DAMON development mailing list
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "SJ Park" <sj@kernel.org>
Cc: damon@lists.linux.dev
Subject: Re: [RFC PATCH 2/8] mm/damon/core: do parameter testing commit on damon_start()
Date: Wed, 01 Jul 2026 15:20:50 +0000	[thread overview]
Message-ID: <20260701152050.BDBEE1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701144815.113325-3-sj@kernel.org>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] `damon_commit_ctx()` incorrectly validates `dst` against `test_ctx` instead of `src`, bypassing the safety mechanism.
- [Medium] Reusing a single `test_ctx` across multiple loop iterations in `damon_start()` leaks state between contexts, leading to non-deterministic validation outcomes.
--

commit db4fd1a9680927efd94179ba2c47dd9fdd14f123
Author: SJ Park <sj@kernel.org>

mm/damon/core: do parameter testing commit on damon_start()

damon_start() and damon_commit_ctx() are the two main API functions for
setting DAMON parameters. This commit embeds the parameter check already
present in damon_commit_ctx() into damon_start(), allowing callers to
safely use damon_start() without manually validating parameters first.

The commit message mentions that damon_commit_ctx() does holistic
parameters testing. Looking at damon_commit_ctx() in the same file:

mm/damon/core.c:damon_commit_ctx() {
	...
	test_ctx = damon_new_test_ctx(dst);
	if (!test_ctx)
		return -ENOMEM;
	err = __damon_commit_ctx(test_ctx, dst);
	if (err)
		goto out;
	err = __damon_commit_ctx(dst, src);
	...
}

[Severity: High]
Does this bypass the safety validation mechanism in damon_commit_ctx()?

The validation incorrectly tests the active context dst against test_ctx
instead of testing the incoming parameters src. 

If invalid parameters are supplied or if a mid-commit allocation fails, the
incoming parameters src are directly applied to the active context dst
without any prior dry-run validation. This leaves the active context dst in a
corrupted state (maybe_corrupted = true), potentially leading to monitoring
thread crashes or unpredictable kernel behavior.

> diff --git a/mm/damon/core.c b/mm/damon/core.c
> index 5ca176eb27e1d..ace202f47dd7c 100644
> --- a/mm/damon/core.c
> +++ b/mm/damon/core.c

[ ... ]

> @@ -1785,13 +1787,22 @@ static int __damon_start(struct damon_ctx *ctx)
>   */
>  int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive)
>  {
> +	struct damon_ctx *test_ctx;
>  	int i;
>  	int err = 0;
>  
> +	test_ctx = damon_new_ctx();
> +	if (!test_ctx)
> +		return -ENOMEM;
> +
>  	for (i = 0; i < nr_ctxs; i++) {
> -		if (!is_power_of_2(ctxs[i]->min_region_sz))
> -			return -EINVAL;
> +		err = __damon_commit_ctx(test_ctx, ctxs[i]);

[Severity: Medium]
Does reusing a single test_ctx across multiple loop iterations leak state
between contexts?

If a caller invokes damon_start() with multiple contexts (nr_ctxs > 1),
test_ctx is mutated in the first iteration. In the second iteration,
__damon_commit_ctx() runs on the same, un-cleared test_ctx.

For example, if ctxs[1] has an obsolete target:

mm/damon/core.c:damon_commit_targets() {
	...
		/* target to remove has no matching dst */
		if (src_target->obsolete) {
			err = -EINVAL;
			goto out;
		}
	...
}

It evaluates against the residual targets of ctxs[0]. If ctxs[0] had enough
targets, the obsolete target incorrectly matches and passes validation. If
ctxs[0] had no targets, it fails with -EINVAL, producing non-deterministic
validation results.

> +		if (err) {
> +			damon_destroy_ctx(test_ctx);
> +			return err;
> +		}
>  	}
> +	damon_destroy_ctx(test_ctx);
>  
>  	mutex_lock(&damon_lock);
>  	if ((exclusive && nr_running_ctxs) ||

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701144815.113325-1-sj@kernel.org?part=2

  reply	other threads:[~2026-07-01 15:20 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01 14:48 [RFC PATCH 0/8] mm/damon: validate all parameters in the core SJ Park
2026-07-01 14:48 ` [RFC PATCH 1/8] mm/damon/core: safely validate src on damon_commit_ctx() SJ Park
2026-07-01 15:01   ` sashiko-bot
2026-07-01 15:06     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 2/8] mm/damon/core: do parameter testing commit on damon_start() SJ Park
2026-07-01 15:20   ` sashiko-bot [this message]
2026-07-02  0:05     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 3/8] mm/damon/sysfs: remove duplicated commit input validity check SJ Park
2026-07-01 15:29   ` sashiko-bot
2026-07-02  0:09     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 4/8] mm/damon/reclaim: remove duplicated min_region_sz power of 2 check SJ Park
2026-07-01 15:42   ` sashiko-bot
2026-07-02  0:10     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 5/8] mm/damon/lru_sort: remove duplicated min_region_sz power_of_2() check SJ Park
2026-07-01 15:56   ` sashiko-bot
2026-07-02  0:15     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 6/8] mm/damon: document region size validation in damon_set_regions() SJ Park
2026-07-01 16:04   ` sashiko-bot
2026-07-02  0:16     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 7/8] mm/damon/core: remove start, end check in damon_set_region_system_rams() SJ Park
2026-07-01 16:22   ` sashiko-bot
2026-07-02  0:18     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 8/8] mm/damon/sysfs: remove region size validation SJ Park
2026-07-01 16:34   ` sashiko-bot
2026-07-02  0:19     ` SJ Park

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701152050.BDBEE1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=damon@lists.linux.dev \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=sj@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox