[syzbot] [io-uring?] memory leak in iovec_from_user (4)

syzbot

Jan 14, 2026, 3:35:29 AM
to ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: b54345928fa1 Merge tag 'gfs2-for-6.19-rc6' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15f82052580000
kernel config: https://syzkaller.appspot.com/x/.config?x=87bc41cae23d2144
dashboard link: https://syzkaller.appspot.com/bug?extid=df0b387708573ad096ce
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147ef99a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109655fa580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/23b084ff7602/disk-b5434592.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3ecd3b0e8e34/vmlinux-b5434592.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b42ab3574030/bzImage-b5434592.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+df0b38...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff88812944f000 (size 4096):
comm "syz.3.20", pid 6138, jiffies 4294947163
hex dump (first 32 bytes):
40 02 00 00 00 20 00 00 03 00 00 00 00 00 00 00 @.... ..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 8ab58d7d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kmalloc_array_noprof include/linux/slab.h:1003 [inline]
iovec_from_user lib/iov_iter.c:1321 [inline]
iovec_from_user+0x108/0x140 lib/iov_iter.c:1304
__import_iovec+0x71/0x350 lib/iov_iter.c:1375
io_import_vec io_uring/rw.c:99 [inline]
__io_import_rw_buffer+0x1e2/0x260 io_uring/rw.c:120
io_import_rw_buffer io_uring/rw.c:139 [inline]
io_rw_do_import io_uring/rw.c:313 [inline]
io_prep_rw+0xb5/0x120 io_uring/rw.c:325
io_prep_rwv io_uring/rw.c:343 [inline]
io_prep_writev+0x23/0x80 io_uring/rw.c:363
io_init_req io_uring/io_uring.c:2235 [inline]
io_submit_sqe io_uring/io_uring.c:2282 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2435
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3285
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888129450000 (size 4096):
comm "syz.3.20", pid 6138, jiffies 4294947163
hex dump (first 32 bytes):
40 02 00 00 00 20 00 00 03 00 00 00 00 00 00 00 @.... ..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 8ab58d7d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kmalloc_array_noprof include/linux/slab.h:1003 [inline]
iovec_from_user lib/iov_iter.c:1321 [inline]
iovec_from_user+0x108/0x140 lib/iov_iter.c:1304
__import_iovec+0x71/0x350 lib/iov_iter.c:1375
io_import_vec io_uring/rw.c:99 [inline]
__io_import_rw_buffer+0x1e2/0x260 io_uring/rw.c:120
io_import_rw_buffer io_uring/rw.c:139 [inline]
io_rw_do_import io_uring/rw.c:313 [inline]
io_prep_rw+0xb5/0x120 io_uring/rw.c:325
io_prep_rwv io_uring/rw.c:343 [inline]
io_prep_writev+0x23/0x80 io_uring/rw.c:363
io_init_req io_uring/io_uring.c:2235 [inline]
io_submit_sqe io_uring/io_uring.c:2282 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2435
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3285
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888129451000 (size 4096):
comm "syz.3.20", pid 6138, jiffies 4294947163
hex dump (first 32 bytes):
40 02 00 00 00 20 00 00 03 00 00 00 00 00 00 00 @.... ..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 8ab58d7d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kmalloc_array_noprof include/linux/slab.h:1003 [inline]
iovec_from_user lib/iov_iter.c:1321 [inline]
iovec_from_user+0x108/0x140 lib/iov_iter.c:1304
__import_iovec+0x71/0x350 lib/iov_iter.c:1375
io_import_vec io_uring/rw.c:99 [inline]
__io_import_rw_buffer+0x1e2/0x260 io_uring/rw.c:120
io_import_rw_buffer io_uring/rw.c:139 [inline]
io_rw_do_import io_uring/rw.c:313 [inline]
io_prep_rw+0xb5/0x120 io_uring/rw.c:325
io_prep_rwv io_uring/rw.c:343 [inline]
io_prep_writev+0x23/0x80 io_uring/rw.c:363
io_init_req io_uring/io_uring.c:2235 [inline]
io_submit_sqe io_uring/io_uring.c:2282 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2435
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3285
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888129453000 (size 4096):
comm "syz.3.20", pid 6138, jiffies 4294947164
hex dump (first 32 bytes):
