slab fixes for 6.18-rc2

-----BEGIN PGP SIGNATURE----- iQFPBAABCAA5FiEEe7vIQRWZI0iWSE3xu+CwddJFiJoFAmjx/QwbFIAAAAAABAAO bWFudTIsMi41KzEuMTEsMiwyAAoJELvgsHXSRYiaTjQH/RIp1LU+WQTEREzU/BnU WLvPPDq/p/xy3uYFx8KaUx7gzu0p1kjvIC/7PBVf4uw4KdfC+mg6MIuM99e9rAkk LIVEko58iza0t+y0gX8DqGbYItumhafjzL/OdPKEdRzPWcWNzNMQyGfo/k1gDPF4 x9mBBuwnASLM7oCCenAmo0UpE6+Tf+gy9kYpN7QQ5+ZDk41DSbMx5wmU9SQu3I0u H3VYEiC57QMEo3Bdh+H0XqmvSXOew0u/pPmHLJncEM0nNiKeC3c+Rh9rLER8B7P/ hqtkGoSIwI2yjIZq3frpHV9yr4sRKQS7/Plu7C4smo1Z0afBzBrDL0UfzNWZQmxj mGs= =jd8H -----END PGP SIGNATURE----- Merge tag 'slab-for-6.18-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab Pull slab fixes from Vlastimil Babka: - Fixes for two bugs that can be triggered when debugging options are enabled (Hao Ge, Vlastimil Babka) * tag 'slab-for-6.18-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab: slab: reset slab->obj_ext when freeing and it is OBJEXTS_ALLOC_FAIL slab: fix clearing freelist in free_deferred_objects()
2026-03-08 04:04:43 +01:00 · 2025-10-18 06:59:25 -10:00 · 2025-10-18 06:59:25 -10:00 · 959f018f97
commit 959f018f97
parent f406055cb1 86f54f9b6c
1 changed files with 12 additions and 4 deletions
--- a/mm/slub.c
+++ b/mm/slub.c
@ -2170,8 +2170,15 @@ static inline void free_slab_obj_exts(struct slab *slab)
 	struct slabobj_ext *obj_exts;

 	obj_exts = slab_obj_exts(slab);
-	if (!obj_exts)
+	if (!obj_exts) {
+		/*
+		 * If obj_exts allocation failed, slab->obj_exts is set to
+		 * OBJEXTS_ALLOC_FAIL. In this case, we end up here and should
+		 * clear the flag.
+		 */
+		slab->obj_exts = 0;
 		return;
+	}

 	/*
 	 * obj_exts was created with __GFP_NO_OBJ_EXT flag, therefore its
@ -6443,15 +6450,16 @@ static void free_deferred_objects(struct irq_work *work)
 		slab = virt_to_slab(x);
 		s = slab->slab_cache;

+		/* Point 'x' back to the beginning of allocated object */
+		x -= s->offset;
+
 		/*
 		 * We used freepointer in 'x' to link 'x' into df->objects.
 		 * Clear it to NULL to avoid false positive detection
 		 * of "Freepointer corruption".
 		 */
-		*(void **)x = NULL;
+		set_freepointer(s, x, NULL);

-		/* Point 'x' back to the beginning of allocated object */
-		x -= s->offset;
 		__slab_free(s, slab, x, x, 1, _THIS_IP_);
 	}