[syzbot] [cifs?] memory leak in smb3_fs_context_parse_param


syzbot

Nov 7, 2025, 2:30:30 AM
to bhar...@microsoft.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, p...@manguebit.org, ronnies...@gmail.com, samba-t...@lists.samba.org, sfr...@samba.org, spr...@microsoft.com, syzkall...@googlegroups.com, t...@talpey.com
Hello,

syzbot found the following issue on:

HEAD commit: c2c2ccfd4ba7 Merge tag 'net-6.18-rc5' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=127d2a58580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
dashboard link: https://syzkaller.appspot.com/bug?extid=72afd4c236e6bc3f4bac
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=104c7012580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1206e17c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b0451ba3fe41/disk-c2c2ccfd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d3e8c67119ab/vmlinux-c2c2ccfd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1d8e176e5054/bzImage-c2c2ccfd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+72afd4...@syzkaller.appspotmail.com

2025/11/07 05:48:37 executed programs: 5
BUG: memory leak
unreferenced object 0xffff888108910420 (size 96):
comm "syz.0.17", pid 6085, jiffies 4294942570
hex dump (first 32 bytes):
2f 2f f2 62 06 08 ba df 58 6f dc ea 95 9a 9b 2f //.b....Xo...../
51 39 f9 0d 6d 44 94 29 55 db 15 58 2e 49 0a 7d Q9..mD.)U..X.I.}
backtrace (crc 79c9c7ba):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4975 [inline]
slab_alloc_node mm/slub.c:5280 [inline]
__do_kmalloc_node mm/slub.c:5641 [inline]
__kmalloc_node_track_caller_noprof+0x3aa/0x6b0 mm/slub.c:5751
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x3c/0x80 mm/util.c:84
smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444
vfs_parse_fs_param+0xf4/0x190 fs/fs_context.c:146
vfs_fsconfig_locked fs/fsopen.c:303 [inline]
__do_sys_fsconfig+0x7d3/0x900 fs/fsopen.c:473
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888128afa060 (size 96):
comm "syz.0.18", pid 6087, jiffies 4294942571
hex dump (first 32 bytes):
2f 2f f2 62 06 08 ba df 58 6f dc ea 95 9a 9b 2f //.b....Xo...../
51 39 f9 0d 6d 44 94 29 55 db 15 58 2e 49 0a 7d Q9..mD.)U..X.I.}
backtrace (crc 79c9c7ba):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4975 [inline]
slab_alloc_node mm/slub.c:5280 [inline]
__do_kmalloc_node mm/slub.c:5641 [inline]
__kmalloc_node_track_caller_noprof+0x3aa/0x6b0 mm/slub.c:5751
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x3c/0x80 mm/util.c:84
smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444
vfs_parse_fs_param+0xf4/0x190 fs/fs_context.c:146
vfs_fsconfig_locked fs/fsopen.c:303 [inline]
__do_sys_fsconfig+0x7d3/0x900 fs/fsopen.c:473
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888128afa300 (size 96):
comm "syz.0.19", pid 6090, jiffies 4294942572
hex dump (first 32 bytes):
2f 2f f2 62 06 08 ba df 58 6f dc ea 95 9a 9b 2f //.b....Xo...../
51 39 f9 0d 6d 44 94 29 55 db 15 58 2e 49 0a 7d Q9..mD.)U..X.I.}
backtrace (crc 79c9c7ba):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4975 [inline]
slab_alloc_node mm/slub.c:5280 [inline]
__do_kmalloc_node mm/slub.c:5641 [inline]
__kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5654
kmalloc_noprof include/linux/slab.h:961 [inline]
smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629
smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438
vfs_parse_fs_param+0xf4/0x190 fs/fs_context.c:146
vfs_fsconfig_locked fs/fsopen.c:303 [inline]
__do_sys_fsconfig+0x7d3/0x900 fs/fsopen.c:473
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888128afa360 (size 96):
comm "syz.0.19", pid 6090, jiffies 4294942572
hex dump (first 32 bytes):
2f 2f f2 62 06 08 ba df 58 6f dc ea 95 9a 9b 2f //.b....Xo...../
51 39 f9 0d 6d 44 94 29 55 db 15 58 2e 49 0a 7d Q9..mD.)U..X.I.}
backtrace (crc 79c9c7ba):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4975 [inline]
slab_alloc_node mm/slub.c:5280 [inline]
__do_kmalloc_node mm/slub.c:5641 [inline]
__kmalloc_node_track_caller_noprof+0x3aa/0x6b0 mm/slub.c:5751
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x3c/0x80 mm/util.c:84
smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444
vfs_parse_fs_param+0xf4/0x190 fs/fs_context.c:146
vfs_fsconfig_locked fs/fsopen.c:303 [inline]
__do_sys_fsconfig+0x7d3/0x900 fs/fsopen.c:473
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888112c7d900 (size 96):
comm "syz.0.21", pid 6128, jiffies 4294943114
hex dump (first 32 bytes):
2f 2f f2 62 06 08 ba df 58 6f dc ea 95 9a 9b 2f //.b....Xo...../
51 39 f9 0d 6d 44 94 29 55 db 15 58 2e 49 0a 7d Q9..mD.)U..X.I.}
backtrace (crc 79c9c7ba):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4975 [inline]
slab_alloc_node mm/slub.c:5280 [inline]
__do_kmalloc_node mm/slub.c:5641 [inline]
__kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5654
kmalloc_noprof include/linux/slab.h:961 [inline]
smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629
smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438
vfs_parse_fs_param+0xf4/0x190 fs/fs_context.c:146
vfs_fsconfig_locked fs/fsopen.c:303 [inline]
__do_sys_fsconfig+0x7d3/0x900 fs/fsopen.c:473
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888112c7d420 (size 96):
comm "syz.0.21", pid 6128, jiffies 4294943114
hex dump (first 32 bytes):
2f 2f f2 62 06 08 ba df 58 6f dc ea 95 9a 9b 2f //.b....Xo...../
51 39 f9 0d 6d 44 94 29 55 db 15 58 2e 49 0a 7d Q9..mD.)U..X.I.}
backtrace (crc 79c9c7ba):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4975 [inline]
slab_alloc_node mm/slub.c:5280 [inline]
__do_kmalloc_node mm/slub.c:5641 [inline]
__kmalloc_node_track_caller_noprof+0x3aa/0x6b0 mm/slub.c:5751
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x3c/0x80 mm/util.c:84
smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444
vfs_parse_fs_param+0xf4/0x190 fs/fs_context.c:146
vfs_fsconfig_locked fs/fsopen.c:303 [inline]
__do_sys_fsconfig+0x7d3/0x900 fs/fsopen.c:473
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Edward Adam Davis

Nov 7, 2025, 7:49:04 AM
to syzbot+72afd4...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index e60927b2a7c8..0e1949bcd6ea 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1435,12 +1435,16 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
cifs_errorf(fc, "Unknown error parsing devname\n");
goto cifs_parse_mount_err;
}
+ kfree_sensitive(ctx->source);
+ ctx->source = NULL;
ctx->source = smb3_fs_context_fullpath(ctx, '/');
if (IS_ERR(ctx->source)) {
ctx->source = NULL;
cifs_errorf(fc, "OOM when copying UNC string\n");
goto cifs_parse_mount_err;
}
+ kfree_sensitive(fc->source);
+ fc->source = NULL;
fc->source = kstrdup(ctx->source, GFP_KERNEL);
if (fc->source == NULL) {
cifs_errorf(fc, "OOM when copying UNC string\n");
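Review bot: the `ctx->source = NULL;` and `fc->source = NULL;` lines added after each `kfree_sensitive()` are redundant, because both pointers are overwritten on the very next line (`ctx->source = smb3_fs_context_fullpath(ctx, '/');` and `fc->source = kstrdup(ctx->source, GFP_KERNEL);`); a bare free immediately before the reassignment is enough, and it is safe on the first fsconfig() call since freeing a NULL pointer is a no-op. The submission also lacks a description, so it should say why `kfree_sensitive()` rather than plain `kfree()` is wanted for a UNC path string that is not secret material.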
--
2.43.0


Edward Adam Davis

Nov 7, 2025, 9:02:00 AM
to syzbot+72afd4...@syzkaller.appspotmail.com, bhar...@microsoft.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, p...@manguebit.org, ronnies...@gmail.com, samba-t...@lists.samba.org, sfr...@samba.org, spr...@microsoft.com, syzkall...@googlegroups.com, t...@talpey.com
The user calls fsconfig twice, but when the program exits, free() only
frees ctx->source for the second fsconfig, not the first.
Regarding fc->source, there is no code in the fs context related to its
memory reclamation.

To fix this memory leak, release the source memory corresponding to ctx
or fc before each parsing.

syzbot reported:
BUG: memory leak
unreferenced object 0xffff888128afa360 (size 96):
backtrace (crc 79c9c7ba):
kstrdup+0x3c/0x80 mm/util.c:84
smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444

BUG: memory leak
unreferenced object 0xffff888112c7d900 (size 96):
backtrace (crc 79c9c7ba):
smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629
smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438

Reported-by: syzbot+72afd4...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=72afd4c236e6bc3f4bac
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
fs/smb/client/fs_context.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index e60927b2a7c8..0e1949bcd6ea 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1435,12 +1435,14 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
cifs_errorf(fc, "Unknown error parsing devname\n");
goto cifs_parse_mount_err;
}
+ kfree(ctx->source);
ctx->source = smb3_fs_context_fullpath(ctx, '/');
if (IS_ERR(ctx->source)) {
ctx->source = NULL;
cifs_errorf(fc, "OOM when copying UNC string\n");
goto cifs_parse_mount_err;
}
+ kfree(fc->source);
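Review bot: the hunk as shown stops at `+ kfree(fc->source);` although its header `@@ -1435,12 +1435,14 @@` announces 14 post-image lines, so the trailing context (the `fc->source = kstrdup(ctx->source, GFP_KERNEL);` call this free protects) is missing from this copy and the full posting should be checked for it. The placement itself is right: each `kfree()` sits directly before the assignment that would otherwise orphan the allocation from the previous fsconfig() call, the `IS_ERR()` branch still resets `ctx->source` to NULL before the `goto`, so a later call never frees a stale pointer, and dropping the `= NULL` resets of the earlier version is fine because both pointers are reassigned on the next line.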

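The overwrite-without-free pattern described in the message above, as an added user-space C model that is not kernel code and not the submitter's patch: `fs_ctx`, `cifs_ctx`, `parse_source` and the counting allocator are constructed stand-ins for `struct fs_context`, the SMB3 context, the parse_param path and kmemleak's unreferenced-object count, and `free_first` toggles the free-before-reassign fix.

```c
/* Added example (not kernel code): user-space model of the leak in
 * smb3_fs_context_parse_param() and of the free-before-reassign fix.
 * fs_ctx, cifs_ctx, parse_source and the counting allocator are
 * constructed stand-ins for struct fs_context, the SMB3 context, the
 * parse_param path and kmemleak's unreferenced-object count. */
#include <stdlib.h>
#include <string.h>

static int live_allocs;                 /* outstanding heap blocks */

static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); live_allocs++; }
    return p;
}
static void tracked_free(char *p) {     /* like kfree(): NULL is a no-op */
    if (p) { free(p); live_allocs--; }
}

struct cifs_ctx { char *source; };      /* stand-in for smb3_fs_context */
struct fs_ctx   { char *source; struct cifs_ctx *priv; };

/* Parsing "source=" stores a copy of the UNC path in both contexts.
 * Without free_first, a second fsconfig() call overwrites both pointers
 * and the copies from the first call become unreachable, which is what
 * kmemleak reported for fs_context.c:1438 and :1444. */
static int parse_source(struct fs_ctx *fc, const char *unc, int free_first) {
    if (free_first) {                   /* the fix: free before reassigning */
        tracked_free(fc->priv->source);
        tracked_free(fc->source);
    }
    fc->priv->source = tracked_strdup(unc);
    if (!fc->priv->source) return -1;
    fc->source = tracked_strdup(fc->priv->source);
    return fc->source ? 0 : -1;
}

/* Runs parse_source() twice, as the reproducer's two fsconfig() calls do,
 * tears the contexts down and returns how many blocks are still live. */
static int leaked_after_two_parses(int free_first) {
    struct cifs_ctx priv = { NULL };
    struct fs_ctx fc = { NULL, &priv };
    live_allocs = 0;
    parse_source(&fc, "//server/share", free_first);   /* constructed UNC */
    parse_source(&fc, "//server/share", free_first);
    tracked_free(priv.source);          /* teardown frees only the last copies */
    tracked_free(fc.source);
    return live_allocs;                 /* 2 without the fix, 0 with it */
}
```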
Paulo Alcantara

Nov 7, 2025, 9:30:53 AM
to Edward Adam Davis, syzbot+72afd4...@syzkaller.appspotmail.com, bhar...@microsoft.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, ronnies...@gmail.com, samba-t...@lists.samba.org, sfr...@samba.org, spr...@microsoft.com, syzkall...@googlegroups.com, t...@talpey.com
Edward Adam Davis <ead...@qq.com> writes:

> The user calls fsconfig twice, but when the program exits, free() only
> frees ctx->source for the second fsconfig, not the first.
> Regarding fc->source, there is no code in the fs context related to its
> memory reclamation.
>
> To fix this memory leak, release the source memory corresponding to ctx
> or fc before each parsing.
>
> syzbot reported:
> BUG: memory leak
> unreferenced object 0xffff888128afa360 (size 96):
> backtrace (crc 79c9c7ba):
> kstrdup+0x3c/0x80 mm/util.c:84
> smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444
>
> BUG: memory leak
> unreferenced object 0xffff888112c7d900 (size 96):
> backtrace (crc 79c9c7ba):
> smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629
> smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438
>
> Reported-by: syzbot+72afd4...@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=72afd4c236e6bc3f4bac
> Signed-off-by: Edward Adam Davis <ead...@qq.com>
> ---
> fs/smb/client/fs_context.c | 2 ++
> 1 file changed, 2 insertions(+)

Reviewed-by: Paulo Alcantara (Red Hat) <p...@manguebit.org>

syzbot

Nov 7, 2025, 9:39:06 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+72afd4...@syzkaller.appspotmail.com
Tested-by: syzbot+72afd4...@syzkaller.appspotmail.com

Tested on:

commit: 4a0c9b33 Merge tag 'probes-fixes-v6.18-rc4' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16097012580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
dashboard link: https://syzkaller.appspot.com/bug?extid=72afd4c236e6bc3f4bac
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14915342580000

Note: testing is done by a robot and is best-effort only.