* [syzbot] [fs?] memory leak in __shmem_file_setup
@ 2026-01-12 7:56 syzbot
From: syzbot @ 2026-01-12 7:56 UTC
To: brauner, jack, linux-fsdevel, linux-kernel, syzkaller-bugs, viro
Hello,
syzbot found the following issue on:
HEAD commit: f0b9d8eb98df Merge tag 'nfsd-6.19-3' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12ec819a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=bf5de69ebb4bdf86f59f
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ec819a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11bcc19a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/aad2d47ff01d/disk-f0b9d8eb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c31e7ae85c07/vmlinux-f0b9d8eb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5525fab81561/bzImage-f0b9d8eb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bf5de69ebb4bdf86f59f@syzkaller.appspotmail.com
2026/01/08 07:49:49 executed programs: 5
BUG: memory leak
unreferenced object 0xffff888112c4b240 (size 184):
comm "syz.0.17", pid 6070, jiffies 4294944898
hex dump (first 32 bytes):
00 00 00 00 07 00 0e 02 00 e4 66 85 ff ff ff ff ..........f.....
98 38 89 09 81 88 ff ff 00 00 00 00 00 00 00 00 .8..............
backtrace (crc 987747be):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
alloc_empty_file+0x51/0x1a0 fs/file_table.c:237
alloc_file fs/file_table.c:354 [inline]
alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
__shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
shmem_kernel_file_setup mm/shmem.c:5865 [inline]
__shmem_zero_setup mm/shmem.c:5905 [inline]
shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
vfs_mmap_prepare include/linux/fs.h:2058 [inline]
call_mmap_prepare mm/vma.c:2596 [inline]
__mmap_region+0x8b8/0x13e0 mm/vma.c:2692
mmap_region+0x19f/0x1e0 mm/vma.c:2786
do_mmap+0x6a3/0xb60 mm/mmap.c:558
vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
__x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888101e46ca8 (size 40):
comm "syz.0.17", pid 6070, jiffies 4294944898
hex dump (first 32 bytes):
ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 f8 52 86 00 81 88 ff ff .........R......
backtrace (crc 2d2a393c):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
lsm_file_alloc security/security.c:169 [inline]
security_file_alloc+0x30/0x240 security/security.c:2380
init_file+0x3e/0x160 fs/file_table.c:159
alloc_empty_file+0x6f/0x1a0 fs/file_table.c:241
alloc_file fs/file_table.c:354 [inline]
alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
__shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
shmem_kernel_file_setup mm/shmem.c:5865 [inline]
__shmem_zero_setup mm/shmem.c:5905 [inline]
shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
vfs_mmap_prepare include/linux/fs.h:2058 [inline]
call_mmap_prepare mm/vma.c:2596 [inline]
__mmap_region+0x8b8/0x13e0 mm/vma.c:2692
mmap_region+0x19f/0x1e0 mm/vma.c:2786
do_mmap+0x6a3/0xb60 mm/mmap.c:558
vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
__x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888108f03840 (size 184):
comm "syz-executor", pid 5988, jiffies 4294944899
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 5869ffdf):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
prepare_creds+0x22/0x5e0 kernel/cred.c:185
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x979/0x2860 kernel/fork.c:2086
kernel_clone+0x119/0x6c0 kernel/fork.c:2651
__do_sys_clone+0x7b/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888109a7b8e0 (size 32):
comm "syz-executor", pid 5988, jiffies 4294944899
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f8 52 86 00 81 88 ff ff 00 00 00 00 00 00 00 00 .R..............
backtrace (crc 336e1c5f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
lsm_blob_alloc+0x4d/0x70 security/security.c:192
lsm_cred_alloc security/security.c:209 [inline]
security_prepare_creds+0x2f/0x270 security/security.c:2763
prepare_creds+0x385/0x5e0 kernel/cred.c:215
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x979/0x2860 kernel/fork.c:2086
kernel_clone+0x119/0x6c0 kernel/fork.c:2651
__do_sys_clone+0x7b/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888109b169c0 (size 184):
comm "syz.0.18", pid 6072, jiffies 4294944899
hex dump (first 32 bytes):
00 00 00 00 07 00 0e 02 00 e4 66 85 ff ff ff ff ..........f.....
68 e6 05 0e 81 88 ff ff 00 00 00 00 00 00 00 00 h...............
backtrace (crc 86e9bbaa):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
alloc_empty_file+0x51/0x1a0 fs/file_table.c:237
alloc_file fs/file_table.c:354 [inline]
alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
__shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
shmem_kernel_file_setup mm/shmem.c:5865 [inline]
__shmem_zero_setup mm/shmem.c:5905 [inline]
shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
vfs_mmap_prepare include/linux/fs.h:2058 [inline]
call_mmap_prepare mm/vma.c:2596 [inline]
__mmap_region+0x8b8/0x13e0 mm/vma.c:2692
mmap_region+0x19f/0x1e0 mm/vma.c:2786
do_mmap+0x6a3/0xb60 mm/mmap.c:558
vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
__x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [fs?] memory leak in __shmem_file_setup
From: Lorenzo Stoakes @ 2026-01-12 13:28 UTC
To: syzbot; +Cc: brauner, jack, linux-fsdevel, linux-kernel, syzkaller-bugs, viro
Hi all,
I have bisected this to commit ab04945f91bc ("mm: update mem char driver to use
mmap_prepare"), i.e. my patch, so apologies for that.
Will figure out what's happening here and come up with a hotfix.
When I saw /dev/zero I did suspect this exact commit, would have saved me some
bisecting had I just tested it first but there we are :P
Cheers, Lorenzo
* Re: [syzbot] [fs?] memory leak in __shmem_file_setup
From: Lorenzo Stoakes @ 2026-01-12 15:10 UTC
To: syzbot; +Cc: brauner, jack, linux-fsdevel, linux-kernel, syzkaller-bugs, viro
Analysis below.
On Mon, Jan 12, 2026 at 01:28:17PM +0000, Lorenzo Stoakes wrote:
> On Sun, Jan 11, 2026 at 11:56:27PM -0800, syzbot wrote:
> > BUG: memory leak
> > unreferenced object 0xffff888112c4b240 (size 184):
This is just a knock-on from a leaked struct file object.
> > comm "syz.0.17", pid 6070, jiffies 4294944898
> > hex dump (first 32 bytes):
> > 00 00 00 00 07 00 0e 02 00 e4 66 85 ff ff ff ff ..........f.....
> > 98 38 89 09 81 88 ff ff 00 00 00 00 00 00 00 00 .8..............
> > backtrace (crc 987747be):
> > kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
> > slab_post_alloc_hook mm/slub.c:4958 [inline]
> > slab_alloc_node mm/slub.c:5263 [inline]
> > kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
> > alloc_empty_file+0x51/0x1a0 fs/file_table.c:237
> > alloc_file fs/file_table.c:354 [inline]
> > alloc_file_pseudo+0xae/0x140 fs/file_table.c:383
> > __shmem_file_setup+0x11a/0x210 mm/shmem.c:5846
> > shmem_kernel_file_setup mm/shmem.c:5865 [inline]
> > __shmem_zero_setup mm/shmem.c:5905 [inline]
> > shmem_zero_setup_desc+0x33/0x90 mm/shmem.c:5936
> > mmap_zero_prepare+0x4e/0x60 drivers/char/mem.c:524
> > vfs_mmap_prepare include/linux/fs.h:2058 [inline]
> > call_mmap_prepare mm/vma.c:2596 [inline]
> > __mmap_region+0x8b8/0x13e0 mm/vma.c:2692
> > mmap_region+0x19f/0x1e0 mm/vma.c:2786
> > do_mmap+0x6a3/0xb60 mm/mmap.c:558
> > vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
> > ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604
> > __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
> > __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
> > __x64_sys_mmap+0x6f/0xa0 arch/x86/kernel/sys_x86_64.c:82
> > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > BUG: memory leak
> > unreferenced object 0xffff888101e46ca8 (size 40):
It's a struct file...
Problem is in __mmap_new_file_vma() we unnecessarily do a get_file() even though
the f_op->mmap_prepare() has provided us a reference-counted file object,
meaning refcount -> 2, and then when we unmap it's 1 and... leak.
Will fix.
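The ownership mistake Lorenzo describes above, an extra get_file() on a file that the mmap_prepare() hook already handed over together with its one reference, as an added userspace model in C. This is example code written for this page, not kernel code and not Lorenzo's patch: struct file, get_file(), fput() and the mmap_*/unmap_vma functions are simplified stand-ins with the same reference-counting contract, live_files plays the role of kmemleak, and mmap_new_file_vma_adopt() is a hypothetical corrected variant used only to contrast the two ownership models, not the fix that went upstream.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for the kernel's struct file: only the refcount matters. */
struct file {
	long f_count;
};

/* Stand-in for kmemleak: file objects allocated but not yet freed. */
static int live_files;

static struct file *alloc_file(void)
{
	struct file *f = calloc(1, sizeof(*f));

	if (!f)
		abort();
	f->f_count = 1;		/* allocation returns one reference to the caller */
	live_files++;
	return f;
}

/* Same contract as the kernel helpers: get_file() takes a reference, fput() drops one. */
static struct file *get_file(struct file *f)
{
	f->f_count++;
	return f;
}

static void fput(struct file *f)
{
	assert(f->f_count > 0);
	if (--f->f_count == 0) {
		live_files--;
		free(f);
	}
}

struct vm_area_struct {
	struct file *vm_file;
};

/* Models the mmap_prepare() hook of /dev/zero: it swaps in a freshly
 * allocated shmem file whose single reference is handed to the caller. */
static int mmap_zero_prepare_model(struct vm_area_struct *desc)
{
	desc->vm_file = alloc_file();
	return 0;
}

/* Buggy ownership handling as described in the thread: takes a second
 * reference on a file the hook already handed over, so f_count becomes 2. */
static void mmap_new_file_vma_buggy(struct vm_area_struct *vma, struct file *f)
{
	vma->vm_file = get_file(f);
}

/* Hypothetical corrected handling for this model: the VMA simply adopts the
 * reference it was given instead of taking another one. */
static void mmap_new_file_vma_adopt(struct vm_area_struct *vma, struct file *f)
{
	vma->vm_file = f;
}

/* munmap(): the VMA drops the one reference it owns. */
static void unmap_vma(struct vm_area_struct *vma)
{
	fput(vma->vm_file);
	vma->vm_file = NULL;
}

/* Runs one mmap/munmap cycle and returns how many file objects it leaked.
 * In the buggy case the object is deliberately never freed, mirroring the
 * kmemleak report: f_count is stuck at 1 with no owner left to drop it. */
static int leaked_files_after_cycle(bool buggy)
{
	int before = live_files;
	struct vm_area_struct desc = { 0 }, vma = { 0 };

	mmap_zero_prepare_model(&desc);
	if (buggy)
		mmap_new_file_vma_buggy(&vma, desc.vm_file);
	else
		mmap_new_file_vma_adopt(&vma, desc.vm_file);
	unmap_vma(&vma);

	return live_files - before;
}

int main(void)
{
	printf("buggy path leaked %d file object(s)\n", leaked_files_after_cycle(true));
	printf("adopting path leaked %d file object(s)\n", leaked_files_after_cycle(false));
	return 0;
}
```

Build with `cc -Wall -o refleak refleak.c && ./refleak`; the buggy cycle reports one leaked object and the adopting cycle none. The point of the model is the ownership rule the thread turns on: whoever allocates the file owns its initial reference, and a caller that receives that file must either adopt the reference or take its own and then drop the donated one, never both.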