Re: [RFC PATCH 1/2] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock

DAMON development mailing list
 help / color / mirror / Atom feed

From: SeongJae Park <sj@kernel.org>
To: sashiko-bot@kernel.org
Cc: SeongJae Park <sj@kernel.org>, damon@lists.linux.dev
Subject: Re: [RFC PATCH 1/2] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
Date: Wed, 22 Apr 2026 17:41:47 -0700	[thread overview]
Message-ID: <20260423004148.74722-1-sj@kernel.org> (raw)
In-Reply-To: <20260422203017.48F3EC19425@smtp.kernel.org>

On Wed, 22 Apr 2026 20:30:16 +0000 sashiko-bot@kernel.org wrote:

> Sashiko AI review found 1 potential issue(s):
> - [High] Breaking from `mem_cgroup_iter()` without calling `mem_cgroup_iter_break()` leaks a cgroup reference in `damon_sysfs_memcg_path_to_id()`.

Nice finding, but not this patch's fault.  I will separately work on this.

> --
> 
> commit f19bff910905231adad168cfffc97ed67cb1fde3
> Author: SeongJae Park <sj@kernel.org>
> 
> mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
> 
> This commit fixes a use-after-free vulnerability by using damon_sysfs_lock
> to protect concurrent user-direct reads and writes to the memcg_path sysfs
> file. The locking prevents readers from accessing the memory path buffer
> while it is being deallocated by a write operation.
> 
> > diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
> > index 5186966dafb35..8d32a20531d49 100644
> > --- a/mm/damon/sysfs-schemes.c
> > +++ b/mm/damon/sysfs-schemes.c
> 
> [ ... ]
> 
> > @@ -550,8 +555,13 @@ static ssize_t memcg_path_store(struct kobject *kobj,
> >  		return -ENOMEM;
> >  
> >  	strscpy(path, buf, count + 1);
> > +	if (!mutex_trylock(&damon_sysfs_lock)) {
> > +		kfree(path);
> > +		return -EBUSY;
> > +	}
> >  	kfree(filter->memcg_path);
> >  	filter->memcg_path = path;
> > +	mutex_unlock(&damon_sysfs_lock);
> >  	return count;
> >  }
> 
> This isn't a bug introduced by this patch, but I noticed a pre-existing
> issue in this file.
> 
> Does damon_sysfs_memcg_path_to_id() leak a cgroup reference when breaking
> early from the hierarchy walk?
> 
> mm/damon/sysfs-schemes.c:damon_sysfs_memcg_path_to_id() {
> 	...
> 	for (memcg = mem_cgroup_iter(NULL, NULL, NULL); memcg;
> 			memcg = mem_cgroup_iter(NULL, memcg, NULL)) {
> 		/* skip offlined memcg */
> 		if (!mem_cgroup_online(memcg))
> 			continue;
> 		if (damon_sysfs_memcg_path_eq(memcg, path, memcg_path)) {
> 			*id = mem_cgroup_id(memcg);
> 			found = true;
> 			break;
> 		}
> 	}
> 	...
> }
> 
> According to the API contract, if a hierarchy walk is aborted prematurely
> before a round-trip is complete, the caller must use
> mem_cgroup_iter_break(NULL, memcg) to drop the reference to the last visited
> cgroup.
> 
> Because this is missing, could every successful resolution of a memcg path
> permanently leak a css reference?
> 
> In environments where DAMON configurations are frequently updated (like
> dynamically profiling containers), this could lead to a buildup of "zombie"
> cgroups that cannot be destroyed, eventually pinning substantial kernel
> memory and causing system-wide memory exhaustion.

Nice finding.  As Sashiko also mentions, not this patch's fault, though.  I
will separately work on this.

> 
> -- 
> Sashiko AI review · https://sashiko.dev/#/patchset/20260422143503.71357-1-sj@kernel.org?part=1
> 


Thanks,
SJ

next prev parent reply	other threads:[~2026-04-23  0:41 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-22 14:34 [RFC PATCH 0/2] mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path SeongJae Park
2026-04-22 14:35 ` [RFC PATCH 1/2] mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock SeongJae Park
2026-04-22 20:30   ` sashiko-bot
2026-04-23  0:41     ` SeongJae Park [this message]
2026-04-22 14:35 ` [RFC PATCH 2/2] mm/damon/sysfs-schemes: protect path " SeongJae Park
2026-04-22 21:02   ` sashiko-bot
2026-04-23  0:46     ` SeongJae Park
2026-04-22 14:40 ` [RFC PATCH 0/2] mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path SeongJae Park

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260423004148.74722-1-sj@kernel.org \
    --to=sj@kernel.org \
    --cc=damon@lists.linux.dev \
    --cc=sashiko-bot@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox