* [RFC PATCH 0/2] mm/damon/core: validate damos_quota_goal->nid
@ 2026-03-28 0:54 SeongJae Park
2026-03-28 0:54 ` [RFC PATCH 1/2] mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp SeongJae Park
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: SeongJae Park @ 2026-03-28 0:54 UTC (permalink / raw)
Cc: SeongJae Park, # 6 . 16 . x, Andrew Morton, damon, linux-kernel,
linux-mm
node_mem[cg]_{used,free}_bp DAMOS quota goals receive the node id. The
node id is used for si_meminfo_node() and NODE_DATA() without proper
validation. As a result, privileged users can trigger an out of bounds
memory access using DAMON_SYSFS. Fix the issues.
The issue was originally reported [1] with a fix by another author. The
original author announced [2] that they will stop working including the
fix that was still in the review stage. Hence I'm restarting this.
[1] https://lore.kernel.org/20260325073034.140353-1-objecting@objecting.org
[2] https://lore.kernel.org/20260327040924.68553-1-sj@kernel.org
SeongJae Park (2):
mm/damon/core: validate damos_quota_goal->nid for
node_mem_{used,free}_bp
mm/damon/core: validate damos_quota_goal->nid for
node_memcg_{used,free}_bp
mm/damon/core.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
base-commit: 7da5718476562bc8136c08216a1621aac09bcb51
--
2.47.3
^ permalink raw reply [flat|nested] 6+ messages in thread* [RFC PATCH 1/2] mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp
2026-03-28 0:54 [RFC PATCH 0/2] mm/damon/core: validate damos_quota_goal->nid SeongJae Park
@ 2026-03-28 0:54 ` SeongJae Park
2026-03-28 2:29 ` (sashiko review) " SeongJae Park
2026-03-28 0:54 ` [RFC PATCH 2/2] mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp SeongJae Park
2026-03-28 2:29 ` (sashiko status) [RFC PATCH 0/2] mm/damon/core: validate damos_quota_goal->nid SeongJae Park
2 siblings, 1 reply; 6+ messages in thread
From: SeongJae Park @ 2026-03-28 0:54 UTC (permalink / raw)
Cc: SeongJae Park, # 6 . 16 . x, Andrew Morton, damon, linux-kernel,
linux-mm
Users can set damos_quota_goal->nid with arbitrary value for
node_mem_{used,free}_bp. But DAMON core is using those for
si_meminfo_node() without the validation of the value. This can result
in out of bounds memory access. The issue can actually triggered using
DAMON user-space tool (damo), like below.
$ sudo ./damo start --damos_action stat \
--damos_quota_goal node_mem_used_bp 50% -1 \
--damos_quota_interval 1s
$ sudo dmesg
[...]
[ 65.565986] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
Fix this issue by adding the validation of the given node. If an
invalid node id is given, it returns 0% for used memory ratio, and 100%
for free memory ratio.
Fixes: 0e1c773b501f ("mm/damon/core: introduce damos quota goal metrics for memory node utilization")
Cc: <stable@vger.kernel.org> # 6.16.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
mm/damon/core.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/mm/damon/core.c b/mm/damon/core.c
index ddabb93f2377..9a848d7647ef 100644
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -2217,12 +2217,24 @@ static inline u64 damos_get_some_mem_psi_total(void)
#endif /* CONFIG_PSI */
#ifdef CONFIG_NUMA
+static bool invalid_mem_node(int nid)
+{
+ return nid < 0 || nid >= MAX_NUMNODES || !node_state(nid, N_MEMORY);
+}
+
static __kernel_ulong_t damos_get_node_mem_bp(
struct damos_quota_goal *goal)
{
struct sysinfo i;
__kernel_ulong_t numerator;
+ if (invalid_mem_node(goal->nid)) {
+ if (goal->metric == DAMOS_QUOTA_NODE_MEM_USED_BP)
+ return 0;
+ else /* DAMOS_QUOTA_NODE_MEM_FREE_BP */
+ return 10000;
+ }
+
si_meminfo_node(&i, goal->nid);
if (goal->metric == DAMOS_QUOTA_NODE_MEM_USED_BP)
numerator = i.totalram - i.freeram;
--
2.47.3
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: (sashiko review) [RFC PATCH 1/2] mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp
2026-03-28 0:54 ` [RFC PATCH 1/2] mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp SeongJae Park
@ 2026-03-28 2:29 ` SeongJae Park
0 siblings, 0 replies; 6+ messages in thread
From: SeongJae Park @ 2026-03-28 2:29 UTC (permalink / raw)
To: SeongJae Park; +Cc: # 6 . 16 . x, Andrew Morton, damon, linux-kernel, linux-mm
Forwarding Sashiko review for doing discussions via mails.
