Commit ba1dd7ac authored Aug 16, 2025 by SeongJae Park Committed by Andrew Morton Aug 19, 2025

mm/damon/sysfs-schemes: put damos dests dir after removing its files

damon_sysfs_scheme_rm_dirs() puts dests directory kobject before removing
its internal files.  Sincee putting the kobject frees its container
struct, and the internal files removal accesses the container,
use-after-free happens.  Fix it by putting the reference _after_ removing
the files.

Link: https://lkml.kernel.org/r/20250816165559.2601-1-sj@kernel.org


Fixes: 2cd0bf85 ("mm/damon/sysfs-schemes: implement DAMOS action destinations directory")
Signed-off-by: SeongJae Park <sj@kernel.org>
Reported-by: Alexandre Ghiti <alex@ghiti.fr>
Closes: https://lore.kernel.org/2d39a734-320d-4341-8f8a-4019eec2dbf2@ghiti.fr


Tested-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

parent 053c8ebe

mm/damon/sysfs-schemes.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2158,8 +2158,8 @@ static void damon_sysfs_scheme_rm_dirs(struct damon_sysfs_scheme *scheme)
		{
		damon_sysfs_access_pattern_rm_dirs(scheme->access_pattern);
		kobject_put(&scheme->access_pattern->kobj);
		kobject_put(&scheme->dests->kobj);
		damos_sysfs_dests_rm_dirs(scheme->dests);
		kobject_put(&scheme->dests->kobj);
		damon_sysfs_quotas_rm_dirs(scheme->quotas);
		kobject_put(&scheme->quotas->kobj);
		kobject_put(&scheme->watermarks->kobj);