From: SeongJae Park <sj@kernel.org>
To: JaeJoon Jung <rgbi3307@gmail.com>
Cc: SeongJae Park <sj@kernel.org>,
damon@lists.linux.dev, linux-mm@kvack.org, rgbi3307@nate.com
Subject: Re: [PATCH] mm/damon/sysfs: preventing duplicated list_add_tail() at the damon_call()
Date: Wed, 24 Dec 2025 16:32:04 -0800 [thread overview]
Message-ID: <20251225003205.14522-1-sj@kernel.org> (raw)
In-Reply-To: <20251224094401.20384-1-rgbi3307@gmail.com>
Hello JaeJoon,
On Wed, 24 Dec 2025 18:43:58 +0900 JaeJoon Jung <rgbi3307@gmail.com> wrote:
> cd /sys/kernel/mm/damon/admin
> echo "off" > kdamonds/0/state
>
> echo "commit" > kdamonds/0/state
> echo "commit" > kdamonds/0/state
>
> If you repeat "commit" twice with the kdamonds/0/state set to "off"
> with the above command, list_add corruption error occurs as follows:
>
> 4-page vmalloc region starting at 0xffffffc600a38000 allocated at
> kernel_clone+0x44/0x41e
> ------------[ cut here ]------------
> list_add corruption. prev->next should be next (ffffffd6c7c5a6a8),
> but was ffffffc600a3bcc8. (prev=ffffffc600a3bcc8).
> WARNING: lib/list_debug.c:32 at __list_add_valid_or_report+
> 0xd8/0xe2, CPU#0: bash/466
> Modules linked in: dwmac_starfive stmmac_platform stmmac pcs_xpcs phylink
> CPU: 0 UID: 0 PID: 466 Comm: bash Tainted: G W 6.19.0-rc2+ #1 PREEMPTLAZY
> Tainted: [W]=WARN
> Hardware name: StarFive VisionFive 2 v1.3B (DT)
> epc : __list_add_valid_or_report+0xd8/0xe2
> ra : __list_add_valid_or_report+0xd8/0xe2
> epc : ffffffff80540bce ra : ffffffff80540bce sp : ffffffc600a3bc00
> gp : ffffffff81caec40 tp : ffffffd6c036f080 t0 : 0000000000000000
> t1 : 0000000000006000 t2 : 0000000000000002 s0 : ffffffc600a3bc30
> s1 : ffffffc600a3bcc8 a0 : ffffffd6fbf49a40 a1 : ffffffd6c036f080
> a2 : 0000000000000000 a3 : 0000000000000001 a4 : 0000000000000000
> a5 : 0000000000000000 a6 : 0000000020000000 a7 : 0000000000000001
> s2 : ffffffd6c7c5a6a8 s3 : ffffffc600a3bcc8 s4 : ffffffc600a3bcc8
> s5 : ffffffd6c7c5a6b8 s6 : ffffffd6c7c5a6a8 s7 : 0000003ff3f32794
> s8 : 0000002ab38c9118 s9 : 0000000000000065 s10: 0000003f823a5cb8
> s11: 0000003f823264e8 t3 : 0000000000000001 t4 : 0000000000000000
> t5 : 00000000fa83b2da t6 : 000000000051df90
> status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
> [<ffffffff80540bce>] __list_add_valid_or_report+0xd8/0xe2
> [<ffffffff80255c86>] damon_call+0x52/0xe8
> [<ffffffff8025c9a8>] damon_sysfs_damon_call+0x60/0x8a
> [<ffffffff8025daf4>] state_store+0xfc/0x294
> [<ffffffff80dbf1fa>] kobj_attr_store+0xe/0x1a
> [<ffffffff802f070c>] sysfs_kf_write+0x42/0x56
> [<ffffffff802eef4e>] kernfs_fop_write_iter+0xf4/0x178
> [<ffffffff8026545c>] vfs_write+0x1b6/0x3b2
> [<ffffffff80265782>] ksys_write+0x52/0xbc
> [<ffffffff80265800>] __riscv_sys_write+0x14/0x1c
> [<ffffffff80ddf124>] do_trap_ecall_u+0x19c/0x26e
> [<ffffffff80deaa38>] handle_exception+0x150/0x15c
> ---[ end trace 0000000000000000 ]---
> -bash: echo: write error: Invalid argument
Thank you for finding issue!
Also appreciate for sharing your detailed reproducer. Nevertheless, I think
the reproducer can be more detailed. E.g., you could explicitly explain the
fact that the reproduction step should be executed only after starting DAMON
with the kdamond, and the kernel should run with CONFIG_lIST_HARDENED to get
the output from the kernel log.
>
> The cause of the above error is that list_add_tail() is executed
> repeatedly while executing damon_call(ctx, control)
> in damon_sysfs_damon_call(). The execution flow is summarized below:
>
> damon_sysfs_damon_call()
> --> damon_call(ctx, control)
> list_add_tail(control, ctx->call_contols);
> --> /* list_add corruption error */
> if (!damon_is_running)
> return -EINVAL;
>
> If you execute damon_call() when damon_sysfs_kdamond_running() is true,
> you can prevent the error of duplicate execution of list_add_tail().
The kdamond might be terminated between the damon_call() call and the
damon_is_running() check inside the damon_call() execution. In the case, the
problem may still happen.
The problem happens because damon_call() is not removing the damon_call_control
object before returning the error, right? What about removing the object
before returning the error?
>
> Signed-off-by: JaeJoon Jung <rgbi3307@gmail.com>
Could you please also add Fixes: and Cc: stable@ ?
Thanks,
SJ
[...]
next prev parent reply other threads:[~2025-12-25 0:32 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-24 9:43 JaeJoon Jung
2025-12-25 0:32 ` SeongJae Park [this message]
2025-12-25 2:35 ` JaeJoon Jung
2025-12-25 19:49 ` SeongJae Park
2025-12-26 1:48 ` JaeJoon Jung
2025-12-26 18:41 ` SeongJae Park
2025-12-26 23:53 ` JaeJoon Jung
2025-12-27 17:42 ` SeongJae Park
2025-12-29 3:38 ` JaeJoon Jung
2025-12-29 15:14 ` SeongJae Park
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251225003205.14522-1-sj@kernel.org \
--to=sj@kernel.org \
--cc=damon@lists.linux.dev \
--cc=linux-mm@kvack.org \
--cc=rgbi3307@gmail.com \
--cc=rgbi3307@nate.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox