* Re: [syzbot] [hfs?] memory leak in hfs_init_fs_context
2025-11-13 4:27 [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
@ 2025-11-13 21:47 ` Viacheslav Dubeyko
2025-11-14 1:24 ` Mehdi Ben Hadj Khelifa
` (7 subsequent siblings)
8 siblings, 0 replies; 34+ messages in thread
From: Viacheslav Dubeyko @ 2025-11-13 21:47 UTC
To: syzkaller-bugs@googlegroups.com, frank.li@vivo.com,
glaubitz@physik.fu-berlin.de, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, slava@dubeyko.com,
syzbot+ad45f827c88778ff7df6@syzkaller.appspotmail.com
Issue has been created:
https://github.com/hfs-linux-kernel/hfs-linux-kernel/issues/239
Thanks,
Slava.
On Wed, 2025-11-12 at 20:27 -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 4ea7c1717f3f Merge tag 'for-linus' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17346c12580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
> dashboard link: https://syzkaller.appspot.com/bug?extid=ad45f827c88778ff7df6
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=143f5c12580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c9a7cd980000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/1f8cf51c9042/disk-4ea7c171.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/6f227246b5b7/vmlinux-4ea7c171.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/f935766a00b3/bzImage-4ea7c171.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/bee9311f4026/mount_4.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+ad45f827c88778ff7df6@syzkaller.appspotmail.com
>
> BUG: memory leak
> unreferenced object 0xffff888111778c00 (size 512):
> comm "syz.0.17", pid 6092, jiffies 4294942644
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc eb1d7412):
> kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> slab_post_alloc_hook mm/slub.c:4979 [inline]
> slab_alloc_node mm/slub.c:5284 [inline]
> __kmalloc_cache_noprof+0x3a6/0x5b0 mm/slub.c:5762
> kmalloc_noprof include/linux/slab.h:957 [inline]
> kzalloc_noprof include/linux/slab.h:1094 [inline]
> hfs_init_fs_context+0x24/0xd0 fs/hfs/super.c:411
> alloc_fs_context+0x214/0x430 fs/fs_context.c:315
> do_new_mount fs/namespace.c:3707 [inline]
> path_mount+0x93c/0x12e0 fs/namespace.c:4037
> do_mount fs/namespace.c:4050 [inline]
> __do_sys_mount fs/namespace.c:4238 [inline]
> __se_sys_mount fs/namespace.c:4215 [inline]
> __x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4215
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> BUG: memory leak
> unreferenced object 0xffff88810a2e8800 (size 512):
> comm "syz.0.18", pid 6098, jiffies 4294942646
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc eb1d7412):
> kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> slab_post_alloc_hook mm/slub.c:4979 [inline]
> slab_alloc_node mm/slub.c:5284 [inline]
> __kmalloc_cache_noprof+0x3a6/0x5b0 mm/slub.c:5762
> kmalloc_noprof include/linux/slab.h:957 [inline]
> kzalloc_noprof include/linux/slab.h:1094 [inline]
> hfs_init_fs_context+0x24/0xd0 fs/hfs/super.c:411
> alloc_fs_context+0x214/0x430 fs/fs_context.c:315
> do_new_mount fs/namespace.c:3707 [inline]
> path_mount+0x93c/0x12e0 fs/namespace.c:4037
> do_mount fs/namespace.c:4050 [inline]
> __do_sys_mount fs/namespace.c:4238 [inline]
> __se_sys_mount fs/namespace.c:4215 [inline]
> __x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4215
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> BUG: memory leak
> unreferenced object 0xffff88810a2e8e00 (size 512):
> comm "syz.0.19", pid 6102, jiffies 4294942648
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc eb1d7412):
> kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> slab_post_alloc_hook mm/slub.c:4979 [inline]
> slab_alloc_node mm/slub.c:5284 [inline]
> __kmalloc_cache_noprof+0x3a6/0x5b0 mm/slub.c:5762
> kmalloc_noprof include/linux/slab.h:957 [inline]
> kzalloc_noprof include/linux/slab.h:1094 [inline]
> hfs_init_fs_context+0x24/0xd0 fs/hfs/super.c:411
> alloc_fs_context+0x214/0x430 fs/fs_context.c:315
> do_new_mount fs/namespace.c:3707 [inline]
> path_mount+0x93c/0x12e0 fs/namespace.c:4037
> do_mount fs/namespace.c:4050 [inline]
> __do_sys_mount fs/namespace.c:4238 [inline]
> __se_sys_mount fs/namespace.c:4215 [inline]
> __x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4215
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> BUG: memory leak
> unreferenced object 0xffff8881263ed600 (size 512):
> comm "syz.0.20", pid 6125, jiffies 4294943177
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc eb1d7412):
> kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> slab_post_alloc_hook mm/slub.c:4979 [inline]
> slab_alloc_node mm/slub.c:5284 [inline]
> __kmalloc_cache_noprof+0x3a6/0x5b0 mm/slub.c:5762
> kmalloc_noprof include/linux/slab.h:957 [inline]
> kzalloc_noprof include/linux/slab.h:1094 [inline]
> hfs_init_fs_context+0x24/0xd0 fs/hfs/super.c:411
> alloc_fs_context+0x214/0x430 fs/fs_context.c:315
> do_new_mount fs/namespace.c:3707 [inline]
> path_mount+0x93c/0x12e0 fs/namespace.c:4037
> do_mount fs/namespace.c:4050 [inline]
> __do_sys_mount fs/namespace.c:4238 [inline]
> __se_sys_mount fs/namespace.c:4215 [inline]
> __x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4215
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> BUG: memory leak
> unreferenced object 0xffff88810db18c00 (size 512):
> comm "syz.0.21", pid 6127, jiffies 4294943179
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc eb1d7412):
> kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> slab_post_alloc_hook mm/slub.c:4979 [inline]
> slab_alloc_node mm/slub.c:5284 [inline]
> __kmalloc_cache_noprof+0x3a6/0x5b0 mm/slub.c:5762
> kmalloc_noprof include/linux/slab.h:957 [inline]
> kzalloc_noprof include/linux/slab.h:1094 [inline]
> hfs_init_fs_context+0x24/0xd0 fs/hfs/super.c:411
> alloc_fs_context+0x214/0x430 fs/fs_context.c:315
> do_new_mount fs/namespace.c:3707 [inline]
> path_mount+0x93c/0x12e0 fs/namespace.c:4037
> do_mount fs/namespace.c:4050 [inline]
> __do_sys_mount fs/namespace.c:4238 [inline]
> __se_sys_mount fs/namespace.c:4215 [inline]
> __x64_sys_mount+0x1a2/0x1e0 fs/namespace.c:4215
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
--
Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
* (no subject)
2025-11-13 4:27 [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
2025-11-13 21:47 ` Viacheslav Dubeyko
@ 2025-11-14 1:24 ` Mehdi Ben Hadj Khelifa
2025-11-14 2:03 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
2025-11-14 3:18 ` Mehdi Ben Hadj Khelifa
` (6 subsequent siblings)
8 siblings, 1 reply; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-14 1:24 UTC
To: syzbot+ad45f827c88778ff7df6
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs, Mehdi Ben Hadj Khelifa
#syz test
diff --git a/fs/super.c b/fs/super.c
index 5bab94fb7e03..a9112b17b79f 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -484,6 +484,7 @@ void deactivate_locked_super(struct super_block *s)
put_filesystem(fs);
put_super(s);
+ kfree(s->s_fs_info);
} else {
super_unlock_excl(s);
}
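Review bot: The added `kfree(s->s_fs_info)` dereferences `s` after `put_super(s)` has dropped this path's reference, so the read can touch a super_block that is already on its way to being freed; at minimum the pointer would have to be read before `put_super(s)`. Freeing `s_fs_info` from this generic VFS path also changes ownership for every filesystem: any filesystem whose own teardown already frees `s_fs_info` without clearing the pointer would now hit a double free. The leak in the report is specific to the mount error path reached after `hfs_init_fs_context`, so the free belongs in that path or in the filesystem's teardown, not here.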
--
2.51.2
* Re: [syzbot] [hfs?] memory leak in hfs_init_fs_context
2025-11-14 1:24 ` Mehdi Ben Hadj Khelifa
@ 2025-11-14 2:03 ` syzbot
0 siblings, 0 replies; 34+ messages in thread
From: syzbot @ 2025-11-14 2:03 UTC
To: frank.li, glaubitz, linux-fsdevel, linux-kernel,
mehdi.benhadjkhelifa, slava, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
[ 16.264394][ T5549] Oops: general protection fault, probably for non-canonical address 0x6564752f62696c4f: 0000 [#1] SMP PTI
[ 16.265069][ T5478] eql: remember to turn off Van-Jacobson compression on your slave devices
[ 16.275854][ T5549] CPU: 1 UID: 0 PID: 5549 Comm: rcS Not tainted syzkaller #0 PREEMPT(full)
[ 16.275872][ T5549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 16.275881][ T5549] RIP: 0010:tomoyo_get_name+0xa9/0x270
[ 16.308751][ T5549] Code: 0f 85 6a 01 00 00 e8 b6 b1 ec fe 89 d8 48 c1 e3 04 48 8b 9b c0 1a 85 89 48 89 04 24 49 39 dd 0f 84 b2 00 00 00 e8 97 b1 ec fe <44> 8b 7b 20 89 ee 44 89 ff e8 39 a9 ec fe 41 39 ef 0f 85 85 00 00
[ 16.328351][ T5549] RSP: 0018:ffffc90002807c28 EFLAGS: 00010293
[ 16.334412][ T5549] RAX: 0000000000000000 RBX: 6564752f62696c2f RCX: ffffffff8274e487
[ 16.342387][ T5549] RDX: ffff888102fdb480 RSI: ffffffff8274e479 RDI: 0000000000000004
[ 16.350405][ T5549] RBP: 000000000367e4aa R08: 0000000000000004 R09: 0000000061736c61
[ 16.358373][ T5549] R10: 000000000367e4aa R11: 0000000000000000 R12: ffff88810984c000
[ 16.366511][ T5549] R13: ffffffff898520c0 R14: 0000000000000038 R15: 0000000061736c61
[ 16.374647][ T5549] FS: 00007fdabe210c80(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
[ 16.383729][ T5549] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 16.390297][ T5549] CR2: 00007fec51a9a7b8 CR3: 000000010966c000 CR4: 00000000003526f0
[ 16.398302][ T5549] Call Trace:
[ 16.401564][ T5549] <TASK>
[ 16.404607][ T5549] ? tomoyo_assign_namespace+0x84/0x1d0
[ 16.410156][ T5549] tomoyo_assign_domain+0x249/0x490
[ 16.415496][ T5549] tomoyo_find_next_domain+0x4d1/0xdb0
[ 16.420969][ T5549] tomoyo_bprm_check_security+0x72/0xc0
[ 16.426508][ T5549] security_bprm_check+0x1b9/0x1e0
[ 16.431605][ T5549] bprm_execve+0x381/0x830
[ 16.436100][ T5549] do_execveat_common.isra.0+0x262/0x2e0
[ 16.441713][ T5549] __x64_sys_execve+0x3d/0x50
[ 16.446381][ T5549] do_syscall_64+0xa4/0xfa0
[ 16.450879][ T5549] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 16.456743][ T5549] RIP: 0033:0x7fdabe3ab107
[ 16.461148][ T5549] Code: 0f 00 64 c7 00 07 00 00 00 b8 ff ff ff ff c9 c3 0f 1f 00 48 8b 05 a9 ee 0f 00 48 8b 10 e9 01 00 00 00 90 b8 3b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c1 ec 0f 00 f7 d8 64 89 01 48
[ 16.480773][ T5549] RSP: 002b:00007fffd1b40b78 EFLAGS: 00000206 ORIG_RAX: 000000000000003b
[ 16.489522][ T5549] RAX: ffffffffffffffda RBX: 000055ca63b60d30 RCX: 00007fdabe3ab107
[ 16.497466][ T5549] RDX: 000055ca63b57bb8 RSI: 000055ca63b60d30 RDI: 000055ca63b60ce8
[ 16.505417][ T5549] RBP: 000055ca63b60ce8 R08: 0000000000000000 R09: 0000000000000000
[ 16.513806][ T5549] R10: 0000000000000008 R11: 0000000000000206 R12: 000055ca63b57bb8
[ 16.521843][ T5549] R13: 00007fdabe570e8b R14: 000055ca63b57bb8 R15: 0000000000000000
[ 16.529794][ T5549] </TASK>
[ 16.532798][ T5549] Modules linked in:
[ 16.536769][ T5549] ---[ end trace 0000000000000000 ]---
[ 16.542535][ T5549] RIP: 0010:tomoyo_get_name+0xa9/0x270
[ 16.548074][ T5549] Code: 0f 85 6a 01 00 00 e8 b6 b1 ec fe 89 d8 48 c1 e3 04 48 8b 9b c0 1a 85 89 48 89 04 24 49 39 dd 0f 84 b2 00 00 00 e8 97 b1 ec fe <44> 8b 7b 20 89 ee 44 89 ff e8 39 a9 ec fe 41 39 ef 0f 85 85 00 00
[ 16.567885][ T5549] RSP: 0018:ffffc90002807c28 EFLAGS: 00010293
[ 16.574145][ T5549] RAX: 0000000000000000 RBX: 6564752f62696c2f RCX: ffffffff8274e487
[ 16.582126][ T5549] RDX: ffff888102fdb480 RSI: ffffffff8274e479 RDI: 0000000000000004
[ 16.590202][ T5549] RBP: 000000000367e4aa R08: 0000000000000004 R09: 0000000061736c61
[ 16.598259][ T5549] R10: 000000000367e4aa R11: 0000000000000000 R12: ffff88810984c000
[ 16.606251][ T5549] R13: ffffffff898520c0 R14: 0000000000000038 R15: 0000000061736c61
[ 16.614332][ T5549] FS: 00007fdabe210c80(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
[ 16.623328][ T5549] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 16.629908][ T5549] CR2: 00007fec51a9a7b8 CR3: 000000010966c000 CR4: 00000000003526f0
[ 16.637983][ T5549] Kernel panic - not syncing: Fatal exception
[ 16.644472][ T5549] Kernel Offset: disabled
[ 16.648952][ T5549] Rebooting in 86400 seconds..
syzkaller build log:
git status (err=<nil>)
HEAD detached at 4e1406b4def
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=4e1406b4defac0e2a9d9424c70706f79a7750cf3 -X github.com/google/syzkaller/prog.gitRevisionDate=20251106-151142" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"4e1406b4defac0e2a9d9424c70706f79a7750cf3\"
/usr/bin/ld: /tmp/cctPnRU9.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16bad7cd980000
Tested on:
commit: 6da43bbe Merge tag 'vfio-v6.18-rc6' of https://github...
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
dashboard link: https://syzkaller.appspot.com/bug?extid=ad45f827c88778ff7df6
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11f2b60a580000
* (no subject)
2025-11-13 4:27 [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
2025-11-13 21:47 ` Viacheslav Dubeyko
2025-11-14 1:24 ` Mehdi Ben Hadj Khelifa
@ 2025-11-14 3:18 ` Mehdi Ben Hadj Khelifa
2025-11-14 3:00 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
2025-11-14 5:12 ` [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Mehdi Ben Hadj Khelifa
` (5 subsequent siblings)
8 siblings, 1 reply; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-14 3:18 UTC
To: syzbot+ad45f827c88778ff7df6
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs, Mehdi Ben Hadj Khelifa
#syz test
diff --git a/fs/super.c b/fs/super.c
index 5bab94fb7e03..b1a78189b2c5 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1690,6 +1690,7 @@ int get_tree_bdev_flags(struct fs_context *fc,
if (!error)
error = fill_super(s, fc);
if (error) {
+ fc->s_fs_info = s->s_fs_info;
deactivate_locked_super(s);
return error;
}
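Review bot: After `fc->s_fs_info = s->s_fs_info;` both `fc` and `s` point at the same allocation, and `deactivate_locked_super(s)` runs next with `s->s_fs_info` still set, so there are two owners and nothing in the hunk says which one frees it. Clear the superblock's copy with `s->s_fs_info = NULL;` before the deactivate call, and add a short comment stating that ownership goes back to the fs_context on this error path.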
--
2.51.2
* [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-13 4:27 [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
` (2 preceding siblings ...)
2025-11-14 3:18 ` Mehdi Ben Hadj Khelifa
@ 2025-11-14 5:12 ` Mehdi Ben Hadj Khelifa
2025-11-14 4:26 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
` (2 more replies)
2025-11-14 16:01 ` Mehdi Ben Hadj Khelifa
` (4 subsequent siblings)
8 siblings, 3 replies; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-14 5:12 UTC
To: syzbot+ad45f827c88778ff7df6
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs, Mehdi Ben Hadj Khelifa
#syz test
diff --git a/fs/super.c b/fs/super.c
index 5bab94fb7e03..a99e5281b057 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1690,6 +1690,11 @@ int get_tree_bdev_flags(struct fs_context *fc,
if (!error)
error = fill_super(s, fc);
if (error) {
+ /*
+ * return back sb_info ownership to fc to be freed by put_fs_context()
+ */
+ fc->s_fs_info = s->s_fs_info;
+ s->s_fs_info = NULL;
deactivate_locked_super(s);
return error;
}
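Review bot: The `if (error)` branch is entered for a `fill_super(s, fc)` failure as well as for a failure of the step before it, while the subject line only names setup_bdev_super failure. Handing `s->s_fs_info` back to `fc` unconditionally assumes that no `fill_super` implementation has already freed or replaced that pointer on its own error path; if one has, the later free through `fc` is a double free or frees the wrong object. Either restrict the handback to the case where `fill_super` was never called, or state the contract for `fill_super` error paths in the comment. Style: the comment fits on one line and should start with a capital letter, and the mail carries only `#syz test` where a commit message and Signed-off-by would be needed for a patch that is meant to be applied.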
--
2.51.2
* Re: [syzbot] [hfs?] memory leak in hfs_init_fs_context
2025-11-14 5:12 ` [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Mehdi Ben Hadj Khelifa
@ 2025-11-14 4:26 ` syzbot
2025-11-14 11:55 ` [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Christian Brauner
2025-11-19 13:43 ` Christian Brauner
2 siblings, 0 replies; 34+ messages in thread
From: syzbot @ 2025-11-14 4:26 UTC
To: frank.li, glaubitz, linux-fsdevel, linux-kernel,
mehdi.benhadjkhelifa, slava, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
SYZFAIL: failed to recv rpc
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
Warning: Permanently added '10.128.1.132' (ED25519) to the list of known hosts.
2025/11/14 04:25:22 parsed 1 programs
[ 49.746762][ T5893] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 49.754212][ T5893] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 49.761539][ T5893] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 49.768803][ T5893] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 49.777506][ T12] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 49.811620][ T12] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 49.872308][ T12] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 49.932883][ T12] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
2025/11/14 04:25:36 executed programs: 0
[ 52.871628][ T12] bridge_slave_1: left allmulticast mode
[ 52.877509][ T12] bridge_slave_1: left promiscuous mode
[ 52.883233][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.890693][ T12] bridge_slave_0: left allmulticast mode
[ 52.896320][ T12] bridge_slave_0: left promiscuous mode
[ 52.902081][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.942851][ T12] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 52.951925][ T12] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 52.960999][ T12] bond0 (unregistering): Released all slaves
[ 53.054718][ T12] hsr_slave_0: left promiscuous mode
[ 53.060223][ T12] hsr_slave_1: left promiscuous mode
[ 53.065682][ T12] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 53.073538][ T12] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 53.081030][ T12] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 53.088412][ T12] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 53.097247][ T12] veth1_macvtap: left promiscuous mode
[ 53.102787][ T12] veth0_macvtap: left promiscuous mode
[ 53.108333][ T12] veth1_vlan: left promiscuous mode
[ 53.113692][ T12] veth0_vlan: left promiscuous mode
[ 53.146117][ T12] team0 (unregistering): Port device team_slave_1 removed
[ 53.154944][ T12] team0 (unregistering): Port device team_slave_0 removed
[ 55.775892][ T5893] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 55.783123][ T5893] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 55.790299][ T5893] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 55.797638][ T5893] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 55.805009][ T5893] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 55.842807][ T5987] chnl_net:caif_netlink_parms(): no params data found
[ 55.861642][ T5987] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.868694][ T5987] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.876286][ T5987] bridge_slave_0: entered allmulticast mode
[ 55.882536][ T5987] bridge_slave_0: entered promiscuous mode
[ 55.888863][ T5987] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.896054][ T5987] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.903160][ T5987] bridge_slave_1: entered allmulticast mode
[ 55.909310][ T5987] bridge_slave_1: entered promiscuous mode
[ 55.921259][ T5987] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 55.931363][ T5987] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 55.946114][ T5987] team0: Port device team_slave_0 added
[ 55.952406][ T5987] team0: Port device team_slave_1 added
[ 55.962372][ T5987] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 55.969330][ T5987] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 55.995474][ T5987] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 56.006426][ T5987] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 56.013527][ T5987] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 56.039738][ T5987] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 56.056635][ T5987] hsr_slave_0: entered promiscuous mode
[ 56.062419][ T5987] hsr_slave_1: entered promiscuous mode
[ 56.253249][ T5987] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 56.261855][ T5987] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 56.269702][ T5987] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 56.278553][ T5987] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 56.294272][ T5987] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.301460][ T5987] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.308739][ T5987] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.315923][ T5987] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.338321][ T5987] 8021q: adding VLAN 0 to HW filter on device bond0
[ 56.348077][ T31] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.356081][ T31] bridge0: port 2(bridge_slave_1) entered disabled state
[ 56.366155][ T5987] 8021q: adding VLAN 0 to HW filter on device team0
[ 56.374820][ T49] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.381909][ T49] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.400099][ T49] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.407204][ T49] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.458214][ T5987] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 56.477365][ T5987] veth0_vlan: entered promiscuous mode
[ 56.485374][ T5987] veth1_vlan: entered promiscuous mode
[ 56.498620][ T5987] veth0_macvtap: entered promiscuous mode
[ 56.506001][ T5987] veth1_macvtap: entered promiscuous mode
[ 56.516830][ T5987] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 56.526501][ T5987] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 56.536259][ T31] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 56.554454][ T31] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 56.571101][ T49] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 56.579028][ T49] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 56.589211][ T31] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
syzkaller build log:
Tested on:
commit: 6da43bbe Merge tag 'vfio-v6.18-rc6' of https://github...
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
dashboard link: https://syzkaller.appspot.com/bug?extid=ad45f827c88778ff7df6
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16ceb60a580000
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-14 5:12 ` [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Mehdi Ben Hadj Khelifa
2025-11-14 4:26 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
@ 2025-11-14 11:55 ` Christian Brauner
2025-11-14 16:05 ` Mehdi Ben Hadj Khelifa
2025-11-14 17:15 ` Mehdi Ben Hadj Khelifa
2025-11-19 13:43 ` Christian Brauner
2 siblings, 2 replies; 34+ messages in thread
From: Christian Brauner @ 2025-11-14 11:55 UTC (permalink / raw)
To: Mehdi Ben Hadj Khelifa
Cc: syzbot+ad45f827c88778ff7df6, frank.li, glaubitz, linux-fsdevel,
linux-kernel, slava, syzkaller-bugs
On Fri, Nov 14, 2025 at 06:12:12AM +0100, Mehdi Ben Hadj Khelifa wrote:
> #syz test
>
> diff --git a/fs/super.c b/fs/super.c
> index 5bab94fb7e03..a99e5281b057 100644
> --- a/fs/super.c
> +++ b/fs/super.c
> @@ -1690,6 +1690,11 @@ int get_tree_bdev_flags(struct fs_context *fc,
> if (!error)
> error = fill_super(s, fc);
> if (error) {
> + /*
> + * return back sb_info ownership to fc to be freed by put_fs_context()
> + */
> + fc->s_fs_info = s->s_fs_info;
> + s->s_fs_info = NULL;
> deactivate_locked_super(s);
> return error;
> }
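Review bot: the hand-back of s->s_fs_info sits in the shared "if (error)" branch, so it also runs after a failed fill_super(s, fc), not only after the block-device setup failure named in the subject. If a filesystem's fill_super has already released or partly torn down its private data on failure, fc->s_fs_info ends up pointing at memory that put_fs_context() will free again. The assignment also clears s->s_fs_info before deactivate_locked_super(s), so every filesystem mounted through get_tree_bdev_flags() reaches its ->kill_sb() with NULL private data. Consider keeping the cleanup in the filesystem that allocated the data, or at least limiting the hand-back to the failure that happens before fill_super() is called. The comment should also say s_fs_info rather than sb_info, to match the field it describes.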
> --
> 2.51.2
>
No, either free it in hfs_fill_super() when it fails or add a wrapper
around kill_block_super() for hfs and free it after ->kill_sb() has run.
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-14 11:55 ` [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Christian Brauner
@ 2025-11-14 16:05 ` Mehdi Ben Hadj Khelifa
2025-11-14 17:15 ` Mehdi Ben Hadj Khelifa
1 sibling, 0 replies; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-14 16:05 UTC (permalink / raw)
To: Christian Brauner
Cc: syzbot+ad45f827c88778ff7df6, frank.li, glaubitz, linux-fsdevel,
linux-kernel, slava, syzkaller-bugs
On 11/14/25 12:55 PM, Christian Brauner wrote:
> On Fri, Nov 14, 2025 at 06:12:12AM +0100, Mehdi Ben Hadj Khelifa wrote:
>> #syz test
>>
>> diff --git a/fs/super.c b/fs/super.c
>> index 5bab94fb7e03..a99e5281b057 100644
>> --- a/fs/super.c
>> +++ b/fs/super.c
>> @@ -1690,6 +1690,11 @@ int get_tree_bdev_flags(struct fs_context *fc,
>> if (!error)
>> error = fill_super(s, fc);
>> if (error) {
>> + /*
>> + * return back sb_info ownership to fc to be freed by put_fs_context()
>> + */
>> + fc->s_fs_info = s->s_fs_info;
>> + s->s_fs_info = NULL;
>> deactivate_locked_super(s);
>> return error;
>> }
>> --
>> 2.51.2
>>
>
> No, either free it in hfs_fill_super() when it fails or add a wrapper
> around kill_block_super() for hfs and free it after ->kill_sb() has run.
Ah. I just saw your reply after I had just sent out a new similar test.
I will be working on it with your suggestion.
Best Regards,
Mehdi Ben Hadj Khelifa
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-14 11:55 ` [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Christian Brauner
2025-11-14 16:05 ` Mehdi Ben Hadj Khelifa
@ 2025-11-14 17:15 ` Mehdi Ben Hadj Khelifa
1 sibling, 0 replies; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-14 17:15 UTC (permalink / raw)
To: Christian Brauner
Cc: syzbot+ad45f827c88778ff7df6, frank.li, glaubitz, linux-fsdevel,
linux-kernel, slava, syzkaller-bugs
On 11/14/25 12:55 PM, Christian Brauner wrote:
> On Fri, Nov 14, 2025 at 06:12:12AM +0100, Mehdi Ben Hadj Khelifa wrote:
>> #syz test
>>
>> diff --git a/fs/super.c b/fs/super.c
>> index 5bab94fb7e03..a99e5281b057 100644
>> --- a/fs/super.c
>> +++ b/fs/super.c
>> @@ -1690,6 +1690,11 @@ int get_tree_bdev_flags(struct fs_context *fc,
>> if (!error)
>> error = fill_super(s, fc);
>> if (error) {
>> + /*
>> + * return back sb_info ownership to fc to be freed by put_fs_context()
>> + */
>> + fc->s_fs_info = s->s_fs_info;
>> + s->s_fs_info = NULL;
>> deactivate_locked_super(s);
>> return error;
>> }
>> --
>> 2.51.2
>>
>
> No, either free it in hfs_fill_super() when it fails or add a wrapper
> around kill_block_super() for hfs and free it after ->kill_sb() has run.
Sorry for the noise, resending with proper CCs:
I forgot to mention. I was giving back the ownership to the filesystem
context because when setup_bdev_super fails, put_fs_context still gets
called even if I would free s_fs_info in the kill_sb, so hfs_free_fc
would get a NULL pointer to kfree as a result. I don't think that would
be desirable.
I would be sending my patch out for more discussion.
Best Regards,
Mehdi Ben Hadj Khelifa
^ permalink raw reply [flat|nested] 34+ messages in thread
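The ownership hand-off discussed in this sub-thread, as an added userspace model (not code from the thread or from the kernel). All model_* names, the two failure stages and the rule that generic teardown frees private data only for a filled superblock are assumptions of the model; only the field names fc->s_fs_info and s->s_fs_info come from the patch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: the two structs carry just the fields the thread
 * talks about, everything else in the real kernel structs is left out. */
struct fs_context { void *s_fs_info; };
struct super_block {
    void *s_fs_info;
    int filled;                              /* fill_super() completed */
    void (*kill_sb)(struct super_block *);
};

enum fail_stage { FAIL_NONE, FAIL_BDEV_SETUP };

static int live_allocs;                      /* outstanding model allocations */

static void *model_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

/* Like kfree(): passing NULL is a harmless no-op. */
static void model_free(void *p)
{
    if (p)
        live_allocs--;
    free(p);
}

/* Stand-in for generic block-device teardown. Model assumption: private
 * data is released only on the path taken for a filled superblock. */
static void model_kill_block_super(struct super_block *s)
{
    if (s->filled) {
        model_free(s->s_fs_info);
        s->s_fs_info = NULL;
        s->filled = 0;
    }
}

/* Filesystem wrapper: generic teardown first, then free whatever private
 * data is still attached to the superblock. */
static void model_fs_kill_super(struct super_block *s)
{
    model_kill_block_super(s);
    model_free(s->s_fs_info);
    s->s_fs_info = NULL;
}

/* Stand-in for put_fs_context() calling the filesystem's free hook. */
static void model_put_fs_context(struct fs_context *fc)
{
    model_free(fc->s_fs_info);               /* NULL once the sb owns it */
    fc->s_fs_info = NULL;
}

/* One mount attempt; returns the number of allocations left behind. */
static int model_mount(int use_wrapper, enum fail_stage fail)
{
    struct fs_context fc;
    struct super_block s = { 0 };

    live_allocs = 0;
    fc.s_fs_info = model_alloc(512);         /* constructed size */

    /* Superblock creation takes ownership away from the context. */
    s.s_fs_info = fc.s_fs_info;
    fc.s_fs_info = NULL;
    s.kill_sb = use_wrapper ? model_fs_kill_super : model_kill_block_super;

    if (fail != FAIL_BDEV_SETUP)
        s.filled = 1;                        /* setup and fill succeeded */

    s.kill_sb(&s);                           /* error path, or later unmount */
    model_put_fs_context(&fc);               /* always runs */
    return live_allocs;
}

int main(void)
{
    printf("setup fails, generic kill_sb: %d leaked\n",
           model_mount(0, FAIL_BDEV_SETUP));
    printf("setup fails, wrapper kill_sb: %d leaked\n",
           model_mount(1, FAIL_BDEV_SETUP));
    printf("success,     wrapper kill_sb: %d leaked\n",
           model_mount(1, FAIL_NONE));
    return 0;
}
```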
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-14 5:12 ` [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Mehdi Ben Hadj Khelifa
2025-11-14 4:26 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
2025-11-14 11:55 ` [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Christian Brauner
@ 2025-11-19 13:43 ` Christian Brauner
2025-11-19 14:13 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
2 siblings, 1 reply; 34+ messages in thread
From: Christian Brauner @ 2025-11-19 13:43 UTC (permalink / raw)
To: Mehdi Ben Hadj Khelifa
Cc: syzbot+ad45f827c88778ff7df6, frank.li, glaubitz, linux-fsdevel,
linux-kernel, slava, syzkaller-bugs
On Fri, Nov 14, 2025 at 06:12:12AM +0100, Mehdi Ben Hadj Khelifa wrote:
> #syz test
>
> diff --git a/fs/super.c b/fs/super.c
> index 5bab94fb7e03..a99e5281b057 100644
> --- a/fs/super.c
> +++ b/fs/super.c
> @@ -1690,6 +1690,11 @@ int get_tree_bdev_flags(struct fs_context *fc,
> if (!error)
> error = fill_super(s, fc);
> if (error) {
> + /*
> + * return back sb_info ownership to fc to be freed by put_fs_context()
> + */
> + fc->s_fs_info = s->s_fs_info;
> + s->s_fs_info = NULL;
> deactivate_locked_super(s);
> return error;
> }
#syz test: https://github.com/brauner/linux.git work.hfs.fixes
^ permalink raw reply [flat|nested] 34+ messages in thread
* Re: [syzbot] [hfs?] memory leak in hfs_init_fs_context
2025-11-19 13:43 ` Christian Brauner
@ 2025-11-19 14:13 ` syzbot
2025-11-19 14:16 ` Christian Brauner
0 siblings, 1 reply; 34+ messages in thread
From: syzbot @ 2025-11-19 14:13 UTC (permalink / raw)
To: brauner, frank.li, glaubitz, linux-fsdevel, linux-kernel,
mehdi.benhadjkhelifa, slava, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
pc
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
syzkaller build log:
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10715332580000
Tested on:
commit: 058747ce hfs: ensure sb->s_fs_info is always cleaned up
git tree: https://github.com/brauner/linux.git work.hfs.fixes
kernel config: https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=ad45f827c88778ff7df6
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
* Re: [syzbot] [hfs?] memory leak in hfs_init_fs_context
2025-11-19 14:13 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
@ 2025-11-19 14:16 ` Christian Brauner
2025-11-19 15:08 ` syzbot
0 siblings, 1 reply; 34+ messages in thread
From: Christian Brauner @ 2025-11-19 14:16 UTC
To: syzbot
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel,
mehdi.benhadjkhelifa, slava, syzkaller-bugs
On Wed, Nov 19, 2025 at 06:13:08AM -0800, syzbot wrote:
> Hello,
>
> syzbot tried to test the proposed patch but the build/boot failed:
>
> pc
>
> SYZFAIL: failed to recv rpc
> fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
>
>
> syzkaller build log:
>
> Error text is too large and was truncated, full error text is at:
> https://syzkaller.appspot.com/x/error.txt?x=10715332580000
>
>
> Tested on:
>
> commit: 058747ce hfs: ensure sb->s_fs_info is always cleaned up
> git tree: https://github.com/brauner/linux.git work.hfs.fixes
> kernel config: https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
> dashboard link: https://syzkaller.appspot.com/bug?extid=ad45f827c88778ff7df6
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>
> Note: no patches were applied.
Groan, unrelated error.
What do I do? Just restart?
#syz test https://github.com/brauner/linux.git work.hfs.fixes
* Re: [syzbot] [hfs?] memory leak in hfs_init_fs_context
2025-11-19 14:16 ` Christian Brauner
@ 2025-11-19 15:08 ` syzbot
0 siblings, 0 replies; 34+ messages in thread
From: syzbot @ 2025-11-19 15:08 UTC
To: brauner, frank.li, glaubitz, linux-fsdevel, linux-kernel,
mehdi.benhadjkhelifa, slava, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+ad45f827c88778ff7df6@syzkaller.appspotmail.com
Tested-by: syzbot+ad45f827c88778ff7df6@syzkaller.appspotmail.com
Tested on:
commit: 058747ce hfs: ensure sb->s_fs_info is always cleaned up
git tree: https://github.com/brauner/linux.git work.hfs.fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=122ab914580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=ad45f827c88778ff7df6
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
* (no subject)
2025-11-13 4:27 [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
` (3 preceding siblings ...)
2025-11-14 5:12 ` [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Mehdi Ben Hadj Khelifa
@ 2025-11-14 16:01 ` Mehdi Ben Hadj Khelifa
2025-11-14 15:29 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
2025-11-18 17:00 ` Mehdi Ben Hadj Khelifa
` (3 subsequent siblings)
8 siblings, 1 reply; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-14 16:01 UTC
To: syzbot+ad45f827c88778ff7df6
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs, Mehdi Ben Hadj Khelifa
#syz test
diff --git a/fs/super.c b/fs/super.c
index 5bab94fb7e03..8fadf97fcc42 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1690,6 +1690,11 @@ int get_tree_bdev_flags(struct fs_context *fc,
if (!error)
error = fill_super(s, fc);
if (error) {
+ /*
+ * return s_fs_info ownership to fc to be cleaned up by put_fs_context()
+ */
+ fc->s_fs_info = s->s_fs_info;
+ s->s_fs_info = NULL;
deactivate_locked_super(s);
return error;
}
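Review bot: The hand-back of s_fs_info sits in the shared `if (error)` branch, so it runs both when the step before `fill_super()` failed and when `fill_super(s, fc)` itself returned an error. In the second case the filesystem's fill_super may already have freed or only partly set up the object, so returning it to `fc` risks a double free or a cleanup of partial state in put_fs_context(); it also means `deactivate_locked_super(s)` now always runs with `s->s_fs_info == NULL`, which every teardown path that dereferences it has to tolerate. Consider limiting the transfer to the case where fill_super() was never called (for example by testing the first error separately) and stating in the comment which failure it covers. The comment should also start with a capital letter and end with a period, and the posting carries no subject, changelog or Signed-off-by, so as sent it can only serve as a `#syz test` probe.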
--
2.51.2
* Re: [syzbot] [hfs?] memory leak in hfs_init_fs_context
2025-11-14 16:01 ` Mehdi Ben Hadj Khelifa
@ 2025-11-14 15:29 ` syzbot
0 siblings, 0 replies; 34+ messages in thread
From: syzbot @ 2025-11-14 15:29 UTC
To: frank.li, glaubitz, linux-fsdevel, linux-kernel,
mehdi.benhadjkhelifa, slava, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
SYZFAIL: failed to recv rpc
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 56.748575][ T5987] hsr_slave_1: entered promiscuous mode
[ 56.899621][ T5987] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 56.907406][ T5987] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 56.916005][ T5987] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 56.923914][ T5987] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 56.936978][ T5987] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.944085][ T5987] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.951366][ T5987] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.958429][ T5987] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.978679][ T5987] 8021q: adding VLAN 0 to HW filter on device bond0
[ 56.988116][ T31] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.995621][ T31] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.009787][ T5987] 8021q: adding VLAN 0 to HW filter on device team0
[ 57.019929][ T31] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.026986][ T31] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.035013][ T31] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.042090][ T31] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.091660][ T5987] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 57.108045][ T5987] veth0_vlan: entered promiscuous mode
[ 57.115202][ T5987] veth1_vlan: entered promiscuous mode
[ 57.128314][ T5987] veth0_macvtap: entered promiscuous mode
[ 57.135072][ T5987] veth1_macvtap: entered promiscuous mode
[ 57.144855][ T5987] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 57.153327][ T5987] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 57.163642][ T74] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 57.175835][ T74] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 57.187129][ T74] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 57.200636][ T74] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 57.217417][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 57.227482][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 57.228996][ T74] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
syzkaller build log:
Tested on:
commit: 6da43bbe Merge tag 'vfio-v6.18-rc6' of https://github...
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
dashboard link: https://syzkaller.appspot.com/bug?extid=ad45f827c88778ff7df6
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=140237cd980000
* (no subject)
2025-11-13 4:27 [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
` (4 preceding siblings ...)
2025-11-14 16:01 ` Mehdi Ben Hadj Khelifa
@ 2025-11-18 17:00 ` Mehdi Ben Hadj Khelifa
2025-11-18 17:15 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
2025-11-18 18:27 ` Mehdi Ben Hadj Khelifa
` (2 subsequent siblings)
8 siblings, 1 reply; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-18 17:00 UTC (permalink / raw)
To: syzbot+ad45f827c88778ff7df6
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs, Mehdi Ben Hadj Khelifa
#syz test
Signed-off-by: Mehdi Ben Hadj Khelifa <mehdi.benhadjkhelifa@gmail.com>
---
fs/super.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/super.c b/fs/super.c
index 5bab94fb7e03..3f48e5cd733f 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1723,6 +1723,8 @@ void kill_block_super(struct super_block *sb)
if (bdev) {
sync_blockdev(bdev);
bdev_fput(sb->s_bdev_file);
+ }else{
+ kfree(sb->s_fs_info);
}
}
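Review bot: the new else branch frees sb->s_fs_info with a bare kfree() inside kill_block_super(), a generic helper shared by block-based filesystems, so it cannot know whether a given filesystem's s_fs_info needs more teardown than kfree() or has already been released by the filesystem itself. The free belongs in the filesystem's own ->kill_sb. The branch also leaves sb->s_fs_info pointing at freed memory (no reset to NULL) and keys the free on bdev being NULL rather than on who owns the pointer; for style, `}else{` should be `} else {`.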
--
2.52.0
* (no subject)
2025-11-13 4:27 [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
` (5 preceding siblings ...)
2025-11-18 17:00 ` Mehdi Ben Hadj Khelifa
@ 2025-11-18 18:27 ` Mehdi Ben Hadj Khelifa
2025-11-18 17:40 ` Al Viro
2025-11-18 20:32 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
2025-11-18 19:21 ` Mehdi Ben Hadj Khelifa
2025-11-19 5:31 ` Mehdi Ben Hadj Khelifa
8 siblings, 2 replies; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-18 18:27 UTC (permalink / raw)
To: syzbot+ad45f827c88778ff7df6
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs, Mehdi Ben Hadj Khelifa
#syz test
diff --git a/fs/hfs/super.c b/fs/hfs/super.c
index 47f50fa555a4..46cdff89fb00 100644
--- a/fs/hfs/super.c
+++ b/fs/hfs/super.c
@@ -431,10 +431,21 @@ static int hfs_init_fs_context(struct fs_context *fc)
return 0;
}
+static void hfs_kill_sb(struct super_block *sb)
+{
+ generic_shutdown_super(sb);
+ hfs_mdb_put(sb);
+ if (sb->s_bdev) {
+ sync_blockdev(sb->s_bdev);
+ bdev_fput(sb->s_bdev_file);
+ }
+
+}
+
static struct file_system_type hfs_fs_type = {
.owner = THIS_MODULE,
.name = "hfs",
- .kill_sb = kill_block_super,
+ .kill_sb = hfs_kill_sb,
.fs_flags = FS_REQUIRES_DEV,
.init_fs_context = hfs_init_fs_context,
};
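Review bot: hfs_kill_sb() now calls hfs_mdb_put(sb), but this patch leaves the existing hfs_mdb_put() calls in the failure exits of hfs_fill_super() and in hfs_put_super() in place, so on those paths the release runs twice and is only safe if the second call is a no-op. Drop the two older calls in the same patch so that hfs_kill_sb() is the single place that releases s_fs_info.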
--
2.52.0
* Re:
2025-11-18 18:27 ` Mehdi Ben Hadj Khelifa
@ 2025-11-18 17:40 ` Al Viro
2025-11-18 20:32 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
1 sibling, 0 replies; 34+ messages in thread
From: Al Viro @ 2025-11-18 17:40 UTC (permalink / raw)
To: Mehdi Ben Hadj Khelifa
Cc: syzbot+ad45f827c88778ff7df6, frank.li, glaubitz, linux-fsdevel,
linux-kernel, slava, syzkaller-bugs
On Tue, Nov 18, 2025 at 07:27:06PM +0100, Mehdi Ben Hadj Khelifa wrote:
> #syz test
>
> diff --git a/fs/hfs/super.c b/fs/hfs/super.c
> index 47f50fa555a4..46cdff89fb00 100644
> --- a/fs/hfs/super.c
> +++ b/fs/hfs/super.c
> @@ -431,10 +431,21 @@ static int hfs_init_fs_context(struct fs_context *fc)
> return 0;
> }
>
> +static void hfs_kill_sb(struct super_block *sb)
> +{
> + generic_shutdown_super(sb);
> + hfs_mdb_put(sb);
> + if (sb->s_bdev) {
> + sync_blockdev(sb->s_bdev);
> + bdev_fput(sb->s_bdev_file);
> + }
> +
> +}
> +
> static struct file_system_type hfs_fs_type = {
> .owner = THIS_MODULE,
> .name = "hfs",
> - .kill_sb = kill_block_super,
> + .kill_sb = hfs_kill_sb,
> .fs_flags = FS_REQUIRES_DEV,
> .init_fs_context = hfs_init_fs_context,
> };
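Review bot: the body of hfs_kill_sb() open-codes the sync_blockdev()/bdev_fput() sequence with hfs_mdb_put(sb) placed between generic_shutdown_super() and the block device release, and nothing says why that position matters. A one-line comment above the hfs_mdb_put(sb) call stating that it has to run before bdev_fput(), if that is the intent, would document the ordering for whoever touches this next.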
Remove the calls of hfs_mdb_put() from hfs_fill_super() and
hfs_put_super() in addition to that.
* Re: [syzbot] [hfs?] memory leak in hfs_init_fs_context
2025-11-18 18:27 ` Mehdi Ben Hadj Khelifa
2025-11-18 17:40 ` Al Viro
@ 2025-11-18 20:32 ` syzbot
1 sibling, 0 replies; 34+ messages in thread
From: syzbot @ 2025-11-18 20:32 UTC (permalink / raw)
To: frank.li, glaubitz, linux-fsdevel, linux-kernel,
mehdi.benhadjkhelifa, slava, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+ad45f827c88778ff7df6@syzkaller.appspotmail.com
Tested-by: syzbot+ad45f827c88778ff7df6@syzkaller.appspotmail.com
Tested on:
commit: 8b690556 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16ca7884580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=ad45f827c88778ff7df6
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15e328b4580000
Note: testing is done by a robot and is best-effort only.
* (no subject)
2025-11-13 4:27 [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
` (6 preceding siblings ...)
2025-11-18 18:27 ` Mehdi Ben Hadj Khelifa
@ 2025-11-18 19:21 ` Mehdi Ben Hadj Khelifa
2025-11-18 20:32 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
2025-11-19 5:31 ` Mehdi Ben Hadj Khelifa
8 siblings, 1 reply; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-18 19:21 UTC (permalink / raw)
To: syzbot+ad45f827c88778ff7df6
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs, Mehdi Ben Hadj Khelifa
#syz test
diff --git a/fs/hfs/super.c b/fs/hfs/super.c
index 47f50fa555a4..06e1c25e47dc 100644
--- a/fs/hfs/super.c
+++ b/fs/hfs/super.c
@@ -49,8 +49,6 @@ static void hfs_put_super(struct super_block *sb)
{
cancel_delayed_work_sync(&HFS_SB(sb)->mdb_work);
hfs_mdb_close(sb);
- /* release the MDB's resources */
- hfs_mdb_put(sb);
}
static void flush_mdb(struct work_struct *work)
@@ -383,7 +381,6 @@ static int hfs_fill_super(struct super_block *sb, struct fs_context *fc)
bail_no_root:
pr_err("get root inode failed\n");
bail:
- hfs_mdb_put(sb);
return res;
}
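Review bot: with hfs_mdb_put(sb) removed, the bail: label only returns res, so every failure exit of hfs_fill_super() now relies on ->kill_sb running afterwards to release s_fs_info. Say so in a comment at bail: (for example, that cleanup is done in hfs_kill_sb()); otherwise the label reads as a missing cleanup and invites someone to re-add the call.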
@@ -431,10 +428,21 @@ static int hfs_init_fs_context(struct fs_context *fc)
return 0;
}
+static void hfs_kill_sb(struct super_block *sb)
+{
+ generic_shutdown_super(sb);
+ hfs_mdb_put(sb);
+ if (sb->s_bdev) {
+ sync_blockdev(sb->s_bdev);
+ bdev_fput(sb->s_bdev_file);
+ }
+
+}
+
static struct file_system_type hfs_fs_type = {
.owner = THIS_MODULE,
.name = "hfs",
- .kill_sb = kill_block_super,
+ .kill_sb = hfs_kill_sb,
.fs_flags = FS_REQUIRES_DEV,
.init_fs_context = hfs_init_fs_context,
};
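Review bot: hfs_mdb_put(sb) in hfs_kill_sb() is now also reached when setup_bdev_super() failed and hfs_fill_super() never ran, which is the case this thread is about, so it operates on an s_fs_info that only hfs_init_fs_context() has touched. Confirm that hfs_mdb_put() copes with that state (nothing read from disk yet, sb->s_bdev possibly unset) and state it in the changelog.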
--
2.52.0
* (no subject)
2025-11-13 4:27 [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
` (7 preceding siblings ...)
2025-11-18 19:21 ` Mehdi Ben Hadj Khelifa
@ 2025-11-19 5:31 ` Mehdi Ben Hadj Khelifa
2025-11-19 5:19 ` [syzbot] [hfs?] memory leak in hfs_init_fs_context syzbot
8 siblings, 1 reply; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-19 5:31 UTC (permalink / raw)
To: syzbot+ad45f827c88778ff7df6
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs, Mehdi Ben Hadj Khelifa
#syz test
diff --git a/fs/hfs/super.c b/fs/hfs/super.c
index 47f50fa555a4..06e1c25e47dc 100644
--- a/fs/hfs/super.c
+++ b/fs/hfs/super.c
@@ -49,8 +49,6 @@ static void hfs_put_super(struct super_block *sb)
{
cancel_delayed_work_sync(&HFS_SB(sb)->mdb_work);
hfs_mdb_close(sb);
- /* release the MDB's resources */
- hfs_mdb_put(sb);
}
static void flush_mdb(struct work_struct *work)
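Review bot: the lines removed from hfs_put_super() include the only comment ("release the MDB's resources") marking where s_fs_info is released, and the new call site in hfs_kill_sb() has none. Carry the comment over to the hfs_mdb_put(sb) call in hfs_kill_sb() so the release point stays documented.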
@@ -383,7 +381,6 @@ static int hfs_fill_super(struct super_block *sb, struct fs_context *fc)
bail_no_root:
pr_err("get root inode failed\n");
bail:
- hfs_mdb_put(sb);
return res;
}
@@ -431,10 +428,21 @@ static int hfs_init_fs_context(struct fs_context *fc)
return 0;
}
+static void hfs_kill_sb(struct super_block *sb)
+{
+ generic_shutdown_super(sb);
+ hfs_mdb_put(sb);
+ if (sb->s_bdev) {
+ sync_blockdev(sb->s_bdev);
+ bdev_fput(sb->s_bdev_file);
+ }
+
+}
+
static struct file_system_type hfs_fs_type = {
.owner = THIS_MODULE,
.name = "hfs",
- .kill_sb = kill_block_super,
+ .kill_sb = hfs_kill_sb,
.fs_flags = FS_REQUIRES_DEV,
.init_fs_context = hfs_init_fs_context,
};
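Review bot: the added hfs_kill_sb() ends with an empty line before its closing brace, which should be dropped. The mail also carries only "#syz test", so before this goes out as a real submission it needs a changelog explaining why the release moves into ->kill_sb, plus a Signed-off-by and the Reported-by tag syzbot asked for.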
--
2.52.0
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-14 16:52 [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Mehdi Ben Hadj Khelifa
@ 2025-11-18 14:59 ` Al Viro
2025-11-18 16:21 ` Mehdi Ben Hadj Khelifa
2025-11-26 14:01 ` kernel test robot
1 sibling, 1 reply; 34+ messages in thread
From: Al Viro @ 2025-11-18 14:59 UTC (permalink / raw)
To: Mehdi Ben Hadj Khelifa
Cc: brauner, jack, syzbot+ad45f827c88778ff7df6, frank.li, glaubitz,
linux-fsdevel, linux-kernel, slava, syzkaller-bugs, skhan,
david.hunter.linux, khalid, linux-kernel-mentees
On Fri, Nov 14, 2025 at 05:52:27PM +0100, Mehdi Ben Hadj Khelifa wrote:
> Failure in setup_bdev_super() triggers an error path where
> fc->s_fs_info ownership has already been transferred to the superblock via
> sget_fc() call in get_tree_bdev_flags() and calling put_fs_context() in
> do_new_mount() to free the s_fs_info for the specific filesystem gets
> passed in a NULL pointer.
>
> Pass back the ownership of the s_fs_info pointer to the filesystem context
> once the error path has been triggered to be cleaned up gracefully in
> put_fs_context().
>
> Fixes: cb50b348c71f ("convenience helpers: vfs_get_super() and sget_fc()")
> Reported-by: syzbot+ad45f827c88778ff7df6@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=ad45f827c88778ff7df6
> Signed-off-by: Mehdi Ben Hadj Khelifa <mehdi.benhadjkhelifa@gmail.com>
> ---
> Note: This patch might need some more testing as I only did run selftests
> with no regression, check dmesg output for no regression, run reproducer
> with no bug.
Almost certainly bogus; quite a few fill_super() callbacks seriously count
upon "->kill_sb() will take care of cleanup if we return an error".
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-18 14:59 ` Al Viro
@ 2025-11-18 16:21 ` Mehdi Ben Hadj Khelifa
2025-11-18 16:35 ` Al Viro
0 siblings, 1 reply; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-18 16:21 UTC (permalink / raw)
To: Al Viro
Cc: brauner, jack, syzbot+ad45f827c88778ff7df6, frank.li, glaubitz,
linux-fsdevel, linux-kernel, slava, syzkaller-bugs, skhan,
david.hunter.linux, khalid, linux-kernel-mentees
On 11/18/25 3:59 PM, Al Viro wrote:
> On Fri, Nov 14, 2025 at 05:52:27PM +0100, Mehdi Ben Hadj Khelifa wrote:
>> Failure in setup_bdev_super() triggers an error path where
>> fc->s_fs_info ownership has already been transferred to the superblock via
>> sget_fc() call in get_tree_bdev_flags() and calling put_fs_context() in
>> do_new_mount() to free the s_fs_info for the specific filesystem gets
>> passed in a NULL pointer.
>>
>> Pass back the ownership of the s_fs_info pointer to the filesystem context
>> once the error path has been triggered to be cleaned up gracefully in
>> put_fs_context().
>>
>> Fixes: cb50b348c71f ("convenience helpers: vfs_get_super() and sget_fc()")
>> Reported-by: syzbot+ad45f827c88778ff7df6@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=ad45f827c88778ff7df6
>> Signed-off-by: Mehdi Ben Hadj Khelifa <mehdi.benhadjkhelifa@gmail.com>
>> ---
>> Note: This patch might need some more testing as I only did run selftests
>> with no regression, check dmesg output for no regression, run reproducer
>> with no bug.
>
> Almost certainly bogus; quite a few fill_super() callbacks seriously count
> upon "->kill_sb() will take care of cleanup if we return an error".
So should I then free the allocated s_fs_info in the kill_block_super
instead and check for the null pointer in put_fs_context to not execute
kfree in subsequent call to hfs_free_fc()?
Because the error generated in setup_bdev_super() when returned to
do_new_mount() (after a lot of error propagation) it doesn't get handled:
	if (!err)
		err = do_new_mount_fc(fc, path, mnt_flags);
	put_fs_context(fc);
	return err;
Also doesn't get handled anywhere in the call stack after IIUC:
In path_mount:
	return do_new_mount(path, type_page, sb_flags, mnt_flags, dev_name,
			    data_page);
In do_mount:
	return path_mount(dev_name, &path, type_page, flags, data_page);
So what is recommended in this case?
Best Regards,
Mehdi Ben Hadj Khelifa
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-18 16:21 ` Mehdi Ben Hadj Khelifa
@ 2025-11-18 16:35 ` Al Viro
2025-11-18 16:55 ` Al Viro
2025-11-18 17:58 ` Mehdi Ben Hadj Khelifa
0 siblings, 2 replies; 34+ messages in thread
From: Al Viro @ 2025-11-18 16:35 UTC (permalink / raw)
To: Mehdi Ben Hadj Khelifa
Cc: brauner, jack, syzbot+ad45f827c88778ff7df6, frank.li, glaubitz,
linux-fsdevel, linux-kernel, slava, syzkaller-bugs, skhan,
david.hunter.linux, khalid, linux-kernel-mentees
On Tue, Nov 18, 2025 at 05:21:59PM +0100, Mehdi Ben Hadj Khelifa wrote:
> > Almost certainly bogus; quite a few fill_super() callbacks seriously count
> > upon "->kill_sb() will take care of cleanup if we return an error".
>
> So should I then free the allocated s_fs_info in the kill_block_super
> instead and check for the null pointer in put_fs_context to not execute
> kfree in subsequent call to hfs_free_fc()?
Huh? How the hell would kill_block_super() know what to do with ->s_fs_info
for that particular fs type? kill_block_super() is a convenience helper,
no more than that...
> Because the error generated in setup_bdev_super() when returned to
> do_new_mount() (after a lot of error propagation) it doesn't get handled:
> if (!err)
> err = do_new_mount_fc(fc, path, mnt_flags);
> put_fs_context(fc);
> return err;
Would be hard to handle something that is already gone, wouldn't it?
deactivate_locked_super() after the fill_super() failure is where
the superblock is destroyed - nothing past that point could possibly
be of any use.
I would still like the details on the problem you are seeing.
Normal operation (for filesystems that preallocate ->s_fs_info and hang
it off fc) goes like this:
* fc->s_fs_info is allocated in ->init_fs_context()
* it is modified (possibly) in ->parse_param()
* eventually ->get_tree() is called and at some point it
asks for superblock by calling sget_fc(). It may fail (in which
case fc->s_fs_info stays where it is), it may return a preexisting
superblock (ditto) *OR* it may create and return a new superblock.
In that case fc->s_fs_info is no more - it's been moved over to
sb->s_fs_info. NULL is left behind. From that point on the
responsibility for that sucker is with the filesystem; nothing in
VFS has any idea where to find it.
Again, there is no such thing as transferring it back to fc - once
fill_super() has been called, there might be any number of additional
things that need to be undone.
For HFS I would expect that hfs_fill_super() would call hfs_mdb_put(sb)
on all failures and have it called from subsequent ->put_super() if
we succeed and later unmount the filesystem. That seems to be where
->s_fs_info is taken out of superblock and freed.
What do you observe getting leaked and in which case does that happen?
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-18 16:35 ` Al Viro
@ 2025-11-18 16:55 ` Al Viro
2025-11-18 18:05 ` Mehdi Ben Hadj Khelifa
2025-11-18 17:58 ` Mehdi Ben Hadj Khelifa
1 sibling, 1 reply; 34+ messages in thread
From: Al Viro @ 2025-11-18 16:55 UTC (permalink / raw)
To: Mehdi Ben Hadj Khelifa
Cc: brauner, jack, syzbot+ad45f827c88778ff7df6, frank.li, glaubitz,
linux-fsdevel, linux-kernel, slava, syzkaller-bugs, skhan,
david.hunter.linux, khalid, linux-kernel-mentees
On Tue, Nov 18, 2025 at 04:35:09PM +0000, Al Viro wrote:
> For HFS I would expect that hfs_fill_super() would call hfs_mdb_put(sb)
> on all failures and have it called from subsequent ->put_super() if
> we succeed and later unmount the filesystem. That seems to be where
> ->s_fs_info is taken out of superblock and freed.
>
> What do you observe getting leaked and in which case does that happen?
AFAICS, the problem is with aca740cecbe5 "fs: open block device after superblock
creation" where you get a failure exit stuck between getting a new superblock
from sget_fc() and calling fill_super().
That is where the gap has been introduced. I see two possible solutions:
one is to have failure of setup_bdev_super() (and only it) steal ->s_fs_info
back, on the theory that filesystem didn't have a chance to do anything
yet. Another is to move the call of hfs_mdb_put() from failure exits of
hfs_fill_super() *and* from hfs_put_super() into hfs_kill_sb(), that
would do that:
generic_shutdown_super(sb);
hfs_mdb_put(sb);
if (sb->s_bdev) {
sync_blockdev(sb->s_bdev);
bdev_fput(sb->s_bdev_file);
}
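The ownership hand-off and the gap described in the two messages above, as a user-space C model added here for illustration; it is not code from the thread or from the kernel. The model_* functions, the two enums and the static buffer standing in for one hfs_sb_info are assumptions of this example, and has_root stands in for sb->s_root being set.

```c
/* User-space model of the s_fs_info hand-off discussed in this thread.
 * Function names echo the kernel's, but every body is a simplified
 * stand-in written for this example; none of it is kernel code. */
#include <stdio.h>
#include <stddef.h>

enum fail_point { FAIL_NONE, FAIL_SETUP_BDEV, FAIL_FILL_SUPER };
enum teardown   { OLD_KILL_BLOCK_SUPER, NEW_HFS_KILL_SB };

static int  live_objects;           /* allocated and not yet freed */
static char sb_info_storage[512];   /* stands in for one hfs_sb_info */

static void *model_kzalloc(void) { live_objects++; return sb_info_storage; }
static void model_kfree(void *p) { if (p) live_objects--; } /* NULL is a no-op */

struct fs_context  { void *s_fs_info; };
struct super_block { void *s_fs_info; int has_root; };

/* hfs_mdb_put() stand-in: take s_fs_info out of the superblock and free it. */
static void model_mdb_put(struct super_block *sb)
{
    model_kfree(sb->s_fs_info);
    sb->s_fs_info = NULL;
}

/* sget_fc() stand-in, new-superblock case: the pointer moves to the
 * superblock and NULL is left behind in the fs_context. */
static void model_sget_fc(struct super_block *sb, struct fs_context *fc)
{
    sb->s_fs_info = fc->s_fs_info;
    fc->s_fs_info = NULL;
}

static int model_fill_super(struct super_block *sb, enum teardown t, int fail)
{
    if (!fail) {
        sb->has_root = 1;
        return 0;
    }
    if (t == OLD_KILL_BLOCK_SUPER)
        model_mdb_put(sb);          /* old layout: failure exit frees */
    return -1;
}

/* ->kill_sb stand-in for both layouts. */
static void model_kill_sb(struct super_block *sb, enum teardown t)
{
    if (sb->has_root) {             /* ->put_super() runs only with a root */
        if (t == OLD_KILL_BLOCK_SUPER)
            model_mdb_put(sb);      /* old layout: ->put_super() frees */
        sb->has_root = 0;
    }
    if (t == NEW_HFS_KILL_SB)
        model_mdb_put(sb);          /* new layout: the single release point */
}

/* One mount attempt (plus unmount when it succeeds).
 * Returns the number of objects still allocated afterwards. */
int run_mount(enum teardown t, enum fail_point fp)
{
    struct fs_context fc = { NULL };
    struct super_block sb = { NULL, 0 };
    int err;

    live_objects = 0;
    fc.s_fs_info = model_kzalloc();             /* ->init_fs_context() */
    model_sget_fc(&sb, &fc);                    /* ownership moves to sb */
    err = (fp == FAIL_SETUP_BDEV) ? -1 : 0;     /* setup_bdev_super() */
    if (!err)
        err = model_fill_super(&sb, t, fp == FAIL_FILL_SUPER);
    if (err)
        model_kill_sb(&sb, t);                  /* deactivate_locked_super() */
    model_kfree(fc.s_fs_info);                  /* put_fs_context(): sees NULL */
    if (!err)
        model_kill_sb(&sb, t);                  /* later unmount */
    return live_objects;
}

int main(void)
{
    static const char *fp_name[] = {
        "no failure", "setup_bdev_super fails", "fill_super fails"
    };

    for (int t = OLD_KILL_BLOCK_SUPER; t <= NEW_HFS_KILL_SB; t++)
        for (int fp = FAIL_NONE; fp <= FAIL_FILL_SUPER; fp++)
            printf("%-17s %-23s leaked=%d\n",
                   t == OLD_KILL_BLOCK_SUPER ? "kill_block_super" : "hfs_kill_sb",
                   fp_name[fp],
                   run_mount((enum teardown)t, (enum fail_point)fp));
    return 0;
}
```

Only the old layout combined with a setup_bdev_super() failure leaves an object allocated, because neither the fill_super() failure exit nor ->put_super() runs on that path.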
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-18 16:55 ` Al Viro
@ 2025-11-18 18:05 ` Mehdi Ben Hadj Khelifa
0 siblings, 0 replies; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-18 18:05 UTC (permalink / raw)
To: Al Viro
Cc: brauner, jack, syzbot+ad45f827c88778ff7df6, frank.li, glaubitz,
linux-fsdevel, linux-kernel, slava, syzkaller-bugs, skhan,
david.hunter.linux, khalid, linux-kernel-mentees
On 11/18/25 5:55 PM, Al Viro wrote:
> On Tue, Nov 18, 2025 at 04:35:09PM +0000, Al Viro wrote:
>
>> For HFS I would expect that hfs_fill_super() would call hfs_mdb_put(sb)
>> on all failures and have it called from subsequent ->put_super() if
>> we succeed and later unmount the filesystem. That seems to be where
>> ->s_fs_info is taken out of superblock and freed.
>>
>> What do you observe getting leaked and in which case does that happen?
Sorry for my other late reply. My thunderbird client had some issues and
got delayed and separated emails somehow...
>
> AFAICS, the problem is with aca740cecbe5 "fs: open block device after superblock
> creation" where you get a failure exit stuck between getting a new superblock
> from sget_fc() and calling fill_super().
>
Yes, this is what I mentioned in my earlier mail (not the commit causing
the issue though).
> That is where the gap has been introduced. I see two possible solutions:
> one is to have failure of setup_bdev_super() (and only it) steal ->s_fs_info
> back, on the theory that filesystem didn't have a chance to do anything
> yet. Another is to move the call of hfs_mdb_put() from failure exits of
> hfs_fill_super() *and* from hfs_put_super() into hfs_kill_sb(), that
> would do that:
>
> generic_shutdown_super(sb);
> hfs_mdb_put(sb);
> if (sb->s_bdev) {
> sync_blockdev(sb->s_bdev);
> bdev_fput(sb->s_bdev_file);
> }
I will do the second approach, test it and send it for review shortly.
Best regards,
Mehdi Ben Hadj Khelifa
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-18 16:35 ` Al Viro
2025-11-18 16:55 ` Al Viro
@ 2025-11-18 17:58 ` Mehdi Ben Hadj Khelifa
1 sibling, 0 replies; 34+ messages in thread
From: Mehdi Ben Hadj Khelifa @ 2025-11-18 17:58 UTC (permalink / raw)
To: Al Viro
Cc: brauner, jack, syzbot+ad45f827c88778ff7df6, frank.li, glaubitz,
linux-fsdevel, linux-kernel, slava, syzkaller-bugs, skhan,
david.hunter.linux, khalid, linux-kernel-mentees
On 11/18/25 5:35 PM, Al Viro wrote:
> On Tue, Nov 18, 2025 at 05:21:59PM +0100, Mehdi Ben Hadj Khelifa wrote:
>
>>> Almost certainly bogus; quite a few fill_super() callbacks seriously count
>>> upon "->kill_sb() will take care of cleanup if we return an error".
>>
>> So should I then free the allocated s_fs_info in the kill_block_super
>> instead and check for the null pointer in put_fs_context to not execute
>> kfree in subsequent call to hfs_free_fc()?
>
> Huh? How the hell would kill_block_super() know what to do with ->s_fs_info
> for that particular fs type? kill_block_super() is a convenience helper,
> no more than that...
>
Yes, I missed that. Since I only looked at the hfs_free_fc(), I forgot
that in kill_block_super() it handles all fs types not only hfs which
only frees s_fs_info.
>> Because the error generated in setup_bdev_super() when returned to
>> do_new_mount() (after a lot of error propagation) it doesn't get handled:
>> if (!err)
>> err = do_new_mount_fc(fc, path, mnt_flags);
>> put_fs_context(fc);
>> return err;
>
> Would be hard to handle something that is already gone, wouldn't it?
> deactivate_locked_super() after the fill_super() failure is where
> the superblock is destroyed - nothing past that point could possibly
> be of any use.
>
> I would still like the details on the problem you are seeing.
The problem isn't produced by fill_super failure, instead it's produced
by setup_bdev_super failure just a line before it. Here is a snip from
fs/super:
	error = setup_bdev_super(s, fc->sb_flags, fc);
	if (!error)
		error = fill_super(s, fc);
	if (error) {
		deactivate_locked_super(s);
		return error;
	}
and in the above code, fc->s_fs_info has already been transferred to sb
as you have mentioned in the sget_fc() function before the above snip.
But subsequent calls after setup_bdev_super fail to free s_fs_info IIUC.
>
> Normal operation (for filesystems that preallocate ->s_fs_info and hang
> it off fc) goes like this:
>
> * fc->s_fs_info is allocated in ->init_fs_context()
> * it is modified (possibly) in ->parse_param()
> * eventually ->get_tree() is called and at some point it
> asks for superblock by calling sget_fc(). It may fail (in which
> case fc->s_fs_info stays where it is), it may return a preexisting
> superblock (ditto) *OR* it may create and return a new superblock.
> In that case fc->s_fs_info is no more - it's been moved over to
> sb->s_fs_info. NULL is left behind. From that point on the
> responsibility for that sucker is with the filesystem; nothing in
> VFS has any idea where to find it.
>
In this case, it does create a new superblock which transfers the
ownership of the pointer. But as I said the problem is that in the error
path of setup_bdev_super(), there is no freeing of such memory and since
the pointer has already been transferred and the responsibility is
with the filesystem, put_fs_context() calling hfs_free_fc() doesn't free
the allocated memory too.
> Again, there is no such thing as transferring it back to fc - once
> fill_super() has been called, there might be any number of additional
> things that need to be undone.
>
As I said above, fill_super isn't even called in this case.
> For HFS I would expect that hfs_fill_super() would call hfs_mdb_put(sb)
> on all failures and have it called from subsequent ->put_super() if
> we succeed and later unmount the filesystem. That seems to be where
> ->s_fs_info is taken out of superblock and freed.
>
> What do you observe getting leaked and in which case does that happen?
>
Exactly in bdev_file_open_by_dev() in the setup_bdev_super call
mentioned above is what triggers the error path that doesn't free the
hfs_sb_info since hfs_free_fc calls kfree on a NULL pointer.
* Re: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
2025-11-14 16:52 [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure Mehdi Ben Hadj Khelifa
2025-11-18 14:59 ` Al Viro
@ 2025-11-26 14:01 ` kernel test robot
1 sibling, 0 replies; 34+ messages in thread
From: kernel test robot @ 2025-11-26 14:01 UTC (permalink / raw)
To: Mehdi Ben Hadj Khelifa
Cc: oe-lkp, lkp, linux-fsdevel, viro, brauner, jack,
syzbot+ad45f827c88778ff7df6, frank.li, glaubitz, linux-kernel,
slava, syzkaller-bugs, skhan, david.hunter.linux, khalid,
linux-kernel-mentees, Mehdi Ben Hadj Khelifa, oliver.sang
Hello,
kernel test robot noticed "Oops:general_protection_fault,probably_for_non-canonical_address#:#[##]SMP_KASAN_PTI" on:
commit: 45f3d9974e382495db777e0290a32ba0cd6f454b ("[PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure")
url: https://github.com/intel-lab-lkp/linux/commits/Mehdi-Ben-Hadj-Khelifa/fs-super-fix-memory-leak-of-s_fs_info-on-setup_bdev_super-failure/20251115-001149
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 6da43bbeb6918164f7287269881a5f861ae09d7e
patch link: https://lore.kernel.org/all/20251114165255.101361-1-mehdi.benhadjkhelifa@gmail.com/
patch subject: [PATCH] fs/super: fix memory leak of s_fs_info on setup_bdev_super failure
in testcase: nvml
version: nvml-x86_64-4cbe1fd37-1_20251013
with following parameters:
test: non-pmem
group: util
config: x86_64-rhel-9.4-func
compiler: gcc-14
test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (Haswell) with 8G memory
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202511262155.f86d1a5f-lkp@intel.com
[ 164.783048][T42994] EXT4-fs (loop0): VFS: Can't find ext4 filesystem
[ 164.792057][T42994] EXT4-fs (loop0): VFS: Can't find ext4 filesystem
[ 164.798663][T42994] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
[ 164.810433][T42994] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 164.818722][T42994] CPU: 3 UID: 0 PID: 42994 Comm: mount Tainted: G S 6.18.0-rc5-00215-g45f3d9974e38 #1 PREEMPT(voluntary)
[ 164.831362][T42994] Tainted: [S]=CPU_OUT_OF_SPEC
[ 164.835992][T42994] Hardware name: Dell Inc. OptiPlex 9020/0DNKMN, BIOS A05 12/05/2013
[ 164.843927][T42994] RIP: 0010:fuse_kill_sb_blk (kbuild/src/consumer/fs/fuse/inode.c:2126 kbuild/src/consumer/fs/fuse/inode.c:2153) fuse
[ 164.850056][T42994] Code: 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 6a 48 8b 9b 90 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 75 60 48 8b 3b e8 ec f8 ff ff 48 85 db 74 1a 48 83 c4
All code
========
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 00 fc add %bh,%ah
6: ff lcall (bad)
7: df 48 c1 fisttps -0x3f(%rax)
a: ea (bad)
b: 03 80 3c 02 00 75 add 0x7500023c(%rax),%eax
11: 6a 48 push $0x48
13: 8b 9b 90 03 00 00 mov 0x390(%rbx),%ebx
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 da mov %rbx,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 75 60 jne 0x90
30: 48 8b 3b mov (%rbx),%rdi
33: e8 ec f8 ff ff call 0xfffffffffffff924
38: 48 85 db test %rbx,%rbx
3b: 74 1a je 0x57
3d: 48 rex.W
3e: 83 .byte 0x83
3f: c4 .byte 0xc4
Code starting with the faulting instruction
===========================================
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 75 60 jne 0x66
6: 48 8b 3b mov (%rbx),%rdi
9: e8 ec f8 ff ff call 0xfffffffffffff8fa
e: 48 85 db test %rbx,%rbx
11: 74 1a je 0x2d
13: 48 rex.W
14: 83 .byte 0x83
15: c4 .byte 0xc4
[ 164.869568][T42994] RSP: 0018:ffffc900022dfbc8 EFLAGS: 00010246
[ 164.875504][T42994] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff81580d23
[ 164.883352][T42994] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8882004c8014
[ 164.891213][T42994] RBP: ffffffffc020dba0 R08: 0000000000000001 R09: ffffed1040099000
[ 164.899068][T42994] R10: ffff8882004c8007 R11: ffffffff81e792d8 R12: 00000000ffffffea
[ 164.906921][T42994] R13: ffff88810dc18390 R14: ffffffffc0446ab0 R15: 00000000ffffffea
[ 164.914770][T42994] FS: 00007ff3e6309840(0000) GS:ffff88821483e000(0000) knlGS:0000000000000000
[ 164.923579][T42994] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 164.930038][T42994] CR2: 000055c480d92328 CR3: 00000001ec872005 CR4: 00000000001726f0
[ 164.937888][T42994] Call Trace:
[ 164.941038][T42994] <TASK>
[ 164.943841][T42994] ? __pfx_fuse_fill_super (kbuild/src/consumer/fs/fuse/inode.c:1939) fuse
[ 164.949619][T42994] deactivate_locked_super (kbuild/src/consumer/fs/super.c:434 kbuild/src/consumer/fs/super.c:475)
[ 164.954861][T42994] get_tree_bdev_flags (kbuild/src/consumer/fs/super.c:1699)
[ 164.959839][T42994] ? __pfx_get_tree_bdev_flags (kbuild/src/consumer/fs/super.c:1662)
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20251126/202511262155.f86d1a5f-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 34+ messages in thread
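An added user-space C model (not code from the thread, the patch, or the kernel) of the s_fs_info ownership rule discussed in the two messages above: once the pointer has moved from the context to the superblock, only the superblock teardown can free it, and that teardown must cope with a superblock on which fill_super never ran. All struct and function names are hypothetical stand-ins, and the `prealloc == 0` case (private data attached only in fill_super) is an assumption used to model a NULL private pointer at teardown.

```c
#include <stdlib.h>

/* User-space model; struct and function names are hypothetical stand-ins. */
struct fs_context  { void *s_fs_info; };
struct super_block { void *s_fs_info; };

static int live;  /* private-data objects currently allocated */

static void *info_alloc(void) { live++; return malloc(512); }
static void info_free(void *p) { if (p) { live--; free(p); } }  /* NULL is a no-op, like kfree() */

/* New superblock created: the pointer moves to sb and NULL is left in fc. */
static void sget_new(struct fs_context *fc, struct super_block *sb)
{
    sb->s_fs_info = fc->s_fs_info;
    fc->s_fs_info = NULL;
}

/* Context cleanup frees only what the context still owns. */
static void free_fc(struct fs_context *fc) { info_free(fc->s_fs_info); }

/* Teardown that leaves s_fs_info to fill_super/put_super paths, which never run here. */
static void kill_sb_ignoring(struct super_block *sb) { (void)sb; }

/* Teardown that owns s_fs_info and tolerates it being NULL. */
static void kill_sb_owning(struct super_block *sb)
{
    info_free(sb->s_fs_info);
    sb->s_fs_info = NULL;
}

/* Mount attempt whose device setup fails before fill_super is called.
 * prealloc != 0: private data allocated at context init (the HFS case in the thread).
 * prealloc == 0: private data would only be attached in fill_super (assumption).
 * Returns how many private-data objects the attempt leaked. */
static int failed_mount(int prealloc, void (*kill_sb)(struct super_block *))
{
    int before = live;
    struct fs_context fc = { prealloc ? info_alloc() : NULL };
    struct super_block sb = { NULL };

    sget_new(&fc, &sb);  /* ownership now with the superblock */
    /* device setup fails here; fill_super never runs */
    kill_sb(&sb);        /* teardown of the half-built superblock */
    free_fc(&fc);        /* sees NULL, frees nothing */
    return live - before;
}
```

`failed_mount(1, kill_sb_ignoring)` reports one leaked object, matching the leak described in the reply, while `kill_sb_owning` leaves none in either case.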