* Re: [syzbot] [mm?] [exfat?] [f2fs?] memory leak in __kfree_rcu_sheaf
[not found] <ffd7be2b-8da4-45bd-b8a3-881855815bc6@dev.snart.me>
@ 2026-05-02 12:02 ` syzbot
0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2026-05-02 12:02 UTC (permalink / raw)
To: dxdt, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main
BUG: memory leak
unreferenced object 0xffff88810005f600 (size 512):
comm "swapper/0", pid 0, jiffies 4294937296
hex dump (first 32 bytes):
00 3c e7 2c 81 88 ff ff 00 4c 90 00 81 88 ff ff .<.,.....L......
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 37d70d29):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_empty_main+0x22a/0x2a0 mm/slub.c:4646
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__kmalloc_cache_noprof+0x3a6/0x480 mm/slub.c:5410
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__irq_domain_alloc_fwnode+0x37/0x140 kernel/irq/irqdomain.c:95
irq_domain_alloc_named_fwnode include/linux/irqdomain.h:271 [inline]
arch_early_irq_init+0x1c/0x70 arch/x86/kernel/apic/vector.c:803
start_kernel+0x931/0xb80 init/main.c:1123
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148
BUG: memory leak
unreferenced object 0xffff888100904c00 (size 512):
comm "kthreadd", pid 2, jiffies 4294937342
hex dump (first 32 bytes):
00 f6 05 00 81 88 ff ff 00 ea 3c 04 81 88 ff ff ..........<.....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 22dd8c01):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_empty_main+0x22a/0x2a0 mm/slub.c:4646
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__kmalloc_cache_node_noprof+0x3e9/0x4d0 mm/slub.c:5423
kmalloc_node_noprof include/linux/slab.h:1077 [inline]
__get_vm_area_node+0xc6/0x1d0 mm/vmalloc.c:3215
__vmalloc_node_range_noprof+0x1bc/0xdf0 mm/vmalloc.c:4024
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:357 [inline]
dup_task_struct kernel/fork.c:926 [inline]
copy_process+0x51f/0x2c90 kernel/fork.c:2090
kernel_clone+0xde/0x700 kernel/fork.c:2721
kernel_thread+0x80/0xb0 kernel/fork.c:2782
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810224cc00 (size 512):
comm "kworker/1:1", pid 41, jiffies 4294937440
hex dump (first 32 bytes):
00 18 fd 2c 81 88 ff ff 00 e8 3c 04 81 88 ff ff ...,......<.....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 254b2b5e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5757
free_to_pcs mm/slub.c:5810 [inline]
slab_free mm/slub.c:6249 [inline]
kfree+0x361/0x3a0 mm/slub.c:6561
vfree mm/vmalloc.c:3476 [inline]
vfree+0x14d/0x3d0 mm/vmalloc.c:3436
delayed_vfree_work+0x29/0x40 mm/vmalloc.c:3392
process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff8881043cea00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937496
hex dump (first 32 bytes):
00 4c 90 00 81 88 ff ff 00 4a 73 11 81 88 ff ff .L.......Js.....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc c256e00a):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5757
free_to_pcs mm/slub.c:5810 [inline]
slab_free mm/slub.c:6249 [inline]
kfree+0x361/0x3a0 mm/slub.c:6561
blk_free_flush_queue+0x28/0x40 block/blk-flush.c:514
srcu_invoke_callbacks+0x11a/0x1c0 kernel/rcu/srcutree.c:1917
process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff8881043ce800 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937496
hex dump (first 32 bytes):
00 cc 24 02 81 88 ff ff 00 d4 48 0b 81 88 ff ff ..$.......H.....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 98e15bd5):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5757
free_to_pcs mm/slub.c:5810 [inline]
slab_free mm/slub.c:6249 [inline]
kfree+0x361/0x3a0 mm/slub.c:6561
vfree mm/vmalloc.c:3476 [inline]
vfree+0x14d/0x3d0 mm/vmalloc.c:3436
delayed_vfree_work+0x29/0x40 mm/vmalloc.c:3392
process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810b41a600 (size 512):
comm "udevadm", pid 4977, jiffies 4294938322
hex dump (first 32 bytes):
00 cc 48 0b 81 88 ff ff 00 7e 23 28 81 88 ff ff ..H......~#(....
