Re: [linux-next:master] [mm/slab] 4fad56bdb6: BUG_kmalloc-#:Padding_overwritten.#-#@offset=

[Harry Yoo <harry.yoo@oracle.com>]

On Fri, Jan 23, 2026 at 03:21:19PM +0800, kernel test robot wrote:
> 
> 
> Hello,
> 
> kernel test robot noticed "BUG_kmalloc-#:Padding_overwritten.#-#@offset=" on:
> 
> commit: 4fad56bdb6b4c4bc0ea2d919df1ae4eef7b69919 ("mm/slab: save memory by allocating slabobj_ext array from leftover")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git
> 
> [test failed on linux-next/master e3b32dcb9f23e3c3927ef3eec6a5842a988fb574]
> 
> in testcase: boot
> 
> config: x86_64-randconfig-012-20260121
> compiler: clang-20
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G
> 
> (please refer to attached dmesg/kmsg for entire log/backtrace)
> 
> 
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202601231457.f7b31e09-lkp@intel.com
> 
> 
> 
> [    3.646661][    T0] **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
> [    3.647660][    T0] **********************************************************
> [    3.648834][    T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
> [    3.651537][    T0] Kernel/User page tables isolation: enabled
> [    3.653242][    T0] =============================================================================
> [    3.655191][    T0] BUG kmalloc-192 (Tainted: G                T  ): Padding overwritten. 0xffff88810006c028-0xffff88810006bfff @offset=8232
> [    3.657925][    T0] -----------------------------------------------------------------------------
> [    3.657925][    T0]
> [    3.660319][    T0] Padding ffff88810006c028: 00 00 00 00 00 00 00 00 30 c0 06 00 81 88 ff ff  ........0.......
> [    3.662476][    T0] Padding ffff88810006c038: 30 c0 06 00 81 88 ff ff 00 00 00 00 00 00 00 00  0...............
> [    3.664649][    T0] Padding ffff88810006c048: 48 c0 06 00 81 88 ff ff 48 c0 06 00 81 88 ff ff  H.......H.......
> 
> 
> The kernel config and materials to reproduce are available at:
> https://download.01.org/0day-ci/archive/20260123/202601231457.f7b31e09-lkp@intel.com

Thanks for the report! It was very helpful to reproduce the bug.
after some printk() debugging, I discovered that the slab being reported
allocated the slabobj_ext array via kmalloc.

So I added a warning to confirm that the array was allocated
from the same slab we're allocating the array for:

@@ -2145,6 +2164,12 @@ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s,
                return -ENOMEM;
        }

+       unsigned long start = (unsigned long)slab_address(slab);
+       unsigned long end = start + slab_size(slab);
+       unsigned long val = (unsigned long)vec;
+
+       WARN_ON_ONCE(val >= start && val < end);

and it was hit:

WARNING: mm/slub.c:2171 at alloc_slab_obj_exts+0x18a/0x1e0, CPU#0: swapper/0
[...]
Call Trace:
 <TASK>
 __alloc_tagging_slab_alloc_hook+0xac/0x220
 __kmalloc_cache_noprof+0x196/0x470
 ? __kmalloc_cache_noprof+0x200/0x470
 ? shrinker_alloc+0xa9/0x3b0
 shrinker_alloc+0xa9/0x3b0
 vmalloc_init+0x616/0x8f0
[...]

I sent a fix to prevent this and confirmed that the fix resolved
the reported issue.

https://lore.kernel.org/linux-mm/20260124104614.9739-1-harry.yoo@oracle.com/

Thanks!

-- 
Cheers,
Harry / Hyeonggon