From nobody Sat Feb 7 15:12:33 2026
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Date: Fri, 30 Jan 2026 18:38:05 -0800
In-Reply-To: <697cbeda.050a0220.142e72.0000.GAE@google.com>
Message-ID: <697d6b0d.050a0220.1d0a41.0001.GAE@google.com>
Subject: Forwarded: [PATCH] gfs2: fix memory leaks in gfs2_fill_super error path
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] gfs2: fix memory leaks in gfs2_fill_super error path
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Fix two memory leaks in the gfs2_fill_super() error handling path when transitioning a filesystem to read-write mode fails.

First leak: kthread objects (thread_struct, task_struct, etc.)

When gfs2_freeze_lock_shared() fails after init_threads() succeeds, the created kernel threads (logd and quotad) are never destroyed. This occurs because the fail_per_node label doesn't call gfs2_destroy_threads().

Second leak: quota bitmap buffer (8192 bytes)

When gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but before other operations complete, the allocated quota bitmap is never freed. The error path destroyed threads but didn't clean up quota structures.

The fix consolidates thread cleanup at the fail_per_node label for all error paths, which is safe because gfs2_destroy_threads() checks for NULL pointers before calling kthread_stop_put(). Quota cleanup is added specifically to the gfs2_make_fs_rw() error path where quota structures were initialized.
Syzbot detected these leaks with the following signatures:

Thread leak (PATH 3: gfs2_freeze_lock_shared failure):
unreferenced object 0xffff88801d7bca80 (size 4480):
  copy_process+0x3a1/0x4670 kernel/fork.c:2422
  kernel_clone+0xf3/0x6e0 kernel/fork.c:2779
  kthread_create_on_node+0x100/0x150 kernel/kthread.c:478
  init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611
  gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265

Quota leak (PATH 4: gfs2_make_fs_rw failure):
unreferenced object 0xffff88812de7c000 (size 8192):
  gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409
  gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149
  gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275

Reported-by: syzbot+aac438d7a1c44071e04b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=aac438d7a1c44071e04b
Signed-off-by: Deepanshu Kartikey
---
 fs/gfs2/ops_fstype.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index e7a88b717991..fdc70189e4f1 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -1276,7 +1276,7 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc)
 
 		if (error) {
 			gfs2_freeze_unlock(sdp);
-			gfs2_destroy_threads(sdp);
+			gfs2_quota_cleanup(sdp);
 			fs_err(sdp, "can't make FS RW: %d\n", error);
 			goto fail_per_node;
 		}
@@ -1286,6 +1286,8 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc)
 
 fail_per_node:
 	init_per_node(sdp, UNDO);
+	if (!sb_rdonly(sb))
+		gfs2_destroy_threads(sdp);
 fail_inodes:
 	init_inodes(sdp, UNDO);
 fail_sb:
-- 
2.43.0
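Review bot: in the first hunk (@@ -1276), dropping gfs2_destroy_threads(sdp) from the gfs2_make_fs_rw() error block means gfs2_quota_cleanup(sdp) now runs while the logd and quotad threads started by init_threads() are still alive; they are only stopped later at fail_per_node, after init_per_node(sdp, UNDO). Please confirm this teardown order against the normal unmount order (threads stopped before quota state is torn down), or keep the thread teardown in this block ahead of the quota cleanup. The block also calls gfs2_quota_cleanup() unconditionally on any gfs2_make_fs_rw() failure, so the commit message should state that it is safe when gfs2_quota_init() itself was the failing step, the same way it already justifies the NULL handling in gfs2_destroy_threads().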
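Review bot: in the second hunk (@@ -1286), the new `if (!sb_rdonly(sb))` / `gfs2_destroy_threads(sdp);` is placed after `init_per_node(sdp, UNDO);`, so per-node state is undone while quotad and logd may still be running; moving the thread teardown above init_per_node(sdp, UNDO) at this label would preserve the order the removed line had in the error block above (threads stopped first, then state torn down). Since this label is now the single place where threads are destroyed for every error path, including ones where init_threads() never ran, a short comment here noting that gfs2_destroy_threads() tolerates NULL task pointers would save the next reader a trip to the commit message.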