On 8/4/25 04:57, Li Qiong wrote:
object_err() reports details of an object for further debugging, such as the freelist pointer, redzone, etc. However, if the pointer is invalid, attempting to access object metadata can lead to a crash since it does not point to a valid object.
In case the pointer is NULL or check_valid_pointer() returns false for the pointer, only print the pointer value and skip accessing metadata.
We should explain that this is not theoretical to justify the stable cc, so I would add:
One known path to the crash is when alloc_consistency_checks() determines the pointer to the allocated object is invalid because of a freelist corruption, and calls object_err() to report it. The debug code should report and handle the corruption gracefully and not crash in the process.
If you agree, I can do this when picking up the patch after merge window, no need to resend.
Fixes: 81819f0fc828 ("SLUB core")
Cc: stable@vger.kernel.org
Signed-off-by: Li Qiong <liqiong@nfschina.com>
v2:
- rephrase the commit message, add comment for object_err().
v3:
- check object pointer in object_err().
v4:
- restore changes in alloc_consistency_checks().
v5:
- rephrase message, fix code style.
v6:
- add checking 'object' if NULL.
mm/slub.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/mm/slub.c b/mm/slub.c index 31e11ef256f9..972cf2bb2ee6 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1104,7 +1104,12 @@ static void object_err(struct kmem_cache *s, struct slab *slab, return; slab_bug(s, reason);
- print_trailer(s, slab, object);
- if (!object || !check_valid_pointer(s, slab, object)) {
print_slab_info(slab);
pr_err("Invalid pointer 0x%p\n", object);
- } else {
print_trailer(s, slab, object);
- } add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
WARN_ON(1);
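Review bot: The commit message says that for a NULL or invalid pointer object_err() will "only print the pointer value", but the new branch in the hunk first calls print_slab_info(slab) and then pr_err("Invalid pointer 0x%p\n", object); suggest wording the description as "print the slab info and the pointer value, and skip the object metadata (print_trailer())" so it matches the code. Keeping add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE) and WARN_ON(1) after both branches is correct: a corrupted freelist should still taint the kernel and leave a backtrace even when the object metadata cannot be dumped.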