Re: [PATCH] mm: slub: fix dereference invalid pointer in alloc_consistency_checks

[Harry Yoo <harry.yoo@oracle.com>]

On Fri, Jul 25, 2025 at 10:48:54AM +0800, Li Qiong wrote:
> In object_err(), need dereference the 'object' pointer, it may cause
> a invalid pointer fault. Use slab_err() instead.

Hi Li Qiong, this patch makes sense to me.
But I'd suggest to rephrase it a little bit, like:

mm/slab: avoid deref of free pointer in sanity checks if object is invalid

For debugging purposes, object_err() prints free pointer of the object.
However, if check_valid_pointer() returns false for object,
`object + s->offset` is also invalid and dereferncing it can lead to a
crash. Therefore, avoid dereferencing it and only print the object's
address in such cases.

> Signed-off-by: Li Qiong <liqiong@nfschina.com>

Which commit introduced this problem?
A Fixes: tag is needed to determine which -stable versions it should be
backported to.

And to backport MM patches to -stable, you need to explicitly add
'Cc: stable@vger.kernel.org' to the patch.

> ---
>  mm/slub.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index 31e11ef256f9..3a2e57e2e2d7 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1587,7 +1587,7 @@ static inline int alloc_consistency_checks(struct kmem_cache *s,
>  		return 0;
>  
>  	if (!check_valid_pointer(s, slab, object)) {
> -		object_err(s, slab, object, "Freelist Pointer check fails");
> +		slab_err(s, slab, "Freelist Pointer (0x%p) check fails", object);

Can this be
slab_err(s, slab, "Invalid object pointer 0x%p", object);
to align with free_consistency_checks()?

>  		return 0;
>  	}
>  

It might be worth adding a comment in object_err() stating that it should
only be called when check_valid_pointer() returns true for object, and
a WARN_ON_ONCE(!check_valid_pointer(s, slab, object)) to catch incorrect
usages?

-- 
Cheers,
Harry / Hyeonggon