[linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt


kernel test robot

Oct 10, 2025, 4:39:29 AM
to Alexei Starovoitov, oe-...@lists.linux.dev, l...@intel.com, linux-...@vger.kernel.org, Vlastimil Babka, Harry Yoo, kasa...@googlegroups.com, cgr...@vger.kernel.org, linu...@kvack.org, olive...@intel.com


Hello,

kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:

commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

[test failed on linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
[test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
[test failed on fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]

in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with following parameters:

runtime: 300s
group: group-01
nr_groups: 5



config: i386-randconfig-012-20251004
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <olive...@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202510101652...@intel.com


[ 66.142496][ C0] =============================================================================
[ 66.146355][ C0] BUG kmalloc-96 (Not tainted): Freepointer corrupt
[ 66.147370][ C0] -----------------------------------------------------------------------------
[ 66.147370][ C0]
[ 66.149155][ C0] Allocated in alloc_slab_obj_exts+0x33c/0x460 age=7 cpu=0 pid=3651
[ 66.150496][ C0] kmalloc_nolock_noprof (mm/slub.c:4798 mm/slub.c:5658)
[ 66.151371][ C0] alloc_slab_obj_exts (mm/slub.c:2102 (discriminator 3))
[ 66.152250][ C0] __alloc_tagging_slab_alloc_hook (mm/slub.c:2208 (discriminator 1) mm/slub.c:2224 (discriminator 1))
[ 66.153248][ C0] __kmalloc_cache_noprof (mm/slub.c:5698)
[ 66.154093][ C0] set_mm_walk (include/linux/slab.h:953 include/linux/slab.h:1090 mm/vmscan.c:3852)
[ 66.154810][ C0] try_to_inc_max_seq (mm/vmscan.c:4077)
[ 66.155627][ C0] try_to_shrink_lruvec (mm/vmscan.c:4860 mm/vmscan.c:4903)
[ 66.156512][ C0] shrink_node (mm/vmscan.c:4952 mm/vmscan.c:5091 mm/vmscan.c:6078)
[ 66.157363][ C0] do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
[ 66.158233][ C0] try_to_free_pages (mm/vmscan.c:6644)
[ 66.159023][ C0] __alloc_pages_slowpath+0x28b/0x6e0
[ 66.159977][ C0] __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
[ 66.160941][ C0] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
[ 66.161739][ C0] shmem_alloc_and_add_folio+0x40/0x200
[ 66.162752][ C0] shmem_get_folio_gfp+0x30b/0x880
[ 66.163649][ C0] shmem_fallocate (mm/shmem.c:3813)
[ 66.164498][ C0] Freed in kmem_cache_free_bulk+0x1b/0x50 age=89 cpu=1 pid=248
[ 66.169568][ C0] kmem_cache_free_bulk (mm/slub.c:4875 (discriminator 3) mm/slub.c:5197 (discriminator 3) mm/slub.c:5228 (discriminator 3))
[ 66.170518][ C0] kmem_cache_free_bulk (mm/slub.c:7226)
[ 66.171368][ C0] kvfree_rcu_bulk (include/linux/slab.h:827 mm/slab_common.c:1522)
[ 66.172133][ C0] kfree_rcu_monitor (mm/slab_common.c:1728 (discriminator 3) mm/slab_common.c:1802 (discriminator 3))
[ 66.173002][ C0] kfree_rcu_shrink_scan (mm/slab_common.c:2155)
[ 66.173852][ C0] do_shrink_slab (mm/shrinker.c:438)
[ 66.174640][ C0] shrink_slab (mm/shrinker.c:665)
[ 66.175446][ C0] shrink_node (mm/vmscan.c:338 (discriminator 1) mm/vmscan.c:4960 (discriminator 1) mm/vmscan.c:5091 (discriminator 1) mm/vmscan.c:6078 (discriminator 1))
[ 66.176205][ C0] do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
[ 66.177017][ C0] try_to_free_pages (mm/vmscan.c:6644)
[ 66.177808][ C0] __alloc_pages_slowpath+0x28b/0x6e0
[ 66.178851][ C0] __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
[ 66.179753][ C0] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
[ 66.180583][ C0] folio_prealloc+0x36/0x160
[ 66.181430][ C0] do_anonymous_page (mm/memory.c:4997 mm/memory.c:5054)
[ 66.182288][ C0] do_pte_missing (mm/memory.c:4232)
[ 66.183062][ C0] Slab 0xe41bfb28 objects=21 used=17 fp=0xedf89320 flags=0x40000200(workingset|zone=1)
[ 66.184609][ C0] Object 0xedf89b60 @offset=2912 fp=0xeac7a8b4
[ 66.184609][ C0]
[ 66.185960][ C0] Redzone edf89b40: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ 66.187388][ C0] Redzone edf89b50: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ 66.189695][ C0] Object edf89b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.191175][ C0] Object edf89b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.192701][ C0] Object edf89b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.194259][ C0] Object edf89b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.195753][ C0] Object edf89ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.196836][ T248] sed invoked oom-killer: gfp_mask=0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), order=0, oom_score_adj=-1000
[ 66.197239][ C0] Object edf89bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.197395][ C0] Redzone edf89bc0: cc cc cc cc ....
[ 66.197402][ C0] Padding edf89bf4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
[ 66.197406][ C0] Disabling lock debugging due to kernel taint
[ 66.203107][ T248] CPU: 1 UID: 0 PID: 248 Comm: sed Not tainted 6.17.0-rc3-00014-gaf92793e52c3 #1 PREEMPTLAZY 2cffa6c1ad8b595a5f5738a3e143d70494d8da79
[ 66.203119][ T248] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 66.203122][ T248] Call Trace:
[ 66.203125][ T248] ? show_stack (arch/x86/kernel/dumpstack.c:319)
[ 66.203139][ T248] dump_stack_lvl (lib/dump_stack.c:122)
[ 66.203148][ T248] dump_stack (lib/dump_stack.c:130)
[ 66.203153][ T248] dump_header (mm/oom_kill.c:468 (discriminator 1))
[ 66.203165][ T248] oom_kill_process.cold (mm/oom_kill.c:450 (discriminator 1) mm/oom_kill.c:1041 (discriminator 1))
[ 66.203174][ T248] out_of_memory (mm/oom_kill.c:1180)
[ 66.203184][ T248] __alloc_pages_may_oom (mm/page_alloc.c:4026)
[ 66.203199][ T248] __alloc_pages_slowpath+0x39d/0x6e0
[ 66.203210][ T248] __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
[ 66.203221][ T248] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
[ 66.203227][ T248] folio_prealloc+0x36/0x160
[ 66.203234][ T248] do_anonymous_page (mm/memory.c:4997 mm/memory.c:5054)
[ 66.203239][ T248] ? handle_pte_fault (include/linux/rcupdate.h:341 include/linux/rcupdate.h:871 include/linux/pgtable.h:136 mm/memory.c:6046)
[ 66.203244][ T248] ? handle_pte_fault (include/linux/spinlock.h:391 mm/memory.c:6092)
[ 66.203249][ T248] ? rcu_is_watching (kernel/rcu/tree.c:752 (discriminator 4))
[ 66.203256][ T248] do_pte_missing (mm/memory.c:4232)
[ 66.203260][ T248] ? handle_pte_fault (arch/x86/include/asm/preempt.h:104 (discriminator 1) include/linux/rcupdate.h:100 (discriminator 1) include/linux/rcupdate.h:873 (discriminator 1) include/linux/pgtable.h:136 (discriminator 1) mm/memory.c:6046 (discriminator 1))
[ 66.203267][ T248] handle_pte_fault (mm/memory.c:6052)
[ 66.203275][ T248] handle_mm_fault (mm/memory.c:6195 mm/memory.c:6364)
[ 66.203289][ T248] do_user_addr_fault (include/linux/sched/signal.h:423 (discriminator 1) arch/x86/mm/fault.c:1389 (discriminator 1))
[ 66.203301][ T248] exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:109 arch/x86/include/asm/irqflags.h:151 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532)
[ 66.203310][ T248] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1489)
[ 66.203316][ T248] handle_exception (arch/x86/entry/entry_32.S:1055)
[ 66.203319][ T248] EIP: 0xb7d730cf
[ 66.203325][ T248] Code: 8d 04 33 8d 92 40 07 00 00 89 45 38 39 d5 ba 00 00 00 00 0f 44 fa 83 c9 01 09 f7 89 fa 8d 7b 08 83 ca 01 89 53 04 8b 54 24 04 <89> 48 04 89 f8 e8 a7 cb ff ff e9 93 f7 ff ff 8b 44 24 08 8b 74 24
All code
========
0: 8d 04 33 lea (%rbx,%rsi,1),%eax
3: 8d 92 40 07 00 00 lea 0x740(%rdx),%edx
9: 89 45 38 mov %eax,0x38(%rbp)
c: 39 d5 cmp %edx,%ebp
e: ba 00 00 00 00 mov $0x0,%edx
13: 0f 44 fa cmove %edx,%edi
16: 83 c9 01 or $0x1,%ecx
19: 09 f7 or %esi,%edi
1b: 89 fa mov %edi,%edx
1d: 8d 7b 08 lea 0x8(%rbx),%edi
20: 83 ca 01 or $0x1,%edx
23: 89 53 04 mov %edx,0x4(%rbx)
26: 8b 54 24 04 mov 0x4(%rsp),%edx
2a:* 89 48 04 mov %ecx,0x4(%rax) <-- trapping instruction
2d: 89 f8 mov %edi,%eax
2f: e8 a7 cb ff ff call 0xffffffffffffcbdb
34: e9 93 f7 ff ff jmp 0xfffffffffffff7cc
39: 8b 44 24 08 mov 0x8(%rsp),%eax
3d: 8b .byte 0x8b
3e: 74 24 je 0x64

Code starting with the faulting instruction
===========================================
0: 89 48 04 mov %ecx,0x4(%rax)
3: 89 f8 mov %edi,%eax
5: e8 a7 cb ff ff call 0xffffffffffffcbb1
a: e9 93 f7 ff ff jmp 0xfffffffffffff7a2
f: 8b 44 24 08 mov 0x8(%rsp),%eax
13: 8b .byte 0x8b
14: 74 24 je 0x3a


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20251010/202510101652...@intel.com



--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Harry Yoo

Oct 13, 2025, 5:45:05 AM
to kernel test robot, Alexei Starovoitov, oe-...@lists.linux.dev, l...@intel.com, linux-...@vger.kernel.org, Vlastimil Babka, kasa...@googlegroups.com, cgr...@vger.kernel.org, linu...@kvack.org
On Fri, Oct 10, 2025 at 04:39:12PM +0800, kernel test robot wrote:
>
>
> Hello,
>
> kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:
>
> commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
>
So here we are freeing an object that is allocated via kmalloc_nolock().
(And before being allocated via kmalloc_nolock(), it was freed via
kfree_rcu()).

> [ 66.183062][ C0] Slab 0xe41bfb28 objects=21 used=17 fp=0xedf89320 flags=0x40000200(workingset|zone=1)
> [ 66.184609][ C0] Object 0xedf89b60 @offset=2912 fp=0xeac7a8b4

fp=0xeac7a8b4

the address of the object is: 0xedf89b60.

0xedf89b60 - 0xeac7a8b4 = 0x330f2ac

If FP was not corrupted, the object pointed to by FP is
too far away for them to be in the same slab.

That may suggest that some code built a list of free objects
across multiple slabs/caches. That's what deferred free does!

But in free_deferred_objects(), we have:
> /*
> * In PREEMPT_RT irq_work runs in per-cpu kthread, so it's safe
> * to take sleeping spin_locks from __slab_free() and deactivate_slab().
> * In !PREEMPT_RT irq_work will run after local_unlock_irqrestore().
> */
> static void free_deferred_objects(struct irq_work *work)
> {
> struct defer_free *df = container_of(work, struct defer_free, work);
> struct llist_head *objs = &df->objects;
> struct llist_head *slabs = &df->slabs;
> struct llist_node *llnode, *pos, *t;
>
> if (llist_empty(objs) && llist_empty(slabs))
> return;
>
> llnode = llist_del_all(objs);
> llist_for_each_safe(pos, t, llnode) {
> struct kmem_cache *s;
> struct slab *slab;
> void *x = pos;
>
> slab = virt_to_slab(x);
> s = slab->slab_cache;
>
> /*
> * We used freepointer in 'x' to link 'x' into df->objects.
> * Clear it to NULL to avoid false positive detection
> * of "Freepointer corruption".
> */
> *(void **)x = NULL;
>
> /* Point 'x' back to the beginning of allocated object */
> x -= s->offset;
> __slab_free(s, slab, x, x, 1, _THIS_IP_);
> }
>

This should have cleared the FP before freeing it.

Oh wait, there are more in the dmesg:
> [ 67.073014][ C1] ------------[ cut here ]------------
> [ 67.074039][ C1] WARNING: CPU: 1 PID: 3894 at mm/slub.c:1209 object_err+0x4d/0x6d
> [ 67.075394][ C1] Modules linked in: evdev serio_raw tiny_power_button fuse drm drm_panel_orientation_quirks stm_p_basic
> [ 67.077222][ C1] CPU: 1 UID: 0 PID: 3894 Comm: sed Tainted: G B W 6.17.0-rc3-00014-gaf92793e52c3 #1 PREEMPTLAZY 2cffa6c1ad8b595a5f5738a3e143d70494d8da79
> [ 67.079495][ C1] Tainted: [B]=BAD_PAGE, [W]=WARN
> [ 67.080303][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [ 67.085915][ C1] EIP: object_err+0x4d/0x6d
> [ 67.086691][ C1] Code: 8b 45 fc e8 95 fe ff ff ba 01 00 00 00 b8 05 00 00 00 e8 46 1e 12 00 6a 01 31 c9 ba 01 00 00 00 b8 f8 84 76 db e8 b3 e1 2b 00 <0f> 0b 6a 01 31 c9 ba 01 00 00 00 b8 e0 84 76 db e8 9e e1 2b 00 83
> [ 67.089537][ C1] EAX: 00000000 EBX: c10012c0 ECX: 00000000 EDX: 00000000
> [ 67.090581][ C1] ESI: aacfa894 EDI: edf89320 EBP: ed7477b8 ESP: ed7477a0
> [ 67.091578][ C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010046
> [ 67.092767][ C1] CR0: 80050033 CR2: b7fa58c8 CR3: 01b5b000 CR4: 000406d0
> [ 67.093840][ C1] Call Trace:
> [ 67.094450][ C1] check_object.cold+0x11/0x17
> [ 67.095280][ C1] free_debug_processing+0x111/0x300
> [ 67.096076][ C1] free_to_partial_list+0x62/0x440
> [ 67.101664][ C1] ? free_deferred_objects+0x3e/0x110
> [ 67.104785][ C1] __slab_free+0x2b7/0x5d0
> [ 67.105539][ C1] ? free_deferred_objects+0x3e/0x110
> [ 67.106362][ C1] ? rcu_is_watching+0x3f/0x80
> [ 67.107090][ C1] free_deferred_objects+0x4d/0x110

Hmm... did we somehow clear wrong FP or is the freepointer set again
after we cleared it?

--
Cheers,
Harry / Hyeonggon

> [ 67.107872][ C1] ? free_deferred_objects+0x3e/0x110
> [ 67.108728][ C1] irq_work_single+0x65/0xa0
> [ 67.109517][ C1] ? exc_nmi_kvm_vmx+0x10/0x10
> [ 67.110312][ C1] irq_work_run_list+0x49/0x70
> [ 67.111598][ C1] irq_work_run+0x13/0x30
> [ 67.112335][ C1] __sysvec_irq_work+0x31/0x180
> [ 67.113193][ C1] sysvec_irq_work+0x20/0x40
> [ 67.113929][ C1] handle_exception+0x130/0x130
> [ 67.114690][ C1] EIP: default_send_IPI_self+0x46/0x90
> [ 67.115541][ C1] Code: 10 74 14 90 f3 90 8b 0d 44 12 21 db 8b 91 00 d3 ff ff 80 e6 10 75 ed 0d 00 00 04 00 8b 1d 44 12 21 db 8d 93 00 d3 ff ff 89 02 <5b> 5d 31 c0 31 d2 31 c9 c3 90 bb e8 03 00 00 eb 1d 2e 8d b4 26 00
> [ 67.118357][ C1] EAX: 000400f6 EBX: fffff000 ECX: 00000000 EDX: ffffc300
> [ 67.119453][ C1] ESI: e3a744b4 EDI: 00000000 EBP: ed74798c ESP: ed747988
> [ 67.120512][ C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00000206
> [ 67.122323][ C1] ? exc_nmi_kvm_vmx+0x10/0x10
> [ 67.123079][ C1] ? exc_nmi_kvm_vmx+0x10/0x10
> [ 67.123844][ C1] ? default_send_IPI_self+0x46/0x90
> [ 67.124887][ C1] arch_irq_work_raise+0x2d/0x40
> [ 67.136148][ C1] __irq_work_queue_local+0x7d/0xf0
> [ 67.137164][ C1] irq_work_queue+0x31/0x80
> [ 67.137861][ C1] defer_free+0x88/0xc0
> [ 67.138648][ C1] kfree_nolock+0x28e/0x310
> [ 67.139653][ C1] __free_slab+0x255/0x270
> [ 67.140674][ C1] free_slab+0x3f/0xe0
> [ 67.141574][ C1] free_to_partial_list+0x1df/0x440
> [ 67.142787][ C1] __slab_free+0x2b7/0x5d0
> [ 67.147520][ C1] ? shrink_node+0x2a7/0x310
> [ 67.149260][ C1] ? shrink_slab+0x266/0x4a0
> [ 67.151002][ C1] ? shrink_slab+0x266/0x4a0
> [ 67.151677][ C1] ? shrink_node+0x2a7/0x310
> [ 67.153337][ C1] kfree+0x6e8/0x7c0
> [ 67.154927][ C1] ? shrink_node+0x2a7/0x310
> [ 67.155561][ C1] ? shrink_node+0x2a7/0x310
> [ 67.157219][ C1] shrink_node+0x2a7/0x310
> [ 67.158828][ C1] do_try_to_free_pages+0xdc/0x460
> [ 67.159562][ C1] try_to_free_pages+0xf5/0x150
> [ 67.161292][ C1] __alloc_pages_slowpath+0x28b/0x6e0
> [ 67.163233][ C1] __alloc_frozen_pages_noprof+0x311/0x360
> [ 67.165155][ C1] __folio_alloc_noprof+0x15/0x30
> [ 67.166890][ C1] folio_prealloc+0xa9/0x160
> [ 67.167616][ C1] ? __vmf_anon_prepare+0x70/0x100
> [ 67.169438][ C1] do_cow_fault+0x4b/0x1f0
> [ 67.171212][ C1] ? rcu_is_watching+0x3f/0x80
> [ 67.172994][ C1] do_pte_missing+0xe5/0x380
> [ 67.173688][ C1] ? mt_find+0x154/0x370
> [ 67.175381][ C1] handle_pte_fault+0x20a/0x360
> [ 67.177160][ C1] handle_mm_fault+0x1a4/0x440
> [ 67.178905][ C1] do_user_addr_fault+0x1e3/0x440
> [ 67.179640][ C1] exc_page_fault+0x59/0x1e0
> [ 67.182691][ C1] ? pvclock_clocksource_read_nowd+0x190/0x190
> [ 67.183626][ C1] handle_exception+0x130/0x130
> [ 67.185384][ C1] EIP: clear_user+0x64/0xb0
> [ 67.187106][ C1] Code: 00 00 b8 50 2b 87 db e8 0a 7b fe fe ba 42 00 00 00 b8 53 61 13 db e8 9b 1f 16 ff 89 da 83 e2 03 c1 eb 02 89 d9 31 c0 8d 76 00 <f3> ab 89 d1 f3 aa 8d 76 00 5a 89 c8 8d 65 f8 5b 5f 5d 31 d2 31 c9
> [ 67.192838][ C1] EAX: 00000000 EBX: 000001ce ECX: 000001ce EDX: 00000000
> [ 67.194893][ C1] ESI: ebb68e60 EDI: b7fa58c8 EBP: ed747e40 ESP: ed747e34
> [ 67.196892][ C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010246
> [ 67.199084][ C1] ? pvclock_clocksource_read_nowd+0x190/0x190
> [ 67.201015][ C1] ? pvclock_clocksource_read_nowd+0x190/0x190
> [ 67.202993][ C1] ? clear_user+0x64/0xb0
> [ 67.203649][ C1] elf_load+0x1e1/0x210
> [ 67.205361][ C1] load_elf_interp+0x358/0x400
> [ 67.207199][ C1] load_elf_binary+0xaac/0xdf0
> [ 67.209031][ C1] ? _raw_read_unlock+0x58/0x90
> [ 67.210775][ C1] exec_binprm+0x18b/0x3d0
> [ 67.211490][ C1] bprm_execve+0xc7/0x1b0
> [ 67.213251][ C1] do_execveat_common+0x1b8/0x1f0
> [ 67.215058][ C1] __ia32_sys_execve+0x2a/0x40
> [ 67.216813][ C1] ia32_sys_call+0xf28/0xf90
> [ 67.217503][ C1] do_int80_syscall_32+0x53/0x2c0
> [ 67.219303][ C1] entry_INT80_32+0xf0/0xf0
> [ 67.221070][ C1] EIP: 0xb7fba092
> [ 67.221648][ C1] Code: Unable to access opcode bytes at 0xb7fba068.
> [ 67.223619][ C1] EAX: ffffffda EBX: 02380764 ECX: 023884c8 EDX: 02388504
> [ 67.226356][ C1] ESI: 02380764 EDI: 023884c8 EBP: bfe2b794 ESP: bfe2b674
> [ 67.229021][ C1] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 007b EFLAGS: 00000292
> [ 67.235135][ C1] irq event stamp: 0
> [ 67.235815][ C1] hardirqs last enabled at (0): [<00000000>] 0x0
> [ 67.236788][ C1] hardirqs last disabled at (0): [<d973f5a4>] copy_process+0x6f4/0x18d0
> [ 67.239586][ C1] softirqs last enabled at (0): [<d973f5ae>] copy_process+0x6fe/0x18d0
> [ 67.241811][ C1] softirqs last disabled at (0): [<00000000>] 0x0
> [ 67.243308][ C1] ---[ end trace 0000000000000000 ]---
> [ 67.244517][ C1] FIX kmalloc-96: Object at 0xedf89320 not freed

Vlastimil Babka

Oct 13, 2025, 10:23:14 AM
to Harry Yoo, kernel test robot, Alexei Starovoitov, oe-...@lists.linux.dev, l...@intel.com, linux-...@vger.kernel.org, kasa...@googlegroups.com, cgr...@vger.kernel.org, linu...@kvack.org
Oh wait, isn't it just the case that this is not using set_freepointer() and
with CONFIG_SLAB_FREELIST_HARDENED even the NULL is encoded as a non-NULL?
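
The observation above (a raw `*(void **)x = NULL` is not the same as `set_freepointer(s, x, NULL)` once CONFIG_SLAB_FREELIST_HARDENED encodes stored pointers) and Harry's distance check earlier in the thread, as an added user-space model. This is not kernel code and not part of this thread: it mirrors the kernel's freelist_ptr_encode() formula, `ptr ^ s->random ^ swab(ptr_addr)`, but the cache layout (96-byte stride, freepointer slot at offset 48), the random key and the toy slab are constructed, and `fp_points_into_slab()` reuses the object and freepointer values from the report while assuming the kmalloc-96 slab is a single 4 KiB page.

```c
/* Toy model of SLUB's hardened freelist pointer, written for this thread.
 * Not kernel code: the encoding mirrors freelist_ptr_encode()
 * (ptr ^ s->random ^ swab(ptr_addr)); cache layout, key and slab are constructed.
 * Build: cc -std=c11 -Wall fp_demo.c && ./a.out */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE   96u   /* constructed stride for a kmalloc-96 object */
#define NR_OBJECTS 21u   /* matches objects=21 in the report */
#define FP_OFFSET  48u   /* constructed: freepointer slot inside the object */

struct toy_cache {
    size_t size;       /* s->size: distance between object bases */
    size_t offset;     /* s->offset: freepointer slot within an object */
    uintptr_t random;  /* s->random: per-cache key under FREELIST_HARDENED */
    bool hardened;     /* CONFIG_SLAB_FREELIST_HARDENED on/off */
};

static unsigned char slab_mem[OBJ_SIZE * NR_OBJECTS];  /* one toy slab */

/* byte swap of a pointer-sized value, as swab() does in the kernel formula */
static uintptr_t swab_ptr(uintptr_t v)
{
    uintptr_t r = 0;
    for (size_t i = 0; i < sizeof v; i++)
        r = (r << 8) | ((v >> (8 * i)) & 0xffu);
    return r;
}

static uintptr_t *fp_slot(const struct toy_cache *s, void *object)
{
    return (uintptr_t *)((unsigned char *)object + s->offset);
}

/* set_freepointer(): takes the OBJECT BASE and encodes when hardened */
static void set_freepointer(const struct toy_cache *s, void *object, void *fp)
{
    uintptr_t *slot = fp_slot(s, object);
    *slot = s->hardened ? ((uintptr_t)fp ^ s->random ^ swab_ptr((uintptr_t)slot))
                        : (uintptr_t)fp;
}

/* get_freepointer(): decodes whatever is in the slot, encoded or not */
static void *get_freepointer(const struct toy_cache *s, void *object)
{
    uintptr_t *slot = fp_slot(s, object);
    uintptr_t v = *slot;
    if (s->hardened)
        v ^= s->random ^ swab_ptr((uintptr_t)slot);
    return (void *)v;
}

/* check_valid_pointer(): NULL passes; otherwise must be an object base in this slab */
static bool check_valid_pointer(const struct toy_cache *s, const void *p)
{
    uintptr_t base = (uintptr_t)slab_mem, v = (uintptr_t)p;
    if (!p)
        return true;
    if (v < base || v >= base + sizeof slab_mem)
        return false;
    return (v - base) % s->size == 0;
}

/* Harry's sanity check from the report: does fp even land inside the slab? */
bool fp_points_into_slab(uintptr_t slab_base, size_t slab_bytes, uintptr_t fp)
{
    return fp >= slab_base && fp < slab_base + slab_bytes;
}

/* Model of free_deferred_objects(): 'x' is the llist node, i.e. the freepointer
 * slot of object 1, raw-linked (like llist_add) to object 2's slot.
 * Returns whether the debug free path would accept the freepointer afterwards. */
static bool deferred_free_one(bool hardened, bool use_set_freepointer)
{
    struct toy_cache s = { OBJ_SIZE, FP_OFFSET, (uintptr_t)0x9e3779b97f4a7c15ull, hardened };
    memset(slab_mem, 0, sizeof slab_mem);
    unsigned char *obj1 = slab_mem + 1 * OBJ_SIZE;
    unsigned char *obj2 = slab_mem + 2 * OBJ_SIZE;
    void *x = obj1 + s.offset;              /* llist node == freepointer slot */
    *(void **)x = obj2 + s.offset;          /* llist link: a raw, unencoded store */

    if (use_set_freepointer) {
        x = (unsigned char *)x - s.offset;  /* back to the object base first */
        set_freepointer(&s, x, NULL);       /* NULL is encoded when hardened */
    } else {
        *(void **)x = NULL;                 /* raw store, as in af92793e52c3 */
        x = (unsigned char *)x - s.offset;
    }
    return check_valid_pointer(&s, get_freepointer(&s, x));
}

bool raw_clear_passes(bool hardened) { return deferred_free_one(hardened, false); }
bool set_freepointer_clear_passes(bool hardened) { return deferred_free_one(hardened, true); }

int main(void)
{
    printf("raw NULL store, !HARDENED: %s\n", raw_clear_passes(false) ? "ok" : "Freepointer corrupt");
    printf("raw NULL store,  HARDENED: %s\n", raw_clear_passes(true) ? "ok" : "Freepointer corrupt");
    printf("set_freepointer, HARDENED: %s\n", set_freepointer_clear_passes(true) ? "ok" : "Freepointer corrupt");
    /* report values: Object 0xedf89b60 @offset=2912 gives a slab base of 0xedf89000 (one page assumed) */
    printf("fp 0xeac7a8b4 inside slab: %s\n",
           fp_points_into_slab(0xedf89000u, 4096, 0xeac7a8b4u) ? "yes" : "no");
    return 0;
}
```

Without hardening the raw store and set_freepointer() write the same zero, so the deferred-free path looks correct in any test configuration that leaves CONFIG_SLAB_FREELIST_HARDENED off; with it on, the raw zero decodes to `s->random ^ swab(slot)`, a pointer nowhere near the slab, which is exactly the far-away fp value Harry subtracted in the report.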

Vlastimil Babka

Oct 13, 2025, 10:58:32 AM
to kernel test robot, Alexei Starovoitov, oe-...@lists.linux.dev, l...@intel.com, linux-...@vger.kernel.org, Harry Yoo, kasa...@googlegroups.com, cgr...@vger.kernel.org, linu...@kvack.org
On 10/10/25 10:39, kernel test robot wrote:
>
>
> Hello,
>
> kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:
>
> commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
>
> [test failed on linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
> [test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
> [test failed on fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]
>
> in testcase: trinity
> version: trinity-i386-abe9de86-1_20230429
> with following parameters:
>
> runtime: 300s
> group: group-01
> nr_groups: 5
>
>
>
> config: i386-randconfig-012-20251004
> compiler: gcc-14
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
>
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <olive...@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202510101652...@intel.com

Does this fix it?
----8<----
From 5f467c4e630a7a8e5ba024d31065413bddf22cec Mon Sep 17 00:00:00 2001
From: Vlastimil Babka <vba...@suse.cz>
Date: Mon, 13 Oct 2025 16:56:28 +0200
Subject: [PATCH] slab: fix clearing freelist in free_deferred_objects()

Signed-off-by: Vlastimil Babka <vba...@suse.cz>
---
mm/slub.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/mm/slub.c b/mm/slub.c
index f9f7f3942074..080d27fe253f 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -6377,15 +6377,16 @@ static void free_deferred_objects(struct irq_work *work)
slab = virt_to_slab(x);
s = slab->slab_cache;

+
+ /* Point 'x' back to the beginning of allocated object */
+ x -= s->offset;
/*
* We used freepointer in 'x' to link 'x' into df->objects.
* Clear it to NULL to avoid false positive detection
* of "Freepointer corruption".
*/
- *(void **)x = NULL;
+ set_freepointer(s, x, NULL);

- /* Point 'x' back to the beginning of allocated object */
- x -= s->offset;
__slab_free(s, slab, x, x, 1, _THIS_IP_);
}
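Review bot: the commit message is only a subject line; the body should state why the raw store was wrong, namely that with CONFIG_SLAB_FREELIST_HARDENED the freepointer is stored encoded, so `*(void **)x = NULL` leaves a value that get_freepointer() decodes to a non-NULL, out-of-slab pointer and the debug free path reports "Freepointer corrupt", and it should carry Fixes: af92793e52c3 ("slab: Introduce kmalloc_nolock() and kfree_nolock().") plus the Reported-by: and Closes: tags the report asks for. Moving `x -= s->offset;` ahead of the clear is required, not cosmetic, because set_freepointer() is handed the object base and finds the slot from s->offset itself; a short comment saying so would keep a later cleanup from restoring the old order. Style nit: the added empty `+` line above the moved comment leaves two consecutive blank lines after `s = slab->slab_cache;`; drop it.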

--
2.51.0


Harry Yoo

Oct 13, 2025, 2:31:12 PM
to Vlastimil Babka, kernel test robot, Alexei Starovoitov, oe-...@lists.linux.dev, l...@intel.com, linux-...@vger.kernel.org, kasa...@googlegroups.com, cgr...@vger.kernel.org, linu...@kvack.org
Oh, great observation! Obviously it should be fixed.
The fix posted in the other email looks great to me.

--
Cheers,
Harry / Hyeonggon


Alexei Starovoitov

Oct 13, 2025, 5:33:39 PM
to Vlastimil Babka, kernel test robot, Alexei Starovoitov, oe-...@lists.linux.dev, kbuild test robot, LKML, Harry Yoo, kasan-dev, open list:CONTROL GROUP (CGROUP), linux-mm
Thanks for the fix!
Acked-by: Alexei Starovoitov <a...@kernel.org>

The bot spotted it with CONFIG_SLAB_FREELIST_HARDENED=y.
It wasn't part of my tests. Sorry.