Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Harry Yoo <harry.yoo@oracle.com>
To: "Vlastimil Babka (SUSE)" <vbabka@kernel.org>
Cc: Qing Wang <wangqing7171@gmail.com>,
	syzbot+cae7809e9dc1459e4e63@syzkaller.appspotmail.com,
	Liam.Howlett@oracle.com, akpm@linux-foundation.org,
	chao@kernel.org, jaegeuk@kernel.org, jannh@google.com,
	linkinjeon@kernel.org, linux-f2fs-devel@lists.sourceforge.net,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, lorenzo.stoakes@oracle.com, pfalcato@suse.de,
	sj1557.seo@samsung.com, syzkaller-bugs@googlegroups.com,
	vbabka@suse.cz, Hao Li <hao.li@linux.dev>,
	Catalin Marinas <catalin.marinas@arm.com>
Subject: Re: [syzbot] [mm?] [f2fs?] [exfat?] memory leak in __kfree_rcu_sheaf
Date: Wed, 4 Mar 2026 10:30:55 +0900	[thread overview]
Message-ID: <aaeLT8mnMMj_kPJc@hyeyoo> (raw)
In-Reply-To: <20df8dd1-a32c-489d-8345-085d424a2f12@kernel.org>

[+Cc adding Catalin for kmemleak bits]

On Mon, Mar 02, 2026 at 09:39:48AM +0100, Vlastimil Babka (SUSE) wrote:
> On 3/2/26 04:41, Qing Wang wrote:
> > #syz test
> > 
> > diff --git a/mm/slub.c b/mm/slub.c
> > index cdc1e652ec52..387979b89120 100644
> > --- a/mm/slub.c
> > +++ b/mm/slub.c
> > @@ -6307,15 +6307,21 @@ bool __kfree_rcu_sheaf(struct kmem_cache *s, void *obj)
> >  			goto fail;
> >  
> >  		if (!local_trylock(&s->cpu_sheaves->lock)) {
> > -			barn_put_empty_sheaf(barn, empty);
> > +			if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES)
> > +				barn_put_empty_sheaf(barn, empty);
> > +			else
> > +				free_empty_sheaf(s, empty);
> >  			goto fail;
> >  		}
> >  
> >  		pcs = this_cpu_ptr(s->cpu_sheaves);
> >  
> > -		if (unlikely(pcs->rcu_free))
> > -			barn_put_empty_sheaf(barn, empty);
> > -		else
> > +		if (unlikely(pcs->rcu_free)) {
> > +			if (barn && data_race(barn->nr_empty) < MAX_EMPTY_SHEAVES)
> > +				barn_put_empty_sheaf(barn, empty);
> > +			else
> > +				free_empty_sheaf(s, empty);
> > +		} else
> >  			pcs->rcu_free = empty;
> >  	}
> 
> I don't think this would fix any leak, and syzbot agrees. It would limit the
> empty sheaves in barn more strictly, but they are not leaked.
> Hm I don't see any leak in __kfree_rcu_sheaf() or rcu_free_sheaf(). Wonder
> if kmemleak lacks visibility into barns or pcs's as roots for searching what
> objects are considered referenced, or something?

Objects that are allocated from slab and percpu allocator should be
properly tracked by kmemleak. But those allocated with
gfpflags_allow_spinning() == false are not tracked by kmemleak.

When barns and sheaves are allocated early (!gfpflags_allow_spinning()
due to gfp_allowed_mask) and it skips kmemleak_alloc_recursive(), 
it could produce false positives because from kmemleak's point of view,
the objects are not reachable from the root set (data section, stack,
etc.).

To me it seems kmemleak should gain allow_spin == false support
sooner or later.

-- 
Cheers,
Harry / Hyeonggon

     prev parent reply	other threads:[~2026-03-04  1:31 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-09 18:26 syzbot
2026-03-02  3:41 ` Qing Wang
2026-03-02  3:57   ` syzbot
2026-03-02  8:39   ` Vlastimil Babka (SUSE)
2026-03-04  1:30     ` Harry Yoo [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aaeLT8mnMMj_kPJc@hyeyoo \
    --to=harry.yoo@oracle.com \
    --cc=Liam.Howlett@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=catalin.marinas@arm.com \
    --cc=chao@kernel.org \
    --cc=hao.li@linux.dev \
    --cc=jaegeuk@kernel.org \
    --cc=jannh@google.com \
    --cc=linkinjeon@kernel.org \
    --cc=linux-f2fs-devel@lists.sourceforge.net \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=lorenzo.stoakes@oracle.com \
    --cc=pfalcato@suse.de \
    --cc=sj1557.seo@samsung.com \
    --cc=syzbot+cae7809e9dc1459e4e63@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=vbabka@kernel.org \
    --cc=vbabka@suse.cz \
    --cc=wangqing7171@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox