[PATCH v2] mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]

Next message: Maxime Ripard: "[PATCH v2 08/20] drm/plane: Add new atomic_create_state callback"
Previous message: Josh Law: "[PATCH v2] mm/damon/sysfs: check contexts-&gt;nr in repeat_call_fn"
In reply to: Josh Law: "[PATCH v2] mm/damon/sysfs: check contexts-&gt;nr in repeat_call_fn"
Next in thread: SeongJae Park: "Re: [PATCH v2] mm/damon/sysfs: fix param_ctx leak on damon_sysfs_new_test_ctx() failure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Josh Law

Date: Fri Mar 20 2026 - 12:35:51 EST

Multiple sysfs command paths dereference contexts_arr[0] without first
verifying that nr_contexts >= 1. A user can set nr_contexts to 0 via
sysfs while DAMON is running, causing NULL pointer dereferences.

Guard all commands (except OFF) at the entry point of
damon_sysfs_handle_cmd().

Fixes: 0ac32b8affb5 ("mm/damon/sysfs: support DAMOS stats")
Cc: <stable@xxxxxxxxxxxxxxx> # 5.18.x
Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>
Reviewed-by: SeongJae Park <sj@xxxxxxxxxx>
---
mm/damon/sysfs.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
index b573b9d60784..ddc30586c0e6 100644
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1749,6 +1749,9 @@ static int damon_sysfs_update_schemes_tried_regions(
static int damon_sysfs_handle_cmd(enum damon_sysfs_cmd cmd,
struct damon_sysfs_kdamond *kdamond)
{
+ if (cmd != DAMON_SYSFS_CMD_OFF && kdamond->contexts->nr != 1)
+ return -EINVAL;
+
switch (cmd) {
case DAMON_SYSFS_CMD_ON:
return damon_sysfs_turn_damon_on(kdamond);
--
2.34.1