[syzbot] [hfs?] memory leak in __hfs_bnode

public inbox for linux-fsdevel@vger.kernel.org
 help / color / mirror / Atom feed

* [syzbot] [hfs?] memory leak in __hfs_bnode_create
@ 2026-04-17  1:56 syzbot
  2026-04-17  6:58 ` [PATCH] hfsplus: Supports freeing newly created tree head Edward Adam Davis
  0 siblings, 1 reply; 3+ messages in thread
From: syzbot @ 2026-04-17  1:56 UTC (permalink / raw)
  To: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
	syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    508fed679541 Merge tag 'ras_core_for_v7.1_rc1' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1481bb16580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c7349847759051f
dashboard link: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1281bb16580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=107938ce580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/36836f0baa65/disk-508fed67.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ab35bf742ab5/vmlinux-508fed67.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5fbf86a0b4d3/bzImage-508fed67.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d2ddc5d747a0/mount_4.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+98547b0428b6a6a3467c@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff88811cabc840 (size 96):
  comm "syz.0.18", pid 6071, jiffies 4294943951
  hex dump (first 32 bytes):
    00 f0 54 15 81 88 ff ff 00 00 00 00 00 00 00 00  ..T.............
    00 00 00 00 00 00 00 00 03 00 7f 00 00 00 00 00  ................
  backtrace (crc 3e2dadb7):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4543 [inline]
    slab_alloc_node mm/slub.c:4866 [inline]
    __do_kmalloc_node mm/slub.c:5259 [inline]
    __kmalloc_noprof+0x3b7/0x550 mm/slub.c:5272
    kmalloc_noprof include/linux/slab.h:954 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    __hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
    hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547
    hfsplus_btree_open+0x2fa/0x6d0 fs/hfsplus/btree.c:382
    hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548
    get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1694
    vfs_get_tree+0x30/0x120 fs/super.c:1754
    fc_mount fs/namespace.c:1193 [inline]
    do_new_mount_fc fs/namespace.c:3763 [inline]
    do_new_mount fs/namespace.c:3839 [inline]
    path_mount+0x5a9/0x1360 fs/namespace.c:4159
    do_mount fs/namespace.c:4172 [inline]
    __do_sys_mount fs/namespace.c:4361 [inline]
    __se_sys_mount fs/namespace.c:4338 [inline]
    __x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4338
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88812c724d80 (size 96):
  comm "syz.0.19", pid 6082, jiffies 4294943963
  hex dump (first 32 bytes):
    00 90 e5 13 81 88 ff ff 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 03 00 7f 00 00 00 00 00  ................
  backtrace (crc 289d56ee):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4543 [inline]
    slab_alloc_node mm/slub.c:4866 [inline]
    __do_kmalloc_node mm/slub.c:5259 [inline]
    __kmalloc_noprof+0x3b7/0x550 mm/slub.c:5272
    kmalloc_noprof include/linux/slab.h:954 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    __hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
    hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547
    hfsplus_btree_open+0x2fa/0x6d0 fs/hfsplus/btree.c:382
    hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548
    get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1694
    vfs_get_tree+0x30/0x120 fs/super.c:1754
    fc_mount fs/namespace.c:1193 [inline]
    do_new_mount_fc fs/namespace.c:3763 [inline]
    do_new_mount fs/namespace.c:3839 [inline]
    path_mount+0x5a9/0x1360 fs/namespace.c:4159
    do_mount fs/namespace.c:4172 [inline]
    __do_sys_mount fs/namespace.c:4361 [inline]
    __se_sys_mount fs/namespace.c:4338 [inline]
    __x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4338
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH] hfsplus: Supports freeing newly created tree head
  2026-04-17  1:56 [syzbot] [hfs?] memory leak in __hfs_bnode_create syzbot
@ 2026-04-17  6:58 ` Edward Adam Davis
  2026-04-17 22:03   ` Viacheslav Dubeyko
  0 siblings, 1 reply; 3+ messages in thread
From: Edward Adam Davis @ 2026-04-17  6:58 UTC (permalink / raw)
  To: syzbot+98547b0428b6a6a3467c
  Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
	syzkaller-bugs

hfs_bnode_put() does not support deallocating a newly created btree
head node; therefore, regardless of whether hfsplus_bnode_find() succeeds
or fails, it cannot effectively reclaim the memory allocated for a newly
created head node.

When finding a head node, if the node is a newly created one, we can use
hfs_bnode_free() to reclaim its memory.

