From: SeongJae Park
To: Andrew Morton
Cc: Josh Law, "# 6.18.x", SeongJae Park, damon@lists.linux.dev, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH v3 1/3] mm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure
Date: Sat, 21 Mar 2026 10:54:24 -0700
Message-ID: <20260321175427.86000-2-sj@kernel.org>
In-Reply-To: <20260321175427.86000-1-sj@kernel.org>
References: <20260321175427.86000-1-sj@kernel.org>

From: Josh Law

When damon_sysfs_new_test_ctx() fails in damon_sysfs_commit_input(),
param_ctx is leaked because the early return skips the cleanup at the
out label.  Destroy param_ctx before returning.

Fixes: f0c5118ebb0e ("mm/damon/sysfs: catch commit test ctx alloc failure")
Cc: # 6.18.x
Signed-off-by: Josh Law
Reviewed-by: SeongJae Park
Signed-off-by: SeongJae Park
---
 mm/damon/sysfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
index 576d1ddd736bf..b573b9d607848 100644
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1524,8 +1524,10 @@ static int damon_sysfs_commit_input(void *data) if (IS_ERR(param_ctx)) return PTR_ERR(param_ctx); test_ctx =3D damon_sysfs_new_test_ctx(kdamond->damon_ctx); - if (!test_ctx) + if (!test_ctx) { + damon_destroy_ctx(param_ctx); return -ENOMEM; + } err =3D damon_commit_ctx(test_ctx, param_ctx); if (err) goto out; --=20 2.47.3 From nobody Sat Apr 4 00:21:40 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 41CC733D4FA; Sat, 21 Mar 2026 17:54:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774115676; cv=none; b=UuvnVYl7QRZmjGDcXGwPursyh3kJIB2WEMzVp0ABtdEaKh22529yP6dkj44LcMpGAo9Dczd0K7vJbeVtOVjq+S9623vxXXctIClUIo3e/65MmXvOrvIRol1FGiv3c8tGxmfIIemfPeKPUSzvKpkCRLSxNKdNhCVH2UVCobg05fQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774115676; c=relaxed/simple; bh=ozaZfolHMPA3TCsXC61RgAmpZFbdf9+Z14L9tHNxdsM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=B1dnZrvG+NaAOoWnVR75WCNOxFblggyQMUeJxma4ZSuxR8Qi8ch2vAh47Z82VNgHZ08+O2J62mrmKms/Km/2JFGy6KJRTkq62FJWTtqA6g+4Lzq7bevlLu2FcQ7aaHc324X2TGcTccTDZ1cVoqFqzXnIUYzI2T9iOXNH1+rzOsQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=JCIHzKeX; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="JCIHzKeX" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0406CC2BCB1; Sat, 21 Mar 2026 17:54:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1774115676; 
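Review bot: on the 1/3 hunk in damon_sysfs_commit_input(), the `damon_destroy_ctx(param_ctx)` added before `return -ENOMEM` closes the leak but duplicates cleanup that the function already reaches through `goto out` on the `damon_commit_ctx()` failure two lines below; if the `out` block tolerates a NULL `test_ctx`, `err = -ENOMEM; goto out;` would keep a single exit path. The hunk does not show the `out` block, so that cannot be confirmed from the patch alone, and the explicit destroy is the conservative choice. The `IS_ERR(param_ctx)` early return just above is fine as-is, since nothing has been allocated at that point.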
From: SeongJae Park
To: Andrew Morton
Cc: Josh Law, "# 5.18.x", SeongJae Park, damon@lists.linux.dev, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH v3 2/3] mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]
Date: Sat, 21 Mar 2026 10:54:25 -0700
Message-ID: <20260321175427.86000-3-sj@kernel.org>
In-Reply-To: <20260321175427.86000-1-sj@kernel.org>
References: <20260321175427.86000-1-sj@kernel.org>

From: Josh Law

Multiple sysfs command paths dereference contexts_arr[0] without first
verifying that kdamond->contexts->nr == 1.  A user can set nr_contexts to
0 via sysfs while DAMON is running, causing NULL pointer dereferences.

In more detail, the issue can be triggered by privileged users like below.
First, start DAMON and make contexts directory empty
(kdamond->contexts->nr == 0).

    # damo start
    # cd /sys/kernel/mm/damon/admin/kdamonds/0
    # echo 0 > contexts/nr_contexts

Then, each of below commands will cause the NULL pointer dereference.

    # echo update_schemes_stats > state
    # echo update_schemes_tried_regions > state
    # echo update_schemes_tried_bytes > state
    # echo update_schemes_effective_quotas > state
    # echo update_tuned_intervals > state

Guard all commands (except OFF) at the entry point of
damon_sysfs_handle_cmd().

Fixes: 0ac32b8affb5 ("mm/damon/sysfs: support DAMOS stats")
Cc: # 5.18.x
Signed-off-by: Josh Law
Reviewed-by: SeongJae Park
Signed-off-by: SeongJae Park
---
 mm/damon/sysfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
index b573b9d607848..ddc30586c0e61 100644
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1749,6 +1749,9 @@ static int damon_sysfs_update_schemes_tried_regions( static int damon_sysfs_handle_cmd(enum damon_sysfs_cmd cmd, struct damon_sysfs_kdamond *kdamond) { + if (cmd !=3D DAMON_SYSFS_CMD_OFF && kdamond->contexts->nr !=3D 1) + return -EINVAL; + switch (cmd) { case DAMON_SYSFS_CMD_ON: return damon_sysfs_turn_damon_on(kdamond); --=20 2.47.3 From nobody Sat Apr 4 00:21:40 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 76BEB33F37A; Sat, 21 Mar 2026 17:54:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774115676; cv=none; b=avIyBwvSwen7++nusbK8MGJz86kdcSXmYCX++72iY1QWFvBvxFPqIR2nBus5UahIZgVyb93clZR4i2lsv9+yPdQ7OfokHzGz48LiGr37EPZALqnqprMzGokOF0T6GyAEcKhy56xlpKmbgbqqBhym40Ys95O4dJmDwdDFqtVQUb0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774115676; c=relaxed/simple; bh=ypF4xKp6F1pbIquY3/unFTj0ZaJ4QsmqDevrapmiqYU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=F9mnHL9vwXoYrPQ1rCnCEPnsy4Wys8YQHPTt3eAKI8QrgTHAZacd0z6e11Vgfw0T/Kn94dJJRLTjlZQcKSxdiIK6xdTp5G/ClK48koTXEA41t7Eqqj8tQAj20xMeqR00ZaDMZQJ3t2dyYxZTXg2lJFWChQBENcEOJadMuQe9cyk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=QPBqAj1U; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="QPBqAj1U" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3E350C2BCB4; Sat, 21 Mar 2026 17:54:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1774115676; 
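Review bot: on the 2/3 hunk at the top of damon_sysfs_handle_cmd(), `kdamond->contexts->nr != 1` rejects not only the zero-context state the commit message reproduces but also nr > 1, so a user who has created two contexts now gets -EINVAL for every command except OFF; that matches the `== 1` precondition the message states, but the message should say so explicitly since it reads as a NULL-dereference fix only. Separately, the guard is only race-free against a concurrent write to nr_contexts if this function and the nr_contexts store path serialise on the same lock; the hunk does not show the caller's locking, so a sentence confirming that damon_sysfs_handle_cmd() runs under damon_sysfs_lock (the lock 3/3 takes in damon_sysfs_repeat_call_fn()) would make the fix self-evidently complete.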
From: SeongJae Park
To: Andrew Morton
Cc: Josh Law, "# 6.17.x", SeongJae Park, damon@lists.linux.dev, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH v3 3/3] mm/damon/sysfs: check contexts->nr in repeat_call_fn
Date: Sat, 21 Mar 2026 10:54:26 -0700
Message-ID: <20260321175427.86000-4-sj@kernel.org>
In-Reply-To: <20260321175427.86000-1-sj@kernel.org>
References: <20260321175427.86000-1-sj@kernel.org>

From: Josh Law

damon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(),
damon_sysfs_upd_schemes_stats(), and
damon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr.
If nr_contexts is set to 0 via sysfs while DAMON is running, these
functions dereference contexts_arr[0] and cause a NULL pointer
dereference.  Add the missing check.

For example, the issue can be reproduced using DAMON sysfs interface and
DAMON user-space tool (damo) [1] like below.

    $ sudo damo start --refresh_interval 1s
    $ echo 0 | sudo tee \
        /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts

[1] https://github.com/damonitor/damo

Link: https://patch.msgid.link/20260320163559.178101-3-objecting@objecting.org
Fixes: d809a7c64ba8 ("mm/damon/sysfs: implement refresh_ms file internal work")
Cc: # 6.17.x
Signed-off-by: Josh Law
Reviewed-by: SeongJae Park
Signed-off-by: SeongJae Park --- mm/damon/sysfs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c index ddc30586c0e61..6a44a2f3d8fc9 100644 --- a/mm/damon/sysfs.c +++ b/mm/damon/sysfs.c @@ -1620,9 +1620,12 @@ static int damon_sysfs_repeat_call_fn(void *data) =20 if (!mutex_trylock(&damon_sysfs_lock)) return 0; + if (sysfs_kdamond->contexts->nr !=3D 1) + goto out; damon_sysfs_upd_tuned_intervals(sysfs_kdamond); damon_sysfs_upd_schemes_stats(sysfs_kdamond); damon_sysfs_upd_schemes_effective_quotas(sysfs_kdamond); +out: mutex_unlock(&damon_sysfs_lock); return 0; } --=20 2.47.3
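Review bot: on the 3/3 hunk in damon_sysfs_repeat_call_fn(), the `nr != 1` check sits after `mutex_trylock(&damon_sysfs_lock)` succeeds and the new `out` label releases the lock, so the lock is not leaked and the read of `contexts->nr` is serialised with writers that take damon_sysfs_lock. One behavioural point worth a line in the commit message: the function returns 0 on the new path exactly as it does when the trylock fails, so a kdamond left with zero contexts is still re-polled every refresh interval and silently does nothing, rather than the repeat call being cancelled; that is consistent with 2/3 still allowing OFF, but it should be a stated choice. A `pr_warn`-style diagnostic is not needed here, but a short comment above the check explaining why nr == 1 is the only valid state would help the next reader.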