memory leak in path

memory leak in path_openat (3)

Status: upstream: reported C repro on 2026/06/13 01:28
Subsystems: io-uring
Labels: prio:high
[Documentation on labels]
Reported-by: syzbot+2cd473471e77bda12b0e@syzkaller.appspotmail.com
Fix commit: io_uring/nop: fix file reference leak with IOSQE_FIXED_FILE
Patched on: [ci-upstream-linux-next-kasan-gce-root], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 6d20h, last: 6d20h

▶ ▼ ✨ AI Jobs (1)

ID	Workflow	Result	Correct	Bug	Created	Started	Finished	Revision	Error
e82fbda9-33e4-40f2-8dce-e4594e1e27c9	assessment-security	DenialOfService: ✅ Exploitable: ❌ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ✅ UserNamespace: ✅ VMGuestTrigger: ❌ VMHostTrigger: ❌	❓	memory leak in path_openat (3)	2026/06/12 21:59	2026/06/12 21:59	2026/06/12 22:48	1d2f35898f2e0325486423250d5303b6bc05adcd

▶ ▼ Discussions (2)

Title	Replies (including bot)	Last reply
[syzbot] [fs?] memory leak in path_openat (3)	1 (2)	2026/06/17 13:43
[PATCH] io_uring/nop: fix file reference leak with IOSQE_FIXED_FILE	1 (1)	2026/06/15 14:45

▶ ▼ Similar bugs (2)

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	memory leak in path_openat fs	3	C			1	2364d	2360d	0/29	closed as invalid on 2020/03/07 22:28
upstream	memory leak in path_openat (2) fs	3	C			5	922d	1948d	0/29	auto-obsoleted due to no activity on 2025/08/18 09:36

Sample crash report:

BUG: memory leak
unreferenced object 0xffff88810ac98000 (size 176):
  comm "syz.0.19", pid 5920, jiffies 4294944647
  hex dump (first 32 bytes):
    00 00 00 00 1b 00 0e 04 60 7e a7 85 ff ff ff ff  ........`~......
    70 15 3e 06 81 88 ff ff 80 61 3c 2b 81 88 ff ff  p.>......a<+....
  backtrace (crc df7849cb):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4575 [inline]
    slab_alloc_node mm/slub.c:4899 [inline]
    kmem_cache_alloc_noprof+0x36c/0x480 mm/slub.c:4906
    alloc_empty_file+0x57/0x180 fs/file_table.c:262
    path_openat+0x44/0x1e20 fs/namei.c:4844
    do_file_open+0x121/0x200 fs/namei.c:4887
    do_sys_openat2+0xa5/0x140 fs/open.c:1364
    do_sys_open fs/open.c:1370 [inline]
    __do_sys_openat fs/open.c:1386 [inline]
    __se_sys_openat fs/open.c:1381 [inline]
    __x64_sys_openat+0x82/0xf0 fs/open.c:1381
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xf8/0x610 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF

Crashes (1):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2026/06/12 21:59	upstream	2b414a95b8f7	1d2f3589	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci-upstream-gce-leak	memory leak in path_openat

* ~~Struck through~~ repros no longer work on HEAD.