From: SeongJae Park <sj@kernel.org>
To: sashiko-bot@kernel.org
Cc: SeongJae Park <sj@kernel.org>,
	"Liew Rui Yan" <aethernet65535@gmail.com>,
	damon@lists.linux.dev
Subject: Re: [PATCH v5 1/2] mm/damon/lru_sort: validate min_region_size to be power of 2
Date: Fri,  1 May 2026 18:50:07 -0700	[thread overview]
Message-ID: <20260502015008.78351-1-sj@kernel.org> (raw)
In-Reply-To: <20260501021643.9CBAFC2BCB3@smtp.kernel.org>

On Fri, 01 May 2026 02:16:43 +0000 sashiko-bot@kernel.org wrote:

> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [High] A Time-of-Check to Time-of-Use (TOCTOU) race condition exists between the validation of `damon_lru_sort_mon_attrs.sample_interval` and its subsequent use, leading to a division-by-zero kernel panic.
> --
> 
> commit 27c4642b5b420a4c1731c9385273b591e05b5b4c
> Author: Liew Rui Yan <aethernet65535@gmail.com>
> 
> mm/damon/lru_sort: validate min_region_size to be power of 2
> 
> This commit adds early validation for the min_region_sz parameter to ensure
> it is a power of 2. It prevents kdamond from incorrectly terminating with
> the maybe_corrupted flag when a user simply sets an invalid addr_unit.
> 
> > diff --git a/mm/damon/lru_sort.c b/mm/damon/lru_sort.c
> > index 2eb559d913b62..eca88ed941b32 100644
> > --- a/mm/damon/lru_sort.c
> > +++ b/mm/damon/lru_sort.c
> > @@ -286,6 +286,11 @@ static int damon_lru_sort_apply_parameters(void)
> >  	param_ctx->addr_unit = addr_unit;
> >  	param_ctx->min_region_sz = max(DAMON_MIN_REGION_SZ / addr_unit, 1);
> >  
> > +	if (!is_power_of_2(param_ctx->min_region_sz)) {
> > +		err = -EINVAL;
> > +		goto out;
> > +	}
> > +
> >  	if (!damon_lru_sort_mon_attrs.sample_interval) {
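Review bot: the new is_power_of_2() rejection in this hunk returns -EINVAL silently, so a user who set a bad addr_unit still gets no explanation, which is the confusion the commit message says it wants to remove; a pr_err() naming the rejected addr_unit and the derived min_region_sz (or a note in the parameter description) would make the failure actionable. The commit message could also state that the check is on the derived `max(DAMON_MIN_REGION_SZ / addr_unit, 1)` value, so the real constraint is that addr_unit must divide DAMON_MIN_REGION_SZ down to a power of two, which is not obvious from -EINVAL alone.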
> 
> This isn't a regression introduced by this patch,

So no blocker for this patch.

> but can a time-of-check
> to time-of-use (TOCTOU) race condition happen here?
> 
> Because damon_lru_sort_mon_attrs is exposed as a module parameter, it can
> be modified concurrently. If a user concurrently writes 0 to sample_interval
> immediately after this check passes, the local attrs struct would copy the
> new zero value:
> 
>     attrs = damon_lru_sort_mon_attrs;
> 
> Later in the function, damon_max_nr_accesses(&attrs) evaluates
> attrs.aggr_interval / attrs.sample_interval. Since sample_interval would
> be 0, could this trigger a divide-by-zero exception?

This cannot happen, as previously explained [1] to a similar question.

Seems Sashiko is not using mm-new as the baseline of DAMON patches, and
therefore does not know the fact that we now do this in a synchronous manner.

[1] https://lore.kernel.org/20260429054135.91515-1-sj@kernel.org


Thanks,
SJ

[...]

Thread overview: 8+ messages
2026-05-01  1:37 [PATCH v5 0/2] mm/damon: validate min_region_size to be power of 2 Liew Rui Yan
2026-05-01  1:37 ` [PATCH v5 1/2] mm/damon/lru_sort: " Liew Rui Yan
2026-05-01  2:16   ` sashiko-bot
2026-05-02  1:50     ` SeongJae Park [this message]
2026-05-02  1:51   ` SeongJae Park
2026-05-01  1:37 ` [PATCH v5 2/2] mm/damon/reclaim: " Liew Rui Yan
2026-05-02  1:52   ` SeongJae Park
2026-05-12  3:36 ` [PATCH v5 0/2] mm/damon: " SeongJae Park
