From: syzbot <syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com>
To: brauner@kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
viro@zeniv.linux.org.uk
Subject: [syzbot] [fs?] memory leak in getname_flags
Date: Wed, 24 Dec 2025 03:15:21 -0800 [thread overview]
Message-ID: <694bcb49.050a0220.35954c.001a.GAE@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: b927546677c8 Merge tag 'dma-mapping-6.19-2025-12-22' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=146fef1a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=153e90fc580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=126fef1a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7c1254aadd0a/disk-b9275466.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/15b98aa2b078/vmlinux-b9275466.xz
kernel image: https://storage.googleapis.com/syzbot-assets/10a68a086ef8/bzImage-b9275466.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
2025/12/24 09:11:05 executed programs: 5
BUG: memory leak
unreferenced object 0xffff8881098a2000 (size 4096):
comm "syz.0.17", pid 6087, jiffies 4294944491
hex dump (first 32 bytes):
20 20 8a 09 81 88 ff ff 40 02 00 00 00 20 00 00 ......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 5d427fb2):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881009ea000 (size 4096):
comm "syz.0.18", pid 6090, jiffies 4294944493
hex dump (first 32 bytes):
20 a0 9e 00 81 88 ff ff 40 02 00 00 00 20 00 00 .......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 254b05b2):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881009eb000 (size 4096):
comm "syz.0.19", pid 6092, jiffies 4294944494
hex dump (first 32 bytes):
20 b0 9e 00 81 88 ff ff 40 02 00 00 00 20 00 00 .......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 9f4244d8):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881098a6000 (size 4096):
comm "syz.0.20", pid 6134, jiffies 4294945094
hex dump (first 32 bytes):
20 60 8a 09 81 88 ff ff 40 02 00 00 00 20 00 00 `......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc d8f470d9):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881098a1000 (size 4096):
comm "syz.0.21", pid 6135, jiffies 4294945095
hex dump (first 32 bytes):
20 10 8a 09 81 88 ff ff 40 02 00 00 00 20 00 00 .......@.... ..
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 4828ba4d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
getname_flags.part.0+0x26/0x280 fs/namei.c:146
getname_flags+0x4b/0x90 include/linux/audit.h:345
getname include/linux/fs.h:2498 [inline]
__io_openat_prep+0x87/0x1a0 io_uring/openclose.c:70
io_init_req io_uring/io_uring.c:2234 [inline]
io_submit_sqe io_uring/io_uring.c:2281 [inline]
io_submit_sqes+0x40d/0xf40 io_uring/io_uring.c:2434
__do_sys_io_uring_enter+0x841/0xcf0 io_uring/io_uring.c:3280
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2025-12-24 11:15 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-24 11:15 syzbot [this message]
2025-12-24 14:37 ` [PATCH] io_uring: Fix filename leak in __io_openat_prep Prithvi Tambewagh
2025-12-24 15:07 ` [syzbot] [fs?] memory leak in getname_flags syzbot
2025-12-25 6:34 ` Syzbot test for v2: io_uring: fix filename leak in __io_openat_prep() Prithvi Tambewagh
2025-12-25 7:03 ` [syzbot] [fs?] memory leak in getname_flags syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=694bcb49.050a0220.35954c.001a.GAE@google.com \
--to=syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.