[RFC PATCH v1.1 00/11] mm/damon/sysfs: kobject_del() directories that users can create/remove

[RFC PATCH v1.1 00/11] mm/damon/sysfs: kobject_del() directories that users can create/remove

[SeongJae Park]

DAMON sysfs interface allows users to create and remove arbitrary number
of directories on sysfs, using a few files having 'nr_' prefix.  For
example, 'nr_kdamonds'.  When the user writes a number 'N' to the files,
directories having name starting from '0' to 'N - 1' are created in the
same directory.  The pre-existing number-named directories are removed
before creating the new directories.

For the removal of the existing directories, DAMON sysfs interface use
only kobject_put().  Because DAMON sysfs interface is the only kernel
component that manages the directories, there is no problem in normal
situations.  However, if CONFIG_DEBUG_KOBJECT_RELEASE is enabled, the
removal of dirs are delayed.  Let's suppose a user writes a non-zero
number to the 'nr_*' files while there are pre-existing number-named
directories, on the config enabled kernel.  DAMON sysfs interface
decreases the reference counts of the existing directories and
immediately creates new directories.  Because the removal of the sysfs
directories is delayed, it shows some pre-existing directories of the
same names when it tries to create the new directories, and fails.

For example, the issue can be triggered like below:

    # grep DEBUG_KOBJECT_RELEASE /boot/config-$(uname -r)
    CONFIG_DEBUG_KOBJECT_RELEASE=y
    # ls
    nr_kdamonds
    # echo 1 > nr_kdamonds
    # echo 1 > nr_kdamonds
    bash: echo: write error: File exists
    # dmesg
    [...]
    [  300.880458] kobject: kobject_add_internal failed for 0 with -EEXIST, don't try to register things with the same name in the same directory.
    [...]

Some of the error handling paths of the directories also lack the
kobject_del() call.  If the user uses nr_* file right after the errors,
similar issues can happen.

This doesn't cause catastrophic issues like kernel panics or memory
corruptions.  Users can work around by removing all directories first
(write 0 to the nr_* files) and then create new directories after
confirming the old directories are gone.  But, this is definitely a bug
that causes a bad user experience.

Fix the issues by calling kobject_del() before creating new directories.

Patches Sequence
================

There are a number of bugs of this class that introduced by eleven
different commits.  Group fnd order fixes based on the introducing
commits.

Changes from RFC v1
- RFC v1: https://lore.kernel.org/20260616150844.88305-1-sj@kernel.org
- Add error path fixes.

SeongJae Park (11):
  mm/damon/sysfs: kobject_del() target (normal), context and kdamond
    dirs
  mm/damon/sysfs: kobject_del() region and target (error) dirs
  mm/damon/sysfs-schemes: kobject_del() scheme dirs
  mm/damon/sysfs-schemes: kobject_del() scheme region dirs
  mm/damon/sysfs-schemes: kobject_del() scheme filter dirs
  mm/damon/sysfs-schemes: kobject_del() scheme quota goal dirs
  mm/damon/sysfs-schemes: kobject_del() scheme action destination dirs
  mm/damon/sysfs: kobject_del() probe dirs
  mm/damon/sysfs: kobject_del() probe filter dirs
  mm/damon/sysfs: kobject_del() probe dirs in probes_addd_dir error path
  mm/damon/sysfs-schemes: kobject_del() region for populate_region error

 mm/damon/sysfs-schemes.c | 18 ++++++++++++++----
 mm/damon/sysfs.c         | 25 ++++++++++++++++++++-----
 2 files changed, 34 insertions(+), 9 deletions(-)


base-commit: c7d696ef153b9bea79d35140c7e9266fe9d3f7bb
-- 
2.47.3

[RFC PATCH v1.1 01/11] mm/damon/sysfs: kobject_del() target (normal), context and kdamond dirs

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for normal creation paths of target, context and kdamond
directories, and error paths of context and kdamond directories by
adding kobject_del() calls.

Note that this fix for target directories is not complete since it has a
similar issue in the damon_sysfs_targets_add_dirs() error path.  Because
the normal path issue and the error path issue are introduced by
different commits, this commit is fixing only the normal path issue.  A
commit for the error path will be added next.

