[syzbot] [mm?] [usb?] memory leak in new_inode (2)
From: syzbot
Date: Sun Jun 04 2023 - 05:21:14 EST
Hello,
syzbot found the following issue on:
HEAD commit: afead42fdfca Merge tag 'perf-tools-fixes-for-v6.4-2-2023-0..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13acfcd1280000
kernel config: https://syzkaller.appspot.com/x/.config?x=21fde9f7601f218f
dashboard link: https://syzkaller.appspot.com/bug?extid=ea01ee90cdba474c187b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15160fb9280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b5acaa3b8518/disk-afead42f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/041db64527a2/vmlinux-afead42f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cd4f6f1744e4/bzImage-afead42f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ea01ee90cdba474c187b@xxxxxxxxxxxxxxxxxxxxxxxxx
BUG: memory leak
unreferenced object 0xffff88810a5cd958 (size 776):
comm "syslogd", pid 4424, jiffies 4294938531 (age 1177.910s)
hex dump (first 32 bytes):
00 00 00 00 01 00 00 00 00 00 20 00 00 00 00 00 .......... .....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8152a817>] alloc_inode_sb include/linux/fs.h:2705 [inline]
[<ffffffff8152a817>] shmem_alloc_inode+0x27/0x50 mm/shmem.c:3907
[<ffffffff8168f979>] alloc_inode+0x29/0x110 fs/inode.c:260
[<ffffffff8168fa87>] new_inode_pseudo fs/inode.c:1018 [inline]
[<ffffffff8168fa87>] new_inode+0x27/0xf0 fs/inode.c:1046
[<ffffffff8152b944>] shmem_get_inode+0xd4/0x560 mm/shmem.c:2370
[<ffffffff8152bf12>] shmem_mknod+0x42/0x150 mm/shmem.c:2942
[<ffffffff81676fd5>] lookup_open fs/namei.c:3492 [inline]
[<ffffffff81676fd5>] open_last_lookups fs/namei.c:3560 [inline]
[<ffffffff81676fd5>] path_openat+0x1725/0x1b10 fs/namei.c:3788
[<ffffffff81679175>] do_filp_open+0xc5/0x1b0 fs/namei.c:3818
[<ffffffff81653dbd>] do_sys_openat2+0xed/0x260 fs/open.c:1356
[<ffffffff81654863>] do_sys_open fs/open.c:1372 [inline]
[<ffffffff81654863>] __do_sys_openat fs/open.c:1388 [inline]
[<ffffffff81654863>] __se_sys_openat fs/open.c:1383 [inline]
[<ffffffff81654863>] __x64_sys_openat+0x83/0xe0 fs/open.c:1383
[<ffffffff84a15749>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84a15749>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff888109473080 (size 32):
comm "syslogd", pid 4424, jiffies 4294938531 (age 1177.910s)
hex dump (first 32 bytes):
18 db 5c 0a 81 88 ff ff b0 65 2d 82 ff ff ff ff ..\......e-.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff822d7cae>] kmem_cache_zalloc include/linux/slab.h:670 [inline]
[<ffffffff822d7cae>] lsm_inode_alloc security/security.c:632 [inline]
[<ffffffff822d7cae>] security_inode_alloc+0x2e/0xb0 security/security.c:1479
[<ffffffff8168cfa8>] inode_init_always+0x1f8/0x240 fs/inode.c:231
[<ffffffff8168f996>] alloc_inode+0x46/0x110 fs/inode.c:267
[<ffffffff8168fa87>] new_inode_pseudo fs/inode.c:1018 [inline]
[<ffffffff8168fa87>] new_inode+0x27/0xf0 fs/inode.c:1046
[<ffffffff8152b944>] shmem_get_inode+0xd4/0x560 mm/shmem.c:2370
[<ffffffff8152bf12>] shmem_mknod+0x42/0x150 mm/shmem.c:2942
[<ffffffff81676fd5>] lookup_open fs/namei.c:3492 [inline]
[<ffffffff81676fd5>] open_last_lookups fs/namei.c:3560 [inline]
[<ffffffff81676fd5>] path_openat+0x1725/0x1b10 fs/namei.c:3788
[<ffffffff81679175>] do_filp_open+0xc5/0x1b0 fs/namei.c:3818
[<ffffffff81653dbd>] do_sys_openat2+0xed/0x260 fs/open.c:1356
[<ffffffff81654863>] do_sys_open fs/open.c:1372 [inline]
[<ffffffff81654863>] __do_sys_openat fs/open.c:1388 [inline]
[<ffffffff81654863>] __se_sys_openat fs/open.c:1383 [inline]
[<ffffffff81654863>] __x64_sys_openat+0x83/0xe0 fs/open.c:1383
[<ffffffff84a15749>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84a15749>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff88810e027d80 (size 576):
comm "syslogd", pid 4424, jiffies 4294939014 (age 1173.100s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01 00 00 00 00 00 00 00 80 30 47 09 81 88 ff ff .........0G.....