40 02 00 00 00 20 00 00 03 00 00 00 00 00 00 00 @.... ..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 8ab58d7d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kmalloc_array_noprof include/linux/slab.h:1003 [inline]
iovec_from_user lib/iov_iter.c:1321 [inline]
iovec_from_user+0x108/0x140 lib/iov_iter.c:1304
__import_iovec+0x71/0x350 lib/iov_iter.c:1375
io_import_vec io_uring/rw.c:99 [inline]
__io_import_rw_buffer+0x1e2/0x260 io_uring/rw.c:120
io_import_rw_buffer io_uring/rw.c:139 [inline]
io_rw_do_import io_uring/rw.c:313 [inline]
io_prep_rw+0xb5/0x120 io_uring/rw.c:325
io_prep_rwv io_uring/rw.c:343 [inline]
io_prep_writev+0x23/0x80 io_uring/rw.c:363
io_init_req io_uring/io_uring.c:2235 [inline]
io_submit_sqe io_uring/io_uring.c:2282 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2435
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3285
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888129452000 (size 4096):
comm "syz.3.20", pid 6138, jiffies 4294947164
hex dump (first 32 bytes):
40 02 00 00 00 20 00 00 03 00 00 00 00 00 00 00 @.... ..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 8ab58d7d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kmalloc_array_noprof include/linux/slab.h:1003 [inline]
iovec_from_user lib/iov_iter.c:1321 [inline]
iovec_from_user+0x108/0x140 lib/iov_iter.c:1304
__import_iovec+0x71/0x350 lib/iov_iter.c:1375
io_import_vec io_uring/rw.c:99 [inline]
__io_import_rw_buffer+0x1e2/0x260 io_uring/rw.c:120
io_import_rw_buffer io_uring/rw.c:139 [inline]
io_rw_do_import io_uring/rw.c:313 [inline]
io_prep_rw+0xb5/0x120 io_uring/rw.c:325
io_prep_rwv io_uring/rw.c:343 [inline]
io_prep_writev+0x23/0x80 io_uring/rw.c:363
io_init_req io_uring/io_uring.c:2235 [inline]
io_submit_sqe io_uring/io_uring.c:2282 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2435
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3285
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888129454000 (size 4096):
comm "syz.3.20", pid 6138, jiffies 4294947164
hex dump (first 32 bytes):
40 02 00 00 00 20 00 00 03 00 00 00 00 00 00 00 @.... ..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 8ab58d7d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kmalloc_array_noprof include/linux/slab.h:1003 [inline]
iovec_from_user lib/iov_iter.c:1321 [inline]
iovec_from_user+0x108/0x140 lib/iov_iter.c:1304
__import_iovec+0x71/0x350 lib/iov_iter.c:1375
io_import_vec io_uring/rw.c:99 [inline]
__io_import_rw_buffer+0x1e2/0x260 io_uring/rw.c:120
io_import_rw_buffer io_uring/rw.c:139 [inline]
io_rw_do_import io_uring/rw.c:313 [inline]
io_prep_rw+0xb5/0x120 io_uring/rw.c:325
io_prep_rwv io_uring/rw.c:343 [inline]
io_prep_writev+0x23/0x80 io_uring/rw.c:363
io_init_req io_uring/io_uring.c:2235 [inline]
io_submit_sqe io_uring/io_uring.c:2282 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2435
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3285
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Jens Axboe

Jan 14, 2026, 11:09:52 AM
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 1/14/26 1:35 AM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: b54345928fa1 Merge tag 'gfs2-for-6.19-rc6' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15f82052580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=87bc41cae23d2144
> dashboard link: https://syzkaller.appspot.com/bug?extid=df0b387708573ad096ce
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147ef99a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109655fa580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/23b084ff7602/disk-b5434592.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/3ecd3b0e8e34/vmlinux-b5434592.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/b42ab3574030/bzImage-b5434592.xz

I still think these are false positives, and forcing another kmemleak scan
would make them go away. Which the syzbot reproducers should arguably just
do. As mentioned in the email from this week, I ran into various others
of these, all of them invalid. A rescan sorts it out.

#syz invalid

--
Jens Axboe