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc ccf4ae11):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_empty_main+0x22a/0x2a0 mm/slub.c:4646
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__kmalloc_cache_noprof+0x3a6/0x480 mm/slub.c:5410
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
kernfs_get_open_node fs/kernfs/file.c:543 [inline]
kernfs_fop_open+0x4f4/0x580 fs/kernfs/file.c:718
do_dentry_open+0x1fc/0x8c0 fs/open.c:947
vfs_open+0x3d/0x1b0 fs/open.c:1079
do_open fs/namei.c:4699 [inline]
path_openat+0x154d/0x1e20 fs/namei.c:4858
do_file_open+0x121/0x200 fs/namei.c:4887
do_sys_openat2+0xa5/0x140 fs/open.c:1364
do_sys_open fs/open.c:1370 [inline]
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__x64_sys_openat+0x82/0xf0 fs/open.c:1381
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: f1a5e78a Merge tag 'drm-fixes-2026-05-02' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10bff5ba580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=13270a36580000
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
@ 2026-05-03 6:00 David Timber
2026-05-03 7:17 ` [syzbot] [mm?] [exfat?] [f2fs?] " syzbot
0 siblings, 1 reply; 6+ messages in thread
From: David Timber @ 2026-05-03 6:00 UTC (permalink / raw)
To: syzbot
Cc: linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 9 bytes --]
#syz test
[-- Attachment #2: syz-cae7809e9dc1459e4e63.patch --]
[-- Type: text/x-patch, Size: 545 bytes --]
diff --git a/fs/exfat/super.c b/fs/exfat/super.c
index 95d87e2d7717..df10d9a79a29 100644
--- a/fs/exfat/super.c
+++ b/fs/exfat/super.c
@@ -656,6 +656,7 @@ static int __exfat_fill_super(struct super_block *sb,
free_alloc_bitmap:
exfat_free_bitmap(sbi);
free_bh:
+ exfat_free_upcase_table(sbi);
brelse(sbi->boot_bh);
return ret;
}
@@ -752,6 +753,7 @@ static int exfat_get_tree(struct fs_context *fc)
static void exfat_free_sbi(struct exfat_sb_info *sbi)
{
+ exfat_free_upcase_table(sbi);
exfat_free_iocharset(sbi);
kfree(sbi);
}
[-- Attachment #3: syz-cae7809e9dc1459e4e63.f2fs-crippled.patch --]
[-- Type: text/x-patch, Size: 468 bytes --]
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index c4c225e09dc4..fd2499fe156b 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -5388,7 +5388,10 @@ static int f2fs_fill_super(struct super_block *sb, struct fs_context *fc)
static int f2fs_get_tree(struct fs_context *fc)
{
- return get_tree_bdev(fc, f2fs_fill_super);
+ if (true)
+ return -ENOMEM;
+ else
+ return get_tree_bdev(fc, f2fs_fill_super);
}
static int f2fs_reconfigure(struct fs_context *fc)
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [syzbot] [mm?] [exfat?] [f2fs?] memory leak in __kfree_rcu_sheaf
2026-05-03 6:00 [syzbot] [mm?] [f2fs?] [exfat?] " David Timber
@ 2026-05-03 7:17 ` syzbot
0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2026-05-03 7:17 UTC (permalink / raw)
To: dxdt, linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main
BUG: memory leak
unreferenced object 0xffff88810005f600 (size 512):
comm "swapper/0", pid 0, jiffies 4294937296
hex dump (first 32 bytes):
e0 e2 ee 2c 81 88 ff ff a0 13 ad 81 ff ff ff ff ...,............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 2486057c):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_empty_main+0x22a/0x2a0 mm/slub.c:4646
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__kmalloc_cache_noprof+0x3a6/0x480 mm/slub.c:5410
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__irq_domain_alloc_fwnode+0x37/0x140 kernel/irq/irqdomain.c:95
irq_domain_alloc_named_fwnode include/linux/irqdomain.h:271 [inline]
arch_early_irq_init+0x1c/0x70 arch/x86/kernel/apic/vector.c:803
start_kernel+0x931/0xb80 init/main.c:1123
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148
BUG: memory leak
unreferenced object 0xffff888101d04e00 (size 512):
comm "kworker/u8:5", pid 311, jiffies 4294937428
hex dump (first 32 bytes):
b8 1c b8 28 81 88 ff ff a0 13 ad 81 ff ff ff ff ...(............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 1d48d83d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5757
free_to_pcs mm/slub.c:5810 [inline]
slab_free mm/slub.c:6249 [inline]
kfree+0x361/0x3a0 mm/slub.c:6561
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888101d18800 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937813
hex dump (first 32 bytes):
00 c8 ec 0b 81 88 ff ff 00 18 d3 0b 81 88 ff ff ................
