From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.sourceforge.net (lists.sourceforge.net [216.105.38.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id D22C2EF8FEA for ; Wed, 4 Mar 2026 13:40:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:Cc: Reply-To:From:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:Subject:In-Reply-To:References:To:MIME-Version:Date: Message-ID:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=YhiY6dFnwLv5LCvfwQF/j9gqb+Nay7wnZCMpo1PGQc8=; b=dIV6RsCVWUOr5W8IAeRqEaqREk 6b/VX1dmkFdiJVd7jfINE34FrWLRPhyidIPL2c6ezRxwGbdg3G8USUa5n7U1sNh+S5e+J5G1lQizO 3N9LTMiNSwOz8s0+aWDLHoqt9yD+VD5ypEdWVCjOVPcC2yLYuP+8269M7ssDs7ekFWZA=; Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1vxmSL-00014v-Jm; Wed, 04 Mar 2026 13:40:05 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1vxmSK-00014p-B4 for linux-f2fs-devel@lists.sourceforge.net; Wed, 04 Mar 2026 13:40:04 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: From:References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=gQIxw/Z/MQdGpERM5wxCSHfUwJz5mLloHMNRL2tJ/vM=; b=nFhxdC6GhA4YhxGgu3EyVsbBwP W/ygoUk93dYyfH5r8bxryES/0rcxVTYlwS1yAguf2EM4x7H6h5sv7RhQU/v2rACcN7j6PnjydyMEE xqwj2LxDq87MuI8dOxbPnGYjXtBmhXlrHs11WG1uxTu0F4PDzsYqAKTfA6qU3JMBgCko=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From:References:Cc:To: Subject:MIME-Version:Date:Message-ID:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=gQIxw/Z/MQdGpERM5wxCSHfUwJz5mLloHMNRL2tJ/vM=; b=ZkNSxuyejtwKm3roYkaVWdHKP6 eXyyzwj58zeB4P2rIxK+qGLFojfH7TSNrtA351ApHuad8nj6TMyDvturVsevkEQGOf7X/RYYKeNfG oMHmKHsmD5S1bVQ/fM+mMA8Zp0eMEjR+oboQDYq4yzkquVoy3nTY0SFdaY8MWjOjV4tM=; Received: from sea.source.kernel.org ([172.234.252.31]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1vxmSJ-0002r4-OG for linux-f2fs-devel@lists.sourceforge.net; Wed, 04 Mar 2026 13:40:04 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sea.source.kernel.org (Postfix) with ESMTP id 4145D437E1; Wed, 4 Mar 2026 13:39:53 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 33ECAC19423; Wed, 4 Mar 2026 13:39:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772631593; bh=tBg/hfXGbB8kC2UwsbFj4SllrfktIr46ew/BFF078eA=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=OmVfd74fEjgnoLPP+YJzeIx2IjGp7V0GPXUHue1QkmLdIDIJNgfvesZsuVutlPBPW +yQiwp2wzAl2OLloNNG3I2H2o37SlIBQSx1Rsr77wESVy6yIsEI0BXcjm757AwgLvk cCNHhAxwddyuzkM8oL9xzu7pls0y/+yGaISktJWKXtdvuanO2ssGqIDXLs1BXwxqMR mh5dRFdKmFHHrG7CGzHxpkANcEmqQ5quTPgCDxT9g7elPNd+JeTHPAMdILHfdhzBi+ ryjJRBLNPlFp77s7IDc7SvOxX9exg6SGTVH4daWRSbgz7J/oiu3Qby6/Q4O3Xy10qU +7EkbTJUJjvqQ== Message-ID: <925a916a-6dfb-48c0-985c-0bdfb96ebd26@kernel.org> Date: Wed, 4 Mar 2026 14:39:47 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Harry Yoo References: <698a26d3.050a0220.3b3015.007e.GAE@google.com> <20260302034102.3145719-1-wangqing7171@gmail.com> <20df8dd1-a32c-489d-8345-085d424a2f12@kernel.org> Content-Language: en-US In-Reply-To: X-Headers-End: 1vxmSJ-0002r4-OG Subject: Re: [f2fs-dev] [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf X-BeenThere: linux-f2fs-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: "Vlastimil Babka \(SUSE\) via Linux-f2fs-devel" Reply-To: "Vlastimil Babka \(SUSE\)" Cc: Qing Wang , Hao Li , lorenzo.stoakes@oracle.com, jannh@google.com, Catalin Marinas , syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org, Liam.Howlett@oracle.com, syzbot+cae7809e9dc1459e4e63@syzkaller.appspotmail.com, linux-mm@kvack.org, sj1557.seo@samsung.com, pfalcato@suse.de, linux-fsdevel@vger.kernel.org, jaegeuk@kernel.org, akpm@linux-foundation.org, linux-f2fs-devel@lists.sourceforge.net, linkinjeon@kernel.org, vbabka@suse.cz Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: