DAMON development mailing list
From: SJ Park <sj@kernel.org>
To: sashiko-bot@kernel.org
Cc: SJ Park <sj@kernel.org>, damon@lists.linux.dev
Subject: Re: [RFC PATCH 8/8] mm/damon/sysfs: remove region size validation
Date: Wed,  1 Jul 2026 17:19:18 -0700
Message-ID: <20260702001919.87095-1-sj@kernel.org>
In-Reply-To: <20260701163455.526421F000E9@smtp.kernel.org>

On Wed, 01 Jul 2026 16:34:54 +0000 sashiko-bot@kernel.org wrote:

> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [High] Removing the `start > end` validation allows users to configure monitoring regions with negative sizes, causing integer underflow in region size calculations. This leads to infinite memory allocation loops (OOM), potential list corruption, and CPU soft lockups during DAMON region splitting and scheme operations.
> --
> 
> commit 013d66b2108372ca2ada7fc6fcfd5e07f93fd78c
> Author: SJ Park <sj@kernel.org>
> 
> mm/damon/sysfs: remove region size validation
> 
> This commit removes the region size validation in DAMON sysfs that checks
> for negative size regions. The commit message states that the validation is
> incomplete and that damon_set_regions() already performs complete
> validation.
> 
> > diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
> > index e666dddf1feba..b65651498e0d1 100644
> > --- a/mm/damon/sysfs.c
> > +++ b/mm/damon/sysfs.c
> > @@ -1987,9 +1987,6 @@ static int damon_sysfs_set_regions(struct damon_target *t,
> >  		struct damon_sysfs_region *sys_region >  			sysfs_regions->regions_arr[i];
> >  
> > -		if (sys_region->ar.start > sys_region->ar.end)
> > -			goto out;
> > -
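Review bot: the removed `if (sys_region->ar.start > sys_region->ar.end) goto out;` was the sysfs-side guard against inverted ranges, so this hunk is only safe if the damon_set_regions() validation the commit message relies on rejects start > end before the ALIGN_DOWN()/ALIGN() calls quoted below, since aligning an inverted range can produce a zero-size or wrapped-size region rather than an error. Suggest the commit message name that check explicitly (patch 6/8 of this series documents it) so the dependency is reviewable, and confirm the `out:` label in damon_sysfs_set_regions() still has another user now that this `goto out` is gone; otherwise it becomes an unused label.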
> 
> [Severity: High]
> The commit message mentions that damon_set_regions() does the complete
> validation, but looking at damon_set_regions() in mm/damon/core.c, does it
> actually validate that start <= end?
> 
> mm/damon/core.c:damon_set_regions() {
> 	...
> 	r = damon_new_region(
> 		ALIGN_DOWN(ranges[i].start, min_region_sz),
> 		ALIGN(ranges[i].end, min_region_sz));
> 	...
> }
> 
> If a user configures a region where start > end, wouldn't this cause an
> integer underflow when calculating the region size later? 
> 
> For example, could this underflow lead to an infinite memory allocation loop
> in mm/damon/core.c:damon_apply_min_nr_regions():
> 
> 	while (damon_sz_region(r) > max_region_sz) {
> 		damon_split_region_at(t, r, max_region_sz);
> 		r = damon_next_region(r);
> 	}
> 
> Could this loop evaluate the underflowed size and attempt to allocate new
> regions repeatedly until an OOM occurs?
> 
> Additionally, for newly split regions where start < end locally, could this
> spin over a massive address range without yielding and cause a CPU soft
> lockup in mm/damon/paddr.c:damon_pa_pageout():
> 
> 	while (addr < damon_pa_phys_addr(r->ar.end, addr_unit)) {
> 		...
> 	}

My previous reply [1] should again be applied here.

[1] https://lore.kernel.org/20260702001650.86841-1-sj@kernel.org


Thanks,
SJ

[...]
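As an added illustration of the hazard the review above asks about (not DAMON code, and not part of this thread), the following constructed C example shows why an inverted range has to be rejected before alignment rather than relying on the size computation to catch it: `range_size()` mirrors the kernel's unsigned `end - start` subtraction, `align_range_size()` mirrors the ALIGN_DOWN()/ALIGN() step quoted from damon_set_regions(), and `range_valid()` is a hypothetical stand-in for the core-level validation the commit message says exists. The struct, macro and function names are the example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed example, not DAMON code. struct addr_range and the helpers
 * below are hypothetical stand-ins for struct damon_addr_range, the kernel's
 * ALIGN_DOWN()/ALIGN() macros and the validation that a core entry point
 * must perform once the sysfs-side start > end check is removed.
 */
struct addr_range {
	unsigned long start;
	unsigned long end;
};

/* Kernel-style alignment helpers; `a` must be a power of two. */
#define ALIGN_DOWN_U(x, a)	((x) & ~((a) - 1))
#define ALIGN_UP_U(x, a)	(((x) + (a) - 1) & ~((a) - 1))

/* Region size computed as the kernel does it: unsigned, so start > end wraps. */
static unsigned long range_size(unsigned long start, unsigned long end)
{
	return end - start;
}

/*
 * Size of the region that would be created if the range were aligned the way
 * damon_set_regions() aligns it, with no validation at all. For an inverted
 * range this is either 0 (both ends land on the same boundary) or a wrapped
 * value close to ULONG_MAX, which is what makes later splitting loops run away.
 */
static unsigned long align_range_size(unsigned long start, unsigned long end,
				      unsigned long min_region_sz)
{
	struct addr_range a = {
		.start = ALIGN_DOWN_U(start, min_region_sz),
		.end = ALIGN_UP_U(end, min_region_sz),
	};
	return range_size(a.start, a.end);
}

/*
 * Validation that must live in the core if sysfs no longer checks: reject an
 * invalid alignment, reject inverted ranges before aligning (the size would
 * wrap), and reject ranges that align down to nothing (the size would be 0).
 */
static bool range_valid(unsigned long start, unsigned long end,
			unsigned long min_region_sz)
{
	if (min_region_sz == 0 || (min_region_sz & (min_region_sz - 1)))
		return false;		/* alignment must be a power of two */
	if (start > end)
		return false;		/* inverted range */
	if (ALIGN_UP_U(end, min_region_sz) <= ALIGN_DOWN_U(start, min_region_sz))
		return false;		/* empty after alignment */
	return true;
}

int main(void)
{
	const unsigned long min_sz = 0x1000;

	printf("0x1800-0x5000: size 0x%lx, aligned size 0x%lx, accepted=%d\n",
	       range_size(0x1800, 0x5000),
	       align_range_size(0x1800, 0x5000, min_sz),
	       range_valid(0x1800, 0x5000, min_sz));
	/* Inverted range: the aligned size wraps to just under ULONG_MAX. */
	printf("0x3000-0x1000: aligned size 0x%lx (wrapped), accepted=%d\n",
	       align_range_size(0x3000, 0x1000, min_sz),
	       range_valid(0x3000, 0x1000, min_sz));
	/* Empty range: start == end is not inverted but yields a zero-size region. */
	printf("0x2000-0x2000: aligned size 0x%lx, accepted=%d\n",
	       align_range_size(0x2000, 0x2000, min_sz),
	       range_valid(0x2000, 0x2000, min_sz));
	return 0;
}
```

The ordering inside `range_valid()` is the point: the `start > end` test has to come before alignment, because once the two ends have been rounded in opposite directions the subtraction either wraps or collapses to zero and no longer reveals that the input was inverted.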

Thread overview: 25+ messages
2026-07-01 14:48 [RFC PATCH 0/8] mm/damon: validate all parameters in the core SJ Park
2026-07-01 14:48 ` [RFC PATCH 1/8] mm/damon/core: safely validate src on damon_commit_ctx() SJ Park
2026-07-01 15:01   ` sashiko-bot
2026-07-01 15:06     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 2/8] mm/damon/core: do parameter testing commit on damon_start() SJ Park
2026-07-01 15:20   ` sashiko-bot
2026-07-02  0:05     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 3/8] mm/damon/sysfs: remove duplicated commit input validity check SJ Park
2026-07-01 15:29   ` sashiko-bot
2026-07-02  0:09     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 4/8] mm/damon/reclaim: remove duplicated min_region_sz power of 2 check SJ Park
2026-07-01 15:42   ` sashiko-bot
2026-07-02  0:10     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 5/8] mm/damon/lru_sort: remove duplicated min_region_sz power_of_2() check SJ Park
2026-07-01 15:56   ` sashiko-bot
2026-07-02  0:15     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 6/8] mm/damon: document region size validation in damon_set_regions() SJ Park
2026-07-01 16:04   ` sashiko-bot
2026-07-02  0:16     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 7/8] mm/damon/core: remove start, end check in damon_set_region_system_rams() SJ Park
2026-07-01 16:22   ` sashiko-bot
2026-07-02  0:18     ` SJ Park
2026-07-01 14:48 ` [RFC PATCH 8/8] mm/damon/sysfs: remove region size validation SJ Park
2026-07-01 16:34   ` sashiko-bot
2026-07-02  0:19     ` SJ Park [this message]