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 307f46be):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5757
free_to_pcs mm/slub.c:5810 [inline]
slab_free mm/slub.c:6249 [inline]
kfree+0x361/0x3a0 mm/slub.c:6561
vfree mm/vmalloc.c:3476 [inline]
vfree+0x14d/0x3d0 mm/vmalloc.c:3436
delayed_vfree_work+0x29/0x40 mm/vmalloc.c:3392
process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888101d2be00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937856
hex dump (first 32 bytes):
c8 2c 04 00 81 88 ff ff 00 90 b7 2a 81 88 ff ff .,.........*....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 9ff75ca2):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5757
free_to_pcs mm/slub.c:5810 [inline]
slab_free mm/slub.c:6249 [inline]
kfree+0x361/0x3a0 mm/slub.c:6561
vfree mm/vmalloc.c:3476 [inline]
vfree+0x14d/0x3d0 mm/vmalloc.c:3436
delayed_vfree_work+0x29/0x40 mm/vmalloc.c:3392
process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888101d2b000 (size 512):
comm "kworker/u8:9", pid 4643, jiffies 4294937873
hex dump (first 32 bytes):
00 72 5a 03 81 88 ff ff c8 2c 04 00 81 88 ff ff .rZ......,......
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc bcccad5b):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5757
free_to_pcs mm/slub.c:5810 [inline]
slab_free mm/slub.c:6249 [inline]
kfree+0x361/0x3a0 mm/slub.c:6561
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff8881035a7400 (size 512):
comm "udevadm", pid 4981, jiffies 4294938333
hex dump (first 32 bytes):
00 88 b7 2a 81 88 ff ff 00 4e d0 01 81 88 ff ff ...*.....N......
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 82d289ee):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_empty_main+0x22a/0x2a0 mm/slub.c:4646
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__kmalloc_cache_noprof+0x3a6/0x480 mm/slub.c:5410
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
kernfs_get_open_node fs/kernfs/file.c:543 [inline]
kernfs_fop_open+0x4f4/0x580 fs/kernfs/file.c:718
do_dentry_open+0x1fc/0x8c0 fs/open.c:947
vfs_open+0x3d/0x1b0 fs/open.c:1079
do_open fs/namei.c:4699 [inline]
path_openat+0x154d/0x1e20 fs/namei.c:4858
do_file_open+0x121/0x200 fs/namei.c:4887
do_sys_openat2+0xa5/0x140 fs/open.c:1364
do_sys_open fs/open.c:1370 [inline]
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__x64_sys_openat+0x82/0xf0 fs/open.c:1381
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: 66edb901 Merge tag 'v7.1-p3' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13db0ad2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=153b7ece580000
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
@ 2026-05-03 6:05 David Timber
2026-05-03 7:27 ` [syzbot] [mm?] [exfat?] [f2fs?] " syzbot
0 siblings, 1 reply; 6+ messages in thread
From: David Timber @ 2026-05-03 6:05 UTC (permalink / raw)
To: syzbot
Cc: linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 9 bytes --]
#syz test
[-- Attachment #2: syz-cae7809e9dc1459e4e63.f2fs-crippled.patch --]
[-- Type: text/x-patch, Size: 468 bytes --]
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index c4c225e09dc4..fd2499fe156b 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -5388,7 +5388,10 @@ static int f2fs_fill_super(struct super_block *sb, struct fs_context *fc)
static int f2fs_get_tree(struct fs_context *fc)
{
- return get_tree_bdev(fc, f2fs_fill_super);
+ if (true)
+ return -ENOMEM;
+ else
+ return get_tree_bdev(fc, f2fs_fill_super);
}
static int f2fs_reconfigure(struct fs_context *fc)
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [syzbot] [mm?] [exfat?] [f2fs?] memory leak in __kfree_rcu_sheaf
2026-05-03 6:05 [syzbot] [mm?] [f2fs?] [exfat?] " David Timber
@ 2026-05-03 7:27 ` syzbot
2026-05-03 7:41 ` David Timber
0 siblings, 1 reply; 6+ messages in thread
From: syzbot @ 2026-05-03 7:27 UTC (permalink / raw)
To: dxdt, linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+cae7809e9dc1459e4e63@syzkaller.appspotmail.com
