[BUG] WARNING in alloc_slab_obj_exts triggered by __d_alloc

From: Zw Tang

Date: Sun Mar 08 2026 - 23:15:37 EST


Hi,

I encountered a WARNING in alloc_slab_obj_exts() while running a
syzkaller-generated reproducer on Linux 7.0-rc2.

The warning is triggered during dentry allocation (__d_alloc) after
mounting a crafted ext4 filesystem image.

Kernel
git tree: torvalds/linux
commit: 0031c06807cfa8aa51a759ff8aa09e1aa48149af
kernel version: Linux 7.0.0-rc2-00057-g0031c06807cf
hardware: QEMU Ubuntu 24.10

I was able to reproduce this issue reliably using the attached
reproducer.

Reproducer:
C reproducer: https://pastebin.com/raw/eHjm2Aw6
console output: https://pastebin.com/raw/FQAhquTy
kernel config: pastebin.com/raw/CnHdTQNm

The warning originates from:

mm/slub.c:2189

Call trace:

WARNING: mm/slub.c:2189 at alloc_slab_obj_exts+0x132/0x180
CPU: 0 UID: 0 PID: 699 Comm: syz.0.118

Call Trace:
<TASK>
__memcg_slab_post_alloc_hook+0x130/0x460 mm/memcontrol.c:3234
memcg_slab_post_alloc_hook mm/slub.c:2464 [inline]
slab_post_alloc_hook.constprop.0+0x9c/0xf0 mm/slub.c:4526
slab_alloc_node.constprop.0+0xaa/0x160 mm/slub.c:4844
__do_kmalloc_node mm/slub.c:5237 [inline]
__kmalloc_noprof+0x82/0x200 mm/slub.c:5250
kmalloc_noprof include/linux/slab.h:954 [inline]
__d_alloc+0x235/0x2f0 fs/dcache.c:1757
d_alloc_pseudo+0x1d/0x70 fs/dcache.c:1871
alloc_path_pseudo fs/file_table.c:364 [inline]
alloc_file_pseudo+0x64/0x140 fs/file_table.c:380
__shmem_file_setup+0x136/0x270 mm/shmem.c:5863
memfd_alloc_file+0x81/0x240 mm/memfd.c:471
__do_sys_memfd_create mm/memfd.c:522 [inline]
__se_sys_memfd_create mm/memfd.c:505 [inline]
__x64_sys_memfd_create+0x205/0x440 mm/memfd.c:505
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x11d/0x5a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x4b/0x53

The issue happens after mounting an ext4 filesystem image via a loop
device created from a compressed image in the reproducer.

Relevant kernel messages:

EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal.
EXT4-fs (loop3): Delayed block allocation failed for inode 18 at logical offset 768 with max blocks 2 with error 28
EXT4-fs (loop3): This should not happen!! Data will be lost

The WARNING occurs in alloc_slab_obj_exts(), which is related to slab
object extension allocation.

This may indicate a slab metadata inconsistency triggered by the
filesystem state.

Please let me know if additional debugging information would help.

Thanks.
Zw Tang