How does kmemleak in Linux detect the unreferenced memory?
0 votes, 1 answer, 126 views
I am working on an embedded Linux system (kernel 5.10.24), and I am trying to understand how kmemleak works.
According to the documentation, kmemleak scans the data section to check whether there is unreferenced memory, and the kernel code is as follows:
kmemleak_scan():
	/*
	 * Struct page scanning for each node.
	 */
	get_online_mems();
	for_each_populated_zone(zone) {
		unsigned long start_pfn = zone->zone_start_pfn;
		unsigned long end_pfn = zone_end_pfn(zone);
		unsigned long pfn;

		for (pfn = start_pfn; pfn < end_pfn; pfn++) {
			struct page *page = pfn_to_online_page(pfn);

			if (!page)
				continue;
			/* only scan pages belonging to this zone */
			if (page_zone(page) != zone)
				continue;
			/* only scan if page is in use */
			if (page_count(page) == 0)
				continue;
			scan_block(page, page + 1, NULL);
		}
	}
	put_online_mems();

scan_block(void *_start, void *_end, struct kmemleak_object *scanned):
	unsigned long *start = PTR_ALIGN(_start, BYTES_PER_POINTER);
	unsigned long *end = _end - (BYTES_PER_POINTER - 1);
	...
	for (ptr = start; ptr < end; ptr++) {
		...
		pointer = *ptr;
		untagged_ptr = (unsigned long)kasan_reset_tag((void *)pointer);
		if (untagged_ptr < min_addr || untagged_ptr >= max_addr)
			continue;
		/*
		 * No need for get_object() here since we hold kmemleak_lock.
		 * object->use_count cannot be dropped to 0 while the object
		 * is still present in object_tree_root and object_list
		 * (with updates protected by kmemleak_lock).
		 */
		object = lookup_object(pointer, 1);
The pointer to struct page is cast to unsigned long *, and the unsigned long * is de-referenced to get the pointer, which is the memory address to check.
My puzzlement comes from the _de-reference_ of the pointer to struct page, which is a structure that describes the PFN. Why can de-referencing it get the memory address, instead of the struct page?
In my system, the size of struct page is 32 bytes, so page+1 is only page+0x20 instead of being increased by page_size (0x1000).
Asked by wangt13 (631 rep) on Jan 5, 2024, 12:12 AM
Last activity: Jan 5, 2024, 06:37 AM
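The scan the question describes is a conservative, word-by-word scan of the bytes of the block passed to scan_block(), so scan_block(page, page + 1, NULL) reads the fields of the page descriptor itself (list pointers, mapping, private), not the 4 KiB of page memory it describes. The following user-space program is an added illustration of that mechanism, not kernel code: it models kmemleak's object registry with a small array instead of the object tree, and the names track_alloc, lookup_object, reset_tracking, count_unreferenced, run_demo and struct fake_page are assumptions made here, loosely modelled on create_object(), lookup_object() and struct page.

```c
/* Toy model of kmemleak's conservative scan (added illustration, not kernel
 * code). A block of memory is read as an array of word-sized values and each
 * value is looked up against the set of tracked allocations. track_alloc,
 * lookup_object, reset_tracking, count_unreferenced, run_demo and
 * struct fake_page are names assumed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 8

/* Stand-in for struct kmemleak_object: one tracked allocation. */
struct tracked {
    uintptr_t start;   /* first byte of the allocation */
    size_t size;       /* length in bytes */
    int referenced;    /* set when the scan finds a pointer into it */
};

static struct tracked objects[MAX_TRACKED]; /* array instead of an rbtree */
static int nobjects;
/* Like kmemleak's min_addr/max_addr: bounds of all tracked memory, used to
 * reject most scanned words cheaply before the object lookup. */
static uintptr_t min_addr, max_addr;

static void reset_tracking(void)
{
    memset(objects, 0, sizeof(objects));
    nobjects = 0;
    min_addr = UINTPTR_MAX;
    max_addr = 0;
}

/* malloc() plus the bookkeeping kmemleak's create_object() would do. */
static void *track_alloc(size_t size)
{
    void *p = malloc(size);
    uintptr_t a = (uintptr_t)p;
    if (!p)
        return NULL;
    if (nobjects == MAX_TRACKED) {
        free(p);
        return NULL;
    }
    objects[nobjects].start = a;
    objects[nobjects].size = size;
    objects[nobjects].referenced = 0;
    nobjects++;
    if (a < min_addr) min_addr = a;
    if (a + size > max_addr) max_addr = a + size;
    return p;
}

/* Like lookup_object(ptr, alias=1): any address inside an object matches. */
static struct tracked *lookup_object(uintptr_t ptr)
{
    for (int i = 0; i < nobjects; i++)
        if (ptr >= objects[i].start && ptr < objects[i].start + objects[i].size)
            return &objects[i];
    return NULL;
}

/* Mirror of scan_block(): read every aligned word in [_start, _end) and treat
 * its value as a candidate pointer. Only the bytes of the block are read. */
static void scan_block(const void *_start, const void *_end)
{
    const size_t w = sizeof(uintptr_t);
    uintptr_t start = ((uintptr_t)_start + w - 1) & ~(uintptr_t)(w - 1); /* PTR_ALIGN */
    uintptr_t end = (uintptr_t)_end - (w - 1);

    for (const uintptr_t *ptr = (const uintptr_t *)start; (uintptr_t)ptr < end; ptr++) {
        uintptr_t pointer = *ptr;                  /* the word's value, not a deref of it */
        if (pointer < min_addr || pointer >= max_addr)
            continue;                              /* cheap range filter */
        struct tracked *obj = lookup_object(pointer);
        if (obj)
            obj->referenced = 1;
    }
}

static int count_unreferenced(void)
{
    int n = 0;
    for (int i = 0; i < nobjects; i++)
        if (!objects[i].referenced)
            n++;
    return n;
}

/* Descriptor standing in for struct page (4 words, 32 bytes on a 64-bit
 * build): its fields are what scan_block(page, page + 1, NULL) reads. */
struct fake_page {
    uintptr_t lru_next;
    uintptr_t lru_prev;
    void *mapping;
    uintptr_t private_data;
};

/* Number of tracked objects still unreferenced after scanning only the
 * descriptor: object a is found through pg.mapping, object b is not. */
int run_demo(void)
{
    reset_tracking();
    void *a = track_alloc(64);
    void *b = track_alloc(64);
    struct fake_page pg;
    memset(&pg, 0, sizeof(pg));
    pg.mapping = a;          /* the descriptor holds a pointer into a */

    /* &pg + 1 is sizeof(struct fake_page) past &pg, just as page + 1 is
     * sizeof(struct page) past page: the descriptor is scanned, not a page. */
    scan_block(&pg, &pg + 1);

    int leaked = count_unreferenced();
    free(a);
    free(b);
    return leaked;
}

int main(void)
{
    printf("scanned %zu bytes of descriptor, %d object(s) unreferenced\n",
           sizeof(struct fake_page), run_demo());
    return 0;
}
```

The pointer arithmetic in run_demo() is the answer to the page+1 puzzle: the value of *ptr is compared against the tracked-object range, it is never followed as an address, so the 32-byte size of the descriptor is exactly the span kmemleak intends to examine. The real scanner also covers the data and bss sections, task stacks and per-CPU areas, which is why object b would not be reported in a live kernel while it is still held in a stack slot; here only the descriptor is scanned, so the model reports it.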