From: Kevin Lourenco
This is documented in the function comment as "...and sets their slots in @elems to NULL.", but it was not followed. We need to follow the NULL assignment, because elements newly returned to the pool must not be touched under any circumstances by the user.
Signed-off-by: Kevin Lourenco
---
 mm/mempool.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/mm/mempool.c b/mm/mempool.c
index c290e5261b47..1a2060304fd4 100644
--- a/mm/mempool.c
+++ b/mm/mempool.c
@@ -674,7 +674,8 @@ unsigned int mempool_free_bulk(struct mempool *pool, void **elems,
 if (unlikely(READ_ONCE(pool->curr_nr) < pool->min_nr)) {
 spin_lock_irqsave(&pool->lock, flags);
 while (pool->curr_nr < pool->min_nr && freed < count) {
- add_element(pool, elems[freed++]);
+ add_element(pool, elems[freed]);
+ elems[freed++] = NULL;
 added = true;
 }
 spin_unlock_irqrestore(&pool->lock, flags);
@@ -683,7 +684,8 @@ unsigned int mempool_free_bulk(struct mempool *pool, void **elems,
 /* Handle the min_nr = 0 edge case: */
 spin_lock_irqsave(&pool->lock, flags);
 if (likely(pool->curr_nr == 0)) {
- add_element(pool, elems[freed++]);
+ add_element(pool, elems[freed]);
+ elems[freed++] = NULL;
 added = true;
 }
 spin_unlock_irqrestore(&pool->lock, flags);
-- 
2.47.3
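Review bot: The new `elems[freed++] = NULL;` store in the `while` loop (and the identical one in the min_nr = 0 branch) has no comment saying why the caller's slot is cleared. The commit message gives the reason: an element handed back to the pool must not be touched by the caller again. That reason is worth keeping next to the code, because a stale pointer left in `elems` is what would let a caller free or reuse memory the pool now owns. A one-line comment above the store would do: `/* the pool owns this element now; clear the caller's slot so it cannot be freed or reused */`. The function body starts and ends outside the hunk.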
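Review bot: In the min_nr = 0 branch, `elems[freed]` is read and now also written with `freed` still 0, and no `freed < count` test is visible on this path, unlike the `while` loop in the first hunk. If a caller can pass `count == 0`, the added `elems[freed++] = NULL;` turns what was an out-of-range read into a store past the end of the caller's array. The `else if` condition and the start of the function are outside the hunk, so a guard may already exist there. If it does not, the test could become `if (likely(pool->curr_nr == 0) && freed < count) {`, or the kernel-doc should state that `count` must be non-zero.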