Re: [PATCH v2] mm: slub: avoid deref of free pointer in sanity checks if object is invalid
From: Matthew Wilcox
Date: Fri Jul 25 2025 - 15:22:25 EST
On Fri, Jul 25, 2025 at 06:10:51PM +0100, Matthew Wilcox wrote:
> On Fri, Jul 25, 2025 at 06:47:01PM +0200, Vlastimil Babka wrote:
> > On 7/25/25 08:49, Li Qiong wrote:
> > > For debugging, object_err() prints the free pointer of the object.
> > > However, if check_valid_pointer() returns false for an object,
> > > dereferencing `object + s->offset` can lead to a crash. Therefore,
> > > print the object's address in such cases.
>
> I don't know where this patch came from (was it cc'd to linux-mm? I
> don't see it)
I've spent some more time thinking about this and I now believe that
there are several calls to object_err() that can be passed a bad
pointer:
freelist_corrupted()
check_object()
on_freelist()
alloc_consistency_checks()
free_consistency_checks()
so I think this line of attack is inappropriate. Instead, I think we
need to make object_err() resilient against wild pointers. Specifically,
avoid doing risky things in print_trailer() if object is not within slab.
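The guard being argued for in this reply, shown in miniature as an added example that is not part of the thread or of the kernel's mm/slub.c: a toy slab with fixed-size objects, a validity check modelled on check_valid_pointer(), and a diagnostic routine that reads the free pointer at `s->offset` only after that check passes. All names (toy_cache, toy_slab, toy_check_valid_pointer, toy_object_err) and the 256-byte/32-byte geometry are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed miniature of a SLUB slab: one fixed-size region holding
 * equal-sized objects, each carrying a free pointer at an offset inside
 * the object. Hypothetical names and sizes, not the kernel's. */
#define SLAB_BYTES 256
#define OBJ_SIZE   32
#define FP_OFFSET  16   /* where the free pointer lives within an object */

struct toy_cache {
    size_t size;    /* object size, like kmem_cache->size */
    size_t offset;  /* free pointer offset, like kmem_cache->offset */
};

struct toy_slab {
    unsigned char mem[SLAB_BYTES];
};

/* Analogue of check_valid_pointer(): the object must lie inside the
 * slab's memory and start on an object boundary. Arithmetic is done on
 * uintptr_t so a wild pointer never has to be dereferenced or compared
 * as a C pointer. */
bool toy_check_valid_pointer(const struct toy_cache *s,
                             const struct toy_slab *slab, const void *object)
{
    uintptr_t base = (uintptr_t)slab->mem;
    uintptr_t p = (uintptr_t)object;

    if (p < base || p >= base + SLAB_BYTES)
        return false;
    if ((p - base) % s->size != 0)
        return false;
    return true;
}

/* Analogue of the hardened object_err()/print_trailer() path: report the
 * free pointer only when the object passed validation; otherwise report
 * just the address. Returns true if the free pointer was actually read. */
bool toy_object_err(const struct toy_cache *s, const struct toy_slab *slab,
                    const void *object, uintptr_t *fp_out,
                    char *msg, size_t msglen)
{
    uintptr_t fp;

    if (!toy_check_valid_pointer(s, slab, object)) {
        /* Never touch object + s->offset here: it may be a wild pointer. */
        snprintf(msg, msglen, "invalid object %p (outside slab)", object);
        return false;
    }

    memcpy(&fp, (const unsigned char *)object + s->offset, sizeof fp);
    *fp_out = fp;
    snprintf(msg, msglen, "object %p fp=%#lx", object, (unsigned long)fp);
    return true;
}

int main(void)
{
    struct toy_cache s = { OBJ_SIZE, FP_OFFSET };
    static struct toy_slab slab;
    uintptr_t marker = 0x1234, fp = 0;
    char msg[128];

    /* Constructed sample: object 2 holds a recognisable free pointer. */
    memset(&slab, 0, sizeof slab);
    memcpy(slab.mem + 2 * OBJ_SIZE + FP_OFFSET, &marker, sizeof marker);

    toy_object_err(&s, &slab, slab.mem + 2 * OBJ_SIZE, &fp, msg, sizeof msg);
    puts(msg);                                   /* valid: fp printed */
    toy_object_err(&s, &slab, (void *)0x10, &fp, msg, sizeof msg);
    puts(msg);                                   /* wild: no dereference */
    return 0;
}
```

The point of the shape is that every diagnostic path that might receive a bad pointer (the callers listed above) goes through the same validity check before anything at `object + s->offset` is read, instead of each caller having to remember to avoid the dereference.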