# review url: https://sashiko.dev/#/patchset/20260328005412.7606-2-sj@kernel.org
# start of sashiko.dev inline review
commit add63112781ae04626ae6cb9bce55a85234f6e49
Author: SeongJae Park <sj@kernel.org>
mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp
This commit adds validation for the given memory node id to prevent out of
bounds access when calculating node memory metrics. If an invalid node id
is provided, it defaults to returning 0% used or 100% free memory.
> diff --git a/mm/damon/core.c b/mm/damon/core.c
> --- a/mm/damon/core.c
> +++ b/mm/damon/core.c
[ ... ]
> @@ -2239,12 +2239,24 @@ static inline u64 damos_get_some_mem_psi_total(void)
> static __kernel_ulong_t damos_get_node_mem_bp(
> struct damos_quota_goal *goal)
> {
> struct sysinfo i;
> __kernel_ulong_t numerator;
>
> + if (invalid_mem_node(goal->nid)) {
> + if (goal->metric == DAMOS_QUOTA_NODE_MEM_USED_BP)
> + return 0;
> + else /* DAMOS_QUOTA_NODE_MEM_FREE_BP */
> + return 10000;
> + }
> +
> si_meminfo_node(&i, goal->nid);
> if (goal->metric == DAMOS_QUOTA_NODE_MEM_USED_BP)
> numerator = i.totalram - i.freeram;
> else /* DAMOS_QUOTA_NODE_MEM_FREE_BP */
> numerator = i.freeram;
> return mult_frac(numerator, 10000, i.totalram);
Could this result in a division by zero panic?
While invalid_mem_node() checks node_state(nid, N_MEMORY) to ensure the
node has present memory pages, si_meminfo_node() sets i.totalram based
solely on managed pages. If all memory on the node is reserved, i.totalram
could be 0.
Additionally, since the node_state() check is lockless, memory could be
concurrently offlined after invalid_mem_node() but before si_meminfo_node(),
also resulting in i.totalram being 0.
Would it be safer to explicitly verify i.totalram is greater than 0 before
calling mult_frac()?
# end of sashiko.dev inline review
# review url: https://sashiko.dev/#/patchset/20260328005412.7606-2-sj@kernel.org
#
# hkml [1] generated a draft of this mail. It can be regenerated
# using below command:
#
# hkml patch sashiko_dev --for_forwarding \
# 20260328005412.7606-2-sj@kernel.org
#
# [1] https://github.com/sjp38/hackermail
Sent using hkml (https://github.com/sjp38/hackermail)
^ permalink raw reply [flat|nested] 6+ messages in thread
* [RFC PATCH 2/2] mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp
2026-03-28 0:54 [RFC PATCH 0/2] mm/damon/core: validate damos_quota_goal->nid SeongJae Park
2026-03-28 0:54 ` [RFC PATCH 1/2] mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp SeongJae Park
@ 2026-03-28 0:54 ` SeongJae Park
2026-03-28 2:30 ` (sashiko review) " SeongJae Park
2026-03-28 2:29 ` (sashiko status) [RFC PATCH 0/2] mm/damon/core: validate damos_quota_goal->nid SeongJae Park
2 siblings, 1 reply; 6+ messages in thread
From: SeongJae Park @ 2026-03-28 0:54 UTC (permalink / raw)
Cc: SeongJae Park, # 6 . 19 . x, Andrew Morton, damon, linux-kernel,
linux-mm
Users can set damos_quota_goal->nid with arbitrary value for
node_memcg_{used,free}_bp. But DAMON core is using those for
NODE-DATA() without a validation of the value. This can result in out
of bounds memory access. The issue can actually triggered using DAMON
user-space tool (damo), like below.
