Index: linux-2.6.17/mm/slab.c
===================================================================
--- linux-2.6.17.orig/mm/slab.c	2006-06-17 18:49:35.000000000 -0700
+++ linux-2.6.17/mm/slab.c	2006-07-26 16:31:04.585093693 -0700
@@ -2571,7 +2571,7 @@ failed:
 	return 0;
 }
 
-#if DEBUG
+#if 1
 
 /*
  * Perform extra freeing checks:
@@ -2602,6 +2602,9 @@ static void *cache_free_debugcheck(struc
 	struct page *page;
 	unsigned int objnr;
 	struct slab *slabp;
+	int i;
+	int entries = 0;
+
 
 	objp -= obj_offset(cachep);
 	kfree_debugcheck(objp);
@@ -2618,70 +2621,16 @@ static void *cache_free_debugcheck(struc
 	}
 	slabp = page_get_slab(page);
 
-	if (cachep->flags & SLAB_RED_ZONE) {
-		if (*dbg_redzone1(cachep, objp) != RED_ACTIVE ||
-				*dbg_redzone2(cachep, objp) != RED_ACTIVE) {
-			slab_error(cachep, "double free, or memory outside"
-						" object was overwritten");
-			printk(KERN_ERR "%p: redzone 1:0x%lx, "
-					"redzone 2:0x%lx.\n",
-			       objp, *dbg_redzone1(cachep, objp),
-			       *dbg_redzone2(cachep, objp));
-		}
-		*dbg_redzone1(cachep, objp) = RED_INACTIVE;
-		*dbg_redzone2(cachep, objp) = RED_INACTIVE;
-	}
-	if (cachep->flags & SLAB_STORE_USER)
-		*dbg_userword(cachep, objp) = caller;
-
 	objnr = obj_to_index(cachep, slabp, objp);
 
 	BUG_ON(objnr >= cachep->num);
 	BUG_ON(objp != index_to_obj(cachep, slabp, objnr));
-
-	if (cachep->flags & SLAB_DEBUG_INITIAL) {
-		/*
-		 * Need to call the slab's constructor so the caller can
-		 * perform a verify of its state (debugging).  Called without
-		 * the cache-lock held.
-		 */
-		cachep->ctor(objp + obj_offset(cachep),
-			     cachep, SLAB_CTOR_CONSTRUCTOR | SLAB_CTOR_VERIFY);
-	}
-	if (cachep->flags & SLAB_POISON && cachep->dtor) {
-		/* we want to cache poison the object,
-		 * call the destruction callback
-		 */
-		cachep->dtor(objp + obj_offset(cachep), cachep, 0);
-	}
-#ifdef CONFIG_DEBUG_SLAB_LEAK
-	slab_bufctl(slabp)[objnr] = BUFCTL_FREE;
-#endif
-	if (cachep->flags & SLAB_POISON) {
-#ifdef CONFIG_DEBUG_PAGEALLOC
-		if ((cachep->buffer_size % PAGE_SIZE)==0 && OFF_SLAB(cachep)) {
-			store_stackinfo(cachep, objp, (unsigned long)caller);
-			kernel_map_pages(virt_to_page(objp),
-					 cachep->buffer_size / PAGE_SIZE, 0);
-		} else {
-			poison_obj(cachep, objp, POISON_FREE);
-		}
-#else
-		poison_obj(cachep, objp, POISON_FREE);
-#endif
-	}
-	return objp;
-}
-
-static void check_slabp(struct kmem_cache *cachep, struct slab *slabp)
-{
-	kmem_bufctl_t i;
-	int entries = 0;
-
+	spin_lock(&cachep->nodelists[slabp->nodeid]->list_lock);
 	/* Check slab's freelist to see if this obj is there. */
 	for (i = slabp->free; i != BUFCTL_END; i = slab_bufctl(slabp)[i]) {
 		entries++;
-		if (entries > cachep->num || i >= cachep->num)
+		if (entries > cachep->num || i >= cachep->num ||
+			objp == index_to_obj(cachep, slabp, i))
 			goto bad;
 	}
 	if (entries != cachep->num - slabp->inuse) {
@@ -2699,7 +2648,10 @@ bad:
 		printk("\n");
 		BUG();
 	}
+	spin_unlock(&cachep->nodelists[slabp->nodeid]->list_lock);
+	return objp;
 }
+#define check_slabp(x,y) do { } while(0)
 #else
 #define kfree_debugcheck(x) do { } while(0)
 #define cache_free_debugcheck(x,objp,z) (objp)