Tested-by: syzbot+cae7809e9dc1459e4e63@syzkaller.appspotmail.com
Tested on:
commit: 66edb901 Merge tag 'v7.1-p3' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11fb7082580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=17f2f326580000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [mm?] [exfat?] [f2fs?] memory leak in __kfree_rcu_sheaf
2026-05-03 7:27 ` [syzbot] [mm?] [exfat?] [f2fs?] " syzbot
@ 2026-05-03 7:41 ` David Timber
0 siblings, 0 replies; 6+ messages in thread
From: David Timber @ 2026-05-03 7:41 UTC (permalink / raw)
To: syzbot, Liam.Howlett, akpm, chao, jaegeuk, jannh, linkinjeon,
linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs, vbabka
On 5/3/26 16:27, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+cae7809e9dc1459e4e63@syzkaller.appspotmail.com
> Tested-by: syzbot+cae7809e9dc1459e4e63@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: 66edb901 Merge tag 'v7.1-p3' of git://git.kernel.org/p..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11fb7082580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
> dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
> compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> patch: https://syzkaller.appspot.com/x/patch.diff?x=17f2f326580000
>
> Note: testing is done by a robot and is best-effort only.
The error message might be misleading.
1. the report is done after f2fs attempted to mount the corrupt image,
not before
2. f2fs exhibits undefined behaviour, evident from the fs attempting to
do I/O out of blockdev bounds
This might have been cause by f2fs corrupting memory in which case the
leak report is invalid.
Davo
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
@ 2026-05-04 20:17 David Timber
2026-05-04 20:51 ` [syzbot] [mm?] [exfat?] [f2fs?] " syzbot
0 siblings, 1 reply; 6+ messages in thread
From: David Timber @ 2026-05-04 20:17 UTC (permalink / raw)
To: syzbot
Cc: linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 9 bytes --]
#syz test
[-- Attachment #2: syz-cae7809e9dc1459e4e63.f2fs-use-after-free.patch --]
[-- Type: text/x-patch, Size: 1476 bytes --]
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index c4c225e09dc4..5a38b74757ca 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4595,6 +4595,8 @@ void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error)
return;
if (!test_bit(error, (unsigned long *)sbi->errors))
return;
+
+ f2fs_notice(sbi, "s_error_work scheduled in f2fs_handle_error() by sbi at %p", sbi);
schedule_work(&sbi->s_error_work);
}
@@ -4621,6 +4623,7 @@ void f2fs_handle_critical_error(struct f2fs_sb_info *sbi, unsigned char reason)
* in order to avoid potential deadlock when running into
* f2fs_record_stop_reason() synchronously.
*/
+ f2fs_notice(sbi, "s_error_work scheduled in f2fs_handle_critical_error() by sbi at %p", sbi);
schedule_work(&sbi->s_error_work);
}
@@ -4666,6 +4669,10 @@ static void f2fs_record_error_work(struct work_struct *work)
struct f2fs_sb_info *sbi = container_of(work,
struct f2fs_sb_info, s_error_work);
+ f2fs_notice(sbi, "f2fs_record_error_work()");
+ if (unlikely(is_sbi_flag_set(sbi, SBI_IS_CLOSE)))
+ panic("!!! sbi at %p used after freeing !!!", sbi);
+
f2fs_record_stop_reason(sbi);
}
@@ -5454,6 +5461,7 @@ static void kill_f2fs_super(struct super_block *sb)
kill_block_super(sb);
/* Release block devices last, after fscrypt_destroy_keyring(). */
if (sbi) {
+ f2fs_notice(sbi, "freeing sbi at %px in kill_f2fs_super()", sbi);
destroy_device_list(sbi);
kfree(sbi);
sb->s_fs_info = NULL;
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [syzbot] [mm?] [exfat?] [f2fs?] memory leak in __kfree_rcu_sheaf
2026-05-04 20:17 [syzbot] [mm?] [f2fs?] [exfat?] " David Timber
@ 2026-05-04 20:51 ` syzbot
0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2026-05-04 20:51 UTC (permalink / raw)
To: dxdt, linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel panic: !!! sbi at ADDR used after freeing !!!
F2FS-fs (loop1): f2fs_record_error_work()
Kernel panic - not syncing: !!! sbi at ffff888129322000 used after freeing !!!
CPU: 1 UID: 0 PID: 6598 Comm: kworker/1:5 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: events f2fs_record_error_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x97/0xe0 lib/dump_stack.c:120
vpanic+0x383/0x6d0 kernel/panic.c:650
panic+0x6e/0x70 kernel/panic.c:787
f2fs_record_error_work.cold+0x14/0x14 fs/f2fs/super.c:4747
process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Kernel Offset: disabled
Tested on:
commit: 6d35786d Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17a63a36580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=172b8ad2580000
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
@ 2026-05-04 20:26 David Timber
2026-05-04 21:12 ` [syzbot] [mm?] [exfat?] [f2fs?] " syzbot
0 siblings, 1 reply; 6+ messages in thread
From: David Timber @ 2026-05-04 20:26 UTC (permalink / raw)
To: syzbot
Cc: linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 9 bytes --]
#syz test
[-- Attachment #2: syz-cae7809e9dc1459e4e63.f2fs-dont-use-after-free.patch --]
[-- Type: text/x-patch, Size: 914 bytes --]
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index c4c225e09dc4..7aba99e1f93f 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4595,6 +4595,12 @@ void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error)
return;
if (!test_bit(error, (unsigned long *)sbi->errors))
return;
+
+ if (unlikely(is_sbi_flag_set(sbi, SBI_IS_CLOSE))) {
+ f2fs_warn(sbi, "f2fs_handle_error() called upon sb_put");
+ return;
+ }
+
schedule_work(&sbi->s_error_work);
}
@@ -4621,7 +4627,10 @@ void f2fs_handle_critical_error(struct f2fs_sb_info *sbi, unsigned char reason)
* in order to avoid potential deadlock when running into
* f2fs_record_stop_reason() synchronously.
*/
- schedule_work(&sbi->s_error_work);
+ if (unlikely(is_sbi_flag_set(sbi, SBI_IS_CLOSE)))
+ f2fs_warn(sbi, "f2fs_handle_critical_error() called upon sb_put");
+ else
+ schedule_work(&sbi->s_error_work);
}
/*
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [syzbot] [mm?] [exfat?] [f2fs?] memory leak in __kfree_rcu_sheaf
2026-05-04 20:26 [syzbot] [mm?] [f2fs?] [exfat?] " David Timber
@ 2026-05-04 21:12 ` syzbot
0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2026-05-04 21:12 UTC (permalink / raw)
To: dxdt, linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main
BUG: memory leak
unreferenced object 0xffff88810005f600 (size 512):
comm "swapper/0", pid 0, jiffies 4294937296
hex dump (first 32 bytes):
40 a0 ce 2f 81 88 ff ff e0 13 ad 81 ff ff ff ff @../............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 6fa78c59):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_empty_main+0x22a/0x2a0 mm/slub.c:4646
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__kmalloc_cache_noprof+0x3a6/0x480 mm/slub.c:5414
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__irq_domain_alloc_fwnode+0x37/0x140 kernel/irq/irqdomain.c:95
irq_domain_alloc_named_fwnode include/linux/irqdomain.h:271 [inline]
arch_early_irq_init+0x1c/0x70 arch/x86/kernel/apic/vector.c:803
start_kernel+0x931/0xb80 init/main.c:1123
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148
BUG: memory leak
unreferenced object 0xffff888100902c00 (size 512):
comm "kthreadd", pid 2, jiffies 4294937340
hex dump (first 32 bytes):
70 09 2a 29 81 88 ff ff e0 13 ad 81 ff ff ff ff p.*)............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 638a9d9a):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_empty_main+0x22a/0x2a0 mm/slub.c:4646
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__kmalloc_cache_node_noprof+0x3e9/0x4d0 mm/slub.c:5427
kmalloc_node_noprof include/linux/slab.h:1077 [inline]
__get_vm_area_node+0xc6/0x1d0 mm/vmalloc.c:3215
__vmalloc_node_range_noprof+0x1bc/0xdf0 mm/vmalloc.c:4024
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:357 [inline]
dup_task_struct kernel/fork.c:926 [inline]
copy_process+0x51f/0x2c90 kernel/fork.c:2090
kernel_clone+0xde/0x700 kernel/fork.c:2721
kernel_thread+0x80/0xb0 kernel/fork.c:2782
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888100f8fa00 (size 512):
comm "kworker/1:1", pid 41, jiffies 4294937424
hex dump (first 32 bytes):
38 42 0d 30 81 88 ff ff e0 13 ad 81 ff ff ff ff 8B.0............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 185e046f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5761
free_to_pcs mm/slub.c:5814 [inline]
slab_free mm/slub.c:6253 [inline]
kfree+0x361/0x3a0 mm/slub.c:6565
vfree mm/vmalloc.c:3476 [inline]
vfree+0x14d/0x3d0 mm/vmalloc.c:3436
delayed_vfree_work+0x29/0x40 mm/vmalloc.c:3392
process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810255bc00 (size 512):
comm "kworker/u8:2", pid 498, jiffies 4294937434
hex dump (first 32 bytes):
80 35 67 2e 81 88 ff ff e0 13 ad 81 ff ff ff ff .5g.............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 804b7261):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5761
free_to_pcs mm/slub.c:5814 [inline]
slab_free mm/slub.c:6253 [inline]
kfree+0x361/0x3a0 mm/slub.c:6565
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810256da00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937506
hex dump (first 32 bytes):
40 40 38 2d 81 88 ff ff e0 13 ad 81 ff ff ff ff @@8-............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc e83216dd):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5761
free_to_pcs mm/slub.c:5814 [inline]
slab_free mm/slub.c:6253 [inline]
kfree+0x361/0x3a0 mm/slub.c:6565
blk_free_flush_queue+0x28/0x40 block/blk-flush.c:514
srcu_invoke_callbacks+0x11a/0x1c0 kernel/rcu/srcutree.c:1917
process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff8881069d1400 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937917
hex dump (first 32 bytes):
78 b7 d0 2f 81 88 ff ff e0 13 ad 81 ff ff ff ff x../............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 927c2de1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2768
alloc_empty_sheaf mm/slub.c:2783 [inline]
__pcs_replace_full_main+0xdf/0x300 mm/slub.c:5761
free_to_pcs mm/slub.c:5814 [inline]
slab_free mm/slub.c:6253 [inline]
kfree+0x361/0x3a0 mm/slub.c:6565
vfree mm/vmalloc.c:3476 [inline]
vfree+0x14d/0x3d0 mm/vmalloc.c:3436
delayed_vfree_work+0x29/0x40 mm/vmalloc.c:3392
process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: c7e4e4d5 Merge tag 'for-linus-7.1-2' of https://github..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16963a36580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1650eb26580000
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-05-04 21:12 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <ffd7be2b-8da4-45bd-b8a3-881855815bc6@dev.snart.me>
2026-05-02 12:02 ` [syzbot] [mm?] [exfat?] [f2fs?] memory leak in __kfree_rcu_sheaf syzbot
2026-05-03 6:00 [syzbot] [mm?] [f2fs?] [exfat?] " David Timber
2026-05-03 7:17 ` [syzbot] [mm?] [exfat?] [f2fs?] " syzbot
-- strict thread matches above, loose matches on Subject: below --
2026-05-03 6:05 [syzbot] [mm?] [f2fs?] [exfat?] " David Timber
2026-05-03 7:27 ` [syzbot] [mm?] [exfat?] [f2fs?] " syzbot
2026-05-03 7:41 ` David Timber
2026-05-04 20:17 [syzbot] [mm?] [f2fs?] [exfat?] " David Timber
2026-05-04 20:51 ` [syzbot] [mm?] [exfat?] [f2fs?] " syzbot
2026-05-04 20:26 [syzbot] [mm?] [f2fs?] [exfat?] " David Timber
2026-05-04 21:12 ` [syzbot] [mm?] [exfat?] [f2fs?] " syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox