[syzbot] [btrfs?] memory leak in btrfs_read_chunk_tree

6 views

Skip to first unread message

syzbot

unread,

Dec 8, 2025, 3:58:27 AM (3 days ago) Dec 8

to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot found the following issue on:

HEAD commit: 8f7aa3d3c732 Merge tag 'net-next-6.19' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1412c01a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3bdbe6509b080086
dashboard link: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16cbd192580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1676eab4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/75704c8ef83a/disk-8f7aa3d3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fc039c7b45ea/vmlinux-8f7aa3d3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/80c77928126a/bzImage-8f7aa3d3.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/4340667fac60/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1771dcc2580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+eadd98...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff8881092fce00 (size 512):
comm "syz.0.17", pid 6092, jiffies 4294942574
hex dump (first 32 bytes):
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
backtrace (crc d3ac311e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381
open_seed_devices fs/btrfs/volumes.c:7172 [inline]
read_one_dev fs/btrfs/volumes.c:7228 [inline]
btrfs_read_chunk_tree+0xa8f/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881251dfc00 (size 1024):
comm "syz.0.17", pid 6092, jiffies 4294942574
hex dump (first 32 bytes):
90 ce 2f 09 81 88 ff ff 90 ce 2f 09 81 88 ff ff ../......./.....
10 fc 1d 25 81 88 ff ff 10 fc 1d 25 81 88 ff ff ...%.......%....
backtrace (crc 3c4c04f1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
btrfs_alloc_device+0x5c/0x1f0 fs/btrfs/volumes.c:6907
add_missing_dev+0x4b/0xf0 fs/btrfs/volumes.c:6867
read_one_dev fs/btrfs/volumes.c:7241 [inline]
btrfs_read_chunk_tree+0x7cf/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888126e4a400 (size 512):
comm "syz.0.18", pid 6135, jiffies 4294942600
hex dump (first 32 bytes):
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
backtrace (crc 8b73c9ef):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381
open_seed_devices fs/btrfs/volumes.c:7172 [inline]
read_one_dev fs/btrfs/volumes.c:7228 [inline]
btrfs_read_chunk_tree+0xa8f/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810ea93000 (size 1024):
comm "syz.0.18", pid 6135, jiffies 4294942600
hex dump (first 32 bytes):
90 a4 e4 26 81 88 ff ff 90 a4 e4 26 81 88 ff ff ...&.......&....
10 30 a9 0e 81 88 ff ff 10 30 a9 0e 81 88 ff ff .0.......0......
backtrace (crc 2183446):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__kmalloc_cache_noprof+0x3a6/0x570 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
btrfs_alloc_device+0x5c/0x1f0 fs/btrfs/volumes.c:6907
add_missing_dev+0x4b/0xf0 fs/btrfs/volumes.c:6867
read_one_dev fs/btrfs/volumes.c:7241 [inline]
btrfs_read_chunk_tree+0x7cf/0xcf0 fs/btrfs/volumes.c:7521
open_ctree+0xe0a/0x2410 fs/btrfs/disk-io.c:3459
btrfs_fill_super fs/btrfs/super.c:987 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2128
vfs_get_tree+0x31/0x120 fs/super.c:1759
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

harikrishna

unread,

Dec 9, 2025, 11:53:07 AM (yesterday) Dec 9

to syzbot+eadd98...@syzkaller.appspotmail.com, syzkall...@googlegroups.com

#syz test

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index ae1742a35e76..b416f7d642bb 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -7188,6 +7188,8 @@ static int read_one_dev(struct extent_buffer *leaf,
if (!btrfs_test_opt(fs_info, DEGRADED)) {
btrfs_report_missing_device(fs_info, devid,
dev_uuid, true);
+ //1
+ free_fs_devices(fs_devices);
return -ENOENT;
}

