[PATCH] mm/kasan: Fix null pointer dereference warning in qlink_to_cache()

[PATCH] mm/kasan: Fix null pointer dereference warning in qlink_to_cache()

[Gautam Menghani]

The function virt_to_slab() declared in slab.h can return NULL if the
address does not belong to a slab. This case is not handled in the
function qlink_to_cache() in the file quarantine.c, which can cause a
NULL pointer dereference in "virt_to_slab(qlink)->slab_cache". 
This issue was discovered by fanalyzer (my gcc version: 12.1.1 20220507)

Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
---
 mm/kasan/quarantine.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mm/kasan/quarantine.c b/mm/kasan/quarantine.c
index 75585077eb6d..c7554f5b9fb6 100644
--- a/mm/kasan/quarantine.c
+++ b/mm/kasan/quarantine.c
@@ -128,7 +128,13 @@ static unsigned long quarantine_batch_size;
 
 static struct kmem_cache *qlink_to_cache(struct qlist_node *qlink)
 {
-	return virt_to_slab(qlink)->slab_cache;
+	struct slab *folio_slab = virt_to_slab(qlink);
+
+	if (!folio_slab) {
+		pr_warn("The address %p does not belong to a slab", qlink);
+		return NULL;
+	}
+	return folio_slab->slab_cache;
 }
 
 static void *qlink_to_object(struct qlist_node *qlink, struct kmem_cache *cache)
-- 
2.36.1

Re: [PATCH] mm/kasan: Fix null pointer dereference warning in qlink_to_cache()

[Andrey Ryabinin]

On 6/26/22 20:03, Gautam Menghani wrote:
> The function virt_to_slab() declared in slab.h can return NULL if the
> address does not belong to a slab. This case is not handled in the
> function qlink_to_cache() in the file quarantine.c, which can cause a
> NULL pointer dereference in "virt_to_slab(qlink)->slab_cache". 

qlink is always slab address, so I don't think this patch makes sense.
NAK.