$ sudo mkdir /sys/fs/cgroup/foo
$ sudo ./damo start --damos_action stat --damos_quota_interval 1s \
--damos_quota_goal node_memcg_used_bp 50% -1 /foo
$ sudo dmseg
[...]
[ 524.181426] Unable to handle kernel paging request at virtual address 0000000000002c00
Fix this issue by adding the validation of the given node id. If an
invalid node id is given, it returns 0% for used memory ratio, and 100%
for free memory ratio.
Fixes: b74a120bcf50 ("mm/damon/core: implement DAMOS_QUOTA_NODE_MEMCG_USED_BP")
Cc: <stable@vger.kernel.org> # 6.19.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
mm/damon/core.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/mm/damon/core.c b/mm/damon/core.c
index 9a848d7647ef..3298ee8d8f64 100644
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -2251,6 +2251,13 @@ static unsigned long damos_get_node_memcg_used_bp(
unsigned long used_pages, numerator;
struct sysinfo i;
+ if (invalid_mem_node(goal->nid)) {
+ if (goal->metric == DAMOS_QUOTA_NODE_MEMCG_USED_BP)
+ return 0;
+ else /* DAMOS_QUOTA_NODE_MEM_FREE_BP */
+ return 10000;
+ }
+
memcg = mem_cgroup_get_from_id(goal->memcg_id);
if (!memcg) {
if (goal->metric == DAMOS_QUOTA_NODE_MEMCG_USED_BP)
--
2.47.3
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: (sashiko review) [RFC PATCH 2/2] mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp
2026-03-28 0:54 ` [RFC PATCH 2/2] mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp SeongJae Park
@ 2026-03-28 2:30 ` SeongJae Park
0 siblings, 0 replies; 6+ messages in thread
From: SeongJae Park @ 2026-03-28 2:30 UTC (permalink / raw)
To: SeongJae Park; +Cc: # 6 . 19 . x, Andrew Morton, damon, linux-kernel, linux-mm
Forwarding Sashiko review for doing discussions via mails.
# review url: https://sashiko.dev/#/patchset/20260328005412.7606-3-sj@kernel.org
# start of sashiko.dev inline review
commit d10719045bbbd92307cf40ef0886ce0e81cb9caa
Author: SeongJae Park <sj@kernel.org>
mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp
This commit adds validation for the damos_quota_goal->nid when calculating
node memory cgroup usage ratios. If an invalid node ID is provided, it
returns 0% for used memory and 100% for free memory to prevent out-of-bounds
memory access during NODE_DATA() lookups.
> diff --git a/mm/damon/core.c b/mm/damon/core.c
> --- a/mm/damon/core.c
> +++ b/mm/damon/core.c
> @@ -2273,6 +2273,13 @@ static unsigned long damos_get_node_memcg_used_bp(
> unsigned long used_pages, numerator;
> struct sysinfo i;
>
> + if (invalid_mem_node(goal->nid)) {
> + if (goal->metric == DAMOS_QUOTA_NODE_MEMCG_USED_BP)
> + return 0;
> + else /* DAMOS_QUOTA_NODE_MEM_FREE_BP */
This isn't a bug, but there is a typo in the comment here. It says
DAMOS_QUOTA_NODE_MEM_FREE_BP instead of DAMOS_QUOTA_NODE_MEMCG_FREE_BP.
