References: <20211023171802.4693-1-cyeaa@connect.ust.hk>
In-Reply-To: <20211023171802.4693-1-cyeaa@connect.ust.hk>
From: Marco Elver
Date: Sat, 23 Oct 2021 20:47:17 +0200
Subject: Re: [PATCH] mm/kfence: fix null pointer dereference on pointer meta
To: Chengfeng Ye
Cc: glider@google.com, akpm@linux-foundation.org, dvyukov@google.com, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org

On Sat, 23 Oct 2021 at 19:20, Chengfeng Ye wrote:
> The pointer meta returned from addr_to_metadata could be null, so
> there is a potential null pointer dereference issue. Fix this
> by adding a null check before dereference.
>
> Fixes: 0ce20dd8 ("mm: add Kernel Electric-Fence infrastructure")
> Signed-off-by: Chengfeng Ye
> ---
> mm/kfence/core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/kfence/core.c b/mm/kfence/core.c
> index 7a97db8bc8e7..7d2ec787e921 100644
> --- a/mm/kfence/core.c
> +++ b/mm/kfence/core.c
> @@ -811,7 +811,7 @@ void __kfence_free(void *addr)
> * objects once it has been freed. meta->cache may be NULL if the cache
> * was destroyed.
> */
> - if (unlikely(meta->cache && (meta->cache->flags & SLAB_TYPESAFE_BY_RCU)))
> + if (unlikely(meta && meta->cache && (meta->cache->flags & SLAB_TYPESAFE_BY_RCU)))
> call_rcu(&meta->rcu_head, rcu_guarded_free);
> else
> kfence_guarded_free(addr, meta, false);

Sorry -- Nack.

What bug did you encounter?

Please see [1], and I'm afraid this attempt makes even less sense because if it were (hypothetically) NULL like you say we just call kfence_guarded_free() and crash there.

[1] https://lkml.kernel.org/r/CANpmjNMcgUsdvXrvQHn+-y1w-z-6QAS+WJ27RB2DCnVxORRcuw@mail.gmail.com

However, what I wrote in [1] equally applies here:

> [...]
> Adding a check like this could also hide genuine bugs, as meta should
> never be NULL in __kfence_free(). If it is, we'd like to see a crash.
>
> Did you read kfence_free() in include/linux/kfence.h? It already
> prevents __kfence_free() being called with a non-KFENCE address.
>
> Without a more thorough explanation, Nack.

May I ask which static analysis tool keeps flagging this?

Thanks,
-- Marco
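Review bot: the `meta &&` added to the if-condition in the __kfence_free() hunk does not make a NULL `meta` safe, because the unchanged else branch still passes it to `kfence_guarded_free(addr, meta, false)`, so the dereference only moves one line down, as the reply notes. Given that `kfence_free()` in include/linux/kfence.h already keeps non-KFENCE addresses from reaching `__kfence_free()`, a NULL `meta` here is an invariant violation that should crash visibly rather than be silently skipped; drop the check, or, if there is a real trigger, the commit message should name the path that reaches `__kfence_free()` with a non-KFENCE address and the tool that reported it, since "could be null" from a static analyzer is not evidence of a reachable bug. Style point: the Fixes: tag quotes an 8-character SHA (`0ce20dd8`) where the kernel convention is at least 12.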
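As an added illustration (not code from the kernel, from the patch or from either poster), the following user-space C model shows the gating pattern the reply relies on: a public entry point, playing the role of kfence_free(), decides by address range whether an object belongs to the guarded pool, and the internal free path, playing the role of __kfence_free(), treats a NULL metadata pointer as an invariant violation to report loudly rather than a case to skip. Everything prefixed `model_`, the pool geometry, the bug counter standing in for a kernel BUG/WARN splat, and the foreign object are constructed assumptions of this example.

```c
/* Added example, not kernel code: a user-space model of how the KFENCE free
 * path gates on address range. All model_* names are constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_OBJECTS  4
#define MODEL_OBJ_SIZE 64

struct model_meta {
	bool allocated;
	unsigned int frees;	/* how many times this slot has been freed */
};

/* The guarded pool and one metadata entry per slot. */
static char model_pool[MODEL_OBJECTS * MODEL_OBJ_SIZE];
static struct model_meta model_meta_table[MODEL_OBJECTS];

/* Constructed: an object that lives outside the pool. */
static char model_foreign[MODEL_OBJ_SIZE];

/* Counts invariant violations; stands in for the kernel's BUG/WARN splat. */
static unsigned int model_bug_reports;

/* Cheap range check at the public boundary (role of is_kfence_address()). */
static bool model_is_pool_address(const void *addr)
{
	uintptr_t a = (uintptr_t)addr, base = (uintptr_t)model_pool;

	return a >= base && a < base + sizeof(model_pool);
}

/* Role of addr_to_metadata(): NULL only for addresses outside the pool. */
static struct model_meta *model_addr_to_metadata(const void *addr)
{
	if (!model_is_pool_address(addr))
		return NULL;
	return &model_meta_table[((uintptr_t)addr - (uintptr_t)model_pool) / MODEL_OBJ_SIZE];
}

/* Hands out the first free slot; NULL when the pool is exhausted. */
static void *model_alloc(void)
{
	for (size_t i = 0; i < MODEL_OBJECTS; i++) {
		if (!model_meta_table[i].allocated) {
			model_meta_table[i].allocated = true;
			return model_pool + i * MODEL_OBJ_SIZE;
		}
	}
	return NULL;
}

/* Internal slow path (role of __kfence_free()). It relies on the caller
 * having already established that addr lies in the pool, so a NULL meta is
 * an invariant violation to report, not a case to handle: a "meta &&" guard
 * on one branch would only move the dereference to the other branch. */
static void model_internal_free(void *addr)
{
	struct model_meta *meta = model_addr_to_metadata(addr);

	if (!meta) {
		model_bug_reports++;
		fprintf(stderr, "BUG: internal free of non-pool address %p\n", addr);
		return;
	}
	meta->allocated = false;
	meta->frees++;
}

/* Public entry point (role of the inline kfence_free() wrapper): the range
 * check is the one place where the non-pool case is decided. Returns false
 * when the address is not ours, so the caller uses its regular allocator. */
static bool model_free(void *addr)
{
	if (!model_is_pool_address(addr))
		return false;
	model_internal_free(addr);
	return true;
}

int main(void)
{
	void *obj = model_alloc();

	printf("pool object freed via the gate: %d\n", model_free(obj));
	printf("foreign object rejected by the gate: %d\n", model_free(model_foreign));
	model_internal_free(model_foreign);	/* bypassing the gate is reported */
	printf("bug reports: %u\n", model_bug_reports);
	return 0;
}
```

Run as written, the gate frees the pool object and rejects the foreign one without any report; only a direct call into the internal path with a non-pool address increments the bug counter, which is the visible failure the reply wants to keep rather than hide.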