[syzbot] [hfs?] memory leak in __hfs_bnode_create

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 508fed679541 Merge tag 'ras_core_for_v7.1_rc1' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1481bb16580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c7349847759051f
dashboard link: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1281bb16580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=107938ce580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/36836f0baa65/disk-508fed67.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ab35bf742ab5/vmlinux-508fed67.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5fbf86a0b4d3/bzImage-508fed67.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d2ddc5d747a0/mount_4.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+98547b...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff88811cabc840 (size 96):
comm "syz.0.18", pid 6071, jiffies 4294943951
hex dump (first 32 bytes):
00 f0 54 15 81 88 ff ff 00 00 00 00 00 00 00 00 ..T.............
00 00 00 00 00 00 00 00 03 00 7f 00 00 00 00 00 ................
backtrace (crc 3e2dadb7):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547
hfsplus_btree_open+0x2fa/0x6d0 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548
get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1694
vfs_get_tree+0x30/0x120 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3763 [inline]
do_new_mount fs/namespace.c:3839 [inline]
path_mount+0x5a9/0x1360 fs/namespace.c:4159
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount fs/namespace.c:4338 [inline]
__x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4338
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88812c724d80 (size 96):
comm "syz.0.19", pid 6082, jiffies 4294943963
hex dump (first 32 bytes):
00 90 e5 13 81 88 ff ff 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 03 00 7f 00 00 00 00 00 ................
backtrace (crc 289d56ee):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547
hfsplus_btree_open+0x2fa/0x6d0 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548
get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1694
vfs_get_tree+0x30/0x120 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3763 [inline]
do_new_mount fs/namespace.c:3839 [inline]
path_mount+0x5a9/0x1360 fs/namespace.c:4159
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount fs/namespace.c:4338 [inline]
__x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4338
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[Edward Adam Davis]

#syz test

diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 394542a47e60..926e4b40a065 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -270,7 +270,7 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
struct hfs_btree *tree;
struct hfs_btree_header_rec *head;
struct address_space *mapping;
- struct hfs_bnode *node;
+ struct hfs_bnode *node = NULL;
struct inode *inode;
struct page *page;
unsigned int size;
@@ -401,6 +401,8 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
put_page(page);
free_inode:
tree->inode->i_mapping->a_ops = &hfsplus_aops;
+ if (!IS_ERR_OR_NULL(node))
+ hfs_bnode_put(node);
iput(tree->inode);
free_tree:
kfree(tree);

[Edward Adam Davis]

#syz test

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index f8b5a8ae58ff..05287716afd8 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -604,7 +604,10 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)

node_error:
set_bit(HFS_BNODE_ERROR, &node->flags);
- clear_bit(HFS_BNODE_NEW, &node->flags);
+ if (test_bit(HFS_BNODE_NEW, &node->flags)) {
+ hfs_bnode_free(node);
+ return ERR_PTR(-EIO);
+ }
wake_up(&node->lock_wq);
hfs_bnode_put(node);
return ERR_PTR(-EIO);

[Edward Adam Davis]

#syz test

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c

index f8b5a8ae58ff..cde9f6fbedd7 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -604,6 +604,13 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)

node_error:
set_bit(HFS_BNODE_ERROR, &node->flags);

+ if (test_bit(HFS_BNODE_NEW, &node->flags)) {

+ if (num == HFSPLUS_TREE_HEAD) {
+ hfs_bnode_unhash(node);

+ hfs_bnode_free(node);
+ return ERR_PTR(-EIO);
+ }

+ }
clear_bit(HFS_BNODE_NEW, &node->flags);
wake_up(&node->lock_wq);
hfs_bnode_put(node);

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hfs_bnode_create

BUG: memory leak
unreferenced object 0xffff88811d782480 (size 96):
comm "syz.0.17", pid 6738, jiffies 4294945815

hex dump (first 32 bytes):

00 a0 6b 13 81 88 ff ff 00 00 00 00 00 00 00 00 ..k.............

00 00 00 00 00 00 00 00 03 00 7f 00 00 00 00 00 ................

backtrace (crc e40892e2):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307

kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547

hfsplus_btree_open+0x2e1/0x5a0 fs/hfsplus/btree.c:382

hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548
get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1694
vfs_get_tree+0x30/0x120 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]

do_new_mount_fc fs/namespace.c:3758 [inline]
do_new_mount fs/namespace.c:3834 [inline]
path_mount+0x5a9/0x1370 fs/namespace.c:4154
do_mount fs/namespace.c:4167 [inline]
__do_sys_mount fs/namespace.c:4383 [inline]
__se_sys_mount fs/namespace.c:4360 [inline]
__x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4360

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak

unreferenced object 0xffff88811d780780 (size 96):
comm "syz.0.18", pid 6747, jiffies 4294945821

hex dump (first 32 bytes):

00 80 31 14 81 88 ff ff 00 00 00 00 00 00 00 00 ..1.............

00 00 00 00 00 00 00 00 03 00 7f 00 00 00 00 00 ................

backtrace (crc daa1adcb):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307

kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547

hfsplus_btree_open+0x2e1/0x5a0 fs/hfsplus/btree.c:382

hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548
get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1694
vfs_get_tree+0x30/0x120 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]

do_new_mount_fc fs/namespace.c:3758 [inline]
do_new_mount fs/namespace.c:3834 [inline]
path_mount+0x5a9/0x1370 fs/namespace.c:4154
do_mount fs/namespace.c:4167 [inline]
__do_sys_mount fs/namespace.c:4383 [inline]
__se_sys_mount fs/namespace.c:4360 [inline]
__x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4360

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak

unreferenced object 0xffff888113764300 (size 96):
comm "syz.0.19", pid 6759, jiffies 4294945830

hex dump (first 32 bytes):

00 f0 31 14 81 88 ff ff 00 00 00 00 00 00 00 00 ..1.............

00 00 00 00 00 00 00 00 03 00 7f 00 00 00 00 00 ................

backtrace (crc 1420922e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307

kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547

hfsplus_btree_open+0x2e1/0x5a0 fs/hfsplus/btree.c:382

hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548
get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1694
vfs_get_tree+0x30/0x120 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]

do_new_mount_fc fs/namespace.c:3758 [inline]
do_new_mount fs/namespace.c:3834 [inline]
path_mount+0x5a9/0x1370 fs/namespace.c:4154
do_mount fs/namespace.c:4167 [inline]
__do_sys_mount fs/namespace.c:4383 [inline]
__se_sys_mount fs/namespace.c:4360 [inline]
__x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4360

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF

Tested on:

commit: 43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=116024ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=208b81ceb4623b6b

dashboard link: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

patch: https://syzkaller.appspot.com/x/patch.diff?x=1077c4ce580000

[Edward Adam Davis]

#syz test

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c

index f8b5a8ae58ff..5a3e22006b76 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -598,12 +598,23 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)
if (key_size >= entry_size || key_size & 1)
goto node_error;
}
- clear_bit(HFS_BNODE_NEW, &node->flags);
- wake_up(&node->lock_wq);
+ if (num != HFSPLUS_TREE_HEAD) {
+ clear_bit(HFS_BNODE_NEW, &node->flags);
+ wake_up(&node->lock_wq);
+ }
return node;

node_error:
set_bit(HFS_BNODE_ERROR, &node->flags);
+ if (test_bit(HFS_BNODE_NEW, &node->flags)) {
+ if (num == HFSPLUS_TREE_HEAD) {

+ spin_lock(&tree->hash_lock);
+ hfs_bnode_unhash(node);
+ hfs_bnode_free(node);
+ spin_unlock(&tree->hash_lock);

+ return ERR_PTR(-EIO);
+ }
+ }
clear_bit(HFS_BNODE_NEW, &node->flags);
wake_up(&node->lock_wq);
hfs_bnode_put(node);

diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 394542a47e60..27ec484c3822 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -392,7 +392,14 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id)
sb->s_flags |= SB_RDONLY;
}