backtrace:
[<ffffffff84a0a6d6>] xas_alloc+0xf6/0x120 lib/xarray.c:377
[<ffffffff84a0d10d>] xas_expand lib/xarray.c:584 [inline]
[<ffffffff84a0d10d>] xas_create+0x13d/0x800 lib/xarray.c:655
[<ffffffff84a0dbcb>] xas_store+0x7b/0xbd0 lib/xarray.c:789
[<ffffffff8152ce89>] shmem_add_to_page_cache+0x2c9/0x500 mm/shmem.c:735
[<ffffffff81530785>] shmem_get_folio_gfp+0x3a5/0xcf0 mm/shmem.c:1978
[<ffffffff81531ba8>] shmem_get_folio mm/shmem.c:2079 [inline]
[<ffffffff81531ba8>] shmem_write_begin+0x88/0x1a0 mm/shmem.c:2573
[<ffffffff814eefb3>] generic_perform_write+0x103/0x2b0 mm/filemap.c:3923
[<ffffffff814f3bd3>] __generic_file_write_iter+0x173/0x290 mm/filemap.c:4051
[<ffffffff814f3d72>] generic_file_write_iter+0x82/0x160 mm/filemap.c:4083
[<ffffffff81658e33>] call_write_iter include/linux/fs.h:1868 [inline]
[<ffffffff81658e33>] new_sync_write fs/read_write.c:491 [inline]
[<ffffffff81658e33>] vfs_write+0x413/0x530 fs/read_write.c:584
[<ffffffff81659191>] ksys_write+0xa1/0x160 fs/read_write.c:637
[<ffffffff84a15749>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84a15749>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff888103efe280 (size 128):
comm "syz-execprog", pid 5049, jiffies 4295044860 (age 114.650s)
hex dump (first 32 bytes):
f0 7b 88 0d 81 88 ff ff 70 7d 6e 81 ff ff ff ff .{......p}n.....
00 eb 6d 0a 81 88 ff ff 98 e2 ef 03 81 88 ff ff ..m.............
backtrace:
[<ffffffff816ea897>] kmem_cache_zalloc include/linux/slab.h:670 [inline]
[<ffffffff816ea897>] ep_insert fs/eventpoll.c:1504 [inline]
[<ffffffff816ea897>] do_epoll_ctl+0x5c7/0x1220 fs/eventpoll.c:2223
[<ffffffff816eb57a>] __do_sys_epoll_ctl fs/eventpoll.c:2280 [inline]
[<ffffffff816eb57a>] __se_sys_epoll_ctl fs/eventpoll.c:2271 [inline]
[<ffffffff816eb57a>] __x64_sys_epoll_ctl+0x8a/0xd0 fs/eventpoll.c:2271
[<ffffffff84a15749>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84a15749>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff8881052da600 (size 128):
comm "syz-execprog", pid 5049, jiffies 4295044862 (age 114.630s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff812b4e5a>] alloc_pid+0x6a/0x550 kernel/pid.c:180
[<ffffffff81277c3b>] copy_process+0x18fb/0x26c0 kernel/fork.c:2526
[<ffffffff81278b87>] kernel_clone+0xf7/0x610 kernel/fork.c:2918
[<ffffffff8127911c>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:3061
[<ffffffff84a15749>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84a15749>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup