stable.vger.kernel.org archive mirror
* [PATCH v6] mm/slub: avoid accessing metadata when pointer is invalid in object_err()
From: Li Qiong @ 2025-08-04  2:57 UTC
  To: Christoph Lameter, David Rientjes, Andrew Morton, Vlastimil Babka
  Cc: Roman Gushchin, Harry Yoo, linux-mm, linux-kernel, stable,
	Li Qiong

object_err() reports details of an object for further debugging, such as
the freelist pointer, redzone, etc. However, if the pointer is invalid,
attempting to access object metadata can lead to a crash since it does
not point to a valid object.

In case the pointer is NULL or check_valid_pointer() returns false for
the pointer, only print the pointer value and skip accessing metadata.

Fixes: 81819f0fc828 ("SLUB core")
Cc: <stable@vger.kernel.org>
Signed-off-by: Li Qiong <liqiong@nfschina.com>
---
v2:
- rephrase the commit message, add comment for object_err().
v3:
- check object pointer in object_err().
v4:
- restore changes in alloc_consistency_checks().
v5:
- rephrase message, fix code style.
v6:
- add checking 'object' if NULL.
---
 mm/slub.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/mm/slub.c b/mm/slub.c
index 31e11ef256f9..972cf2bb2ee6 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1104,7 +1104,12 @@ static void object_err(struct kmem_cache *s, struct slab *slab,
 		return;
 
 	slab_bug(s, reason);
-	print_trailer(s, slab, object);
+	if (!object || !check_valid_pointer(s, slab, object)) {
+		print_slab_info(slab);
+		pr_err("Invalid pointer 0x%p\n", object);
+	} else {
+		print_trailer(s, slab, object);
+	}
 	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
 
 	WARN_ON(1);
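Review bot: the new branch at `+	if (!object || !check_valid_pointer(s, slab, object)) {` deserves a one-line comment recording why print_trailer() is skipped there; the v2 changelog says a comment was added for object_err(), but nothing in the hunk states the reason, which is that print_trailer() reads metadata at the object address and would itself fault on a corrupted pointer. A line such as `/* object may be garbage (e.g. a corrupted freelist link): do not touch its metadata */` above the `if` would make the intent survive future refactoring. Also, `pr_err("Invalid pointer 0x%p\n", object)` prints the bad pointer with `%p`, which the kernel hashes by default, so the report identifies the pointer only up to that hashing; that is the right choice here, since `%px` would put raw kernel addresses into logs that are often world-readable, and it is worth keeping in mind when reading the resulting reports.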
-- 
2.30.2
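The behaviour the commit message describes, as an added example in C that is not part of the patch or of the kernel: a constructed toy slab, a `toy_check_valid_pointer()` that models only the bounds-and-alignment test a real check_valid_pointer() performs, and a `toy_object_err()` that, like the patched function, prints just the pointer value when that test fails instead of reading the object's metadata. All `toy_*` names, the slab layout and the `0xdeadbeef` corrupt freelist link are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not kernel code): a toy slab and a debug reporter
 * shaped like object_err() after the patch. toy_check_valid_pointer() only
 * models the bounds-and-alignment test a real check_valid_pointer() performs.
 */
#define TOY_OBJ_SIZE      64u   /* object stride; the freelist link lives at offset 0 */
#define TOY_OBJS_PER_SLAB 8u

struct toy_cache { const char *name; size_t size; };
struct toy_slab  { unsigned char *base; unsigned int objects; };

enum report_path { REPORT_TRAILER = 0, REPORT_INVALID = 1 };

static bool toy_check_valid_pointer(const struct toy_cache *s,
                                    const struct toy_slab *slab,
                                    const void *object)
{
    uintptr_t base = (uintptr_t)slab->base;
    uintptr_t end  = base + (uintptr_t)slab->objects * s->size;
    uintptr_t p    = (uintptr_t)object;

    if (p < base || p >= end)            /* not inside this slab's storage */
        return false;
    return (p - base) % s->size == 0;    /* must sit on an object boundary */
}

/* The only function that dereferences the object: it reads the freelist link. */
static void toy_print_trailer(const struct toy_cache *s, const void *object)
{
    void *next;

    memcpy(&next, object, sizeof(next));
    printf("%s: object %p, freelist link %p\n", s->name, object, next);
}

/*
 * Returns which path was taken so the behaviour can be asserted on without
 * parsing output. The invalid path only prints the pointer value.
 */
static enum report_path toy_object_err(const struct toy_cache *s,
                                       const struct toy_slab *slab,
                                       const void *object, const char *reason)
{
    printf("BUG %s: %s\n", s->name, reason);
    if (!object || !toy_check_valid_pointer(s, slab, object)) {
        printf("slab base %p, %u objects\n", (void *)slab->base, slab->objects);
        printf("Invalid pointer %p\n", object);
        return REPORT_INVALID;
    }
    toy_print_trailer(s, object);
    return REPORT_TRAILER;
}

/*
 * Builds a slab whose object 0 carries a constructed garbage freelist link,
 * then reports on four pointers. Returns a bitmask with bit i set when call
 * i took the invalid-pointer path; only the valid object (bit 0) must not.
 */
static unsigned int toy_scenario(void)
{
    static unsigned char storage[TOY_OBJ_SIZE * TOY_OBJS_PER_SLAB];
    struct toy_cache s = { "toy_cache", TOY_OBJ_SIZE };
    struct toy_slab slab = { storage, TOY_OBJS_PER_SLAB };
    void *garbage = (void *)(uintptr_t)0xdeadbeefULL;  /* constructed corrupt link */
    const void *probes[4] = { storage, NULL, garbage, storage + 3 };
    const char *reasons[4] = { "valid object", "NULL pointer",
                               "freelist link read from corrupted object",
                               "misaligned pointer" };
    unsigned int mask = 0;

    memcpy(storage, &garbage, sizeof(garbage));   /* simulate freelist corruption */
    for (unsigned int i = 0; i < 4; i++)
        if (toy_object_err(&s, &slab, probes[i], reasons[i]) == REPORT_INVALID)
            mask |= 1u << i;
    return mask;   /* 0xe: NULL, garbage and misaligned pointers all rejected */
}

int main(void)
{
    printf("invalid-path mask: 0x%x\n", toy_scenario());
    return 0;
}
```

The third probe is the case Vlastimil's suggested commit-message paragraph describes: the value read out of a corrupted object is handed to the reporter as if it were an object pointer, and the reporter must reject it from the address and alignment alone rather than learn that it is bad by dereferencing it.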



* Re: [PATCH v6] mm/slub: avoid accessing metadata when pointer is invalid in object_err()
From: Harry Yoo @ 2025-08-04  9:01 UTC
  To: Li Qiong
  Cc: Christoph Lameter, David Rientjes, Andrew Morton, Vlastimil Babka,
	Roman Gushchin, linux-mm, linux-kernel, stable

On Mon, Aug 04, 2025 at 10:57:59AM +0800, Li Qiong wrote:
> object_err() reports details of an object for further debugging, such as
> the freelist pointer, redzone, etc. However, if the pointer is invalid,
> attempting to access object metadata can lead to a crash since it does
> not point to a valid object.
> 
> In case the pointer is NULL or check_valid_pointer() returns false for
> the pointer, only print the pointer value and skip accessing metadata.
> 
> Fixes: 81819f0fc828 ("SLUB core")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Li Qiong <liqiong@nfschina.com>
> ---
> v2:
> - rephrase the commit message, add comment for object_err().
> v3:
> - check object pointer in object_err().
> v4:
> - restore changes in alloc_consistency_checks().
> v5:
> - rephrase message, fix code style.
> v6:
> - add checking 'object' if NULL.
> ---

Reviewed-by: Harry Yoo <harry.yoo@oracle.com>

>  mm/slub.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index 31e11ef256f9..972cf2bb2ee6 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1104,7 +1104,12 @@ static void object_err(struct kmem_cache *s, struct slab *slab,
>  		return;
>  
>  	slab_bug(s, reason);
> -	print_trailer(s, slab, object);
> +	if (!object || !check_valid_pointer(s, slab, object)) {
> +		print_slab_info(slab);
> +		pr_err("Invalid pointer 0x%p\n", object);
> +	} else {
> +		print_trailer(s, slab, object);
> +	}
>  	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
>  
>  	WARN_ON(1);
> -- 
> 2.30.2
> 

-- 
Cheers,
Harry / Hyeonggon


* Re: [PATCH v6] mm/slub: avoid accessing metadata when pointer is invalid in object_err()
From: Vlastimil Babka @ 2025-08-04 15:19 UTC
  To: Li Qiong, Christoph Lameter, David Rientjes, Andrew Morton
  Cc: Roman Gushchin, Harry Yoo, linux-mm, linux-kernel, stable,
	Matthew Wilcox

On 8/4/25 04:57, Li Qiong wrote:
> object_err() reports details of an object for further debugging, such as
> the freelist pointer, redzone, etc. However, if the pointer is invalid,
> attempting to access object metadata can lead to a crash since it does
> not point to a valid object.
> 
> In case the pointer is NULL or check_valid_pointer() returns false for
> the pointer, only print the pointer value and skip accessing metadata.

We should explain that this is not theoretical so justify the stable cc, so
I would add:

One known path to the crash is when alloc_consistency_checks() determines
the pointer to the allocated object is invalid beause of a freelist
corruption, and calls object_err() to report it. The debug code should
report and handle the corruption gracefully and not crash in the process.

If you agree, I can do this when picking up the patch after merge window, no
need to resend.
> Fixes: 81819f0fc828 ("SLUB core")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Li Qiong <liqiong@nfschina.com>
> ---
> v2:
> - rephrase the commit message, add comment for object_err().
> v3:
> - check object pointer in object_err().
> v4:
> - restore changes in alloc_consistency_checks().
> v5:
> - rephrase message, fix code style.
> v6:
> - add checking 'object' if NULL.
> ---
>  mm/slub.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index 31e11ef256f9..972cf2bb2ee6 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1104,7 +1104,12 @@ static void object_err(struct kmem_cache *s, struct slab *slab,
>  		return;
>  
>  	slab_bug(s, reason);
> -	print_trailer(s, slab, object);
> +	if (!object || !check_valid_pointer(s, slab, object)) {
> +		print_slab_info(slab);
> +		pr_err("Invalid pointer 0x%p\n", object);
> +	} else {
> +		print_trailer(s, slab, object);
> +	}
>  	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
>  
>  	WARN_ON(1);



* Re: [PATCH v6] mm/slub: avoid accessing metadata when pointer is invalid in object_err()
From: liqiong @ 2025-08-05  1:24 UTC
  To: Vlastimil Babka, Christoph Lameter, David Rientjes, Andrew Morton
  Cc: Harry Yoo, linux-kernel, stable, Matthew Wilcox



On 2025/8/4 23:19, Vlastimil Babka wrote:
> On 8/4/25 04:57, Li Qiong wrote:
>> object_err() reports details of an object for further debugging, such as
>> the freelist pointer, redzone, etc. However, if the pointer is invalid,
>> attempting to access object metadata can lead to a crash since it does
>> not point to a valid object.
>>
>> In case the pointer is NULL or check_valid_pointer() returns false for
>> the pointer, only print the pointer value and skip accessing metadata.
> We should explain that this is not theoretical so justify the stable cc, so
> I would add:
>
> One known path to the crash is when alloc_consistency_checks() determines
> the pointer to the allocated object is invalid beause of a freelist
> corruption, and calls object_err() to report it. The debug code should
> report and handle the corruption gracefully and not crash in the process.
>
> If you agree, I can do this when picking up the patch after merge window, no
> need to resend.

Agree, thanks.


>> Fixes: 81819f0fc828 ("SLUB core")
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Li Qiong <liqiong@nfschina.com>
>> ---
>> v2:
>> - rephrase the commit message, add comment for object_err().
>> v3:
>> - check object pointer in object_err().
>> v4:
>> - restore changes in alloc_consistency_checks().
>> v5:
>> - rephrase message, fix code style.
>> v6:
>> - add checking 'object' if NULL.
>> ---
>>  mm/slub.c | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/mm/slub.c b/mm/slub.c
>> index 31e11ef256f9..972cf2bb2ee6 100644
>> --- a/mm/slub.c
>> +++ b/mm/slub.c
>> @@ -1104,7 +1104,12 @@ static void object_err(struct kmem_cache *s, struct slab *slab,
>>  		return;
>>  
>>  	slab_bug(s, reason);
>> -	print_trailer(s, slab, object);
>> +	if (!object || !check_valid_pointer(s, slab, object)) {
>> +		print_slab_info(slab);
>> +		pr_err("Invalid pointer 0x%p\n", object);
>> +	} else {
>> +		print_trailer(s, slab, object);
>> +	}
>>  	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
>>  
>>  	WARN_ON(1);



* Re: [PATCH v6] mm/slub: avoid accessing metadata when pointer is invalid in object_err()
From: Matthew Wilcox @ 2025-08-05 12:27 UTC
  To: Vlastimil Babka
  Cc: Li Qiong, Christoph Lameter, David Rientjes, Andrew Morton,
	Roman Gushchin, Harry Yoo, linux-mm, linux-kernel, stable

On Mon, Aug 04, 2025 at 05:19:59PM +0200, Vlastimil Babka wrote:
> On 8/4/25 04:57, Li Qiong wrote:
> > object_err() reports details of an object for further debugging, such as
> > the freelist pointer, redzone, etc. However, if the pointer is invalid,
> > attempting to access object metadata can lead to a crash since it does
> > not point to a valid object.
> > 
> > In case the pointer is NULL or check_valid_pointer() returns false for
> > the pointer, only print the pointer value and skip accessing metadata.

You really need to get the nfschina mail system fixed.  None of your
messages are making it through to linux-mm.  Either that or start
sending emails from a different provider.

> > Fixes: 81819f0fc828 ("SLUB core")
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Li Qiong <liqiong@nfschina.com>

Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>


* Re: [PATCH v6] mm/slub: avoid accessing metadata when pointer is invalid in object_err()
From: Harry Yoo @ 2025-08-05 12:38 UTC
  To: Vlastimil Babka
  Cc: Li Qiong, Christoph Lameter, David Rientjes, Andrew Morton,
	Roman Gushchin, linux-mm, linux-kernel, stable, Matthew Wilcox

On Mon, Aug 04, 2025 at 05:19:59PM +0200, Vlastimil Babka wrote:
> On 8/4/25 04:57, Li Qiong wrote:
> > object_err() reports details of an object for further debugging, such as
> > the freelist pointer, redzone, etc. However, if the pointer is invalid,
> > attempting to access object metadata can lead to a crash since it does
> > not point to a valid object.
> > 
> > In case the pointer is NULL or check_valid_pointer() returns false for
> > the pointer, only print the pointer value and skip accessing metadata.
> 
> We should explain that this is not theoretical so justify the stable cc, so
> I would add:
> 
> One known path to the crash is when alloc_consistency_checks() determines
> the pointer to the allocated object is invalid beause of a freelist

nit: beause -> because

> corruption, and calls object_err() to report it. The debug code should
> report and handle the corruption gracefully and not crash in the process.
>
> If you agree, I can do this when picking up the patch after merge window, no
> need to resend.
>
> > Fixes: 81819f0fc828 ("SLUB core")
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Li Qiong <liqiong@nfschina.com>
> > ---

Reviewed-by: Harry Yoo <harry.yoo@oracle.com>

-- 
Cheers,
Harry / Hyeonggon


* Re: [PATCH v6] mm/slub: avoid accessing metadata when pointer is invalid in object_err()
From: Vlastimil Babka @ 2025-08-25 15:22 UTC
  To: liqiong, Christoph Lameter, David Rientjes, Andrew Morton
  Cc: Harry Yoo, linux-kernel, stable, Matthew Wilcox

On 8/5/25 03:24, liqiong wrote:
> 
> 
> On 2025/8/4 23:19, Vlastimil Babka wrote:
>> On 8/4/25 04:57, Li Qiong wrote:
>>> object_err() reports details of an object for further debugging, such as
>>> the freelist pointer, redzone, etc. However, if the pointer is invalid,
>>> attempting to access object metadata can lead to a crash since it does
>>> not point to a valid object.
>>>
>>> In case the pointer is NULL or check_valid_pointer() returns false for
>>> the pointer, only print the pointer value and skip accessing metadata.
>> We should explain that this is not theoretical so justify the stable cc, so
>> I would add:
>>
>> One known path to the crash is when alloc_consistency_checks() determines
>> the pointer to the allocated object is invalid beause of a freelist
>> corruption, and calls object_err() to report it. The debug code should
>> report and handle the corruption gracefully and not crash in the process.
>>
>> If you agree, I can do this when picking up the patch after merge window, no
>> need to resend.
> 
> Agree, thanks.

Merged to -next, thanks.