- hfs_bnode_put(node);

+ if (test_bit(HFS_BNODE_NEW, &node->flags)) {

+ spin_lock(&tree->hash_lock);
+ hfs_bnode_unhash(node);
+ hfs_bnode_free(node);
+ spin_unlock(&tree->hash_lock);
+ }
+ else
+ hfs_bnode_put(node);

return tree;

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+98547b...@syzkaller.appspotmail.com
Tested-by: syzbot+98547b...@syzkaller.appspotmail.com

Tested on:

commit: 43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=15d441ba580000

kernel config: https://syzkaller.appspot.com/x/.config?x=208b81ceb4623b6b
dashboard link: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

patch: https://syzkaller.appspot.com/x/patch.diff?x=173fc4ce580000

Note: testing is done by a robot and is best-effort only.

[Edward Adam Davis]

#syz test

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c

index f8b5a8ae58ff..65902104882a 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -598,14 +598,18 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)

if (key_size >= entry_size || key_size & 1)
goto node_error;
}
- clear_bit(HFS_BNODE_NEW, &node->flags);
- wake_up(&node->lock_wq);
+ if (num != HFSPLUS_TREE_HEAD) {
+ clear_bit(HFS_BNODE_NEW, &node->flags);
+ wake_up(&node->lock_wq);
+ }
return node;

node_error:
set_bit(HFS_BNODE_ERROR, &node->flags);
- clear_bit(HFS_BNODE_NEW, &node->flags);
- wake_up(&node->lock_wq);
+ if (num != HFSPLUS_TREE_HEAD) {
+ clear_bit(HFS_BNODE_NEW, &node->flags);
+ wake_up(&node->lock_wq);
+ }

hfs_bnode_put(node);
return ERR_PTR(-EIO);
}
@@ -694,6 +698,10 @@ void hfs_bnode_put(struct hfs_bnode *node)
hfs_bnode_free(node);
return;

}
+ if (test_bit(HFS_BNODE_NEW, &node->flags)) {

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+98547b...@syzkaller.appspotmail.com
Tested-by: syzbot+98547b...@syzkaller.appspotmail.com

Tested on:

commit: 43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=144f58ce580000

kernel config: https://syzkaller.appspot.com/x/.config?x=208b81ceb4623b6b
dashboard link: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

patch: https://syzkaller.appspot.com/x/patch.diff?x=15d81906580000

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+98547b...@syzkaller.appspotmail.com
Tested-by: syzbot+98547b...@syzkaller.appspotmail.com

Tested on:

commit: 43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=154682d2580000

kernel config: https://syzkaller.appspot.com/x/.config?x=208b81ceb4623b6b
dashboard link: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

patch: https://syzkaller.appspot.com/x/patch.diff?x=14441906580000

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+98547b...@syzkaller.appspotmail.com
Tested-by: syzbot+98547b...@syzkaller.appspotmail.com

Tested on:

commit: 43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=15df58ce580000

kernel config: https://syzkaller.appspot.com/x/.config?x=208b81ceb4623b6b
dashboard link: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

patch: https://syzkaller.appspot.com/x/patch.diff?x=10d49a6a580000

[Edward Adam Davis]

hfs_bnode_put() does not support deallocating a newly created btree
head node; therefore, regardless of whether hfsplus_bnode_find() succeeds
or fails, it cannot effectively reclaim the memory allocated for a newly
created head node.

When finding a head node, if the node is a newly created one, we can use
hfs_bnode_free() to reclaim its memory.

[1]

BUG: memory leak
unreferenced object 0xffff88811cabc840 (size 96):

backtrace (crc 3e2dadb7):

__hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547
hfsplus_btree_open+0x2fa/0x6d0 fs/hfsplus/btree.c:382
hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548

Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
Reported-by: syzbot+98547b...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
Tested-by: syzbot+98547b...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
fs/hfsplus/bnode.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)

--
2.43.0