From: SeongJae Park <sj@kernel.org>
To: Josh Law <objecting@objecting.org>
Cc: SeongJae Park <sj@kernel.org>,
akpm@linux-foundation.org, damon@lists.linux.dev,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/4] mm/damon/sysfs: check contexts->nr in update_schemes_tried_regions
Date: Thu, 19 Mar 2026 19:15:01 -0700 [thread overview]
Message-ID: <20260320021502.1218-1-sj@kernel.org> (raw)
In-Reply-To: <20260319155742.186627-4-objecting@objecting.org>
On Thu, 19 Mar 2026 15:57:41 +0000 Josh Law <objecting@objecting.org> wrote:
> damon_sysfs_update_schemes_tried_regions() and its callback
> damon_sysfs_schemes_tried_regions_upd_one() access contexts_arr[0]
> without verifying nr_contexts >= 1. This can NULL deref if damon_ctx is
> non-NULL (preserved after stop) but nr_contexts has been set to 0. Add
> the missing check.
Nice catch. This can be triggered by privileged users.
# cd /sys/kernel/mm/damon/admin/kdamonds/
# echo 1 > nr_kdamonds
# echo 1 > contexts/nr_contexts
# echo on > state
# echo off > state
# echo 0 > contexts/nr_contexts
# echo update_schemes_tried_regions > state
# dmesg
[...]
[ 222.362338] BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
Weird sequence of commands, but even privileged users can make mistakes. So I
think this deserves Fixes: and Cc: stable.
But, this is just another instance of a class of bugs that I mentioned on the
reply to the second patch of this series. I'd suggest fixing all bugs of the
class with a single fix, as I also mentioned on the second patch thread. Let's
discuss on that thread.
Thanks,
SJ
[...]
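As an added illustration, not code from this patch or from the kernel: a small user-space C model of the state described in the report (struct shapes, field names and the two update functions are assumed), placing the unchecked access next to the checked one and replaying the reproducer sequence above against the checked path.

```c
#include <errno.h>
#include <stddef.h>
/* Toy model of the sysfs objects in the report (assumed shapes, not kernel code).
 * contexts_arr is NULL once nr is 0; damon_ctx is kept after "echo off > state". */
struct damon_ctx { int tried_regions_updated; };
struct damon_sysfs_context { struct damon_ctx *ctx; };
struct damon_sysfs_contexts { int nr; struct damon_sysfs_context **contexts_arr; };
struct damon_sysfs_kdamond { struct damon_sysfs_contexts *contexts; struct damon_ctx *damon_ctx; };

/* Static backing storage so the model runs without allocation. */
static struct damon_ctx ctx_storage;
static struct damon_sysfs_context sysfs_ctx = { &ctx_storage };
static struct damon_sysfs_context *one_ctx_arr[1] = { &sysfs_ctx };
static struct damon_sysfs_contexts contexts_storage;
static struct damon_sysfs_kdamond kdamond = { &contexts_storage, NULL };

/* "echo N > contexts/nr_contexts"; this toy only supports N of 0 or 1. */
static void set_nr_contexts(struct damon_sysfs_kdamond *kd, int n)
{
	kd->contexts->nr = n ? 1 : 0;
	kd->contexts->contexts_arr = n ? one_ctx_arr : NULL;
}

/* Buggy shape: only damon_ctx is checked; with nr == 0, contexts_arr[0] reads NULL. */
static int update_tried_regions_buggy(struct damon_sysfs_kdamond *kd)
{
	if (!kd->damon_ctx)
		return -EINVAL;
	kd->contexts->contexts_arr[0]->ctx->tried_regions_updated++;
	return 0;
}

/* Fixed shape: also refuse when no context exists, before touching the array. */
static int update_tried_regions_fixed(struct damon_sysfs_kdamond *kd)
{
	if (!kd->damon_ctx || kd->contexts->nr < 1)
		return -EINVAL;
	kd->contexts->contexts_arr[0]->ctx->tried_regions_updated++;
	return 0;
}

/* Replays the reproducer (nr=1, on, off, nr=0, update) against the fixed path. */
static int replay_reproducer(void)
{
	set_nr_contexts(&kdamond, 1);                /* echo 1 > contexts/nr_contexts */
	kdamond.damon_ctx = one_ctx_arr[0]->ctx;     /* echo on > state; echo off keeps it */
	set_nr_contexts(&kdamond, 0);                /* echo 0 > contexts/nr_contexts */
	return update_tried_regions_fixed(&kdamond); /* echo update_schemes_tried_regions */
}
```

The buggy variant is only safe to call while nr is 1; calling it in the replayed state is exactly the NULL dereference from the dmesg line above.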