For WQ_UNBOUND workqueues, alloc_and_link_pwqs() allocates wq->cpu_pwq
via alloc_percpu() and then calls apply_workqueue_attrs_locked(). On
failure it returns the error directly, bypassing the enomem: label
which holds the only free_percpu(wq->cpu_pwq) in this function.

The caller's error path kfree()s wq without touching wq->cpu_pwq,
leaking one percpu pointer table (nr_cpu_ids * sizeof(void *) bytes) per
failed call.

If kmemleak is enabled, we can see:

  unreferenced object (percpu) 0xc0fffa5b121048 (size 8):
    comm "insmod", pid 776, jiffies 4294682844
    backtrace (crc 0):
      pcpu_alloc_noprof+0x665/0xac0
      __alloc_workqueue+0x33f/0xa20
      alloc_workqueue_noprof+0x60/0x100

Route the error through the existing enomem: cleanup and any error
before this one.

Cc: stable@kernel.org
Fixes: 636b927eba5b ("workqueue: Make unbound workqueues to use per-cpu pool_workqueues")
Signed-off-by: Breno Leitao <leitao@debian.org>
---
 kernel/workqueue.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 3d2e3b2ec5283..3b839ddf2fdd2 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -5642,7 +5642,9 @@ static int alloc_and_link_pwqs(struct workqueue_struct *wq)
 		ret = apply_workqueue_attrs_locked(wq, unbound_std_wq_attrs[highpri]);
 	}
 
-	return ret;
+	if (ret)
+		goto enomem;
+	return 0;
 
 enomem:
 	if (wq->cpu_pwq) {

---
base-commit: fcee7d82f27d6a8b1ddc5bbefda59b4e441e9bc0
change-id: 20260508-wq_leak-6c48e722bdc2

Best regards,
--  
Breno Leitao <leitao@debian.org>

Hello,

On Fri, 08 May 2026 09:22:03 -0700, Breno Leitao wrote:
> For WQ_UNBOUND workqueues, alloc_and_link_pwqs() allocates wq->cpu_pwq
> via alloc_percpu() and then calls apply_workqueue_attrs_locked(). On
> failure it returns the error directly, bypassing the enomem: label
> which holds the only free_percpu(wq->cpu_pwq) in this function.
>
> [...]

Applied to wq/for-7.1-fixes (capitalized the first word of the
subject).

Thanks.

--
tejun