linux-f2fs-devel-bounces@lists.sourceforge.net On 3/4/26 2:30 AM, Harry Yoo wrote: > [+Cc adding Catalin for kmemleak bits] > > On Mon, Mar 02, 2026 at 09:39:48AM +0100, Vlastimil Babka (SUSE) wrote: >> On 3/2/26 04:41, Qing Wang wrote: >>> #syz test >>> >>> diff --git a/mm/slub.c b/mm/slub.c >>> index cdc1e652ec52..387979b89120 100644 >>> --- a/mm/slub.c >>> +++ b/mm/slub.c >>> @@ -6307,15 +6307,21 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj) >>> goto fail; >>> >>> if (!local_trylock(&s->cpu_sheaves->lock)) { >>> - barn_put_empty_sheaf(barn, empty); >>> + if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES) >>> + barn_put_empty_sheaf(barn, empty); >>> + else >>> + free_empty_sheaf(s, empty); >>> goto fail; >>> } >>> >>> pcs = this_cpu_ptr(s->cpu_sheaves); >>> >>> - if (unlikely(pcs->rcu_free)) >>> - barn_put_empty_sheaf(barn, empty); >>> - else >>> + if (unlikely(pcs->rcu_free)) { >>> + if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES) >>> + barn_put_empty_sheaf(barn, empty); >>> + else >>> + free_empty_sheaf(s, empty); >>> + } else >>> pcs->rcu_free = empty; >>> } >> >> I don't think this would fix any leak, and syzbot agrees. It would limit the >> empty sheaves in barn more strictly, but they are not leaked. >> Hm I don't see any leak in __kfree_rcu_sheaf() or rcu_free_sheaf(). Wonder >> if kmemleak lacks visibility into barns or pcs's as roots for searching what >> objects are considered referenced, or something? > > Objects that are allocated from slab and percpu allocator should be > properly tracked by kmemleak. But those allocated with > gfpflags_allow_spinning() == false are not tracked by kmemleak. > > When barns and sheaves are allocated early (!gfpflags_allow_spinning() > due to gfp_allowed_mask) and it skips kmemleak_alloc_recursive(), > it could produce false positives because from kmemleak's point of view, > the objects are not reachable from the root set (data section, stack, > etc.). Good point. > To me it seems kmemleak should gain allow_spin == false support > sooner or later. Or we figure out how to deal with the false allow_spin == false during boot. Here I'm a bit confused how exactly it happens because AFAICS in slub we apply gfp_allowed_mask only when allocating a new slab, and in slab_post_alloc_hook() we apply it to init_mask. That is indeed passed to kmemleak_alloc_recursive() but not used for the gfpflags_allow_spinning() decision. kmemleak_alloc_recursive() should succeed because nobody should be holding any locks that would require spinning. Unless it's some interaction with deferred pages like the one fixed by commit fd3634312a04f33? _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6FAE534CFC6; Wed, 4 Mar 2026 13:39:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772631593; cv=none; b=JUaF3Kso1jiah5dchVVjOp1YTfxX2sHzpcf47vzjDDiSfv4TJ2bRBK3BQPPs4beYetn1hJJlxSATTxccNlTGTB+q+p6rFODDDuXOEYqTC0IeKI1EZge46e/c9/Ew1wgJFfrNUPYYCmDq7aPPPfiy4PPlIAcCFKhamN7qiQHhOr0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772631593; c=relaxed/simple; bh=tBg/hfXGbB8kC2UwsbFj4SllrfktIr46ew/BFF078eA=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=Zs7bPPk2+sYrwRE0CGuJlZn48Pf83OIu0vr0KAWbBTeGZL04QRvaXXDxyKLSL4tjDY07Mp6w5IxV2C/uf/3CJYkitmTq1fssAlG+Afc5vFOPOAb3keHckHzRrTq1kLUWL8F+9vt2EZo64nBzw/Xj/ngEC+fFQM4VT4MK8cXB41g= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=OmVfd74f; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="OmVfd74f" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 33ECAC19423; Wed, 4 Mar 2026 13:39:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772631593; bh=tBg/hfXGbB8kC2UwsbFj4SllrfktIr46ew/BFF078eA=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=OmVfd74fEjgnoLPP+YJzeIx2IjGp7V0GPXUHue1QkmLdIDIJNgfvesZsuVutlPBPW +yQiwp2wzAl2OLloNNG3I2H2o37SlIBQSx1Rsr77wESVy6yIsEI0BXcjm757AwgLvk cCNHhAxwddyuzkM8oL9xzu7pls0y/+yGaISktJWKXtdvuanO2ssGqIDXLs1BXwxqMR mh5dRFdKmFHHrG7CGzHxpkANcEmqQ5quTPgCDxT9g7elPNd+JeTHPAMdILHfdhzBi+ ryjJRBLNPlFp77s7IDc7SvOxX9exg6SGTVH4daWRSbgz7J/oiu3Qby6/Q4O3Xy10qU +7EkbTJUJjvqQ== Message-ID: <925a916a-6dfb-48c0-985c-0bdfb96ebd26@kernel.org> Date: Wed, 4 Mar 2026 14:39:47 +0100 Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf To: Harry Yoo Cc: Qing Wang , syzbot+cae7809e9dc1459e4e63@syzkaller.appspotmail.com, Liam.Howlett@oracle.com, akpm@linux-foundation.org, chao@kernel.org, jaegeuk@kernel.org, jannh@google.com, linkinjeon@kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, pfalcato@suse.de, sj1557.seo@samsung.com, syzkaller-bugs@googlegroups.com, vbabka@suse.cz, Hao Li , Catalin Marinas References: <698a26d3.050a0220.3b3015.007e.GAE@google.com> <20260302034102.3145719-1-wangqing7171@gmail.com> <20df8dd1-a32c-489d-8345-085d424a2f12@kernel.org> From: "Vlastimil Babka (SUSE)" Content-Language: en-US In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 3/4/26 2:30 AM, Harry Yoo wrote: > [+Cc adding Catalin for kmemleak bits] > > On Mon, Mar 02, 2026 at 09:39:48AM +0100, Vlastimil Babka (SUSE) wrote: >> On 3/2/26 04:41, Qing Wang wrote: >>> #syz test >>> >>> diff --git a/mm/slub.c b/mm/slub.c >>> index cdc1e652ec52..387979b89120 100644 >>> --- a/mm/slub.c >>> +++ b/mm/slub.c >>> @@ -6307,15 +6307,21 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj) >>> goto fail; >>> >>> if (!local_trylock(&s->cpu_sheaves->lock)) { >>> - barn_put_empty_sheaf(barn, empty); >>> + if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES) >>> + barn_put_empty_sheaf(barn, empty); >>> + else >>> + free_empty_sheaf(s, empty); >>> goto fail; >>> } >>> >>> pcs = this_cpu_ptr(s->cpu_sheaves); >>> >>> - if (unlikely(pcs->rcu_free)) >>> - barn_put_empty_sheaf(barn, empty); >>> - else >>> + if (unlikely(pcs->rcu_free)) { >>> + if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES) >>> + barn_put_empty_sheaf(barn, empty); >>> + else >>> + free_empty_sheaf(s, empty); >>> + } else >>> pcs->rcu_free = empty; >>> } >> >> I don't think this would fix any leak, and syzbot agrees. It would limit the >> empty sheaves in barn more strictly, but they are not leaked. >> Hm I don't see any leak in __kfree_rcu_sheaf() or rcu_free_sheaf(). Wonder >> if kmemleak lacks visibility into barns or pcs's as roots for searching what >> objects are considered referenced, or something? > > Objects that are allocated from slab and percpu allocator should be > properly tracked by kmemleak. But those allocated with > gfpflags_allow_spinning() == false are not tracked by kmemleak. > > When barns and sheaves are allocated early (!gfpflags_allow_spinning() > due to gfp_allowed_mask) and it skips kmemleak_alloc_recursive(), > it could produce false positives because from kmemleak's point of view, > the objects are not reachable from the root set (data section, stack, > etc.). Good point. > To me it seems kmemleak should gain allow_spin == false support > sooner or later. Or we figure out how to deal with the false allow_spin == false during boot. Here I'm a bit confused how exactly it happens because AFAICS in slub we apply gfp_allowed_mask only when allocating a new slab, and in slab_post_alloc_hook() we apply it to init_mask. That is indeed passed to kmemleak_alloc_recursive() but not used for the gfpflags_allow_spinning() decision. kmemleak_alloc_recursive() should succeed because nobody should be holding any locks that would require spinning. Unless it's some interaction with deferred pages like the one fixed by commit fd3634312a04f33?