From: Shengming Hu The deferred-freelist path allocates the first object from a fresh slab before building the freelist for the remaining objects. Unlike the old path, the selected object is no longer the head of a pre-built freelist, so its freepointer remains uninitialized. alloc_debug_processing() still checks its freepointer. As a result, boot can report: BUG kmem_cache (Tainted: G B W T ): Freepointer corrupt Restore the old invariant by storing a valid freepointer in the selected object before alloc_debug_processing() runs. The pointer is the head of the leftover freelist, matching what the old pre-built freelist path would have left in the allocated object. Fixes: 895272864130 ("mm/slub: defer freelist construction until after bulk allocation from a new slab") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202604301428.e2b8d3dd-lkp@intel.com Signed-off-by: Shengming Hu --- mm/slub.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/mm/slub.c b/mm/slub.c index f96bac36229c..af942753d495 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -3690,6 +3690,15 @@ static void *alloc_single_from_new_slab(struct kmem_cache *s, struct slab *slab, needs_add_partial = (slab->objects > 1); build_slab_freelist(s, slab, &iter); + /* + * alloc_debug_processing() still checks @object as a free object + * before returning it to the caller. Since @object was emitted + * directly from a fresh slab and skipped by build_slab_freelist(), give + * it the same next pointer it would have had in the old prebuilt + * freelist path. + */ + set_freepointer(s, object, slab->freelist); + if (!alloc_debug_processing(s, slab, object, orig_size)) { /* * It's not really expected that this would fail on a -- 2.25.1
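Review bot: The new set_freepointer() call sits between build_slab_freelist() and alloc_debug_processing(), and the comment should spell out the single-object case: when slab->objects == 1 the leftover freelist is empty, so the stored pointer is slab->freelist == NULL, which is exactly what the last object of the old pre-built freelist carried. Worth also stating in the comment that this store is only there to satisfy the free-object checks in alloc_debug_processing(); the pointer into the slab that remains in the returned object is no different from what the old path left behind, so no new address exposure is introduced. Minor wording: "emitted directly from a fresh slab" reads oddly for an object that was carved out before the freelist was built; "handed out directly from a fresh slab" or "taken before build_slab_freelist() ran" is clearer.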