@@ -7196,6 +7198,8 @@ static int read_one_dev(struct extent_buffer *leaf,
btrfs_err(fs_info,
"failed to add missing dev %llu: %ld",
devid, PTR_ERR(device));
+ //2
+ free_fs_devices(fs_devices);
return PTR_ERR(device);
}
btrfs_report_missing_device(fs_info, devid, dev_uuid, false);
@@ -7204,6 +7208,8 @@ static int read_one_dev(struct extent_buffer *leaf,
if (!btrfs_test_opt(fs_info, DEGRADED)) {
btrfs_report_missing_device(fs_info,
devid, dev_uuid, true);
+ //3
+ free_fs_devices(fs_devices);
return -ENOENT;
}
btrfs_report_missing_device(fs_info, devid,
@@ -7242,6 +7248,9 @@ static int read_one_dev(struct extent_buffer *leaf,
BUG_ON(test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state));
if (device->generation !=
btrfs_device_generation(leaf, dev_item))
+ //4
+ free_fs_devices(fs_devices);
+ btrfs_free_device(device);
return -EINVAL;
}

@@ -7253,6 +7262,9 @@ static int read_one_dev(struct extent_buffer *leaf,
btrfs_err(fs_info,
"device total_bytes should be at most %llu but
found %llu",
max_total_bytes, device->total_bytes);
+ //5
+ free_fs_devices(fs_devices);
+ btrfs_free_device(device);
return -EINVAL;
}
}

syzbot

unread,

Dec 9, 2025, 11:55:08 AM (yesterday) Dec 9

to harico...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/btrfs/volumes.c
patch: **** unexpected end of file in patch

Tested on:

commit: cb015814 Merge tag 'f2fs-for-6.19-rc1' of git://git.ke..
git tree: upstream

kernel config: https://syzkaller.appspot.com/x/.config?x=3bdbe6509b080086
dashboard link: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed
compiler:

patch: https://syzkaller.appspot.com/x/patch.diff?x=11ecd992580000

harikrishna

unread,

Dec 9, 2025, 11:59:44 AM (yesterday) Dec 9

to syzbot+eadd98...@syzkaller.appspotmail.com, syzkall...@googlegroups.com

syzbot

unread,

Dec 9, 2025, 12:09:04 PM (yesterday) Dec 9

to harico...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

patch: https://syzkaller.appspot.com/x/patch.diff?x=10679a1a580000

HariKrishna Sagala

unread,

5:05 AM (18 hours ago) 5:05 AM

to syzbot+eadd98...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, syzbot+eadd98...@syzkaller.appspotmail.com

#syz test

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c

index ae1742a35e76..fa912137c94d 100644

+ btrfs_free_device(device);
+ free_fs_devices(fs_devices);

return -EINVAL;
}

@@ -7253,6 +7262,9 @@ static int read_one_dev(struct extent_buffer *leaf,
btrfs_err(fs_info,
"device total_bytes should be at most %llu but
found %llu",
max_total_bytes, device->total_bytes);
+ //5

+ btrfs_free_device(device);
+ free_fs_devices(fs_devices);
return -EINVAL;
}
}

syzbot

unread,

6:13 AM (17 hours ago) 6:13 AM

to harico...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in btrfs_read_chunk_tree

BUG: memory leak
unreferenced object 0xffff88812ca1a800 (size 512):
comm "syz.0.17", pid 6724, jiffies 4294946683

hex dump (first 32 bytes):
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..

backtrace (crc b9deaaec):

kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]

__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766

kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381

open_seed_devices fs/btrfs/volumes.c:7125 [inline]
read_one_dev fs/btrfs/volumes.c:7181 [inline]
btrfs_read_chunk_tree+0xa8f/0xd20 fs/btrfs/volumes.c:7478
open_ctree+0xddd/0x23e0 fs/btrfs/disk-io.c:3443
btrfs_fill_super fs/btrfs/super.c:983 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1946 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2089 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2123
vfs_get_tree+0x31/0x120 fs/super.c:1751

fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5b5/0x1320 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak

unreferenced object 0xffff88811a7cb400 (size 1024):
comm "syz.0.17", pid 6724, jiffies 4294946683

hex dump (first 32 bytes):

90 a8 a1 2c 81 88 ff ff 90 a8 a1 2c 81 88 ff ff ...,.......,....
10 b4 7c 1a 81 88 ff ff 10 b4 7c 1a 81 88 ff ff ..|.......|.....
backtrace (crc 1c3757e):

kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]

