Re: [RFC PATCH v3 07/28] mm/damon/core: do data attributes monitoring

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [High] The `probe_hits` array counters can silently overflow, yielding corrupted monitoring results.
- [High] DAMON dynamically merges regions based strictly on `nr_accesses`, which corrupts the spatial granularity of `probe_hits`.
- [High] If DAMON is run without `check_accesses`, all regions will be aggressively merged up to `sz_limit`, neutralizing data attribute monitoring.
- [High] Size-weighted average calculations for `probe_hits` overflow `unsigned long` on 32-bit systems.
--

commit 55dcc5294b4ee96c9d7e5a24e9dcdb0d798c401d
Author: SeongJae Park <sj@kernel.org>

mm/damon/core: do data attributes monitoring

Implement the data attributes monitoring execution.  Update kdamond to
invoke the probes application callback, and reset the aggregated number
of per-region per-probe positive samples for every aggregation interval.

> diff --git a/mm/damon/core.c b/mm/damon/core.c
> index e5667660b4cd9..dde3c8d8fef89 100644
> --- a/mm/damon/core.c
> +++ b/mm/damon/core.c
> @@ -1886,10 +1886,14 @@ static void kdamond_reset_aggregated(struct damon_ctx *c)
>  		struct damon_region *r;
>  
>  		damon_for_each_region(r, t) {
> +			int i;
> +
>  			trace_damon_aggregated(ti, r, damon_nr_regions(t));
>  			damon_warn_fix_nr_accesses_corruption(r);
>  			r->last_nr_accesses = r->nr_accesses;
>  			r->nr_accesses = 0;
> +			for (i = 0; i < DAMON_MAX_PROBES; i++)
> +				r->probe_hits[i] = 0;

Can probe_hits overflow here?

The probe_hits array is defined as unsigned char, which has a maximum value
of 255.

The number of samples per interval is user-configurable and can legitimately
exceed 255 (e.g., a 1000ms aggregation with a 1ms sample interval yields 1000
samples).

If a probe matches continuously under such configurations, could the counter
silently overflow and wrap around, corrupting the monitoring results?

>  			damon_verify_reset_aggregated(r, c);
>  		}
>  		ti++;
> @@ -3179,6 +3183,8 @@ static int kdamond_fn(void *data)
>  
>  		if (ctx->ops.check_accesses)
>  			max_nr_accesses = ctx->ops.check_accesses(ctx);
> +		if (ctx->ops.apply_probes)
> +			ctx->ops.apply_probes(ctx);

If DAMON is configured strictly for data attribute monitoring where
check_accesses is NULL but apply_probes is set, max_nr_accesses and all
regional nr_accesses persistently evaluate to 0.

Will this cause all adjacent regions to have a calculated difference
threshold of 0, resulting in all regions merging indiscriminately up to
sz_limit during the subsequent kdamond_merge_regions() call?

Additionally, damon_merge_regions_of() merges adjacent regions by evaluating
only nr_accesses:

abs(prev->nr_accesses - r->nr_accesses) <= thres

Since this merge condition ignores probe_hits, could two contiguous regions
with identical access frequencies but vastly different data attributes be
incorrectly merged?

Does calculating the size-weighted average for probe_hits risk overflowing on
32-bit systems?

When damon_merge_two_regions() calculates averages using:

(metric * sz_l + metric * sz_r) / (sz_l + sz_r)

Both sz_l and sz_r are evaluated in bytes as unsigned long. On 32-bit
systems where ULONG_MAX is roughly 4 GB, a 200 MB region with 25 probe_hits
yields an intermediate product of 5,000,000,000.

Does this silently overflow the 32-bit unsigned long and corrupt the region
metrics?

>  
>  		if (time_after_eq(ctx->passed_sample_intervals,
>  					next_aggregation_sis)) {

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260516183712.81393-1-sj@kernel.org?part=7