The quilt patch titled Subject: mm/damon/dbgfs: check if rm_contexts input is for a real context has been removed from the -mm tree. Its filename was mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj@xxxxxxxxxx> Subject: mm/damon/dbgfs: check if rm_contexts input is for a real context Date: Mon, 7 Nov 2022 16:50:00 +0000 A user could write a name of a file under 'damon/' debugfs directory, which is not a user-created context, to 'rm_contexts' file. In the case, 'dbgfs_rm_context()' just assumes it's the valid DAMON context directory only if a file of the name exist. As a result, invalid memory access could happen as below. Fix the bug by checking if the given input is for a directory. This check can filter out non-context inputs because directories under 'damon/' debugfs directory can be created via only 'mk_contexts' file. This bug has found by syzbot[1]. [1] https://lore.kernel.org/damon/000000000000ede3ac05ec4abf8e@xxxxxxxxxx/ Link: https://lkml.kernel.org/r/20221107165001.5717-2-sj@xxxxxxxxxx Fixes: 75c1c2b53c78 ("mm/damon/dbgfs: support multiple contexts") Signed-off-by: SeongJae Park <sj@xxxxxxxxxx> Reported-by: syzbot+6087eafb76a94c4ac9eb@xxxxxxxxxxxxxxxxxxxxxxxxx Cc: <stable@xxxxxxxxxxxxxxx> [5.15.x] Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- mm/damon/dbgfs.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/mm/damon/dbgfs.c~mm-damon-dbgfs-check-if-rm_contexts-input-is-for-a-real-context +++ a/mm/damon/dbgfs.c @@ -890,6 +890,7 @@ out: static int dbgfs_rm_context(char *name) { struct dentry *root, *dir, **new_dirs; + struct inode *inode; struct damon_ctx **new_ctxs; int i, j; int ret = 0; @@ -905,6 +906,12 @@ static int dbgfs_rm_context(char *name) if (!dir) return -ENOENT; + inode = d_inode(dir); + if (!S_ISDIR(inode->i_mode)) { + ret = -EINVAL; + goto out_dput; + } + new_dirs = kmalloc_array(dbgfs_nr_ctxs - 1, sizeof(*dbgfs_dirs), GFP_KERNEL); if (!new_dirs) { _ Patches currently in -mm which might be from sj@xxxxxxxxxx are mm-damon-core-split-out-damos-charged-region-skip-logic-into-a-new-function.patch mm-damon-core-split-damos-application-logic-into-a-new-function.patch mm-damon-core-split-out-scheme-stat-update-logic-into-a-new-function.patch mm-damon-core-split-out-scheme-quota-adjustment-logic-into-a-new-function.patch mm-damon-sysfs-use-damon_addr_range-for-regions-start-and-end-values.patch mm-damon-sysfs-remove-parameters-of-damon_sysfs_region_alloc.patch mm-damon-sysfs-move-sysfs_lock-to-common-module.patch mm-damon-sysfs-move-unsigned-long-range-directory-to-common-module.patch mm-damon-sysfs-split-out-kdamond-independent-schemes-stats-update-logic-into-a-new-function.patch mm-damon-sysfs-split-out-schemes-directory-implementation-to-separate-file.patch mm-damon-modules-deduplicate-init-steps-for-damon-context-setup.patch mm-damon-reclaimlru_sort-remove-unnecessarily-included-headers.patch mm-damon-reclaim-enable-and-disable-synchronously.patch selftests-damon-add-tests-for-damon_reclaims-enabled-parameter.patch mm-damon-lru_sort-enable-and-disable-synchronously.patch selftests-damon-add-tests-for-damon_lru_sorts-enabled-parameter.patch docs-admin-guide-mm-damon-usage-describe-the-rules-of-sysfs-region-directories.patch docs-admin-guide-mm-damon-usage-fix-wrong-usage-example-of-init_regions-file.patch mm-damon-core-add-a-callback-for-scheme-target-regions-check.patch mm-damon-sysfs-schemes-implement-schemes-tried_regions-directory.patch mm-damon-sysfs-schemes-implement-scheme-region-directory.patch mm-damon-sysfs-implement-damos-tried-regions-update-command.patch mm-damon-sysfs-schemes-implement-damos-tried-regions-clear-command.patch tools-selftets-damon-sysfs-test-tried_regions-directory-existence.patch docs-admin-guide-mm-damon-usage-document-schemes-s-tried_regions-sysfs-directory.patch docs-abi-damon-document-schemes-s-tried_regions-sysfs-directory.patch selftests-damon-test-non-context-inputs-to-rm_contexts-file.patch