* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
From: Catalin Marinas @ 2026-03-08 11:02 UTC (permalink / raw)
To: syzbot+cae7809e9dc1459e4e63
Cc: Vlastimil Babka (SUSE), Harry Yoo, Qing Wang, Liam.Howlett, akpm,
chao, jaegeuk, jannh, linkinjeon, linux-f2fs-devel, linux-fsdevel,
linux-kernel, linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo,
syzkaller-bugs, vbabka, Hao Li
#syz test
diff --git a/mm/slub.c b/mm/slub.c
index 0c906fefc31b..401557ff5487 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
kmem_cache_node->node[node] = n;
+ kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
init_kmem_cache_node(n, NULL);
inc_slabs_node(kmem_cache_node, node, slab->objects);
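Review bot: the new kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT) has no comment saying why this object has to be registered by hand. It is carved straight off the slab's freelist (slab->freelist = get_freepointer(kmem_cache_node, n)), so the slab_post_alloc_hook() -> kmemleak_alloc_recursive() path that every backtrace on this page shows never runs for it; if the intent is that kmemleak then also scans the node's memory for pointers it would otherwise never see, say so next to the call. The hunk also leaves open whether kmemleak can be called safely this early in boot and whether a matching kmemleak_free() is needed on any teardown path for the node; a short comment covering both would make the change reviewable on its own.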
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
From: syzbot @ 2026-03-08 12:31 UTC (permalink / raw)
To: akpm, catalin.marinas, chao, hao.li, harry.yoo, jaegeuk, jannh,
liam.howlett, linkinjeon, linux-f2fs-devel, linux-fsdevel,
linux-kernel, linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo,
syzkaller-bugs, vbabka, vbabka, wangqing7171
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_full_main
BUG: memory leak
unreferenced object 0xffff888101d79200 (size 512):
comm "kworker/u8:5", pid 182, jiffies 4294937433
hex dump (first 32 bytes):
e0 22 eb 30 81 88 ff ff b0 b7 ad 81 ff ff ff ff .".0............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 3ee28017):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888101fa6c00 (size 512):
comm "kworker/1:1", pid 41, jiffies 4294937441
hex dump (first 32 bytes):
b0 1e fc 11 81 88 ff ff b0 b7 ad 81 ff ff ff ff ................
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc a295f059):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888109d31a00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937949
hex dump (first 32 bytes):
c0 fa 74 29 81 88 ff ff b0 b7 ad 81 ff ff ff ff ..t)............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc e073aa0b):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888109d3d800 (size 512):
comm "udevadm", pid 5179, jiffies 4294938390
hex dump (first 32 bytes):
88 43 58 27 81 88 ff ff b0 b7 ad 81 ff ff ff ff .CX'............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 37e3920):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5378
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
kernfs_get_open_node fs/kernfs/file.c:543 [inline]
kernfs_fop_open+0x4f3/0x580 fs/kernfs/file.c:718
do_dentry_open+0x202/0x8d0 fs/open.c:949
vfs_open+0x3d/0x1b0 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x154d/0x1e20 fs/namei.c:4830
do_file_open+0x121/0x200 fs/namei.c:4859
do_sys_openat2+0xa5/0x140 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x82/0xf0 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88810b5a5000 (size 512):
comm "udevd", pid 5178, jiffies 4294938454
hex dump (first 32 bytes):
80 c5 8e 2b 81 88 ff ff b0 b7 ad 81 ff ff ff ff ...+............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc bce89c59):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5378
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
kernfs_get_open_node fs/kernfs/file.c:543 [inline]
kernfs_fop_open+0x4f3/0x580 fs/kernfs/file.c:718
do_dentry_open+0x202/0x8d0 fs/open.c:949
vfs_open+0x3d/0x1b0 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x154d/0x1e20 fs/namei.c:4830
do_file_open+0x121/0x200 fs/namei.c:4859
do_sys_openat2+0xa5/0x140 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x82/0xf0 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888109d3ce00 (size 512):
comm "udevd", pid 5189, jiffies 4294938454
hex dump (first 32 bytes):
b0 4e 89 2b 81 88 ff ff b0 b7 ad 81 ff ff ff ff .N.+............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc e7e352bb):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
tomoyo_encode2+0xd0/0x1e0 security/tomoyo/realpath.c:45
tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80
tomoyo_realpath_from_path+0xc4/0x2c0 security/tomoyo/realpath.c:283
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x12c/0x290 security/tomoyo/file.c:827
security_inode_getattr+0xaa/0x200 security/security.c:1869
vfs_getattr fs/stat.c:259 [inline]
vfs_fstat+0x48/0xe0 fs/stat.c:281
__do_sys_newfstat+0x42/0xa0 fs/stat.c:551
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: c23719ab Merge tag 'x86-urgent-2026-03-08' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1228e75a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1310e75a580000
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
From: Catalin Marinas @ 2026-03-08 11:04 UTC (permalink / raw)
To: syzbot+cae7809e9dc1459e4e63
Cc: Vlastimil Babka (SUSE), Harry Yoo, Qing Wang, Liam.Howlett, akpm,
chao, jaegeuk, jannh, linkinjeon, linux-f2fs-devel, linux-fsdevel,
linux-kernel, linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo,
syzkaller-bugs, vbabka, Hao Li
#syz test
diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();
- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }
// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
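Review bot: kmemleak_ignore(ptr) paints the object that kfree_rcu() was given, not the sheaf it is queued into, yet the subject of this thread (memory leak in __kfree_rcu_sheaf) and every backtrace on the page point at the 512-byte sheaf allocated in __alloc_empty_sheaf(). The comment should state which false positive the ignore is meant to suppress and why marking ptr rather than the sheaf achieves it. Note that kmemleak_ignore() is sticky for the remaining lifetime of the allocation; that is harmless here only because ptr is about to be freed through the sheaf, which is worth saying in the comment as well.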
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
From: syzbot @ 2026-03-08 12:42 UTC (permalink / raw)
To: akpm, catalin.marinas, chao, hao.li, harry.yoo, jaegeuk, jannh,
liam.howlett, linkinjeon, linux-f2fs-devel, linux-fsdevel,
linux-kernel, linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo,
syzkaller-bugs, vbabka, vbabka, wangqing7171
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main
BUG: memory leak
unreferenced object 0xffff88810005f800 (size 512):
comm "swapper/0", pid 0, jiffies 4294937296
hex dump (first 32 bytes):
00 2a 90 00 81 88 ff ff 00 94 30 29 81 88 ff ff .*........0)....
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc a3e5799):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_noprof+0x3ac/0x480 mm/slub.c:5378
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__irq_domain_alloc_fwnode+0x37/0x140 kernel/irq/irqdomain.c:95
irq_domain_alloc_named_fwnode include/linux/irqdomain.h:271 [inline]
arch_early_irq_init+0x1c/0x70 arch/x86/kernel/apic/vector.c:803
start_kernel+0x931/0xb80 init/main.c:1114
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148
BUG: memory leak
unreferenced object 0xffff8881008f6c00 (size 512):
comm "kthreadd", pid 2, jiffies 4294937344
hex dump (first 32 bytes):
00 94 30 29 81 88 ff ff 00 d6 de 0b 81 88 ff ff ..0)............
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 9181eca5):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4629
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__kmalloc_cache_node_noprof+0x3ef/0x4e0 mm/slub.c:5391
kmalloc_node_noprof include/linux/slab.h:1077 [inline]
__get_vm_area_node+0xc6/0x1d0 mm/vmalloc.c:3221
__vmalloc_node_range_noprof+0x1d3/0xe50 mm/vmalloc.c:4024
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:355 [inline]
dup_task_struct kernel/fork.c:924 [inline]
copy_process+0x3e5/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff8881008fd600 (size 512):
comm "kworker/u8:6", pid 223, jiffies 4294937434
hex dump (first 32 bytes):
00 c6 8f 00 81 88 ff ff d8 2c 04 00 81 88 ff ff .........,......
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 33698a2f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff8881008fc600 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937441
hex dump (first 32 bytes):
00 1a 39 10 81 88 ff ff 00 d6 8f 00 81 88 ff ff ..9.............
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc fca1c70a):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888100902a00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937448
hex dump (first 32 bytes):
00 c4 58 09 81 88 ff ff 00 f8 05 00 81 88 ff ff ..X.............
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 8a5f0c0d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
vfree.part.0+0x1d5/0x4d0 mm/vmalloc.c:3485
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810958c400 (size 512):
comm "kworker/u8:5", pid 4599, jiffies 4294937964
hex dump (first 32 bytes):
00 4c 6a 12 81 88 ff ff 00 2a 90 00 81 88 ff ff .Lj......*......
00 12 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 45e572cd):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4547 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5725
free_to_pcs mm/slub.c:5778 [inline]
slab_free mm/slub.c:6173 [inline]
kfree+0x352/0x390 mm/slub.c:6486
call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
call_usermodehelper_exec_async+0x1c7/0x1f0 kernel/umh.c:119
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: c23719ab Merge tag 'x86-urgent-2026-03-08' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10027054580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=17682a02580000
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
From: Harry Yoo @ 2026-03-09 10:46 UTC (permalink / raw)
To: Catalin Marinas
Cc: Vlastimil Babka (SUSE), Qing Wang, syzbot+cae7809e9dc1459e4e63,
Liam.Howlett, akpm, chao, jaegeuk, jannh, linkinjeon,
linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs, vbabka,
Hao Li
#syz test
diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();
- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }
// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
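Review bot: this hunk is byte-identical to the one Catalin already had syzbot test earlier in the thread (same index line d5a70a831a2a..73f4668d870d), and that run still reported leaks in __pcs_replace_empty_main, so carrying it along unchanged needs a justification in the comment. As written, kmemleak_ignore(ptr) hides the object handed to kfree_rcu(), while the reported leaks are the sheaves from __alloc_empty_sheaf(); if the slub.c hunks below are what actually address those, consider dropping this hunk or explaining which separate false positive it covers.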
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..9e34a9458162 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3014,8 +3014,10 @@ static void pcs_flush_all(struct kmem_cache *s)
free_empty_sheaf(s, spare);
}
- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }
sheaf_flush_main(s);
}
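Review bot: the pair `kmemleak_ignore(rcu_free);` followed by `call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);` is now repeated in pcs_flush_all(), __pcs_flush_all_cpu() and flush_rcu_sheaf(); a small helper that does the ignore and the call_rcu() together would keep the kmemleak handling in one place and make it harder to forget at a future call site. None of the three call sites says why a sheaf queued via call_rcu() has to be hidden from kmemleak, so a one-line comment on the helper (or here, at the first site) naming the false positive being avoided would help; if rcu_free_sheaf_nobarn() frees the sheaf outright rather than returning it to a barn, the permanent ignore is harmless here and that is worth stating too.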
@@ -3035,6 +3037,7 @@ static void __pcs_flush_all_cpu(struct kmem_cache *s, unsigned int cpu)
}
if (pcs->rcu_free) {
+ kmemleak_ignore(pcs->rcu_free);
call_rcu(&pcs->rcu_free->rcu_head, rcu_free_sheaf_nobarn);
pcs->rcu_free = NULL;
}
@@ -4031,8 +4034,10 @@ static void flush_rcu_sheaf(struct work_struct *w)
local_unlock(&s->cpu_sheaves->lock);
- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }
}
@@ -5948,8 +5953,15 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj)
* we flush before local_unlock to make sure a racing
* flush_all_rcu_sheaves() doesn't miss this sheaf
*/
- if (rcu_sheaf)
+ if (rcu_sheaf) {
+ /*
+ * TODO: Ideally this should be undone in rcu_free_sheaf,
+ * when the sheaf is returned to a barn to avoid generating
+ * false negatives.
+ */
+ kmemleak_ignore(rcu_sheaf);
call_rcu(&rcu_sheaf->rcu_head, rcu_free_sheaf);
+ }
local_unlock(&s->cpu_sheaves->lock);
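Review bot: the TODO is the real problem with this approach and should be resolved rather than carried: kmemleak_ignore() paints the sheaf black for the rest of its lifetime, so once rcu_free_sheaf() hands it back to a barn and it is reused, a genuine leak of that sheaf can never be reported again, and each reuse widens the blind spot. If the reference kmemleak cannot see is the one held by the pending RCU callback, a more targeted fix would make that reference visible to kmemleak, or mark the object only for the window between call_rcu() and the callback, rather than ignoring it permanently; at minimum the comment should name the object and the reference that the ignore is working around, since "false negatives" alone does not tell a later reader what was traded away.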
base-commit: c23719abc3308df7ed3ad35650ad211fb2d2003d
--
2.43.0
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
From: syzbot @ 2026-03-09 11:11 UTC (permalink / raw)
To: akpm, catalin.marinas, chao, hao.li, harry.yoo, jaegeuk, jannh,
liam.howlett, linkinjeon, linux-f2fs-devel, linux-fsdevel,
linux-kernel, linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo,
syzkaller-bugs, vbabka, vbabka, wangqing7171
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main
BUG: memory leak
unreferenced object 0xffff8881008bb900 (size 256):
comm "swapper/0", pid 0, jiffies 4294937326
hex dump (first 32 bytes):
00 e8 54 0b 81 88 ff ff 00 55 bf 0f 81 88 ff ff ..T......U......
00 e1 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc e804819c):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4634
alloc_from_pcs mm/slub.c:4725 [inline]
slab_alloc_node mm/slub.c:4859 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__register_sysctl_table+0x4e/0xa60 fs/proc/proc_sysctl.c:1379
register_sysctl_sz fs/proc/proc_sysctl.c:1436 [inline]
__register_sysctl_init+0x30/0x70 fs/proc/proc_sysctl.c:1465
pagecache_init+0x4e/0x70 mm/filemap.c:1095
start_kernel+0xb33/0xb80 init/main.c:1193
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0xce/0xd0 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148
BUG: memory leak
unreferenced object 0xffff888104417400 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937905
hex dump (first 32 bytes):
00 42 a4 1c 81 88 ff ff 00 06 05 00 81 88 ff ff .B..............
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc db9a578f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
vfree.part.0+0x1cd/0x4d0 mm/vmalloc.c:3484
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810ad9d600 (size 512):
comm "syz-executor", pid 5829, jiffies 4294941807
hex dump (first 32 bytes):
00 72 0a 00 81 88 ff ff 00 d2 04 00 81 88 ff ff .r..............
00 af 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 57ea7b83):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4634
alloc_from_pcs mm/slub.c:4725 [inline]
slab_alloc_node mm/slub.c:4859 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kvmalloc_node_noprof+0x5a7/0x770 mm/slub.c:6767
allocate_hook_entries_size net/netfilter/core.c:58 [inline]
nf_hook_entries_grow+0x178/0x3e0 net/netfilter/core.c:137
__nf_register_net_hook+0xc4/0x2e0 net/netfilter/core.c:432
nf_register_net_hook+0x8a/0x110 net/netfilter/core.c:575
nf_register_net_hooks+0x5d/0xd0 net/netfilter/core.c:591
ipt_register_table+0x15e/0x220 net/ipv4/netfilter/ip_tables.c:1781
iptable_security_table_init+0x40/0x60 net/ipv4/netfilter/iptable_security.c:46
xt_find_table_lock+0x1a3/0x270 net/netfilter/x_tables.c:1260
xt_request_find_table_lock+0x28/0xb0 net/netfilter/x_tables.c:1285
get_info+0x101/0x460 net/ipv4/netfilter/ip_tables.c:963
do_ipt_get_ctl+0x9b/0x5e0 net/ipv4/netfilter/ip_tables.c:1659
nf_getsockopt+0x61/0xa0 net/netfilter/nf_sockopt.c:116
ip_getsockopt+0x10a/0x150 net/ipv4/ip_sockglue.c:1777
BUG: memory leak
unreferenced object 0xffff88810fbf5500 (size 256):
comm "kworker/u8:0", pid 12, jiffies 4294942140
hex dump (first 32 bytes):
00 b9 8b 00 81 88 ff ff 00 72 02 01 81 88 ff ff .........r......
00 e1 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 88397b4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
netif_free_tx_queues net/core/dev.c:11206 [inline]
free_netdev+0x71/0x380 net/core/dev.c:12183
netdev_run_todo+0x5ec/0x770 net/core/dev.c:11726
ops_exit_rtnl_list net/core/net_namespace.c:189 [inline]
ops_undo_list+0x2bd/0x300 net/core/net_namespace.c:248
cleanup_net+0x287/0x570 net/core/net_namespace.c:704
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810b540200 (size 512):
comm "kworker/u8:2", pid 34, jiffies 4294942151
hex dump (first 32 bytes):
00 8a 51 27 81 88 ff ff 00 2e 7a 2e 81 88 ff ff ..Q'......z.....
00 18 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 8700e7f7):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888127522c00 (size 512):
comm "kworker/u8:7", pid 1176, jiffies 4294942410
hex dump (first 32 bytes):
00 7a 54 0b 81 88 ff ff 00 e6 b9 0f 81 88 ff ff .zT.............
00 18 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc c4b7e6cc):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: 1f318b96 Linux 7.0-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=117b875a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=17b8375a580000
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-06 19:35 ` Catalin Marinas
` (2 preceding siblings ...)
2026-03-09 10:46 ` Harry Yoo
@ 2026-03-09 12:17 ` Harry Yoo
2026-03-09 20:31 ` Catalin Marinas
2026-03-10 3:39 ` Harry Yoo
4 siblings, 1 reply; 35+ messages in thread
From: Harry Yoo @ 2026-03-09 12:17 UTC (permalink / raw)
To: Catalin Marinas
Cc: Vlastimil Babka (SUSE), Qing Wang, syzbot+cae7809e9dc1459e4e63,
Liam.Howlett, akpm, chao, jaegeuk, jannh, linkinjeon,
linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs, vbabka,
Hao Li
On Fri, Mar 06, 2026 at 07:35:01PM +0000, Catalin Marinas wrote:
[...snip...]
> I wonder whether some early kmem_cache_node allocations like the ones in
> early_kmem_cache_node_alloc() are not tracked and then kmemleak cannot
> find n->barn. I got lost in the slub code, but something like this:
This sounds plausible. Before sheaves, kmem_cache_node just maintained
a list of slabs. Because struct page (and struct slab overlaying on it)
is not tracked by kmemleak (as Vlastimil pointed out off-list),
not calling kmemleak_alloc() for kmem_cache_node was not a problem.
But now it maintains barns and sheaves,
and they are tracked by kmemleak...
> -----------8<-----------------------------------
> diff --git a/mm/slub.c b/mm/slub.c
> index 0c906fefc31b..401557ff5487 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
> slab->freelist = get_freepointer(kmem_cache_node, n);
> slab->inuse = 1;
> kmem_cache_node->node[node] = n;
> + kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
> init_kmem_cache_node(n, NULL);
> inc_slabs_node(kmem_cache_node, node, slab->objects);
But this function is called for the kmem_cache_node cache
(in kmem_cache_init()), even before kmemleak_init()?
kmem_cache and kmalloc caches should call kmemleak_alloc() when
allocating kmem_cache_node structures, but as they are also created
before kmemleak_init(), I doubt that's actually doing its job...
I think we should probably introduce a slab function that kmemleak_init()
calls, which iterates over all slab caches and calls kmemleak_alloc()
for their kmem_cache_node structures?
> -------------8<----------------------------------------
>
> Another thing I noticed, not sure it's related but we should probably
> ignore an object once it has been passed to kvfree_call_rcu(), similar
> to what we do on the main path in this function. Also see commit
> 5f98fd034ca6 ("rcu: kmemleak: Ignore kmemleak false positives when
> RCU-freeing objects") when we added this kmemleak_ignore().
>
> ---------8<-----------------------------------
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index d5a70a831a2a..73f4668d870d 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
> if (!head)
> might_sleep();
>
> - if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
> + if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
> + /*
> + * The object is now queued for deferred freeing via an RCU
> + * sheaf. Tell kmemleak to ignore it.
> + */
> + kmemleak_ignore(ptr);
As Vlastimil pointed out off-list, we need to let kmemleak ignore
sheaves when they are submitted to call_rcu() and ideally undo
kmemleak_ignore() in __kfree_rcu_sheaf() when they are going to be reused.
But looking at mm/kmemleak.c, undoing kmemleak_ignore() doesn't seem to
be a thing.
We could probably send it as a hotfix and fix potential false negatives
later?
I thought this was a more plausible theory and told syzbot to test it [1],
but it still complains :)
[1] https://lore.kernel.org/linux-mm/aa6lBQDAVnqjz_lk@hyeyoo
> return;
> + }
>
> // Queue the object but don't yet schedule the batch.
> if (debug_rcu_head_queue(ptr)) {
--
Cheers,
Harry / Hyeonggon
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-09 12:17 ` Harry Yoo
@ 2026-03-09 20:31 ` Catalin Marinas
2026-03-11 3:04 ` Harry Yoo
0 siblings, 1 reply; 35+ messages in thread
From: Catalin Marinas @ 2026-03-09 20:31 UTC (permalink / raw)
To: Harry Yoo
Cc: Vlastimil Babka (SUSE), Qing Wang, syzbot+cae7809e9dc1459e4e63,
Liam.Howlett, akpm, chao, jaegeuk, jannh, linkinjeon,
linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs, vbabka,
Hao Li
On Mon, Mar 09, 2026 at 09:17:32PM +0900, Harry Yoo wrote:
> On Fri, Mar 06, 2026 at 07:35:01PM +0000, Catalin Marinas wrote:
>
> [...snip...]
>
> > I wonder whether some early kmem_cache_node allocations like the ones in
> > early_kmem_cache_node_alloc() are not tracked and then kmemleak cannot
> > find n->barn. I got lost in the slub code, but something like this:
>
> This sounds plausible. Before sheaves, kmem_cache_node just maintained
> a list of slabs. Because struct page (and struct slab overlaying on it)
> is not tracked by kmemleak (as Vlastimil pointed out off-list),
> not calling kmemleak_alloc() for kmem_cache_node was not a problem.
>
> But now it maintains barns and sheaves,
> and they are tracked by kmemleak...
We could simply add kmemleak_ignore(), especially as we don't need the
data in these structures to be scanned. We can assume the slab allocator
doesn't leak its own data structures. But I couldn't figure out why
kmemleak couldn't track down the pointer in the first place and any
random kmemleak_alloc() I added did not solve it.
> > -----------8<-----------------------------------
> > diff --git a/mm/slub.c b/mm/slub.c
> > index 0c906fefc31b..401557ff5487 100644
> > --- a/mm/slub.c
> > +++ b/mm/slub.c
> > @@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
> > slab->freelist = get_freepointer(kmem_cache_node, n);
> > slab->inuse = 1;
> > kmem_cache_node->node[node] = n;
> > + kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
> > init_kmem_cache_node(n, NULL);
> > inc_slabs_node(kmem_cache_node, node, slab->objects);
>
> But this function is called for kmem_cache_node cache
> (in kmem_cache_init()), even before kmemleak_init()?
That's fine, kmemleak starts as enabled by default and tracks early
allocations in a local mem_pool[] array. kmemleak_init() just
initialises its kmem_caches for the long run.
> kmem_cache and kmalloc caches should call kmemleak_alloc() when
> allocating kmem_cache_node structures, but as they are also created
> before kmemleak_init(), I doubt that's actually doing its job...
It does. I just added a kmemleak_alloc() in create_kmalloc_cache() and
kmemleak complained that the object from the kmem_cache_zalloc() is
already registered. Of course, no stack trace saved for these early
allocations but it does track them.
> > -------------8<----------------------------------------
> >
> > Another thing I noticed, not sure it's related but we should probably
> > ignore an object once it has been passed to kvfree_call_rcu(), similar
> > to what we do on the main path in this function. Also see commit
> > 5f98fd034ca6 ("rcu: kmemleak: Ignore kmemleak false positives when
> > RCU-freeing objects") when we added this kmemleak_ignore().
> >
> > ---------8<-----------------------------------
> > diff --git a/mm/slab_common.c b/mm/slab_common.c
> > index d5a70a831a2a..73f4668d870d 100644
> > --- a/mm/slab_common.c
> > +++ b/mm/slab_common.c
> > @@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
> > if (!head)
> > might_sleep();
> >
> > - if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
> > + if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
> > + /*
> > + * The object is now queued for deferred freeing via an RCU
> > + * sheaf. Tell kmemleak to ignore it.
> > + */
> > + kmemleak_ignore(ptr);
>
> As Vlastimil pointed out off-list, we need to let kmemleak ignore
> sheaves when they are submitted to call_rcu() and ideally undo
> kmemleak_ignore() in __kfree_rcu_sheaf() when they are going to be reused.
>
> But looking at mm/kmemleak.c, undoing kmemleak_ignore() doesn't seem to
> be a thing.
If that's needed, something like below:
----------------------8<---------------------------------
diff --git a/Documentation/dev-tools/kmemleak.rst b/Documentation/dev-tools/kmemleak.rst
index 7d784e03f3f9..da2c849d4735 100644
--- a/Documentation/dev-tools/kmemleak.rst
+++ b/Documentation/dev-tools/kmemleak.rst
@@ -163,6 +163,7 @@ See the include/linux/kmemleak.h header for the functions prototype.
- ``kmemleak_not_leak`` - mark an object as not a leak
- ``kmemleak_transient_leak`` - mark an object as a transient leak
- ``kmemleak_ignore`` - do not scan or report an object as leak
+- ``kmemleak_unignore`` - undo a previous kmemleak_ignore()
- ``kmemleak_scan_area`` - add scan areas inside a memory block
- ``kmemleak_no_scan`` - do not scan a memory block
- ``kmemleak_erase`` - erase an old value in a pointer variable
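Review bot: the one-line description `undo a previous kmemleak_ignore()` hides that, unlike every other function in this list, kmemleak_unignore() needs a second argument (the min_count to restore, per the header hunk in this same patch); suggest `undo a previous kmemleak_ignore(), restoring the given min_count` so readers of the list know what they have to pass.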
diff --git a/include/linux/kmemleak.h b/include/linux/kmemleak.h
index fbd424b2abb1..4eec0560be09 100644
--- a/include/linux/kmemleak.h
+++ b/include/linux/kmemleak.h
@@ -28,6 +28,7 @@ extern void kmemleak_update_trace(const void *ptr) __ref;
extern void kmemleak_not_leak(const void *ptr) __ref;
extern void kmemleak_transient_leak(const void *ptr) __ref;
extern void kmemleak_ignore(const void *ptr) __ref;
+extern void kmemleak_unignore(const void *ptr, int min_count) __ref;
extern void kmemleak_ignore_percpu(const void __percpu *ptr) __ref;
extern void kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp) __ref;
extern void kmemleak_no_scan(const void *ptr) __ref;
@@ -104,6 +105,10 @@ static inline void kmemleak_ignore_percpu(const void __percpu *ptr)
static inline void kmemleak_ignore(const void *ptr)
{
}
+
+static inline void kmemleak_unignore(const void *ptr, int min_count)
+{
+}
static inline void kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp)
{
}
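Review bot: the `+` blank line before the kmemleak_unignore() stub breaks the layout of this block: the hunk's context shows the kmemleak_ignore and kmemleak_scan_area stubs following each other with no separating line, so the new stub should be inserted the same way (drop the added empty line).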
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d79acf5c5100..99b7ebd03737 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -1292,6 +1292,24 @@ void __ref kmemleak_ignore(const void *ptr)
}
EXPORT_SYMBOL(kmemleak_ignore);
+/**
+ * kmemleak_unignore - undo a previous kmemleak_ignore() on an object
+ * @ptr: pointer to beginning of the object
+ * @min_count: minimum number of references the object must have to be
+ * considered a non-leak (see kmemleak_alloc() for details)
+ *
+ * Calling this function undoes a prior kmemleak_ignore() by restoring the
+ * given min_count, making the object visible to kmemleak again.
+ */
+void __ref kmemleak_unignore(const void *ptr, int min_count)
+{
+ pr_debug("%s(0x%px)\n", __func__, ptr);
+
+ if (kmemleak_enabled && ptr && !IS_ERR(ptr))
+ paint_ptr((unsigned long)ptr, min_count, 0);
+}
+EXPORT_SYMBOL(kmemleak_unignore);
+
/**
* kmemleak_scan_area - limit the range to be scanned in an allocated object
* @ptr: pointer to beginning or inside the object. This also
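Review bot: paint_ptr((unsigned long)ptr, min_count, 0) restores min_count but does not clear OBJECT_NO_SCAN, which kmemleak_ignore() set when it painted the object black; after this call the object can be reported again, yet its contents are still never scanned, so anything referenced only from inside it will show up as a false positive once the object is back in use. Either clear OBJECT_NO_SCAN here as well (the follow-up in this thread makes the same assumption when testing) or state in the kernel-doc that `visible to kmemleak again` does not include scanning.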
----------------------8<---------------------------------
--
Catalin
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-09 20:31 ` Catalin Marinas
@ 2026-03-11 3:04 ` Harry Yoo
2026-03-11 3:20 ` Harry Yoo
0 siblings, 1 reply; 35+ messages in thread
From: Harry Yoo @ 2026-03-11 3:04 UTC (permalink / raw)
To: Catalin Marinas
Cc: Vlastimil Babka (SUSE), Qing Wang, syzbot+cae7809e9dc1459e4e63,
Liam.Howlett, akpm, chao, jaegeuk, jannh, linkinjeon,
linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs, vbabka,
Hao Li
On Mon, Mar 09, 2026 at 08:31:03PM +0000, Catalin Marinas wrote:
> On Mon, Mar 09, 2026 at 09:17:32PM +0900, Harry Yoo wrote:
> > On Fri, Mar 06, 2026 at 07:35:01PM +0000, Catalin Marinas wrote:
> >
> > [...snip...]
> >
> > > I wonder whether some early kmem_cache_node allocations like the ones in
> > > early_kmem_cache_node_alloc() are not tracked and then kmemleak cannot
> > > find n->barn. I got lost in the slub code, but something like this:
> >
> > This sounds plausible. Before sheaves, kmem_cache_node just maintained
> > a list of slabs. Because struct page (and struct slab overlaying on it)
> > is not tracked by kmemleak (as Vlastimil pointed out off-list),
> > not calling kmemleak_alloc() for kmem_cache_node was not a problem.
> >
> > But now it maintains barns and sheaves,
> > and they are tracked by kmemleak...
>
> We could simply add kmemleak_ignore(), especially as we don't need the
> data in these structures to be scanned. We can assume the slab allocator
> doesn't leak it's own data structures.
Yeah that sounds reasonable to me.
> But I couldn't figure out why
> kmemleak couldn't track down the pointer in the first place and any
> random kmemleak_alloc() I added did not solve it.
Perhaps we're seeing a mix of
- kmem_cache_node not being tracked by kmemleak causes false positives
- sheaves submitted to call_rcu() cause false positives
- not calling kmemleak_ignore() on kvfree_rcu'd objects causes
false positives
So I tried both:
1) calling kmemleak_ignore() on kfree_rcu'd objects +
calling kmemleak_ignore() when submitting rcu sheaves to call_rcu() +
calling kmemleak_unignore() when rcu sheaves are reused +
calling kmemleak_alloc() on early kmem_cache_node allocation
https://lore.kernel.org/linux-mm/aa-1-Y3v3D1hzPvL@hyeyoo
2) calling kmemleak_ignore() on kfree_rcu'd objects +
calling kmemleak_ignore() on all sheaves (__alloc_empty_sheaf) +
calling kmemleak_alloc() on early kmem_cache_node allocation
https://lore.kernel.org/linux-mm/aa_R-6SdHYBBkQX-@hyeyoo
They seem to resolve reports for sheaves and kfree_rcu'd objects.
But yeah, there are still a bunch of leak reports
(hopefully not false positives caused by slab anymore?)
I notice that some of those objects are freed in a call_rcu() callback.
If submitting to call_rcu() put objects into rcu data structures
that kmemleak is not aware of, how has kmemleak dealt with that?
(perhaps users need to call kmemleak_ignore() before call_rcu()?)
> > > -----------8<-----------------------------------
> > > diff --git a/mm/slub.c b/mm/slub.c
> > > index 0c906fefc31b..401557ff5487 100644
> > > --- a/mm/slub.c
> > > +++ b/mm/slub.c
> > > @@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
> > > slab->freelist = get_freepointer(kmem_cache_node, n);
> > > slab->inuse = 1;
> > > kmem_cache_node->node[node] = n;
> > > + kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
By the way, this should have been kmem_cache_node->object_size.
Because... the length of the kmem_cache_node.node array is not always
MAX_NUMNODES (yeah, that's confusing).
> > > init_kmem_cache_node(n, NULL);
> > > inc_slabs_node(kmem_cache_node, node, slab->objects);
> >
> > But this function is called for kmem_cache_node cache
> > (in kmem_cache_init()), even before kmemleak_init()?
>
> That's fine, kmemleak starts as enabled by default and tracks early
> allocations in a local mem_pool[] array. kmemleak_init() just
> initialises its kmem_caches for the long run.
Ah, right. I totally missed that. Thanks for the correction!
> > kmem_cache and kmalloc caches should call kmemleak_alloc() when
> > allocating kmem_cache_node structures, but as they are also created
> > before kmemleak_init(), I doubt that's actually doing its job...
>
> It does. I just added a kmemleak_alloc() in create_kmalloc_cache() and
> kmemleak complained that the object from the kmem_cache_zalloc() is
> already registered. Of course, no stack trace saved for these early
> allocations but it does track them.
Right!
> > > -------------8<----------------------------------------
> > >
> > > Another thing I noticed, not sure it's related but we should probably
> > > ignore an object once it has been passed to kvfree_call_rcu(), similar
> > > to what we do on the main path in this function. Also see commit
> > > 5f98fd034ca6 ("rcu: kmemleak: Ignore kmemleak false positives when
> > > RCU-freeing objects") when we added this kmemleak_ignore().
> > >
> > > ---------8<-----------------------------------
> > > diff --git a/mm/slab_common.c b/mm/slab_common.c
> > > index d5a70a831a2a..73f4668d870d 100644
> > > --- a/mm/slab_common.c
> > > +++ b/mm/slab_common.c
> > > @@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
> > > if (!head)
> > > might_sleep();
> > >
> > > - if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
> > > + if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
> > > + /*
> > > + * The object is now queued for deferred freeing via an RCU
> > > + * sheaf. Tell kmemleak to ignore it.
> > > + */
> > > + kmemleak_ignore(ptr);
> >
> > As Vlastimil pointed out off-list, we need to let kmemleak ignore
> > sheaves when they are submitted to call_rcu() and ideally undo
> > kmemleak_ignore() in __kfree_rcu_sheaf() when they are going to be reused.
> >
> > But looking at mm/kmemleak.c, undoing kmemleak_ignore() doesn't seem to
> > be a thing.
>
> If that's needed, something like below:
Thanks, that was helpful!
In addition to that - assuming that OBJECT_NO_SCAN should be cleared
when changing the color from black to white, I made that change when
testing it using syzbot.
> ----------------------8<---------------------------------
> diff --git a/Documentation/dev-tools/kmemleak.rst b/Documentation/dev-tools/kmemleak.rst
> index 7d784e03f3f9..da2c849d4735 100644
> --- a/Documentation/dev-tools/kmemleak.rst
> +++ b/Documentation/dev-tools/kmemleak.rst
> @@ -163,6 +163,7 @@ See the include/linux/kmemleak.h header for the functions prototype.
> - ``kmemleak_not_leak`` - mark an object as not a leak
> - ``kmemleak_transient_leak`` - mark an object as a transient leak
> - ``kmemleak_ignore`` - do not scan or report an object as leak
> +- ``kmemleak_unignore`` - undo a previous kmemleak_ignore()
> - ``kmemleak_scan_area`` - add scan areas inside a memory block
> - ``kmemleak_no_scan`` - do not scan a memory block
> - ``kmemleak_erase`` - erase an old value in a pointer variable
> diff --git a/include/linux/kmemleak.h b/include/linux/kmemleak.h
> index fbd424b2abb1..4eec0560be09 100644
> --- a/include/linux/kmemleak.h
> +++ b/include/linux/kmemleak.h
> @@ -28,6 +28,7 @@ extern void kmemleak_update_trace(const void *ptr) __ref;
> extern void kmemleak_not_leak(const void *ptr) __ref;
> extern void kmemleak_transient_leak(const void *ptr) __ref;
> extern void kmemleak_ignore(const void *ptr) __ref;
> +extern void kmemleak_unignore(const void *ptr, int min_count) __ref;
> extern void kmemleak_ignore_percpu(const void __percpu *ptr) __ref;
> extern void kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp) __ref;
> extern void kmemleak_no_scan(const void *ptr) __ref;
> @@ -104,6 +105,10 @@ static inline void kmemleak_ignore_percpu(const void __percpu *ptr)
> static inline void kmemleak_ignore(const void *ptr)
> {
> }
> +
> +static inline void kmemleak_unignore(const void *ptr, int min_count)
> +{
> +}
> static inline void kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp)
> {
> }
> diff --git a/mm/kmemleak.c b/mm/kmemleak.c
> index d79acf5c5100..99b7ebd03737 100644
> --- a/mm/kmemleak.c
> +++ b/mm/kmemleak.c
> @@ -1292,6 +1292,24 @@ void __ref kmemleak_ignore(const void *ptr)
> }
> EXPORT_SYMBOL(kmemleak_ignore);
>
> +/**
> + * kmemleak_unignore - undo a previous kmemleak_ignore() on an object
> + * @ptr: pointer to beginning of the object
> + * @min_count: minimum number of references the object must have to be
> + * considered a non-leak (see kmemleak_alloc() for details)
> + *
> + * Calling this function undoes a prior kmemleak_ignore() by restoring the
> + * given min_count, making the object visible to kmemleak again.
> + */
> +void __ref kmemleak_unignore(const void *ptr, int min_count)
> +{
> + pr_debug("%s(0x%px)\n", __func__, ptr);
> +
> + if (kmemleak_enabled && ptr && !IS_ERR(ptr))
> + paint_ptr((unsigned long)ptr, min_count, 0);
> +}
> +EXPORT_SYMBOL(kmemleak_unignore);
> +
> /**
> * kmemleak_scan_area - limit the range to be scanned in an allocated object
> * @ptr: pointer to beginning or inside the object. This also
> ----------------------8<---------------------------------
>
> --
> Catalin
--
Cheers,
Harry / Hyeonggon
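To make the three effects discussed above concrete (an untracked kmem_cache_node hiding the only pointer to a barn, a sheaf ignored before call_rcu() taking its queued object with it, and an un-ignore that restores min_count but leaves OBJECT_NO_SCAN set), here is a small user-space model of kmemleak's mark phase. It is an added example, not kernel code and not anything posted in this thread: the min_count, KMEMLEAK_BLACK and OBJECT_NO_SCAN semantics and the gray-list walk follow mm/kmemleak.c, while the tm_* helpers, the root -> node -> barn -> sheaf -> object chain and the flag bits accepted by leaks_reported() are constructed for the illustration (objects with min_count 0, gray from the start, are left out).

```c
/* Toy model of kmemleak's mark phase, added to this thread as an illustration. Not kernel
 * code: min_count, KMEMLEAK_BLACK, OBJECT_NO_SCAN and the gray-list walk mirror
 * mm/kmemleak.c; the tm_* helpers and the node -> barn -> sheaf -> object chain are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define KMEMLEAK_BLACK (-1)	/* min_count meaning: never report, never scan */
#define OBJECT_NO_SCAN 0x1	/* pointers stored inside the object are not followed */

struct tm_object {
	uintptr_t start; size_t size;
	int min_count, count;	/* references needed to be live / found by the current scan */
	unsigned int flags;
};

static struct tm_object objs[8]; static int nobjs;

/* kmemleak_alloc(): start tracking [ptr, ptr + size) with the given min_count. */
static void tm_alloc(const void *ptr, size_t size, int min_count)
{
	objs[nobjs++] = (struct tm_object){ (uintptr_t)ptr, size, min_count, 0, 0 };
}

static struct tm_object *tm_lookup(uintptr_t addr)
{
	for (int i = 0; i < nobjs; i++)
		if (addr >= objs[i].start && addr - objs[i].start < objs[i].size)
			return &objs[i];
	return NULL;
}

/* paint_ptr(): as in the kernel, painting an object black also sets OBJECT_NO_SCAN. */
static void tm_paint(const void *ptr, int color, bool clear_no_scan)
{
	struct tm_object *o = tm_lookup((uintptr_t)ptr);
	o->min_count = color;
	if (color == KMEMLEAK_BLACK)
		o->flags |= OBJECT_NO_SCAN;
	else if (clear_no_scan)
		o->flags &= ~OBJECT_NO_SCAN;
}

/* scan_block(): every aligned word pointing into a tracked, non-black object is a reference. */
static void tm_scan_block(uintptr_t start, size_t size, struct tm_object **gray, int *ngray)
{
	for (size_t off = 0; off + sizeof(uintptr_t) <= size; off += sizeof(uintptr_t)) {
		uintptr_t word;
		struct tm_object *o;

		memcpy(&word, (const void *)(start + off), sizeof(word));
		o = tm_lookup(word);
		if (o && o->min_count != KMEMLEAK_BLACK && ++o->count == o->min_count)
			gray[(*ngray)++] = o;	/* just turned gray: scan its contents as well */
	}
}

/* kmemleak_scan(): whiten all objects, scan the roots, then walk the gray list transitively.
 * Returns how many objects would be reported as "unreferenced object". */
static int tm_scan(const void *root, size_t root_size)
{
	struct tm_object *gray[8];
	int ngray = 0, leaks = 0;

	for (int i = 0; i < nobjs; i++)
		objs[i].count = 0;
	tm_scan_block((uintptr_t)root, root_size, gray, &ngray);
	for (int i = 0; i < ngray; i++)		/* scan_gray_list(): the list grows as we walk it */
		if (!(gray[i]->flags & OBJECT_NO_SCAN))
			tm_scan_block(gray[i]->start, gray[i]->size, gray, &ngray);
	for (int i = 0; i < nobjs; i++)		/* objects still white are reported */
		if (objs[i].min_count != KMEMLEAK_BLACK && objs[i].count < objs[i].min_count)
			leaks++;
	return leaks;
}

/* Constructed chain: root (scanned) -> kmem_cache_node -> barn -> sheaf -> kfree_rcu'd object. */
static void *obj_mem[2], *sheaf_mem[2] = { obj_mem }, *barn_mem[2] = { sheaf_mem },
	    *node_mem[2] = { barn_mem }, *root_mem[1] = { node_mem };

enum { TRACK_NODE = 1, IGNORE_SHEAF = 2, IGNORE_OBJECT = 4, UNIGNORE_SHEAF = 8, CLEAR_NO_SCAN = 16 };

/* Build the chain, apply the requested kmemleak annotations, return how many objects are reported. */
int leaks_reported(unsigned int how)
{
	nobjs = 0;
	if (how & TRACK_NODE)		/* the kmemleak_alloc(n, ...) hunk from the thread */
		tm_alloc(node_mem, sizeof(node_mem), 1);
	tm_alloc(barn_mem, sizeof(barn_mem), 1);
	tm_alloc(sheaf_mem, sizeof(sheaf_mem), 1);
	tm_alloc(obj_mem, sizeof(obj_mem), 1);
	if (how & IGNORE_SHEAF)		/* kmemleak_ignore(rcu_sheaf) before call_rcu() */
		tm_paint(sheaf_mem, KMEMLEAK_BLACK, false);
	if (how & IGNORE_OBJECT)	/* kmemleak_ignore(ptr) in kvfree_call_rcu() */
		tm_paint(obj_mem, KMEMLEAK_BLACK, false);
	if (how & UNIGNORE_SHEAF)	/* proposed kmemleak_unignore(rcu_sheaf, 1) when the sheaf is reused */
		tm_paint(sheaf_mem, 1, how & CLEAR_NO_SCAN);
	return tm_scan(root_mem, sizeof(root_mem));
}
```

leaks_reported(0) reports three objects (barn, sheaf and the queued object) because the root's only pointer leads into untracked memory that is never scanned; TRACK_NODE brings that to zero. IGNORE_SHEAF alone still reports the object queued inside the sheaf, which is why the kvfree_call_rcu() change has to ignore the object as well; UNIGNORE_SHEAF without CLEAR_NO_SCAN reports that same object again, because a gray object still flagged OBJECT_NO_SCAN is never scanned.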
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-11 3:04 ` Harry Yoo
@ 2026-03-11 3:20 ` Harry Yoo
0 siblings, 0 replies; 35+ messages in thread
From: Harry Yoo @ 2026-03-11 3:20 UTC (permalink / raw)
To: Catalin Marinas
Cc: Vlastimil Babka (SUSE), Qing Wang, syzbot+cae7809e9dc1459e4e63,
Liam.Howlett, akpm, chao, jaegeuk, jannh, linkinjeon,
linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs, vbabka,
Hao Li
On Wed, Mar 11, 2026 at 12:04:36PM +0900, Harry Yoo wrote:
> > > > -----------8<-----------------------------------
> > > > diff --git a/mm/slub.c b/mm/slub.c
> > > > index 0c906fefc31b..401557ff5487 100644
> > > > --- a/mm/slub.c
> > > > +++ b/mm/slub.c
> > > > @@ -7513,6 +7513,7 @@ static void early_kmem_cache_node_alloc(int node)
> > > > slab->freelist = get_freepointer(kmem_cache_node, n);
> > > > slab->inuse = 1;
> > > > kmem_cache_node->node[node] = n;
> > > > + kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
>
> By the way, this should have been kmem_cache_node->object_size.
> Because... the length of the kmem_cache_node.node array is not always
> MAX_NUMNODES (yeah, that's confusing).
Oops, please feel free to ignore this paragraph!
I was totally confused; it's not the size of struct kmem_cache.
--
Cheers,
Harry / Hyeonggon
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-06 19:35 ` Catalin Marinas
` (3 preceding siblings ...)
2026-03-09 12:17 ` Harry Yoo
@ 2026-03-10 3:39 ` Harry Yoo
2026-03-10 3:54 ` syzbot
4 siblings, 1 reply; 35+ messages in thread
From: Harry Yoo @ 2026-03-10 3:39 UTC (permalink / raw)
To: Catalin Marinas
Cc: Vlastimil Babka (SUSE), Qing Wang, syzbot+cae7809e9dc1459e4e63,
Liam.Howlett, akpm, chao, jaegeuk, jannh, linkinjeon,
linux-f2fs-devel, linux-fsdevel, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs, vbabka,
Hao Li
#syz test
diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();
- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }
// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
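Review bot: the added comment says what kmemleak_ignore(ptr) does but not why the sheaf path needs it; a line such as `the only remaining reference to ptr now lives in an RCU sheaf, which kmemleak does not follow` would make the false-positive reasoning from this thread explicit and mirror the kmemleak_ignore() the thread describes on the existing non-sheaf queueing path of this function.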
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..36f613f48bd0 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3014,8 +3014,10 @@ static void pcs_flush_all(struct kmem_cache *s)
free_empty_sheaf(s, spare);
}
- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }
sheaf_flush_main(s);
}
@@ -3035,6 +3037,7 @@ static void __pcs_flush_all_cpu(struct kmem_cache *s, unsigned int cpu)
}
if (pcs->rcu_free) {
+ kmemleak_ignore(pcs->rcu_free);
call_rcu(&pcs->rcu_free->rcu_head, rcu_free_sheaf_nobarn);
pcs->rcu_free = NULL;
}
@@ -4031,8 +4034,10 @@ static void flush_rcu_sheaf(struct work_struct *w)
local_unlock(&s->cpu_sheaves->lock);
- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }
}
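Review bot: the pair kmemleak_ignore(x); call_rcu(&x->rcu_head, rcu_free_sheaf_nobarn); is now written out in pcs_flush_all(), __pcs_flush_all_cpu() and flush_rcu_sheaf(); a small static helper taking the sheaf would keep the annotation from being forgotten at the next call_rcu() site and would also remove the braces the first and third hunk add around a former one-liner.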
@@ -5948,8 +5953,15 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj)
* we flush before local_unlock to make sure a racing
* flush_all_rcu_sheaves() doesn't miss this sheaf
*/
- if (rcu_sheaf)
+ if (rcu_sheaf) {
+ /*
+ * TODO: Ideally this should be undone in rcu_free_sheaf,
+ * when the sheaf is returned to a barn to avoid generating
+ * false negatives.
+ */
+ kmemleak_ignore(rcu_sheaf);
call_rcu(&rcu_sheaf->rcu_head, rcu_free_sheaf);
+ }
local_unlock(&s->cpu_sheaves->lock);
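Review bot: the TODO leaves a known false negative in place: a sheaf painted black here and later returned to a barn by rcu_free_sheaf() stays ignored for the rest of its life, so a genuine leak of that sheaf would never be reported. With the kmemleak_unignore() proposed earlier in this thread the sheaf could be un-ignored (and OBJECT_NO_SCAN cleared) at the point of reuse; if this ignore-only version goes in as a hotfix, the comment should say that this trade-off is accepted for now rather than read as an open question.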
@@ -7538,6 +7550,7 @@ static void early_kmem_cache_node_alloc(int node)
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
kmem_cache_node->node[node] = n;
+ kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
init_kmem_cache_node(n, NULL);
inc_slabs_node(kmem_cache_node, node, slab->objects);
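Review bot: registering n with min_count 1 makes the scan responsible for finding the pointer kept in kmem_cache_node->node[node]; the suggestion earlier in this thread, to register allocator-internal structures like this one and immediately kmemleak_ignore() them because their contents need not be scanned and the slab allocator is assumed not to leak its own bookkeeping, would avoid adding a new report source if that pointer is ever missed. sizeof(*n) is the right size here; the later object_size remark in the thread was withdrawn.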
base-commit: c23719abc3308df7ed3ad35650ad211fb2d2003d
--
2.43.0
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-10 3:39 ` Harry Yoo
@ 2026-03-10 3:54 ` syzbot
2026-03-10 6:11 ` Harry Yoo
0 siblings, 1 reply; 35+ messages in thread
From: syzbot @ 2026-03-10 3:54 UTC (permalink / raw)
To: akpm, catalin.marinas, chao, hao.li, harry.yoo, jaegeuk, jannh,
liam.howlett, linkinjeon, linux-f2fs-devel, linux-fsdevel,
linux-kernel, linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo,
syzkaller-bugs, vbabka, vbabka, wangqing7171
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main
BUG: memory leak
unreferenced object 0xffff888100b60200 (size 512):
comm "kthreadd", pid 2, jiffies 4294937343
hex dump (first 32 bytes):
00 6c c3 09 81 88 ff ff 00 9a 9d 0a 81 88 ff ff .l..............
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 8a95531e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
alloc_full_sheaf mm/slub.c:2834 [inline]
__pcs_replace_empty_main+0x1d2/0x260 mm/slub.c:4634
alloc_from_pcs mm/slub.c:4725 [inline]
slab_alloc_node mm/slub.c:4859 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_node_noprof+0x57e/0x5d0 mm/slub.c:5274
kmalloc_node_noprof include/linux/slab.h:1081 [inline]
__vmalloc_area_node mm/vmalloc.c:3855 [inline]
__vmalloc_node_range_noprof+0x284/0xe50 mm/vmalloc.c:4064
__vmalloc_node_noprof+0x71/0x90 mm/vmalloc.c:4124
alloc_thread_stack_node kernel/fork.c:355 [inline]
dup_task_struct kernel/fork.c:924 [inline]
copy_process+0x3e5/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810438c200 (size 512):
comm "swapper/0", pid 1, jiffies 4294937794
hex dump (first 32 bytes):
00 02 10 0e 81 88 ff ff 00 56 c3 09 81 88 ff ff .........V......
00 17 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 3e1bb722):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
v4l2_ctrl_handler_free drivers/media/v4l2-core/v4l2-ctrls-core.c:1756 [inline]
v4l2_ctrl_handler_free+0x92/0x290 drivers/media/v4l2-core/v4l2-ctrls-core.c:1736
vivid_dev_release+0x26/0x90 drivers/media/test-drivers/vivid/vivid-core.c:857
v4l2_device_release drivers/media/v4l2-core/v4l2-device.c:51 [inline]
kref_put include/linux/kref.h:65 [inline]
v4l2_device_put+0x6b/0xa0 drivers/media/v4l2-core/v4l2-device.c:56
vivid_create_instance drivers/media/test-drivers/vivid/vivid-core.c:2070 [inline]
vivid_probe.cold+0x55a/0x386d drivers/media/test-drivers/vivid/vivid-core.c:2095
platform_probe+0x86/0xf0 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:583 [inline]
really_probe+0x12f/0x3a0 drivers/base/dd.c:661
__driver_probe_device+0xc7/0x160 drivers/base/dd.c:803
driver_probe_device+0x2a/0x120 drivers/base/dd.c:833
__driver_attach drivers/base/dd.c:1227 [inline]
__driver_attach+0x10a/0x200 drivers/base/dd.c:1167
bus_for_each_dev+0xb8/0x120 drivers/base/bus.c:383
bus_add_driver+0x122/0x280 drivers/base/bus.c:715
driver_register+0xb1/0x140 drivers/base/driver.c:249
BUG: memory leak
unreferenced object 0xffff888109c35c00 (size 512):
comm "kworker/0:1", pid 10, jiffies 4294937868
hex dump (first 32 bytes):
00 68 d4 09 81 88 ff ff 00 9c de 09 81 88 ff ff .h..............
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 9ab54a7c):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
vfree.part.0+0x1cd/0x4d0 mm/vmalloc.c:3484
vfree mm/vmalloc.c:3456 [inline]
delayed_vfree_work+0x5b/0x90 mm/vmalloc.c:3398
process_one_work+0x26c/0x5d0 kernel/workqueue.c:3275
process_scheduled_works kernel/workqueue.c:3358 [inline]
worker_thread+0x243/0x490 kernel/workqueue.c:3439
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810a9d9a00 (size 512):
comm "swapper/0", pid 1, jiffies 4294937887
hex dump (first 32 bytes):
00 02 b6 00 81 88 ff ff 00 98 9d 0a 81 88 ff ff ................
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc 368f6316):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
slab_sysfs_init+0xce/0xf0 mm/slub.c:9613
do_one_initcall+0x79/0x4c0 init/main.c:1382
do_initcall_level init/main.c:1444 [inline]
do_initcalls init/main.c:1460 [inline]
do_basic_setup init/main.c:1479 [inline]
kernel_init_freeable+0x2a4/0x340 init/main.c:1692
kernel_init+0x1b/0x1d0 init/main.c:1582
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810a9d9600 (size 512):
comm "swapper/0", pid 1, jiffies 4294937887
hex dump (first 32 bytes):
00 b6 34 0a 81 88 ff ff 00 6c c3 09 81 88 ff ff ..4......l......
00 16 04 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace (crc d6fcd7dc):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2771
alloc_empty_sheaf mm/slub.c:2786 [inline]
__pcs_replace_full_main+0xe8/0x300 mm/slub.c:5730
free_to_pcs mm/slub.c:5783 [inline]
slab_free mm/slub.c:6185 [inline]
kfree+0x352/0x390 mm/slub.c:6498
slab_sysfs_init+0xce/0xf0 mm/slub.c:9613
do_one_initcall+0x79/0x4c0 init/main.c:1382
do_initcall_level init/main.c:1444 [inline]
do_initcalls init/main.c:1460 [inline]
do_basic_setup init/main.c:1479 [inline]
kernel_init_freeable+0x2a4/0x340 init/main.c:1692
kernel_init+0x1b/0x1d0 init/main.c:1582
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: 1f318b96 Linux 7.0-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17bde806580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1065375a580000
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-10 3:54 ` syzbot
@ 2026-03-10 6:11 ` Harry Yoo
2026-03-10 6:29 ` syzbot
0 siblings, 1 reply; 35+ messages in thread
From: Harry Yoo @ 2026-03-10 6:11 UTC (permalink / raw)
To: syzbot
Cc: akpm, catalin.marinas, chao, hao.li, jaegeuk, jannh, liam.howlett,
linkinjeon, linux-f2fs-devel, linux-fsdevel, linux-kernel,
linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs,
vbabka, vbabka, wangqing7171
#syz test
diff --git a/Documentation/dev-tools/kmemleak.rst b/Documentation/dev-tools/kmemleak.rst
index 7d784e03f3f9..da2c849d4735 100644
--- a/Documentation/dev-tools/kmemleak.rst
+++ b/Documentation/dev-tools/kmemleak.rst
@@ -163,6 +163,7 @@ See the include/linux/kmemleak.h header for the functions prototype.
- ``kmemleak_not_leak`` - mark an object as not a leak
- ``kmemleak_transient_leak`` - mark an object as a transient leak
- ``kmemleak_ignore`` - do not scan or report an object as leak
+- ``kmemleak_unignore`` - undo a previous kmemleak_ignore()
- ``kmemleak_scan_area`` - add scan areas inside a memory block
- ``kmemleak_no_scan`` - do not scan a memory block
- ``kmemleak_erase`` - erase an old value in a pointer variable
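Review bot: the new ``kmemleak_unignore`` entry should say that the caller has to supply the min_count to restore, since the prototype added in include/linux/kmemleak.h takes `int min_count` and kmemleak_ignore() keeps no record of the value it overwrote; something like ``- ``kmemleak_unignore`` - undo a previous kmemleak_ignore(), restoring the given min_count`` tells the reader that this is not a pure toggle.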
diff --git a/include/linux/kmemleak.h b/include/linux/kmemleak.h
index fbd424b2abb1..4eec0560be09 100644
--- a/include/linux/kmemleak.h
+++ b/include/linux/kmemleak.h
@@ -28,6 +28,7 @@ extern void kmemleak_update_trace(const void *ptr) __ref;
extern void kmemleak_not_leak(const void *ptr) __ref;
extern void kmemleak_transient_leak(const void *ptr) __ref;
extern void kmemleak_ignore(const void *ptr) __ref;
+extern void kmemleak_unignore(const void *ptr, int min_count) __ref;
extern void kmemleak_ignore_percpu(const void __percpu *ptr) __ref;
extern void kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp) __ref;
extern void kmemleak_no_scan(const void *ptr) __ref;
@@ -104,6 +105,10 @@ static inline void kmemleak_ignore_percpu(const void __percpu *ptr)
static inline void kmemleak_ignore(const void *ptr)
{
}
+
+static inline void kmemleak_unignore(const void *ptr, int min_count)
+{
+}
static inline void kmemleak_scan_area(const void *ptr, size_t size, gfp_t gfp)
{
}
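Review bot: the blank `+` line inserted before the !CONFIG_DEBUG_KMEMLEAK stub of kmemleak_unignore() breaks the local layout: the six context lines of this hunk show that the existing stubs (kmemleak_ignore(), kmemleak_scan_area()) follow each other with no separating blank line, and no blank line is added after the new stub either. Drop the extra line so the new stub sits between its neighbours the way they sit next to each other.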
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d79acf5c5100..871e20ba3d7b 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -909,6 +909,8 @@ static void __paint_it(struct kmemleak_object *object, int color)
object->min_count = color;
if (color == KMEMLEAK_BLACK)
object->flags |= OBJECT_NO_SCAN;
+ else
+ object->flags &= ~OBJECT_NO_SCAN;
}
static void paint_it(struct kmemleak_object *object, int color)
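Review bot: the new `else object->flags &= ~OBJECT_NO_SCAN;` in __paint_it() changes behaviour for every caller that paints an object a non-black colour, not only for kmemleak_unignore(): an object that had kmemleak_no_scan() applied and is later passed to kmemleak_not_leak() (which paints it grey) would now have its no-scan flag silently cleared. If the intent is only to reverse kmemleak_ignore(), clear the flag only when the object is leaving KMEMLEAK_BLACK (test the old object->min_count before the `object->min_count = color;` assignment), or do the clearing in the kmemleak_unignore() path rather than in the shared helper.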
@@ -1292,6 +1294,24 @@ void __ref kmemleak_ignore(const void *ptr)
}
EXPORT_SYMBOL(kmemleak_ignore);
+/**
+ * kmemleak_unignore - undo a previous kmemleak_ignore() on an object
+ * @ptr: pointer to beginning of the object
+ * @min_count: minimum number of references the object must have to be
+ * considered a non-leak (see kmemleak_alloc() for details)
+ *
+ * Calling this function undoes a prior kmemleak_ignore() by restoring the
+ * given min_count, making the object visible to kmemleak again.
+ */
+void __ref kmemleak_unignore(const void *ptr, int min_count)
+{
+ pr_debug("%s(0x%px)\n", __func__, ptr);
+
+ if (kmemleak_enabled && ptr && !IS_ERR(ptr))
+ paint_ptr((unsigned long)ptr, min_count, 0);
+}
+EXPORT_SYMBOL(kmemleak_unignore);
+
/**
* kmemleak_scan_area - limit the range to be scanned in an allocated object
* @ptr: pointer to beginning or inside the object. This also
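Review bot: the `pr_debug("%s(0x%px)\n", __func__, ptr);` line in kmemleak_unignore() drops the one argument that distinguishes this call from kmemleak_ignore(); log it as well, e.g. `pr_debug("%s(0x%px, %d)\n", __func__, ptr, min_count);`. The kerneldoc wording "making the object visible to kmemleak again" is also slightly off, because an ignored object is still tracked, just neither scanned nor reported; "so that it is scanned and can be reported again" describes what paint_ptr() with a non-black colour now does.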
diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();
- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }
// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
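Review bot: kmemleak_ignore(ptr) paints the queued object black, which (with the __paint_it() change in this same patch) also sets OBJECT_NO_SCAN, so for the whole grace period kmemleak stops following any pointer stored inside the object. If the goal is only to keep the object itself from being reported while it sits in an RCU sheaf, kmemleak_not_leak() (grey: never reported, still scanned) is the narrower annotation and avoids turning anything reachable only through this object into a new false positive. The comment should also state why kmemleak would otherwise report the object (it is referenced only from a sheaf that is itself handed to call_rcu()) instead of just "Tell kmemleak to ignore it", so the call is not removed later as redundant.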
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..3bfe113ae326 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3014,8 +3014,10 @@ static void pcs_flush_all(struct kmem_cache *s)
free_empty_sheaf(s, spare);
}
- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }
sheaf_flush_main(s);
}
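Review bot: the `kmemleak_ignore(rcu_free); call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);` pair introduced here is repeated verbatim in __pcs_flush_all_cpu(), flush_rcu_sheaf() and __kfree_rcu_sheaf() further down in this patch; a small static helper that does the kmemleak call and the call_rcu() together would keep a future call site from forgetting the annotation. It is also worth a one-line comment that, if rcu_free_sheaf_nobarn() frees the sheaf rather than returning it to a barn as its name suggests, no kmemleak_unignore() is needed on this path because kmemleak_free() drops the object, unlike the rcu_free_sheaf() callback changed later in the same patch.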
@@ -3035,6 +3037,7 @@ static void __pcs_flush_all_cpu(struct kmem_cache *s, unsigned int cpu)
}
if (pcs->rcu_free) {
+ kmemleak_ignore(pcs->rcu_free);
call_rcu(&pcs->rcu_free->rcu_head, rcu_free_sheaf_nobarn);
pcs->rcu_free = NULL;
}
@@ -4031,8 +4034,10 @@ static void flush_rcu_sheaf(struct work_struct *w)
local_unlock(&s->cpu_sheaves->lock);
- if (rcu_free)
+ if (rcu_free) {
+ kmemleak_ignore(rcu_free);
call_rcu(&rcu_free->rcu_head, rcu_free_sheaf_nobarn);
+ }
}
@@ -5832,6 +5837,7 @@ static void rcu_free_sheaf(struct rcu_head *head)
if (data_race(barn->nr_full) < MAX_FULL_SHEAVES) {
stat(s, BARN_PUT);
+ kmemleak_unignore(sheaf, 1);
barn_put_full_sheaf(barn, sheaf);
return;
}
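Review bot: `kmemleak_unignore(sheaf, 1);` hard-codes the min_count as a bare 1 with no explanation, here and again before barn_put_empty_sheaf() in the next hunk. The value is the min_count every ordinary slab object is registered with, so give it a name or a comment, and consider doing the unignore once in rcu_free_sheaf() before the barn checks (or inside the barn_put_*_sheaf() helpers) instead of duplicating it in front of each put. A short comment that the fall-through path, where the sheaf is freed, needs no unignore because kmemleak_free() removes the object would also help.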
@@ -5842,6 +5848,7 @@ static void rcu_free_sheaf(struct rcu_head *head)
empty:
if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES) {
+ kmemleak_unignore(sheaf, 1);
barn_put_empty_sheaf(barn, sheaf);
return;
}
@@ -5948,8 +5955,10 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj)
* we flush before local_unlock to make sure a racing
* flush_all_rcu_sheaves() doesn't miss this sheaf
*/
- if (rcu_sheaf)
+ if (rcu_sheaf) {
+ kmemleak_ignore(rcu_sheaf);
call_rcu(&rcu_sheaf->rcu_head, rcu_free_sheaf);
+ }
local_unlock(&s->cpu_sheaves->lock);
@@ -7538,6 +7547,7 @@ static void early_kmem_cache_node_alloc(int node)
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
kmem_cache_node->node[node] = n;
+ kmemleak_alloc(n, kmem_cache_node->size, 1, GFP_NOWAIT);
init_kmem_cache_node(n, NULL);
inc_slabs_node(kmem_cache_node, node, slab->objects);
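Review bot: `kmemleak_alloc(n, kmem_cache_node->size, 1, GFP_NOWAIT);` registers the node with the cache's slot size rather than its object size. `size` covers whatever debug metadata (red zones, free pointer, tracking) is laid out around the object, while the normal slab_post_alloc_hook() path reports the cache's `object_size` to kmemleak; with slab debugging enabled, kmemleak would scan the metadata bytes of this node as if they held pointers. Use `kmem_cache_node->object_size` (or sizeof(*n)) so the bootstrap node is registered the same way as every later kmem_cache_node allocation, and add a comment saying the manual call exists because early_kmem_cache_node_alloc() takes the object off the freelist directly and bypasses the allocation hooks.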
base-commit: c23719abc3308df7ed3ad35650ad211fb2d2003d
--
2.43.0
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-10 6:11 ` Harry Yoo
@ 2026-03-10 6:29 ` syzbot
2026-03-10 8:10 ` Harry Yoo
0 siblings, 1 reply; 35+ messages in thread
From: syzbot @ 2026-03-10 6:29 UTC (permalink / raw)
To: akpm, catalin.marinas, chao, hao.li, harry.yoo, jaegeuk, jannh,
liam.howlett, linkinjeon, linux-f2fs-devel, linux-fsdevel,
linux-kernel, linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo,
syzkaller-bugs, vbabka, vbabka, wangqing7171
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in copy_process
BUG: memory leak
unreferenced object 0xffff888101799d80 (size 184):
comm "kthreadd", pid 2, jiffies 4294948049
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0a 21 00 00 00 00 00 00 58 78 fd 01 81 88 ff ff .!......Xx......
backtrace (crc e9f8bd9):
kmemleak_alloc_recursive include/linux/kmemleak.h:45 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
kmem_cache_alloc_noprof+0x372/0x480 mm/slub.c:4881
alloc_pid+0xe4/0x850 kernel/pid.c:189
copy_process+0x1a97/0x28c0 kernel/fork.c:2239
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810b0d7b40 (size 184):
comm "kthreadd", pid 2, jiffies 4294948049
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc ddb1bc35):
kmemleak_alloc_recursive include/linux/kmemleak.h:45 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
kmem_cache_alloc_noprof+0x372/0x480 mm/slub.c:4881
prepare_creds+0x22/0x600 kernel/cred.c:185
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x28c0 kernel/fork.c:2084
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810b91e4a0 (size 32):
comm "kthreadd", pid 2, jiffies 4294948049
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f8 6e 0a 00 81 88 ff ff 00 00 00 00 00 00 00 00 .n..............
backtrace (crc 13ba6aa5):
kmemleak_alloc_recursive include/linux/kmemleak.h:45 [inline]
slab_post_alloc_hook mm/slub.c:4552 [inline]
slab_alloc_node mm/slub.c:4874 [inline]
__do_kmalloc_node mm/slub.c:5267 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5280
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_cred_alloc security/security.c:209 [inline]
security_prepare_creds+0x2d/0x290 security/security.c:2763
prepare_creds+0x395/0x600 kernel/cred.c:215
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x28c0 kernel/fork.c:2084
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: 1f318b96 Linux 7.0-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1224694a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=110faf5a580000
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-10 6:29 ` syzbot
@ 2026-03-10 8:10 ` Harry Yoo
2026-03-10 9:40 ` syzbot
` (2 more replies)
0 siblings, 3 replies; 35+ messages in thread
From: Harry Yoo @ 2026-03-10 8:10 UTC (permalink / raw)
To: syzbot
Cc: akpm, catalin.marinas, chao, hao.li, jaegeuk, jannh, liam.howlett,
linkinjeon, linux-f2fs-devel, linux-fsdevel, linux-kernel,
linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs,
vbabka, vbabka, wangqing7171
#syz test
diff --git a/mm/slab_common.c b/mm/slab_common.c
index d5a70a831a2a..73f4668d870d 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1954,8 +1954,14 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr)
if (!head)
might_sleep();
- if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr))
+ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && kfree_rcu_sheaf(ptr)) {
+ /*
+ * The object is now queued for deferred freeing via an RCU
+ * sheaf. Tell kmemleak to ignore it.
+ */
+ kmemleak_ignore(ptr);
return;
+ }
// Queue the object but don't yet schedule the batch.
if (debug_rcu_head_queue(ptr)) {
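Review bot: this per-object kmemleak_ignore(ptr) is only needed because the sheaf holding the object is itself painted black (and therefore not scanned) by the __alloc_empty_sheaf() change in the same patch, so the pointers the sheaf keeps to its queued objects are never followed. If the sheaf were marked with kmemleak_not_leak() instead (grey: never reported, still scanned), the queued objects would be found through the sheaf and this hunk could go, confining the change to mm/slub.c; if the black paint is kept deliberately, the comment here should name that dependency rather than just "Tell kmemleak to ignore it".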
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..2f2228d3e8b2 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2776,6 +2776,7 @@ static struct slab_sheaf *__alloc_empty_sheaf(struct kmem_cache *s, gfp_t gfp,
sheaf->cache = s;
stat(s, SHEAF_ALLOC);
+ kmemleak_ignore(sheaf);
return sheaf;
}
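Review bot: `kmemleak_ignore(sheaf);` immediately after allocation silences kmemleak for every sheaf for its whole lifetime, not only while one is queued to call_rcu(), so a sheaf genuinely lost on an error path or during cache teardown can never be reported, and with OBJECT_NO_SCAN set nothing the sheaf points to is followed either. Two narrower options: kmemleak_not_leak() (grey) keeps the sheaf scanned and only suppresses the report, or keep the ignore but apply it only where a sheaf is handed to call_rcu(). Whichever is chosen, a comment explaining why sheaves need special treatment belongs next to the call; a reader of __alloc_empty_sheaf() alone has no way to see it.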
@@ -7538,6 +7539,7 @@ static void early_kmem_cache_node_alloc(int node)
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
kmem_cache_node->node[node] = n;
+ kmemleak_alloc(n, kmem_cache_node->object_size, 1, GFP_NOWAIT);
init_kmem_cache_node(n, NULL);
inc_slabs_node(kmem_cache_node, node, slab->objects);
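Review bot: `kmemleak_alloc(n, kmem_cache_node->object_size, 1, GFP_NOWAIT);` should carry a comment saying why it is here: this bootstrap allocation takes the object straight off the freelist and bypasses the normal allocation hooks, so without it kmemleak never learns about the first kmem_cache_node and cannot follow the pointers it holds. Note in the same comment that the `1` is the min_count ordinary slab objects are registered with, so the two paths stay in step if that default ever changes.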
base-commit: c23719abc3308df7ed3ad35650ad211fb2d2003d
--
2.43.0
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-10 8:10 ` Harry Yoo
@ 2026-03-10 9:40 ` syzbot
2026-03-18 2:34 ` Harry Yoo
2026-03-18 4:10 ` Harry Yoo
2 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2026-03-10 9:40 UTC (permalink / raw)
To: akpm, catalin.marinas, chao, hao.li, harry.yoo, jaegeuk, jannh,
liam.howlett, linkinjeon, linux-f2fs-devel, linux-fsdevel,
linux-kernel, linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo,
syzkaller-bugs, vbabka, vbabka, wangqing7171
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __kthread_create_on_node
BUG: memory leak
unreferenced object 0xffff88811351d1b0 (size 16):
comm "syz.0.38", pid 7021, jiffies 4294948268
hex dump (first 16 bytes):
66 32 66 73 5f 66 6c 75 73 68 2d 37 3a 30 00 00 f2fs_flush-7:0..
backtrace (crc 73f9c04e):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
__do_kmalloc_node mm/slub.c:5263 [inline]
__kmalloc_node_track_caller_noprof+0x3e0/0x5d0 mm/slub.c:5372
kvasprintf+0x6e/0xf0 lib/kasprintf.c:25
__kthread_create_on_node+0x9e/0x1c0 kernel/kthread.c:491
kthread_create_on_node+0x73/0xa0 kernel/kthread.c:559
f2fs_create_flush_cmd_control+0x178/0x200 fs/f2fs/segment.c:707
f2fs_build_segment_manager+0x212/0x3630 fs/f2fs/segment.c:5734
f2fs_fill_super+0x14b1/0x3c20 fs/f2fs/super.c:5140
get_tree_bdev_flags+0x1c0/0x290 fs/super.c:1694
vfs_get_tree+0x30/0x120 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3763 [inline]
do_new_mount fs/namespace.c:3839 [inline]
path_mount+0x5a9/0x1360 fs/namespace.c:4159
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount fs/namespace.c:4338 [inline]
__x64_sys_mount+0x1a3/0x1e0 fs/namespace.c:4338
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88810b6a4700 (size 4544):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
04 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 01 00 00 00 80 00 00 00 00 00 00 00 ................
backtrace (crc 71339aaa):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
kmem_cache_alloc_node_noprof+0x373/0x4d0 mm/slub.c:4922
alloc_task_struct_node kernel/fork.c:185 [inline]
dup_task_struct kernel/fork.c:916 [inline]
copy_process+0x286/0x28c0 kernel/fork.c:2050
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888109f45f00 (size 184):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 5ee6cb00):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
kmem_cache_alloc_noprof+0x372/0x480 mm/slub.c:4877
prepare_creds+0x22/0x600 kernel/cred.c:185
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x28c0 kernel/fork.c:2084
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff8881096f8240 (size 32):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f8 6e 0a 00 81 88 ff ff 00 00 00 00 00 00 00 00 .n..............
backtrace (crc 13ba6aa5):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
__do_kmalloc_node mm/slub.c:5263 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5276
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_cred_alloc security/security.c:209 [inline]
security_prepare_creds+0x2d/0x290 security/security.c:2763
prepare_creds+0x395/0x600 kernel/cred.c:215
copy_creds+0x44/0x290 kernel/cred.c:286
copy_process+0x7a7/0x28c0 kernel/fork.c:2084
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff888125626e40 (size 192):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
02 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ................
01 00 00 00 00 00 00 00 60 4a 8a 82 ff ff ff ff ........`J......
backtrace (crc 3a1ec858):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
__kmalloc_cache_noprof+0x377/0x480 mm/slub.c:5379
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
set_kthread_struct+0x58/0x150 kernel/kthread.c:107
copy_process+0x15b8/0x28c0 kernel/fork.c:2152
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88812cb53700 (size 64):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
20 09 d5 89 ff ff ff ff 00 00 00 00 00 00 00 00 ...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc e7a33bad):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
__do_kmalloc_node mm/slub.c:5263 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5276
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
lsm_blob_alloc+0x4d/0x80 security/security.c:192
lsm_task_alloc security/security.c:244 [inline]
security_task_alloc+0x2a/0x260 security/security.c:2682
copy_process+0xedf/0x28c0 kernel/fork.c:2205
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88810b507180 (size 1152):
comm "kthreadd", pid 2, jiffies 4294948268
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
90 71 50 0b 81 88 ff ff 90 71 50 0b 81 88 ff ff .qP......qP.....
backtrace (crc ef1916d7):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4548 [inline]
slab_alloc_node mm/slub.c:4870 [inline]
kmem_cache_alloc_noprof+0x372/0x480 mm/slub.c:4877
copy_signal kernel/fork.c:1700 [inline]
copy_process+0x10da/0x28c0 kernel/fork.c:2220
kernel_clone+0xac/0x6e0 kernel/fork.c:2654
kernel_thread+0x80/0xb0 kernel/fork.c:2715
create_kthread kernel/kthread.c:459 [inline]
kthreadd+0x186/0x250 kernel/kthread.c:817
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: 1f318b96 Linux 7.0-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1751f8d6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c6ad6fefffa76b1
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=10def8d6580000
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-10 8:10 ` Harry Yoo
2026-03-10 9:40 ` syzbot
@ 2026-03-18 2:34 ` Harry Yoo
2026-03-18 3:08 ` syzbot
2026-03-18 4:10 ` Harry Yoo
2 siblings, 1 reply; 35+ messages in thread
From: Harry Yoo @ 2026-03-18 2:34 UTC (permalink / raw)
To: syzbot
Cc: akpm, catalin.marinas, chao, hao.li, jaegeuk, jannh, liam.howlett,
linkinjeon, linux-f2fs-devel, linux-fsdevel, linux-kernel,
linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs,
vbabka, vbabka, wangqing7171
#syz test
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d79acf5c5100..b7be2cc1efc3 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -50,8 +50,8 @@
*
* The kmemleak_object structures have a use_count incremented or decremented
* using the get_object()/put_object() functions. When the use_count becomes
- * 0, this count can no longer be incremented and put_object() schedules the
- * kmemleak_object freeing via an RCU callback. All calls to the get_object()
+ * 0, this count can no longer be incremented and put_object() adds the
+ * kmemleak_object to a deferred free list. All calls to the get_object()
* function must be protected by rcu_read_lock() to avoid accessing a freed
* structure.
*/
@@ -93,6 +93,7 @@
#include <linux/mm.h>
#include <linux/workqueue.h>
#include <linux/crc32.h>
+#include <linux/llist.h>
#include <asm/sections.h>
#include <asm/processor.h>
@@ -138,7 +139,7 @@ struct kmemleak_object {
struct list_head object_list;
struct list_head gray_list;
struct rb_node rb_node;
- struct rcu_head rcu; /* object_list lockless traversal */
+ struct llist_node free_node; /* deferred freeing */
/* object usage count; object freed when use_count == 0 */
atomic_t use_count;
unsigned int del_state; /* deletion state */
@@ -209,6 +210,13 @@ static DEFINE_RAW_SPINLOCK(kmemleak_lock);
static struct kmem_cache *object_cache;
static struct kmem_cache *scan_area_cache;
+/* objects pending RCU-deferred freeing */
+static LLIST_HEAD(objects_to_free);
+static atomic_long_t objects_to_free_count;
+static void flush_deferred_frees_work(struct work_struct *work);
+static DECLARE_WORK(deferred_free_work, flush_deferred_frees_work);
+#define DEFERRED_FREE_BATCH 256
+
/* set if tracing memory operations is enabled */
static int kmemleak_enabled __read_mostly = 1;
/* same as above but only for the kmemleak_free() callback */
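Review bot: `#define DEFERRED_FREE_BATCH 256` is introduced with no rationale, and `objects_to_free_count` is only approximate (the llist_add() and the atomic increment in put_object() are two separate operations, so the counter briefly lags the list). A comment stating that the count exists only to decide when to kick deferred_free_work and need not be exact, plus where 256 comes from, would stop the next reader from trying to make it precise; `/* objects pending RCU-deferred freeing */` is the natural place for it.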
@@ -522,14 +530,12 @@ static void mem_pool_free(struct kmemleak_object *object)
}
/*
- * RCU callback to free a kmemleak_object.
+ * Free a kmemleak_object and its associated scan areas.
*/
-static void free_object_rcu(struct rcu_head *rcu)
+static void free_object(struct kmemleak_object *object)
{
struct hlist_node *tmp;
struct kmemleak_scan_area *area;
- struct kmemleak_object *object =
- container_of(rcu, struct kmemleak_object, rcu);
/*
* Once use_count is 0 (guaranteed by put_object), there is no other
@@ -543,11 +549,19 @@ static void free_object_rcu(struct rcu_head *rcu)
}
/*
- * Decrement the object use_count. Once the count is 0, free the object using
- * an RCU callback. Since put_object() may be called via the kmemleak_free() ->
- * delete_object() path, the delayed RCU freeing ensures that there is no
- * recursive call to the kernel allocator. Lock-less RCU object_list traversal
- * is also possible.
+ * Decrement the object use_count. Once the count is 0, add the object to the
+ * deferred free list. Since put_object() may be called via the
+ * kmemleak_free() -> delete_object() path, the deferred freeing ensures that
+ * there is no recursive call to the kernel allocator. Lock-less RCU
+ * object_list traversal is also possible. The actual freeing happens after
+ * an RCU grace period in flush_deferred_frees().
+ *
+ * Unlike the previous call_rcu()-based approach, this avoids embedding
+ * rcu_head in kmemleak_object. Objects from SLAB_NOLEAKTRACE caches (like
+ * kmemleak's own object_cache) are not tracked by kmemleak. When such
+ * objects were linked in the call_rcu callback chain via rcu_head->next,
+ * kmemleak could not scan through them, breaking the chain and causing
+ * false positive leak reports for objects queued after them.
*/
static void put_object(struct kmemleak_object *object)
{
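Review bot: the paragraph starting "Unlike the previous call_rcu()-based approach" describes history rather than the code; once merged there is no "previous" approach for a reader to compare against. Phrase it as present-tense rationale, e.g. "kmemleak_object deliberately has no rcu_head: objects from SLAB_NOLEAKTRACE caches are not tracked, so a call_rcu() list threaded through rcu_head->next cannot be scanned past them and everything queued behind them shows up as a false positive", and keep the description of the false-positive mechanism, which is the most useful part of this comment.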
@@ -558,14 +572,46 @@ static void put_object(struct kmemleak_object *object)
WARN_ON(object->flags & OBJECT_ALLOCATED);
/*
- * It may be too early for the RCU callbacks, however, there is no
+ * It may be too early for deferred freeing, however, there is no
* concurrent object_list traversal when !object_cache and all objects
* came from the memory pool. Free the object directly.
*/
- if (object_cache)
- call_rcu(&object->rcu, free_object_rcu);
- else
- free_object_rcu(&object->rcu);
+ if (object_cache) {
+ llist_add(&object->free_node, &objects_to_free);
+ if (atomic_long_inc_return(&objects_to_free_count) >=
+ DEFERRED_FREE_BATCH)
+ schedule_work(&deferred_free_work);
+ } else {
+ free_object(object);
+ }
+}
+
+/*
+ * Flush all deferred object frees after an RCU grace period. This must be
+ * called from a context that can block.
+ */
+static void flush_deferred_frees(void)
+{
+ struct llist_node *list;
+ struct kmemleak_object *object, *tmp;
+ long count = 0;
+
+ list = llist_del_all(&objects_to_free);
+ if (!list)
+ return;
+
+ synchronize_rcu();
+
+ llist_for_each_entry_safe(object, tmp, list, free_node) {
+ free_object(object);
+ count++;
+ }
+ atomic_long_sub(count, &objects_to_free_count);
+}
+
+static void flush_deferred_frees_work(struct work_struct *work)
+{
+ flush_deferred_frees();
}
/*
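Review bot: objects that never reach DEFERRED_FREE_BATCH are never freed: put_object() only calls schedule_work() when `atomic_long_inc_return(&objects_to_free_count) >= DEFERRED_FREE_BATCH`, and the only other caller of flush_deferred_frees() in this patch is __kmemleak_do_cleanup(), so on a system that frees fewer than 256 tracked objects and then goes quiet, up to 255 kmemleak_object structures (and their scan areas) stay pinned on objects_to_free indefinitely. Drain the list on a second trigger as well, for example from the scan thread at the end of each scan or from a delayed work armed on the first llist_add(), so the batch threshold is an optimisation rather than the sole trigger. The concurrent case (the work item and cleanup calling flush_deferred_frees() at the same time) is safe because llist_del_all() hands each caller a private list, but that is worth a sentence in the comment above flush_deferred_frees().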
@@ -809,7 +855,7 @@ static void create_object_percpu(unsigned long ptr, size_t size,
}
/*
- * Mark the object as not allocated and schedule RCU freeing via put_object().
+ * Mark the object as not allocated and schedule deferred freeing via put_object().
*/
static void __delete_object(struct kmemleak_object *object)
{
@@ -2209,6 +2255,7 @@ static void __kmemleak_do_cleanup(void)
if (!(++cnt & 0x3f))
cond_resched();
}
+ flush_deferred_frees();
}
/*
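Review bot: the `flush_deferred_frees();` added at the end of __kmemleak_do_cleanup() does not wait for a deferred_free_work instance that is already queued or running; put a flush_work(&deferred_free_work) (or cancel_work_sync()) in front of it so that no work item is still executing free_object() after cleanup returns, and so that the objects the loop above just handed to put_object() are freed by this call rather than by a later work run.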
base-commit: fda995dadf2960405545e5002aaa85207aa758cf
--
2.43.0
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-18 2:34 ` Harry Yoo
@ 2026-03-18 3:08 ` syzbot
0 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2026-03-18 3:08 UTC (permalink / raw)
To: akpm, catalin.marinas, chao, hao.li, harry.yoo, jaegeuk, jannh,
liam.howlett, linkinjeon, linux-f2fs-devel, linux-fsdevel,
linux-kernel, linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo,
syzkaller-bugs, vbabka, vbabka, wangqing7171
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main
BUG: memory leak
unreferenced object 0xffff88810e983c00 (size 512):
comm "softirq", pid 0, jiffies 4294948614
hex dump (first 32 bytes):
c8 2c 04 00 81 88 ff ff 00 a4 98 0e 81 88 ff ff .,..............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 8f5c2bf9):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
alloc_full_sheaf mm/slub.c:2829 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4626
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
cfg80211_inform_single_bss_data+0x21d/0xa70 net/wireless/scan.c:2344
cfg80211_inform_bss_data+0x13f/0x1dc0 net/wireless/scan.c:3226
cfg80211_inform_bss_frame_data+0x108/0x340 net/wireless/scan.c:3317
ieee80211_bss_info_update+0x13a/0x320 net/mac80211/scan.c:230
ieee80211_scan_rx+0x269/0x3b0 net/mac80211/scan.c:364
__ieee80211_rx_handle_packet net/mac80211/rx.c:5305 [inline]
ieee80211_rx_list+0x111b/0x1850 net/mac80211/rx.c:5588
ieee80211_rx_napi+0x50/0x110 net/mac80211/rx.c:5611
ieee80211_rx include/net/mac80211.h:5267 [inline]
ieee80211_handle_queued_frames+0x9c/0xf0 net/mac80211/main.c:452
tasklet_action_common+0xb7/0x270 kernel/softirq.c:925
handle_softirqs+0xdf/0x2c0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x91/0xb0 kernel/softirq.c:723
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x73/0x80 arch/x86/kernel/apic/apic.c:1056
BUG: memory leak
unreferenced object 0xffff88810e98a400 (size 512):
comm "kworker/u8:7", pid 1022, jiffies 4294952987
hex dump (first 32 bytes):
00 3c 98 0e 81 88 ff ff 00 68 cd 2a 81 88 ff ff .<.......h.*....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc b6e2f12f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
alloc_full_sheaf mm/slub.c:2829 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4626
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
cfg80211_inform_single_bss_data+0x21d/0xa70 net/wireless/scan.c:2344
cfg80211_inform_bss_data+0x13f/0x1dc0 net/wireless/scan.c:3226
cfg80211_inform_bss_frame_data+0x108/0x340 net/wireless/scan.c:3317
ieee80211_bss_info_update+0x13a/0x320 net/mac80211/scan.c:230
ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline]
ieee80211_ibss_rx_queued_mgmt+0xb75/0x1230 net/mac80211/ibss.c:1602
ieee80211_iface_process_skb net/mac80211/iface.c:1748 [inline]
ieee80211_iface_work+0x6af/0x9b0 net/mac80211/iface.c:1802
cfg80211_wiphy_work+0x1db/0x280 net/wireless/core.c:440
process_one_work+0x277/0x5f0 kernel/workqueue.c:3276
process_scheduled_works kernel/workqueue.c:3359 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3440
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: a989fde7 Merge tag 'libnvdimm-fixes-7.0-rc5' of git://..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1005f8da580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2bba615ee79faa5
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1405b406580000
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-10 8:10 ` Harry Yoo
2026-03-10 9:40 ` syzbot
2026-03-18 2:34 ` Harry Yoo
@ 2026-03-18 4:10 ` Harry Yoo
2026-03-18 5:02 ` syzbot
2 siblings, 1 reply; 35+ messages in thread
From: Harry Yoo @ 2026-03-18 4:10 UTC (permalink / raw)
To: syzbot
Cc: akpm, catalin.marinas, chao, hao.li, jaegeuk, jannh, liam.howlett,
linkinjeon, linux-f2fs-devel, linux-fsdevel, linux-kernel,
linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo, syzkaller-bugs,
vbabka, vbabka, wangqing7171
#syz test
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d79acf5c5100..b7be2cc1efc3 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -50,8 +50,8 @@
*
* The kmemleak_object structures have a use_count incremented or decremented
* using the get_object()/put_object() functions. When the use_count becomes
- * 0, this count can no longer be incremented and put_object() schedules the
- * kmemleak_object freeing via an RCU callback. All calls to the get_object()
+ * 0, this count can no longer be incremented and put_object() adds the
+ * kmemleak_object to a deferred free list. All calls to the get_object()
* function must be protected by rcu_read_lock() to avoid accessing a freed
* structure.
*/
@@ -93,6 +93,7 @@
#include <linux/mm.h>
#include <linux/workqueue.h>
#include <linux/crc32.h>
+#include <linux/llist.h>
#include <asm/sections.h>
#include <asm/processor.h>
@@ -138,7 +139,7 @@ struct kmemleak_object {
struct list_head object_list;
struct list_head gray_list;
struct rb_node rb_node;
- struct rcu_head rcu; /* object_list lockless traversal */
+ struct llist_node free_node; /* deferred freeing */
/* object usage count; object freed when use_count == 0 */
atomic_t use_count;
unsigned int del_state; /* deletion state */
@@ -209,6 +210,13 @@ static DEFINE_RAW_SPINLOCK(kmemleak_lock);
static struct kmem_cache *object_cache;
static struct kmem_cache *scan_area_cache;
+/* objects pending RCU-deferred freeing */
+static LLIST_HEAD(objects_to_free);
+static atomic_long_t objects_to_free_count;
+static void flush_deferred_frees_work(struct work_struct *work);
+static DECLARE_WORK(deferred_free_work, flush_deferred_frees_work);
+#define DEFERRED_FREE_BATCH 256
+
/* set if tracing memory operations is enabled */
static int kmemleak_enabled __read_mostly = 1;
/* same as above but only for the kmemleak_free() callback */
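Review bot: with DEFERRED_FREE_BATCH at 256 and schedule_work() fired only from put_object() when objects_to_free_count crosses that threshold, up to 255 dead kmemleak_objects can sit on objects_to_free indefinitely once frees stop, since nothing else drains the list until __kmemleak_do_cleanup(). Consider also kicking deferred_free_work from the scan thread or a timer, and add a comment next to the define saying how 256 was chosen. A short comment on why objects_to_free_count is kept as a separate atomic rather than derived from the list would help too, since llist has no O(1) length.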
@@ -522,14 +530,12 @@ static void mem_pool_free(struct kmemleak_object *object)
}
/*
- * RCU callback to free a kmemleak_object.
+ * Free a kmemleak_object and its associated scan areas.
*/
-static void free_object_rcu(struct rcu_head *rcu)
+static void free_object(struct kmemleak_object *object)
{
struct hlist_node *tmp;
struct kmemleak_scan_area *area;
- struct kmemleak_object *object =
- container_of(rcu, struct kmemleak_object, rcu);
/*
* Once use_count is 0 (guaranteed by put_object), there is no other
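Review bot: free_object() is now reached two ways, from flush_deferred_frees() after synchronize_rcu() and directly from put_object() when !object_cache, so the rewritten header comment should state that the caller guarantees no RCU reader can still hold the object; the sentence that follows ("Once use_count is 0 (guaranteed by put_object), there is no other") covers the refcount but no longer covers the grace period, which used to be implicit in the RCU callback.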
@@ -543,11 +549,19 @@ static void free_object_rcu(struct rcu_head *rcu)
}
/*
- * Decrement the object use_count. Once the count is 0, free the object using
- * an RCU callback. Since put_object() may be called via the kmemleak_free() ->
- * delete_object() path, the delayed RCU freeing ensures that there is no
- * recursive call to the kernel allocator. Lock-less RCU object_list traversal
- * is also possible.
+ * Decrement the object use_count. Once the count is 0, add the object to the
+ * deferred free list. Since put_object() may be called via the
+ * kmemleak_free() -> delete_object() path, the deferred freeing ensures that
+ * there is no recursive call to the kernel allocator. Lock-less RCU
+ * object_list traversal is also possible. The actual freeing happens after
+ * an RCU grace period in flush_deferred_frees().
+ *
+ * Unlike the previous call_rcu()-based approach, this avoids embedding
+ * rcu_head in kmemleak_object. Objects from SLAB_NOLEAKTRACE caches (like
+ * kmemleak's own object_cache) are not tracked by kmemleak. When such
+ * objects were linked in the call_rcu callback chain via rcu_head->next,
+ * kmemleak could not scan through them, breaking the chain and causing
+ * false positive leak reports for objects queued after them.
*/
static void put_object(struct kmemleak_object *object)
{
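Review bot: the new paragraph in this comment states the root cause as fact ("kmemleak could not scan through them, breaking the chain and causing false positive leak reports"), but the syzbot run that follows this message still reports the sheaf leak with this patch applied, so that sentence should be phrased as the hypothesis under test, or moved to the commit message where the test outcome can qualify it. It is also worth saying explicitly that objects_to_free has the same property (its free_node chain runs through untracked object_cache objects) and that this is acceptable only because nothing other than kmemleak_objects is ever linked into that list.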
@@ -558,14 +572,46 @@ static void put_object(struct kmemleak_object *object)
WARN_ON(object->flags & OBJECT_ALLOCATED);
/*
- * It may be too early for the RCU callbacks, however, there is no
+ * It may be too early for deferred freeing, however, there is no
* concurrent object_list traversal when !object_cache and all objects
* came from the memory pool. Free the object directly.
*/
- if (object_cache)
- call_rcu(&object->rcu, free_object_rcu);
- else
- free_object_rcu(&object->rcu);
+ if (object_cache) {
+ llist_add(&object->free_node, &objects_to_free);
+ if (atomic_long_inc_return(&objects_to_free_count) >=
+ DEFERRED_FREE_BATCH)
+ schedule_work(&deferred_free_work);
+ } else {
+ free_object(object);
+ }
+}
+
+/*
+ * Flush all deferred object frees after an RCU grace period. This must be
+ * called from a context that can block.
+ */
+static void flush_deferred_frees(void)
+{
+ struct llist_node *list;
+ struct kmemleak_object *object, *tmp;
+ long count = 0;
+
+ list = llist_del_all(&objects_to_free);
+ if (!list)
+ return;
+
+ synchronize_rcu();
+
+ llist_for_each_entry_safe(object, tmp, list, free_node) {
+ free_object(object);
+ count++;
+ }
+ atomic_long_sub(count, &objects_to_free_count);
+}
+
+static void flush_deferred_frees_work(struct work_struct *work)
+{
+ flush_deferred_frees();
}
/*
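Review bot: in flush_deferred_frees() the atomic_long_sub() runs only after all frees, so put_object() callers during the synchronize_rcu() window see an inflated count and keep calling schedule_work() for work that is already running; harmless, but counting the detached list right after llist_del_all() and subtracting before the grace period keeps the counter meaning "objects still queued". The comment above put_object() says the actual freeing happens "after an RCU grace period in flush_deferred_frees()", which understates the delay: it happens after the next batch fills or at cleanup, whichever comes first, and the comment should say so. The comment on flush_deferred_frees() requires a context that can block; both callers (the work item and __kmemleak_do_cleanup()) satisfy that, so a might_sleep() would document it in code.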
@@ -809,7 +855,7 @@ static void create_object_percpu(unsigned long ptr, size_t size,
}
/*
- * Mark the object as not allocated and schedule RCU freeing via put_object().
+ * Mark the object as not allocated and schedule deferred freeing via put_object().
*/
static void __delete_object(struct kmemleak_object *object)
{
@@ -2209,6 +2255,7 @@ static void __kmemleak_do_cleanup(void)
if (!(++cnt & 0x3f))
cond_resched();
}
+ flush_deferred_frees();
}
/*
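Review bot: __kmemleak_do_cleanup() now calls flush_deferred_frees() directly, but deferred_free_work may be queued or mid-flight at the same time; both paths use llist_del_all() so there is no double free, yet the work item can still run after cleanup returns. A flush_work(&deferred_free_work) (or cancel_work_sync()) before this call would make the ordering explicit, and if anything later in cleanup releases object_cache, this flush must stay ahead of it.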
diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..6bdf409d427e 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -7537,6 +7537,7 @@ static void early_kmem_cache_node_alloc(int node)
n = kasan_slab_alloc(kmem_cache_node, n, GFP_KERNEL, false);
slab->freelist = get_freepointer(kmem_cache_node, n);
slab->inuse = 1;
+ kmemleak_alloc(n, sizeof(*n), 1, GFP_NOWAIT);
kmem_cache_node->node[node] = n;
init_kmem_cache_node(n, NULL);
inc_slabs_node(kmem_cache_node, node, slab->objects);
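Review bot: the added kmemleak_alloc() passes GFP_NOWAIT while the kasan_slab_alloc() call three lines above uses GFP_KERNEL; either use the same flag or add a comment on why kmemleak must not sleep here. A one-line comment explaining that this early bootstrap allocation bypasses the normal slab hook that registers objects with kmemleak (the kmemleak_alloc_recursive call in slab_post_alloc_hook seen in the reports above) would also make the intent clear to the next reader.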
--
2.43.0
* Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
2026-03-18 4:10 ` Harry Yoo
@ 2026-03-18 5:02 ` syzbot
0 siblings, 0 replies; 35+ messages in thread
From: syzbot @ 2026-03-18 5:02 UTC (permalink / raw)
To: akpm, catalin.marinas, chao, hao.li, harry.yoo, jaegeuk, jannh,
liam.howlett, linkinjeon, linux-f2fs-devel, linux-fsdevel,
linux-kernel, linux-mm, lorenzo.stoakes, pfalcato, sj1557.seo,
syzkaller-bugs, vbabka, vbabka, wangqing7171
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __pcs_replace_empty_main
BUG: memory leak
unreferenced object 0xffff888129413800 (size 512):
comm "kworker/u8:3", pid 58, jiffies 4294947638
hex dump (first 32 bytes):
00 ac 98 1c 81 88 ff ff 00 18 6b 0a 81 88 ff ff ..........k.....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 10da2a4f):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
alloc_full_sheaf mm/slub.c:2829 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4626
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
cfg80211_inform_single_bss_data+0x21d/0xa70 net/wireless/scan.c:2344
cfg80211_inform_bss_data+0x13f/0x1dc0 net/wireless/scan.c:3226
cfg80211_inform_bss_frame_data+0x108/0x340 net/wireless/scan.c:3317
ieee80211_bss_info_update+0x13a/0x320 net/mac80211/scan.c:230
ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline]
ieee80211_ibss_rx_queued_mgmt+0xb75/0x1230 net/mac80211/ibss.c:1602
ieee80211_iface_process_skb net/mac80211/iface.c:1748 [inline]
ieee80211_iface_work+0x6af/0x9b0 net/mac80211/iface.c:1802
cfg80211_wiphy_work+0x1db/0x280 net/wireless/core.c:440
process_one_work+0x277/0x5f0 kernel/workqueue.c:3276
process_scheduled_works kernel/workqueue.c:3359 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3440
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88812a621a00 (size 512):
comm "kworker/u8:3", pid 58, jiffies 4294950606
hex dump (first 32 bytes):
00 18 62 2a 81 88 ff ff 00 d6 04 00 81 88 ff ff ..b*............
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 231cde90):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
alloc_full_sheaf mm/slub.c:2829 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4626
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
cfg80211_inform_single_bss_data+0x21d/0xa70 net/wireless/scan.c:2344
cfg80211_inform_bss_data+0x13f/0x1dc0 net/wireless/scan.c:3226
cfg80211_inform_bss_frame_data+0x108/0x340 net/wireless/scan.c:3317
ieee80211_bss_info_update+0x13a/0x320 net/mac80211/scan.c:230
ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline]
ieee80211_ibss_rx_queued_mgmt+0xb75/0x1230 net/mac80211/ibss.c:1602
ieee80211_iface_process_skb net/mac80211/iface.c:1748 [inline]
ieee80211_iface_work+0x6af/0x9b0 net/mac80211/iface.c:1802
cfg80211_wiphy_work+0x1db/0x280 net/wireless/core.c:440
process_one_work+0x277/0x5f0 kernel/workqueue.c:3276
process_scheduled_works kernel/workqueue.c:3359 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3440
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
BUG: memory leak
unreferenced object 0xffff88812a621800 (size 512):
comm "kworker/u8:6", pid 932, jiffies 4294950638
hex dump (first 32 bytes):
00 18 6b 0a 81 88 ff ff 00 1a 62 2a 81 88 ff ff ..k.......b*....
00 12 04 00 81 88 ff ff 3c 00 00 00 00 00 00 00 ........<.......
backtrace (crc 9a0f4a55):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__alloc_empty_sheaf+0x35/0x50 mm/slub.c:2764
alloc_empty_sheaf mm/slub.c:2779 [inline]
alloc_full_sheaf mm/slub.c:2829 [inline]
__pcs_replace_empty_main+0x1e0/0x2f0 mm/slub.c:4626
alloc_from_pcs mm/slub.c:4717 [inline]
slab_alloc_node mm/slub.c:4851 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_noprof+0x4c5/0x560 mm/slub.c:5272
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
cfg80211_inform_single_bss_data+0x21d/0xa70 net/wireless/scan.c:2344
cfg80211_inform_bss_data+0x13f/0x1dc0 net/wireless/scan.c:3226
cfg80211_inform_bss_frame_data+0x108/0x340 net/wireless/scan.c:3317
ieee80211_bss_info_update+0x13a/0x320 net/mac80211/scan.c:230
ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline]
ieee80211_ibss_rx_queued_mgmt+0xb75/0x1230 net/mac80211/ibss.c:1602
ieee80211_iface_process_skb net/mac80211/iface.c:1748 [inline]
ieee80211_iface_work+0x6af/0x9b0 net/mac80211/iface.c:1802
cfg80211_wiphy_work+0x1db/0x280 net/wireless/core.c:440
process_one_work+0x277/0x5f0 kernel/workqueue.c:3276
process_scheduled_works kernel/workqueue.c:3359 [inline]
worker_thread+0x255/0x4a0 kernel/workqueue.c:3440
kthread+0x14e/0x1a0 kernel/kthread.c:436
ret_from_fork+0x23c/0x4b0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: a989fde7 Merge tag 'libnvdimm-fixes-7.0-rc5' of git://..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15c4974a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2bba615ee79faa5
dashboard link: https://syzkaller.appspot.com/bug?extid=cae7809e9dc1459e4e63
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=178fc216580000