On Fri, Jul 25, 2025 at 06:10:51PM +0100, Matthew Wilcox wrote:
On Fri, Jul 25, 2025 at 06:47:01PM +0200, Vlastimil Babka wrote:
On 7/25/25 08:49, Li Qiong wrote:
For debugging, object_err() prints the free pointer of the object. However, if check_valid_pointer() returns false for an object, dereferencing `object + s->offset` can lead to a crash. Therefore, print the object's address in such cases.
I don't know where this patch came from (was it cc'd to linux-mm? I don't see it).
I've spent some more time thinking about this and I now believe that there are several calls to object_err() that can be passed a bad pointer:
  freelist_corrupted()
  check_object()
  on_freelist()
  alloc_consistency_checks()
  free_consistency_checks()
so I think this line of attack is inappropriate. Instead, I think we need to make object_err() resilient against wild pointers. Specifically, avoid doing risky things in print_trailer() if object is not within slab.
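Added example, not code from this thread or from the kernel: a userspace model of the "is this pointer inside the slab" check and of an object_err() that reads `object + s->offset` only after that check passes, reporting just the address otherwise. The names slab_model, model_valid_pointer and model_object_err are assumptions chosen for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of a SLUB-style slab (hypothetical layout, not kernel code). */
struct slab_model {
    char *base;           /* first object in the slab */
    size_t size;          /* stride between objects (s->size) */
    unsigned int objects; /* number of objects in the slab */
    size_t offset;        /* free-pointer offset inside an object (s->offset) */
};

/* Mirrors the intent of check_valid_pointer(): the pointer must lie inside the
 * slab and sit exactly on an object boundary. Compared as integers so that a
 * wild pointer never has to be dereferenced or treated as a C pointer. */
int model_valid_pointer(const struct slab_model *s, const void *object)
{
    uintptr_t p = (uintptr_t)object, lo = (uintptr_t)s->base;
    uintptr_t hi = lo + (uintptr_t)s->objects * s->size;
    if (p < lo || p >= hi)
        return 0;
    return ((p - lo) % s->size) == 0;
}

/* Resilient object_err(): reads object + offset only after the pointer is known
 * to be inside the slab; otherwise it reports the bare address. Returns 1 if
 * the free pointer was read, 0 if only the address was reported. */
int model_object_err(const struct slab_model *s, const void *object, char *out, size_t outlen)
{
    void *fp;
    if (!model_valid_pointer(s, object)) {
        snprintf(out, outlen, "object %p is not within slab", object);
        return 0;
    }
    memcpy(&fp, (const char *)object + s->offset, sizeof fp);
    snprintf(out, outlen, "object %p fp=%p", object, fp);
    return 1;
}

int main(void)
{
    /* Constructed sample: 4 objects of 32 bytes, free pointer at offset 16. */
    char page[4 * 32] = {0};
    struct slab_model s = { page, 32, 4, 16 };
    void *next = page + 32;
    char buf[128];
    memcpy(page + 16, &next, sizeof next);           /* object 0 -> object 1 */
    model_object_err(&s, page, buf, sizeof buf);     puts(buf);
    model_object_err(&s, page + 7, buf, sizeof buf); puts(buf); /* misaligned */
    return 0;
}
```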