Re: [RFC PATCH 1/2] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock

All of lore.kernel.org
 help / color / mirror / Atom feed

From: SeongJae Park <sj@kernel.org>
To: sashiko-bot@kernel.org
Cc: SeongJae Park <sj@kernel.org>, damon@lists.linux.dev
Subject: Re: [RFC PATCH 1/2] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
Date: Wed, 22 Apr 2026 17:41:47 -0700	[thread overview]
Message-ID: <20260423004148.74722-1-sj@kernel.org> (raw)
In-Reply-To: <20260422203017.48F3EC19425@smtp.kernel.org>

On Wed, 22 Apr 2026 20:30:16 +0000 sashiko-bot@kernel.org wrote:

> Sashiko AI review found 1 potential issue(s):
> - [High] Breaking from `mem_cgroup_iter()` without calling `mem_cgroup_iter_break()` leaks a cgroup reference in `damon_sysfs_memcg_path_to_id()`.

Nice finding, but not this patch's fault.  I will separately work on this.

> --
> 
> commit f19bff910905231adad168cfffc97ed67cb1fde3
> Author: SeongJae Park <sj@kernel.org>
> 
> mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
> 
> This commit fixes a use-after-free vulnerability by using damon_sysfs_lock
> to protect concurrent user-direct reads and writes to the memcg_path sysfs
> file. The locking prevents readers from accessing the memory path buffer
> while it is being deallocated by a write operation.
> 
> > diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
> > index 5186966dafb35..8d32a20531d49 100644
> > --- a/mm/damon/sysfs-schemes.c
> > +++ b/mm/damon/sysfs-schemes.c
> 
> [ ... ]
> 
> > @@ -550,8 +555,13 @@ static ssize_t memcg_path_store(struct kobject *kobj,
> >  		return -ENOMEM;
> >  
> >  	strscpy(path, buf, count + 1);
> > +	if (!mutex_trylock(&damon_sysfs_lock)) {
> > +		kfree(path);
> > +		return -EBUSY;
> > +	}
> >  	kfree(filter->memcg_path);
> >  	filter->memcg_path = path;
> > +	mutex_unlock(&damon_sysfs_lock);
> >  	return count;
> >  }
> 
> This isn't a bug introduced by this patch, but I noticed a pre-existing
> issue in this file.
> 
> Does damon_sysfs_memcg_path_to_id() leak a cgroup reference when breaking
> early from the hierarchy walk?
> 
> mm/damon/sysfs-schemes.c:damon_sysfs_memcg_path_to_id() {
> 	...
> 	for (memcg = mem_cgroup_iter(NULL, NULL, NULL); memcg;
> 			memcg = mem_cgroup_iter(NULL, memcg, NULL)) {
> 		/* skip offlined memcg */
> 		if (!mem_cgroup_online(memcg))
> 			continue;
> 		if (damon_sysfs_memcg_path_eq(memcg, path, memcg_path)) {
> 			*id = mem_cgroup_id(memcg);
> 			found = true;
> 			break;
> 		}
> 	}
> 	...
> }
> 
> According to the API contract, if a hierarchy walk is aborted prematurely
> before a round-trip is complete, the caller must use
> mem_cgroup_iter_break(NULL, memcg) to drop the reference to the last visited
> cgroup.
> 
> Because this is missing, could every successful resolution of a memcg path
> permanently leak a css reference?
> 
> In environments where DAMON configurations are frequently updated (like
> dynamically profiling containers), this could lead to a buildup of "zombie"
> cgroups that cannot be destroyed, eventually pinning substantial kernel
> memory and causing system-wide memory exhaustion.

Nice finding.  As Sashiko also mentions, not this patch's fault, though.  I
will separately work on this.

> 
> -- 
> Sashiko AI review · https://sashiko.dev/#/patchset/20260422143503.71357-1-sj@kernel.org?part=1
> 


Thanks,
SJ

next prev parent reply	other threads:[~2026-04-23  0:41 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-22 14:34 [RFC PATCH 0/2] mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path SeongJae Park
2026-04-22 14:35 ` [RFC PATCH 1/2] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock SeongJae Park
2026-04-22 20:30   ` sashiko-bot
2026-04-23  0:41     ` SeongJae Park [this message]
2026-04-22 14:35 ` [RFC PATCH 2/2] mm/damon/sysfs-schemes: protect path " SeongJae Park
2026-04-22 21:02   ` sashiko-bot
2026-04-23  0:46     ` SeongJae Park
2026-04-22 14:40 ` [RFC PATCH 0/2] mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path SeongJae Park

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260423004148.74722-1-sj@kernel.org \
    --to=sj@kernel.org \
    --cc=damon@lists.linux.dev \
    --cc=sashiko-bot@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.