linux-mm.kvack.org archive mirror
From: SeongJae Park <sj@kernel.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: SeongJae Park <sj@kernel.org>,
	damon@lists.linux.dev, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org
Subject: [PATCH 3/8] mm/damon/core: cancel damos_walk() before damon_ctx->kdamond reset
Date: Sat, 17 Jan 2026 09:52:50 -0800
Message-ID: <20260117175256.82826-4-sj@kernel.org>
In-Reply-To: <20260117175256.82826-1-sj@kernel.org>

damos_walk() request is canceled after damon_ctx->kdamond is reset.
This can make weird situations where damon_is_running() returns false
but the DAMON context has the damos_walk() request linked.  There was a
similar situation for damon_call() requests handling [1], which _was_
able to cause a racy use-after-free bug.  Unlike the case of
damon_call(), because damos_walk() is always synchronously handled and
allows only a single request at a time, there are no such problematic race
cases.  But, keeping it as is could stem another subtle race condition
bug in the future.

Avoid that by cancelling the requests before the ->kdamond reset.  Note
that this change also makes all damon_ctx dependent resource cleanups
consistently done before the damon_ctx->kdamond reset.

[1] https://lore.kernel.org/20251230014532.47563-1-sj@kernel.org

Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/core.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/mm/damon/core.c b/mm/damon/core.c
index 0c8ac11a49f9..0bed937b1dce 100644
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -2856,14 +2856,13 @@ static int kdamond_fn(void *data)
 
 	kfree(ctx->regions_score_histogram);
 	kdamond_call(ctx, true);
+	damos_walk_cancel(ctx);
 
 	pr_debug("kdamond (%d) finishes\n", current->pid);
 	mutex_lock(&ctx->kdamond_lock);
 	ctx->kdamond = NULL;
 	mutex_unlock(&ctx->kdamond_lock);
 
-	damos_walk_cancel(ctx);
-
 	mutex_lock(&damon_lock);
 	nr_running_ctxs--;
 	if (!nr_running_ctxs && running_exclusive_ctxs)
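Review bot: With damos_walk_cancel(ctx) now ahead of the kdamond_lock section, ctx->kdamond is still non-NULL between the cancel and the "ctx->kdamond = NULL;" assignment, and nothing visible in this hunk stops a new damos_walk() request from being linked in that window, after which no further cancel runs for it. The old ordering had the opposite gap (request linked while damon_is_running() is already false), so the move trades one window for another unless the request path excludes it. Please state in the commit message, or in a short comment above the moved call, what prevents a request from being registered after the cancel, for example a check on the damos_walk() side made under a lock that this exit path also takes. The same question applies to the kdamond_call(ctx, true) line just above it, so one comment covering both cleanup calls would be enough.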
-- 
2.47.3


Thread overview: 9+ messages
2026-01-17 17:52 [PATCH 0/8] mm/damon: cleanup kdamond, damon_call(), damos filter and DAMON_MIN_REGION SeongJae Park
2026-01-17 17:52 ` [PATCH 1/8] mm/damon: remove damon_operations->cleanup() SeongJae Park
2026-01-17 17:52 ` [PATCH 2/8] mm/damon/core: cleanup targets and regions at once on kdamond termination SeongJae Park
2026-01-17 17:52 ` SeongJae Park [this message]
2026-01-17 17:52 ` [PATCH 4/8] mm/damon/core: process damon_call_control requests on a local list SeongJae Park
2026-01-17 17:52 ` [PATCH 5/8] mm/damon: document damon_call_control->dealloc_on_cancel repeat behavior SeongJae Park
2026-01-17 17:52 ` [PATCH 6/8] mm/damon/core: rename damos_filter_out() to damos_core_filter_out() SeongJae Park
2026-01-17 17:52 ` [PATCH 7/8] mm/damon: rename DAMON_MIN_REGION to DAMON_MIN_REGION_SZ SeongJae Park
2026-01-17 17:52 ` [PATCH 8/8] mm/damon: rename min_sz_region of damon_ctx to min_region_sz SeongJae Park