__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766

kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]

btrfs_alloc_device+0x5c/0x1f0 fs/btrfs/volumes.c:6860
add_missing_dev+0x4b/0xf0 fs/btrfs/volumes.c:6820
read_one_dev fs/btrfs/volumes.c:7196 [inline]
btrfs_read_chunk_tree+0x7cf/0xd20 fs/btrfs/volumes.c:7478
open_ctree+0xddd/0x23e0 fs/btrfs/disk-io.c:3443
btrfs_fill_super fs/btrfs/super.c:983 [inline]
btrfs_get_tree_super fs/btrfs/super.c:1946 [inline]
btrfs_get_tree_subvol fs/btrfs/super.c:2089 [inline]
btrfs_get_tree+0x735/0xe00 fs/btrfs/super.c:2123
vfs_get_tree+0x31/0x120 fs/super.c:1751

unreferenced object 0xffff88812ca1be00 (size 512):
comm "syz.0.18", pid 6765, jiffies 4294946709

hex dump (first 32 bytes):
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..

backtrace (crc e80f9fa6):

kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]

__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766

kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381

unreferenced object 0xffff88811a7c8800 (size 1024):
comm "syz.0.18", pid 6765, jiffies 4294946709

hex dump (first 32 bytes):

90 be a1 2c 81 88 ff ff 90 be a1 2c 81 88 ff ff ...,.......,....
10 88 7c 1a 81 88 ff ff 10 88 7c 1a 81 88 ff ff ..|.......|.....
backtrace (crc 8f04a734):

kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]

__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766

kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]

unreferenced object 0xffff888127bf8200 (size 512):
comm "syz.0.19", pid 6787, jiffies 4294946730

hex dump (first 32 bytes):
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..
00 fe 44 da de 57 40 6a 82 41 57 ec 7d 44 12 cf ..D..W@j.AW.}D..

backtrace (crc abd95a3a):

kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]

__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766

kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_fs_devices+0x20/0xc0 fs/btrfs/volumes.c:381

unreferenced object 0xffff88810a2ff800 (size 1024):
comm "syz.0.19", pid 6787, jiffies 4294946730

hex dump (first 32 bytes):

90 82 bf 27 81 88 ff ff 90 82 bf 27 81 88 ff ff ...'.......'....
10 f8 2f 0a 81 88 ff ff 10 f8 2f 0a 81 88 ff ff ../......./.....
backtrace (crc d2573d23):

kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]

__kmalloc_cache_noprof+0x3b2/0x570 mm/slub.c:5766

kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]

Tested on:

commit: 0048fbb4 Merge tag 'locking-futex-2025-12-10' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15a8b992580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9a0268003e02068d
dashboard link: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed

compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=1513da1a580000

syzbot

unread,

8:00 AM (15 hours ago) 8:00 AM

to linux-...@vger.kernel.org, syzkall...@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] btrfs: fix memory leak of fs_devices in degraded seed device path
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

In open_seed_devices(), when find_fsid() fails and we're in DEGRADED
mode, a new fs_devices is allocated via alloc_fs_devices() but is never
added to the seed_list before returning. This contrasts with the normal
path where fs_devices is properly added via list_add().

If any error occurs later in read_one_dev() or btrfs_read_chunk_tree(),
the cleanup code iterates seed_list to free seed devices, but this
orphaned fs_devices is never found and never freed, causing a memory
leak. Any devices allocated via add_missing_dev() and attached to this
fs_devices are also leaked.

Fix this by adding the newly allocated fs_devices to seed_list in the
degraded path, consistent with the normal path.

Fixes: 7239ff4b6f5b ("btrfs: handle missing seed devices when starting degraded")
Reported-by: syzbot+eadd98...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/btrfs/volumes.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index ae1742a35e76..13c514684cfb 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -7128,6 +7128,7 @@ static struct btrfs_fs_devices *open_seed_devices(struct btrfs_fs_info *fs_info,

fs_devices->seeding = true;
fs_devices->opened = 1;
+ list_add(&fs_devices->seed_list, &fs_info->fs_devices->seed_list);
return fs_devices;
}

--
2.43.0

syzbot

unread,

8:23 AM (15 hours ago) 8:23 AM

to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+eadd98...@syzkaller.appspotmail.com
Tested-by: syzbot+eadd98...@syzkaller.appspotmail.com

Tested on:

commit: 0048fbb4 Merge tag 'locking-futex-2025-12-10' of git:/..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=13543a1a580000

kernel config: https://syzkaller.appspot.com/x/.config?x=9a0268003e02068d
dashboard link: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=12843a1a580000

Note: testing is done by a robot and is best-effort only.

Reply all

Reply to author

Forward

0 new messages