From: sashiko-bot@kernel.org
To: "SeongJae Park" <sj@kernel.org>
Cc: damon@lists.linux.dev
Subject: Re: [PATCH 04/11] mm/damon/sysfs-schemes: implement fail_charge_{num,denom} files
Date: Tue, 28 Apr 2026 01:54:35 +0000
Message-ID: <20260428015436.8D935C19425@smtp.kernel.org>
In-Reply-To: <20260428013402.115171-5-sj@kernel.org>
Sashiko AI review found 1 potential issue(s):
- [Medium] The sysfs store functions for `fail_charge_num` and `fail_charge_denom` do not validate or bound the ratio, leading to potential integer overflow in the core quota tracking logic.
--
commit 43a135a4abb7954bcb255ae58b1aa323b2447477
Author: SeongJae Park <sj@kernel.org>
mm/damon/sysfs-schemes: implement fail_charge_{num,denom} files
This commit implements the user-space ABI for the DAMOS action failed region
quota-charge ratio setup. It adds sysfs files for fail_charge_num and
fail_charge_denom to allow reading and setting the numerator and
denominator of the failed regions charge ratio.
> diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
> index 04746cbb3327..dee1f5788bea 100644
> --- a/mm/damon/sysfs-schemes.c
> +++ b/mm/damon/sysfs-schemes.c
[ ... ]
> +static ssize_t fail_charge_num_store(struct kobject *kobj,
> + struct kobj_attribute *attr, const char *buf, size_t count)
> +{
> + struct damon_sysfs_quotas *quotas = container_of(kobj,
> + struct damon_sysfs_quotas, kobj);
> + int err = kstrtouint(buf, 0, "as->fail_charge_num);
> +
> + if (err)
> + return -EINVAL;
> + return count;
> +}
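Review bot: fail_charge_num_store() maps every kstrtouint() failure to -EINVAL in the `if (err)` branch, so an out-of-range write, for which kstrtouint() returns -ERANGE, reaches user space as a generic invalid argument; `return err;` would pass the parse result through. The function also stores any value up to UINT_MAX with no upper bound and no check against the denominator, so if the ratio is meant to stay within a range, enforce it here or add a comment saying where it is validated.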
Can this unbounded input lead to an integer overflow in the core quota
tracking logic?

The values read via kstrtouint() are unconstrained up to UINT_MAX. Later, in
damos_charge_quota(), these values are passed to:

    mult_frac(sz_region - sz_applied, quota->fail_charge_num,
              quota->fail_charge_denom)

If the region size in bytes is large (for example, a single DAMON region of
10 GB) and the numerator is set near UINT_MAX, their product could exceed
ULONG_MAX. For instance, 10GB * UINT_MAX is roughly 40 * 10^18, which is
larger than ULONG_MAX's 18.4 * 10^18.

Could this cause an overflow that wraps around to an anomalously small value,
effectively bypassing the administrator's configured quota limits?
> +
> +static ssize_t fail_charge_denom_show(struct kobject *kobj,
> + struct kobj_attribute *attr, char *buf)
> +{
> + struct damon_sysfs_quotas *quotas = container_of(kobj,
> + struct damon_sysfs_quotas, kobj);
> +
> + return sysfs_emit(buf, "%u\n", quotas->fail_charge_denom);
> +}
> +
> +static ssize_t fail_charge_denom_store(struct kobject *kobj,
> + struct kobj_attribute *attr, const char *buf, size_t count)
> +{
> + struct damon_sysfs_quotas *quotas = container_of(kobj,
> + struct damon_sysfs_quotas, kobj);
> + int err = kstrtouint(buf, 0, "as->fail_charge_denom);
> +
> + if (err)
> + return -EINVAL;
> + return count;
> +}
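Review bot: fail_charge_denom_store() accepts 0, since the only check after kstrtouint() is `if (err)`. The field is a denominator, so either reject zero here with -EINVAL or add a comment stating where a zero denominator is handled before the value is used as a divisor; nothing visible in this hunk does so.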
Does the fail_charge_denom input also require bounding to prevent the same
overflow issues when passed into the quota tracking logic?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260428013402.115171-1-sj@kernel.org?part=4
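
The overflow question raised in this review can be checked in user space. The block below is an added example, not part of the message or of the kernel tree: mult_frac_u64() is a model of the kernel's mult_frac() macro assuming a 64-bit unsigned long, charge_checked() is a hypothetical overflow-reporting variant, and the 10 GiB region size is a constructed input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of mult_frac(x, n, d) for a 64-bit unsigned long x and
 * unsigned int n, d: x / d * n + x % d * n / d (assumption: 64-bit). */
static uint64_t mult_frac_u64(uint64_t x, uint32_t n, uint32_t d)
{
	uint64_t q = x / d;
	uint64_t r = x % d;

	return q * n + r * n / d;	/* q * n wraps silently if too large */
}

/* Hypothetical checked variant: returns false instead of wrapping,
 * and rejects a zero denominator. */
static bool charge_checked(uint64_t x, uint32_t n, uint32_t d, uint64_t *out)
{
	uint64_t hi, lo;

	if (d == 0)
		return false;
	if (__builtin_mul_overflow(x / d, (uint64_t)n, &hi))
		return false;
	lo = (x % d) * n / d;	/* cannot wrap: both factors are < 2^32 */
	return !__builtin_add_overflow(hi, lo, out);
}

int main(void)
{
	const uint64_t region = 10ULL << 30;	/* constructed: 10 GiB */
	const uint32_t ratios[][2] = {
		{ 1, 2 },			/* charge half of failed bytes */
		{ UINT32_MAX, UINT32_MAX },	/* huge terms, ratio of 1 */
		{ UINT32_MAX, 1 },		/* huge ratio: q * n wraps */
	};

	for (size_t i = 0; i < sizeof(ratios) / sizeof(ratios[0]); i++) {
		uint64_t out = 0;
		bool ok = charge_checked(region, ratios[i][0], ratios[i][1], &out);

		printf("%u/%u: mult_frac=%llu checked=%s\n",
		       ratios[i][0], ratios[i][1],
		       (unsigned long long)mult_frac_u64(region, ratios[i][0],
							 ratios[i][1]),
		       ok ? "ok" : "overflow");
	}
	return 0;
}
```

The second row shows that a numerator near UINT_MAX is harmless when the denominator is equally large; only a large ratio wraps, so a bound belongs on the ratio (or on the multiplication itself) rather than on the numerator alone.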