[syzbot] [fs?] memory leak in getname_flags
0 views
Skip to first unread message
syzbot
6:15 AM (18 hours ago) 6:15 AM
to bra...@kernel.org, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,
syzbot found the following issue on:
HEAD commit: b927546677c8 Merge tag 'dma-mapping-6.19-2025-12-22' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=146fef1a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=153e90fc580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=126fef1a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7c1254aadd0a/disk-b9275466.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/15b98aa2b078/vmlinux-b9275466.xz
kernel image: https://storage.googleapis.com/syzbot-assets/10a68a086ef8/bzImage-b9275466.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+00e61c...@syzkaller.appspotmail.com
2025/12/24 09:11:05 executed programs: 5
BUG: memory leak
unreferenced object 0xffff8881098a2000 (size 4096):
comm "syz.0.17", pid 6087, jiffies 4294944491
hex dump (first 32 bytes):
20 20 8a 09 81 88 ff ff 40 02 00 00 00 20 00 00 ......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 5d427fb2):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881009ea000 (size 4096):
comm "syz.0.18", pid 6090, jiffies 4294944493
hex dump (first 32 bytes):
20 a0 9e 00 81 88 ff ff 40 02 00 00 00 20 00 00 .......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 254b05b2):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881009eb000 (size 4096):
comm "syz.0.19", pid 6092, jiffies 4294944494
hex dump (first 32 bytes):
20 b0 9e 00 81 88 ff ff 40 02 00 00 00 20 00 00 .......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 9f4244d8):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881098a6000 (size 4096):
comm "syz.0.20", pid 6134, jiffies 4294945094
hex dump (first 32 bytes):
20 60 8a 09 81 88 ff ff 40 02 00 00 00 20 00 00 `......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc d8f470d9):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881098a1000 (size 4096):
comm "syz.0.21", pid 6135, jiffies 4294945095
hex dump (first 32 bytes):
20 10 8a 09 81 88 ff ff 40 02 00 00 00 20 00 00 .......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 4828ba4d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: b927546677c8 Merge tag 'dma-mapping-6.19-2025-12-22' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=146fef1a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=153e90fc580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=126fef1a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7c1254aadd0a/disk-b9275466.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/15b98aa2b078/vmlinux-b9275466.xz
kernel image: https://storage.googleapis.com/syzbot-assets/10a68a086ef8/bzImage-b9275466.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+00e61c...@syzkaller.appspotmail.com
2025/12/24 09:11:05 executed programs: 5
BUG: memory leak
unreferenced object 0xffff8881098a2000 (size 4096):
comm "syz.0.17", pid 6087, jiffies 4294944491
hex dump (first 32 bytes):
20 20 8a 09 81 88 ff ff 40 02 00 00 00 20 00 00 ......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 5d427fb2):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881009ea000 (size 4096):
comm "syz.0.18", pid 6090, jiffies 4294944493
hex dump (first 32 bytes):
20 a0 9e 00 81 88 ff ff 40 02 00 00 00 20 00 00 .......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 254b05b2):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881009eb000 (size 4096):
comm "syz.0.19", pid 6092, jiffies 4294944494
hex dump (first 32 bytes):
20 b0 9e 00 81 88 ff ff 40 02 00 00 00 20 00 00 .......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 9f4244d8):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881098a6000 (size 4096):
comm "syz.0.20", pid 6134, jiffies 4294945094
hex dump (first 32 bytes):
20 60 8a 09 81 88 ff ff 40 02 00 00 00 20 00 00 `......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc d8f470d9):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881098a1000 (size 4096):
comm "syz.0.21", pid 6135, jiffies 4294945095
hex dump (first 32 bytes):
20 10 8a 09 81 88 ff ff 40 02 00 00 00 20 00 00 .......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 4828ba4d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Prithvi Tambewagh
9:37 AM (14 hours ago) 9:37 AM
to syzbot+00e61c...@syzkaller.appspotmail.com, bra...@kernel.org, ja...@suse.cz, vi...@zeniv.linux.org.uk, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Prithvi Tambewagh
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b927546677c876e26eba308550207c2ddf812a43
Signed-off-by: Prithvi Tambewagh <activp...@gmail.com>
---
io_uring/openclose.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/io_uring/openclose.c b/io_uring/openclose.c
index bfeb91b31bba..fc190a3d8112 100644
--- a/io_uring/openclose.c
+++ b/io_uring/openclose.c
@@ -75,8 +75,11 @@ static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
}
open->file_slot = READ_ONCE(sqe->file_index);
- if (open->file_slot && (open->how.flags & O_CLOEXEC))
+ if (open->file_slot && (open->how.flags & O_CLOEXEC)) {
+ putname(open->filename);
+ open->filename = NULL;
return -EINVAL;
+ }
open->nofile = rlimit(RLIMIT_NOFILE);
req->flags |= REQ_F_NEED_CLEANUP;
base-commit: b927546677c876e26eba308550207c2ddf812a43
--
2.34.1
Signed-off-by: Prithvi Tambewagh <activp...@gmail.com>
---
io_uring/openclose.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/io_uring/openclose.c b/io_uring/openclose.c
index bfeb91b31bba..fc190a3d8112 100644
--- a/io_uring/openclose.c
+++ b/io_uring/openclose.c
@@ -75,8 +75,11 @@ static int __io_openat_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
}
open->file_slot = READ_ONCE(sqe->file_index);
- if (open->file_slot && (open->how.flags & O_CLOEXEC))
+ if (open->file_slot && (open->how.flags & O_CLOEXEC)) {
+ putname(open->filename);
+ open->filename = NULL;
return -EINVAL;
+ }
open->nofile = rlimit(RLIMIT_NOFILE);
req->flags |= REQ_F_NEED_CLEANUP;
base-commit: b927546677c876e26eba308550207c2ddf812a43
--
2.34.1
syzbot
10:07 AM (14 hours ago) 10:07 AM
to activp...@gmail.com, bra...@kernel.org, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+00e61c...@syzkaller.appspotmail.com
Tested-by: syzbot+00e61c...@syzkaller.appspotmail.com
Tested on:
commit: b9275466 Merge tag 'dma-mapping-6.19-2025-12-22' of gi..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=170e209a580000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+00e61c...@syzkaller.appspotmail.com
Tested-by: syzbot+00e61c...@syzkaller.appspotmail.com
Tested on:
commit: b9275466 Merge tag 'dma-mapping-6.19-2025-12-22' of gi..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=170e209a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11e790fc580000
dashboard link: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages