public inbox for ntfs3@lists.linux.dev
* [syzbot] [ntfs3?] memory leak in ni_add_subrecord
@ 2025-11-10 18:10 syzbot
  2025-11-11 11:05 ` [PATCH 1/2] fs/ntfs3: Prevent memory leaks in add sub record Edward Adam Davis
  2025-11-11 11:13 ` [PATCH 2/2] fs/ntfs3: out1 also needs to put mi Edward Adam Davis
  0 siblings, 2 replies; 3+ messages in thread
From: syzbot @ 2025-11-10 18:10 UTC (permalink / raw)
  To: almaz.alexandrovich, linux-kernel, ntfs3, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    e811c33b1f13 Merge tag 'drm-fixes-2025-11-08' of https://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1590ea58580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
dashboard link: https://syzkaller.appspot.com/bug?extid=3932ccb896e06f7414c9
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1431bbcd980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16250412580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cc3290299f36/disk-e811c33b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/987fe9401d05/vmlinux-e811c33b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/23be5a0e8ba6/bzImage-e811c33b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a2535f9cc9c1/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3932ccb896e06f7414c9@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888110bef280 (size 128):
  comm "syz.0.17", pid 6082, jiffies 4294944677
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 48 37 28 81 88 ff ff  .........H7(....
  backtrace (crc 126a088f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4979 [inline]
    slab_alloc_node mm/slub.c:5284 [inline]
    __kmalloc_cache_noprof+0x3a6/0x5b0 mm/slub.c:5762
    kmalloc_noprof include/linux/slab.h:957 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    ni_add_subrecord+0x31/0x180 fs/ntfs3/frecord.c:317
    ntfs_look_free_mft+0xf0/0x790 fs/ntfs3/fsntfs.c:715
    ni_ins_attr_ext+0x40c/0x6a0 fs/ntfs3/frecord.c:988
    ni_insert_attr+0x1d1/0x480 fs/ntfs3/frecord.c:1091
    ni_insert_resident+0x85/0x140 fs/ntfs3/frecord.c:1475
    ni_add_name+0x15b/0x2e0 fs/ntfs3/frecord.c:2987
    ni_rename+0x4c/0x100 fs/ntfs3/frecord.c:3026
    ntfs_rename+0x46c/0x5d0 fs/ntfs3/namei.c:332
    vfs_rename+0x94b/0x1340 fs/namei.c:5216
    do_renameat2+0x5f5/0x870 fs/namei.c:5364
    __do_sys_rename fs/namei.c:5411 [inline]
    __se_sys_rename fs/namei.c:5409 [inline]
    __x64_sys_rename+0x42/0x50 fs/namei.c:5409
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888109093400 (size 1024):
  comm "syz.0.17", pid 6082, jiffies 4294944677
  hex dump (first 32 bytes):
    46 49 4c 45 2a 00 03 00 00 00 00 00 00 00 00 00  FILE*...........
    03 00 00 00 30 00 01 00 88 02 00 00 00 04 00 00  ....0...........
  backtrace (crc 7197c55e):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4979 [inline]
    slab_alloc_node mm/slub.c:5284 [inline]
    __do_kmalloc_node mm/slub.c:5645 [inline]
    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
    kmalloc_noprof include/linux/slab.h:961 [inline]
    mi_init+0x2b/0x50 fs/ntfs3/record.c:105
    mi_format_new+0x40/0x220 fs/ntfs3/record.c:422
    ni_add_subrecord+0x6b/0x180 fs/ntfs3/frecord.c:321
    ntfs_look_free_mft+0xf0/0x790 fs/ntfs3/fsntfs.c:715
    ni_ins_attr_ext+0x40c/0x6a0 fs/ntfs3/frecord.c:988
    ni_insert_attr+0x1d1/0x480 fs/ntfs3/frecord.c:1091
    ni_insert_resident+0x85/0x140 fs/ntfs3/frecord.c:1475
    ni_add_name+0x15b/0x2e0 fs/ntfs3/frecord.c:2987
    ni_rename+0x4c/0x100 fs/ntfs3/frecord.c:3026
    ntfs_rename+0x46c/0x5d0 fs/ntfs3/namei.c:332
    vfs_rename+0x94b/0x1340 fs/namei.c:5216
    do_renameat2+0x5f5/0x870 fs/namei.c:5364
    __do_sys_rename fs/namei.c:5411 [inline]
    __se_sys_rename fs/namei.c:5409 [inline]
    __x64_sys_rename+0x42/0x50 fs/namei.c:5409
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888110bef680 (size 128):
  comm "syz.0.18", pid 6093, jiffies 4294944686
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 48 37 28 81 88 ff ff  .........H7(....
  backtrace (crc ada06205):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4979 [inline]
    slab_alloc_node mm/slub.c:5284 [inline]
    __kmalloc_cache_noprof+0x3a6/0x5b0 mm/slub.c:5762
    kmalloc_noprof include/linux/slab.h:957 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    ni_add_subrecord+0x31/0x180 fs/ntfs3/frecord.c:317
    ntfs_look_free_mft+0xf0/0x790 fs/ntfs3/fsntfs.c:715
    ni_ins_attr_ext+0x40c/0x6a0 fs/ntfs3/frecord.c:988
    ni_insert_attr+0x1d1/0x480 fs/ntfs3/frecord.c:1091
    ni_insert_resident+0x85/0x140 fs/ntfs3/frecord.c:1475
    ni_add_name+0x15b/0x2e0 fs/ntfs3/frecord.c:2987
    ni_rename+0x4c/0x100 fs/ntfs3/frecord.c:3026
    ntfs_rename+0x46c/0x5d0 fs/ntfs3/namei.c:332
    vfs_rename+0x94b/0x1340 fs/namei.c:5216
    do_renameat2+0x5f5/0x870 fs/namei.c:5364
    __do_sys_rename fs/namei.c:5411 [inline]
    __se_sys_rename fs/namei.c:5409 [inline]
    __x64_sys_rename+0x42/0x50 fs/namei.c:5409
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881135d2000 (size 1024):
  comm "syz.0.18", pid 6093, jiffies 4294944686
  hex dump (first 32 bytes):
    46 49 4c 45 2a 00 03 00 00 00 00 00 00 00 00 00  FILE*...........
    03 00 00 00 30 00 01 00 88 02 00 00 00 04 00 00  ....0...........
  backtrace (crc 7197c55e):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4979 [inline]
    slab_alloc_node mm/slub.c:5284 [inline]
    __do_kmalloc_node mm/slub.c:5645 [inline]
    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
    kmalloc_noprof include/linux/slab.h:961 [inline]
    mi_init+0x2b/0x50 fs/ntfs3/record.c:105
    mi_format_new+0x40/0x220 fs/ntfs3/record.c:422
    ni_add_subrecord+0x6b/0x180 fs/ntfs3/frecord.c:321
    ntfs_look_free_mft+0xf0/0x790 fs/ntfs3/fsntfs.c:715
    ni_ins_attr_ext+0x40c/0x6a0 fs/ntfs3/frecord.c:988
    ni_insert_attr+0x1d1/0x480 fs/ntfs3/frecord.c:1091
    ni_insert_resident+0x85/0x140 fs/ntfs3/frecord.c:1475
    ni_add_name+0x15b/0x2e0 fs/ntfs3/frecord.c:2987
    ni_rename+0x4c/0x100 fs/ntfs3/frecord.c:3026
    ntfs_rename+0x46c/0x5d0 fs/ntfs3/namei.c:332
    vfs_rename+0x94b/0x1340 fs/namei.c:5216
    do_renameat2+0x5f5/0x870 fs/namei.c:5364
    __do_sys_rename fs/namei.c:5411 [inline]
    __se_sys_rename fs/namei.c:5409 [inline]
    __x64_sys_rename+0x42/0x50 fs/namei.c:5409
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888110bef780 (size 128):
  comm "syz.0.19", pid 6099, jiffies 4294944695
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 30 25 0f 81 88 ff ff  .........0%.....
  backtrace (crc 6428af85):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4979 [inline]
    slab_alloc_node mm/slub.c:5284 [inline]
    __kmalloc_cache_noprof+0x3a6/0x5b0 mm/slub.c:5762
    kmalloc_noprof include/linux/slab.h:957 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    ni_add_subrecord+0x31/0x180 fs/ntfs3/frecord.c:317
    ntfs_look_free_mft+0xf0/0x790 fs/ntfs3/fsntfs.c:715
    ni_ins_attr_ext+0x40c/0x6a0 fs/ntfs3/frecord.c:988
    ni_insert_attr+0x1d1/0x480 fs/ntfs3/frecord.c:1091
    ni_insert_resident+0x85/0x140 fs/ntfs3/frecord.c:1475
    ni_add_name+0x15b/0x2e0 fs/ntfs3/frecord.c:2987
    ni_rename+0x4c/0x100 fs/ntfs3/frecord.c:3026
    ntfs_rename+0x46c/0x5d0 fs/ntfs3/namei.c:332
    vfs_rename+0x94b/0x1340 fs/namei.c:5216
    do_renameat2+0x5f5/0x870 fs/namei.c:5364
    __do_sys_rename fs/namei.c:5411 [inline]
    __se_sys_rename fs/namei.c:5409 [inline]
    __x64_sys_rename+0x42/0x50 fs/namei.c:5409
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* [PATCH 1/2] fs/ntfs3: Prevent memory leaks in add sub record
  2025-11-10 18:10 [syzbot] [ntfs3?] memory leak in ni_add_subrecord syzbot
@ 2025-11-11 11:05 ` Edward Adam Davis
  2025-11-11 11:13 ` [PATCH 2/2] fs/ntfs3: out1 also needs to put mi Edward Adam Davis
  1 sibling, 0 replies; 3+ messages in thread
From: Edward Adam Davis @ 2025-11-11 11:05 UTC (permalink / raw)
  To: syzbot+3932ccb896e06f7414c9
  Cc: almaz.alexandrovich, linux-kernel, ntfs3, syzkaller-bugs

If an rb node with the same ino already exists in the rb tree, the newly
allocated mft_inode in ni_add_subrecord() will not have its memory cleaned
up, which leads to the memory leak issue reported by syzbot.

The best option to avoid this issue is to put the newly allocated mft node
when an rb node with the same ino already exists in the rb tree and return
the rb node found in the rb tree to the parent layer.

syzbot reported:
BUG: memory leak
unreferenced object 0xffff888110bef280 (size 128):
  backtrace (crc 126a088f):
    ni_add_subrecord+0x31/0x180 fs/ntfs3/frecord.c:317
    ntfs_look_free_mft+0xf0/0x790 fs/ntfs3/fsntfs.c:715

BUG: memory leak
unreferenced object 0xffff888109093400 (size 1024):
  backtrace (crc 7197c55e):
    mi_init+0x2b/0x50 fs/ntfs3/record.c:105
    mi_format_new+0x40/0x220 fs/ntfs3/record.c:422

Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
Reported-by: syzbot+3932ccb896e06f7414c9@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/ntfs3/frecord.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index 8f9fe1d7a690..b6cbc1fc3455 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -325,8 +325,10 @@ bool ni_add_subrecord(struct ntfs_inode *ni, CLST rno, struct mft_inode **mi)
 
 	mi_get_ref(&ni->mi, &m->mrec->parent_ref);
 
-	ni_add_mi(ni, m);
-	*mi = m;
+	*mi = ni_ins_mi(ni, &ni->mi_tree, m->rno, &m->node);
+	if (*mi != m)
+		mi_put(m);
+
 	return true;
 }
 
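Review bot: the collision branch `if (*mi != m) mi_put(m);` closes the leak, but it also makes ni_add_subrecord() return true with a record that is not the one just prepared for `rno`: `m` came out of mi_format_new() a few lines earlier, and on a duplicate the caller (ntfs_look_free_mft(), per the syzbot trace) instead receives the subrecord that is already attached to the inode while still treating `rno` as a freshly allocated MFT record. A duplicate rno in ni->mi_tree means the on-disk MFT bitmap and the in-memory inode disagree, so it is worth considering `mi_put(m); return false;` here instead, letting ntfs_look_free_mft() take the same failure path it already takes when ni_add_subrecord() fails for the allocation, rather than continuing on an inconsistent record. Minor: if ni_add_mi() still hands back the result of this same ni_ins_mi() call, `*mi = ni_add_mi(ni, m);` keeps the original call site and still gives you the existing node to compare against.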
-- 
2.43.0


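The leak described in this patch is a general pattern: a refcounted object is allocated, handed to an insert-or-find tree routine, and the return value is ignored, so on a key collision the fresh object is neither linked nor released. The following is an added user-space model of that pattern, not ntfs3 code; `struct rec`, `tree_ins`, `tree_clear` and the two `add_subrecord_*` variants are constructed stand-ins for `struct mft_inode`, `ni_ins_mi()`, the inode teardown walk and the before/after shape of `ni_add_subrecord()`. It counts live allocations so the leaky variant shows exactly one unreachable record after a duplicate-rno insert, which is what kmemleak flagged in the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for struct mft_inode: refcounted, keyed by rno,
 * with two child pointers standing in for the rb_node. */
struct rec {
    uint32_t rno;
    int refs;
    struct rec *left, *right;
};

/* Live-allocation counter: a non-zero value after teardown is a leak. */
static int live_recs;

static struct rec *rec_new(uint32_t rno)
{
    struct rec *r = calloc(1, sizeof *r);
    if (!r)
        return NULL;
    r->rno = rno;
    r->refs = 1;
    live_recs++;
    return r;
}

/* Stand-in for mi_put(): drop a reference, free on the last one. */
static void rec_put(struct rec *r)
{
    if (r && --r->refs == 0) {
        live_recs--;
        free(r);
    }
}

/* Insert-or-find, modelled on ni_ins_mi(): returns the node already
 * holding rno if one exists, otherwise links `ins` and returns it. */
static struct rec *tree_ins(struct rec **root, uint32_t rno, struct rec *ins)
{
    struct rec **p = root;

    while (*p) {
        if ((*p)->rno > rno)
            p = &(*p)->left;
        else if ((*p)->rno < rno)
            p = &(*p)->right;
        else
            return *p;          /* collision: caller must deal with `ins` */
    }
    *p = ins;
    return ins;
}

/* Pre-patch shape: the insert result is discarded, so on a collision the
 * new record is unlinked, unreleased and unreachable from the tree. */
static bool add_subrecord_leaky(struct rec **tree, uint32_t rno, struct rec **out)
{
    struct rec *m = rec_new(rno);
    if (!m)
        return false;
    tree_ins(tree, rno, m);
    *out = m;
    return true;
}

/* Patched shape: take the insert result, and put the fresh record when the
 * tree handed back an existing node for the same rno. */
static bool add_subrecord_fixed(struct rec **tree, uint32_t rno, struct rec **out)
{
    struct rec *m = rec_new(rno);
    if (!m)
        return false;
    *out = tree_ins(tree, rno, m);
    if (*out != m)
        rec_put(m);
    return true;
}

/* Stand-in for the inode teardown walk: releases every record that is
 * actually linked into the tree. Anything not linked is never reached. */
static void tree_clear(struct rec *r)
{
    if (!r)
        return;
    tree_clear(r->left);
    tree_clear(r->right);
    rec_put(r);
}

/* Drive one variant through two distinct inserts, one duplicate-rno insert
 * (the syzbot scenario) and a teardown; returns records still alive. */
static int run_scenario(bool (*add)(struct rec **, uint32_t, struct rec **))
{
    struct rec *tree = NULL, *mi = NULL;

    live_recs = 0;
    add(&tree, 7, &mi);
    add(&tree, 9, &mi);
    add(&tree, 7, &mi);      /* rno 7 already present */
    tree_clear(tree);
    return live_recs;
}

int main(void)
{
    printf("leaky variant: %d record(s) still alive\n", run_scenario(add_subrecord_leaky));
    printf("fixed variant: %d record(s) still alive\n", run_scenario(add_subrecord_fixed));
    return 0;
}
```

The model deliberately keeps the patch's choice of returning the existing node on a collision; whether that is the right contract for the caller is a separate question from the leak itself.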

* [PATCH 2/2] fs/ntfs3: out1 also needs to put mi
  2025-11-10 18:10 [syzbot] [ntfs3?] memory leak in ni_add_subrecord syzbot
  2025-11-11 11:05 ` [PATCH 1/2] fs/ntfs3: Prevent memory leaks in add sub record Edward Adam Davis
@ 2025-11-11 11:13 ` Edward Adam Davis
  1 sibling, 0 replies; 3+ messages in thread
From: Edward Adam Davis @ 2025-11-11 11:13 UTC (permalink / raw)
  To: syzbot+3932ccb896e06f7414c9
  Cc: almaz.alexandrovich, linux-kernel, ntfs3, syzkaller-bugs

After ntfs_look_free_mft() executes successfully, all subsequent code
that fails to execute must put mi.

Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/ntfs3/frecord.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index b6cbc1fc3455..e5a005d216f3 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -1017,9 +1017,9 @@ static int ni_ins_attr_ext(struct ntfs_inode *ni, struct ATTR_LIST_ENTRY *le,
 
 out2:
 	ni_remove_mi(ni, mi);
-	mi_put(mi);
 
 out1:
+	mi_put(mi);
 	ntfs_mark_rec_free(sbi, rno, is_mft);
 
 out:
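Review bot: moving `mi_put(mi)` under out1 is only safe for the paths that arrive there via out2, where `ni_remove_mi(ni, mi)` has just unlinked the record; any path that jumps straight to out1 after ntfs_look_free_mft() succeeded now puts `mi` while it is still linked in ni->mi_tree (ni_add_subrecord() inserts it there, see 1/2), leaving a freed node in the tree for the next tree walk to hit. Either move `ni_remove_mi(ni, mi);` down to out1 alongside the put so both labels share one unlink-then-put sequence, or say in the commit message why the direct out1 jumpers are guaranteed not to have the record linked. The message should also spell out what leaked under the old layout, where those paths left `mi` attached to the inode while `ntfs_mark_rec_free()` released `rno`, rather than asking reviewers to take "must put mi" on trust.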
-- 
2.43.0


