[PATCH] locking/lockdep: Validate class index in lock_chain_get_class()
From: Naveen Kumar Chaudhary
Date: Tue Jun 16 2026 - 12:41:26 EST
lock_chain_get_class() extracts a class index from chain_hlocks[] and
uses it to index directly into lock_classes[] without any validation.
If the chain data references a class that has been zapped (e.g., after
module unload), the class_idx bit will be cleared in lock_classes_in_use
and the function returns a pointer to a stale entry.

Add a DEBUG_LOCKS_WARN_ON() check using test_bit() on lock_classes_in_use.
Return NULL on failure so callers can handle it gracefully.

Update the sole caller in lockdep_proc.c to handle the NULL return.
Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@xxxxxxxxx>
---
kernel/locking/lockdep.c | 3 +++
kernel/locking/lockdep_proc.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
index 2d4c5bab5af8..ca255269b714 100644
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -3561,6 +3561,9 @@ struct lock_class *lock_chain_get_class(struct lock_chain *chain, int i)
u16 chain_hlock = chain_hlocks[chain->base + i];
unsigned int class_idx = chain_hlock_class_idx(chain_hlock);
+ if (DEBUG_LOCKS_WARN_ON(!test_bit(class_idx, lock_classes_in_use)))
+ return NULL;
+
return lock_classes + class_idx;
}
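Review bot: Wrapping the test_bit() check in DEBUG_LOCKS_WARN_ON() makes the first stale chain entry encountered disable lockdep system-wide (the macro calls debug_locks_off() before warning), and since the only caller in this series is the /proc reader in lc_show(), a userspace read of lockdep_chains would be enough to switch validation off for every subsequent lock operation. If a zapped class in the chain cache is an expected state after module unload, as the commit message suggests, a plain `if (!test_bit(class_idx, lock_classes_in_use)) return NULL;` is the proportionate response; if it is meant to signal corruption, the warning is right but the hunk should carry a comment stating that, e.g. `/* The class was zapped: chain_hlocks[] still refers to it, so refuse to hand out the stale lock_classes[] entry. */` above the new check, so the next reader knows why NULL can come back from a function that previously never failed.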
diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c
index 1916db9aa46b..2d1f6b43edd5 100644
--- a/kernel/locking/lockdep_proc.c
+++ b/kernel/locking/lockdep_proc.c
@@ -170,7 +170,7 @@ static int lc_show(struct seq_file *m, void *v)
for (i = 0; i < chain->depth; i++) {
class = lock_chain_get_class(chain, i);
- if (!class->key)
+ if (!class || !class->key)
continue;
seq_printf(m, "[%p] ", class->key);
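Review bot: The `continue` on a NULL class silently drops that position from the printed chain, so a reader of /proc/lockdep_chains sees fewer "[%p] " entries than chain->depth with no hint that a slot was skipped; this hunk reuses the existing key-less path, which has the same effect but a different cause. Consider emitting a distinguishable marker for the NULL case (something like `seq_puts(m, "[stale] ");` before continuing) so the output still accounts for every held lock in the chain and a stale entry is visible rather than invisible when someone is debugging exactly this kind of zapped-class situation.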
--
2.43.0