slab: fix memory leak when refill_sheaf() fails

Qing Wang · Vlastimil Babka (SUSE) · commit 464b1c115852 · 2026-03-11T17:55:26.000+01:00
When refill_sheaf() partially fills one sheaf (e.g., fills 5 objects but need to fill 10), it will update sheaf->size and return -ENOMEM. However, the callers (alloc_full_sheaf() and __pcs_replace_empty_main()) directly call free_empty_sheaf() on failure, which only does kfree(sheaf), causing the partially allocated objects memory in sheaf->objects[] leaked. Fix this by calling sheaf_flush_unused() before free_empty_sheaf() to free objects of sheaf->objects[]. And also add a WARN_ON() in free_empty_sheaf() to catch any future cases where a non-empty sheaf is being freed. Fixes: ed30c4a ("slab: add optimized sheaf refill from partial list") Signed-off-by: Qing Wang <wangqing7171@gmail.com> Link: https://patch.msgid.link/20260311093617.4155965-1-wangqing7171@gmail.com Reviewed-by: Harry Yoo <harry.yoo@oracle.com> Reviewed-by: Hao Li <hao.li@linux.dev> Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
diff --git a/mm/slub.c b/mm/slub.c
@@ -2790,6 +2790,7 @@ static void free_empty_sheaf(struct kmem_cache *s, struct slab_sheaf *sheaf)
 	if (s->flags & SLAB_KMALLOC)
 		mark_obj_codetag_empty(sheaf);
 
+	VM_WARN_ON_ONCE(sheaf->size > 0);
 	kfree(sheaf);
 
 	stat(s, SHEAF_FREE);
@@ -2821,6 +2822,7 @@ static int refill_sheaf(struct kmem_cache *s, struct slab_sheaf *sheaf,
 	return 0;
 }
 
+static void sheaf_flush_unused(struct kmem_cache *s, struct slab_sheaf *sheaf);
 
 static struct slab_sheaf *alloc_full_sheaf(struct kmem_cache *s, gfp_t gfp)
 {
@@ -2830,6 +2832,7 @@ static struct slab_sheaf *alloc_full_sheaf(struct kmem_cache *s, gfp_t gfp)
 		return NULL;
 
 	if (refill_sheaf(s, sheaf, gfp | __GFP_NOMEMALLOC | __GFP_NOWARN)) {
+		sheaf_flush_unused(s, sheaf);
 		free_empty_sheaf(s, sheaf);
 		return NULL;
 	}
@@ -4616,6 +4619,7 @@ __pcs_replace_empty_main(struct kmem_cache *s, struct slub_percpu_sheaves *pcs,
 			 * we must be very low on memory so don't bother
 			 * with the barn
 			 */
+			sheaf_flush_unused(s, empty);
 			free_empty_sheaf(s, empty);
 		}
 	} else {

Original file line number	Diff line number	Diff line change
`@@ -2790,6 +2790,7 @@ static void free_empty_sheaf(struct kmem_cache s, struct slab_sheaf sheaf)`
`2790`	`2790`	`if (s->flags & SLAB_KMALLOC)`
`2791`	`2791`	`mark_obj_codetag_empty(sheaf);`
`2792`	`2792`
	`2793`	`+ VM_WARN_ON_ONCE(sheaf->size > 0);`
`2793`	`2794`	`kfree(sheaf);`
`2794`	`2795`
`2795`	`2796`	`stat(s, SHEAF_FREE);`
`@@ -2821,6 +2822,7 @@ static int refill_sheaf(struct kmem_cache s, struct slab_sheaf sheaf,`
`2821`	`2822`	`return 0;`
`2822`	`2823`	`}`
`2823`	`2824`
	`2825`	`+static void sheaf_flush_unused(struct kmem_cache s, struct slab_sheaf sheaf);`
`2824`	`2826`
`2825`	`2827`	`static struct slab_sheaf alloc_full_sheaf(struct kmem_cache s, gfp_t gfp)`
`2826`	`2828`	`{`
`@@ -2830,6 +2832,7 @@ static struct slab_sheaf alloc_full_sheaf(struct kmem_cache s, gfp_t gfp)`
`2830`	`2832`	`return NULL;`
`2831`	`2833`
`2832`	`2834`	`if (refill_sheaf(s, sheaf, gfp \| __GFP_NOMEMALLOC \| __GFP_NOWARN)) {`
	`2835`	`+ sheaf_flush_unused(s, sheaf);`
`2833`	`2836`	`free_empty_sheaf(s, sheaf);`
`2834`	`2837`	`return NULL;`
`2835`	`2838`	`}`
`@@ -4616,6 +4619,7 @@ __pcs_replace_empty_main(struct kmem_cache s, struct slub_percpu_sheaves pcs,`
`4616`	`4619`	`* we must be very low on memory so don't bother`
`4617`	`4620`	`* with the barn`
`4618`	`4621`	`*/`
	`4622`	`+ sheaf_flush_unused(s, empty);`
`4619`	`4623`	`free_empty_sheaf(s, empty);`
`4620`	`4624`	`}`
`4621`	`4625`	`} else {`