From: syzbot <syzbot+bf5de69ebb4bdf86f59f@syzkaller.appspotmail.com>
To: brauner@kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
viro@zeniv.linux.org.uk
Subject: [syzbot] [fs?] memory leak in __shmem_file_setup
Date: Sun, 11 Jan 2026 23:56:27 -0800 [thread overview]
Message-ID: <6964a92b.050a0220.eaf7.008a.GAE@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: f0b9d8eb98df Merge tag 'nfsd-6.19-3' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12ec819a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=bf5de69ebb4bdf86f59f
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ec819a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11bcc19a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aad2d47ff01d/disk-f0b9d8eb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c31e7ae85c07/vmlinux-f0b9d8eb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5525fab81561/bzImage-f0b9d8eb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bf5de69ebb4bdf86f59f@syzkaller.appspotmail.com
2026/01/08 07:49:49 executed programs: 5
BUG: memory leak
unreferenced object 0xffff888112c4b240 (size 184):
comm "syz.0.17", pid 6070, jiffies 4294944898
hex dump (first 32 bytes):
00 00 00 00 07 00 0e 02 00 e4 66 85 ff ff ff ff ..........f.....
98 38 89 09 81 88 ff ff 00 00 00 00 00 00 00 00 .8..............
backtrace (crc 987747be):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
alloc_empty_file+0x51/0x1a0 fs/file_table.c:237
alloc_file fs/file_table.c:354 [inline]
alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
__shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
shmem_kernel_file_setup mm/shmem.c:5865 [inline]
__shmem_zero_setup mm/shmem.c:5905 [inline]
shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
vfs_mmap_prepare include/linux/fs.h:2058 [inline]
call_mmap_prepare mm/vma.c:2596 [inline]
__mmap_region+0x8b8/0x13e0 mm/vma.c:2692
mmap_region+0x19f/0x1e0 mm/vma.c:2786
do_mmap+0x6a3/0xb60 mm/mmap.c:558
vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
__x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888101e46ca8 (size 40):
comm "syz.0.17", pid 6070, jiffies 4294944898
hex dump (first 32 bytes):
ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 f8 52 86 00 81 88 ff ff .........R......
backtrace (crc 2d2a393c):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
lsm_file_alloc security/security.c:169 [inline]
security_file_alloc+0x30/0x240 security/security.c:2380
init_file+0x3e/0x160 fs/file_table.c:159
alloc_empty_file+0x6f/0x1a0 fs/file_table.c:241
alloc_file fs/file_table.c:354 [inline]
alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
__shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
shmem_kernel_file_setup mm/shmem.c:5865 [inline]
__shmem_zero_setup mm/shmem.c:5905 [inline]
shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
vfs_mmap_prepare include/linux/fs.h:2058 [inline]
call_mmap_prepare mm/vma.c:2596 [inline]
__mmap_region+0x8b8/0x13e0 mm/vma.c:2692
mmap_region+0x19f/0x1e0 mm/vma.c:2786
do_mmap+0x6a3/0xb60 mm/mmap.c:558
vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
__x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888108f03840 (size 184):
comm "syz-executor", pid 5988, jiffies 4294944899
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 5869ffdf):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
prepare_creds+0x22/0x5e0 kernel/cred.c:185
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x979/0x2860 kernel/fork.c:2086
kernel_clone+0x119/0x6c0 kernel/fork.c:2651
__do_sys_clone+0x7b/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888109a7b8e0 (size 32):
comm "syz-executor", pid 5988, jiffies 4294944899
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f8 52 86 00 81 88 ff ff 00 00 00 00 00 00 00 00 .R..............
backtrace (crc 336e1c5f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
lsm_blob_alloc+0x4d/0x70 security/security.c:192
lsm_cred_alloc security/security.c:209 [inline]
security_prepare_creds+0x2f/0x270 security/security.c:2763
prepare_creds+0x385/0x5e0 kernel/cred.c:215
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x979/0x2860 kernel/fork.c:2086
kernel_clone+0x119/0x6c0 kernel/fork.c:2651
__do_sys_clone+0x7b/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888109b169c0 (size 184):
comm "syz.0.18", pid 6072, jiffies 4294944899
hex dump (first 32 bytes):
00 00 00 00 07 00 0e 02 00 e4 66 85 ff ff ff ff ..........f.....
68 e6 05 0e 81 88 ff ff 00 00 00 00 00 00 00 00 h...............
backtrace (crc 86e9bbaa):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
alloc_empty_file+0x51/0x1a0 fs/file_table.c:237
alloc_file fs/file_table.c:354 [inline]
alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
__shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
shmem_kernel_file_setup mm/shmem.c:5865 [inline]
__shmem_zero_setup mm/shmem.c:5905 [inline]
shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
vfs_mmap_prepare include/linux/fs.h:2058 [inline]
call_mmap_prepare mm/vma.c:2596 [inline]
__mmap_region+0x8b8/0x13e0 mm/vma.c:2692
mmap_region+0x19f/0x1e0 mm/vma.c:2786
do_mmap+0x6a3/0xb60 mm/mmap.c:558
vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
__x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2026-01-12 7:56 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-12 7:56 syzbot [this message]
2026-01-12 13:28 ` [syzbot] [fs?] memory leak in __shmem_file_setup Lorenzo Stoakes
2026-01-12 15:10 ` Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6964a92b.050a0220.eaf7.008a.GAE@google.com \
--to=syzbot+bf5de69ebb4bdf86f59f@syzkaller.appspotmail.com \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.