From nobody Sat Feb 7 19:45:37 2026 Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0902A221555 for ; Sun, 1 Feb 2026 07:32:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769931155; cv=none; b=B+Mw1dM8F5Qpqmk8d+hpnUHwsCqySXXX1QOEUaZTTw1IxeMDWbIqkO5c0Tyb28SODj8HexVlof/R5KgTIHX5pd+Ic+fk1sR2B9djqKOZN6XGFVPLomMMhexPdGWiBtstrU09hc4zC8m2CJy0cRnuLnYFEpcct4dSj7uy+OiFstM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769931155; c=relaxed/simple; bh=39BjO0NVc6MSs2r7OcmEWX0Ne91a2KELR0Mk7Bi96ZU=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=iOrnSyjVVR/uW9x9vEDt167rGxpOAPtlZX6AEo1Sh1RmW4PbNa1MvmVLOu0eZlQDjceEWkHcPwA5gkadi8iejAABB5a7L+oEPqDGZjWnVIpde62adyP86r0PfHqDcgDj7PeQqQ/1XlrkeF6hUeq1dKqqcoO2URmZ9NEFuo67pjw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=NlXY0zra; arc=none smtp.client-ip=209.85.214.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="NlXY0zra" Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-2a77c1d5c3bso15039025ad.0 for ; Sat, 31 Jan 2026 23:32:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769931153; x=1770535953; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=C76A9TzKBzMNSodY+ABhbw648AnFG9JcetNDNoIsqNI=; b=NlXY0zraNlre+fBUxRza7ud/2h14XEG7v9ik/jJ22wW2p20FtDszSB0PcDqMDun62W Qo/rQFjlC8MqkhcLwULcTe95LkerbnbZYugFOUN3hjCdiEXuohfffPRpTOLFIv+HpzKp jGaf8190X7DtpA3raOZeUxpe6fzcFtsT/7H4O8836iZAn8et7QQBf6aglqb+aBA2a4VM oPuExJw9FiZzyMxyYicJ5helF91RZTAL8u7Zx3uPSX7DLTMlrISd26Yf6iaABQYCsrZI Y84hmovsVYa35fJwC/fkj/QLWrv/vjue1nLx5DgKuTIv3TtH/cved5Qpgeff47V245H5 flkg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769931153; x=1770535953; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=C76A9TzKBzMNSodY+ABhbw648AnFG9JcetNDNoIsqNI=; b=amzJLcHg/V1jocChtXLZXQEkoRoZDP+O+fQ57omSHGiThVMDynYG4isFj1G/IprWXg zt2DWfziEYIZ/+VVHOtLhPsDOb9Q7L2TjZCqDgFxMKfF6AftG2KGo6jIuUSIXHovYpOF 5ExBulesnk7oxw4BaK/zOs+QO5fh9gvWBWUmBOJa2adFRKjZeOW3nvvvsPcT5CW880lw awkZCk0Gh5+iMKdHWjQDh1sRZMEMqxKKO8xamf9tI3KzrKviuemcqUTFXhx34GqviiqN 8po2msMhDdUsUm87LBgITDluUUnmK8mLOIcuOI0Qh1It48bybwTm6Fqh6kk/XGDu71wL 9cPg== X-Forwarded-Encrypted: i=1; AJvYcCXGmOrRvXZ6j3N9DjDn5DRlp85mZqRr2hO72ZZNdHtFlwn8Y6BJIVRneRaFfhe2Gbvad9FzPJvtN0lyeA8=@vger.kernel.org X-Gm-Message-State: AOJu0YzC7mo2hfBk8X4etdX3O9JtS2JyMRFw4xDPn89kx/VF3FVKJOwS jCcQyXxzFOx1hhI/5a7LWSK1P6Vj0jSfw5zYxOtCdlxuC/wRSlnMFtf2 X-Gm-Gg: AZuq6aKt86JLIBfd3FwlWpn8r5G3+91ZZLzFOHPF0ymEMrR4QqaLZkjeAEZiVM+EQ7D jBOUErhk0kFAYcwT9E1Dwj1qeWeFaH6RpndTO+NscJmyOlKSjfNmlYrWDa9UuKXgXhdMV1MUpvV XRMP9QjkaGPHBQi/kXXmmMop9OUFsh9lxb5cxj8xUUHYwXi13ybDhjh7IN8Djwx2mLdwAEwd59v KNIc1NAYE2eEfdaSOYWgrtHd0pEX+2AhlriI0MXyf9m7OFIoPsKW/8gvUJFBrAq6BZ2z9hdkAeW KCK13oJGoOHw79HC5zvOIdZfZ6eMk1yBcvPtLsT2XSrFlTq+B4fKQJzLtxm1UL8AhGNHjyz0Fnv FDRKY4cavOo12qeVoQYBd1FDCBgWz46hMIS7RQWY+bh6WXXI5m3FjyL5csJJyPeBx0snYO1ixUK qnWrtK9G28rEkS1ClfjapHtTXqPq5q5Kf5MvYq6fovRa/LnKuJqQ== X-Received: by 2002:a17:903:2bcc:b0:2a7:ca82:c198 with SMTP id d9443c01a7336-2a8d9593256mr81213585ad.6.1769931153142; Sat, 31 Jan 2026 23:32:33 -0800 (PST) Received: from Shardul.tailddf38c.ts.net ([223.185.36.73]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a88b5d9a70sm118867425ad.77.2026.01.31.23.32.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 31 Jan 2026 23:32:32 -0800 (PST) From: Shardul Bankar X-Google-Original-From: Shardul Bankar To: viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Cc: janak@mpiricsoftware.com, shardulsb08@gmail.com, slava@dubeyko.com, Shardul Bankar , syzbot+99f6ed51479b86ac4c41@syzkaller.appspotmail.com Subject: [PATCH] fs/super: fix s_fs_info leak when setup_bdev_super() fails Date: Sun, 1 Feb 2026 13:02:26 +0530 Message-Id: <20260201073226.3445853-1-shardul.b@mpiricsoftware.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" In get_tree_bdev_flags(), sget_dev() calls sget_fc(), which transfers ownership of fc->s_fs_info to the new superblock (s->s_fs_info) and clears fc->s_fs_info. If setup_bdev_super() then fails, the superblock is torn down via deactivate_locked_super(). However, generic_shutdown_super() only calls the filesystem's ->put_super() when sb->s_root is non-NULL. Since setup_bdev_super() fails before fill_super() runs, sb->s_root is never set, so ->put_super() is never called and the allocated s_fs_info is leaked. Return ownership of s_fs_info to fc when setup_bdev_super() fails so put_fs_context() can free it via the filesystem's ->free() callback. Clear s->s_fs_info to avoid a stale reference. Do this only when setup_bdev_super() fails; when fill_super() fails, it already frees s_fs_info in its own error path. Reported-by: syzbot+99f6ed51479b86ac4c41@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D99f6ed51479b86ac4c41 Signed-off-by: Shardul Bankar --- fs/super.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/super.c b/fs/super.c index 3d85265d1400..1aa8dbd19bb6 100644 --- a/fs/super.c +++ b/fs/super.c @@ -1687,6 +1687,11 @@ int get_tree_bdev_flags(struct fs_context *fc, } } else { error =3D setup_bdev_super(s, fc->sb_flags, fc); + if (error) { + fc->s_fs_info =3D s->s_fs_info; + s->s_fs_info =3D NULL; + } + if (!error) error =3D fill_super(s, fc); if (error) { --=20 2.34.1