[syzbot] [gfs2?] memory leak in __kthread_create_on_node


syzbot

Jan 30, 2026, 9:23:24 AM
to agru...@redhat.com, gf...@lists.linux.dev, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 8dfce8991b95 Merge tag 'pinctrl-v6.19-3' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14361322580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d7d0fbecb37bff8
dashboard link: https://syzkaller.appspot.com/bug?extid=aac438d7a1c44071e04b
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1409c644580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16121694580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5812cc8b60db/disk-8dfce899.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/47a4b40e4e44/vmlinux-8dfce899.xz
kernel image: https://storage.googleapis.com/syzbot-assets/18e043c20056/bzImage-8dfce899.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ebd5c2300445/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=15765d8a580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aac438...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888125a2dec0 (size 32):
comm "syz.4.75", pid 6411, jiffies 4294948981
hex dump (first 32 bytes):
67 66 73 32 5f 6c 6f 67 64 2f 73 79 7a 3a 73 79 gfs2_logd/syz:sy
7a 2e 30 00 00 00 00 00 00 00 00 00 00 00 00 00 z.0.............
backtrace (crc d543dd03):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_node_track_caller_noprof+0x47b/0x690 mm/slub.c:5768
kvasprintf+0x6e/0xf0 lib/kasprintf.c:25
__kthread_create_on_node+0x9e/0x1c0 kernel/kthread.c:519
kthread_create_on_node+0x73/0xa0 kernel/kthread.c:587
init_threads fs/gfs2/ops_fstype.c:1065 [inline]
gfs2_fill_super+0xdf8/0x1210 fs/gfs2/ops_fstype.c:1265
get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1691
gfs2_get_tree+0x26/0xd0 fs/gfs2/ops_fstype.c:1332
vfs_get_tree+0x30/0x120 fs/super.c:1751
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5a9/0x1350 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888126a2a300 (size 4480):
comm "kthreadd", pid 2, jiffies 4294948981
hex dump (first 32 bytes):
00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 01 00 00 00 80 00 00 00 00 00 00 00 ................
backtrace (crc 4b33760e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x422/0x590 mm/slub.c:5315
alloc_task_struct_node kernel/fork.c:184 [inline]
dup_task_struct kernel/fork.c:915 [inline]
copy_process+0x286/0x2870 kernel/fork.c:2052
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
kernel_thread+0x80/0xb0 kernel/fork.c:2712
create_kthread kernel/kthread.c:486 [inline]
kthreadd+0x196/0x260 kernel/kthread.c:844
ret_from_fork+0x23c/0x320 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

BUG: memory leak
unreferenced object 0xffff888109c85180 (size 184):
comm "kthreadd", pid 2, jiffies 4294948981
hex dump (first 32 bytes):
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc c5f4f48b):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
prepare_creds+0x22/0x600 kernel/cred.c:185
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x2870 kernel/fork.c:2086
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
kernel_thread+0x80/0xb0 kernel/fork.c:2712
create_kthread kernel/kthread.c:486 [inline]
kthreadd+0x196/0x260 kernel/kthread.c:844
ret_from_fork+0x23c/0x320 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

BUG: memory leak
unreferenced object 0xffff888102bd9780 (size 32):
comm "kthreadd", pid 2, jiffies 4294948981
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f8 52 86 00 81 88 ff ff 00 00 00 00 00 00 00 00 .R..............
backtrace (crc 336e1c5f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_cred_alloc security/security.c:209 [inline]
security_prepare_creds+0x2d/0x290 security/security.c:2763
prepare_creds+0x395/0x600 kernel/cred.c:215
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x2870 kernel/fork.c:2086
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
kernel_thread+0x80/0xb0 kernel/fork.c:2712
create_kthread kernel/kthread.c:486 [inline]
kthreadd+0x196/0x260 kernel/kthread.c:844
ret_from_fork+0x23c/0x320 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

BUG: memory leak
unreferenced object 0xffff8881098abc00 (size 192):
comm "kthreadd", pid 2, jiffies 4294948981
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ................
01 00 00 00 00 00 00 00 80 d5 78 82 ff ff ff ff ..........x.....
backtrace (crc 1df624ea):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__kmalloc_cache_noprof+0x41a/0x590 mm/slub.c:5775
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
set_kthread_struct+0x58/0x150 kernel/kthread.c:125
copy_process+0x1569/0x2870 kernel/fork.c:2150
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
kernel_thread+0x80/0xb0 kernel/fork.c:2712
create_kthread kernel/kthread.c:486 [inline]
kthreadd+0x196/0x260 kernel/kthread.c:844
ret_from_fork+0x23c/0x320 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

BUG: memory leak
unreferenced object 0xffff88812baec5c0 (size 64):
comm "kthreadd", pid 2, jiffies 4294948981
hex dump (first 32 bytes):
e0 35 8f 89 ff ff ff ff 00 00 00 00 00 00 00 00 .5..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 8e7806b9):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_task_alloc security/security.c:244 [inline]
security_task_alloc+0x2a/0x260 security/security.c:2682
copy_process+0xf07/0x2870 kernel/fork.c:2203
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
kernel_thread+0x80/0xb0 kernel/fork.c:2712
create_kthread kernel/kthread.c:486 [inline]
kthreadd+0x196/0x260 kernel/kthread.c:844
ret_from_fork+0x23c/0x320 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

BUG: memory leak
unreferenced object 0xffff888101e37a80 (size 1152):
comm "kthreadd", pid 2, jiffies 4294948981
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
90 7a e3 01 81 88 ff ff 90 7a e3 01 81 88 ff ff .z.......z......
backtrace (crc 1d024e88):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
copy_signal kernel/fork.c:1699 [inline]
copy_process+0x1102/0x2870 kernel/fork.c:2218
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
kernel_thread+0x80/0xb0 kernel/fork.c:2712
create_kthread kernel/kthread.c:486 [inline]
kthreadd+0x196/0x260 kernel/kthread.c:844
ret_from_fork+0x23c/0x320 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jan 30, 2026, 9:37:51 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] gfs2: fix memory leak of kernel threads on mount failure
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Syzbot reported a memory leak in GFS2 when mounting fails after
init_threads() has successfully created kernel threads. The issue
occurs when gfs2_freeze_lock_shared() fails - the error path jumps
to fail_per_node without cleaning up the threads created by
init_threads().

The leak includes the thread name string, task_struct, credentials,
and other thread-related allocations that are never freed when the
mount operation fails at this point.

Fix this by ensuring gfs2_destroy_threads() is called in the
fail_per_node error path for read-write mounts, matching the
condition used when creating the threads.

Reported-by: syzbot+aac438...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=aac438d7a1c44071e04b
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/gfs2/ops_fstype.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index e7a88b717991..163dd7132957 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -1286,6 +1286,8 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc)

fail_per_node:
init_per_node(sdp, UNDO);
+ if (!sb_rdonly(sb))
+ gfs2_destroy_threads(sdp);
fail_inodes:
init_inodes(sdp, UNDO);
fail_sb:
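Review bot: the new `gfs2_destroy_threads(sdp)` at fail_per_node makes that helper run twice on the gfs2_make_fs_rw() failure path, which already calls it explicitly before `goto fail_per_node` (visible as context in the second patch in this thread: `gfs2_freeze_unlock(sdp); gfs2_destroy_threads(sdp);`); either drop that explicit call in the same patch or state in the commit message that gfs2_destroy_threads() is idempotent, i.e. clears the thread pointers it stops. The `!sb_rdonly(sb)` guard must also be exactly the condition under which init_threads() was invoked, and if fail_per_node is reachable from an earlier failure (before init_threads() ran, or after it failed part-way) the helper must tolerate NULL thread pointers. Syzbot's test of this patch, later in the thread, still reports a leak from gfs2_quota_init(), so state allocated inside gfs2_make_fs_rw() is not released by this hunk.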
--
2.43.0

syzbot

Jan 30, 2026, 10:20:06 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in gfs2_quota_init

BUG: memory leak
unreferenced object 0xffff88812de7c000 (size 8192):
comm "syz.6.189", pid 7764, jiffies 4294962014
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 8429a099):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409
gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149
gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275
get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1691
gfs2_get_tree+0x26/0xd0 fs/gfs2/ops_fstype.c:1334
vfs_get_tree+0x30/0x120 fs/super.c:1751
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x5a9/0x1350 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 4d310797 Merge tag 'pm-6.19-rc8' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ccc802580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d7d0fbecb37bff8
dashboard link: https://syzkaller.appspot.com/bug?extid=aac438d7a1c44071e04b
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=116fb38a580000

syzbot

Jan 30, 2026, 9:38:07 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] gfs2: fix memory leaks in gfs2_fill_super error path
Fix two memory leaks in the gfs2_fill_super() error handling path when
transitioning a filesystem to read-write mode fails.

First leak: kthread objects (thread_struct, task_struct, etc.)
When gfs2_freeze_lock_shared() fails after init_threads() succeeds,
the created kernel threads (logd and quotad) are never destroyed.
This occurs because the fail_per_node label doesn't call
gfs2_destroy_threads().

Second leak: quota bitmap buffer (8192 bytes)
When gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but
before other operations complete, the allocated quota bitmap is never
freed. The error path destroyed threads but didn't clean up quota
structures.

The fix consolidates thread cleanup at the fail_per_node label for all
error paths, which is safe because gfs2_destroy_threads() checks for
NULL pointers before calling kthread_stop_put(). Quota cleanup is added
specifically to the gfs2_make_fs_rw() error path where quota structures
were initialized.

Syzbot detected these leaks with the following signatures:

Thread leak (PATH 3: gfs2_freeze_lock_shared failure):
unreferenced object 0xffff88801d7bca80 (size 4480):
copy_process+0x3a1/0x4670 kernel/fork.c:2422
kernel_clone+0xf3/0x6e0 kernel/fork.c:2779
kthread_create_on_node+0x100/0x150 kernel/kthread.c:478
init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611
gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265

Quota leak (PATH 4: gfs2_make_fs_rw failure):
unreferenced object 0xffff88812de7c000 (size 8192):
gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409
gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149
gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275

Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/gfs2/ops_fstype.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index e7a88b717991..fdc70189e4f1 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -1276,7 +1276,7 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc)

if (error) {
gfs2_freeze_unlock(sdp);
- gfs2_destroy_threads(sdp);
+ gfs2_quota_cleanup(sdp);
fs_err(sdp, "can't make FS RW: %d\n", error);
goto fail_per_node;
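Review bot: this hunk drops the explicit gfs2_destroy_threads() call on the gfs2_make_fs_rw() failure path and relies on the commit message's claim that thread cleanup is consolidated at fail_per_node, but the hunk that adds it there is not in the forwarded patch (the diffstat says 3 insertions and 1 deletion; only one of each is shown), so as posted the logd and quotad threads created by init_threads() would leak on this path. Ordering also deserves a look: gfs2_quota_cleanup() now runs while those threads are still alive (under the described change they are stopped only later, at fail_per_node), so please confirm that quotad cannot still touch quota state that has just been torn down; stopping the threads before releasing quota data is the safer sequence. Syzbot's test of this patch, later in the thread, still reports a leak, now from gfs2_trans_begin() on the open path, so the reproducer continues past mount.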

syzbot

12:22 AM (13 hours ago)
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in gfs2_trans_begin

BUG: memory leak
unreferenced object 0xffff8881298e2480 (size 144):
comm "syz.6.189", pid 7630, jiffies 4294961882
hex dump (first 32 bytes):
ba 2d 7a 82 ff ff ff ff 05 00 00 00 00 00 00 00 .-z.............
0b 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 ................
backtrace (crc 61a3a826):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
gfs2_trans_begin+0x29/0xa0 fs/gfs2/trans.c:120
alloc_dinode fs/gfs2/inode.c:432 [inline]
gfs2_create_inode+0xbfa/0x17f0 fs/gfs2/inode.c:822
gfs2_atomic_open+0x96/0x190 fs/gfs2/inode.c:1402
atomic_open fs/namei.c:4304 [inline]
lookup_open fs/namei.c:4415 [inline]
open_last_lookups fs/namei.c:4549 [inline]
path_openat+0x158f/0x20f0 fs/namei.c:4793
do_filp_open+0x104/0x1f0 fs/namei.c:4823
do_sys_openat2+0xcb/0x180 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_open fs/open.c:1444 [inline]
__se_sys_open fs/open.c:1440 [inline]
__x64_sys_open+0x7e/0xf0 fs/open.c:1440
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: ad9a728a Merge tag 'for-linus-iommufd' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13c94e94580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d7d0fbecb37bff8
dashboard link: https://syzkaller.appspot.com/bug?extid=aac438d7a1c44071e04b
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=145aa252580000
