From: sashiko-bot@kernel.org
To: "SeongJae Park" <sj@kernel.org>
Cc: damon@lists.linux.dev
Subject: Re: [RFC PATCH v2.2 15/28] mm/damon/sysfs-schemes: implement tried_regions/<r>/probes/
Date: Fri, 15 May 2026 01:27:15 +0000
Message-ID: <20260515012715.D161EC2BCC6@smtp.kernel.org>
In-Reply-To: <20260515004433.128933-16-sj@kernel.org>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [Critical] Use-After-Free and Double-Put of kobjects due to delayed release
- [High] Lockless list corruption in delayed kobject release
- [High] State variables (`nr_regions`, `total_bytes`) leak on error paths
- [Medium] Undefined Behavior from unvalidated pointer arithmetic on NULL
--

commit 2a0f4a006e3babc368de4c2d048d4ec6e1aec966
Author: SeongJae Park <sj@kernel.org>

mm/damon/sysfs-schemes: implement tried_regions/<r>/probes/

This commit adds a probes/ sysfs directory under DAMOS tried regions to
show per-region probe hit counts.

> diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
> index 245d63808411a..0bca89217b8fa 100644
> --- a/mm/damon/sysfs-schemes.c
> +++ b/mm/damon/sysfs-schemes.c
[ ... ]
> @@ -34,10 +61,36 @@ static struct damon_sysfs_scheme_region *damon_sysfs_scheme_region_alloc(
>  	sysfs_region->ar = region->ar;
>  	sysfs_region->nr_accesses = region->nr_accesses_bp / 10000;
>  	sysfs_region->age = region->age;
> +	sysfs_region->probes = NULL;
>  	INIT_LIST_HEAD(&sysfs_region->list);
>  	return sysfs_region;
>  }
>  
> +static int damos_sysfs_region_add_dirs(
> +		struct damon_sysfs_scheme_region *region)
> +{
> +	struct damos_sysfs_probes *probes = damos_sysfs_probes_alloc();
> +	int err;
> +
> +	if (!probes)
> +		return -ENOMEM;
> +	err = kobject_init_and_add(&probes->kobj, &damos_sysfs_probes_ktype,
> +			&region->kobj, "probes");
> +	if (err) {
> +		kobject_put(&probes->kobj);
> +		return err;
> +	}
> +
> +	region->probes = probes;
> +	return 0;
> +}
> +
> +static void damos_sysfs_region_rm_dirs(
> +		struct damon_sysfs_scheme_region *region)
> +{
> +	kobject_put(&region->probes->kobj);

If damos_sysfs_region_add_dirs() fails, region->probes remains NULL.
If damos_sysfs_region_rm_dirs() is subsequently called on this region,
will &region->probes->kobj evaluate the address of a member of a NULL pointer?

While this evaluates to a NULL pointer because kobj is at offset 0, is it
safe to rely on this undefined behavior, or should there be an
if (!region->probes) check?

> +}
> +
>  static ssize_t start_show(struct kobject *kobj, struct kobj_attribute *attr,
>  		char *buf)
>  {
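
Review bot: damos_sysfs_region_rm_dirs() dereferences region->probes unconditionally, yet damon_sysfs_scheme_region_alloc() now initialises that field to NULL and damos_sysfs_region_add_dirs() leaves it NULL when kobject_init_and_add() fails, so `&region->probes->kobj` is member-address arithmetic on a NULL pointer; kobj being the first member does not make that defined, and the put is never followed by clearing the pointer, so a repeat call puts the same kobject again. Guard and clear in the same function: `if (!region->probes) return;` followed by `kobject_put(&region->probes->kobj); region->probes = NULL;`. A short comment on damos_sysfs_region_add_dirs() saying that damos_sysfs_region_rm_dirs() is the only intended undo path would also help, because the failure branch inside add_dirs already puts the probes kobject itself and a reader could otherwise assume rm_dirs must handle that case too.
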
> @@ -165,6 +218,7 @@ static void damon_sysfs_scheme_regions_rm_dirs(
>  
>  	list_for_each_entry_safe(r, next, &regions->regions_list, list) {
>  		/* release function deletes it from the list */
> +		damos_sysfs_region_rm_dirs(r);
>  		kobject_put(&r->kobj);

If the kobject release is delayed (e.g. because userspace holds a sysfs file
open in the region directory, or CONFIG_DEBUG_KOBJECT_RELEASE is enabled),
the region remains on the regions_list.

If a user consecutively writes to the sysfs state file to clear regions,
damon_sysfs_scheme_regions_rm_dirs() will iterate over the same region again.

Will this call kobject_put(&region->probes->kobj) a second time on the
already-freed probes kobject, triggering a use-after-free and refcount
underflow?

Should region->probes be set to NULL after the put to avoid this?

Also, regarding the list management, this isn't a regression introduced here,
but the comment mentions the release function deletes it from the list. If
kobject release runs asynchronously in a worker thread, can the release
function list_del() run concurrently while this loop iterates the list,
silently corrupting the doubly-linked list?

>  		regions->nr_regions--;
>  	}
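
Review bot: the new damos_sysfs_region_rm_dirs(r) call runs once per loop visit, while the comment directly above it says the region is removed from regions_list by its release function, i.e. only when the last reference to r->kobj drops. If that release is deferred past the end of this loop, r is still on the list the next time damon_sysfs_scheme_regions_rm_dirs() runs and its probes kobject is put a second time; the nr_regions-- at the bottom of the body is likewise decremented per visit rather than per released region. Putting the probes reference from the region's release callback, next to the list_del the comment refers to, would bind the child's lifetime to the parent's and make the put happen exactly once; if the call stays here, damos_sysfs_region_rm_dirs() has to clear r->probes after the put so the second visit is a no-op.
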
> @@ -2932,9 +2986,14 @@ void damos_sysfs_populate_region_dir(struct damon_sysfs_schemes *sysfs_schemes,
>  	if (kobject_init_and_add(&region->kobj,
>  				&damon_sysfs_scheme_region_ktype,
>  				&sysfs_regions->kobj, "%d",
> -				sysfs_regions->nr_regions++)) {
> -		kobject_put(&region->kobj);
> -	}
> +				sysfs_regions->nr_regions++))
> +		goto out;
> +	if (damos_sysfs_region_add_dirs(region))
> +		goto out;
> +	return;
> +
> +out:
> +	kobject_put(&region->kobj);
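
Review bot: `sysfs_regions->nr_regions++` is evaluated as a call argument before kobject_init_and_add() can fail, and nothing under `out:` reverts it, so both the pre-existing failure and the new damos_sysfs_region_add_dirs() failure leave nr_regions one higher than the number of region directories that actually exist; because damos_sysfs_populate_region_dir() is void, the caller cannot tell that the region was dropped. Suggest doing the increment only after both calls succeed (the "%d" name can use the current value before it is bumped), or adding `sysfs_regions->nr_regions--;` under `out:`, and adding a comment stating that a region whose probes/ directory cannot be created is discarded entirely rather than left without the subdirectory. Returning the error from this function would let the caller surface the lost region instead of silently under-reporting it.
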

Earlier in this function, sysfs_regions->total_bytes is increased, and
sysfs_regions->nr_regions is incremented.

If damos_sysfs_region_add_dirs() fails and the code jumps to the out label,
these state variables are not reverted. Since
damon_sysfs_scheme_regions_rm_dirs() only decrements nr_regions by 1 per
region in the list, do these counters permanently drift, causing accounting
issues?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260515004433.128933-1-sj@kernel.org?part=15
