public inbox for linux-kernel@vger.kernel.org
* [PATCH] lockdep: fix NULL pointer dereference in __lock_set_class()
@ 2026-04-16  8:54 Xiang Gao
  2026-04-16 15:04 ` Waiman Long
  2026-04-16 15:20 ` Dmitry Ilvokhin
  0 siblings, 2 replies; 3+ messages in thread
From: Xiang Gao @ 2026-04-16  8:54 UTC (permalink / raw)
  To: peterz, mingo, will, boqun; +Cc: longman, linux-kernel, Xiang Gao

From: Xiang Gao <gaoxiang17@xiaomi.com>

register_lock_class() can return NULL on failure (e.g., exceeding
MAX_LOCKDEP_KEYS or lock_keys_in_use overflow). __lock_set_class()
uses the return value directly in pointer arithmetic without a NULL
check:

  class = register_lock_class(lock, subclass, 0);
  hlock->class_idx = class - lock_classes;

If class is NULL, this computes a garbage negative offset that corrupts
hlock->class_idx (a bitfield). Any subsequent hlock_class() call on
this hlock returns a garbage pointer, leading to memory corruption or
a crash.

The other call site in __lock_acquire() (line 5112) already handles
this correctly with an explicit NULL check. Add the same guard here.

Signed-off-by: Xiang Gao <gaoxiang17@xiaomi.com>
---
 kernel/locking/lockdep.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
index 2d4c5bab5af8..e0de81114824 100644
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -5437,6 +5437,8 @@ __lock_set_class(struct lockdep_map *lock, const char *name,
 			      lock->wait_type_outer,
 			      lock->lock_type);
 	class = register_lock_class(lock, subclass, 0);
+	if (!class)
+		return 0;
 	hlock->class_idx = class - lock_classes;
 
 	curr->lockdep_depth = i;
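Review bot: the subject line says "NULL pointer dereference", but, as the changelog itself explains, `class - lock_classes` with a NULL class dereferences nothing; it produces a bogus index that is stored into the class_idx bitfield and only consumed later by hlock_class(). A subject along the lines of "lockdep: guard against register_lock_class() failure in __lock_set_class()" would match the body. Two smaller points on the hunk and changelog: the early `return 0;` sits after lockdep_init_map_type() has already reinitialised the map (visible in the context above), so the held lock keeps its previous class_idx while the map carries the new name/key; a sentence in the changelog on why that intermediate state is acceptable when register_lock_class() fails would save the next reader the same question. And "(line 5112)" in the changelog will drift with every edit to the file; referring to the call site by its function context in __lock_acquire() is more durable.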
-- 
2.34.1
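As an added illustration of the failure mode the changelog describes (this is not part of the patch or of lockdep itself): stand-in versions of lock_classes, held_lock and hlock_class() model what `class - lock_classes` stores into the class_idx bitfield when class is NULL, for a constructed table address. The bitfield width of 13 bits, the element size, the two table addresses and the number of registered classes are all assumptions chosen so the result is reproducible; depending on the address, the truncated index either falls outside the registered classes or silently aliases a live one.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for lockdep's structures; MAX_LOCKDEP_KEYS_BITS is assumed to be 13. */
#define MAX_LOCKDEP_KEYS_BITS 13
#define MAX_LOCKDEP_KEYS (1UL << MAX_LOCKDEP_KEYS_BITS)
#define DEMO_CLASSES_IN_USE 4	/* constructed: only the first four slots are registered */

struct lock_class { const char *name; };
struct held_lock { unsigned int class_idx : MAX_LOCKDEP_KEYS_BITS; };

static struct lock_class lock_classes[MAX_LOCKDEP_KEYS];
static unsigned char lock_classes_in_use[MAX_LOCKDEP_KEYS];
static struct held_lock demo_hlock;

static void demo_init(void)
{
	for (unsigned int i = 0; i < DEMO_CLASSES_IN_USE; i++)
		lock_classes_in_use[i] = 1;
}

/* Models `hlock->class_idx = class - lock_classes` with class == NULL for a
 * table living at table_addr: the byte distance 0 - table_addr is divided by
 * the element size, then the assignment keeps only the bitfield's low 13 bits. */
static unsigned int garbage_class_idx(uint64_t table_addr)
{
	int64_t byte_diff = (int64_t)(0 - table_addr);
	int64_t off = byte_diff / (int64_t)sizeof(struct lock_class);
	return (unsigned int)off & (MAX_LOCKDEP_KEYS - 1);
}

/* Mirrors hlock_class(): an index that is not marked in use is garbage. */
static struct lock_class *hlock_class(const struct held_lock *hlock)
{
	if (!lock_classes_in_use[hlock->class_idx])
		return NULL;
	return &lock_classes[hlock->class_idx];
}

/* The patched sequence: a NULL class leaves class_idx untouched and fails the call. */
static int set_class_guarded(struct held_lock *hlock, struct lock_class *class)
{
	if (!class)
		return 0;
	hlock->class_idx = (unsigned int)(class - lock_classes);
	return 1;
}
```

The second constructed address lands on an in-use slot, which is the quieter and more dangerous outcome: hlock_class() hands back a real but unrelated class instead of warning.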



* Re: [PATCH] lockdep: fix NULL pointer dereference in __lock_set_class()
  2026-04-16  8:54 [PATCH] lockdep: fix NULL pointer dereference in __lock_set_class() Xiang Gao
@ 2026-04-16 15:04 ` Waiman Long
  2026-04-16 15:20 ` Dmitry Ilvokhin
  1 sibling, 0 replies; 3+ messages in thread
From: Waiman Long @ 2026-04-16 15:04 UTC (permalink / raw)
  To: Xiang Gao, peterz, mingo, will, boqun; +Cc: linux-kernel, Xiang Gao


On 4/16/26 4:54 AM, Xiang Gao wrote:
> From: Xiang Gao <gaoxiang17@xiaomi.com>
>
> register_lock_class() can return NULL on failure (e.g., exceeding
> MAX_LOCKDEP_KEYS or lock_keys_in_use overflow). __lock_set_class()
> uses the return value directly in pointer arithmetic without a NULL
> check:
>
>    class = register_lock_class(lock, subclass, 0);
>    hlock->class_idx = class - lock_classes;
>
> If class is NULL, this computes a garbage negative offset that corrupts
> hlock->class_idx (a bitfield). Any subsequent hlock_class() call on
> this hlock returns a garbage pointer, leading to memory corruption or
> a crash.
>
> The other call site in __lock_acquire() (line 5112) already handles
> this correctly with an explicit NULL check. Add the same guard here.
>
> Signed-off-by: Xiang Gao <gaoxiang17@xiaomi.com>
> ---
>   kernel/locking/lockdep.c | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
> index 2d4c5bab5af8..e0de81114824 100644
> --- a/kernel/locking/lockdep.c
> +++ b/kernel/locking/lockdep.c
> @@ -5437,6 +5437,8 @@ __lock_set_class(struct lockdep_map *lock, const char *name,
>   			      lock->wait_type_outer,
>   			      lock->lock_type);
>   	class = register_lock_class(lock, subclass, 0);
> +	if (!class)
> +		return 0;
>   	hlock->class_idx = class - lock_classes;
>   
>   	curr->lockdep_depth = i;

LGTM, maybe you can add "Fixes: 64aa348edc61 ("lockdep: lock_set_subclass - reset a held lock's subclass")"

Reviewed-by: Waiman Long <longman@redhat.com>




* Re: [PATCH] lockdep: fix NULL pointer dereference in __lock_set_class()
  2026-04-16  8:54 [PATCH] lockdep: fix NULL pointer dereference in __lock_set_class() Xiang Gao
  2026-04-16 15:04 ` Waiman Long
@ 2026-04-16 15:20 ` Dmitry Ilvokhin
  1 sibling, 0 replies; 3+ messages in thread
From: Dmitry Ilvokhin @ 2026-04-16 15:20 UTC (permalink / raw)
  To: Xiang Gao; +Cc: peterz, mingo, will, boqun, longman, linux-kernel, Xiang Gao

On Thu, Apr 16, 2026 at 04:54:43PM +0800, Xiang Gao wrote:
> From: Xiang Gao <gaoxiang17@xiaomi.com>
> 
> register_lock_class() can return NULL on failure (e.g., exceeding
> MAX_LOCKDEP_KEYS or lock_keys_in_use overflow). __lock_set_class()
> uses the return value directly in pointer arithmetic without a NULL
> check:
> 
>   class = register_lock_class(lock, subclass, 0);
>   hlock->class_idx = class - lock_classes;
> 
> If class is NULL, this computes a garbage negative offset that corrupts
> hlock->class_idx (a bitfield). Any subsequent hlock_class() call on
> this hlock returns a garbage pointer, leading to memory corruption or
> a crash.
> 
> The other call site in __lock_acquire() (line 5112) already handles
> this correctly with an explicit NULL check. Add the same guard here.
> 
> Signed-off-by: Xiang Gao <gaoxiang17@xiaomi.com>

Reviewed-by: Dmitry Ilvokhin <d@ilvokhin.com>

