From: Li Qiong
To: Christoph Lameter, David Rientjes, Andrew Morton, Vlastimil Babka
Cc: Roman Gushchin, Harry Yoo, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Li Qiong
Subject: [PATCH v6] mm/slub: avoid accessing metadata when pointer is invalid in object_err()
Date: Mon, 4 Aug 2025 10:57:59 +0800
Message-Id: <20250804025759.382343-1-liqiong@nfschina.com>

object_err() reports details of an object for further debugging, such as the freelist pointer, redzone, etc. However, if the pointer is invalid, attempting to access object metadata can lead to a crash since it does not point to a valid object.

In case the pointer is NULL or check_valid_pointer() returns false for the pointer, only print the pointer value and skip accessing metadata.

Fixes: 81819f0fc828 ("SLUB core")
Cc:
Signed-off-by: Li Qiong
Reviewed-by: Harry Yoo
Reviewed-by: Matthew Wilcox (Oracle)
---
v2:
- rephrase the commit message, add comment for object_err().
v3:
- check object pointer in object_err().
v4:
- restore changes in alloc_consistency_checks().
v5:
- rephrase message, fix code style.
v6:
- add checking 'object' if NULL.
---
 mm/slub.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/mm/slub.c b/mm/slub.c index 31e11ef256f9..972cf2bb2ee6 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1104,7 +1104,12 @@ static void object_err(struct kmem_cache *s, struct = slab *slab, return; =20 slab_bug(s, reason); - print_trailer(s, slab, object); + if (!object || !check_valid_pointer(s, slab, object)) { + print_slab_info(slab); + pr_err("Invalid pointer 0x%p\n", object); + } else { + print_trailer(s, slab, object); + } add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); =20 WARN_ON(1); --=20 2.30.2
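Review bot: the new `if (!object || !check_valid_pointer(s, slab, object))` branch in object_err() carries no comment, although the v2 changelog mentions adding one for object_err(). A short comment above the `if` would help later readers: say why `!object` is tested separately from check_valid_pointer(), and that print_trailer() is skipped because it reads object metadata that cannot be trusted when the pointer does not refer to a valid object in this slab. A second, smaller point on the `pr_err("Invalid pointer 0x%p\n", object)` line: plain `%p` is hashed by default in printk, so it is worth confirming that the value printed here is what the commit message means by "only print the pointer value" in the configurations where this path runs, and saying so in the commit message if it is.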