Linux-mm Archive on lore.kernel.org
* [linux-next:master] [mm/slub]  8952728641: BUG_kmem_cache:Freepointer_corrupt
@ 2026-04-30  6:16 kernel test robot
  2026-04-30  8:12 ` Harry Yoo (Oracle)
  0 siblings, 1 reply; 3+ messages in thread
From: kernel test robot @ 2026-04-30  6:16 UTC (permalink / raw)
  To: Shengming Hu
  Cc: oe-lkp, lkp, Vlastimil Babka, Harry Yoo, Hao Li, linux-mm,
	oliver.sang



Hello,

kernel test robot noticed "BUG_kmem_cache:Freepointer_corrupt" on:

commit: 8952728641305ebcd03e80f79b8d31bb41d6d95f ("mm/slub: defer freelist construction until after bulk allocation from a new slab")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

[test failed on linux-next/master 9974969c14031a097d6b45bcb7a06bb4aa525c40]

in testcase: boot

config: x86_64-randconfig-001-20251114
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202604301428.e2b8d3dd-lkp@intel.com



[   53.929047][    T0] =============================================================================
[   53.931786][    T0] BUG kmem_cache (Tainted: G                T  ): Freepointer corrupt
[   53.934858][    T0] -----------------------------------------------------------------------------
[   53.934858][    T0] 
[   53.934858][    T0] -----------------------------------------------------------------------------
[   53.934858][    T0] 
[   53.939608][    T0] Slab 0xffffea0004001040 objects=9 used=1 fp=0xffff888100041200 flags=0x4000000000000000(zone=2)
[   53.944008][    T0] Object 0xffff888100041040 @offset=64 fp=0x64ae22a70baa83ae
[   53.944008][    T0] 
[   53.944008][    T0] Object 0xffff888100041040 @offset=64 fp=0x64ae22a70baa83ae
[   53.944008][    T0] 
[   53.950913][    T0] Redzone  ffff888100041000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[   53.954703][    T0] Redzone  ffff888100041010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[   53.957662][    T0] Redzone  ffff888100041020: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[   53.960527][    T0] Redzone  ffff888100041030: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[   53.963607][    T0] Object   ffff888100041040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.966785][    T0] Object   ffff888100041050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.969753][    T0] Object   ffff888100041060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.972621][    T0] Object   ffff888100041070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.975559][    T0] Object   ffff888100041080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.978756][    T0] Object   ffff888100041090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.981898][    T0] Object   ffff8881000410a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.985140][    T0] Object   ffff8881000410b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.988289][    T0] Object   ffff8881000410c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.991279][    T0] Object   ffff8881000410d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.993987][    T0] Object   ffff8881000410e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.996539][    T0] Object   ffff8881000410f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   53.999493][    T0] Object   ffff888100041100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.002253][    T0] Object   ffff888100041110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[   54.005170][    T0] Redzone  ffff888100041120: bb bb bb bb bb bb bb bb                          ........
[   54.007879][    T0] Padding  ffff888100041180: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   54.010661][    T0] Padding  ffff888100041190: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   54.013403][    T0] Padding  ffff8881000411a0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   54.016151][    T0] Padding  ffff8881000411b0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   54.019282][    T0] Disabling lock debugging due to kernel taint
[   54.021208][    T0] ------------[ cut here ]------------
[   54.022797][    T0] WARNING: mm/slub.c:1231 at object_err+0x6c/0x7f, CPU#0: swapper/0
[   54.025237][    T0] Modules linked in:
[   54.026745][    T0] CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G    B           T   7.1.0-rc1-00001-g895272864130 #1 PREEMPT(undef) 
[   54.030461][    T0] Tainted: [B]=BAD_PAGE, [T]=RANDSTRUCT
[   54.032017][    T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   54.036374][    T0] RIP: 0010:object_err+0x6c/0x7f
[   54.039295][    T0] Code: c7 c7 1f 95 42 85 e8 b3 1a fe ff eb 0e 48 89 da 4c 89 ee 4c 89 e7 e8 13 fe ff ff be 01 00 00 00 bf 05 00 00 00 e8 c4 f7 2f 00 <0f> 0b 5b 41 5c 41 5d 5d 31 c0 31 d2 31 c9 31 f6 31 ff c3 be 00 10
[   54.049629][    T0] RSP: 0000:ffffffff85607c40 EFLAGS: 00010046
[   54.051811][    T0] RAX: 0000000000000000 RBX: ffff888100041040 RCX: 0000000000000000
[   54.054369][    T0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   54.056862][    T0] RBP: ffffffff85607c58 R08: 0000000000000000 R09: 0000000000000000
[   54.059766][    T0] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff86ad8f20
[   54.062963][    T0] R13: ffffea0004001040 R14: 00000000000000bb R15: 0000000000000001
[   54.066945][    T0] FS:  0000000000000000(0000) GS:0000000000000000(0000) knlGS:0000000000000000
[   54.070095][    T0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   54.072475][    T0] CR2: ffff88883ffff000 CR3: 00000000056ba000 CR4: 00000000000000b0
[   54.076829][    T0] Call Trace:
[   54.077963][    T0]  <TASK>
[   54.079139][    T0]  check_object.cold+0x4b/0x50
[   54.080583][    T0]  alloc_debug_processing+0x9b/0x180
[   54.082495][    T0]  alloc_single_from_new_slab+0x82/0x200
[   54.084323][    T0]  ? alloc_slab_obj_exts_early+0x5/0x2c0
[   54.086455][    T0]  ? allocate_slab+0x11b/0x380
[   54.087892][    T0]  ___slab_alloc+0x1ad/0x340
[   54.089129][    T0]  ? bootstrap+0x20/0xb0
[   54.090520][    T0]  kmem_cache_alloc_noprof+0x30b/0x540
[   54.092010][    T0]  ? bootstrap+0x20/0xb0
[   54.093328][    T0]  bootstrap+0x20/0xb0
[   54.094484][    T0]  kmem_cache_init+0xbb/0x330
[   54.095786][    T0]  ? preallocate_vmalloc_pages+0x1a4/0x2b0
[   54.097485][    T0]  mm_core_init+0x12b/0x170
[   54.098935][    T0]  start_kernel+0x173/0x370
[   54.100291][    T0]  x86_64_start_reservations+0x28/0x30
[   54.101912][    T0]  x86_64_start_kernel+0x131/0x140
[   54.103325][    T0]  common_startup_64+0xbd/0xc8
[   54.104692][    T0] RIP: 2e66:0x841f0f
[   54.105837][    T0] Code: Unable to access opcode bytes at 0x841ee5.
[   54.107636][    T0] RSP: 0084:1f0f2e6600000000 EFLAGS: 841f0f2e660000 ORIG_RAX: 2e66000000000084
[   54.110294][    T0] RAX: 2e66000000000084 RBX: 2e66000000000084 RCX: 0000000000841f0f
[   54.112621][    T0] RDX: 000000841f0f2e66 RSI: 00841f0f2e660000 RDI: 1f0f2e6600000000
[   54.114700][    T0] RBP: 1f0f2e6600000000 R08: 1f0f2e6600000000 R09: 00841f0f2e660000
[   54.117100][    T0] R10: 000000841f0f2e66 R11: 0000000000841f0f R12: 00841f0f2e660000
[   54.119233][    T0] R13: 000000841f0f2e66 R14: 0000000000841f0f R15: 2e66000000000084
[   54.121210][    T0]  </TASK>
[   54.122004][    T0] irq event stamp: 0
[   54.122967][    T0] hardirqs last  enabled at (0): [<0000000000000000>] 0x0
[   54.124748][    T0] hardirqs last disabled at (0): [<0000000000000000>] 0x0
[   54.126760][    T0] softirqs last  enabled at (0): [<0000000000000000>] 0x0
[   54.128589][    T0] softirqs last disabled at (0): [<0000000000000000>] 0x0
[   54.130515][    T0] ---[ end trace 0000000000000000 ]---
[   54.131853][    T0] FIX kmem_cache: Marking all objects used
[   54.137998][    T0] =============================================================================
[   54.164966][    T0] BUG kmem_cache (Tainted: G    B   W       T  ): Freepointer corrupt
[   54.168591][    T0] -----------------------------------------------------------------------------
[   54.168591][    T0] 
[   54.168591][    T0] -----------------------------------------------------------------------------
[   54.168591][    T0] 
[   54.172896][    T0] Slab 0xffffea0004001080 objects=9 used=1 fp=0xffff888100042200 flags=0x4000000000000000(zone=2)
[   54.176176][    T0] Object 0xffff888100042040 @offset=64 fp=0x649e22a70baa83ae
[   54.176176][    T0] 
[   54.176176][    T0] Object 0xffff888100042040 @offset=64 fp=0x649e22a70baa83ae
[   54.176176][    T0] 
[   54.179185][    T0] Redzone  ffff888100042000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[   54.182194][    T0] Redzone  ffff888100042010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[   54.185079][    T0] Redzone  ffff888100042020: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[   54.188065][    T0] Redzone  ffff888100042030: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[   54.191066][    T0] Object   ffff888100042040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.194179][    T0] Object   ffff888100042050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.197272][    T0] Object   ffff888100042060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.200275][    T0] Object   ffff888100042070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.203121][    T0] Object   ffff888100042080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.206273][    T0] Object   ffff888100042090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.209183][    T0] Object   ffff8881000420a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.211956][    T0] Object   ffff8881000420b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.215170][    T0] Object   ffff8881000420c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.218051][    T0] Object   ffff8881000420d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.220882][    T0] Object   ffff8881000420e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.223739][    T0] Object   ffff8881000420f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.226475][    T0] Object   ffff888100042100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   54.229268][    T0] Object   ffff888100042110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[   54.232081][    T0] Redzone  ffff888100042120: bb bb bb bb bb bb bb bb                          ........
[   54.240289][    T0] Padding  ffff888100042180: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   54.244580][    T0] Padding  ffff888100042190: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   54.248946][    T0] Padding  ffff8881000421a0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   54.252300][    T0] Padding  ffff8881000421b0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   54.255423][    T0] ------------[ cut here ]------------
[   54.256910][    T0] WARNING: mm/slub.c:1231 at object_err+0x6c/0x7f, CPU#0: swapper/0
[   54.259466][    T0] Modules linked in:
[   54.260739][    T0] CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G    B   W       T   7.1.0-rc1-00001-g895272864130 #1 PREEMPT(undef) 
[   54.264411][    T0] Tainted: [B]=BAD_PAGE, [W]=WARN, [T]=RANDSTRUCT
[   54.266719][    T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   54.271041][    T0] RIP: 0010:object_err+0x6c/0x7f
[   54.272617][    T0] Code: c7 c7 1f 95 42 85 e8 b3 1a fe ff eb 0e 48 89 da 4c 89 ee 4c 89 e7 e8 13 fe ff ff be 01 00 00 00 bf 05 00 00 00 e8 c4 f7 2f 00 <0f> 0b 5b 41 5c 41 5d 5d 31 c0 31 d2 31 c9 31 f6 31 ff c3 be 00 10
[   54.278858][    T0] RSP: 0000:ffffffff85607c40 EFLAGS: 00010046
[   54.280701][    T0] RAX: 0000000000000000 RBX: ffff888100042040 RCX: 0000000000000000
[   54.282917][    T0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   54.285854][    T0] RBP: ffffffff85607c58 R08: 0000000000000000 R09: 0000000000000000
[   54.288711][    T0] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff86ad8f20
[   54.291194][    T0] R13: ffffea0004001080 R14: 00000000000000bb R15: 0000000000000001
[   54.293497][    T0] FS:  0000000000000000(0000) GS:0000000000000000(0000) knlGS:0000000000000000
[   54.296100][    T0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   54.298178][    T0] CR2: ffff88883ffff000 CR3: 00000000056ba000 CR4: 00000000000000b0
[   54.300578][    T0] Call Trace:
[   54.301701][    T0]  <TASK>
[   54.302556][    T0]  check_object.cold+0x4b/0x50
[   54.304075][    T0]  alloc_debug_processing+0x9b/0x180
[   54.305771][    T0]  alloc_single_from_new_slab+0x82/0x200
[   54.307575][    T0]  ? alloc_slab_obj_exts_early+0x5/0x2c0
[   54.309885][    T0]  ? allocate_slab+0x11b/0x380
[   54.311397][    T0]  ___slab_alloc+0x1ad/0x340
[   54.312978][    T0]  ? bootstrap+0x20/0xb0
[   54.314381][    T0]  kmem_cache_alloc_noprof+0x30b/0x540
[   54.316375][    T0]  ? bootstrap+0x20/0xb0
[   54.317924][    T0]  bootstrap+0x20/0xb0
[   54.319165][    T0]  kmem_cache_init+0xbb/0x330
[   54.320577][    T0]  ? preallocate_vmalloc_pages+0x1a4/0x2b0
[   54.322318][    T0]  mm_core_init+0x12b/0x170
[   54.323813][    T0]  start_kernel+0x173/0x370
[   54.325087][    T0]  x86_64_start_reservations+0x28/0x30
[   54.326828][    T0]  x86_64_start_kernel+0x131/0x140
[   54.328433][    T0]  common_startup_64+0xbd/0xc8
[   54.329884][    T0] RIP: 2e66:0x841f0f
[   54.331003][    T0] Code: Unable to access opcode bytes at 0x841ee5.
[   54.333204][    T0] RSP: 0084:1f0f2e6600000000 EFLAGS: 841f0f2e660000 ORIG_RAX: 2e66000000000084
[   54.341141][    T0] RAX: 2e66000000000084 RBX: 2e66000000000084 RCX: 0000000000841f0f
[   54.344540][    T0] RDX: 000000841f0f2e66 RSI: 00841f0f2e660000 RDI: 1f0f2e6600000000
[   54.348106][    T0] RBP: 1f0f2e6600000000 R08: 1f0f2e6600000000 R09: 00841f0f2e660000
[   54.350959][    T0] R10: 000000841f0f2e66 R11: 0000000000841f0f R12: 00841f0f2e660000
[   54.353348][    T0] R13: 000000841f0f2e66 R14: 0000000000841f0f R15: 2e66000000000084
[   54.355758][    T0]  </TASK>
[   54.356638][    T0] irq event stamp: 0
[   54.357904][    T0] hardirqs last  enabled at (0): [<0000000000000000>] 0x0
[   54.360403][    T0] hardirqs last disabled at (0): [<0000000000000000>] 0x0
[   54.362935][    T0] softirqs last  enabled at (0): [<0000000000000000>] 0x0
[   54.365496][    T0] softirqs last disabled at (0): [<0000000000000000>] 0x0
[   54.367816][    T0] ---[ end trace 0000000000000000 ]---


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20260430/202604301428.e2b8d3dd-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki




* Re: [linux-next:master] [mm/slub]  8952728641: BUG_kmem_cache:Freepointer_corrupt
  2026-04-30  6:16 [linux-next:master] [mm/slub] 8952728641: BUG_kmem_cache:Freepointer_corrupt kernel test robot
@ 2026-04-30  8:12 ` Harry Yoo (Oracle)
  2026-04-30  8:25   ` hu.shengming
  0 siblings, 1 reply; 3+ messages in thread
From: Harry Yoo (Oracle) @ 2026-04-30  8:12 UTC (permalink / raw)
  To: kernel test robot
  Cc: Shengming Hu, oe-lkp, lkp, Vlastimil Babka, Hao Li, linux-mm

Taking a quick look...

On Thu, Apr 30, 2026 at 02:16:37PM +0800, kernel test robot wrote:
> 
> 
> Hello,
> 
> kernel test robot noticed "BUG_kmem_cache:Freepointer_corrupt" on:
> 
> commit: 8952728641305ebcd03e80f79b8d31bb41d6d95f ("mm/slub: defer freelist construction until after bulk allocation from a new slab")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
> 
> [test failed on linux-next/master 9974969c14031a097d6b45bcb7a06bb4aa525c40]
> 
> in testcase: boot
> 
> config: x86_64-randconfig-001-20251114
> compiler: gcc-14
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G
> 
> (please refer to attached dmesg/kmsg for entire log/backtrace)

[...]

> [   53.929047][    T0] =============================================================================
> [   53.931786][    T0] BUG kmem_cache (Tainted: G                T  ): Freepointer corrupt
> [   53.934858][    T0] -----------------------------------------------------------------------------
> [   53.934858][    T0] 
> [   53.934858][    T0] -----------------------------------------------------------------------------
> [   53.934858][    T0] 
> [   53.939608][    T0] Slab 0xffffea0004001040 objects=9 used=1 fp=0xffff888100041200 flags=0x4000000000000000(zone=2)
> [   53.944008][    T0] Object 0xffff888100041040 @offset=64 fp=0x64ae22a70baa83ae
> [   53.944008][    T0] 
> [   53.944008][    T0] Object 0xffff888100041040 @offset=64 fp=0x64ae22a70baa83ae
> [   53.944008][    T0] 
> [   53.950913][    T0] Redzone  ffff888100041000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
> [   53.954703][    T0] Redzone  ffff888100041010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
> [   53.957662][    T0] Redzone  ffff888100041020: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
> [   53.960527][    T0] Redzone  ffff888100041030: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
> [   53.963607][    T0] Object   ffff888100041040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.966785][    T0] Object   ffff888100041050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.969753][    T0] Object   ffff888100041060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.972621][    T0] Object   ffff888100041070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.975559][    T0] Object   ffff888100041080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.978756][    T0] Object   ffff888100041090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.981898][    T0] Object   ffff8881000410a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.985140][    T0] Object   ffff8881000410b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.988289][    T0] Object   ffff8881000410c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.991279][    T0] Object   ffff8881000410d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.993987][    T0] Object   ffff8881000410e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.996539][    T0] Object   ffff8881000410f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   53.999493][    T0] Object   ffff888100041100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> [   54.002253][    T0] Object   ffff888100041110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
> [   54.005170][    T0] Redzone  ffff888100041120: bb bb bb bb bb bb bb bb                          ........
> [   54.007879][    T0] Padding  ffff888100041180: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
> [   54.010661][    T0] Padding  ffff888100041190: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
> [   54.013403][    T0] Padding  ffff8881000411a0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
> [   54.016151][    T0] Padding  ffff8881000411b0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ

the object content has 0x6b (POISON_FREE) and there is no free pointer
because we skipped it when allocating objects from a new slab.

> [   54.019282][    T0] Disabling lock debugging due to kernel taint
> [   54.021208][    T0] ------------[ cut here ]------------
> [   54.022797][    T0] WARNING: mm/slub.c:1231 at object_err+0x6c/0x7f, CPU#0: swapper/0
> [   54.077963][    T0]  <TASK>
> [   54.079139][    T0]  check_object.cold+0x4b/0x50
> [   54.080583][    T0]  alloc_debug_processing+0x9b/0x180

But alloc_debug_processing() always expects a valid free pointer (within
the slab or NULL).

I think it can be fixed by initializing the free pointer
before calling alloc_debug_processing() in alloc_single_from_new_slab().
(with a comment explaining why)

Could you respin the patch with the issue addressed, Shengming?

> [   54.082495][    T0]  alloc_single_from_new_slab+0x82/0x200
> [   54.084323][    T0]  ? alloc_slab_obj_exts_early+0x5/0x2c0
> [   54.086455][    T0]  ? allocate_slab+0x11b/0x380
> [   54.087892][    T0]  ___slab_alloc+0x1ad/0x340
> [   54.089129][    T0]  ? bootstrap+0x20/0xb0
> [   54.090520][    T0]  kmem_cache_alloc_noprof+0x30b/0x540
> [   54.092010][    T0]  ? bootstrap+0x20/0xb0
> [   54.093328][    T0]  bootstrap+0x20/0xb0
> [   54.094484][    T0]  kmem_cache_init+0xbb/0x330
> [   54.095786][    T0]  ? preallocate_vmalloc_pages+0x1a4/0x2b0
> [   54.097485][    T0]  mm_core_init+0x12b/0x170
> [   54.098935][    T0]  start_kernel+0x173/0x370
> [   54.100291][    T0]  x86_64_start_reservations+0x28/0x30
> [   54.101912][    T0]  x86_64_start_kernel+0x131/0x140
> [   54.103325][    T0]  common_startup_64+0xbd/0xc8
> [   54.131853][    T0] FIX kmem_cache: Marking all objects used

-- 
Cheers,
Harry / Hyeonggon



* Re: [linux-next:master] [mm/slub]  8952728641: BUG_kmem_cache:Freepointer_corrupt
  2026-04-30  8:12 ` Harry Yoo (Oracle)
@ 2026-04-30  8:25   ` hu.shengming
  0 siblings, 0 replies; 3+ messages in thread
From: hu.shengming @ 2026-04-30  8:25 UTC (permalink / raw)
  To: harry; +Cc: oliver.sang, oe-lkp, lkp, vbabka, hao.li, linux-mm

Harry wrote:
> Taking a quick look...
>
> On Thu, Apr 30, 2026 at 02:16:37PM +0800, kernel test robot wrote:
> >
> >
> > Hello,
> >
> > kernel test robot noticed "BUG_kmem_cache:Freepointer_corrupt" on:
> >
> > commit: 8952728641305ebcd03e80f79b8d31bb41d6d95f ("mm/slub: defer freelist construction until after bulk allocation from a new slab")
> > https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
> >
> > [test failed on linux-next/master 9974969c14031a097d6b45bcb7a06bb4aa525c40]
> >
> > in testcase: boot
> >
> > config: x86_64-randconfig-001-20251114
> > compiler: gcc-14
> > test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G
> >
> > (please refer to attached dmesg/kmsg for entire log/backtrace)
>
> [...]
>
> > [   53.929047][    T0] =============================================================================
> > [   53.931786][    T0] BUG kmem_cache (Tainted: G                T  ): Freepointer corrupt
> > [   53.934858][    T0] -----------------------------------------------------------------------------
> > [   53.934858][    T0]
> > [   53.934858][    T0] -----------------------------------------------------------------------------
> > [   53.934858][    T0]
> > [   53.939608][    T0] Slab 0xffffea0004001040 objects=9 used=1 fp=0xffff888100041200 flags=0x4000000000000000(zone=2)
> > [   53.944008][    T0] Object 0xffff888100041040 @offset=64 fp=0x64ae22a70baa83ae
> > [   53.944008][    T0]
> > [   53.944008][    T0] Object 0xffff888100041040 @offset=64 fp=0x64ae22a70baa83ae
> > [   53.944008][    T0]
> > [   53.950913][    T0] Redzone  ffff888100041000: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
> > [   53.954703][    T0] Redzone  ffff888100041010: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
> > [   53.957662][    T0] Redzone  ffff888100041020: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
> > [   53.960527][    T0] Redzone  ffff888100041030: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
> > [   53.963607][    T0] Object   ffff888100041040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.966785][    T0] Object   ffff888100041050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.969753][    T0] Object   ffff888100041060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.972621][    T0] Object   ffff888100041070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.975559][    T0] Object   ffff888100041080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.978756][    T0] Object   ffff888100041090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.981898][    T0] Object   ffff8881000410a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.985140][    T0] Object   ffff8881000410b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.988289][    T0] Object   ffff8881000410c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.991279][    T0] Object   ffff8881000410d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.993987][    T0] Object   ffff8881000410e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.996539][    T0] Object   ffff8881000410f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   53.999493][    T0] Object   ffff888100041100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
> > [   54.002253][    T0] Object   ffff888100041110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
> > [   54.005170][    T0] Redzone  ffff888100041120: bb bb bb bb bb bb bb bb                          ........
> > [   54.007879][    T0] Padding  ffff888100041180: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
> > [   54.010661][    T0] Padding  ffff888100041190: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
> > [   54.013403][    T0] Padding  ffff8881000411a0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
> > [   54.016151][    T0] Padding  ffff8881000411b0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
>
> the object content has 0x6b (POISON_FREE) and there is no free pointer
> because we skipped it when allocating objects from a new slab.
>

Hi Harry,
Many thanks for the quick review and catching this!

> > [   54.019282][    T0] Disabling lock debugging due to kernel taint
> > [   54.021208][    T0] ------------[ cut here ]------------
> > [   54.022797][    T0] WARNING: mm/slub.c:1231 at object_err+0x6c/0x7f, CPU#0: swapper/0
> > [   54.077963][    T0]  <TASK>
> > [   54.079139][    T0]  check_object.cold+0x4b/0x50
> > [   54.080583][    T0]  alloc_debug_processing+0x9b/0x180
>
> But alloc_debug_processing() always expects a valid free pointer (within
> the slab or NULL).
>
> I think it can be fixed by initializing the free pointer
> before calling alloc_debug_processing() in alloc_single_from_new_slab().
> (with a comment explaining why)
>
> Could you respin the patch with the issue addressed, Shengming?
>

I have just finished creating the patch and running the tests. I was about to send the patch
with the fix you suggested. I’ll include the change where the free pointer is initialized before
calling alloc_debug_processing() in alloc_single_from_new_slab(), along with a comment
explaining why it's necessary.

> > [   54.082495][    T0]  alloc_single_from_new_slab+0x82/0x200
> > [   54.084323][    T0]  ? alloc_slab_obj_exts_early+0x5/0x2c0
> > [   54.086455][    T0]  ? allocate_slab+0x11b/0x380
> > [   54.087892][    T0]  ___slab_alloc+0x1ad/0x340
> > [   54.089129][    T0]  ? bootstrap+0x20/0xb0
> > [   54.090520][    T0]  kmem_cache_alloc_noprof+0x30b/0x540
> > [   54.092010][    T0]  ? bootstrap+0x20/0xb0
> > [   54.093328][    T0]  bootstrap+0x20/0xb0
> > [   54.094484][    T0]  kmem_cache_init+0xbb/0x330
> > [   54.095786][    T0]  ? preallocate_vmalloc_pages+0x1a4/0x2b0
> > [   54.097485][    T0]  mm_core_init+0x12b/0x170
> > [   54.098935][    T0]  start_kernel+0x173/0x370
> > [   54.100291][    T0]  x86_64_start_reservations+0x28/0x30
> > [   54.101912][    T0]  x86_64_start_kernel+0x131/0x140
> > [   54.103325][    T0]  common_startup_64+0xbd/0xc8
> > [   54.131853][    T0] FIX kmem_cache: Marking all objects used
>
> --
> Cheers,
> Harry / Hyeonggon

--
With Best Regards,
Shengming
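
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not kernel code: a user-space toy model in which a freshly poisoned object reaches the debug check before its free pointer has been written, and the same path with the free pointer initialized first. The `toy_*` names, `fp_valid()`, the 32-byte payload and the value written into the free pointer (the next object) are assumptions made for illustration.

```c
/* Toy user-space model of the report above; NOT the kernel's mm/slub.c. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define POISON_FREE 0x6b   /* byte that fills the object dump in the report */
#define TOY_NOBJ    9      /* "objects=9" in the report */
#define TOY_PAYLOAD 32     /* assumption: toy payload size */

struct toy_obj {
    unsigned char payload[TOY_PAYLOAD];
    uint64_t fp;           /* free pointer slot, kept after the payload */
};

struct toy_slab {
    struct toy_obj objs[TOY_NOBJ];
    struct toy_obj *freelist;   /* slab-level freelist head */
};

/* Rule stated in the thread: valid means NULL or an address inside the slab. */
static int fp_valid(uint64_t base, uint64_t size, uint64_t fp)
{
    return fp == 0 || (fp >= base && fp - base < size);
}

/* New slab: objects are poisoned, but per-object free pointers are not
 * written yet (freelist construction is deferred). The toy fills the fp
 * slot with poison too, so the stale value is deterministic. */
static void toy_new_slab(struct toy_slab *s)
{
    memset(s->objs, POISON_FREE, sizeof(s->objs));
    s->freelist = NULL;
}

/* Stand-in for the allocation-time debug check: payload still poisoned
 * and the object's free pointer is sane. */
static int toy_check_object(const struct toy_slab *s, const struct toy_obj *o)
{
    for (size_t i = 0; i < TOY_PAYLOAD; i++)
        if (o->payload[i] != POISON_FREE)
            return 0;
    return fp_valid((uint64_t)(uintptr_t)s->objs, sizeof(s->objs), o->fp);
}

/* Hand out the first object of a new slab. With init_fp_first == 0 the
 * object goes to the check with a stale fp; with 1 the fp is written
 * first (assumption: it points at the next object; NULL would also pass). */
static struct toy_obj *toy_alloc_single(struct toy_slab *s, int init_fp_first)
{
    struct toy_obj *o = &s->objs[0];

    s->freelist = &s->objs[1];   /* report shows used=1, slab fp -> next object */
    if (init_fp_first)
        o->fp = (uint64_t)(uintptr_t)&s->objs[1];
    return toy_check_object(s, o) ? o : NULL;
}

int main(void)
{
    struct toy_slab s;

    toy_new_slab(&s);
    printf("fp not initialized: %s\n",
           toy_alloc_single(&s, 0) ? "check passed" : "Freepointer corrupt");
    toy_new_slab(&s);
    printf("fp initialized:     %s\n",
           toy_alloc_single(&s, 1) ? "check passed" : "Freepointer corrupt");

    /* Values copied from the report; the 4096-byte slab size is an assumption. */
    printf("object fp 0x64ae22a70baa83ae in slab: %d\n",
           fp_valid(0xffff888100041000ULL, 4096, 0x64ae22a70baa83aeULL));
    printf("slab fp   0xffff888100041200 in slab: %d\n",
           fp_valid(0xffff888100041000ULL, 4096, 0xffff888100041200ULL));
    return 0;
}
```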


