Re: [PATCH 3/4] mm/damon/sysfs: check contexts->nr in update_schemes_tried_regions

From: SeongJae Park

Date: Thu Mar 19 2026 - 22:15:19 EST


On Thu, 19 Mar 2026 15:57:41 +0000 Josh Law <objecting@xxxxxxxxxxxxx> wrote:

> damon_sysfs_update_schemes_tried_regions() and its callback
> damon_sysfs_schemes_tried_regions_upd_one() access contexts_arr[0]
> without verifying nr_contexts >= 1. This can NULL deref if damon_ctx is
> non-NULL (preserved after stop) but nr_contexts has been set to 0. Add
> the missing check.

Nice catch. This can be triggered by privileged users.

# cd /sys/kernel/mm/damon/admin/kdamonds/
# echo 1 > nr_kdamonds
# echo 1 > contexts/nr_contexts
# echo on > state
# echo off > state
# echo 0 > contexts/nr_contexts
# echo update_schemes_tried_regions > state
# dmesg
[...]
[ 222.362338] BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]

Weird sequence of commands, but even privileged users can make mistakes. So I
think this deserves Fixes: and Cc: stable.

But, this is just another instance of a class of bugs that I mentioned in the
reply to the second patch of this series. I'd suggest fixing all bugs of the
class with a single fix, as I also mentioned on the second patch thread. Let's
discuss it on that thread.


Thanks,
SJ

[...]
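As an added illustration, not the patch itself (which is elided above) and not kernel code, here is a standalone C model of the state mismatch the report describes: damon_ctx stays non-NULL after "off", nr_contexts is reset to 0, and the update handler reads contexts_arr[0]. The struct layouts, set_nr_contexts() and replay_sequence() are simplified assumptions for the model; only the field names contexts_arr, nr and damon_ctx come from the report.

```c
#include <errno.h>
#include <stdlib.h>

/* Simplified stand-ins for the DAMON sysfs objects; field names follow the
 * report (contexts_arr, nr, damon_ctx) but these are NOT the kernel's structs. */
struct damon_ctx { int unused; };
struct damon_sysfs_context { int tried_regions_updates; };
struct damon_sysfs_contexts { struct damon_sysfs_context **contexts_arr; int nr; };
struct damon_sysfs_kdamond {
	struct damon_sysfs_contexts *contexts;
	struct damon_ctx *damon_ctx;  /* kept non-NULL after "echo off > state" */
};

/* Models a write to contexts/nr_contexts: drop the old array, allocate nr entries. */
static void set_nr_contexts(struct damon_sysfs_contexts *c, int nr)
{
	for (int i = 0; i < c->nr; i++)
		free(c->contexts_arr[i]);
	free(c->contexts_arr);
	c->contexts_arr = nr ? calloc(nr, sizeof(*c->contexts_arr)) : NULL;
	for (int i = 0; i < nr; i++)
		c->contexts_arr[i] = calloc(1, sizeof(**c->contexts_arr));
	c->nr = nr;
}

/* Models "echo update_schemes_tried_regions > state" with the guard added:
 * a non-NULL damon_ctx alone does not prove contexts_arr[0] exists. */
static int update_schemes_tried_regions(struct damon_sysfs_kdamond *kd)
{
	if (!kd->damon_ctx)
		return -EINVAL;              /* kdamond was never started */
	if (kd->contexts->nr < 1)
		return -EINVAL;              /* the missing check: contexts_arr is NULL here */
	kd->contexts->contexts_arr[0]->tried_regions_updates++;
	return 0;
}

/* Replays the reported sysfs sequence (nr_contexts=1, on, off, optionally
 * nr_contexts=0, then update) and returns the update's result. */
static int replay_sequence(int reset_nr_to_zero_before_update)
{
	static struct damon_ctx ctx;
	struct damon_sysfs_contexts c = { NULL, 0 };
	struct damon_sysfs_kdamond kd = { &c, NULL };
	set_nr_contexts(&c, 1);            /* echo 1 > contexts/nr_contexts */
	kd.damon_ctx = &ctx;               /* echo on > state; "echo off" keeps the pointer */
	if (reset_nr_to_zero_before_update)
		set_nr_contexts(&c, 0);    /* echo 0 > contexts/nr_contexts */
	int ret = update_schemes_tried_regions(&kd);
	set_nr_contexts(&c, 0);            /* release whatever is still allocated */
	return ret;
}
```

With the check in place the reported sequence returns -EINVAL instead of dereferencing a NULL contexts_arr; the same sequence without the reset still succeeds.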