[1]
BUG: memory leak
unreferenced object 0xffff88811cabc840 (size 96):
  backtrace (crc 3e2dadb7):
    __hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
    hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547
    hfsplus_btree_open+0x2fa/0x6d0 fs/hfsplus/btree.c:382
    hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548

Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
Reported-by: syzbot+98547b0428b6a6a3467c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
Tested-by: syzbot+98547b0428b6a6a3467c@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/hfsplus/bnode.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index f8b5a8ae58ff..65902104882a 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -598,14 +598,18 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)
 		if (key_size >= entry_size || key_size & 1)
 			goto node_error;
 	}
-	clear_bit(HFS_BNODE_NEW, &node->flags);
-	wake_up(&node->lock_wq);
+	if (num != HFSPLUS_TREE_HEAD) {
+		clear_bit(HFS_BNODE_NEW, &node->flags);
+		wake_up(&node->lock_wq);
+	}
 	return node;
 
 node_error:
 	set_bit(HFS_BNODE_ERROR, &node->flags);
-	clear_bit(HFS_BNODE_NEW, &node->flags);
-	wake_up(&node->lock_wq);
+	if (num != HFSPLUS_TREE_HEAD) {
+		clear_bit(HFS_BNODE_NEW, &node->flags);
+		wake_up(&node->lock_wq);
+	}
 	hfs_bnode_put(node);
 	return ERR_PTR(-EIO);
 }
@@ -694,6 +698,10 @@ void hfs_bnode_put(struct hfs_bnode *node)
 			hfs_bnode_free(node);
 			return;
 		}
+		if (test_bit(HFS_BNODE_NEW, &node->flags)) {
+			hfs_bnode_unhash(node);
+			hfs_bnode_free(node);
+		}
 		spin_unlock(&tree->hash_lock);
 	}
 }
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] hfsplus: Supports freeing newly created tree head
  2026-04-17  6:58 ` [PATCH] hfsplus: Supports freeing newly created tree head Edward Adam Davis
@ 2026-04-17 22:03   ` Viacheslav Dubeyko
  0 siblings, 0 replies; 3+ messages in thread
From: Viacheslav Dubeyko @ 2026-04-17 22:03 UTC (permalink / raw)
  To: Edward Adam Davis, syzbot+98547b0428b6a6a3467c
  Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
	syzkaller-bugs

On Fri, 2026-04-17 at 14:58 +0800, Edward Adam Davis wrote:
> hfs_bnode_put() does not support deallocating a newly created btree
> head node; therefore, regardless of whether hfsplus_bnode_find() succeeds
> or fails, it cannot effectively reclaim the memory allocated for a newly
> created head node.
> 
> When finding a head node, if the node is a newly created one, we can use
> hfs_bnode_free() to reclaim its memory.
> 
> [1]
> BUG: memory leak
> unreferenced object 0xffff88811cabc840 (size 96):
>   backtrace (crc 3e2dadb7):
>     __hfs_bnode_create+0x59/0x310 fs/hfsplus/bnode.c:469
>     hfsplus_bnode_find+0x13e/0x580 fs/hfsplus/bnode.c:547
>     hfsplus_btree_open+0x2fa/0x6d0 fs/hfsplus/btree.c:382
>     hfsplus_fill_super+0x272/0x880 fs/hfsplus/super.c:548

I need slightly more detailed and clear explanation how the issue has been
happened and why we need to fix it in a such way. Currently, I don't have the
complete picture how this happened. I am sure that you have the complete
picture. :) Could you please share what you have in your mind? :) Don't hide the
wisdom. ;)

Thanks,
Slava.

> 
> Fixes: 8ad2c6a36ac4 ("hfsplus: validate b-tree node 0 bitmap at mount time")
> Reported-by: syzbot+98547b0428b6a6a3467c@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=98547b0428b6a6a3467c
> Tested-by: syzbot+98547b0428b6a6a3467c@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  fs/hfsplus/bnode.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
> index f8b5a8ae58ff..65902104882a 100644
> --- a/fs/hfsplus/bnode.c
> +++ b/fs/hfsplus/bnode.c
> @@ -598,14 +598,18 @@ struct hfs_bnode *hfs_bnode_find(struct hfs_btree *tree, u32 num)
>  		if (key_size >= entry_size || key_size & 1)
>  			goto node_error;
>  	}
> -	clear_bit(HFS_BNODE_NEW, &node->flags);
> -	wake_up(&node->lock_wq);
> +	if (num != HFSPLUS_TREE_HEAD) {
> +		clear_bit(HFS_BNODE_NEW, &node->flags);
> +		wake_up(&node->lock_wq);
> +	}
>  	return node;
>  
>  node_error:
>  	set_bit(HFS_BNODE_ERROR, &node->flags);
> -	clear_bit(HFS_BNODE_NEW, &node->flags);
> -	wake_up(&node->lock_wq);
> +	if (num != HFSPLUS_TREE_HEAD) {
> +		clear_bit(HFS_BNODE_NEW, &node->flags);
> +		wake_up(&node->lock_wq);
> +	}
>  	hfs_bnode_put(node);
>  	return ERR_PTR(-EIO);
>  }
> @@ -694,6 +698,10 @@ void hfs_bnode_put(struct hfs_bnode *node)
>  			hfs_bnode_free(node);
>  			return;
>  		}
> +		if (test_bit(HFS_BNODE_NEW, &node->flags)) {
> +			hfs_bnode_unhash(node);
> +			hfs_bnode_free(node);
> +		}
>  		spin_unlock(&tree->hash_lock);
>  	}
>  }


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-04-17 22:03 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-17  1:56 [syzbot] [hfs?] memory leak in __hfs_bnode_create syzbot
2026-04-17  6:58 ` [PATCH] hfsplus: Supports freeing newly created tree head Edward Adam Davis
2026-04-17 22:03   ` Viacheslav Dubeyko

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox