From: Deepanshu Kartikey
To: agruenba@redhat.com
Cc: gfs2@lists.linux.dev, linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+aac438d7a1c44071e04b@syzkaller.appspotmail.com, Deepanshu Kartikey
Subject: [PATCH] gfs2: fix memory leaks in gfs2_fill_super error path
Date: Sat, 31 Jan 2026 11:55:09 +0530
Message-ID: <20260131062509.77974-1-kartikey406@gmail.com>

Fix two memory leaks in the gfs2_fill_super() error handling path when
transitioning a filesystem to read-write mode fails.

First leak: kthread objects (thread_struct, task_struct, etc.)
When gfs2_freeze_lock_shared() fails after init_threads() succeeds, the
created kernel threads (logd and quotad) are never destroyed. This occurs
because the fail_per_node label doesn't call gfs2_destroy_threads().

Second leak: quota bitmap buffer (8192 bytes)
When gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but before
other operations complete, the allocated quota bitmap is never freed. The
error path destroyed threads but didn't clean up quota structures.

The fix consolidates thread cleanup at the fail_per_node label for all
error paths, which is safe because gfs2_destroy_threads() checks for NULL
pointers before calling kthread_stop_put(). Quota cleanup is added
specifically to the gfs2_make_fs_rw() error path where quota structures
were initialized.

Syzbot detected these leaks with the following signatures:

Thread leak (PATH 3: gfs2_freeze_lock_shared failure):
unreferenced object 0xffff88801d7bca80 (size 4480):
  copy_process+0x3a1/0x4670 kernel/fork.c:2422
  kernel_clone+0xf3/0x6e0 kernel/fork.c:2779
  kthread_create_on_node+0x100/0x150 kernel/kthread.c:478
  init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611
  gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265

Quota leak (PATH 4: gfs2_make_fs_rw failure):
unreferenced object 0xffff88812de7c000 (size 8192):
  gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409
  gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149
  gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275

Reported-by: syzbot+aac438d7a1c44071e04b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=aac438d7a1c44071e04b
Signed-off-by: Deepanshu Kartikey
--- fs/gfs2/ops_fstype.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c index e7a88b717991..fdc70189e4f1 100644 --- a/fs/gfs2/ops_fstype.c +++ b/fs/gfs2/ops_fstype.c @@ -1276,7 +1276,7 @@ static int gfs2_fill_super(struct super_block *sb, st= ruct fs_context *fc) =20 if (error) { gfs2_freeze_unlock(sdp); - gfs2_destroy_threads(sdp); + gfs2_quota_cleanup(sdp); fs_err(sdp, "can't make FS RW: %d\n", error); goto fail_per_node; } @@ -1286,6 +1286,8 @@ static int gfs2_fill_super(struct super_block *sb, st= ruct fs_context *fc) =20 fail_per_node: init_per_node(sdp, UNDO); + if (!sb_rdonly(sb)) + gfs2_destroy_threads(sdp); fail_inodes: init_inodes(sdp, UNDO); fail_sb: --=20 2.43.0
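
Review bot: In the first hunk (the `if (error)` branch taken when gfs2_make_fs_rw() fails), gfs2_quota_cleanup(sdp) now runs while the logd and quotad threads are still alive, because the gfs2_destroy_threads(sdp) call that used to stop them at this point was removed and the threads are only stopped later at fail_per_node. If quotad can reach the quota structures while they are being freed, this trades a leak for a use-after-free window. Consider stopping the threads before the quota cleanup in this branch, or state in the commit message why quotad cannot race with gfs2_quota_cleanup() here. The new call is also unconditional: the message covers the case where gfs2_quota_init() succeeded, but does not say whether gfs2_quota_cleanup() is safe when gfs2_make_fs_rw() failed before or inside gfs2_quota_init().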
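
Review bot: In the second hunk, at the fail_per_node label, the new gfs2_destroy_threads(sdp) call sits after init_per_node(sdp, UNDO), so logd and quotad keep running while per-node state is torn down. Stop the threads first, before init_per_node(sdp, UNDO), or add a comment explaining why this order is safe. The `if (!sb_rdonly(sb))` guard also needs a justification: the commit message argues the call is safe on every path into this label because gfs2_destroy_threads() checks for NULL, which makes the guard either redundant or a second, undocumented condition. Drop it, or add a one-line comment naming the path it protects.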