From: Sechang Lim
To: Andrew Morton, "Liam R . Howlett", Lorenzo Stoakes
Cc: Vlastimil Babka, Jann Horn, Pedro Falcato, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Sechang Lim
Subject: [PATCH v2] mm/vma: fix memory leak in __mmap_region()
Date: Tue, 31 Mar 2026 18:08:11 +0000
Message-ID: <20260331180811.1333348-1-rhkrqnwk98@gmail.com>

commit 605f6586ecf7 ("mm/vma: do not leak memory when .mmap_prepare swaps
the file") handled the success path by skipping get_file() via
file_doesnt_need_get, but missed the error path.

When /dev/zero is mmap'd with MAP_SHARED, mmap_zero_prepare() calls
shmem_zero_setup_desc() which allocates a new shmem file to back the
mapping. If __mmap_new_vma() subsequently fails, this replacement file is
never fput()'d - the original is released by ksys_mmap_pgoff(), but nobody
releases the new one.

Add fput() for the swapped file in the error path.

Reproducible with fault injection.

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 2 UID: 0 PID: 366 Comm: syz.7.14 Not tainted 7.0.0-rc6 #2 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 dump_stack_lvl+0x164/0x1f0
 should_fail_ex+0x525/0x650
 should_failslab+0xdf/0x140
 kmem_cache_alloc_noprof+0x78/0x630
 vm_area_alloc+0x24/0x160
 __mmap_region+0xf6b/0x2660
 mmap_region+0x2eb/0x3a0
 do_mmap+0xc79/0x1240
 vm_mmap_pgoff+0x252/0x4c0
 ksys_mmap_pgoff+0xf8/0x120
 __x64_sys_mmap+0x12a/0x190
 do_syscall_64+0xa9/0x580
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881118aca80 (size 360):
  comm "syz.7.14", pid 366, jiffies 4294913255
  hex dump (first 32 bytes):
    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
    ff ff ff ff ff ff ff ff c0 28 4d ae ff ff ff ff  .........(M.....
  backtrace (crc db0f53bc):
    kmem_cache_alloc_noprof+0x3ab/0x630
    alloc_empty_file+0x5a/0x1e0
    alloc_file_pseudo+0x135/0x220
    __shmem_file_setup+0x274/0x420
    shmem_zero_setup_desc+0x9c/0x170
    mmap_zero_prepare+0x123/0x140
    __mmap_region+0xdda/0x2660
    mmap_region+0x2eb/0x3a0
    do_mmap+0xc79/0x1240
    vm_mmap_pgoff+0x252/0x4c0
    ksys_mmap_pgoff+0xf8/0x120
    __x64_sys_mmap+0x12a/0x190
    do_syscall_64+0xa9/0x580
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

Found by syzkaller.

Fixes: 605f6586ecf7 ("mm/vma: do not leak memory when .mmap_prepare swaps the file")
Reviewed-by: Lorenzo Stoakes (Oracle)
Signed-off-by: Sechang Lim
-------
v2:
- Drop redundant map.file NULL check (Lorenzo)
- Add comment explaining the fput() (Lorenzo)
v1: https://lore.kernel.org/linux-mm/20260331121906.1301155-1-rhkrqnwk98@gmail.com/

 mm/vma.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/mm/vma.c b/mm/vma.c
index be64f781a3aa..c8df5f561ad7 100644
--- a/mm/vma.c
+++ b/mm/vma.c
@@ -2781,6 +2781,13 @@ static unsigned long __mmap_region(struct file *file= , unsigned long addr, if (map.charged) vm_unacct_memory(map.charged); abort_munmap: + /* + * This indicates that .mmap_prepare has set a new file, differing from + * desc->vm_file. But since we're aborting the operation, only the + * original file will be cleaned up. Ensure we clean up both. + */ + if (map.file_doesnt_need_get) + fput(map.file); vms_abort_munmap_vmas(&map.vms, &map.mas_detach); return error; } --=20 2.43.0
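Review bot: the new comment at the top of the hunk refers to `desc->vm_file`, but no `desc` appears in the visible context of `__mmap_region()`; the function's own parameter is `struct file *file`, so wording it as "a new file differing from the original `file`" would match what a reader of this function sees. It would also help to say, in the comment or the changelog, that every error return taken after `.mmap_prepare` has swapped the file reaches `abort_munmap:`, since this label is the only place the swapped file's reference is dropped, and that `map.file_doesnt_need_get` is set only when a swap actually happened, which is what makes the unconditional `fput(map.file)` under that flag safe for the non-swapped case.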
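The reference-counting leak the commit message describes, modelled in user space as an added example (this is not the kernel's code or the patch author's). The mock `struct file`, `get_file()`, `fput()` and `mmap_state` are hypothetical stand-ins; `mmap_region_model()` plays `__mmap_region()` with a `.mmap_prepare` that always swaps in a new file, and `with_fix` selects whether the abort path drops the swapped file's reference as the hunk does.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Mock objects (hypothetical; not the kernel's struct file / mmap_state). */
struct file { int refcount; };
struct mmap_state { struct file *file; bool file_doesnt_need_get; };
static int live_files;                      /* stands in for kmemleak's view */

static struct file *alloc_file(void)
{
    struct file *f = calloc(1, sizeof *f);
    f->refcount = 1;
    live_files++;
    return f;
}
static void get_file(struct file *f) { f->refcount++; }
static void fput(struct file *f)
{
    if (--f->refcount == 0) { live_files--; free(f); }
}

/* Model of __mmap_region() for a MAP_SHARED /dev/zero mapping: the mock
 * .mmap_prepare always swaps in a fresh shmem-like file. Returns the file the
 * new vma owns, or NULL when __mmap_new_vma() "fails" (fault injection). */
static struct file *mmap_region_model(struct file *file, bool fail_new_vma, bool with_fix)
{
    struct mmap_state map = { .file = file, .file_doesnt_need_get = false };
    map.file = alloc_file();            /* mmap_zero_prepare() -> shmem_zero_setup_desc() */
    map.file_doesnt_need_get = true;    /* the new file's only ref is already ours */
    if (fail_new_vma)
        goto abort_munmap;
    if (!map.file_doesnt_need_get)      /* success path, as fixed by 605f6586ecf7 */
        get_file(map.file);
    return map.file;
abort_munmap:
    if (with_fix && map.file_doesnt_need_get)   /* the hunk in this patch */
        fput(map.file);
    return NULL;
}

/* Drives one mmap() attempt the way ksys_mmap_pgoff() would and returns how
 * many mock files are still alive afterwards; 0 means nothing leaked. */
int files_left_after_mmap(bool fail_new_vma, bool with_fix)
{
    live_files = 0;
    struct file *orig = alloc_file();   /* the caller's reference to /dev/zero */
    struct file *vma_file = mmap_region_model(orig, fail_new_vma, with_fix);
    fput(orig);                         /* the caller always drops its own ref */
    if (vma_file)
        fput(vma_file);                 /* a later munmap() drops the vma's ref */
    return live_files;
}
```

Without the fix the failing path leaves one mock file alive, which is the object kmemleak reports above; with it, and on the success path either way, the count returns to zero.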