From: Sechang Lim
To: Andrew Morton, "Liam R. Howlett", Lorenzo Stoakes
Cc: Vlastimil Babka, Jann Horn, Pedro Falcato, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Sechang Lim
Subject: [PATCH] mm/vma: fix memory leak in __mmap_region()
Date: Tue, 31 Mar 2026 12:19:06 +0000
Message-ID: <20260331121906.1301155-1-rhkrqnwk98@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

commit 605f6586ecf7 ("mm/vma: do not leak memory when .mmap_prepare swaps the file") handled the success path by skipping get_file() via file_doesnt_need_get, but missed the error path.

When /dev/zero is mmap'd with MAP_SHARED, mmap_zero_prepare() calls shmem_zero_setup_desc() which allocates a new shmem file to back the mapping. If __mmap_new_vma() subsequently fails, this replacement file is never fput()'d - the original is released by ksys_mmap_pgoff(), but nobody releases the new one.

Add fput() for the swapped file in the error path.

Reproducible with fault injection.

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 2 UID: 0 PID: 366 Comm: syz.7.14 Not tainted 7.0.0-rc6 #2 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 dump_stack_lvl+0x164/0x1f0
 should_fail_ex+0x525/0x650
 should_failslab+0xdf/0x140
 kmem_cache_alloc_noprof+0x78/0x630
 vm_area_alloc+0x24/0x160
 __mmap_region+0xf6b/0x2660
 mmap_region+0x2eb/0x3a0
 do_mmap+0xc79/0x1240
 vm_mmap_pgoff+0x252/0x4c0
 ksys_mmap_pgoff+0xf8/0x120
 __x64_sys_mmap+0x12a/0x190
 do_syscall_64+0xa9/0x580
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881118aca80 (size 360):
  comm "syz.7.14", pid 366, jiffies 4294913255
  hex dump (first 32 bytes):
    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
    ff ff ff ff ff ff ff ff c0 28 4d ae ff ff ff ff  .........(M.....
  backtrace (crc db0f53bc):
    kmem_cache_alloc_noprof+0x3ab/0x630
    alloc_empty_file+0x5a/0x1e0
    alloc_file_pseudo+0x135/0x220
    __shmem_file_setup+0x274/0x420
    shmem_zero_setup_desc+0x9c/0x170
    mmap_zero_prepare+0x123/0x140
    __mmap_region+0xdda/0x2660
    mmap_region+0x2eb/0x3a0
    do_mmap+0xc79/0x1240
    vm_mmap_pgoff+0x252/0x4c0
    ksys_mmap_pgoff+0xf8/0x120
    __x64_sys_mmap+0x12a/0x190
    do_syscall_64+0xa9/0x580
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

Found by syzkaller.

Fixes: 605f6586ecf7 ("mm/vma: do not leak memory when .mmap_prepare swaps the file")
Signed-off-by: Sechang Lim
Reviewed-by: Lorenzo Stoakes (Oracle)
---
 mm/vma.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mm/vma.c b/mm/vma.c
index be64f781a3aa..89073980de46 100644
--- a/mm/vma.c
+++ b/mm/vma.c
@@ -2781,6 +2781,8 @@ static unsigned long __mmap_region(struct file *file, unsigned long addr,
 	if (map.charged)
 		vm_unacct_memory(map.charged);
 abort_munmap:
+	if (map.file_doesnt_need_get && map.file)
+		fput(map.file);
 	vms_abort_munmap_vmas(&map.vms, &map.mas_detach);
 	return error;
 }
-- 
2.43.0
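Review bot: the two added lines under `abort_munmap:` carry no comment, and the ownership rule they rely on (a file swapped in by .mmap_prepare holds a reference that belongs to map.file until a vma takes it over) is stated only in the commit message; a one-line comment such as `/* .mmap_prepare swapped in a file we own; release it. */` above the `if` would save the next reader a trip to the git log. The label is reached both by fall-through from the `vm_unacct_memory()` block and by direct jumps, so the fput() covers every failure after the swap provided no path reaching the label has already handed map.file to a vma; it would help reviewers if the commit message said explicitly that this holds.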
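To make the ownership rule behind this fix concrete, the following is an added user-space C model of the hand-off; it is neither kernel code nor part of the patch. `struct file`, `alloc_file()`, `get_file()`, `fput()`, `prepare_hook()`, `mmap_region_model()` and `leaked_files()` are all constructed stand-ins for the kernel objects and functions named in the commit message, and `live_files` plays the role of kmemleak. The model covers both the swap and the no-swap case, so it also shows that the leak is specific to a file swapped in by the prepare hook.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed stand-in for struct file: only the refcount matters here. */
struct file {
	int refcount;
	const char *name;
};

/* Leak detector: files allocated and not yet freed (plays kmemleak). */
static int live_files;

static struct file *alloc_file(const char *name)
{
	struct file *f = calloc(1, sizeof(*f));

	f->refcount = 1;
	f->name = name;
	live_files++;
	return f;
}

static struct file *get_file(struct file *f)
{
	f->refcount++;
	return f;
}

static void fput(struct file *f)
{
	if (--f->refcount == 0) {
		live_files--;
		free(f);
	}
}

/* The two struct mmap_state fields this bug is about. */
struct mmap_state {
	struct file *file;
	int file_doesnt_need_get;
};

/*
 * Stand-in for an .mmap_prepare hook such as mmap_zero_prepare(): it replaces
 * the caller's file with a freshly allocated backing file. The new file's
 * single reference now belongs to map->file, which is what
 * file_doesnt_need_get records.
 */
static void prepare_hook(struct mmap_state *map, int swap_file)
{
	if (!swap_file)
		return;
	map->file = alloc_file("shmem-backing");
	map->file_doesnt_need_get = 1;
}

/*
 * Stand-in for __mmap_region(). fail_after_prepare models the fault-injected
 * vm_area_alloc() failure; fixed selects the error path with or without the
 * fput() this patch adds.
 */
static int mmap_region_model(struct file *orig, int swap_file,
			     int fail_after_prepare, int fixed)
{
	struct mmap_state map = { .file = orig, .file_doesnt_need_get = 0 };

	prepare_hook(&map, swap_file);

	if (fail_after_prepare) {
		/*
		 * The caller still owns orig and will fput() it. A swapped-in
		 * file is owned by nobody else, so it must be released here.
		 */
		if (fixed && map.file_doesnt_need_get && map.file)
			fput(map.file);
		return -ENOMEM;
	}

	/* Success: the vma takes a reference, unless the swap already gave us one. */
	if (!map.file_doesnt_need_get)
		get_file(map.file);
	/* The mapping lives; model its later munmap by dropping the vma's reference. */
	fput(map.file);
	return 0;
}

/*
 * Caller in the role of ksys_mmap_pgoff(): holds its own reference to the
 * original file across the call and drops it afterwards. Returns how many
 * files are still live, i.e. the number leaked.
 */
static int leaked_files(int swap_file, int fail_after_prepare, int fixed)
{
	struct file *orig;

	live_files = 0;
	orig = alloc_file("/dev/zero");
	mmap_region_model(orig, swap_file, fail_after_prepare, fixed);
	fput(orig);
	return live_files;
}
```

Only the combination swap plus failure without the fix leaves a live file; the no-swap failure path is clean because the caller's own fput() is the only release the original ever needed.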