> + return 10000;
> + }
> +
[ ... ]
> si_meminfo_node(&i, goal->nid);
> if (goal->metric == DAMOS_QUOTA_NODE_MEMCG_USED_BP)
> numerator = used_pages;
> else /* DAMOS_QUOTA_NODE_MEMCG_FREE_BP */
> numerator = i.totalram - used_pages;
> return mult_frac(numerator, 10000, i.totalram);
> }
Does this code safely handle nodes with zero managed pages?
While the new invalid_mem_node() check ensures the node has N_MEMORY set, a
node could still have zero managed pages if all its memory is reserved, or
if a concurrent hot-remove event drops the pages to zero just before
si_meminfo_node() runs. If i.totalram evaluates to 0, mult_frac() will
cause a divide-by-zero kernel panic.
Can this calculation also silently overflow on 32-bit architectures?
Both used_pages and i.totalram are unsigned long. Since numerator <=
i.totalram, mult_frac() bypasses the initial integer division and computes
numerator * 10000 directly. If the memory cgroup uses more than ~1.7GB
(about 429,496 4KB pages), numerator * 10000 will exceed the maximum
32-bit unsigned long value, resulting in an incorrect ratio.
# end of sashiko.dev inline review
# review url: https://sashiko.dev/#/patchset/20260328005412.7606-3-sj@kernel.org
#
# hkml [1] generated a draft of this mail. It can be regenerated
# using below command:
#
# hkml patch sashiko_dev --for_forwarding \
# 20260328005412.7606-3-sj@kernel.org
#
# [1] https://github.com/sjp38/hackermail
Sent using hkml (https://github.com/sjp38/hackermail)
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: (sashiko status) [RFC PATCH 0/2] mm/damon/core: validate damos_quota_goal->nid
2026-03-28 0:54 [RFC PATCH 0/2] mm/damon/core: validate damos_quota_goal->nid SeongJae Park
2026-03-28 0:54 ` [RFC PATCH 1/2] mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp SeongJae Park
2026-03-28 0:54 ` [RFC PATCH 2/2] mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp SeongJae Park
@ 2026-03-28 2:29 ` SeongJae Park
2 siblings, 0 replies; 6+ messages in thread
From: SeongJae Park @ 2026-03-28 2:29 UTC (permalink / raw)
To: SeongJae Park; +Cc: # 6 . 16 . x, Andrew Morton, damon, linux-kernel, linux-mm
Forwarding sashiko.dev review status for this thread.
# review url: https://sashiko.dev/#/patchset/20260328005412.7606-1-sj@kernel.org
- [RFC PATCH 1/2] mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp
- status: Reviewed
- review: ISSUES MAY FOUND
- [RFC PATCH 2/2] mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp
- status: Reviewed
- review: ISSUES MAY FOUND
# hkml [1] generated a draft of this mail. It can be regenerated
# using below command:
#
# hkml patch sashiko_dev --thread_status --for_forwarding \
# 20260328005412.7606-1-sj@kernel.org
#
# [1] https://github.com/sjp38/hackermail
Sent using hkml (https://github.com/sjp38/hackermail)
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-03-28 2:30 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-28 0:54 [RFC PATCH 0/2] mm/damon/core: validate damos_quota_goal->nid SeongJae Park
2026-03-28 0:54 ` [RFC PATCH 1/2] mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp SeongJae Park
2026-03-28 2:29 ` (sashiko review) " SeongJae Park
2026-03-28 0:54 ` [RFC PATCH 2/2] mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp SeongJae Park
2026-03-28 2:30 ` (sashiko review) " SeongJae Park
2026-03-28 2:29 ` (sashiko status) [RFC PATCH 0/2] mm/damon/core: validate damos_quota_goal->nid SeongJae Park
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox