DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update are valid. The object is being used without an allocation failure check, and is leaked when the test succeeds. Fix the two bugs.
SeongJae Park (2):
  mm/damon/sysfs: catch commit test ctx alloc failure
  mm/damon/sysfs: dealloc commit test ctx always

 mm/damon/sysfs.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
base-commit: 3c39180d389ca58cf309b7aa58b6a3617151c226
The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check. This could result in an invalid memory access. Fix it by directly returning an error when the allocation failed.
Fixes: 4c9ea539ad59 ("mm/damon/sysfs: validate user inputs from damon_sysfs_commit_input()")
Cc: stable@vger.kernel.org # 6.15.x
Signed-off-by: SeongJae Park sj@kernel.org
---
 mm/damon/sysfs.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c index a212877ed240..27ebfe016871 100644 --- a/mm/damon/sysfs.c +++ b/mm/damon/sysfs.c @@ -1473,6 +1473,8 @@ static int damon_sysfs_commit_input(void *data) if (IS_ERR(param_ctx)) return PTR_ERR(param_ctx); test_ctx = damon_new_ctx(); + if (!test_ctx) + return -ENOMEM; err = damon_commit_ctx(test_ctx, param_ctx); if (err) { damon_destroy_ctx(test_ctx);
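Review bot: The new early return for the !test_ctx case, which sits right after the IS_ERR(param_ctx) check has passed, exits without destroying param_ctx, so the allocation failure path leaks the context that was just built. Call damon_destroy_ctx(param_ctx) before return -ENOMEM, or set err = -ENOMEM and jump to a label that frees only param_ctx.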
The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails. This means memory is leaked for every successful online DAMON parameters commit. Fix the leak by always deallocating it.
Fixes: 4c9ea539ad59 ("mm/damon/sysfs: validate user inputs from damon_sysfs_commit_input()")
Cc: stable@vger.kernel.org # 6.15.x
Signed-off-by: SeongJae Park sj@kernel.org
---
 mm/damon/sysfs.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c index 27ebfe016871..ccfb624a94b8 100644 --- a/mm/damon/sysfs.c +++ b/mm/damon/sysfs.c @@ -1476,12 +1476,11 @@ static int damon_sysfs_commit_input(void *data) if (!test_ctx) return -ENOMEM; err = damon_commit_ctx(test_ctx, param_ctx); - if (err) { - damon_destroy_ctx(test_ctx); + if (err) goto out; - } err = damon_commit_ctx(kdamond->damon_ctx, param_ctx); out: + damon_destroy_ctx(test_ctx); damon_destroy_ctx(param_ctx); return err; }
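Review bot: The damon_destroy_ctx(test_ctx) added under the out: label makes that label correct only for paths where test_ctx is non-NULL, which holds today solely because the !test_ctx check above returns directly instead of jumping there. Consider a second label below it that frees only param_ctx, so the allocation failure path can release param_ctx through the common exit without relying on damon_destroy_ctx() accepting a NULL pointer.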
linux-stable-mirror@lists.linaro.org