Re: [PATCH] buffer: fix kmemleak false positive in submit_bh_wbc

[Sasha Levin]

On Tue, Feb 24, 2026 at 02:57:35PM -0700, Jens Axboe wrote:
> On 2/24/26 12:06 PM, Sasha Levin wrote:
> > Bios allocated in submit_bh_wbc are properly freed via their end_io
> > handler. Since commit 48f22f80938d, bio_put() caches them in a per-CPU
> > bio cache for reuse rather than freeing them back to the mempool.
> > While cached bios are reachable by kmemleak via the per-CPU cache
> > pointers, once recycled for new I/O they are only referenced by block
> > layer internals that kmemleak does not scan, causing false positive
> > leak reports.
> >
> > Mark the bio allocation with kmemleak_not_leak() to suppress the false
> > positive.
> >
> > Fixes: 48f22f80938d ("block: enable per-cpu bio cache by default")
> > Assisted-by: Claude:claude-opus-4-6
> > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> > ---
> >  fs/buffer.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/fs/buffer.c b/fs/buffer.c
> > index 22b43642ba574..c298df6c7f8c6 100644
> > --- a/fs/buffer.c
> > +++ b/fs/buffer.c
> > @@ -49,6 +49,7 @@
> >  #include <linux/sched/mm.h>
> >  #include <trace/events/block.h>
> >  #include <linux/fscrypt.h>
> > +#include <linux/kmemleak.h>
> >  #include <linux/fsverity.h>
> >  #include <linux/sched/isolation.h>
> >
> > @@ -2799,6 +2800,7 @@ static void submit_bh_wbc(blk_opf_t opf, struct buffer_head *bh,
> >  		opf |= REQ_PRIO;
> >
> >  	bio = bio_alloc(bh->b_bdev, 1, opf, GFP_NOIO);
> > +	kmemleak_not_leak(bio);
> >
> >  	fscrypt_set_bio_crypt_ctx_bh(bio, bh, GFP_NOIO);
>
> What if they do end up getting leaked? This seems like an odd

I was under the impression that kmemleak doesn't really track much under the
hood of the block layer to begin with, but looking at the code I'm probably
wrong.

> work-around, would be better to ensure the caching side marks them as
> in-use when grabbed and freed when put.

Something like:?

diff --git a/block/bio.c b/block/bio.c
index d80d5d26804e3..45a19de02eca6 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -17,6 +17,7 @@
 #include <linux/cgroup.h>
 #include <linux/highmem.h>
 #include <linux/blk-crypto.h>
+#include <linux/kmemleak.h>
 #include <linux/xarray.h>
 
 #include <trace/events/block.h>
@@ -504,6 +505,9 @@ static struct bio *bio_alloc_percpu_cache(struct block_device *bdev,
        cache->nr--;
        put_cpu();
 
+       kmemleak_alloc((void *)bio - bs->front_pad,
+                      kmem_cache_size(bs->bio_slab), 1, gfp);
+
        if (nr_vecs)
                bio_init_inline(bio, bdev, nr_vecs, opf);
        else
@@ -765,6 +769,9 @@ static int __bio_alloc_cache_prune(struct bio_alloc_cache *cache,
        while ((bio = cache->free_list) != NULL) {
                cache->free_list = bio->bi_next;
                cache->nr--;
+               kmemleak_alloc((void *)bio - bio->bi_pool->front_pad,
+                              kmem_cache_size(bio->bi_pool->bio_slab),
+                              1, GFP_NOWAIT);
                bio_free(bio);
                if (++i == nr)
                        break;
@@ -823,6 +830,7 @@ static inline void bio_put_percpu_cache(struct bio *bio)
 
        if (in_task()) {
                bio_uninit(bio);
+               kmemleak_free((void *)bio - bio->bi_pool->front_pad);
                bio->bi_next = cache->free_list;
                /* Not necessary but helps not to iopoll already freed bios */
                bio->bi_bdev = NULL;
@@ -832,6 +840,7 @@ static inline void bio_put_percpu_cache(struct bio *bio)
                lockdep_assert_irqs_disabled();
 
                bio_uninit(bio);
+               kmemleak_free((void *)bio - bio->bi_pool->front_pad);
                bio->bi_next = cache->free_list_irq;
                cache->free_list_irq = bio;
                cache->nr_irq++;

--
Thanks,
Sasha