Box TLS-SLL + free boundary hardening: normalize C0–C6 to base (ptr-1) at free boundary; route all caches/freelists via base; replace remaining g_tls_sll_head direct writes with Box API (tls_sll_push/splice) in refill/magazine/ultra; keep C7 excluded. Fixes rbp=0xa0 free crash by preventing header overwrite and centralizing TLS-SLL invariants.

core/hakmem_tiny_fastcache.inc.h

@@ -87,6 +87,10 @@ static inline __attribute__((always_inline)) void* tiny_fast_pop(int class_idx)
     } else {
         g_fast_count[class_idx] = 0;
     }
+    // Headerless class (1KB): clear embedded next pointer before returning to user
+    if (__builtin_expect(class_idx == 7, 0)) {
+        *(void**)head = NULL;
+    }
     return head;
 }