From: Qing Wang
To: Vlastimil Babka, Harry Yoo, Andrew Morton, Hao Li, Christoph Lameter, David Rientjes, Roman Gushchin, Suren Baghdasaryan
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Qing Wang
Subject: [PATCH] slab: fix memory leak when refill_sheaf() fails
Date: Wed, 11 Mar 2026 17:36:17 +0800
Message-Id: <20260311093617.4155965-1-wangqing7171@gmail.com>

When refill_sheaf() partially fills one sheaf (e.g., fills 5 objects but
needs to fill 10), it will update sheaf->size and return -ENOMEM. However,
the callers (alloc_full_sheaf() and __pcs_replace_empty_main()) directly
call free_empty_sheaf() on failure, which only does kfree(sheaf), leaking
the memory of the partially allocated objects in sheaf->objects[].

Fix this by calling sheaf_flush_unused() before free_empty_sheaf() to free
the objects in sheaf->objects[]. Also add a WARN_ON() in free_empty_sheaf()
to catch any future cases where a non-empty sheaf is being freed.

Fixes: 2d517aa09bbc ("slab: add opt-in caching layer of percpu sheaves")
Signed-off-by: Qing Wang
Reviewed-by: Hao Li
Reviewed-by: Harry Yoo
---
 mm/slub.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mm/slub.c b/mm/slub.c
index 20cb4f3b636d..73b2cfd0e123 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -2797,6 +2797,7 @@ static void free_empty_sheaf(struct kmem_cache *s, st= ruct slab_sheaf *sheaf) if (s->flags & SLAB_KMALLOC) mark_obj_codetag_empty(sheaf); =20 + WARN_ON(sheaf->size > 0); kfree(sheaf); =20 stat(s, SHEAF_FREE); @@ -2828,6 +2829,7 @@ static int refill_sheaf(struct kmem_cache *s, struct = slab_sheaf *sheaf, return 0; } =20 +static void sheaf_flush_unused(struct kmem_cache *s, struct slab_sheaf *sh= eaf); =20 static struct slab_sheaf *alloc_full_sheaf(struct kmem_cache *s, gfp_t gfp) { @@ -2837,6 +2839,7 @@ static struct slab_sheaf *alloc_full_sheaf(struct kme= m_cache *s, gfp_t gfp) return NULL; =20 if (refill_sheaf(s, sheaf, gfp | __GFP_NOMEMALLOC | __GFP_NOWARN)) { + sheaf_flush_unused(s, sheaf); free_empty_sheaf(s, sheaf); return NULL; } @@ -4623,6 +4626,7 @@ __pcs_replace_empty_main(struct kmem_cache *s, struct= slub_percpu_sheaves *pcs, * we must be very low on memory so don't bother * with the barn */ + sheaf_flush_unused(s, empty); free_empty_sheaf(s, empty); } } else { --=20 2.34.1
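Review bot: in the free_empty_sheaf() hunk, WARN_ON(sheaf->size > 0) only reports the condition and kfree(sheaf) still runs, so a future caller that passes a non-empty sheaf leaks the objects exactly as before, and the warning repeats on every such call. Consider WARN_ON_ONCE() so a recurring failure under memory pressure does not flood the log, and add a one-line comment above the check stating that callers must flush the sheaf before freeing it.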
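Review bot: in the alloc_full_sheaf() hunk, the failure path depends on sheaf_flush_unused() leaving sheaf->size at 0, because free_empty_sheaf(s, sheaf) runs immediately afterwards and this patch adds WARN_ON(sheaf->size > 0) there. The body of sheaf_flush_unused() is not part of the diff, so the commit message should state that it resets the size. The same flush-then-free pair is repeated in __pcs_replace_empty_main(); a small helper for freeing a sheaf after a failed refill would keep a later caller from forgetting the flush.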
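Review bot: in the __pcs_replace_empty_main() hunk, the existing comment ("we must be very low on memory so don't bother with the barn") explains why the sheaf is freed but not why it is flushed first, and the variable is still named empty although it can hold objects at this point. Extend the comment to say that a failed refill_sheaf() can leave the sheaf partially filled, so its objects are returned before free_empty_sheaf(s, empty).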