From: SeongJae Park <sj@kernel.org>
To: SeongJae Park <sj@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"# 6 . 17 . x" <stable@vger.kernel.org>,
damon@lists.linux.dev, linux-kernel@vger.kernel.org,
linux-mm@kvack.org
Subject: Re: (sashiko review) [PATCH] mm/damon/stat: deallocate damon_call() failure leaking damon_ctx
Date: Wed, 1 Apr 2026 22:06:50 -0700 [thread overview]
Message-ID: <20260402050650.72289-1-sj@kernel.org> (raw)
In-Reply-To: <20260402020745.68554-1-sj@kernel.org>
On Wed, 1 Apr 2026 19:07:44 -0700 SeongJae Park <sj@kernel.org> wrote:
[...]
> > > --- a/mm/damon/stat.c
> > > +++ b/mm/damon/stat.c
> > > @@ -257,7 +257,12 @@ static int damon_stat_start(void)
> > >
> > > damon_stat_last_refresh_jiffies = jiffies;
> > > call_control.data = damon_stat_context;
> > > - return damon_call(damon_stat_context, &call_control);
> > > + err = damon_call(damon_stat_context, &call_control);
> > > + if (err) {
> > > + damon_destroy_ctx(damon_stat_context);
> >
> > Can this cause a use-after-free?
> >
> > Earlier in damon_stat_start(), damon_start() is called, which creates
> > and starts the kdamond_fn kernel thread. This thread actively uses the
> > damon_stat_context.
> >
> > If damon_call() fails, the kdamond_fn thread might still be running or
> > in its teardown phase. If we free the context directly using
> > damon_destroy_ctx() before the kthread has fully exited, the kthread
> > might access freed memory.
>
> Nice catch.
>
> FYI, I initially thought damon_call() of DAMON_STAT cannot fail, because it
> synchronizes its damon_start()/damon_stop() calls with module parameter
> handling function, and it doesn't update the context internal state, which
> means the damon_ctx->maybe_corrupted cannot be set. If that's true, this patch
> itself is not needed since the memory leak cannot exist.
>
> But, kdamond can fail for its internal memory allocation failures.
> Specifically, if ctx->region_score_histogram allocation is failed, it will be
> terminated. So, yes, sashiko is right. There is a chance.
>
> >
> > Should we call damon_stop() here to wait for the thread to safely exit
> > before destroying the context, similar to the teardown sequence in
> > damon_stat_stop()?
>
> Seems that is a workable option. But given the fact that kdamond is already in
> its termination step, it feels odd to me. I'll take more time to think about.
I just posted another approach [1] that can avoid the use-after-free, with RFC
tag for getting sashiko review before being merged.
[1] https://lore.kernel.org/20260402045928.71170-1-sj@kernel.org
Thanks,
SJ
[...]
prev parent reply other threads:[~2026-04-02 5:06 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-02 1:04 [PATCH] mm/damon/stat: deallocate damon_call() failure leaking damon_ctx SeongJae Park
2026-04-02 2:07 ` (sashiko review) " SeongJae Park
2026-04-02 5:06 ` SeongJae Park [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260402050650.72289-1-sj@kernel.org \
--to=sj@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=damon@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.