object_err() reports details of an object for further debugging, such as the freelist pointer, redzone, etc. However, if the pointer is invalid, attempting to access object metadata can lead to a crash since it does not point to a valid object.
In case check_valid_pointer() returns false for the pointer, only print the pointer value and skip accessing metadata.
Fixes: 81819f0fc828 ("SLUB core")
Cc: stable@vger.kernel.org
Signed-off-by: Li Qiong liqiong@nfschina.com
---
v2:
- rephrase the commit message, add comment for object_err().
v3:
- check object pointer in object_err().
v4:
- restore changes in alloc_consistency_checks().
v5:
- rephrase message, fix code style.
---
 mm/slub.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/mm/slub.c b/mm/slub.c index 31e11ef256f9..b3eff1476c85 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1104,7 +1104,12 @@ static void object_err(struct kmem_cache *s, struct slab *slab, return;
slab_bug(s, reason); - print_trailer(s, slab, object); + if (!check_valid_pointer(s, slab, object)) { + print_slab_info(slab); + pr_err("Invalid pointer 0x%p\n", object); + } else { + print_trailer(s, slab, object); + } add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
WARN_ON(1);
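Review bot: the new guard in object_err() still lets a NULL object reach print_trailer(), because check_valid_pointer() treats object == NULL as valid and returns true for it, so the metadata access this patch sets out to avoid is still reachable on that path; write the test as `if (!object || !check_valid_pointer(s, slab, object)) {` so the NULL case also takes the print_slab_info()/pr_err() branch.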
On Mon, Aug 04, 2025 at 09:46:25AM +0800, Li Qiong wrote:
object_err() reports details of an object for further debugging, such as the freelist pointer, redzone, etc. However, if the pointer is invalid, attempting to access object metadata can lead to a crash since it does not point to a valid object.
In case check_valid_pointer() returns false for the pointer, only print the pointer value and skip accessing metadata.
Fixes: 81819f0fc828 ("SLUB core")
Cc: stable@vger.kernel.org
Signed-off-by: Li Qiong liqiong@nfschina.com
v2:
- rephrase the commit message, add comment for object_err().
v3:
- check object pointer in object_err().
v4:
- restore changes in alloc_consistency_checks().
v5:
- rephrase message, fix code style.
Looks good to me,

Reviewed-by: Harry Yoo harry.yoo@oracle.com
On Mon, Aug 04, 2025 at 11:25:23AM +0900, Harry Yoo wrote:
On Mon, Aug 04, 2025 at 09:46:25AM +0800, Li Qiong wrote:
object_err() reports details of an object for further debugging, such as the freelist pointer, redzone, etc. However, if the pointer is invalid, attempting to access object metadata can lead to a crash since it does not point to a valid object.
In case check_valid_pointer() returns false for the pointer, only print the pointer value and skip accessing metadata.
Fixes: 81819f0fc828 ("SLUB core")
Cc: stable@vger.kernel.org
Signed-off-by: Li Qiong liqiong@nfschina.com
v2:
- rephrase the commit message, add comment for object_err().
v3:
- check object pointer in object_err().
v4:
- restore changes in alloc_consistency_checks().
v5:
- rephrase message, fix code style.
Looks good to me,

Reviewed-by: Harry Yoo harry.yoo@oracle.com

--
Cheers,
Harry / Hyeonggon

 mm/slub.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/mm/slub.c b/mm/slub.c index 31e11ef256f9..b3eff1476c85 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1104,7 +1104,12 @@ static void object_err(struct kmem_cache *s, struct slab *slab, return; slab_bug(s, reason);
- print_trailer(s, slab, object);
- if (!check_valid_pointer(s, slab, object)) {
Wait, hold on. check_valid_pointer() returns true when object == NULL. The condition should be (!object || !check_valid_pointer())?
print_slab_info(slab);
pr_err("Invalid pointer 0x%p\n", object);
- } else {
print_trailer(s, slab, object);
- } add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
WARN_ON(1); -- 2.30.2
On 2025/8/4 10:35, Harry Yoo wrote:
On Mon, Aug 04, 2025 at 11:25:23AM +0900, Harry Yoo wrote:
On Mon, Aug 04, 2025 at 09:46:25AM +0800, Li Qiong wrote:
object_err() reports details of an object for further debugging, such as the freelist pointer, redzone, etc. However, if the pointer is invalid, attempting to access object metadata can lead to a crash since it does not point to a valid object.
In case check_valid_pointer() returns false for the pointer, only print the pointer value and skip accessing metadata.
Fixes: 81819f0fc828 ("SLUB core")
Cc: stable@vger.kernel.org
Signed-off-by: Li Qiong liqiong@nfschina.com
v2:
- rephrase the commit message, add comment for object_err().
v3:
- check object pointer in object_err().
v4:
- restore changes in alloc_consistency_checks().
v5:
- rephrase message, fix code style.
Looks good to me,

Reviewed-by: Harry Yoo harry.yoo@oracle.com

--
Cheers,
Harry / Hyeonggon

 mm/slub.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/mm/slub.c b/mm/slub.c index 31e11ef256f9..b3eff1476c85 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1104,7 +1104,12 @@ static void object_err(struct kmem_cache *s, struct slab *slab, return; slab_bug(s, reason);
- print_trailer(s, slab, object);
- if (!check_valid_pointer(s, slab, object)) {
Wait, hold on. check_valid_pointer() returns true when object == NULL. The condition should be (!object || !check_valid_pointer())?
You're right, I ignored this situation.
print_slab_info(slab);
pr_err("Invalid pointer 0x%p\n", object);
- } else {
print_trailer(s, slab, object);
- } add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
WARN_ON(1); -- 2.30.2
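The NULL case raised in the thread above, as an added user-space model that is not kernel code and not part of any message in this thread: a simplified check_valid_pointer() that, like the kernel's, accepts a NULL object and otherwise requires the pointer to lie inside the slab on an object boundary, placed next to the v5 guard and the `!object ||` guard so the difference in which report path NULL takes is visible. The struct names, the 4-object slab of 64-byte objects, and the omission of the kernel's red-zone and KASAN tag adjustments are assumptions made for this example.

```c
/*
 * Added example, not from mm/slub.c: a user-space model of the pointer
 * check object_err() relies on, to show why "!check_valid_pointer()" alone
 * misses object == NULL. Struct layout and slab geometry are assumptions.
 */
#include <stddef.h>
#include <stdio.h>

struct model_cache { size_t size; };                 /* stand-in for kmem_cache::size */
struct model_slab  { unsigned char *base; unsigned objects; }; /* stand-in for struct slab */

/* Mirrors the kernel rule quoted in the thread: NULL is reported as valid;
 * any other pointer must be inside the slab and on an object boundary.
 * (The kernel also strips KASAN tags and left red-zone padding; omitted.) */
static int model_check_valid_pointer(const struct model_cache *s,
                                     const struct model_slab *slab,
                                     const void *object)
{
    const unsigned char *p = object;

    if (!object)
        return 1;
    if (p < slab->base || p >= slab->base + (size_t)slab->objects * s->size)
        return 0;
    if ((size_t)(p - slab->base) % s->size)
        return 0;
    return 1;
}

enum report_path { REPORT_TRAILER, REPORT_POINTER_ONLY };

/* Guard as written in v5 of the patch: only check_valid_pointer(). */
static enum report_path report_path_v5(const struct model_cache *s,
                                       const struct model_slab *slab,
                                       const void *object)
{
    if (!model_check_valid_pointer(s, slab, object))
        return REPORT_POINTER_ONLY;
    return REPORT_TRAILER;          /* would dereference object metadata */
}

/* Guard with the explicit NULL test suggested in the review. */
static enum report_path report_path_fixed(const struct model_cache *s,
                                          const struct model_slab *slab,
                                          const void *object)
{
    if (!object || !model_check_valid_pointer(s, slab, object))
        return REPORT_POINTER_ONLY;
    return REPORT_TRAILER;
}

/* Constructed slab: 4 objects of 64 bytes backed by a static buffer. */
static unsigned char model_backing[4 * 64];
static const struct model_cache model_s = { 64 };
static const struct model_slab  model_slab_inst = { model_backing, 4 };

/* 1 if the pointer would reach print_trailer() (metadata access), 0 if it
 * takes the pointer-only report path. */
int v5_dereferences(const void *object)
{
    return report_path_v5(&model_s, &model_slab_inst, object) == REPORT_TRAILER;
}

int fixed_dereferences(const void *object)
{
    return report_path_fixed(&model_s, &model_slab_inst, object) == REPORT_TRAILER;
}

/* Sample pointers into the constructed slab. */
const void *valid_object(void)       { return model_backing + 2 * 64; }
const void *misaligned_object(void)  { return model_backing + 2 * 64 + 8; }
const void *out_of_slab_object(void) { return model_backing + sizeof(model_backing); }

int main(void)
{
    const char *path[] = { "print_trailer", "pointer only" };

    printf("NULL:         v5 -> %s, fixed -> %s\n",
           path[!v5_dereferences(NULL)], path[!fixed_dereferences(NULL)]);
    printf("valid:        v5 -> %s, fixed -> %s\n",
           path[!v5_dereferences(valid_object())], path[!fixed_dereferences(valid_object())]);
    printf("misaligned:   v5 -> %s, fixed -> %s\n",
           path[!v5_dereferences(misaligned_object())], path[!fixed_dereferences(misaligned_object())]);
    printf("out of slab:  v5 -> %s, fixed -> %s\n",
           path[!v5_dereferences(out_of_slab_object())], path[!fixed_dereferences(out_of_slab_object())]);
    return 0;
}
```

Run stand-alone it prints which report path each pointer takes. Both guards already send misaligned and out-of-slab pointers to the pointer-only path; only the `!object ||` form does the same for NULL, which the v5 guard passes straight through to the metadata-reading path.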
linux-stable-mirror@lists.linaro.org