diff options
| author | SeongJae Park <sj@kernel.org> | 2026-01-17 09:52:50 -0800 |
|---|---|---|
| committer | Andrew Morton <akpm@linux-foundation.org> | 2026-01-31 14:22:45 -0800 |
| commit | 69714a74c19f5ae8b21e25558d62d893d48a3f18 (patch) | |
| tree | df0c7773fafb709128c3913b5bffd4b10ba94cf1 | |
| parent | 1736047a4e9606f11e044431dfe61516e3a7600b (diff) | |
mm/damon/core: cancel damos_walk() before damon_ctx->kdamond reset
damos_walk() request is canceled after damon_ctx->kdamond is reset. This
can make weird situations where damon_is_running() returns false but the
DAMON context has the damos_walk() request linked. There was a similar
situation for damon_call() requests handling [1], which _was_ able to
cause a racy use-after-free bug. Unlike the case of damon_call(), because
damos_walk() is always synchronously handled and allows only single
request at time, there is no such problematic race cases. But, keeping it
as is could stem another subtle race condition bug in future.
Avoid that by cancelling the requests before the ->kdamond reset. Note
that this change also makes all damon_ctx dependent resource cleanups
consistently done before the damon_ctx->kdamond reset.
Link: https://lkml.kernel.org/r/20260117175256.82826-4-sj@kernel.org
Link: https://lore.kernel.org/20251230014532.47563-1-sj@kernel.org [1]
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
| -rw-r--r-- | mm/damon/core.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/mm/damon/core.c b/mm/damon/core.c index 0c8ac11a49f9..0bed937b1dce 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -2856,14 +2856,13 @@ done: kfree(ctx->regions_score_histogram); kdamond_call(ctx, true); + damos_walk_cancel(ctx); pr_debug("kdamond (%d) finishes\n", current->pid); mutex_lock(&ctx->kdamond_lock); ctx->kdamond = NULL; mutex_unlock(&ctx->kdamond_lock); - damos_walk_cancel(ctx); - mutex_lock(&damon_lock); nr_running_ctxs--; if (!nr_running_ctxs && running_exclusive_ctxs) |