace+0xb0f/0x1400 lib/maple_tree.c:2410
    mas_wmb_replace lib/maple_tree.c:2433 [inline]
    mas_spanning_rebalance+0x14e1/0x24b0 lib/maple_tree.c:2738
    mas_wr_spanning_store+0x983/0x10d0 lib/maple_tree.c:3479
    mas_wr_store_entry+0x4d5/0x760 lib/maple_tree.c:3767
    mas_store_gfp+0x341/0x640 lib/maple_tree.c:5138
    vma_iter_clear_gfp include/linux/mm.h:1141 [inline]
    do_vmi_align_munmap+0x259/0x2d0 mm/vma.c:1574
    do_vmi_munmap+0x17c/0x280 mm/vma.c:1627
    __vm_munmap+0xec/0x200 mm/vma.c:3247
    __do_sys_munmap mm/mmap.c:1077 [inline]
    __se_sys_munmap mm/mmap.c:1074 [inline]
    __x64_sys_munmap+0x1f/0x30 mm/mmap.c:1074
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88812c458000 (size 4480):
  comm "udevd", pid 5181, jiffies 4294950983
  hex dump (first 32 bytes):
    01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00  ................
  backtrace (crc ad4af9e6):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    kmem_cache_alloc_node_noprof+0x422/0x590 mm/slub.c:5315
    alloc_task_struct_node kernel/fork.c:184 [inline]
    dup_task_struct kernel/fork.c:915 [inline]
    copy_process+0x286/0x2870 kernel/fork.c:2052
    kernel_clone+0xac/0x6e0 kernel/fork.c:2651
    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881274a1540 (size 184):
  comm "udevd", pid 5181, jiffies 4294950983
  hex dump (first 32 bytes):
    02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 54e589bc):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
    prepare_creds+0x22/0x600 kernel/cred.c:185
    copy_creds+0x44/0x290 kernel/cred.c:286
    copy_process+0x7a7/0x2870 kernel/fork.c:2086
    kernel_clone+0xac/0x6e0 kernel/fork.c:2651
    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888109639020 (size 32):
  comm "udevd", pid 5181, jiffies 4294950983
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    f8 52 86 00 81 88 ff ff 00 00 00 00 00 00 00 00  .R..............
  backtrace (crc 336e1c5f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_noprof+0x465/0x680 mm/slub.c:5669
    kmalloc_noprof include/linux/slab.h:961 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    lsm_blob_alloc+0x4d/0x80 security/security.c:192
    lsm_cred_alloc security/security.c:209 [inline]
    security_prepare_creds+0x2d/0x290 security/security.c:2763
    prepare_creds+0x395/0x600 kernel/cred.c:215
    copy_creds+0x44/0x290 kernel/cred.c:286
    copy_process+0x7a7/0x2870 kernel/fork.c:2086
    kernel_clone+0xac/0x6e0 kernel/fork.c:2651
    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888126fdbd80 (size 64):
  comm "udevd", pid 5181, jiffies 4294950983
  hex dump (first 32 bytes):
    c0 c3 4e 46 81 88 ff ff 00 00 00 00 00 00 00 00  ..NF............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 508a43e4):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_noprof+0x465/0x680 mm/slub.c:5669
    kmalloc_noprof include/linux/slab.h:961 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    lsm_blob_alloc+0x4d/0x80 security/security.c:192
    lsm_task_alloc security/security.c:244 [inline]
    security_task_alloc+0x2a/0x260 security/security.c:2682
    copy_process+0xf07/0x2870 kernel/fork.c:2203
    kernel_clone+0xac/0x6e0 kernel/fork.c:2651
    __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
