mm/slub: avoid accessing metadata when pointer is invalid in object_err()

[ Upstream commit b4efccec8d06ceb10a7d34d7b1c449c569d53770 ]

object_err() reports details of an object for further debugging, such as
the freelist pointer, redzone, etc. However, if the pointer is invalid,
attempting to access object metadata can lead to a crash since it does
not point to a valid object.

One known path to the crash is when alloc_consistency_checks()
determines the pointer to the allocated object is invalid because of a
freelist corruption, and calls object_err() to report it. The debug code
should report and handle the corruption gracefully and not crash in the
process.

In case the pointer is NULL or check_valid_pointer() returns false for
the pointer, only print the pointer value and skip accessing metadata.

Fixes: 81819f0fc828 ("SLUB core")
Cc: <stable@vger.kernel.org>
Signed-off-by: Li Qiong <liqiong@nfschina.com>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/mm/slub.c b/mm/slub.c
index d2544c88a5c43c8d4f3d9589df5b8703515699cd..391f9db1c8f38134dbcf0ef583fab9ae114bf707 100644 (file)
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -988,7 +988,12 @@ static void object_err(struct kmem_cache *s, struct slab *slab,
                return;
 
        slab_bug(s, "%s", reason);
-       print_trailer(s, slab, object);
+       if (!object || !check_valid_pointer(s, slab, object)) {
+               print_slab_info(slab);
+               pr_err("Invalid pointer 0x%p\n", object);
+       } else {
+               print_trailer(s, slab, object);
+       }
        add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
 }