From: Zw Tang <shicenci@gmail.com>
To: Vlastimil Babka <vbabka@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
cgroups@vger.kernel.org, Johannes Weiner <hannes@cmpxchg.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andreas Dilger <adilger.kernel@dilger.ca>
Subject: [BUG] WARNING in alloc_slab_obj_exts triggered by __d_alloc
Date: Mon, 9 Mar 2026 11:14:58 +0800 [thread overview]
Message-ID: <CAPHJ_VKuMKSke8b11AZQw1PTSFN4n2C0gFxC6xGOG0ZLHgPmnA@mail.gmail.com> (raw)
Hi,
I encountered a WARNING in alloc_slab_obj_exts() while running a
syzkaller-generated reproducer on Linux 7.0-rc2.
The warning is triggered during dentry allocation (__d_alloc) after
mounting a crafted ext4 filesystem image.
Kernel
git tree: torvalds/linux
commit: 0031c06807cfa8aa51a759ff8aa09e1aa48149af
kernel version:Linux 7.0.0-rc2-00057-g0031c06807cf
hardware: QEMU Ubuntu 24.10
I was able to reproduce this issue reliably using the attached
reproducer.
Reproducer:
C reproducer: https://pastebin.com/raw/eHjm2Aw6
console output: https://pastebin.com/raw/FQAhquTy
kernel config: pastebin.com/raw/CnHdTQNm
The warning originates from:
mm/slub.c:2189
Call trace:
WARNING: mm/slub.c:2189 at alloc_slab_obj_exts+0x132/0x180
CPU: 0 UID: 0 PID: 699 Comm: syz.0.118
Call Trace:
<TASK>
__memcg_slab_post_alloc_hook+0x130/0x460 mm/memcontrol.c:3234
memcg_slab_post_alloc_hook mm/slub.c:2464 [inline]
slab_post_alloc_hook.constprop.0+0x9c/0xf0 mm/slub.c:4526
slab_alloc_node.constprop.0+0xaa/0x160 mm/slub.c:4844
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x82/0x200 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
__d_alloc+0x235/0x2f0 fs/dcache.c:1757
d_alloc_pseudo+0x1d/0x70 fs/dcache.c:1871
alloc_path_pseudo fs/file_table.c:364 [inline]
alloc_file_pseudo+0x64/0x140 fs/file_table.c:380
__shmem_file_setup+0x136/0x270 mm/shmem.c:5863
memfd_alloc_file+0x81/0x240 mm/memfd.c:471
__do_sys_memfd_create mm/memfd.c:522 [inline]
__se_sys_memfd_create mm/memfd.c:505 [inline]
__x64_sys_memfd_create+0x205/0x440 mm/memfd.c:505
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x11d/0x5a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x4b/0x53
The issue happens after mounting an ext4 filesystem image via a loop
device created from a compressed image in the reproducer.
Relevant kernel messages:
EXT4-fs (loop0): mounted filesystem
00000000-0000-0000-0000-000000000000 r/w without journal.
EXT4-fs (loop3): Delayed block allocation failed for inode 18 at
logical offset 768 with max blocks 2 with error 28
EXT4-fs (loop3): This should not happen!! Data will be lost
The WARNING occurs in alloc_slab_obj_exts(), which is related to slab
object extension allocation.
This may indicate a slab metadata inconsistency triggered by the
filesystem state.
Please let me know if additional debugging information would help.
Thanks.
Zw Tang
next reply other threads:[~2026-03-09 3:15 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 3:14 Zw Tang [this message]
2026-03-09 4:33 ` Harry Yoo
2026-03-09 7:22 ` [PATCH] mm/slab: fix an incorrect check in obj_exts_alloc_size() Harry Yoo
2026-03-09 14:00 ` vbabka
2026-03-10 3:25 ` Harry Yoo
2026-03-10 10:06 ` vbabka
2026-03-10 3:29 ` Harry Yoo
2026-03-10 3:40 ` Zw Tang
2026-03-10 10:02 ` vbabka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPHJ_VKuMKSke8b11AZQw1PTSFN4n2C0gFxC6xGOG0ZLHgPmnA@mail.gmail.com \
--to=shicenci@gmail.com \
--cc=adilger.kernel@dilger.ca \
--cc=akpm@linux-foundation.org \
--cc=cgroups@vger.kernel.org \
--cc=hannes@cmpxchg.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=vbabka@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox