[syzbot] [btrfs?] memory leak in btrfs_read_chunk_tree
0 views
Skip to first unread message
syzbot
Dec 8, 2025, 3:58:27 AM (yesterday) Dec 8
to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 8f7aa3d3c732 Merge tag 'net-next-6.19' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1412c01a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3bdbe6509b080086
dashboard link: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16cbd192580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1676eab4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/75704c8ef83a/disk-8f7aa3d3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fc039c7b45ea/vmlinux-8f7aa3d3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/80c77928126a/bzImage-8f7aa3d3.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/4340667fac60/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1771dcc2580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+eadd98...@syzkaller.appspotmail.com
BUG: memory leak
unreferenced object 0xffff8881092fce00 (size 512):
comm "syz.0.17", pid 6092, jiffies 4294942574
hex dump (first 32 bytes):
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
backtrace (crc d3ac311e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381
open_seed_devices fs/btrfs/volumes.c:7172 [inline]
read_one_dev fs/btrfs/volumes.c:7228 [inline]
btrfs_read_chunk_tree+0xa8f/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881251dfc00 (size 1024):
comm "syz.0.17", pid 6092, jiffies 4294942574
hex dump (first 32 bytes):
90 ce 2f 09 81 88 ff ff 90 ce 2f 09 81 88 ff ff ../......./.....
10 fc 1d 25 81 88 ff ff 10 fc 1d 25 81 88 ff ff ...%.......%....
backtrace (crc 3c4c04f1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
btrfs_alloc_device+0x5c/0x1f0 fs/btrfs/volumes.c:6907
add_missing_dev+0x4b/0xf0 fs/btrfs/volumes.c:6867
read_one_dev fs/btrfs/volumes.c:7241 [inline]
btrfs_read_chunk_tree+0x7cf/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888126e4a400 (size 512):
comm "syz.0.18", pid 6135, jiffies 4294942600
hex dump (first 32 bytes):
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
backtrace (crc 8b73c9ef):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381
open_seed_devices fs/btrfs/volumes.c:7172 [inline]
read_one_dev fs/btrfs/volumes.c:7228 [inline]
btrfs_read_chunk_tree+0xa8f/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88810ea93000 (size 1024):
comm "syz.0.18", pid 6135, jiffies 4294942600
hex dump (first 32 bytes):
90 a4 e4 26 81 88 ff ff 90 a4 e4 26 81 88 ff ff ...&.......&....
10 30 a9 0e 81 88 ff ff 10 30 a9 0e 81 88 ff ff .0.......0......
backtrace (crc 2183446):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
btrfs_alloc_device+0x5c/0x1f0 fs/btrfs/volumes.c:6907
add_missing_dev+0x4b/0xf0 fs/btrfs/volumes.c:6867
read_one_dev fs/btrfs/volumes.c:7241 [inline]
btrfs_read_chunk_tree+0x7cf/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 8f7aa3d3c732 Merge tag 'net-next-6.19' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1412c01a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3bdbe6509b080086
dashboard link: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16cbd192580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1676eab4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/75704c8ef83a/disk-8f7aa3d3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fc039c7b45ea/vmlinux-8f7aa3d3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/80c77928126a/bzImage-8f7aa3d3.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/4340667fac60/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1771dcc2580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+eadd98...@syzkaller.appspotmail.com
BUG: memory leak
unreferenced object 0xffff8881092fce00 (size 512):
comm "syz.0.17", pid 6092, jiffies 4294942574
hex dump (first 32 bytes):
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
backtrace (crc d3ac311e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381
open_seed_devices fs/btrfs/volumes.c:7172 [inline]
read_one_dev fs/btrfs/volumes.c:7228 [inline]
btrfs_read_chunk_tree+0xa8f/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881251dfc00 (size 1024):
comm "syz.0.17", pid 6092, jiffies 4294942574
hex dump (first 32 bytes):
90 ce 2f 09 81 88 ff ff 90 ce 2f 09 81 88 ff ff ../......./.....
10 fc 1d 25 81 88 ff ff 10 fc 1d 25 81 88 ff ff ...%.......%....
backtrace (crc 3c4c04f1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
btrfs_alloc_device+0x5c/0x1f0 fs/btrfs/volumes.c:6907
add_missing_dev+0x4b/0xf0 fs/btrfs/volumes.c:6867
read_one_dev fs/btrfs/volumes.c:7241 [inline]
btrfs_read_chunk_tree+0x7cf/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888126e4a400 (size 512):
comm "syz.0.18", pid 6135, jiffies 4294942600
hex dump (first 32 bytes):
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
backtrace (crc 8b73c9ef):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381
open_seed_devices fs/btrfs/volumes.c:7172 [inline]
read_one_dev fs/btrfs/volumes.c:7228 [inline]
btrfs_read_chunk_tree+0xa8f/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88810ea93000 (size 1024):
comm "syz.0.18", pid 6135, jiffies 4294942600
hex dump (first 32 bytes):
90 a4 e4 26 81 88 ff ff 90 a4 e4 26 81 88 ff ff ...&.......&....
10 30 a9 0e 81 88 ff ff 10 30 a9 0e 81 88 ff ff .0.......0......
backtrace (crc 2183446):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
btrfs_alloc_device+0x5c/0x1f0 fs/btrfs/volumes.c:6907
add_missing_dev+0x4b/0xf0 fs/btrfs/volumes.c:6867
read_one_dev fs/btrfs/volumes.c:7241 [inline]
btrfs_read_chunk_tree+0x7cf/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages