Date: Fri, 25 Jul 2025 20:22:05 +0100
From: Matthew Wilcox
To: Vlastimil Babka
Cc: Li Qiong, Christoph Lameter, David Rientjes, Andrew Morton, Roman Gushchin, Harry Yoo, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2] mm: slub: avoid deref of free pointer in sanity checks if object is invalid
Message-ID:
References: <20250725064919.1785537-1-liqiong@nfschina.com> <996a7622-219f-4e05-96ce-96bbc70068b0@suse.cz>
In-Reply-To:
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 25, 2025 at 06:10:51PM +0100, Matthew Wilcox wrote:
> On Fri, Jul 25, 2025 at 06:47:01PM +0200, Vlastimil Babka wrote:
> > On 7/25/25 08:49, Li Qiong wrote:
> > > For debugging, object_err() prints the free pointer of the object.
> > > However, if check_valid_pointer() returns false for an object,
> > > dereferencing `object + s->offset` can lead to a crash. Therefore,
> > > print the object's address in such cases.
>
> I don't know where this patch came from (was it cc'd to linux-mm? I
> don't see it)

I've spent some more time thinking about this and I now believe that
there are several calls to object_err() that can be passed a bad pointer:

freelist_corrupted()
check_object()
on_freelist()
alloc_consistency_checks()
free_consistency_checks()

so I think this line of attack is inappropriate. Instead, I think we
need to make object_err() resilient against wild pointers. Specifically,
avoid doing risky things in print_trailer() if object is not within
slab.
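To illustrate the failure mode and the "make the reporter resilient" approach discussed in this thread, here is an added userspace C model; it is not kernel code and not part of the patch. `struct slab_model`, `model_valid_pointer()`, `model_object_err()` and `model_demo()` are constructed names standing in for a slab, check_valid_pointer() and object_err(); the free pointer lives at `object + offset`, and it is read only after the object has been shown to lie inside the slab.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed slab model: `objects` slots of `size` bytes at `base`, with
 * the free pointer stored at `offset` inside each object. */
struct slab_model { uint8_t *base; size_t objects, size, offset; };

/* Validity test in the spirit of check_valid_pointer(): inside the slab
 * and on an object boundary. */
static int model_valid_pointer(const struct slab_model *s, const void *object)
{
    uintptr_t start = (uintptr_t)s->base, obj = (uintptr_t)object;
    if (obj < start || obj >= start + s->objects * s->size)
        return 0;
    return (obj - start) % s->size == 0;
}

/* Error reporter that survives a wild pointer: the free pointer is read
 * only after the validity test passes, otherwise only the bare address
 * is reported. Returns 1 if *fp was read, 0 if it fell back (*fp NULL). */
static int model_object_err(const struct slab_model *s, const void *object,
                            void **fp)
{
    *fp = NULL;
    if (!model_valid_pointer(s, object)) {
        fprintf(stderr, "object %p is not within the slab\n", object);
        return 0;
    }
    memcpy(fp, (const uint8_t *)object + s->offset, sizeof *fp);
    fprintf(stderr, "object %p, free pointer %p\n", object, *fp);
    return 1;
}

/* Self-check on a constructed 4-object slab (32-byte slots, offset 16);
 * returns how many of the three cases behaved as expected. */
static int model_demo(void)
{
    static uint8_t storage[4 * 32];
    struct slab_model s = { storage, 4, 32, 16 };
    void *fp, *next = storage + 2 * 32;
    int ok = 0;
    memcpy(storage + 32 + s.offset, &next, sizeof next); /* obj 1 -> obj 2 */
    ok += model_object_err(&s, storage + 32, &fp) == 1 && fp == next;
    ok += model_object_err(&s, storage + 33, &fp) == 0;   /* misaligned */
    ok += model_object_err(&s, (void *)(uintptr_t)0x10, &fp) == 0; /* wild */
    return ok;
}
```

The misaligned and wild cases are exactly the ones where an unconditional read of `object + offset` in the reporter would fault instead of producing a diagnostic.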