From: Ahmet Eray Karadag
To: akpm@linux-foundation.org
Cc: viro@zeniv.linux.org.uk, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, Ahmet Eray Karadag, syzbot+1c70732df5fd4f0e4fbb@syzkaller.appspotmail.com
Subject: [PATCH v2] adfs: fix memory leak in sb->s_fs_info
Date: Mon, 15 Dec 2025 03:22:52 +0300
Message-ID: <20251215002252.158637-2-eraykrdg1@gmail.com>
In-Reply-To: <20251213233621.151496-2-eraykrdg1@gmail.com>
References: <20251213233621.151496-2-eraykrdg1@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Syzbot reported a memory leak in adfs during the mount process. The issue arises because the ownership of the allocated (struct adfs_sb_info) is transferred from the filesystem context to the superblock via sget_fc(). This function sets fc->s_fs_info to NULL after the transfer.

The ADFS filesystem previously used the default kill_block_super for superblock destruction. This helper performs generic cleanup but does not free the private sb->s_fs_info data. Since fc->s_fs_info is set to NULL during the transfer, the standard context cleanup (adfs_free_fc) also skips freeing this memory. As a result, if the superblock is destroyed, the allocated struct adfs_sb_info is leaked.

Fix this by implementing a custom .kill_sb callback (adfs_kill_sb) that explicitly frees sb->s_fs_info before invoking the generic kill_block_super.

Reported-by: syzbot+1c70732df5fd4f0e4fbb@syzkaller.appspotmail.com
Fixes: https://syzkaller.appspot.com/bug?extid=1c70732df5fd4f0e4fbb
Signed-off-by: Ahmet Eray Karadag --- v2: - Remove adfs_put_super - Remove error label in adfs_fill_super - Use kfree_rcu instead kfree - Free map in adfs_kill_sb - Tested with ADFS test images --- fs/adfs/super.c | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/fs/adfs/super.c b/fs/adfs/super.c index fdccdbbfc213..96855f1086cd 100644 --- a/fs/adfs/super.c +++ b/fs/adfs/super.c @@ -90,14 +90,6 @@ static int adfs_checkdiscrecord(struct adfs_discrecord *= dr) return 0; } =20 -static void adfs_put_super(struct super_block *sb) -{ - struct adfs_sb_info *asb =3D ADFS_SB(sb); - - adfs_free_map(sb); - kfree_rcu(asb, rcu); -} - static int adfs_show_options(struct seq_file *seq, struct dentry *root) { struct adfs_sb_info *asb =3D ADFS_SB(root->d_sb); @@ -246,7 +238,6 @@ static const struct super_operations adfs_sops =3D { .free_inode =3D adfs_free_inode, .drop_inode =3D adfs_drop_inode, .write_inode =3D adfs_write_inode, - .put_super =3D adfs_put_super, .statfs =3D adfs_statfs, .show_options =3D adfs_show_options, }; @@ -362,7 +353,7 @@ static int adfs_fill_super(struct super_block *sb, stru= ct fs_context *fc) ret =3D -EINVAL; } if (ret) - goto error; + return ret; =20 /* set up enough so that we can read an inode */ sb->s_op =3D &adfs_sops; @@ -403,15 +394,9 @@ static int adfs_fill_super(struct super_block *sb, str= uct fs_context *fc) if (!sb->s_root) { adfs_free_map(sb); adfs_error(sb, "get root inode failed\n"); - ret =3D -EIO; - goto error; + return -EIO; } return 0; - -error: - sb->s_fs_info =3D NULL; - kfree(asb); - return ret; } =20 static int adfs_get_tree(struct fs_context *fc) 
@@ -462,10 +447,21 @@ static int adfs_init_fs_context(struct fs_context *fc) return 0; } =20 +static void adfs_kill_sb(struct super_block *sb) +{ + struct adfs_sb_info *asb =3D ADFS_SB(sb); + + kill_block_super(sb); + + adfs_free_map(sb); + + kfree_rcu(asb, rcu); +} + static struct file_system_type adfs_fs_type =3D { .owner =3D THIS_MODULE, .name =3D "adfs", - .kill_sb =3D kill_block_super, + .kill_sb =3D adfs_kill_sb, .fs_flags =3D FS_REQUIRES_DEV, .init_fs_context =3D adfs_init_fs_context, .parameters =3D adfs_param_spec, --=20 2.43.0
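
Review bot: In the adfs_fill_super hunk at -403, the "if (!sb->s_root)" branch still calls adfs_free_map(sb) before "return -EIO", and the new adfs_kill_sb() calls adfs_free_map(sb) again when the failed superblock is torn down, so the map looks to be freed twice on this path. Nothing visible in the patch resets the map state in between. Either drop the adfs_free_map(sb) call from this branch now that adfs_kill_sb() owns the cleanup, or make adfs_free_map() idempotent by clearing the map pointer and size after freeing.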
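
Review bot: In adfs_kill_sb(), adfs_free_map(sb) runs only after kill_block_super(sb) has returned, whereas the removed adfs_put_super() freed the map from .put_super, which runs during superblock shutdown; the commit message also says the private data is freed before invoking kill_block_super, which does not match the code. If adfs_free_map() releases anything tied to the block device, the call belongs before kill_block_super(sb); please either reorder or explain in the changelog why the later point is safe. Since adfs_kill_sb() is now also reached after the early "return ret" in adfs_fill_super, before any map has been read, it is worth confirming that adfs_free_map() tolerates an adfs_sb_info whose map was never set up.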