From: SeongJae Park <sj@kernel.org>
To: Josh Law <objecting@objecting.org>
Cc: SeongJae Park <sj@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
damon@lists.linux.dev, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/damon/core: validate goal nid before accessing node data
Date: Wed, 25 Mar 2026 07:37:02 -0700
Message-ID: <20260325143703.87583-1-sj@kernel.org>
In-Reply-To: <20260325073034.140353-1-objecting@objecting.org>
On Wed, 25 Mar 2026 07:30:34 +0000 Josh Law <objecting@objecting.org> wrote:
> damos_get_node_mem_bp() and damos_get_node_memcg_used_bp() pass
> goal->nid directly to si_meminfo_node() and NODE_DATA() without
> checking that it refers to a valid, online NUMA node. Since
> goal->nid is set from userspace via sysfs with no validation, a
> negative or out-of-range value causes an out-of-bounds access in
> NODE_DATA(), and a valid but offline node gives undefined results.
Nice catch!
>
> Add bounds and node_online() checks before using the nid.
>
> Fixes: 0e1c773b501f ("mm/damon/core: introduce damos quota goal metrics for memory node utilization")
Let's add Cc: stable.
> Signed-off-by: Josh Law <objecting@objecting.org>
> ---
> mm/damon/core.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/mm/damon/core.c b/mm/damon/core.c
> index 59b709f04975..6ee421141996 100644
> --- a/mm/damon/core.c
> +++ b/mm/damon/core.c
> @@ -2227,6 +2227,10 @@ static __kernel_ulong_t damos_get_node_mem_bp(
> struct sysinfo i;
> __kernel_ulong_t numerator;
>
> + if (goal->nid < 0 || goal->nid >= MAX_NUMNODES ||
> + !node_online(goal->nid))
Like damon_migrate_pages(), how about using node_state(goal->nid, N_MEMORY)
instead of node_online()?
> + return 0;
> +
> si_meminfo_node(&i, goal->nid);
> if (goal->metric == DAMOS_QUOTA_NODE_MEM_USED_BP)
> numerator = i.totalram - i.freeram;
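Review bot: The early `return 0;` added ahead of si_meminfo_node() in damos_get_node_mem_bp() reports a rejected nid as a measured value of 0 bp, which the caller cannot tell apart from a node that really measures 0, and the context lines show the function serves more than one metric (DAMOS_QUOTA_NODE_MEM_USED_BP and at least one other branch), so a flat 0 may not mean the same thing for each. Add a short comment above the check saying why 0 is the chosen fallback for every metric handled here. Since the commit message states that goal->nid arrives from sysfs with no validation, it is also worth rejecting the value where it is accepted, so that a bad nid never reaches this point, and keeping this check as a second line of defence.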
> @@ -2243,6 +2247,10 @@ static unsigned long damos_get_node_memcg_used_bp(
> unsigned long used_pages, numerator;
> struct sysinfo i;
>
> + if (goal->nid < 0 || goal->nid >= MAX_NUMNODES ||
> + !node_online(goal->nid))
Ditto.
> + return 0;
> +
> memcg = mem_cgroup_get_from_id(goal->memcg_id);
> if (!memcg) {
> if (goal->metric == DAMOS_QUOTA_NODE_MEMCG_USED_BP)
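Review bot: The new check in damos_get_node_memcg_used_bp() returns 0 unconditionally, while the existing `if (!memcg)` failure path directly below it branches on goal->metric; if that path returns different values per metric, the invalid-nid return should follow the same convention rather than a flat 0. The three-line condition is also a verbatim copy of the one added to damos_get_node_mem_bp(), so moving it into one small static helper (name up to the author) would keep the two call sites from drifting apart when the condition is next changed. Placing the check before mem_cgroup_get_from_id() is the right order, since the early return then happens before any memcg lookup.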
> --
> 2.34.1
Thanks,
SJ