On Sat, Dec 25, 2021 at 05:53:23PM +0000, Matthew Wilcox wrote:
> On Sat, Dec 25, 2021 at 09:16:55AM +0000, Hyeonggon Yoo wrote:
> > # mm: Convert struct page to struct slab in functions used by other subsystems
> >
> > I'm not familiar with kasan, but to ask:
> > Does ____kasan_slab_free detect invalid free if someone frees
> > an object that is not allocated from slab?
> >
> > @@ -341,7 +341,7 @@ static inline bool ____kasan_slab_free(struct kmem_cache *cache, void *object,
> > -	if (unlikely(nearest_obj(cache, virt_to_head_page(object), object) !=
> > +	if (unlikely(nearest_obj(cache, virt_to_slab(object), object) !=
> >  		    object)) {
> >  		kasan_report_invalid_free(tagged_object, ip);
> >  		return true;
> >
> > I'm asking this because virt_to_slab() will return NULL if folio_test_slab()
> > returns false. That will cause NULL pointer dereference in nearest_obj.
> > I don't think this change is intended.
>
> You need to track down how this could happen. As far as I can tell,
> it's always called when we know the object is part of a slab. That's
> where the cachep pointer is deduced from.

Thank you Matthew, you are right. I read the code too narrowly.
When we call kasan hooks, we know that the object is allocated from the slab cache.
(through cache_from_obj)

I'll review that patch again in part 3!

Thanks,
Hyeonggon
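Review bot: the switch from virt_to_head_page() to virt_to_slab() in the nearest_obj() call of ____kasan_slab_free() adds an implicit precondition that `object` belongs to a slab, because virt_to_slab() returns NULL when folio_test_slab() fails and nearest_obj() would then dereference that NULL. The thread establishes that the precondition holds (the cache pointer is derived from the object via cache_from_obj() before the hook is reached), but nothing in the hunk records it; a one-line comment above the check, or a sentence in the commit message, stating that ____kasan_slab_free() is only called for objects already known to live in a slab would make the dependency explicit for future callers.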