[syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf


syzbot

Feb 9, 2026, 1:26:30 PMFeb 9
to Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz
Hello,

syzbot found the following issue on:

HEAD commit: e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=122ae7fa580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d7d0fbecb37bff8
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=130e2944580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/28d29c9b5ae2/disk-e7aa5724.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0683244c7a0f/vmlinux-e7aa5724.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cd8cc5cb8b94/bzImage-e7aa5724.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f78f58e821b0/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=10f7165a580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cae780...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888113218600 (size 512):
comm "sed", pid 6046, jiffies 4294945902
hex dump (first 32 bytes):
00 8e 13 29 81 88 ff ff 00 12 86 27 81 88 ff ff ...).......'....
00 5a 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 .Z..............
backtrace (crc 49909e19):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_empty_sheaf+0x36/0x50 mm/slub.c:2618
__kfree_rcu_sheaf+0x155/0x210 mm/slub.c:6304
kfree_rcu_sheaf mm/slab_common.c:1631 [inline]
kvfree_call_rcu+0x202/0x3d0 mm/slab_common.c:1981
ma_free_rcu lib/maple_tree.c:208 [inline]
ma_free_rcu+0x29/0x40 lib/maple_tree.c:205
mas_free lib/maple_tree.c:1174 [inline]
mas_replace_node lib/maple_tree.c:1581 [inline]
mas_wr_node_store+0x5fc/0x730 lib/maple_tree.c:3553
mas_wr_store_entry+0x4eb/0x760 lib/maple_tree.c:3764
mas_store_prealloc+0x358/0x740 lib/maple_tree.c:5169
vma_iter_store_overwrite mm/vma.h:544 [inline]
commit_merge+0x28e/0x490 mm/vma.c:763
vma_expand+0x264/0x460 mm/vma.c:1200
vma_merge_new_range+0xe3/0x350 mm/vma.c:1099
__mmap_region+0x54b/0x15b0 mm/vma.c:2747
mmap_region+0xfb/0x1e0 mm/vma.c:2830
do_mmap+0x7ac/0xb80 mm/mmap.c:558
vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604

BUG: memory leak
unreferenced object 0xffff888127861200 (size 512):
comm "udevd", pid 6236, jiffies 4294948784
hex dump (first 32 bytes):
00 86 21 13 81 88 ff ff 18 e0 05 00 81 88 ff ff ..!.............
00 5a 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 .Z..............
backtrace (crc 5b72581e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_empty_sheaf+0x36/0x50 mm/slub.c:2618
__kfree_rcu_sheaf+0x155/0x210 mm/slub.c:6304
kfree_rcu_sheaf mm/slab_common.c:1631 [inline]
kvfree_call_rcu+0x202/0x3d0 mm/slab_common.c:1981
ma_free_rcu lib/maple_tree.c:208 [inline]
ma_free_rcu+0x29/0x40 lib/maple_tree.c:205
mas_topiary_node lib/maple_tree.c:2311 [inline]
mas_topiary_node lib/maple_tree.c:2299 [inline]
mas_topiary_replace+0xb0f/0x1400 lib/maple_tree.c:2410
mas_wmb_replace lib/maple_tree.c:2433 [inline]
mas_spanning_rebalance+0x14e1/0x24b0 lib/maple_tree.c:2738
mas_wr_spanning_store+0x983/0x10d0 lib/maple_tree.c:3479
mas_wr_store_entry+0x4d5/0x760 lib/maple_tree.c:3767
mas_store_gfp+0x341/0x640 lib/maple_tree.c:5138
vma_iter_clear_gfp include/linux/mm.h:1141 [inline]
do_vmi_align_munmap+0x259/0x2d0 mm/vma.c:1574
do_vmi_munmap+0x17c/0x280 mm/vma.c:1627
__vm_munmap+0xec/0x200 mm/vma.c:3247
__do_sys_munmap mm/mmap.c:1077 [inline]
__se_sys_munmap mm/mmap.c:1074 [inline]
__x64_sys_munmap+0x1f/0x30 mm/mmap.c:1074
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88812c458000 (size 4480):
comm "udevd", pid 5181, jiffies 4294950983
hex dump (first 32 bytes):
01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 ................
backtrace (crc ad4af9e6):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x422/0x590 mm/slub.c:5315
alloc_task_struct_node kernel/fork.c:184 [inline]
dup_task_struct kernel/fork.c:915 [inline]
copy_process+0x286/0x2870 kernel/fork.c:2052
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
__do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881274a1540 (size 184):
comm "udevd", pid 5181, jiffies 4294950983
hex dump (first 32 bytes):
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 54e589bc):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
prepare_creds+0x22/0x600 kernel/cred.c:185
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x2870 kernel/fork.c:2086
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
__do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888109639020 (size 32):
comm "udevd", pid 5181, jiffies 4294950983
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f8 52 86 00 81 88 ff ff 00 00 00 00 00 00 00 00 .R..............
backtrace (crc 336e1c5f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_cred_alloc security/security.c:209 [inline]
security_prepare_creds+0x2d/0x290 security/security.c:2763
prepare_creds+0x395/0x600 kernel/cred.c:215
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x2870 kernel/fork.c:2086
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
__do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888126fdbd80 (size 64):
comm "udevd", pid 5181, jiffies 4294950983
hex dump (first 32 bytes):
c0 c3 4e 46 81 88 ff ff 00 00 00 00 00 00 00 00 ..NF............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 508a43e4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_task_alloc security/security.c:244 [inline]
security_task_alloc+0x2a/0x260 security/security.c:2682
copy_process+0xf07/0x2870 kernel/fork.c:2203
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
__do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Qing Wang

Mar 1, 2026, 10:41:15 PM (8 days ago) Mar 1
to syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz
#syz test

diff --git a/mm/slub.c b/mm/slub.c
index cdc1e652ec52..387979b89120 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -6307,15 +6307,21 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj)
goto fail;

if (!local_trylock(&s->cpu_sheaves->lock)) {
- barn_put_empty_sheaf(barn, empty);
+ if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES)
+ barn_put_empty_sheaf(barn, empty);
+ else
+ free_empty_sheaf(s, empty);
goto fail;
}

pcs = this_cpu_ptr(s->cpu_sheaves);

- if (unlikely(pcs->rcu_free))
- barn_put_empty_sheaf(barn, empty);
- else
+ if (unlikely(pcs->rcu_free)) {
+ if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES)
+ barn_put_empty_sheaf(barn, empty);
+ else
+ free_empty_sheaf(s, empty);
+ } else
pcs->rcu_free = empty;
}
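Review bot: The put-or-free sequence added in the `local_trylock` failure branch is repeated verbatim in the `pcs->rcu_free` branch; a small static helper that returns `empty` to the barn when `data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES` and otherwise calls `free_empty_sheaf(s, empty)` would keep the two sites from drifting apart. The `data_race()` read is unlocked, so the cap it enforces is advisory rather than exact; if that is intended, a one-line comment such as `/* racy read: the cap is best-effort, barn_put_empty_sheaf() is still safe if we overshoot */` would save the next reader a trip into barn_put_empty_sheaf(), and if that function already enforces the limit under its own lock the check here is redundant. The new `barn &&` guard also changes the contract of this path, since the removed lines passed `barn` unconditionally; whether a NULL barn can reach this point should be stated. `__kfree_rcu_sheaf()` begins before the hunk.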

syzbot

Mar 1, 2026, 10:57:04 PM (8 days ago) Mar 1
to ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff88810005fa00 (size 512):
comm "swapper/0", pid 0, jiffies 4294937296
hex dump (first 32 bytes):
00 2e c5 05 81 88 ff ff 00 a2 96 0a 81 88 ff ff ................
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc ee49fed0):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1e4/0x260 mm/slub.c:4602
alloc_from_pcs mm/slub.c:4695 [inline]
slab_alloc_node mm/slub.c:4829 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5353
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__irq_domain_alloc_fwnode+0x37/0x140 kernel/irq/irqdomain.c:95
irq_domain_alloc_named_fwnode include/linux/irqdomain.h:271 [inline]
arch_early_irq_init+0x1c/0x70 arch/x86/kernel/apic/vector.c:803
start_kernel+0x931/0xb80 init/main.c:1114
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148

BUG: memory leak
unreferenced object 0xffff8881008f8c00 (size 512):
comm "kthreadd", pid 2, jiffies 4294937339
hex dump (first 32 bytes):
00 d6 04 00 81 88 ff ff 00 92 96 0a 81 88 ff ff ................
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc f2ef5290):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1e4/0x260 mm/slub.c:4602
alloc_from_pcs mm/slub.c:4695 [inline]
slab_alloc_node mm/slub.c:4829 [inline]
__kmalloc_cache_node_noprof+0x3ef/0x4e0 mm/slub.c:5366
kmalloc_node_noprof include/linux/slab.h:1077 [inline]
__get_vm_area_node+0xc6/0x1d0 mm/vmalloc.c:3221
__vmalloc_node_range_noprof+0x1d3/0xe50 mm/vmalloc.c:4024
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:355 [inline]
dup_task_struct kernel/fork.c:924 [inline]
copy_process+0x3e5/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:490 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:848
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888105c53200 (size 512):
comm "kworker/1:0", pid 23, jiffies 4294937917
hex dump (first 32 bytes):
00 a2 96 0a 81 88 ff ff 00 d4 04 00 81 88 ff ff ................
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc d24dd055):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe9/0x2c0 mm/slub.c:5700
free_to_pcs mm/slub.c:5753 [inline]
slab_free mm/slub.c:6154 [inline]
kfree+0x352/0x390 mm/slub.c:6467
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:467
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888105c52e00 (size 512):
comm "kworker/u8:5", pid 4440, jiffies 4294937918
hex dump (first 32 bytes):
c8 2c 04 00 81 88 ff ff 00 fa 05 00 81 88 ff ff .,..............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc a68b63de):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe9/0x2c0 mm/slub.c:5700
free_to_pcs mm/slub.c:5753 [inline]
slab_free mm/slub.c:6154 [inline]
kfree+0x352/0x390 mm/slub.c:6467
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810a96a200 (size 512):
comm "udevadm", pid 5177, jiffies 4294938175
hex dump (first 32 bytes):
00 fa 05 00 81 88 ff ff 00 32 c5 05 81 88 ff ff .........2......
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 94107438):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1e4/0x260 mm/slub.c:4602
alloc_from_pcs mm/slub.c:4695 [inline]
slab_alloc_node mm/slub.c:4829 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5353
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
kernfs_get_open_node fs/kernfs/file.c:543 [inline]
kernfs_fop_open+0x4f3/0x580 fs/kernfs/file.c:718
do_dentry_open+0x202/0x8d0 fs/open.c:949
vfs_open+0x3d/0x1b0 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x154d/0x1e20 fs/namei.c:4830
do_file_open+0x121/0x200 fs/namei.c:4859
do_sys_openat2+0xa5/0x140 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x82/0xf0 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888109d58400 (size 512):
comm "udevd", pid 5176, jiffies 4294938222
hex dump (first 32 bytes):
00 12 47 2a 81 88 ff ff 00 ee 46 2a 81 88 ff ff ..G*......F*....
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc af8b5cec):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__kfree_rcu_sheaf+0x164/0x240 mm/slub.c:5887
kfree_rcu_sheaf mm/slab_common.c:1608 [inline]
kvfree_call_rcu+0x1f6/0x3c0 mm/slab_common.c:1957
kernfs_unlink_open_file+0x194/0x1b0 fs/kernfs/file.c:604
kernfs_fop_release+0x55/0x110 fs/kernfs/file.c:783
__fput+0x1b5/0x4f0 fs/file_table.c:469
fput_close_sync+0x67/0x120 fs/file_table.c:574
__do_sys_close fs/open.c:1509 [inline]
__se_sys_close fs/open.c:1494 [inline]
__x64_sys_close+0x4a/0xc0 fs/open.c:1494
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 11439c46 Linux 7.0-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1277a202580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=13801006580000

Vlastimil Babka (SUSE)

Mar 2, 2026, 3:39:57 AM (8 days ago) Mar 2
to Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Harry Yoo, Hao Li
I don't think this would fix any leak, and syzbot agrees. It would limit the
empty sheaves in barn more strictly, but they are not leaked.
Hm I don't see any leak in __kfree_rcu_sheaf() or rcu_free_sheaf(). Wonder
if kmemleak lacks visibility into barns or pcs's as roots for searching what
objects are considered referenced, or something?

Harry Yoo

Mar 3, 2026, 8:31:19 PM (6 days ago) Mar 3
to Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li, Catalin Marinas
[+Cc adding Catalin for kmemleak bits]
Objects that are allocated from slab and percpu allocator should be
properly tracked by kmemleak. But those allocated with
gfpflags_allow_spinning() == false are not tracked by kmemleak.

When barns and sheaves are allocated early (!gfpflags_allow_spinning()
due to gfp_allowed_mask) and it skips kmemleak_alloc_recursive(),
it could produce false positives because from kmemleak's point of view,
the objects are not reachable from the root set (data section, stack,
etc.).

To me it seems kmemleak should gain allow_spin == false support
sooner or later.

--
Cheers,
Harry / Hyeonggon

Vlastimil Babka (SUSE)

Mar 4, 2026, 8:39:55 AM (5 days ago) Mar 4
to Harry Yoo, Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li, Catalin Marinas
Good point.

> To me it seems kmemleak should gain allow_spin == false support
> sooner or later.

Or we figure out how to deal with the spurious allow_spin == false during
boot. Here I'm a bit confused how exactly it happens because AFAICS in
slub we apply gfp_allowed_mask only when allocating a new slab, and in
slab_post_alloc_hook() we apply it to init_mask. That is indeed passed
to kmemleak_alloc_recursive() but not used for the
gfpflags_allow_spinning() decision. kmemleak_alloc_recursive() should
succeed because nobody should be holding any locks that would require
spinning.

Unless it's some interaction with deferred pages like the one fixed by
commit fd3634312a04f33?


Catalin Marinas

Mar 7, 2026, 2:07:37 PM (2 days ago) Mar 7
to Vlastimil Babka (SUSE), Harry Yoo, Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
I don't fully understand what goes on. If kmemleak_alloc_recursive()
failed to allocate for some reason (other than SLAB_NOLEAKTRACE), it
would loudly disable kmemleak altogether and stop reporting leaks. Also
kmemleak doesn't care about allow_spin, it's only the slub code which
avoids calling kmemleak if spinning not allowed (as it takes some locks,
may call back into the slab allocator).

I wonder whether some early kmem_cache_node allocations like the ones in
early_kmem_cache_node_alloc() are not tracked and then kmemleak cannot
find n->barn. I got lost in the slub code, but something like this:

-----------8<-----------------------------------
diff --git a/mm/slub.c b/mm/slub.c
index 0c906fefc31b..401557ff5487 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
kmem_cache_node->node[node] = n;
+ kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
init_kmem_cache_node(n, NULL);
inc_slabs_node(kmem_cache_node, node, slab->objects);
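Review bot: The added `kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);` has no comment saying why this one object needs manual registration, which matters because every other kmem_cache_node object is presumably registered by the normal allocation hook; something like `/* Carved straight out of the slab page, so slab_post_alloc_hook() never ran: register it with kmemleak by hand so n->barn is reachable from a scanned object. */` would record the reasoning. With min_count 1 kmemleak will also report this node itself as leaked unless it finds a pointer to it in a scanned area; if `kmem_cache_node->node[node]` lives in a bootstrap object that is not itself tracked, min_count 0 (or kmemleak_not_leak() after the call) may be what is wanted — worth confirming against how the bootstrap caches are registered. early_kmem_cache_node_alloc() starts before and continues after the hunk.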

-------------8<----------------------------------------

Another thing I noticed, not sure it's related but we should probably
ignore an object once it has been passed to kvfree_call_rcu(), similar
to what we do on the main path in this function. Also see commit
5f98fd034ca6 ("rcu: kmemleak: Ignore kmemleak false positives when
RCU-freeing objects") when we added this kmemleak_ignore().

---------8<-----------------------------------
diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();

- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }

// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
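Review bot: `kmemleak_ignore(ptr)` is reached only after kfree_rcu_sheaf() has returned true, i.e. after the object has been handed to the sheaf and may already have been submitted to RCU; if a grace period can complete in that window (nothing here requires the caller to be in a read-side critical section), the ignore call would be painting an object that rcu_free_sheaf() has already freed. Unless kfree_rcu_sheaf() rules that out, marking the object before it is queued — inside kfree_rcu_sheaf() while it still holds its lock, or by hoisting `kmemleak_ignore(ptr);` above the `kfree_rcu_sheaf(ptr)` call, in which case the existing ignore on the non-sheaf path below would repaint an already-ignored object, which looks harmless but should be checked — closes that window. The new comment could also say why the ignore is needed rather than what it does, e.g. `/* The caller treats the object as freed from here on and drops its references; without this kmemleak would flag it until the RCU callback frees it. */`. kvfree_call_rcu() continues below the hunk.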
----------------8<-----------------------------------

--
Catalin

Catalin Marinas

Mar 8, 2026, 7:03:04 AM (yesterday) Mar 8
to syzbot+cae780...@syzkaller.appspotmail.com, Vlastimil Babka (SUSE), Harry Yoo, Qing Wang, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
#syz test

diff --git a/mm/slub.c b/mm/slub.c

Catalin Marinas

Mar 8, 2026, 7:04:13 AM (yesterday) Mar 8
to syzbot+cae780...@syzkaller.appspotmail.com, Vlastimil Babka (SUSE), Harry Yoo, Qing Wang, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
#syz test

syzbot

Mar 8, 2026, 8:31:08 AM (yesterday) Mar 8
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_full_main

BUG: memory leak
unreferenced object 0xffff888101d79200 (size 512):
comm "kworker/u8:5", pid 182, jiffies 4294937433
hex dump (first 32 bytes):
e0 22 eb 30 81 88 ff ff b0 b7 ad 81 ff ff ff ff .".0............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 3ee28017):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888101fa6c00 (size 512):
comm "kworker/1:1", pid 41, jiffies 4294937441
hex dump (first 32 bytes):
b0 1e fc 11 81 88 ff ff b0 b7 ad 81 ff ff ff ff ................
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc a295f059):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888109d31a00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937949
hex dump (first 32 bytes):
c0 fa 74 29 81 88 ff ff b0 b7 ad 81 ff ff ff ff ..t)............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc e073aa0b):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888109d3d800 (size 512):
comm "udevadm", pid 5179, jiffies 4294938390
hex dump (first 32 bytes):
88 43 58 27 81 88 ff ff b0 b7 ad 81 ff ff ff ff .CX'............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 37e3920):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5378
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
kernfs_get_open_node fs/kernfs/file.c:543 [inline]
kernfs_fop_open+0x4f3/0x580 fs/kernfs/file.c:718
do_dentry_open+0x202/0x8d0 fs/open.c:949
vfs_open+0x3d/0x1b0 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x154d/0x1e20 fs/namei.c:4830
do_file_open+0x121/0x200 fs/namei.c:4859
do_sys_openat2+0xa5/0x140 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x82/0xf0 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810b5a5000 (size 512):
comm "udevd", pid 5178, jiffies 4294938454
hex dump (first 32 bytes):
80 c5 8e 2b 81 88 ff ff b0 b7 ad 81 ff ff ff ff ...+............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc bce89c59):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5378
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
kernfs_get_open_node fs/kernfs/file.c:543 [inline]
kernfs_fop_open+0x4f3/0x580 fs/kernfs/file.c:718
do_dentry_open+0x202/0x8d0 fs/open.c:949
vfs_open+0x3d/0x1b0 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x154d/0x1e20 fs/namei.c:4830
do_file_open+0x121/0x200 fs/namei.c:4859
do_sys_openat2+0xa5/0x140 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x82/0xf0 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888109d3ce00 (size 512):
comm "udevd", pid 5189, jiffies 4294938454
hex dump (first 32 bytes):
b0 4e 89 2b 81 88 ff ff b0 b7 ad 81 ff ff ff ff .N.+............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc e7e352bb):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
tomoyo_encode2+0xd0/0x1e0 security/tomoyo/realpath.c:45
tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80
tomoyo_realpath_from_path+0xc4/0x2c0 security/tomoyo/realpath.c:283
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x12c/0x290 security/tomoyo/file.c:827
security_inode_getattr+0xaa/0x200 security/security.c:1869
vfs_getattr fs/stat.c:259 [inline]
vfs_fstat+0x48/0xe0 fs/stat.c:281
__do_sys_newfstat+0x42/0xa0 fs/stat.c:551
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: c23719ab Merge tag 'x86-urgent-2026-03-08' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1228e75a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1310e75a580000

syzbot

Mar 8, 2026, 8:42:04 AM (yesterday) Mar 8
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff88810005f800 (size 512):
comm "swapper/0", pid 0, jiffies 4294937296
hex dump (first 32 bytes):
00 2a 90 00 81 88 ff ff 00 94 30 29 81 88 ff ff .*........0)....
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc a3e5799):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5378
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__irq_domain_alloc_fwnode+0x37/0x140 kernel/irq/irqdomain.c:95
irq_domain_alloc_named_fwnode include/linux/irqdomain.h:271 [inline]
arch_early_irq_init+0x1c/0x70 arch/x86/kernel/apic/vector.c:803
start_kernel+0x931/0xb80 init/main.c:1114
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148

BUG: memory leak
unreferenced object 0xffff8881008f6c00 (size 512):
comm "kthreadd", pid 2, jiffies 4294937344
hex dump (first 32 bytes):
00 94 30 29 81 88 ff ff 00 d6 de 0b 81 88 ff ff ..0)............
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 9181eca5):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_node_noprof+0x3ef/0x4e0 mm/slub.c:5391
kmalloc_node_noprof include/linux/slab.h:1077 [inline]
__get_vm_area_node+0xc6/0x1d0 mm/vmalloc.c:3221
__vmalloc_node_range_noprof+0x1d3/0xe50 mm/vmalloc.c:4024
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:355 [inline]
dup_task_struct kernel/fork.c:924 [inline]
copy_process+0x3e5/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881008fd600 (size 512):
comm "kworker/u8:6", pid 223, jiffies 4294937434
hex dump (first 32 bytes):
00 c6 8f 00 81 88 ff ff d8 2c 04 00 81 88 ff ff .........,......
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 33698a2f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881008fc600 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937441
hex dump (first 32 bytes):
00 1a 39 10 81 88 ff ff 00 d6 8f 00 81 88 ff ff ..9.............
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc fca1c70a):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888100902a00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937448
hex dump (first 32 bytes):
00 c4 58 09 81 88 ff ff 00 f8 05 00 81 88 ff ff ..X.............
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 8a5f0c0d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810958c400 (size 512):
comm "kworker/u8:5", pid 4599, jiffies 4294937964
hex dump (first 32 bytes):
00 4c 6a 12 81 88 ff ff 00 2a 90 00 81 88 ff ff .Lj......*......
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 45e572cd):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: c23719ab Merge tag 'x86-urgent-2026-03-08' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10027054580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=17682a02580000

Harry Yoo

6:46 AM (14 hours ago) 6:46 AM
to Catalin Marinas, Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
#syz test

diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();

- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }

// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..9e34a9458162 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3014,8 +3014,10 @@ static void pcs_flush_all(struct kmem_cache *s)
free_empty_sheaf(s, spare);
}

- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }

sheaf_flush_main(s);
}
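Review bot: The pair `kmemleak_ignore(x); call_rcu(&x->rcu_head, cb);` now appears four times in this patch (pcs_flush_all here, then __pcs_flush_all_cpu, flush_rcu_sheaf and __kfree_rcu_sheaf), and only the last site carries a comment explaining why a sheaf has to be hidden from kmemleak, so a future caller of call_rcu() on a sheaf can easily miss the bookkeeping. A small static helper that takes the callback keeps the ignore and the hand-off together and gives the rationale one home; each site then collapses to a one-line call such as `sheaf_call_rcu(rcu_free, rcu_free_sheaf_nobarn);`. pcs_flush_all's body starts outside the hunk.
```c
/*
 * Hand a sheaf to RCU. kmemleak is told to ignore it for as long as it is
 * in flight; see the TODO in __kfree_rcu_sheaf() about sheaves that are
 * returned to a barn rather than freed by the callback.
 */
static void sheaf_call_rcu(struct slab_sheaf *sheaf, rcu_callback_t func)
{
	kmemleak_ignore(sheaf);
	call_rcu(&sheaf->rcu_head, func);
}

	/* … unchanged: spare sheaf handling … */
	if (rcu_free)
		sheaf_call_rcu(rcu_free, rcu_free_sheaf_nobarn);
```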
@@ -3035,6 +3037,7 @@ static void __pcs_flush_all_cpu(struct kmem_cache *s, unsigned int cpu)
}

if (pcs->rcu_free) {
+ kmemleak_ignore(pcs->rcu_free);
call_rcu(&pcs->rcu_free->rcu_head, rcu_free_sheaf_nobarn);
pcs->rcu_free = NULL;
}
@@ -4031,8 +4034,10 @@ static void flush_rcu_sheaf(struct work_struct *w)

local_unlock(&s->cpu_sheaves->lock);

- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }
}


@@ -5948,8 +5953,15 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj)
* we flush before local_unlock to make sure a racing
* flush_all_rcu_sheaves() doesn't miss this sheaf
*/
- if (rcu_sheaf)
+ if (rcu_sheaf) {
+ /*
+ * TODO: Ideally this should be undone in rcu_free_sheaf,
+ * when the sheaf is returned to a barn to avoid generating
+ * false negatives.
+ */
+ kmemleak_ignore(rcu_sheaf);
call_rcu(&rcu_sheaf->rcu_head, rcu_free_sheaf);
+ }

local_unlock(&s->cpu_sheaves->lock);


base-commit: c23719abc3308df7ed3ad35650ad211fb2d2003d
--
2.43.0


syzbot

7:11 AM (14 hours ago) 7:11 AM
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff8881008bb900 (size 256):
comm "swapper/0", pid 0, jiffies 4294937326
hex dump (first 32 bytes):
00 e8 54 0b 81 88 ff ff 00 55 bf 0f 81 88 ff ff ..T......U......
00 e1 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc e804819c):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4634
alloc_from_pcs mm/slub.c:4725 [inline]
slab_alloc_node mm/slub.c:4859 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__register_sysctl_table+0x4e/0xa60 fs/proc/proc_sysctl.c:1379
register_sysctl_sz fs/proc/proc_sysctl.c:1436 [inline]
__register_sysctl_init+0x30/0x70 fs/proc/proc_sysctl.c:1465
pagecache_init+0x4e/0x70 mm/filemap.c:1095
start_kernel+0xb33/0xb80 init/main.c:1193
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148

BUG: memory leak
unreferenced object 0xffff888104417400 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937905
hex dump (first 32 bytes):
00 42 a4 1c 81 88 ff ff 00 06 05 00 81 88 ff ff .B..............
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc db9a578f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
vfree.part.0+0x1cd/0x4d0 mm/vmalloc.c:3484
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810ad9d600 (size 512):
comm "syz-executor", pid 5829, jiffies 4294941807
hex dump (first 32 bytes):
00 72 0a 00 81 88 ff ff 00 d2 04 00 81 88 ff ff .r..............
00 af 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 57ea7b83):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4634
alloc_from_pcs mm/slub.c:4725 [inline]
slab_alloc_node mm/slub.c:4859 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kvmalloc_node_noprof+0x5a7/0x770 mm/slub.c:6767
allocate_hook_entries_size net/netfilter/core.c:58 [inline]
nf_hook_entries_grow+0x178/0x3e0 net/netfilter/core.c:137
__nf_register_net_hook+0xc4/0x2e0 net/netfilter/core.c:432
nf_register_net_hook+0x8a/0x110 net/netfilter/core.c:575
nf_register_net_hooks+0x5d/0xd0 net/netfilter/core.c:591
ipt_register_table+0x15e/0x220 net/ipv4/netfilter/ip_tables.c:1781
iptable_security_table_init+0x40/0x60 net/ipv4/netfilter/iptable_security.c:46
xt_find_table_lock+0x1a3/0x270 net/netfilter/x_tables.c:1260
xt_request_find_table_lock+0x28/0xb0 net/netfilter/x_tables.c:1285
get_info+0x101/0x460 net/ipv4/netfilter/ip_tables.c:963
do_ipt_get_ctl+0x9b/0x5e0 net/ipv4/netfilter/ip_tables.c:1659
nf_getsockopt+0x61/0xa0 net/netfilter/nf_sockopt.c:116
ip_getsockopt+0x10a/0x150 net/ipv4/ip_sockglue.c:1777

BUG: memory leak
unreferenced object 0xffff88810fbf5500 (size 256):
comm "kworker/u8:0", pid 12, jiffies 4294942140
hex dump (first 32 bytes):
00 b9 8b 00 81 88 ff ff 00 72 02 01 81 88 ff ff .........r......
00 e1 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 88397b4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
netif_free_tx_queues net/core/dev.c:11206 [inline]
free_netdev+0x71/0x380 net/core/dev.c:12183
netdev_run_todo+0x5ec/0x770 net/core/dev.c:11726
ops_exit_rtnl_list net/core/net_namespace.c:189 [inline]
ops_undo_list+0x2bd/0x300 net/core/net_namespace.c:248
cleanup_net+0x287/0x570 net/core/net_namespace.c:704
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810b540200 (size 512):
comm "kworker/u8:2", pid 34, jiffies 4294942151
hex dump (first 32 bytes):
00 8a 51 27 81 88 ff ff 00 2e 7a 2e 81 88 ff ff ..Q'......z.....
00 18 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 8700e7f7):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888127522c00 (size 512):
comm "kworker/u8:7", pid 1176, jiffies 4294942410
hex dump (first 32 bytes):
00 7a 54 0b 81 88 ff ff 00 e6 b9 0f 81 88 ff ff .zT.............
00 18 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc c4b7e6cc):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 1f318b96 Linux 7.0-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=117b875a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=17b8375a580000

Harry Yoo

8:17 AM (13 hours ago) 8:17 AM
to Catalin Marinas, Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
On Fri, Mar 06, 2026 at 07:35:01PM +0000, Catalin Marinas wrote:

[...snip...]

> I wonder whether some early kmem_cache_node allocations like the ones in
> early_kmem_cache_node_alloc() are not tracked and then kmemleak cannot
> find n->barn. I got lost in the slub code, but something like this:

This sounds plausible. Before sheaves, kmem_cache_node just maintained
a list of slabs. Because struct page (and struct slab overlaying on it)
is not tracked by kmemleak (as Vlastimil pointed out off-list),
not calling kmemleak_alloc() for kmem_cache_node was not a problem.

But now it maintains barns and sheaves,
and they are tracked by kmemleak...

> -----------8<-----------------------------------
> diff --git a/mm/slub.c b/mm/slub.c
> index 0c906fefc31b..401557ff5487 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
> slab->freelist = get_freepointer(kmem_cache_node, n);
> slab->inuse = 1;
> kmem_cache_node->node[node] = n;
> + kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
> init_kmem_cache_node(n, NULL);
> inc_slabs_node(kmem_cache_node, node, slab->objects);

But this function is called for kmem_cache_node cache
(in kmem_cache_init()), even before kmemleak_init()?

kmem_cache and kmalloc caches should call kmemleak_alloc() when
allocating kmem_cache_node structures, but as they are also created
before kmemleak_init(), I doubt that's actually doing its job...

I think we should probably introduce a slab function that kmemleak_init()
calls, which iterates over all slab caches and calls kmemleak_alloc()
for their kmem_cache_node structures?

> -------------8<----------------------------------------
>
> Another thing I noticed, not sure it's related but we should probably
> ignore an object once it has been passed to kvfree_call_rcu(), similar
> to what we do on the main path in this function. Also see commit
> 5f98fd034ca6 ("rcu: kmemleak: Ignore kmemleak false positives when
> RCU-freeing objects") when we added this kmemleak_ignore().
>
> ---------8<-----------------------------------
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index d5a70a831a2a..73f4668d870d 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
> if (!head)
> might_sleep();
>
> - if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
> + if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
> + /*
> + * The object is now queued for deferred freeing via an RCU
> + * sheaf. Tell kmemleak to ignore it.
> + */
> + kmemleak_ignore(ptr);

As Vlastimil pointed out off-list, we need to let kmemleak ignore
sheaves when they are submitted to call_rcu() and ideally undo
kmemleak_ignore() in __kfree_rcu_sheaf() when they are going to be reused.

But looking at mm/kmemleak.c, undoing kmemleak_ignore() doesn't seem to
be a thing.

We could probably send it as a hotfix and fix potential false negatives
later?

I thought this was a more plausible theory and told syzbot to test it [1],
but it still complains :)

[1] https://lore.kernel.org/linux-mm/aa6lBQDAVnqjz_lk@hyeyoo

> return;
> + }
>
> // Queue the object but don't yet schedule the batch.
> if (debug_rcu_head_queue(ptr)) {
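Review bot: The added `kmemleak_ignore(ptr);` runs only after `kfree_rcu_sheaf(ptr)` has returned true, i.e. after the object has already been handed off; if a filled sheaf is submitted to call_rcu() inside that call, nothing in the quoted lines stops the grace period from ending and `__kfree_rcu_sheaf()` freeing `ptr` before the ignore executes, in which case kmemleak would presumably warn about an unknown object or, worse, paint a fresh allocation that reused the address black. Doing the ignore before the hand-off closes that window: `kmemleak_ignore(ptr);` placed immediately before the `if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {` test, with the braces and block comment then no longer needed; the ignore the bulk path already performs would become a harmless repaint when kfree_rcu_sheaf() declines the object. The enclosing kvfree_call_rcu() body continues outside the quoted hunk.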

Catalin Marinas

4:31 PM (4 hours ago) 4:31 PM
to Harry Yoo, Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
On Mon, Mar 09, 2026 at 09:17:32PM +0900, Harry Yoo wrote:
> On Fri, Mar 06, 2026 at 07:35:01PM +0000, Catalin Marinas wrote:
>
> [...snip...]
>
> > I wonder whether some early kmem_cache_node allocations like the ones in
> > early_kmem_cache_node_alloc() are not tracked and then kmemleak cannot
> > find n->barn. I got lost in the slub code, but something like this:
>
> This sounds plausible. Before sheaves, kmem_cache_node just maintained
> a list of slabs. Because struct page (and struct slab overlaying on it)
> is not tracked by kmemleak (as Vlastimil pointed out off-list),
> not calling kmemleak_alloc() for kmem_cache_node was not a problem.
>
> But now it maintains barns and sheaves,
> and they are tracked by kmemleak...

We could simply add kmemleak_ignore(), especially as we don't need the
data in these structures to be scanned. We can assume the slab allocator
doesn't leak its own data structures. But I couldn't figure out why
kmemleak couldn't track down the pointer in the first place and any
random kmemleak_alloc() I added did not solve it.

> > -----------8<-----------------------------------
> > diff --git a/mm/slub.c b/mm/slub.c
> > index 0c906fefc31b..401557ff5487 100644
> > --- a/mm/slub.c
> > +++ b/mm/slub.c
> > @@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
> > slab->freelist = get_freepointer(kmem_cache_node, n);
> > slab->inuse = 1;
> > kmem_cache_node->node[node] = n;
> > + kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
> > init_kmem_cache_node(n, NULL);
> > inc_slabs_node(kmem_cache_node, node, slab->objects);
>
> But this function is called for kmem_cache_node cache
> (in kmem_cache_init()), even before kmemleak_init()?

That's fine, kmemleak starts as enabled by default and tracks early
allocations in a local mem_pool[] array. kmemleak_init() just
initialises its kmem_caches for the long run.

> kmem_cache and kmalloc caches should call kmemleak_alloc() when
> allocating kmem_cache_node structures, but as they are also created
> before kmemleak_init(), I doubt that's actually doing its job...

It does. I just added a kmemleak_alloc() in create_kmalloc_cache() and
kmemleak complained that the object from the kmem_cache_zalloc() is
already registered. Of course, no stack trace saved for these early
allocations but it does track them.
If that's needed, something like below:

----------------------8<---------------------------------
diff --git a/Documentation/dev-tools/kmemleak.rst b/Documentation/dev-tools/kmemleak.rst
index 7d784e03f3f9..da2c849d4735 100644
--- a/Documentation/dev-tools/kmemleak.rst
+++ b/Documentation/dev-tools/kmemleak.rst
@@ -163,6 +163,7 @@ See the include/linux/kmemleak.h header for the functions prototype.
- ``kmemleak_not_leak`` - mark an object as not a leak
- ``kmemleak_transient_leak`` - mark an object as a transient leak
- ``kmemleak_ignore`` - do not scan or report an object as leak
+- ``kmemleak_unignore`` - undo a previous kmemleak_ignore()
- ``kmemleak_scan_area`` - add scan areas inside a memory block
- ``kmemleak_no_scan`` - do not scan a memory block
- ``kmemleak_erase`` - erase an old value in a pointer variable
diff --git a/include/linux/kmemleak.h b/include/linux/kmemleak.h
index fbd424b2abb1..4eec0560be09 100644
--- a/include/linux/kmemleak.h
+++ b/include/linux/kmemleak.h
@@ -28,6 +28,7 @@ extern void kmemleak_update_trace(const void *ptr) __ref;
extern void kmemleak_not_leak(const void *ptr) __ref;
extern void kmemleak_transient_leak(const void *ptr) __ref;
extern void kmemleak_ignore(const void *ptr) __ref;
+extern void kmemleak_unignore(const void *ptr, int min_count) __ref;
extern void kmemleak_ignore_percpu(const void __percpu *ptr) __ref;
extern void kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp) __ref;
extern void kmemleak_no_scan(const void *ptr) __ref;
@@ -104,6 +105,10 @@ static inline void kmemleak_ignore_percpu(const void __percpu *ptr)
static inline void kmemleak_ignore(const void *ptr)
{
}
+
+static inline void kmemleak_unignore(const void *ptr, int min_count)
+{
+}
static inline void kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp)
{
}
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d79acf5c5100..99b7ebd03737 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -1292,6 +1292,24 @@ void __ref kmemleak_ignore(const void *ptr)
}
EXPORT_SYMBOL(kmemleak_ignore);

+/**
+ * kmemleak_unignore - undo a previous kmemleak_ignore() on an object
+ * @ptr: pointer to beginning of the object
+ * @min_count: minimum number of references the object must have to be
+ * considered a non-leak (see kmemleak_alloc() for details)
+ *
+ * Calling this function undoes a prior kmemleak_ignore() by restoring the
+ * given min_count, making the object visible to kmemleak again.
+ */
+void __ref kmemleak_unignore(const void *ptr, int min_count)
+{
+ pr_debug("%s(0x%px)\n", __func__, ptr);
+
+ if (kmemleak_enabled && ptr && !IS_ERR(ptr))
+ paint_ptr((unsigned long)ptr, min_count, 0);
+}
+EXPORT_SYMBOL(kmemleak_unignore);
+
/**
* kmemleak_scan_area - limit the range to be scanned in an allocated object
* @ptr: pointer to beginning or inside the object. This also
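Review bot: The kerneldoc for kmemleak_unignore() does not say that `min_count` is passed to `paint_ptr()` unchanged as the object's colour, so a negative value (the colour kmemleak_ignore() itself applies) leaves the object ignored rather than undoing anything, and the function performs no range check. Suggest extending the `@min_count` line with `must be >= 0; pass the value originally given to kmemleak_alloc()` and, if a mismatch should be loud, adding `if (WARN_ON_ONCE(min_count < 0)) return;` ahead of the `paint_ptr()` call. It would also help callers on the RCU-sheaf reuse path to document that, presumably like kmemleak_ignore(), the call warns when `ptr` is not a currently tracked object, since a sheaf may already have been freed by the time it is reused.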
----------------------8<---------------------------------

--
Catalin