[syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf


syzbot

Feb 9, 2026, 1:26:30 PM
to Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz
Hello,

syzbot found the following issue on:

HEAD commit: e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=122ae7fa580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d7d0fbecb37bff8
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=130e2944580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/28d29c9b5ae2/disk-e7aa5724.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0683244c7a0f/vmlinux-e7aa5724.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cd8cc5cb8b94/bzImage-e7aa5724.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f78f58e821b0/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=10f7165a580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cae780...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888113218600 (size 512):
comm "sed", pid 6046, jiffies 4294945902
hex dump (first 32 bytes):
00 8e 13 29 81 88 ff ff 00 12 86 27 81 88 ff ff ...).......'....
00 5a 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 .Z..............
backtrace (crc 49909e19):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_empty_sheaf+0x36/0x50 mm/slub.c:2618
__kfree_rcu_sheaf+0x155/0x210 mm/slub.c:6304
kfree_rcu_sheaf mm/slab_common.c:1631 [inline]
kvfree_call_rcu+0x202/0x3d0 mm/slab_common.c:1981
ma_free_rcu lib/maple_tree.c:208 [inline]
ma_free_rcu+0x29/0x40 lib/maple_tree.c:205
mas_free lib/maple_tree.c:1174 [inline]
mas_replace_node lib/maple_tree.c:1581 [inline]
mas_wr_node_store+0x5fc/0x730 lib/maple_tree.c:3553
mas_wr_store_entry+0x4eb/0x760 lib/maple_tree.c:3764
mas_store_prealloc+0x358/0x740 lib/maple_tree.c:5169
vma_iter_store_overwrite mm/vma.h:544 [inline]
commit_merge+0x28e/0x490 mm/vma.c:763
vma_expand+0x264/0x460 mm/vma.c:1200
vma_merge_new_range+0xe3/0x350 mm/vma.c:1099
__mmap_region+0x54b/0x15b0 mm/vma.c:2747
mmap_region+0xfb/0x1e0 mm/vma.c:2830
do_mmap+0x7ac/0xb80 mm/mmap.c:558
vm_mmap_pgoff+0x1a6/0x2d0 mm/util.c:581
ksys_mmap_pgoff+0x233/0x2d0 mm/mmap.c:604

BUG: memory leak
unreferenced object 0xffff888127861200 (size 512):
comm "udevd", pid 6236, jiffies 4294948784
hex dump (first 32 bytes):
00 86 21 13 81 88 ff ff 18 e0 05 00 81 88 ff ff ..!.............
00 5a 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 .Z..............
backtrace (crc 5b72581e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
alloc_empty_sheaf+0x36/0x50 mm/slub.c:2618
__kfree_rcu_sheaf+0x155/0x210 mm/slub.c:6304
kfree_rcu_sheaf mm/slab_common.c:1631 [inline]
kvfree_call_rcu+0x202/0x3d0 mm/slab_common.c:1981
ma_free_rcu lib/maple_tree.c:208 [inline]
ma_free_rcu+0x29/0x40 lib/maple_tree.c:205
mas_topiary_node lib/maple_tree.c:2311 [inline]
mas_topiary_node lib/maple_tree.c:2299 [inline]
mas_topiary_replace+0xb0f/0x1400 lib/maple_tree.c:2410
mas_wmb_replace lib/maple_tree.c:2433 [inline]
mas_spanning_rebalance+0x14e1/0x24b0 lib/maple_tree.c:2738
mas_wr_spanning_store+0x983/0x10d0 lib/maple_tree.c:3479
mas_wr_store_entry+0x4d5/0x760 lib/maple_tree.c:3767
mas_store_gfp+0x341/0x640 lib/maple_tree.c:5138
vma_iter_clear_gfp include/linux/mm.h:1141 [inline]
do_vmi_align_munmap+0x259/0x2d0 mm/vma.c:1574
do_vmi_munmap+0x17c/0x280 mm/vma.c:1627
__vm_munmap+0xec/0x200 mm/vma.c:3247
__do_sys_munmap mm/mmap.c:1077 [inline]
__se_sys_munmap mm/mmap.c:1074 [inline]
__x64_sys_munmap+0x1f/0x30 mm/mmap.c:1074
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88812c458000 (size 4480):
comm "udevd", pid 5181, jiffies 4294950983
hex dump (first 32 bytes):
01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 ................
backtrace (crc ad4af9e6):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x422/0x590 mm/slub.c:5315
alloc_task_struct_node kernel/fork.c:184 [inline]
dup_task_struct kernel/fork.c:915 [inline]
copy_process+0x286/0x2870 kernel/fork.c:2052
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
__do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881274a1540 (size 184):
comm "udevd", pid 5181, jiffies 4294950983
hex dump (first 32 bytes):
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 54e589bc):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270
prepare_creds+0x22/0x600 kernel/cred.c:185
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x2870 kernel/fork.c:2086
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
__do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888109639020 (size 32):
comm "udevd", pid 5181, jiffies 4294950983
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f8 52 86 00 81 88 ff ff 00 00 00 00 00 00 00 00 .R..............
backtrace (crc 336e1c5f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_cred_alloc security/security.c:209 [inline]
security_prepare_creds+0x2d/0x290 security/security.c:2763
prepare_creds+0x395/0x600 kernel/cred.c:215
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x2870 kernel/fork.c:2086
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
__do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888126fdbd80 (size 64):
comm "udevd", pid 5181, jiffies 4294950983
hex dump (first 32 bytes):
c0 c3 4e 46 81 88 ff ff 00 00 00 00 00 00 00 00 ..NF............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 508a43e4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x465/0x680 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_task_alloc security/security.c:244 [inline]
security_task_alloc+0x2a/0x260 security/security.c:2682
copy_process+0xf07/0x2870 kernel/fork.c:2203
kernel_clone+0xac/0x6e0 kernel/fork.c:2651
__do_sys_clone+0x7f/0xb0 kernel/fork.c:2792
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Qing Wang

Mar 1, 2026, 10:41:15 PM
to syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz
#syz test

diff --git a/mm/slub.c b/mm/slub.c
index cdc1e652ec52..387979b89120 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -6307,15 +6307,21 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj)
goto fail;

if (!local_trylock(&s->cpu_sheaves->lock)) {
- barn_put_empty_sheaf(barn, empty);
+ if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES)
+ barn_put_empty_sheaf(barn, empty);
+ else
+ free_empty_sheaf(s, empty);
goto fail;
}

pcs = this_cpu_ptr(s->cpu_sheaves);

- if (unlikely(pcs->rcu_free))
- barn_put_empty_sheaf(barn, empty);
- else
+ if (unlikely(pcs->rcu_free)) {
+ if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES)
+ barn_put_empty_sheaf(barn, empty);
+ else
+ free_empty_sheaf(s, empty);
+ } else
pcs->rcu_free = empty;
}
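Review bot: no description accompanies this patch (the message body is only `#syz test`), and from the hunk alone it is not clear how bounding the barn's empty-sheaf count addresses the reported leak: the removed `barn_put_empty_sheaf(barn, empty)` handed the sheaf to the barn, which keeps a reference to it, and the added `free_empty_sheaf(s, empty)` only changes where the sheaf ends up when `nr_empty` has reached `MAX_EMPTY_SHEAVES`. Please add a commit message stating which path was thought to drop the sheaf. Two smaller points: the `if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES) ... else free_empty_sheaf(s, empty)` block is duplicated verbatim in both arms and belongs in a small helper, and the new `barn &&` NULL check guards a pointer that the removed lines dereferenced unconditionally, so either the check is redundant or the existing code was already unsafe; the commit message should say which.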

syzbot

Mar 1, 2026, 10:57:04 PM
to ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff88810005fa00 (size 512):
comm "swapper/0", pid 0, jiffies 4294937296
hex dump (first 32 bytes):
00 2e c5 05 81 88 ff ff 00 a2 96 0a 81 88 ff ff ................
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc ee49fed0):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1e4/0x260 mm/slub.c:4602
alloc_from_pcs mm/slub.c:4695 [inline]
slab_alloc_node mm/slub.c:4829 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5353
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__irq_domain_alloc_fwnode+0x37/0x140 kernel/irq/irqdomain.c:95
irq_domain_alloc_named_fwnode include/linux/irqdomain.h:271 [inline]
arch_early_irq_init+0x1c/0x70 arch/x86/kernel/apic/vector.c:803
start_kernel+0x931/0xb80 init/main.c:1114
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148

BUG: memory leak
unreferenced object 0xffff8881008f8c00 (size 512):
comm "kthreadd", pid 2, jiffies 4294937339
hex dump (first 32 bytes):
00 d6 04 00 81 88 ff ff 00 92 96 0a 81 88 ff ff ................
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc f2ef5290):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1e4/0x260 mm/slub.c:4602
alloc_from_pcs mm/slub.c:4695 [inline]
slab_alloc_node mm/slub.c:4829 [inline]
__kmalloc_cache_node_noprof+0x3ef/0x4e0 mm/slub.c:5366
kmalloc_node_noprof include/linux/slab.h:1077 [inline]
__get_vm_area_node+0xc6/0x1d0 mm/vmalloc.c:3221
__vmalloc_node_range_noprof+0x1d3/0xe50 mm/vmalloc.c:4024
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:355 [inline]
dup_task_struct kernel/fork.c:924 [inline]
copy_process+0x3e5/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:490 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:848
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888105c53200 (size 512):
comm "kworker/1:0", pid 23, jiffies 4294937917
hex dump (first 32 bytes):
00 a2 96 0a 81 88 ff ff 00 d4 04 00 81 88 ff ff ................
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc d24dd055):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe9/0x2c0 mm/slub.c:5700
free_to_pcs mm/slub.c:5753 [inline]
slab_free mm/slub.c:6154 [inline]
kfree+0x352/0x390 mm/slub.c:6467
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:467
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888105c52e00 (size 512):
comm "kworker/u8:5", pid 4440, jiffies 4294937918
hex dump (first 32 bytes):
c8 2c 04 00 81 88 ff ff 00 fa 05 00 81 88 ff ff .,..............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc a68b63de):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe9/0x2c0 mm/slub.c:5700
free_to_pcs mm/slub.c:5753 [inline]
slab_free mm/slub.c:6154 [inline]
kfree+0x352/0x390 mm/slub.c:6467
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810a96a200 (size 512):
comm "udevadm", pid 5177, jiffies 4294938175
hex dump (first 32 bytes):
00 fa 05 00 81 88 ff ff 00 32 c5 05 81 88 ff ff .........2......
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 94107438):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1e4/0x260 mm/slub.c:4602
alloc_from_pcs mm/slub.c:4695 [inline]
slab_alloc_node mm/slub.c:4829 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5353
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
kernfs_get_open_node fs/kernfs/file.c:543 [inline]
kernfs_fop_open+0x4f3/0x580 fs/kernfs/file.c:718
do_dentry_open+0x202/0x8d0 fs/open.c:949
vfs_open+0x3d/0x1b0 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x154d/0x1e20 fs/namei.c:4830
do_file_open+0x121/0x200 fs/namei.c:4859
do_sys_openat2+0xa5/0x140 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x82/0xf0 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888109d58400 (size 512):
comm "udevd", pid 5176, jiffies 4294938222
hex dump (first 32 bytes):
00 12 47 2a 81 88 ff ff 00 ee 46 2a 81 88 ff ff ..G*......F*....
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc af8b5cec):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4520 [inline]
slab_alloc_node mm/slub.c:4844 [inline]
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__kfree_rcu_sheaf+0x164/0x240 mm/slub.c:5887
kfree_rcu_sheaf mm/slab_common.c:1608 [inline]
kvfree_call_rcu+0x1f6/0x3c0 mm/slab_common.c:1957
kernfs_unlink_open_file+0x194/0x1b0 fs/kernfs/file.c:604
kernfs_fop_release+0x55/0x110 fs/kernfs/file.c:783
__fput+0x1b5/0x4f0 fs/file_table.c:469
fput_close_sync+0x67/0x120 fs/file_table.c:574
__do_sys_close fs/open.c:1509 [inline]
__se_sys_close fs/open.c:1494 [inline]
__x64_sys_close+0x4a/0xc0 fs/open.c:1494
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 11439c46 Linux 7.0-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1277a202580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=13801006580000

Vlastimil Babka (SUSE)

Mar 2, 2026, 3:39:57 AM
to Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Harry Yoo, Hao Li
I don't think this would fix any leak, and syzbot agrees. It would limit the
empty sheaves in barn more strictly, but they are not leaked.
Hm I don't see any leak in __kfree_rcu_sheaf() or rcu_free_sheaf(). Wonder
if kmemleak lacks visibility into barns or pcs's as roots for searching what
objects are considered referenced, or something?

Harry Yoo

Mar 3, 2026, 8:31:19 PM
to Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li, Catalin Marinas
[+Cc adding Catalin for kmemleak bits]
Objects that are allocated from slab and percpu allocator should be
properly tracked by kmemleak. But those allocated with
gfpflags_allow_spinning() == false are not tracked by kmemleak.

When barns and sheaves are allocated early (!gfpflags_allow_spinning()
due to gfp_allowed_mask) and it skips kmemleak_alloc_recursive(),
it could produce false positives because from kmemleak's point of view,
the objects are not reachable from the root set (data section, stack,
etc.).

To me it seems kmemleak should gain allow_spin == false support
sooner or later.

--
Cheers,
Harry / Hyeonggon

Vlastimil Babka (SUSE)

Mar 4, 2026, 8:39:55 AM
to Harry Yoo, Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li, Catalin Marinas
Good point.

> To me it seems kmemleak should gain allow_spin == false support
> sooner or later.

Or we figure out how to deal with the false allow_spin == false during
boot. Here I'm a bit confused how exactly it happens because AFAICS in
slub we apply gfp_allowed_mask only when allocating a new slab, and in
slab_post_alloc_hook() we apply it to init_mask. That is indeed passed
to kmemleak_alloc_recursive() but not used for the
gfpflags_allow_spinning() decision. kmemleak_alloc_recursive() should
succeed because nobody should be holding any locks that would require
spinning.

Unless it's some interaction with deferred pages like the one fixed by
commit fd3634312a04f33?


Catalin Marinas

Mar 7, 2026, 2:07:37 PM
to Vlastimil Babka (SUSE), Harry Yoo, Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
I don't fully understand what goes on. If kmemleak_alloc_recursive()
failed to allocate for some reason (other than SLAB_NOLEAKTRACE), it
would loudly disable kmemleak altogether and stop reporting leaks. Also
kmemleak doesn't care about allow_spin, it's only the slub code which
avoids calling kmemleak if spinning is not allowed (as it takes some locks,
may call back into the slab allocator).

I wonder whether some early kmem_cache_node allocations like the ones in
early_kmem_cache_node_alloc() are not tracked and then kmemleak cannot
find n->barn. I got lost in the slub code, but something like this:

-----------8<-----------------------------------
diff --git a/mm/slub.c b/mm/slub.c
index 0c906fefc31b..401557ff5487 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
kmem_cache_node->node[node] = n;
+ kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
init_kmem_cache_node(n, NULL);
inc_slabs_node(kmem_cache_node, node, slab->objects);
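Review bot: the new `kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);` carries no comment explaining why this allocation needs manual registration when ordinary slab allocations get it from slab_post_alloc_hook() (visible at the top of every backtrace in the report); a one-line comment above it noting that early_kmem_cache_node_alloc() carves `n` out of a slab page without going through the normal allocation hook would document the special case for the next reader. The commit message should also say that this is a diagnostic to test the untracked-node theory rather than a confirmed fix.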

-------------8<----------------------------------------

Another thing I noticed, not sure it's related but we should probably
ignore an object once it has been passed to kvfree_call_rcu(), similar
to what we do on the main path in this function. Also see commit
5f98fd034ca6 ("rcu: kmemleak: Ignore kmemleak false positives when
RCU-freeing objects") when we added this kmemleak_ignore().

---------8<-----------------------------------
diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();

- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }

// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
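Review bot: `kmemleak_ignore(ptr)` runs only after `kfree_rcu_sheaf(ptr)` has returned true, so the object is already queued for RCU freeing while kmemleak still tracks it; the context lines show this path may sleep (`if (!head) might_sleep();`), so if the caller is preempted and a grace period completes before the ignore call runs, kmemleak would be asked to ignore an object that has already been freed. Consider calling `kmemleak_ignore(ptr)` before `kfree_rcu_sheaf(ptr)` (harmless when it returns false, since the cover text says the main path ignores the object anyway), or extend the new comment to say why the current order is safe. Citing commit 5f98fd034ca6 in that comment would also stop someone later removing the call as redundant.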
----------------8<-----------------------------------

--
Catalin
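A toy model of kmemleak's reachability scan, added here to illustrate the false positive Harry and Catalin describe above; it is not kernel code, and the single "node" object standing in for the untracked kmem_cache_node plus n->barn, with a direct pointer to a sheaf, is a deliberate simplification of the real structures. It also shows why the two candidate fixes differ: registering the node (Catalin's first diff) keeps real leaks visible, while kmemleak_ignore() on the sheaf hides the false positive but would equally hide a genuinely lost sheaf.

```c
/* Toy model of kmemleak's scan (not kernel code). Tracked objects are those
 * the allocator registered via kmemleak_alloc_recursive(); an untracked
 * object is invisible to the scanner, so anything reachable only through
 * it looks unreferenced and gets reported. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_OBJS 8
#define WORDS 4                     /* pointer-sized words per modelled object */

struct obj {
    uintptr_t mem[WORDS];           /* the object's own storage */
    bool tracked;                   /* kmemleak_alloc() was called for it */
    bool ignored;                   /* kmemleak_ignore() was called for it */
    bool referenced;                /* set by the scan */
};

static struct obj objs[MAX_OBJS];
static int nobjs;
static uintptr_t root[WORDS];       /* stands in for .data / stacks (root set) */

static void model_reset(void)
{
    memset(objs, 0, sizeof(objs));
    memset(root, 0, sizeof(root));
    nobjs = 0;
}

/* Allocate a modelled object; 'tracked' mirrors whether the real allocation
 * went through the kmemleak hook or skipped it (e.g. !gfpflags_allow_spinning). */
static struct obj *model_alloc(bool tracked)
{
    struct obj *o = &objs[nobjs++];
    o->tracked = tracked;
    return o;
}

/* kmemleak only knows tracked objects: a word pointing into an untracked
 * one matches nothing and marks nothing. */
static struct obj *lookup(uintptr_t v)
{
    for (int i = 0; i < nobjs; i++) {
        uintptr_t s = (uintptr_t)objs[i].mem;
        if (objs[i].tracked && v >= s && v < s + sizeof(objs[i].mem))
            return &objs[i];
    }
    return NULL;
}

static void scan_words(const uintptr_t *w, bool *changed)
{
    for (int i = 0; i < WORDS; i++) {
        struct obj *o = lookup(w[i]);
        if (o && !o->referenced) {
            o->referenced = true;
            *changed = true;
        }
    }
}

/* One leak scan: roots first, then every tracked object already marked
 * referenced, until a pass marks nothing new. Untracked objects are never
 * scanned, even when they hold the only pointer to a live object. Returns
 * how many tracked, non-ignored objects would be reported as leaks. */
static int model_scan(void)
{
    bool changed = true;
    int reported = 0;

    for (int i = 0; i < nobjs; i++)
        objs[i].referenced = false;
    scan_words(root, &changed);
    while (changed) {
        changed = false;
        for (int i = 0; i < nobjs; i++)
            if (objs[i].tracked && objs[i].referenced)
                scan_words(objs[i].mem, &changed);
    }
    for (int i = 0; i < nobjs; i++)
        if (objs[i].tracked && !objs[i].ignored && !objs[i].referenced)
            reported++;
    return reported;
}

/* Boot-like scenario (constructed): a node holds the only pointer to a
 * sheaf. node_tracked models adding kmemleak_alloc() for the node,
 * ignore_sheaf models kmemleak_ignore() on the sheaf, add_real_leak adds a
 * tracked object nothing points at. Returns the number of reported objects. */
static int scenario(bool node_tracked, bool ignore_sheaf, bool add_real_leak)
{
    model_reset();
    struct obj *node = model_alloc(node_tracked);
    struct obj *sheaf = model_alloc(true);

    root[0] = (uintptr_t)node->mem;         /* kmem_cache_node->node[n] = n */
    node->mem[0] = (uintptr_t)sheaf->mem;   /* simplified n->barn -> sheaf */
    sheaf->ignored = ignore_sheaf;
    if (add_real_leak)
        model_alloc(true);                  /* tracked, unreachable: a true leak */
    return model_scan();
}
```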

Catalin Marinas

Mar 8, 2026, 7:03:04 AM
to syzbot+cae780...@syzkaller.appspotmail.com, Vlastimil Babka (SUSE), Harry Yoo, Qing Wang, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
#syz test

diff --git a/mm/slub.c b/mm/slub.c

Catalin Marinas

Mar 8, 2026, 7:04:13 AM
to syzbot+cae780...@syzkaller.appspotmail.com, Vlastimil Babka (SUSE), Harry Yoo, Qing Wang, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
#syz test

syzbot

Mar 8, 2026, 8:31:08 AM
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_full_main

BUG: memory leak
unreferenced object 0xffff888101d79200 (size 512):
comm "kworker/u8:5", pid 182, jiffies 4294937433
hex dump (first 32 bytes):
e0 22 eb 30 81 88 ff ff b0 b7 ad 81 ff ff ff ff .".0............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 3ee28017):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888101fa6c00 (size 512):
comm "kworker/1:1", pid 41, jiffies 4294937441
hex dump (first 32 bytes):
b0 1e fc 11 81 88 ff ff b0 b7 ad 81 ff ff ff ff ................
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc a295f059):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888109d31a00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937949
hex dump (first 32 bytes):
c0 fa 74 29 81 88 ff ff b0 b7 ad 81 ff ff ff ff ..t)............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc e073aa0b):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888109d3d800 (size 512):
comm "udevadm", pid 5179, jiffies 4294938390
hex dump (first 32 bytes):
88 43 58 27 81 88 ff ff b0 b7 ad 81 ff ff ff ff .CX'............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 37e3920):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5378
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
kernfs_get_open_node fs/kernfs/file.c:543 [inline]
kernfs_fop_open+0x4f3/0x580 fs/kernfs/file.c:718
do_dentry_open+0x202/0x8d0 fs/open.c:949
vfs_open+0x3d/0x1b0 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x154d/0x1e20 fs/namei.c:4830
do_file_open+0x121/0x200 fs/namei.c:4859
do_sys_openat2+0xa5/0x140 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x82/0xf0 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810b5a5000 (size 512):
comm "udevd", pid 5178, jiffies 4294938454
hex dump (first 32 bytes):
80 c5 8e 2b 81 88 ff ff b0 b7 ad 81 ff ff ff ff ...+............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc bce89c59):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5378
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
kernfs_get_open_node fs/kernfs/file.c:543 [inline]
kernfs_fop_open+0x4f3/0x580 fs/kernfs/file.c:718
do_dentry_open+0x202/0x8d0 fs/open.c:949
vfs_open+0x3d/0x1b0 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x154d/0x1e20 fs/namei.c:4830
do_file_open+0x121/0x200 fs/namei.c:4859
do_sys_openat2+0xa5/0x140 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x82/0xf0 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888109d3ce00 (size 512):
comm "udevd", pid 5189, jiffies 4294938454
hex dump (first 32 bytes):
b0 4e 89 2b 81 88 ff ff b0 b7 ad 81 ff ff ff ff .N.+............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc e7e352bb):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
tomoyo_encode2+0xd0/0x1e0 security/tomoyo/realpath.c:45
tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80
tomoyo_realpath_from_path+0xc4/0x2c0 security/tomoyo/realpath.c:283
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x12c/0x290 security/tomoyo/file.c:827
security_inode_getattr+0xaa/0x200 security/security.c:1869
vfs_getattr fs/stat.c:259 [inline]
vfs_fstat+0x48/0xe0 fs/stat.c:281
__do_sys_newfstat+0x42/0xa0 fs/stat.c:551
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: c23719ab Merge tag 'x86-urgent-2026-03-08' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1228e75a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1310e75a580000

syzbot

Mar 8, 2026, 8:42:04 AM
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff88810005f800 (size 512):
comm "swapper/0", pid 0, jiffies 4294937296
hex dump (first 32 bytes):
00 2a 90 00 81 88 ff ff 00 94 30 29 81 88 ff ff .*........0)....
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc a3e5799):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5378
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__irq_domain_alloc_fwnode+0x37/0x140 kernel/irq/irqdomain.c:95
irq_domain_alloc_named_fwnode include/linux/irqdomain.h:271 [inline]
arch_early_irq_init+0x1c/0x70 arch/x86/kernel/apic/vector.c:803
start_kernel+0x931/0xb80 init/main.c:1114
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148

BUG: memory leak
unreferenced object 0xffff8881008f6c00 (size 512):
comm "kthreadd", pid 2, jiffies 4294937344
hex dump (first 32 bytes):
00 94 30 29 81 88 ff ff 00 d6 de 0b 81 88 ff ff ..0)............
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 9181eca5):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_node_noprof+0x3ef/0x4e0 mm/slub.c:5391
kmalloc_node_noprof include/linux/slab.h:1077 [inline]
__get_vm_area_node+0xc6/0x1d0 mm/vmalloc.c:3221
__vmalloc_node_range_noprof+0x1d3/0xe50 mm/vmalloc.c:4024
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:355 [inline]
dup_task_struct kernel/fork.c:924 [inline]
copy_process+0x3e5/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881008fd600 (size 512):
comm "kworker/u8:6", pid 223, jiffies 4294937434
hex dump (first 32 bytes):
00 c6 8f 00 81 88 ff ff d8 2c 04 00 81 88 ff ff .........,......
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 33698a2f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881008fc600 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937441
hex dump (first 32 bytes):
00 1a 39 10 81 88 ff ff 00 d6 8f 00 81 88 ff ff ..9.............
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc fca1c70a):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888100902a00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937448
hex dump (first 32 bytes):
00 c4 58 09 81 88 ff ff 00 f8 05 00 81 88 ff ff ..X.............
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 8a5f0c0d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810958c400 (size 512):
comm "kworker/u8:5", pid 4599, jiffies 4294937964
hex dump (first 32 bytes):
00 4c 6a 12 81 88 ff ff 00 2a 90 00 81 88 ff ff .Lj......*......
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 45e572cd):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: c23719ab Merge tag 'x86-urgent-2026-03-08' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10027054580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=17682a02580000

Harry Yoo

Mar 9, 2026, 6:46:50 AM
to Catalin Marinas, Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
#syz test

diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();

- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }

// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
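Review bot: `kmemleak_ignore(ptr)` runs only after `kfree_rcu_sheaf(ptr)` has already handed the object to the per-cpu rcu sheaf, and this function may sleep when `head` is NULL (`might_sleep()` above), so nothing visible here stops a racing flush from submitting the sheaf to call_rcu and a grace period from completing before the ignore lands; in that window ptr may already be freed or reallocated and the wrong object gets marked. Consider doing the ignore inside `__kfree_rcu_sheaf()` while the cpu_sheaves lock is held, which is where the last hunk already marks the sheaf itself.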
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..9e34a9458162 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3014,8 +3014,10 @@ static void pcs_flush_all(struct kmem_cache *s)
free_empty_sheaf(s, spare);
}

- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }

sheaf_flush_main(s);
}
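Review bot: the `kmemleak_ignore(x); call_rcu(&x->rcu_head, rcu_free_sheaf_nobarn);` pair is repeated here, in __pcs_flush_all_cpu() and in flush_rcu_sheaf(); a small static helper wrapping both calls would keep the kmemleak handling in one place and make the undo that the TODO in the last hunk asks for a single-site change. The helper would also be the natural place for a comment on why the ignore is needed, which none of the three _nobarn sites currently explain.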
@@ -3035,6 +3037,7 @@ static void __pcs_flush_all_cpu(struct kmem_cache *s, unsigned int cpu)
}

if (pcs->rcu_free) {
+ kmemleak_ignore(pcs->rcu_free);
call_rcu(&pcs->rcu_free->rcu_head, rcu_free_sheaf_nobarn);
pcs->rcu_free = NULL;
}
@@ -4031,8 +4034,10 @@ static void flush_rcu_sheaf(struct work_struct *w)

local_unlock(&s->cpu_sheaves->lock);

- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }
}


@@ -5948,8 +5953,15 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj)
* we flush before local_unlock to make sure a racing
* flush_all_rcu_sheaves() doesn't miss this sheaf
*/
- if (rcu_sheaf)
+ if (rcu_sheaf) {
+ /*
+ * TODO: Ideally this should be undone in rcu_free_sheaf,
+ * when the sheaf is returned to a barn to avoid generating
+ * false negatives.
+ */
+ kmemleak_ignore(rcu_sheaf);
call_rcu(&rcu_sheaf->rcu_head, rcu_free_sheaf);
+ }

local_unlock(&s->cpu_sheaves->lock);
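Review bot: the TODO in this hunk is the part that affects the tool's correctness: `rcu_free_sheaf()` (unlike the `_nobarn` callbacks in the earlier hunks) can hand the sheaf back to a barn for reuse, and as noted elsewhere in this thread mm/kmemleak.c has no way to undo `kmemleak_ignore()`, so every sheaf that has been through this path stays black for good and will never be reported even if it leaks later. That trades a false positive for a permanent false negative; the commit message should state this explicitly, and if an unignore API is added, `rcu_free_sheaf()` is where to call it before the sheaf goes back to the barn.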


base-commit: c23719abc3308df7ed3ad35650ad211fb2d2003d
--
2.43.0


syzbot

Mar 9, 2026, 7:11:05 AM
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff8881008bb900 (size 256):
comm "swapper/0", pid 0, jiffies 4294937326
hex dump (first 32 bytes):
00 e8 54 0b 81 88 ff ff 00 55 bf 0f 81 88 ff ff ..T......U......
00 e1 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc e804819c):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4634
alloc_from_pcs mm/slub.c:4725 [inline]
slab_alloc_node mm/slub.c:4859 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__register_sysctl_table+0x4e/0xa60 fs/proc/proc_sysctl.c:1379
register_sysctl_sz fs/proc/proc_sysctl.c:1436 [inline]
__register_sysctl_init+0x30/0x70 fs/proc/proc_sysctl.c:1465
pagecache_init+0x4e/0x70 mm/filemap.c:1095
start_kernel+0xb33/0xb80 init/main.c:1193
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148

BUG: memory leak
unreferenced object 0xffff888104417400 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937905
hex dump (first 32 bytes):
00 42 a4 1c 81 88 ff ff 00 06 05 00 81 88 ff ff .B..............
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc db9a578f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
vfree.part.0+0x1cd/0x4d0 mm/vmalloc.c:3484
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810ad9d600 (size 512):
comm "syz-executor", pid 5829, jiffies 4294941807
hex dump (first 32 bytes):
00 72 0a 00 81 88 ff ff 00 d2 04 00 81 88 ff ff .r..............
00 af 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 57ea7b83):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4634
alloc_from_pcs mm/slub.c:4725 [inline]
slab_alloc_node mm/slub.c:4859 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kvmalloc_node_noprof+0x5a7/0x770 mm/slub.c:6767
allocate_hook_entries_size net/netfilter/core.c:58 [inline]
nf_hook_entries_grow+0x178/0x3e0 net/netfilter/core.c:137
__nf_register_net_hook+0xc4/0x2e0 net/netfilter/core.c:432
nf_register_net_hook+0x8a/0x110 net/netfilter/core.c:575
nf_register_net_hooks+0x5d/0xd0 net/netfilter/core.c:591
ipt_register_table+0x15e/0x220 net/ipv4/netfilter/ip_tables.c:1781
iptable_security_table_init+0x40/0x60 net/ipv4/netfilter/iptable_security.c:46
xt_find_table_lock+0x1a3/0x270 net/netfilter/x_tables.c:1260
xt_request_find_table_lock+0x28/0xb0 net/netfilter/x_tables.c:1285
get_info+0x101/0x460 net/ipv4/netfilter/ip_tables.c:963
do_ipt_get_ctl+0x9b/0x5e0 net/ipv4/netfilter/ip_tables.c:1659
nf_getsockopt+0x61/0xa0 net/netfilter/nf_sockopt.c:116
ip_getsockopt+0x10a/0x150 net/ipv4/ip_sockglue.c:1777

BUG: memory leak
unreferenced object 0xffff88810fbf5500 (size 256):
comm "kworker/u8:0", pid 12, jiffies 4294942140
hex dump (first 32 bytes):
00 b9 8b 00 81 88 ff ff 00 72 02 01 81 88 ff ff .........r......
00 e1 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 88397b4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
netif_free_tx_queues net/core/dev.c:11206 [inline]
free_netdev+0x71/0x380 net/core/dev.c:12183
netdev_run_todo+0x5ec/0x770 net/core/dev.c:11726
ops_exit_rtnl_list net/core/net_namespace.c:189 [inline]
ops_undo_list+0x2bd/0x300 net/core/net_namespace.c:248
cleanup_net+0x287/0x570 net/core/net_namespace.c:704
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810b540200 (size 512):
comm "kworker/u8:2", pid 34, jiffies 4294942151
hex dump (first 32 bytes):
00 8a 51 27 81 88 ff ff 00 2e 7a 2e 81 88 ff ff ..Q'......z.....
00 18 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 8700e7f7):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888127522c00 (size 512):
comm "kworker/u8:7", pid 1176, jiffies 4294942410
hex dump (first 32 bytes):
00 7a 54 0b 81 88 ff ff 00 e6 b9 0f 81 88 ff ff .zT.............
00 18 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc c4b7e6cc):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 1f318b96 Linux 7.0-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=117b875a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=17b8375a580000

Harry Yoo

Mar 9, 2026, 8:17:53 AM
to Catalin Marinas, Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
On Fri, Mar 06, 2026 at 07:35:01PM +0000, Catalin Marinas wrote:

[...snip...]

> I wonder whether some early kmem_cache_node allocations like the ones in
> early_kmem_cache_node_alloc() are not tracked and then kmemleak cannot
> find n->barn. I got lost in the slub code, but something like this:

This sounds plausible. Before sheaves, kmem_cache_node just maintained
a list of slabs. Because struct page (and struct slab overlaying on it)
is not tracked by kmemleak (as Vlastimil pointed out off-list),
not calling kmemleak_alloc() for kmem_cache_node was not a problem.

But now it maintains barns and sheaves,
and they are tracked by kmemleak...

> -----------8<-----------------------------------
> diff --git a/mm/slub.c b/mm/slub.c
> index 0c906fefc31b..401557ff5487 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
> slab->freelist = get_freepointer(kmem_cache_node, n);
> slab->inuse = 1;
> kmem_cache_node->node[node] = n;
> + kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
> init_kmem_cache_node(n, NULL);
> inc_slabs_node(kmem_cache_node, node, slab->objects);

But this function is called for kmem_cache_node cache
(in kmem_cache_init()), even before kmemleak_init()?

kmem_cache and kmalloc caches should call kmemleak_alloc() when
allocating kmem_cache_node structures, but as they are also created
before kmemleak_init(), I doubt that's actually doing its job...

I think we should probably introduce a slab function that kmemleak_init()
calls, which iterates over all slab caches and calls kmemleak_alloc()
for their kmem_cache_node structures?

> -------------8<----------------------------------------
>
> Another thing I noticed, not sure it's related but we should probably
> ignore an object once it has been passed to kvfree_call_rcu(), similar
> to what we do on the main path in this function. Also see commit
> 5f98fd034ca6 ("rcu: kmemleak: Ignore kmemleak false positives when
> RCU-freeing objects") when we added this kmemleak_ignore().
>
> ---------8<-----------------------------------
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index d5a70a831a2a..73f4668d870d 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
> if (!head)
> might_sleep();
>
> - if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
> + if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
> + /*
> + * The object is now queued for deferred freeing via an RCU
> + * sheaf. Tell kmemleak to ignore it.
> + */
> + kmemleak_ignore(ptr);

As Vlastimil pointed out off-list, we need to let kmemleak ignore
sheaves when they are submitted to call_rcu() and ideally undo
kmemleak_ignore() in __kfree_rcu_sheaf() when they are going to be reused.

But looking at mm/kmemleak.c, undoing kmemleak_ignore() doesn't seem to
be a thing.

We could probably send it as a hotfix and fix potential false negatives
later?

I thought this was a more plausible theory and told syzbot to test it [1],
but it still complains :)

[1] https://lore.kernel.org/linux-mm/aa6lBQDAVnqjz_lk@hyeyoo

> return;
> + }
>
> // Queue the object but don't yet schedule the batch.
> if (debug_rcu_head_queue(ptr)) {
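
The two mechanisms argued over in this thread, an untracked kmem_cache_node hiding the pointer to its barn and kmemleak_ignore() being permanent, in a user-space toy of kmemleak's scan. This is an added example, not code from the thread or from the kernel: `struct sheaf`, `struct barn`, `struct kmem_cache_node`, `boot_node` and the `kl_*` functions are constructed stand-ins that model only kmemleak's min_count, white/gray/black colouring and word-by-word pointer scan.

```c
/*
 * Added example, not kernel code: a user-space toy of kmemleak's scan. Roots
 * (.bss here) and gray objects (already found referenced) are scanned word by
 * word for pointers; unregistered memory and white (unreferenced) objects never
 * are, and kl_ignore() paints an object black: not scanned, not reported, no undo.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define KL_MAX_OBJS 16
struct kl_object {
    uintptr_t start, end;
    int min_count, count;       /* references required / references found */
    int black, scanned;
};
static struct kl_object kl_objs[KL_MAX_OBJS];
static int kl_nr;

/* Constructed stand-ins for the chain in the thread: node -> barn -> sheaf. */
struct sheaf { long size; };
struct barn { struct sheaf *sheaf; };
struct kmem_cache_node { struct barn *barn; };
static struct kmem_cache_node *boot_node;   /* stands in for .bss: the only root */

static struct kl_object *kl_lookup(uintptr_t p)
{
    for (int i = 0; i < kl_nr; i++)
        if (p >= kl_objs[i].start && p < kl_objs[i].end)
            return &kl_objs[i];
    return NULL;
}

/* Like kmemleak_alloc(): register a range and the reference count it needs. */
void kl_alloc(const void *ptr, size_t size, int min_count)
{
    kl_objs[kl_nr++] = (struct kl_object){ (uintptr_t)ptr, (uintptr_t)ptr + size, min_count, 0, 0, 0 };
}

/* Like kmemleak_ignore(): the object is neither scanned nor reported again. */
void kl_ignore(const void *ptr)
{
    struct kl_object *o = kl_lookup((uintptr_t)ptr);
    if (o) o->black = 1;
}

static void kl_scan_region(uintptr_t start, size_t size, struct kl_object *self)
{
    for (uintptr_t p = start; p + sizeof p <= start + size; p += sizeof p) {
        uintptr_t v;
        memcpy(&v, (const void *)p, sizeof v);  /* any aligned word may be a pointer */
        struct kl_object *o = kl_lookup(v);
        if (o && o != self)                     /* self-references do not count */
            o->count++;
    }
}

/* One scan pass; returns how many objects kmemleak would report as leaks. */
int kl_scan(void)
{
    int progress = 1, leaks = 0;
    for (int i = 0; i < kl_nr; i++)
        kl_objs[i].count = kl_objs[i].scanned = 0;
    kl_scan_region((uintptr_t)&boot_node, sizeof boot_node, NULL);
    while (progress) {                  /* scan gray objects until a fixpoint */
        progress = 0;
        for (int i = 0; i < kl_nr; i++) {
            struct kl_object *o = &kl_objs[i];
            if (!o->black && !o->scanned && o->count >= o->min_count) {
                o->scanned = progress = 1;
                kl_scan_region(o->start, o->end - o->start, o);
            }
        }
    }
    for (int i = 0; i < kl_nr; i++)
        if (!kl_objs[i].black && kl_objs[i].count < kl_objs[i].min_count)
            leaks++;
    return leaks;
}

/* track_node: register the node (the early_kmem_cache_node_alloc() hunk); ignore:
 * 0 none, 1 the barn, 2 the sheaf; drop_ref: unlink the sheaf so it really leaks. */
int scenario(int track_node, int ignore, int drop_ref)
{
    struct kmem_cache_node *n = calloc(1, sizeof *n);
    struct barn *b = calloc(1, sizeof *b);
    struct sheaf *s = calloc(1, sizeof *s);
    kl_nr = 0;
    boot_node = n;
    n->barn = b;
    b->sheaf = drop_ref ? NULL : s;
    kl_alloc(b, sizeof *b, 1);      /* barn and sheaf are ordinary tracked kmallocs */
    kl_alloc(s, sizeof *s, 1);
    if (track_node)
        kl_alloc(n, sizeof *n, 1);
    kl_ignore(ignore == 1 ? (void *)b : ignore == 2 ? (void *)s : NULL);
    int leaks = kl_scan();
    free(n); free(b); free(s);
    return leaks;
}
```

scenario(0, 0, 0) reports both barn and sheaf although both are in use, scenario(1, 1, 0) shows that ignoring the barn also hides its pointer to the sheaf (why the patch above has to ignore the queued objects as well as the sheaf), and scenario(1, 2, 1) is the false negative the TODO in the patch warns about.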

Catalin Marinas

Mar 9, 2026, 4:31:11 PM
to Harry Yoo, Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
On Mon, Mar 09, 2026 at 09:17:32PM +0900, Harry Yoo wrote:
> On Fri, Mar 06, 2026 at 07:35:01PM +0000, Catalin Marinas wrote:
>
> [...snip...]
>
> > I wonder whether some early kmem_cache_node allocations like the ones in
> > early_kmem_cache_node_alloc() are not tracked and then kmemleak cannot
> > find n->barn. I got lost in the slub code, but something like this:
>
> This sounds plausible. Before sheaves, kmem_cache_node just maintained
> a list of slabs. Because struct page (and struct slab overlaying on it)
> is not tracked by kmemleak (as Vlastimil pointed out off-list),
> not calling kmemleak_alloc() for kmem_cache_node was not a problem.
>
> But now it maintains barns and sheaves,
> and they are tracked by kmemleak...

We could simply add kmemleak_ignore(), especially as we don't need the
data in these structures to be scanned. We can assume the slab allocator
doesn't leak its own data structures. But I couldn't figure out why
kmemleak couldn't track down the pointer in the first place and any
random kmemleak_alloc() I added did not solve it.

> > -----------8<-----------------------------------
> > diff --git a/mm/slub.c b/mm/slub.c
> > index 0c906fefc31b..401557ff5487 100644
> > --- a/mm/slub.c
> > +++ b/mm/slub.c
> > @@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
> > slab->freelist = get_freepointer(kmem_cache_node, n);
> > slab->inuse = 1;
> > kmem_cache_node->node[node] = n;
> > + kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
> > init_kmem_cache_node(n, NULL);
> > inc_slabs_node(kmem_cache_node, node, slab->objects);
>
> But this function is called for kmem_cache_node cache
> (in kmem_cache_init()), even before kmemleak_init()?

That's fine, kmemleak starts as enabled by default and tracks early
allocations in a local mem_pool[] array. kmemleak_init() just
initialises its kmem_caches for the long run.

> kmem_cache and kmalloc caches should call kmemleak_alloc() when
> allocating kmem_cache_node structures, but as they are also created
> before kmemleak_init(), I doubt that's actually doing its job...

It does. I just added a kmemleak_alloc() in create_kmalloc_cache() and
kmemleak complained that the object from the kmem_cache_zalloc() is
already registered. Of course, no stack trace saved for these early
allocations but it does track them.
If that's needed, something like below:

----------------------8<---------------------------------
diff --git a/Documentation/dev-tools/kmemleak.rst b/Documentation/dev-tools/kmemleak.rst
index 7d784e03f3f9..da2c849d4735 100644
--- a/Documentation/dev-tools/kmemleak.rst
+++ b/Documentation/dev-tools/kmemleak.rst
@@ -163,6 +163,7 @@ See the include/linux/kmemleak.h header for the functions prototype.
- ``kmemleak_not_leak`` - mark an object as not a leak
- ``kmemleak_transient_leak`` - mark an object as a transient leak
- ``kmemleak_ignore`` - do not scan or report an object as leak
+- ``kmemleak_unignore`` - undo a previous kmemleak_ignore()
- ``kmemleak_scan_area`` - add scan areas inside a memory block
- ``kmemleak_no_scan`` - do not scan a memory block
- ``kmemleak_erase`` - erase an old value in a pointer variable
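Review bot: the new entry does not say that kmemleak_unignore() takes a second argument, unlike kmemleak_ignore() right above it; since the header hunk below declares it as `kmemleak_unignore(const void *ptr, int min_count)`, the kmemleak.rst line should mention that the caller supplies the min_count to restore, e.g. `undo a previous kmemleak_ignore(), restoring the given min_count`, so readers of the document do not have to open the header to learn the signature.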
diff --git a/include/linux/kmemleak.h b/include/linux/kmemleak.h
index fbd424b2abb1..4eec0560be09 100644
--- a/include/linux/kmemleak.h
+++ b/include/linux/kmemleak.h
@@ -28,6 +28,7 @@ extern void kmemleak_update_trace(const void *ptr) __ref;
extern void kmemleak_not_leak(const void *ptr) __ref;
extern void kmemleak_transient_leak(const void *ptr) __ref;
extern void kmemleak_ignore(const void *ptr) __ref;
+extern void kmemleak_unignore(const void *ptr, int min_count) __ref;
extern void kmemleak_ignore_percpu(const void __percpu *ptr) __ref;
extern void kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp) __ref;
extern void kmemleak_no_scan(const void *ptr) __ref;
@@ -104,6 +105,10 @@ static inline void kmemleak_ignore_percpu(const void __percpu *ptr)
static inline void kmemleak_ignore(const void *ptr)
{
}
+
+static inline void kmemleak_unignore(const void *ptr, int min_count)
+{
+}
static inline void kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp)
{
}
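Review bot: style: the inline stubs surrounding this hunk (kmemleak_ignore, kmemleak_scan_area) follow each other with no blank line, whereas the added stub is preceded by a `+` blank line and followed by none; dropping the added blank line keeps the block consistent with its neighbours.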
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d79acf5c5100..99b7ebd03737 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -1292,6 +1292,24 @@ void __ref kmemleak_ignore(const void *ptr)
}
EXPORT_SYMBOL(kmemleak_ignore);

+/**
+ * kmemleak_unignore - undo a previous kmemleak_ignore() on an object
+ * @ptr: pointer to beginning of the object
+ * @min_count: minimum number of references the object must have to be
+ * considered a non-leak (see kmemleak_alloc() for details)
+ *
+ * Calling this function undoes a prior kmemleak_ignore() by restoring the
+ * given min_count, making the object visible to kmemleak again.
+ */
+void __ref kmemleak_unignore(const void *ptr, int min_count)
+{
+ pr_debug("%s(0x%px)\n", __func__, ptr);
+
+ if (kmemleak_enabled && ptr && !IS_ERR(ptr))
+ paint_ptr((unsigned long)ptr, min_count, 0);
+}
+EXPORT_SYMBOL(kmemleak_unignore);
+
/**
* kmemleak_scan_area - limit the range to be scanned in an allocated object
* @ptr: pointer to beginning or inside the object. This also
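Review bot: paint_ptr(ptr, min_count, 0) restores min_count but not scanning: __paint_it() sets OBJECT_NO_SCAN when the colour is KMEMLEAK_BLACK and has no branch that clears it (visible as context in the __paint_it hunk of Harry Yoo's later test patch in this thread), so an object that goes through kmemleak_ignore() and then kmemleak_unignore() becomes reportable again while its contents stay unscanned, and anything referenced only from it is then reported as a leak. Either clear OBJECT_NO_SCAN for non-black colours here or in __paint_it(), and adjust the kerneldoc, which currently promises the object is "visible to kmemleak again".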
----------------------8<---------------------------------

--
Catalin
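
The min_count and colouring rules Catalin describes above, as an added C model that is not code from this thread, from mm/kmemleak.c or from mm/slub.c: it registers three constructed static objects standing in for a kmem_cache_node, a sheaf and a kfree_rcu'd object that is still registered, scans a single pointer in .data as the only root, and reimplements __paint_it() both as shown in the context lines of Harry Yoo's later test patch and with the else branch that patch adds. The model simplifies kmemleak by scanning every non-black object in one pass (the real scanner only follows pointers out of objects already found referenced); the names KL_BLACK, NO_SCAN, tobj and the scenario functions are this example's own. Each scenario returns the number of objects kmemleak would report.

```c
/* Toy model of kmemleak's colouring and scan, added for this thread as an illustration (not kernel code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define KL_BLACK (-1)   /* KMEMLEAK_BLACK: never reported, never scanned */
#define NO_SCAN   1u    /* stands in for OBJECT_NO_SCAN */

/* One kmemleak_object: min_count == KL_BLACK means ignored; count is what the last scan found. */
struct tobj { uintptr_t ptr; size_t size; int min_count, count; unsigned int flags; };
static struct tobj objs[8];
static int nobjs;
/* Constructed stand-ins for the chain kmem_cache_node -> (barn) -> sheaf -> queued object. */
static struct sheaf { void *objects[2]; } the_sheaf;   /* struct slab_sheaf */
static struct node { struct sheaf *full; } the_node;   /* kmem_cache_node holding a full sheaf */
static struct { struct node *n; } roots;               /* .data: kmem_cache_node->node[] */
static struct { uintptr_t pad[2]; } the_obj;           /* kfree_rcu'd object, still registered */

/* Find the tracked object containing p; interior pointers count, as in kmemleak. */
static struct tobj *lookup(const void *p)
{
	uintptr_t a = (uintptr_t)p;
	for (int i = 0; i < nobjs; i++)
		if (a >= objs[i].ptr && a - objs[i].ptr < objs[i].size)
			return &objs[i];
	return NULL;
}
/* kmemleak_alloc(): register an object with its min_count (1 for slab objects). */
static void track(const void *p, size_t n, int m) { objs[nobjs++] = (struct tobj){ (uintptr_t)p, n, m }; }

/* __paint_it(): black sets NO_SCAN; only the fixed variant (the else branch from Harry Yoo's later test patch) clears it again. */
static void paint(const void *p, int color, bool fixed)
{
	struct tobj *o = lookup(p);
	o->min_count = color;
	if (color == KL_BLACK)
		o->flags |= NO_SCAN;
	else if (fixed)
		o->flags &= ~NO_SCAN;
}
/* Conservative scan: each aligned word in the range that lands in a tracked object is a reference. */
static void scan_range(const void *start, size_t len)
{
	for (const uintptr_t *w = start; len >= sizeof(*w); len -= sizeof(*w), w++) {
		struct tobj *t = lookup((const void *)*w);
		if (t)
			t->count++;
	}
}
/* One scan: roots, then every scannable object (simplified: kmemleak only follows pointers out of objects
 * already found referenced). Returns how many objects would be reported: not black, count below min_count. */
static int scan(void)
{
	int leaks = 0;
	for (int i = 0; i < nobjs; i++)
		objs[i].count = 0;
	scan_range(&roots, sizeof(roots));
	for (int i = 0; i < nobjs; i++)
		if (!(objs[i].flags & NO_SCAN))
			scan_range((const void *)objs[i].ptr, objs[i].size);
	for (int i = 0; i < nobjs; i++)
		leaks += objs[i].min_count != KL_BLACK && objs[i].count < objs[i].min_count;
	return leaks;
}

/* Build roots -> node -> sheaf -> object; the node's registration is the optional part. */
static void setup(bool track_node)
{
	nobjs = 0;
	roots.n = &the_node;
	the_node.full = &the_sheaf;
	the_sheaf.objects[0] = &the_obj;
	if (track_node)
		track(&the_node, sizeof(the_node), 1);
	track(&the_sheaf, sizeof(the_sheaf), 1);
	track(&the_obj, sizeof(the_obj), 1);
}

/* Node unregistered (early_kmem_cache_node_alloc() without kmemleak_alloc()): the sheaf is reported (1); registered: 0. */
int leaks_with_node(bool track_node) { setup(track_node); return scan(); }
/* kmemleak_ignore() on the sheaf alone leaves the held object unscanned and reported (1); ignoring it too, as the slab_common.c hunk does: 0. */
int leaks_ignored_sheaf(bool ignore_object)
{
	setup(false);
	paint(&the_sheaf, KL_BLACK, false);
	if (ignore_object)
		paint(&the_obj, KL_BLACK, false);
	return scan();
}
/* kmemleak_unignore(sheaf, 1) through the original __paint_it() leaves NO_SCAN set, so the held object is reported (1); fixed: 0. */
int leaks_after_unignore(bool fixed)
{
	setup(true);
	paint(&the_sheaf, KL_BLACK, fixed);
	paint(&the_sheaf, 1, fixed);
	return scan();
}
```

The first scenario is the thread's original false positive: with the early kmem_cache_node unregistered, the sheaf reachable only through it is reported. The second shows the cost of kmemleak_ignore() on the sheaf alone: a black object is also not scanned, so the report moves to the objects the sheaf holds, which is why the slab_common.c hunk later in the thread ignores the queued object as well. The third reproduces the problem with kmemleak_unignore() as first posted: restoring min_count without clearing OBJECT_NO_SCAN brings the sheaf back but not the scanning of its contents.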

Harry Yoo

Mar 9, 2026, 11:40:16 PM
to Catalin Marinas, Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
#syz test

diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();

- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }

// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
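Review bot: the object marked here is the kfree_rcu'd pointer, but the unreferenced 512-byte objects in the syzbot reports on this thread are allocated in __alloc_empty_sheaf(), i.e. they are the sheaves, not the queued objects. Because kmemleak_ignore() both stops an object from being reported and stops its contents from being scanned until it is really freed, this call hides a genuine leak of the queued object should the sheaf path ever lose it, and it does nothing for the sheaf itself; if the intent is to silence the objects a black sheaf holds, the comment should say so, otherwise the ignore belongs on the sheaf at the call_rcu() site.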
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..36f613f48bd0 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -7538,6 +7550,7 @@ static void early_kmem_cache_node_alloc(int node)
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
kmem_cache_node->node[node] = n;
+ kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
init_kmem_cache_node(n, NULL);
inc_slabs_node(kmem_cache_node, node, slab->objects);
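Review bot: sizeof(*n) registers the struct size, whereas objects allocated from kmem_cache_node through the normal path are registered by slab_post_alloc_hook() (the kmemleak_alloc_recursive frames in the backtraces above) with the cache's object_size; the two coincide for this cache today, but kmem_cache_node->object_size ties the early registration to the same value (the later revisions in this thread try ->size and then ->object_size; ->size also spans debug metadata, which kmemleak should not scan). A one-line comment saying that this early allocation bypasses slab_post_alloc_hook() and therefore has to be registered by hand would also help the next reader.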


base-commit: c23719abc3308df7ed3ad35650ad211fb2d2003d
--
2.43.0


syzbot

Mar 9, 2026, 11:54:07 PM
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff888100b60200 (size 512):
comm "kthreadd", pid 2, jiffies 4294937343
hex dump (first 32 bytes):
00 6c c3 09 81 88 ff ff 00 9a 9d 0a 81 88 ff ff .l..............
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 8a95531e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4634
alloc_from_pcs mm/slub.c:4725 [inline]
slab_alloc_node mm/slub.c:4859 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_node_noprof+0x57e/0x5d0 mm/slub.c:5274
kmalloc_node_noprof include/linux/slab.h:1081 [inline]
__vmalloc_area_node mm/vmalloc.c:3855 [inline]
__vmalloc_node_range_noprof+0x284/0xe50 mm/vmalloc.c:4064
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:355 [inline]
dup_task_struct kernel/fork.c:924 [inline]
copy_process+0x3e5/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810438c200 (size 512):
comm "swapper/0", pid 1, jiffies 4294937794
hex dump (first 32 bytes):
00 02 10 0e 81 88 ff ff 00 56 c3 09 81 88 ff ff .........V......
00 17 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 3e1bb722):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
v4l2_ctrl_handler_free drivers/media/v4l2-core/v4l2-ctrls-core.c:1756 [inline]
v4l2_ctrl_handler_free+0x92/0x290 drivers/media/v4l2-core/v4l2-ctrls-core.c:1736
vivid_dev_release+0x26/0x90 drivers/media/test-drivers/vivid/vivid-core.c:857
v4l2_device_release drivers/media/v4l2-core/v4l2-device.c:51 [inline]
kref_put include/linux/kref.h:65 [inline]
v4l2_device_put+0x6b/0xa0 drivers/media/v4l2-core/v4l2-device.c:56
vivid_create_instance drivers/media/test-drivers/vivid/vivid-core.c:2070 [inline]
vivid_probe.cold+0x55a/0x386d drivers/media/test-drivers/vivid/vivid-core.c:2095
platform_probe+0x86/0xf0 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:583 [inline]
really_probe+0x12f/0x3a0 drivers/base/dd.c:661
__driver_probe_device+0xc7/0x160 drivers/base/dd.c:803
driver_probe_device+0x2a/0x120 drivers/base/dd.c:833
__driver_attach drivers/base/dd.c:1227 [inline]
__driver_attach+0x10a/0x200 drivers/base/dd.c:1167
bus_for_each_dev+0xb8/0x120 drivers/base/bus.c:383
bus_add_driver+0x122/0x280 drivers/base/bus.c:715
driver_register+0xb1/0x140 drivers/base/driver.c:249

BUG: memory leak
unreferenced object 0xffff888109c35c00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937868
hex dump (first 32 bytes):
00 68 d4 09 81 88 ff ff 00 9c de 09 81 88 ff ff .h..............
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 9ab54a7c):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
vfree.part.0+0x1cd/0x4d0 mm/vmalloc.c:3484
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810a9d9a00 (size 512):
comm "swapper/0", pid 1, jiffies 4294937887
hex dump (first 32 bytes):
00 02 b6 00 81 88 ff ff 00 98 9d 0a 81 88 ff ff ................
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 368f6316):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
slab_sysfs_init+0xce/0xf0 mm/slub.c:9613
do_one_initcall+0x79/0x4c0 init/main.c:1382
do_initcall_level init/main.c:1444 [inline]
do_initcalls init/main.c:1460 [inline]
do_basic_setup init/main.c:1479 [inline]
kernel_init_freeable+0x2a4/0x340 init/main.c:1692
kernel_init+0x1b/0x1d0 init/main.c:1582
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810a9d9600 (size 512):
comm "swapper/0", pid 1, jiffies 4294937887
hex dump (first 32 bytes):
00 b6 34 0a 81 88 ff ff 00 6c c3 09 81 88 ff ff ..4......l......
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc d6fcd7dc):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
slab_sysfs_init+0xce/0xf0 mm/slub.c:9613
do_one_initcall+0x79/0x4c0 init/main.c:1382
do_initcall_level init/main.c:1444 [inline]
do_initcalls init/main.c:1460 [inline]
do_basic_setup init/main.c:1479 [inline]
kernel_init_freeable+0x2a4/0x340 init/main.c:1692
kernel_init+0x1b/0x1d0 init/main.c:1582
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 1f318b96 Linux 7.0-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17bde806580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1065375a580000

Harry Yoo

Mar 10, 2026, 2:11:26 AM
to syzbot, ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
#syz test
index d79acf5c5100..871e20ba3d7b 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -909,6 +909,8 @@ static void __paint_it(struct kmemleak_object *object, int color)
object->min_count = color;
if (color == KMEMLEAK_BLACK)
object->flags |= OBJECT_NO_SCAN;
+ else
+ object->flags &= ~OBJECT_NO_SCAN;
}

static void paint_it(struct kmemleak_object *object, int color)
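Review bot: the new else branch clears OBJECT_NO_SCAN on every non-black paint, not only on the kmemleak_unignore() path; please check whether an object whose no-scan flag was set independently through kmemleak_no_scan() (listed in the kmemleak.rst hunk earlier in this thread as "do not scan a memory block") can later be repainted grey, for instance by kmemleak_not_leak(), since __paint_it() would then silently re-enable scanning of memory the caller asked it to skip. Clearing the flag only when the previous min_count was KMEMLEAK_BLACK would confine the change to the ignore/unignore pair.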
@@ -1292,6 +1294,24 @@ void __ref kmemleak_ignore(const void *ptr)
}
EXPORT_SYMBOL(kmemleak_ignore);

+/**
+ * kmemleak_unignore - undo a previous kmemleak_ignore() on an object
+ * @ptr: pointer to beginning of the object
+ * @min_count: minimum number of references the object must have to be
+ * considered a non-leak (see kmemleak_alloc() for details)
+ *
+ * Calling this function undoes a prior kmemleak_ignore() by restoring the
+ * given min_count, making the object visible to kmemleak again.
+ */
+void __ref kmemleak_unignore(const void *ptr, int min_count)
+{
+ pr_debug("%s(0x%px)\n", __func__, ptr);
+
+ if (kmemleak_enabled && ptr && !IS_ERR(ptr))
+ paint_ptr((unsigned long)ptr, min_count, 0);
+}
+EXPORT_SYMBOL(kmemleak_unignore);
+
/**
* kmemleak_scan_area - limit the range to be scanned in an allocated object
* @ptr: pointer to beginning or inside the object. This also
diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();

- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }

// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..3bfe113ae326 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3014,8 +3014,10 @@ static void pcs_flush_all(struct kmem_cache *s)
free_empty_sheaf(s, spare);
}

- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }

sheaf_flush_main(s);
}
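Review bot: the pairing kmemleak_ignore(sheaf) immediately followed by call_rcu(&sheaf->rcu_head, ...) is open-coded here and again in the __pcs_flush_all_cpu, flush_rcu_sheaf and __kfree_rcu_sheaf hunks below; a small static helper taking the sheaf and the callback (a hypothetical name such as `queue_rcu_sheaf()`, not from the page) would keep the two calls together and stop a future call_rcu() site from missing the ignore.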
@@ -3035,6 +3037,7 @@ static void __pcs_flush_all_cpu(struct kmem_cache *s, unsigned int cpu)
}

if (pcs->rcu_free) {
+ kmemleak_ignore(pcs->rcu_free);
call_rcu(&pcs->rcu_free->rcu_head, rcu_free_sheaf_nobarn);
pcs->rcu_free = NULL;
}
@@ -4031,8 +4034,10 @@ static void flush_rcu_sheaf(struct work_struct *w)

local_unlock(&s->cpu_sheaves->lock);

- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }
}


@@ -5832,6 +5837,7 @@ static void rcu_free_sheaf(struct rcu_head *head)

if (data_race(barn->nr_full) < MAX_FULL_SHEAVES) {
stat(s, BARN_PUT);
+ kmemleak_unignore(sheaf, 1);
barn_put_full_sheaf(barn, sheaf);
return;
}
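Review bot: kmemleak_unignore(sheaf, 1) hard-codes the min_count the sheaf was registered with when kzalloc() allocated it in __alloc_empty_sheaf() (the value slab_post_alloc_hook() normally passes); a short comment, or a constant shared with the allocation side, would keep the two from drifting apart. It is also worth stating in the changelog that the unignore only stops reports because the barn owner, kmem_cache_node, is itself registered by the early_kmem_cache_node_alloc hunk at the end of this patch, so the two hunks have to go in together.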
@@ -5842,6 +5848,7 @@ static void rcu_free_sheaf(struct rcu_head *head)

empty:
if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES) {
+ kmemleak_unignore(sheaf, 1);
barn_put_empty_sheaf(barn, sheaf);
return;
}
@@ -5948,8 +5955,10 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj)
* we flush before local_unlock to make sure a racing
* flush_all_rcu_sheaves() doesn't miss this sheaf
*/
- if (rcu_sheaf)
+ if (rcu_sheaf) {
+ kmemleak_ignore(rcu_sheaf);
call_rcu(&rcu_sheaf->rcu_head, rcu_free_sheaf);
+ }

local_unlock(&s->cpu_sheaves->lock);

@@ -7538,6 +7547,7 @@ static void early_kmem_cache_node_alloc(int node)
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
kmem_cache_node->node[node] = n;
+ kmemleak_alloc(n, kmem_cache_node->size, 1, GFP_NOWAIT);

syzbot

Mar 10, 2026, 2:29:08 AM
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in copy_process

BUG: memory leak
unreferenced object 0xffff888101799d80 (size 184):
comm "kthreadd", pid 2, jiffies 4294948049
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0a 21 00 00 00 00 00 00 58 78 fd 01 81 88 ff ff .!......Xx......
backtrace (crc e9f8bd9):
kmemleak_alloc_recursive include/linux/kmemleak.h:45 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
kmem_cache_alloc_noprof+0x372/0x480 mm/slub.c:4881
alloc_pid+0xe4/0x850 kernel/pid.c:189
copy_process+0x1a97/0x28c0 kernel/fork.c:2239
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810b0d7b40 (size 184):
comm "kthreadd", pid 2, jiffies 4294948049
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc ddb1bc35):
kmemleak_alloc_recursive include/linux/kmemleak.h:45 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
kmem_cache_alloc_noprof+0x372/0x480 mm/slub.c:4881
prepare_creds+0x22/0x600 kernel/cred.c:185
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x28c0 kernel/fork.c:2084
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810b91e4a0 (size 32):
comm "kthreadd", pid 2, jiffies 4294948049
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f8 6e 0a 00 81 88 ff ff 00 00 00 00 00 00 00 00 .n..............
backtrace (crc 13ba6aa5):
kmemleak_alloc_recursive include/linux/kmemleak.h:45 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_cred_alloc security/security.c:209 [inline]
security_prepare_creds+0x2d/0x290 security/security.c:2763
prepare_creds+0x395/0x600 kernel/cred.c:215
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x28c0 kernel/fork.c:2084
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 1f318b96 Linux 7.0-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1224694a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=110faf5a580000

Harry Yoo

Mar 10, 2026, 4:10:56 AM
to syzbot, ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
#syz test

diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();

- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }

// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..2f2228d3e8b2 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2776,6 +2776,7 @@ static struct slab_sheaf *__alloc_empty_sheaf(struct kmem_cache *s, gfp_t gfp,
sheaf->cache = s;

stat(s, SHEAF_ALLOC);
+ kmemleak_ignore(sheaf);

return sheaf;
}
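Review bot: ignoring every sheaf at allocation time makes the kmemleak_unignore() calls from the previous revision unnecessary, but it also means sheaf->objects[] is never scanned; that is only safe because the objects a sheaf holds are free (or, for rcu sheaves, already queued for freeing), which is the assumption stated earlier in this thread that the slab allocator does not leak its own structures. Please spell that out in a comment beside the call, and note that a kmemleak report for a genuinely leaked sheaf can no longer appear after this change.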
@@ -7538,6 +7539,7 @@ static void early_kmem_cache_node_alloc(int node)
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
kmem_cache_node->node[node] = n;
+ kmemleak_alloc(n, kmem_cache_node->object_size, 1, GFP_NOWAIT);

syzbot

Mar 10, 2026, 5:40:06 AM
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __kthread_create_on_node

BUG: memory leak
unreferenced object 0xffff88811351d1b0 (size 16):
comm "syz.0.38", pid 7021, jiffies 4294948268
hex dump (first 16 bytes):
66 32 66 73 5f 66 6c 75 73 68 2d 37 3a 30 00 00 f2fs_flush-7:0..
backtrace (crc 73f9c04e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
__do_kmalloc_node mm/slub.c:5263 [inline]
__kmalloc_node_track_caller_noprof+0x3e0/0x5d0 mm/slub.c:5372
kvasprintf+0x6e/0xf0 lib/kasprintf.c:25
__kthread_create_on_node+0x9e/0x1c0 kernel/kthread.c:491
kthread_create_on_node+0x73/0xa0 kernel/kthread.c:559
f2fs_create_flush_cmd_control+0x178/0x200 fs/f2fs/segment.c:707
f2fs_build_segment_manager+0x212/0x3630 fs/f2fs/segment.c:5734
f2fs_fill_super+0x14b1/0x3c20 fs/f2fs/super.c:5140
get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1694
vfs_get_tree+0x30/0x120 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3763 [inline]
do_new_mount fs/namespace.c:3839 [inline]
path_mount+0x5a9/0x1360 fs/namespace.c:4159
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount fs/namespace.c:4338 [inline]
__x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4338
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810b6a4700 (size 4544):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
04 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 01 00 00 00 80 00 00 00 00 00 00 00 ................
backtrace (crc 71339aaa):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
kmem_cache_alloc_node_noprof+0x373/0x4d0 mm/slub.c:4922
alloc_task_struct_node kernel/fork.c:185 [inline]
dup_task_struct kernel/fork.c:916 [inline]
copy_process+0x286/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888109f45f00 (size 184):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 5ee6cb00):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
kmem_cache_alloc_noprof+0x372/0x480 mm/slub.c:4877
prepare_creds+0x22/0x600 kernel/cred.c:185
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x28c0 kernel/fork.c:2084
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881096f8240 (size 32):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f8 6e 0a 00 81 88 ff ff 00 00 00 00 00 00 00 00 .n..............
backtrace (crc 13ba6aa5):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
__do_kmalloc_node mm/slub.c:5263 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5276
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_cred_alloc security/security.c:209 [inline]
security_prepare_creds+0x2d/0x290 security/security.c:2763
prepare_creds+0x395/0x600 kernel/cred.c:215
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x28c0 kernel/fork.c:2084
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888125626e40 (size 192):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
02 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ................
01 00 00 00 00 00 00 00 60 4a 8a 82 ff ff ff ff ........`J......
backtrace (crc 3a1ec858):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
__kmalloc_cache_noprof+0x377/0x480 mm/slub.c:5379
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
set_kthread_struct+0x58/0x150 kernel/kthread.c:107
copy_process+0x15b8/0x28c0 kernel/fork.c:2152
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88812cb53700 (size 64):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
20 09 d5 89 ff ff ff ff 00 00 00 00 00 00 00 00 ...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc e7a33bad):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
__do_kmalloc_node mm/slub.c:5263 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5276
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_task_alloc security/security.c:244 [inline]
security_task_alloc+0x2a/0x260 security/security.c:2682
copy_process+0xedf/0x28c0 kernel/fork.c:2205
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810b507180 (size 1152):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
90 71 50 0b 81 88 ff ff 90 71 50 0b 81 88 ff ff .qP......qP.....
backtrace (crc ef1916d7):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
kmem_cache_alloc_noprof+0x372/0x480 mm/slub.c:4877
copy_signal kernel/fork.c:1700 [inline]
copy_process+0x10da/0x28c0 kernel/fork.c:2220
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 1f318b96 Linux 7.0-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1751f8d6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=10def8d6580000

Harry Yoo

Mar 10, 2026, 11:05:00 PM
to Catalin Marinas, Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
On Mon, Mar 09, 2026 at 08:31:03PM +0000, Catalin Marinas wrote:
> On Mon, Mar 09, 2026 at 09:17:32PM +0900, Harry Yoo wrote:
> > On Fri, Mar 06, 2026 at 07:35:01PM +0000, Catalin Marinas wrote:
> >
> > [...snip...]
> >
> > > I wonder whether some early kmem_cache_node allocations like the ones in
> > > early_kmem_cache_node_alloc() are not tracked and then kmemleak cannot
> > > find n->barn. I got lost in the slub code, but something like this:
> >
> > This sounds plausible. Before sheaves, kmem_cache_node just maintained
> > a list of slabs. Because struct page (and struct slab overlaying on it)
> > is not tracked by kmemleak (as Vlastimil pointed out off-list),
> > not calling kmemleak_alloc() for kmem_cache_node was not a problem.
> >
> > But now it maintains barns and sheaves,
> > and they are tracked by kmemleak...
>
> We could simply add kmemleak_ignore(), especially as we don't need the
> data in these structures to be scanned. We can assume the slab allocator
> doesn't leak its own data structures.

Yeah that sounds reasonable to me.

> But I couldn't figure out why
> kmemleak couldn't track down the pointer in the first place and any
> random kmemleak_alloc() I added did not solve it.

Perhaps we're seeing a mix of

- kmem_cache_node not being tracked by kmemleak causes false positives
- sheaves submitted to call_rcu() cause false positives
- not calling kmemleak_ignore() on kvfree_rcu'd objects causes
false positives

So I tried both:

1) calling kmemleak_ignore() on kfree_rcu'd objects +
calling kmemleak_ignore() when submitting rcu sheaves to call_rcu() +
calling kmemleak_unignore() when rcu sheaves are reused +
calling kmemleak_alloc() on early kmem_cache_node allocation

https://lore.kernel.org/linux-mm/aa-1-Y3v3D1hzPvL@hyeyoo

2) calling kmemleak_ignore() on kfree_rcu'd objects +
calling kmemleak_ignore() on all sheaves (__alloc_empty_sheaf) +
calling kmemleak_alloc() on early kmem_cache_node allocation

https://lore.kernel.org/linux-mm/aa_R-6SdHYBBkQX-@hyeyoo

They seem to resolve reports for sheaves and kfree_rcu'd objects.

But yeah, there are still a bunch of leak reports
(hopefully not false positives caused by slab anymore?)

I notice that some of those objects are freed in a call_rcu() callback.

If submitting to call_rcu() put objects into rcu data structures
that kmemleak is not aware of, how has kmemleak dealt with that?
(perhaps users need to call kmemleak_ignore() before call_rcu()?)

> > > -----------8<-----------------------------------
> > > diff --git a/mm/slub.c b/mm/slub.c
> > > index 0c906fefc31b..401557ff5487 100644
> > > --- a/mm/slub.c
> > > +++ b/mm/slub.c
> > > @@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
> > > slab->freelist = get_freepointer(kmem_cache_node, n);
> > > slab->inuse = 1;
> > > kmem_cache_node->node[node] = n;
> > > + kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);

By the way, this should have been kmem_cache_node->object_size.
Because... the length of kmem_cache_node.node array is not always
MAX_NUMNODES (yeah, that's confusing).

> > > init_kmem_cache_node(n, NULL);
> > > inc_slabs_node(kmem_cache_node, node, slab->objects);
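Review bot: `sizeof(*n)` is the right length for this registration: `n` is the `struct kmem_cache_node` carved out of the slab on the `get_freepointer()` line above, so the size of its pointee is exactly the object being registered; the concern about the `node[]` array length not being `MAX_NUMNODES` raised below applies to `struct kmem_cache`, not to this object, as the follow-up message also concludes. One thing worth a comment in the code: `GFP_NOWAIT` only governs how kmemleak allocates its own tracking object, and because this runs from `kmem_cache_init()` before `kmemleak_init()` that tracking object comes from the static `mem_pool[]` anyway, so a short note on why the flags differ from the surrounding allocation code would help the next reader.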
> >
> > But this function is called for kmem_cache_node cache
> > (in kmem_cache_init()), even before kmemleak_init()?
>
> That's fine, kmemleak starts as enabled by default and tracks early
> allocations in a local mem_pool[] array. kmemleak_init() just
> initialises its kmem_caches for the long run.

Ah, right. I totally missed that. Thanks for the correction!

> > kmem_cache and kmalloc caches should call kmemleak_alloc() when
> > allocating kmem_cache_node structures, but as they are also created
> > before kmemleak_init(), I doubt that's actually doing its job...
>
> It does. I just added a kmemleak_alloc() in create_kmalloc_cache() and
> kmemleak complained that the object from the kmem_cache_zalloc() is
> already registered. Of course, no stack trace saved for these early
> allocations but it does track them.

Right!
Thanks, that was helpful!

In addition to that - assuming that OBJECT_NO_SCAN should be cleared
when changing the color from black to white, I made that change when
testing it using syzbot.

Harry Yoo

Mar 10, 2026, 11:21:02 PM
to Catalin Marinas, Vlastimil Babka (SUSE), Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, Hao Li
On Wed, Mar 11, 2026 at 12:04:36PM +0900, Harry Yoo wrote:
> > > > -----------8<-----------------------------------
> > > > diff --git a/mm/slub.c b/mm/slub.c
> > > > index 0c906fefc31b..401557ff5487 100644
> > > > --- a/mm/slub.c
> > > > +++ b/mm/slub.c
> > > > @@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
> > > > slab->freelist = get_freepointer(kmem_cache_node, n);
> > > > slab->inuse = 1;
> > > > kmem_cache_node->node[node] = n;
> > > > + kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
>
> By the way, this should have been kmem_cache_node->object_size.
> Because... the length of kmem_cache_node.node array is not always
> MAX_NUMNODES (yeah, that's confusing).

Oops, please feel free to ignore this paragraph!
I was totally confused; it's not the size of struct kmem_cache.

Qing Wang

Mar 11, 2026, 5:57:50 AM
to syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz
#syz test

diff --git a/mm/slub.c b/mm/slub.c
index cdc1e652ec52..f029003e7368 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2629,6 +2629,7 @@ static struct slab_sheaf *alloc_empty_sheaf(struct kmem_cache *s, gfp_t gfp)

static void free_empty_sheaf(struct kmem_cache *s, struct slab_sheaf *sheaf)
{
+ WARN_ON(sheaf->size > 0);
kfree(sheaf);

stat(s, SHEAF_FREE);
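Review bot: the context of this hunk (`{` immediately followed by `kfree(sheaf);`) does not match the tree syzbot tests against, which is why it fails to apply in the bot's reply below; the rebased version in the next message carries the missing `mark_obj_codetag_empty()` lines. On the substance, `WARN_ON(sheaf->size > 0)` is a sound guard, since freeing a sheaf that still holds objects would lose them, but it does not bear on the kmemleak report this thread is about: that report is for the `struct slab_sheaf` allocation itself, made in `__alloc_empty_sheaf()`, not for objects inside a sheaf.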
@@ -2660,6 +2661,7 @@ static int refill_sheaf(struct kmem_cache *s, struct slab_sheaf *sheaf,
return 0;
}

+static void sheaf_flush_unused(struct kmem_cache *s, struct slab_sheaf *sheaf);

static struct slab_sheaf *alloc_full_sheaf(struct kmem_cache *s, gfp_t gfp)
{
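Review bot: a prototype dropped between two function definitions is a style point; if `alloc_full_sheaf()` needs `sheaf_flush_unused()` before its definition, either move the definition above it or put the declaration with the other forward declarations at the top of the file, so it does not get orphaned by later reordering.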
@@ -2669,6 +2671,7 @@ static struct slab_sheaf *alloc_full_sheaf(struct kmem_cache *s, gfp_t gfp)
return NULL;

if (refill_sheaf(s, sheaf, gfp | __GFP_NOMEMALLOC)) {
+ sheaf_flush_unused(s, sheaf);
free_empty_sheaf(s, sheaf);
return NULL;
}
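Review bot: whether this line changes anything depends on what `refill_sheaf()` leaves behind on failure. If it already returns with `sheaf->size == 0`, the flush is a no-op; if it can return non-zero with objects still in the sheaf, those objects were indeed lost, but they are objects that were never handed to a caller, so `kmemleak_alloc()` has not run for them and kmemleak cannot report them (the point made later in the thread). A one-line comment stating which case applies would make the intent of the flush clear.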
@@ -5027,6 +5030,7 @@ __pcs_replace_empty_main(struct kmem_cache *s, struct slub_percpu_sheaves *pcs,
* we must be very low on memory so don't bother
* with the barn
*/
+ sheaf_flush_unused(s, empty);
free_empty_sheaf(s, empty);
}
} else {
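Review bot: the sheaf freed in this branch is named `empty`, so `sheaf_flush_unused(s, empty)` only does work if the failed refill above can leave objects in it; otherwise it is a no-op and the new `WARN_ON` in `free_empty_sheaf()` already covers the non-empty case. If the flush stays, the comment just above ("don't bother with the barn") should say that any leftover objects go back to their slabs rather than to the barn.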

syzbot

Mar 11, 2026, 6:17:04 AM
to ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file mm/slub.c
Hunk #1 FAILED at 2629.
Hunk #2 succeeded at 2828 (offset 168 lines).
Hunk #3 FAILED at 2670.
Hunk #4 succeeded at 4624 (offset -404 lines).
2 out of 4 hunks FAILED



Tested on:

commit: b29fb882 Merge tag 'v7.0-rc3-ksmbd-server-fixes' of gi..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=9d7d0fbecb37bff8
patch: https://syzkaller.appspot.com/x/patch.diff?x=14156f5a580000

Qing Wang

Mar 11, 2026, 6:49:12 AM
to syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz
#syz test

diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..73b2cfd0e123 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2797,6 +2797,7 @@ static void free_empty_sheaf(struct kmem_cache *s, struct slab_sheaf *sheaf)
if (s->flags & SLAB_KMALLOC)
mark_obj_codetag_empty(sheaf);

+ WARN_ON(sheaf->size > 0);
kfree(sheaf);

stat(s, SHEAF_FREE);
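Review bot: `WARN_ON(sheaf->size > 0)` sits after `mark_obj_codetag_empty(sheaf)` has already run for `SLAB_KMALLOC` caches; moving the check to the top of `free_empty_sheaf()` would raise the diagnostic before any side effect on a sheaf that turns out not to be empty. Otherwise this is the first version's hunk rebased onto the context the bot reported as missing.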
@@ -2828,6 +2829,7 @@ static int refill_sheaf(struct kmem_cache *s, struct slab_sheaf *sheaf,
return 0;
}

+static void sheaf_flush_unused(struct kmem_cache *s, struct slab_sheaf *sheaf);

static struct slab_sheaf *alloc_full_sheaf(struct kmem_cache *s, gfp_t gfp)
{
@@ -2837,6 +2839,7 @@ static struct slab_sheaf *alloc_full_sheaf(struct kmem_cache *s, gfp_t gfp)
return NULL;

if (refill_sheaf(s, sheaf, gfp | __GFP_NOMEMALLOC | __GFP_NOWARN)) {
+ sheaf_flush_unused(s, sheaf);
free_empty_sheaf(s, sheaf);
return NULL;
}
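Review bot: unless `refill_sheaf()` can return non-zero while leaving objects in `sheaf`, the added flush is a no-op; if it can, a comment saying so belongs here, because the objects in question were never handed out and so are invisible to kmemleak, which means this hunk cannot be what silences the `__alloc_empty_sheaf()` report. The `__GFP_NOWARN` in the context line shows this is rebased onto the newer tree, which is why this hunk and the `free_empty_sheaf()` one needed fresh context.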
@@ -4623,6 +4626,7 @@ __pcs_replace_empty_main(struct kmem_cache *s, struct slub_percpu_sheaves *pcs,

syzbot

Mar 11, 2026, 7:03:08 AM
to ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff88810005f800 (size 512):
comm "swapper/0", pid 0, jiffies 4294937296
hex dump (first 32 bytes):
18 ca 17 2e 81 88 ff ff 00 b6 ad 81 ff ff ff ff ................
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 9b7d1e76):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4550 [inline]
slab_alloc_node mm/slub.c:4873 [inline]
__do_kmalloc_node mm/slub.c:5266 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5279
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2836 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4633
alloc_from_pcs mm/slub.c:4724 [inline]
slab_alloc_node mm/slub.c:4858 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5382
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__irq_domain_alloc_fwnode+0x37/0x140 kernel/irq/irqdomain.c:95
irq_domain_alloc_named_fwnode include/linux/irqdomain.h:271 [inline]
arch_early_irq_init+0x1c/0x70 arch/x86/kernel/apic/vector.c:803
start_kernel+0x931/0xb80 init/main.c:1114
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148

BUG: memory leak
unreferenced object 0xffff8881008f6c00 (size 512):
comm "kthreadd", pid 2, jiffies 4294937344
hex dump (first 32 bytes):
08 5e e1 28 81 88 ff ff 00 b6 ad 81 ff ff ff ff .^.(............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 89324f2):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4550 [inline]
slab_alloc_node mm/slub.c:4873 [inline]
__do_kmalloc_node mm/slub.c:5266 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5279
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2836 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4633
alloc_from_pcs mm/slub.c:4724 [inline]
slab_alloc_node mm/slub.c:4858 [inline]
__kmalloc_cache_node_noprof+0x3ef/0x4e0 mm/slub.c:5395
kmalloc_node_noprof include/linux/slab.h:1077 [inline]
__get_vm_area_node+0xc6/0x1d0 mm/vmalloc.c:3221
__vmalloc_node_range_noprof+0x1d3/0xe50 mm/vmalloc.c:4024
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:355 [inline]
dup_task_struct kernel/fork.c:924 [inline]
copy_process+0x3e5/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881023c6800 (size 512):
comm "kworker/u8:3", pid 829, jiffies 4294937473
hex dump (first 32 bytes):
00 56 0a 2b 81 88 ff ff 00 fe 03 2b 81 88 ff ff .V.+.......+....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 175b82b9):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4550 [inline]
slab_alloc_node mm/slub.c:4873 [inline]
__do_kmalloc_node mm/slub.c:5266 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5279
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5729
free_to_pcs mm/slub.c:5782 [inline]
slab_free mm/slub.c:6177 [inline]
kfree+0x352/0x390 mm/slub.c:6490
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881023e9000 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937519
hex dump (first 32 bytes):
e0 52 f6 28 81 88 ff ff 00 b6 ad 81 ff ff ff ff .R.(............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc d8ec9e0d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4550 [inline]
slab_alloc_node mm/slub.c:4873 [inline]
__do_kmalloc_node mm/slub.c:5266 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5279
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5729
free_to_pcs mm/slub.c:5782 [inline]
slab_free mm/slub.c:6177 [inline]
kfree+0x352/0x390 mm/slub.c:6490
blk_free_flush_queue+0x28/0x40 block/blk-flush.c:514
srcu_invoke_callbacks+0x11a/0x1c0 kernel/rcu/srcutree.c:1941
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888104850a00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937528
hex dump (first 32 bytes):
00 6c 8f 00 81 88 ff ff 00 10 0a 2b 81 88 ff ff .l.........+....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc c75772dc):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4550 [inline]
slab_alloc_node mm/slub.c:4873 [inline]
__do_kmalloc_node mm/slub.c:5266 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5279
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5729
free_to_pcs mm/slub.c:5782 [inline]
slab_free mm/slub.c:6177 [inline]
kfree+0x352/0x390 mm/slub.c:6490
blk_free_flush_queue+0x28/0x40 block/blk-flush.c:514
srcu_invoke_callbacks+0x11a/0x1c0 kernel/rcu/srcutree.c:1941
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888104850800 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937528
hex dump (first 32 bytes):
18 6a 89 26 81 88 ff ff 00 b6 ad 81 ff ff ff ff .j.&............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 1ece07b3):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4550 [inline]
slab_alloc_node mm/slub.c:4873 [inline]
__do_kmalloc_node mm/slub.c:5266 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5279
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5729
free_to_pcs mm/slub.c:5782 [inline]
slab_free mm/slub.c:6177 [inline]
kfree+0x352/0x390 mm/slub.c:6490
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: b29fb882 Merge tag 'v7.0-rc3-ksmbd-server-fixes' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13fb694a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=14023016580000

Harry Yoo

Mar 11, 2026, 7:23:48 AM
to Qing Wang, syzbot+cae780...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz
This won't fix any kmemleak reports because kmemleak couldn't detect this
in the first place. kmemleak doesn't know that those objects exist
until they are allocated and kmemleak_alloc() is called for them.

Harry Yoo

Mar 17, 2026, 10:44:05 PM
to syzbot, ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
#syz test

diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d79acf5c5100..b7be2cc1efc3 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -50,8 +50,8 @@
*
* The kmemleak_object structures have a use_count incremented or decremented
* using the get_object()/put_object() functions. When the use_count becomes
- * 0, this count can no longer be incremented and put_object() schedules the
- * kmemleak_object freeing via an RCU callback. All calls to the get_object()
+ * 0, this count can no longer be incremented and put_object() adds the
+ * kmemleak_object to a deferred free list. All calls to the get_object()
* function must be protected by rcu_read_lock() to avoid accessing a freed
* structure.
*/
@@ -93,6 +93,7 @@
#include <linux/mm.h>
#include <linux/workqueue.h>
#include <linux/crc32.h>
+#include <linux/llist.h>

#include <asm/sections.h>
#include <asm/processor.h>
@@ -138,7 +139,7 @@ struct kmemleak_object {
struct list_head object_list;
struct list_head gray_list;
struct rb_node rb_node;
- struct rcu_head rcu; /* object_list lockless traversal */
+ struct llist_node free_node; /* deferred freeing */
/* object usage count; object freed when use_count == 0 */
atomic_t use_count;
unsigned int del_state; /* deletion state */
@@ -209,6 +210,13 @@ static DEFINE_RAW_SPINLOCK(kmemleak_lock);
static struct kmem_cache *object_cache;
static struct kmem_cache *scan_area_cache;

+/* objects pending RCU-deferred freeing */
+static LLIST_HEAD(objects_to_free);
+static atomic_long_t objects_to_free_count;
+static void flush_deferred_frees_work(struct work_struct *work);
+static DECLARE_WORK(deferred_free_work, flush_deferred_frees_work);
+#define DEFERRED_FREE_BATCH 256
+
/* set if tracing memory operations is enabled */
static int kmemleak_enabled __read_mostly = 1;
/* same as above but only for the kmemleak_free() callback */
@@ -522,14 +530,12 @@ static void mem_pool_free(struct kmemleak_object *object)
}

/*
- * RCU callback to free a kmemleak_object.
+ * Free a kmemleak_object and its associated scan areas.
*/
-static void free_object_rcu(struct rcu_head *rcu)
+static void free_object(struct kmemleak_object *object)
{
struct hlist_node *tmp;
struct kmemleak_scan_area *area;
- struct kmemleak_object *object =
- container_of(rcu, struct kmemleak_object, rcu);

/*
* Once use_count is 0 (guaranteed by put_object), there is no other
@@ -543,11 +549,19 @@ static void free_object_rcu(struct rcu_head *rcu)
}

/*
- * Decrement the object use_count. Once the count is 0, free the object using
- * an RCU callback. Since put_object() may be called via the kmemleak_free() ->
- * delete_object() path, the delayed RCU freeing ensures that there is no
- * recursive call to the kernel allocator. Lock-less RCU object_list traversal
- * is also possible.
+ * Decrement the object use_count. Once the count is 0, add the object to the
+ * deferred free list. Since put_object() may be called via the
+ * kmemleak_free() -> delete_object() path, the deferred freeing ensures that
+ * there is no recursive call to the kernel allocator. Lock-less RCU
+ * object_list traversal is also possible. The actual freeing happens after
+ * an RCU grace period in flush_deferred_frees().
+ *
+ * Unlike the previous call_rcu()-based approach, this avoids embedding
+ * rcu_head in kmemleak_object. Objects from SLAB_NOLEAKTRACE caches (like
+ * kmemleak's own object_cache) are not tracked by kmemleak. When such
+ * objects were linked in the call_rcu callback chain via rcu_head->next,
+ * kmemleak could not scan through them, breaking the chain and causing
+ * false positive leak reports for objects queued after them.
*/
static void put_object(struct kmemleak_object *object)
{
@@ -558,14 +572,46 @@ static void put_object(struct kmemleak_object *object)
WARN_ON(object->flags & OBJECT_ALLOCATED);

/*
- * It may be too early for the RCU callbacks, however, there is no
+ * It may be too early for deferred freeing, however, there is no
* concurrent object_list traversal when !object_cache and all objects
* came from the memory pool. Free the object directly.
*/
- if (object_cache)
- call_rcu(&object->rcu, free_object_rcu);
- else
- free_object_rcu(&object->rcu);
+ if (object_cache) {
+ llist_add(&object->free_node, &objects_to_free);
+ if (atomic_long_inc_return(&objects_to_free_count) >=
+ DEFERRED_FREE_BATCH)
+ schedule_work(&deferred_free_work);
+ } else {
+ free_object(object);
+ }
+}
+
+/*
+ * Flush all deferred object frees after an RCU grace period. This must be
+ * called from a context that can block.
+ */
+static void flush_deferred_frees(void)
+{
+ struct llist_node *list;
+ struct kmemleak_object *object, *tmp;
+ long count = 0;
+
+ list = llist_del_all(&objects_to_free);
+ if (!list)
+ return;
+
+ synchronize_rcu();
+
+ llist_for_each_entry_safe(object, tmp, list, free_node) {
+ free_object(object);
+ count++;
+ }
+ atomic_long_sub(count, &objects_to_free_count);
+}
+
+static void flush_deferred_frees_work(struct work_struct *work)
+{
+ flush_deferred_frees();
}

/*
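Review bot: two points on `put_object()`/`flush_deferred_frees()`. First, nothing drains the list on a quiet system: until `objects_to_free_count` reaches `DEFERRED_FREE_BATCH` (256) the dead objects stay queued, and the only other caller is the cleanup path, so a flush from the scan thread or a delayed work would bound how long they linger. Second, `count` is subtracted only after the whole batch is freed, so puts arriving during a flush keep calling `schedule_work()` on work that is already running or pending; that is harmless (a pending work is not queued twice, and a running one is re-queued, which is what you want), but a one-line comment would save the next reader the same analysis. The `synchronize_rcu()` before the walk is what makes the lockless `object_list` traversal mentioned in the comment above safe, so the "must be able to block" requirement could be enforced with a `might_sleep()`.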
@@ -809,7 +855,7 @@ static void create_object_percpu(unsigned long ptr, size_t size,
}

/*
- * Mark the object as not allocated and schedule RCU freeing via put_object().
+ * Mark the object as not allocated and schedule deferred freeing via put_object().
*/
static void __delete_object(struct kmemleak_object *object)
{
@@ -2209,6 +2255,7 @@ static void __kmemleak_do_cleanup(void)
if (!(++cnt & 0x3f))
cond_resched();
}
+ flush_deferred_frees();
}

/*
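Review bot: `__kmemleak_do_cleanup()` flushes the pending list but does not `cancel_work_sync(&deferred_free_work)`, so a work item queued just before cleanup can still run afterwards. That is safe today because `llist_del_all()` then returns NULL and `flush_deferred_frees()` returns before `synchronize_rcu()`, but cancelling or flushing the work first would make the ordering explicit rather than incidental.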

base-commit: fda995dadf2960405545e5002aaa85207aa758cf
--
2.43.0
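The mechanism described in the comment added to put_object() above (an untracked SLAB_NOLEAKTRACE object linked into the RCU callback chain cuts kmemleak's scan, so tracked objects queued behind it are reported as leaks) can be reproduced in user space. The following is an added example, not code from this thread or from mm/kmemleak.c; the function names (track, scan_block, leaks_with_shared_chain, leaks_with_separate_lists) are this example's own, and the intrusive `next` link stands in for rcu_head->next.

```c
/* Added example: a user-space model of kmemleak's conservative scan.
 * Tracked objects play kmemleak-registered allocations; the untracked
 * one plays a SLAB_NOLEAKTRACE object such as a kmemleak_object. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TRACKED 16

/* Object with an intrusive link at its start, like rcu_head->next. */
struct node {
	struct node *next;
	unsigned long payload[4];
};

/* Registry entry: bounds of one tracked allocation (kmemleak_alloc()). */
struct tracked {
	const void *ptr;
	size_t size;
	int reachable;
};

static struct tracked registry[MAX_TRACKED];
static int nregistered;

static void registry_reset(void)
{
	nregistered = 0;
}

static void track(const void *ptr, size_t size)
{
	if (nregistered < MAX_TRACKED) {
		registry[nregistered].ptr = ptr;
		registry[nregistered].size = size;
		registry[nregistered].reachable = 0;
		nregistered++;
	}
}

/* Does this word point into a tracked block (start or interior pointer)? */
static int find_tracked(uintptr_t value)
{
	for (int i = 0; i < nregistered; i++) {
		uintptr_t start = (uintptr_t)registry[i].ptr;

		if (value >= start && value < start + registry[i].size)
			return i;
	}
	return -1;
}

/* Conservative scan: every aligned word is a possible pointer. A tracked
 * block found this way is marked and scanned in turn. Untracked memory is
 * never scanned, so a chain passing through an untracked object is cut. */
static void scan_block(const void *start, size_t size)
{
	const uintptr_t *p = start;

	for (size_t i = 0; i < size / sizeof(uintptr_t); i++) {
		int idx = find_tracked(p[i]);

		if (idx >= 0 && !registry[idx].reachable) {
			registry[idx].reachable = 1;
			scan_block(registry[idx].ptr, registry[idx].size);
		}
	}
}

/* Number of tracked objects the scan would report as leaked. */
static int count_unreferenced(void)
{
	int n = 0;

	for (int i = 0; i < nregistered; i++)
		if (!registry[i].reachable)
			n++;
	return n;
}

/* Scenario 1: a (tracked) -> u (untracked) -> b (tracked) on one chain whose
 * head lives in scanned memory. The scan reaches a, stops at u, and reports
 * b although it is still referenced: one false positive. */
static int leaks_with_shared_chain(void)
{
	struct node a = {0}, u = {0}, b = {0};
	struct node *chain_head = &a;	/* stands in for a static root */

	registry_reset();
	track(&a, sizeof(a));
	track(&b, sizeof(b));		/* u is deliberately not tracked */
	a.next = &u;
	u.next = &b;

	scan_block(&chain_head, sizeof(chain_head));
	return count_unreferenced();	/* 1: b is the false positive */
}

/* Scenario 2: what the patch does for kmemleak_object. Untracked objects sit
 * on their own list, so the tracked chain never crosses unscannable memory. */
static int leaks_with_separate_lists(void)
{
	struct node a = {0}, u = {0}, b = {0};
	struct node *chain_head = &a, *untracked_head = &u;

	registry_reset();
	track(&a, sizeof(a));
	track(&b, sizeof(b));
	a.next = &b;

	scan_block(&chain_head, sizeof(chain_head));
	scan_block(&untracked_head, sizeof(untracked_head));
	return count_unreferenced();	/* 0 */
}

int main(void)
{
	printf("shared chain: %d false positive(s)\n", leaks_with_shared_chain());
	printf("separate lists: %d false positive(s)\n", leaks_with_separate_lists());
	return 0;
}
```

Build with `cc -Wall` and run: the first scenario reports one unreferenced object (b) even though it is still on the chain; the second, which mirrors the patch's separate llist for kmemleak_object, reports none. Like kmemleak, the model treats interior pointers as references, which is why find_tracked() does a range check rather than an exact-start comparison.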


syzbot

Mar 17, 2026, 11:08:05 PM
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff88810e983c00 (size 512):
comm "softirq", pid 0, jiffies 4294948614
hex dump (first 32 bytes):
c8 2c 04 00 81 88 ff ff 00 a4 98 0e 81 88 ff ff .,..............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 8f5c2bf9):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
alloc_full_sheaf mm/slub.c:2829 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4626
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
cfg80211_inform_single_bss_data+0x21d/0xa70 net/wireless/scan.c:2344
cfg80211_inform_bss_data+0x13f/0x1dc0 net/wireless/scan.c:3226
cfg80211_inform_bss_frame_data+0x108/0x340 net/wireless/scan.c:3317
ieee80211_bss_info_update+0x13a/0x320 net/mac80211/scan.c:230
ieee80211_scan_rx+0x269/0x3b0 net/mac80211/scan.c:364
__ieee80211_rx_handle_packet net/mac80211/rx.c:5305 [inline]
ieee80211_rx_list+0x111b/0x1850 net/mac80211/rx.c:5588
ieee80211_rx_napi+0x50/0x110 net/mac80211/rx.c:5611
ieee80211_rx include/net/mac80211.h:5267 [inline]
ieee80211_handle_queued_frames+0x9c/0xf0 net/mac80211/main.c:452
tasklet_action_common+0xb7/0x270 kernel/softirq.c:925
handle_softirqs+0xdf/0x2c0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x91/0xb0 kernel/softirq.c:723
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x73/0x80 arch/x86/kernel/apic/apic.c:1056

BUG: memory leak
unreferenced object 0xffff88810e98a400 (size 512):
comm "kworker/u8:7", pid 1022, jiffies 4294952987
hex dump (first 32 bytes):
00 3c 98 0e 81 88 ff ff 00 68 cd 2a 81 88 ff ff .<.......h.*....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc b6e2f12f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
alloc_full_sheaf mm/slub.c:2829 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4626
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
cfg80211_inform_single_bss_data+0x21d/0xa70 net/wireless/scan.c:2344
cfg80211_inform_bss_data+0x13f/0x1dc0 net/wireless/scan.c:3226
cfg80211_inform_bss_frame_data+0x108/0x340 net/wireless/scan.c:3317
ieee80211_bss_info_update+0x13a/0x320 net/mac80211/scan.c:230
ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline]
ieee80211_ibss_rx_queued_mgmt+0xb75/0x1230 net/mac80211/ibss.c:1602
ieee80211_iface_process_skb net/mac80211/iface.c:1748 [inline]
ieee80211_iface_work+0x6af/0x9b0 net/mac80211/iface.c:1802
cfg80211_wiphy_work+0x1db/0x280 net/wireless/core.c:440
process_one_work+0x277/0x5f0 kernel/workqueue.c:3276
process_scheduled_works kernel/workqueue.c:3359 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3440
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: a989fde7 Merge tag 'libnvdimm-fixes-7.0-rc5' of git://..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1005f8da580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2bba615ee79faa5
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1405b406580000

Harry Yoo

Mar 18, 2026, 12:11:23 AM
to syzbot, ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
#syz test

diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d79acf5c5100..b7be2cc1efc3 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..6bdf409d427e 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -7537,6 +7537,7 @@ static void early_kmem_cache_node_alloc(int node)
n = kasan_slab_alloc(kmem_cache_node, n, GFP_KERNEL, false);
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
+ kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
kmem_cache_node->node[node] = n;
init_kmem_cache_node(n, NULL);
inc_slabs_node(kmem_cache_node, node, slab->objects);
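Review bot: the mm/kmemleak.c part of this patch is a bare file header (index d79acf5c5100..b7be2cc1efc3) with no hunk under it as posted, so the patch is inconsistent with the blob ids it claims: either the kmemleak.c hunk was lost when the mail was rendered or the header should be dropped; please repost the full hunk so the tree that syzbot tested can be reconstructed. In the slub.c hunk, `kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT)` sits two lines below `kasan_slab_alloc(kmem_cache_node, n, GFP_KERNEL, false)`, so the two debug hooks are told different allocation contexts for the same object; either pass GFP_KERNEL here as well or add a one-line comment saying why GFP_NOWAIT is wanted in this early-boot path. The changelog should also say why min_count 1 is the right expectation for an object that is about to be stored in `kmem_cache_node->node[node]`, since the point of registering it is presumably to get its contents scanned rather than to have it reported.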
--
2.43.0


syzbot

Mar 18, 2026, 1:02:03 AM
to ak...@linux-foundation.org, catalin...@arm.com, ch...@kernel.org, hao...@linux.dev, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@kernel.org, vba...@suse.cz, wangqi...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff888129413800 (size 512):
comm "kworker/u8:3", pid 58, jiffies 4294947638
hex dump (first 32 bytes):
00 ac 98 1c 81 88 ff ff 00 18 6b 0a 81 88 ff ff ..........k.....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 10da2a4f):
BUG: memory leak
unreferenced object 0xffff88812a621a00 (size 512):
comm "kworker/u8:3", pid 58, jiffies 4294950606
hex dump (first 32 bytes):
00 18 62 2a 81 88 ff ff 00 d6 04 00 81 88 ff ff ..b*............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 231cde90):
BUG: memory leak
unreferenced object 0xffff88812a621800 (size 512):
comm "kworker/u8:6", pid 932, jiffies 4294950638
hex dump (first 32 bytes):
00 18 6b 0a 81 88 ff ff 00 1a 62 2a 81 88 ff ff ..k.......b*....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 9a0f4a55):
console output: https://syzkaller.appspot.com/x/log.txt?x=15c4974a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2bba615ee79faa5
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=178fc216580000

Harry Yoo

Mar 19, 2026, 8:06:58 PM
to syzbot, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz
#syz test

diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d79acf5c5100..b401954f72a4 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -107,7 +107,7 @@
* Kmemleak configuration and common defines.
*/
#define MAX_TRACE 16 /* stack trace length */
-#define MSECS_MIN_AGE 5000 /* minimum object age for reporting */
+#define MSECS_MIN_AGE 30000 /* minimum object age for reporting */
#define SECS_FIRST_SCAN 60 /* delay before the first scan */
#define SECS_SCAN_WAIT 600 /* subsequent auto scanning delay */
#define MAX_SCAN_SIZE 4096 /* maximum size of a scanned block */
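Review bot: raising MSECS_MIN_AGE from 5000 to 30000 only suppresses reports for objects younger than 30 s at scan time and cannot account for an object that genuinely has no reference, and the retest syzbot ran on this patch still reports sheaves allocated at boot (comm "swapper/0", pid 0, jiffies 4294937296) and from kthreadd, which are far older than 30 s by the time kmemleak scans. If this is a diagnostic to rule out a race between the sheaf allocation and the store of its pointer, say so in a changelog line so nobody picks it up as a fix; as a permanent change it would delay every real leak report by 25 s.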

syzbot

Mar 20, 2026, 6:34:04 AM
to ak...@linux-foundation.org, ch...@kernel.org, harr...@oracle.com, jae...@kernel.org, ja...@google.com, liam.h...@oracle.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main

BUG: memory leak
unreferenced object 0xffff88810005f800 (size 512):
comm "swapper/0", pid 0, jiffies 4294937296
hex dump (first 32 bytes):
60 bd 2a 2f 81 88 ff ff 30 ba ad 81 ff ff ff ff `.*/....0.......
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 81834c79):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
alloc_full_sheaf mm/slub.c:2829 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4626
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5375
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__irq_domain_alloc_fwnode+0x37/0x140 kernel/irq/irqdomain.c:95
irq_domain_alloc_named_fwnode include/linux/irqdomain.h:271 [inline]
arch_early_irq_init+0x1c/0x70 arch/x86/kernel/apic/vector.c:803
start_kernel+0x931/0xb80 init/main.c:1114
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148

BUG: memory leak
unreferenced object 0xffff8881008f6c00 (size 512):
comm "kthreadd", pid 2, jiffies 4294937342
hex dump (first 32 bytes):
d0 16 c9 29 81 88 ff ff 30 ba ad 81 ff ff ff ff ...)....0.......
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 38b48d73):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
alloc_full_sheaf mm/slub.c:2829 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4626
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__kmalloc_cache_node_noprof+0x3ef/0x4e0 mm/slub.c:5388
kmalloc_node_noprof include/linux/slab.h:1077 [inline]
__get_vm_area_node+0xc6/0x1d0 mm/vmalloc.c:3221
__vmalloc_node_range_noprof+0x1d3/0xe50 mm/vmalloc.c:4024
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:355 [inline]
dup_task_struct kernel/fork.c:924 [inline]
copy_process+0x3e5/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2653
kernel_thread+0x80/0xb0 kernel/fork.c:2714
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888102011400 (size 512):
comm "kworker/u8:1", pid 274, jiffies 4294937433
hex dump (first 32 bytes):
28 f6 7b 31 81 88 ff ff 30 ba ad 81 ff ff ff ff (.{1....0.......
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc c5ce2dfb):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5722
free_to_pcs mm/slub.c:5775 [inline]
slab_free mm/slub.c:6170 [inline]
kfree+0x352/0x390 mm/slub.c:6483
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888102010600 (size 512):
comm "kworker/1:1", pid 41, jiffies 4294937437
hex dump (first 32 bytes):
88 c3 c4 29 81 88 ff ff 30 ba ad 81 ff ff ff ff ...)....0.......
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 5d48f1c0):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5722
free_to_pcs mm/slub.c:5775 [inline]
slab_free mm/slub.c:6170 [inline]
kfree+0x352/0x390 mm/slub.c:6483
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x277/0x5f0 kernel/workqueue.c:3276
process_scheduled_works kernel/workqueue.c:3359 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3440
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888102010400 (size 512):
comm "kworker/u8:1", pid 443, jiffies 4294937439
hex dump (first 32 bytes):
e8 50 dd 31 81 88 ff ff 30 ba ad 81 ff ff ff ff .P.1....0.......
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 11032afc):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5722
free_to_pcs mm/slub.c:5775 [inline]
slab_free mm/slub.c:6170 [inline]
kfree+0x352/0x390 mm/slub.c:6483
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881095d5a00 (size 256):
comm "swapper/0", pid 1, jiffies 4294937857
hex dump (first 32 bytes):
00 d4 9c 1d 81 88 ff ff 88 fc 04 00 81 88 ff ff ................
00 1a 04 00 81 88 ff ff 1c 00 00 00 00 00 00 00 ................
backtrace (crc deebd371):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
alloc_full_sheaf mm/slub.c:2829 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4626
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5375
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
init_srcu_struct_fields+0x29d/0x320 kernel/rcu/srcutree.c:241
rtnl_link_register+0x81/0x1c0 net/core/rtnetlink.c:615
ipgre_init+0x10d/0x1a0 net/ipv4/ip_gre.c:1828
do_one_initcall+0x79/0x4c0 init/main.c:1382
do_initcall_level init/main.c:1444 [inline]
do_initcalls init/main.c:1460 [inline]
do_basic_setup init/main.c:1479 [inline]
kernel_init_freeable+0x2a4/0x340 init/main.c:1692
kernel_init+0x1b/0x1d0 init/main.c:1582
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 0e4f8f1a Merge tag 'parisc-for-7.0-rc5' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13b18cba580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2bba615ee79faa5
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=12608cba580000

Harry Yoo

Mar 20, 2026, 7:20:46 AM
to syzbot, Liam.H...@oracle.com, ak...@linux-foundation.org, ch...@kernel.org, jae...@kernel.org, ja...@google.com, linki...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, pfal...@suse.de, sj155...@samsung.com, syzkall...@googlegroups.com, vba...@suse.cz
diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();

- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }

// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
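Review bot: `kmemleak_ignore(ptr)` paints the object black, which sets OBJECT_NO_SCAN as well as removing it from leak reporting, so for as long as the object sits in the RCU sheaf anything reachable only through it is no longer scanned and can itself be reported as a leak; if the intent is only to stop reporting `ptr` while it waits for the grace period, `kmemleak_not_leak(ptr)` (grey, still scanned) is the narrower call. The reports that prompted this series are also for the sheaf structures themselves, allocated in __alloc_empty_sheaf via __pcs_replace_empty_main and __pcs_replace_full_main, not for objects queued through kfree_rcu_sheaf(), so the changelog should explain how marking `ptr` is expected to change those reports, and the new comment could say that the object is freed later by the sheaf flush, which is when kmemleak will see the corresponding free.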