[PATCH] lockdep: fix NULL pointer dereference in __lock_set_class()

From: Xiang Gao

Date: Sat Apr 18 2026 - 10:15:20 EST


From: Xiang Gao <gaoxiang17@xxxxxxxxxx>

register_lock_class() can return NULL on failure (e.g., exceeding
MAX_LOCKDEP_KEYS or lock_keys_in_use overflow). __lock_set_class()
uses the return value directly in pointer arithmetic without a NULL
check:

class = register_lock_class(lock, subclass, 0);
hlock->class_idx = class - lock_classes;

If class is NULL, this computes a garbage negative offset that corrupts
hlock->class_idx (a bitfield). Any subsequent hlock_class() call on
this hlock returns a garbage pointer, leading to memory corruption or
a crash.

The other call site in __lock_acquire() (line 5112) already handles
this correctly with an explicit NULL check. Add the same guard here.

Fixes: 64aa348edc61 ("lockdep: lock_set_subclass - reset a held lock's subclass")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Xiang Gao <gaoxiang17@xxxxxxxxxx>
---
kernel/locking/lockdep.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
index 2d4c5bab5af8..e0de81114824 100644
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -5437,6 +5437,8 @@ __lock_set_class(struct lockdep_map *lock, const char *name,
lock->wait_type_outer,
lock->lock_type);
class = register_lock_class(lock, subclass, 0);
+ if (!class)
+ return 0;
hlock->class_idx = class - lock_classes;

curr->lockdep_depth = i;
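Review bot: the new `if (!class) return 0;` bails out after the lockdep_init_map_type() call whose trailing arguments form the context above (lock->wait_type_outer, lock->lock_type) has already rewritten the map, so on failure the held lock keeps its old class_idx while the lockdep_map now carries the new name and key. That is only harmless if every NULL return from register_lock_class() has already reported the failure and disabled lockdep, which the commit message states for the MAX_LOCKDEP_KEYS and lock_keys_in_use cases but does not argue for any other NULL path. Either add a one-line comment above the return saying why the stale class_idx cannot be used afterwards, or move the register_lock_class() call ahead of the re-initialization so nothing is modified before the check; in either case the commit message should say which it relies on.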
--
2.34.1
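The failure mode the commit message describes, as an added user-space model that is not part of the patch or of lockdep: a fixed-size class table, a register routine that returns NULL once the table is full, and a held-lock record whose index is a bitfield. The "before" function stores the NULL-derived offset the way the unpatched __lock_set_class() does and reports success; the "after" function carries the patch's check. The model_* names, MAX_CLASSES = 4 and the 13-bit field width are assumptions chosen for illustration; the real values and types live in kernel/locking/lockdep.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not lockdep's values. */
#define MAX_CLASSES     4      /* stand-in for MAX_LOCKDEP_KEYS */
#define CLASS_IDX_BITS  13     /* assumed width of the class_idx bitfield */

struct lock_class { unsigned int id; };
struct held_lock  { unsigned int class_idx : CLASS_IDX_BITS; };

static struct lock_class lock_classes[MAX_CLASSES];
static unsigned int nr_lock_classes;

/* Model of register_lock_class(): hands out table slots until the table is
 * exhausted, then returns NULL, which is the case the patch guards against. */
static struct lock_class *model_register_lock_class(void)
{
	if (nr_lock_classes >= MAX_CLASSES)
		return NULL;
	lock_classes[nr_lock_classes].id = nr_lock_classes;
	return &lock_classes[nr_lock_classes++];
}

/* What the generated code computes for `class - lock_classes`.  Subtracting
 * pointers into different objects is undefined in C, so the arithmetic is
 * done on integer addresses here to show the value that actually results. */
static ptrdiff_t model_class_offset(const struct lock_class *class)
{
	return ((intptr_t)class - (intptr_t)lock_classes) / (ptrdiff_t)sizeof(*class);
}

/* Before the patch: no NULL check.  The large negative offset is truncated
 * into the bitfield and the caller is told the class was set. */
static int set_class_unguarded(struct held_lock *h)
{
	struct lock_class *class = model_register_lock_class();

	h->class_idx = (unsigned int)model_class_offset(class);
	return 1;
}

/* After the patch: bail out and leave the held lock untouched. */
static int set_class_guarded(struct held_lock *h)
{
	struct lock_class *class = model_register_lock_class();

	if (!class)
		return 0;
	h->class_idx = (unsigned int)(class - lock_classes);
	return 1;
}

/* 1 if indexing lock_classes[] with this class_idx stays inside the table. */
static int class_idx_in_table(const struct held_lock *h)
{
	return h->class_idx < MAX_CLASSES;
}

struct scenario {
	int guarded_rc;             /* return value of the patched version */
	unsigned int guarded_idx;   /* class_idx afterwards: unchanged */
	int unguarded_rc;           /* return value of the original version */
	unsigned int unguarded_idx; /* class_idx afterwards: truncated garbage */
	ptrdiff_t raw_offset;       /* untruncated `NULL - lock_classes` */
};

/* Fill the table, then run both versions on a held lock that refers to slot 0. */
static struct scenario run_scenario(void)
{
	struct scenario s;
	struct held_lock h = { 0 };

	nr_lock_classes = 0;
	while (model_register_lock_class())
		;                                   /* exhaust all MAX_CLASSES slots */

	s.guarded_rc = set_class_guarded(&h);       /* fails cleanly, h untouched */
	s.guarded_idx = h.class_idx;

	s.raw_offset = model_class_offset(NULL);
	s.unguarded_rc = set_class_unguarded(&h);   /* "succeeds", h corrupted */
	s.unguarded_idx = h.class_idx;
	return s;
}

int main(void)
{
	struct scenario s = run_scenario();
	struct held_lock h = { s.unguarded_idx };

	printf("guarded:   rc=%d class_idx=%u\n", s.guarded_rc, s.guarded_idx);
	printf("unguarded: rc=%d raw offset=%td class_idx=%u in_table=%d\n",
	       s.unguarded_rc, s.raw_offset, s.unguarded_idx, class_idx_in_table(&h));
	return 0;
}
```

The stored garbage is just the low CLASS_IDX_BITS of the negative offset, so whether it happens to land inside the table depends on where lock_classes is linked; that is why the unguarded path cannot be detected afterwards and the check has to happen before the store.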