diff --git a/core/mempool.cc b/core/mempool.cc
index d30f924d75..1774bb0e8f 100644
--- a/core/mempool.cc
+++ b/core/mempool.cc
@@ -670,7 +670,7 @@ struct header {
     char fence[16];
     size_t size2;
 };
-static const size_t pad_before = mmu::page_size;
+static const size_t pad_before = 2 * mmu::page_size;
 static const size_t pad_after = mmu::page_size;
 
 void* malloc(size_t size)
@@ -679,15 +679,15 @@ void* malloc(size_t size)
         return std_malloc(size);
     }
 
-    auto hsize = size + sizeof(header);
-    auto asize = align_up(hsize, mmu::page_size);
+    auto asize = align_up(size, mmu::page_size);
     auto padded_size = pad_before + asize + pad_after;
     void* v = free_area.fetch_add(padded_size, std::memory_order_relaxed);
+    mmu::vpopulate(v, mmu::page_size);
+    new (v) header(size);
     v += pad_before;
     mmu::vpopulate(v, asize);
-    auto h = new (v) header(size);
-    memset(v + hsize, '$', asize - hsize);
-    return h + 1;
+    memset(v + size, '$', asize - size);
+    return v;
 }
 
 void free(void* v)
@@ -695,14 +695,14 @@ void free(void* v)
     if (v < debug_base) {
         return std_free(v);
     }
-    auto h = static_cast<header*>(v) - 1;
+    auto h = static_cast<header*>(v - pad_before);
     auto size = h->size;
-    auto hsize = size + sizeof(header);
-    auto asize = align_up(hsize, mmu::page_size);
-    char* vv = reinterpret_cast<char*>(h);
-    assert(std::all_of(vv + hsize, vv  + asize, [=](char c) { return c == '$'; }));
+    auto asize = align_up(size, mmu::page_size);
+    char* vv = reinterpret_cast<char*>(v);
+    assert(std::all_of(vv + size, vv + asize, [=](char c) { return c == '$'; }));
     h->~header();
-    mmu::vdepopulate(h, asize);
+    mmu::vdepopulate(h, mmu::page_size);
+    mmu::vdepopulate(v, asize);
 }
 
 void* realloc(void* v, size_t size)