Fixes: c951cd3b8901 ("mm/damon: implement a minimal stub for sysfs-based DAMON interface")
Cc: <stable@vger.kernel.org> # 5.18.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
index 2e95e3bac774d..dba1c67fc188f 100644
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -333,6 +333,7 @@ static void damon_sysfs_targets_rm_dirs(struct damon_sysfs_targets *targets)
 
 	for (i = 0; i < targets->nr; i++) {
 		damon_sysfs_target_rm_dirs(targets_arr[i]);
+		kobject_del(&targets_arr[i]->kobj);
 		kobject_put(&targets_arr[i]->kobj);
 	}
 	targets->nr = 0;
@@ -1642,6 +1643,7 @@ static void damon_sysfs_contexts_rm_dirs(struct damon_sysfs_contexts *contexts)
 
 	for (i = 0; i < contexts->nr; i++) {
 		damon_sysfs_context_rm_dirs(contexts_arr[i]);
+		kobject_del(&contexts_arr[i]->kobj);
 		kobject_put(&contexts_arr[i]->kobj);
 	}
 	contexts->nr = 0;
@@ -1680,13 +1682,15 @@ static int damon_sysfs_contexts_add_dirs(struct damon_sysfs_contexts *contexts,
 
 		err = damon_sysfs_context_add_dirs(context);
 		if (err)
-			goto out;
+			goto del_out;
 
 		contexts_arr[i] = context;
 		contexts->nr++;
 	}
 	return 0;
 
+del_out:
+	kobject_del(&context->kobj);
 out:
 	damon_sysfs_contexts_rm_dirs(contexts);
 	kobject_put(&context->kobj);
@@ -2501,6 +2505,7 @@ static void damon_sysfs_kdamonds_rm_dirs(struct damon_sysfs_kdamonds *kdamonds)
 
 	for (i = 0; i < kdamonds->nr; i++) {
 		damon_sysfs_kdamond_rm_dirs(kdamonds_arr[i]);
+		kobject_del(&kdamonds_arr[i]->kobj);
 		kobject_put(&kdamonds_arr[i]->kobj);
 	}
 	kdamonds->nr = 0;
@@ -2555,13 +2560,15 @@ static int damon_sysfs_kdamonds_add_dirs(struct damon_sysfs_kdamonds *kdamonds,
 
 		err = damon_sysfs_kdamond_add_dirs(kdamond);
 		if (err)
-			goto out;
+			goto del_out;
 
 		kdamonds_arr[i] = kdamond;
 		kdamonds->nr++;
 	}
 	return 0;
 
+del_out:
+	kobject_del(&kdamond->kobj);
 out:
 	damon_sysfs_kdamonds_rm_dirs(kdamonds);
 	kobject_put(&kdamond->kobj);
-- 
2.47.3

[RFC PATCH v1.1 02/11] mm/damon/sysfs: kobject_del() region and target (error) dirs

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for the normal creation path of region directories and the
error path of target directories, by adding kobject_del() calls.

Fixes: 2031b14ea757 ("mm/damon/sysfs: support the physical address space monitoring")
Cc: <stable@vger.kernel.org> # 5.18.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
index dba1c67fc188f..3c349f0fe80f0 100644
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -107,8 +107,10 @@ static void damon_sysfs_regions_rm_dirs(struct damon_sysfs_regions *regions)
 	struct damon_sysfs_region **regions_arr = regions->regions_arr;
 	int i;
 
-	for (i = 0; i < regions->nr; i++)
+	for (i = 0; i < regions->nr; i++) {
+		kobject_del(&regions_arr[i]->kobj);
 		kobject_put(&regions_arr[i]->kobj);
+	}
 	regions->nr = 0;
 	kfree(regions_arr);
 	regions->regions_arr = NULL;
@@ -372,13 +374,15 @@ static int damon_sysfs_targets_add_dirs(struct damon_sysfs_targets *targets,
 
 		err = damon_sysfs_target_add_dirs(target);
 		if (err)
-			goto out;
+			goto del_out;
 
 		targets_arr[i] = target;
 		targets->nr++;
 	}
 	return 0;
 
+del_out:
+	kobject_del(&target->kobj);
 out:
 	damon_sysfs_targets_rm_dirs(targets);
 	kobject_put(&target->kobj);
-- 
2.47.3

[RFC PATCH v1.1 03/11] mm/damon/sysfs-schemes: kobject_del() scheme dirs

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for scheme directories by adding kobject_del() calls.

Fixes: 7e84b1f8212a ("mm/damon/sysfs: support DAMON-based Operation Schemes")
Cc: <stable@vger.kernel.org> # 5.18.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs-schemes.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
index 0134111c3c1ff..debf2a3a0d8fc 100644
--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -2683,6 +2683,7 @@ void damon_sysfs_schemes_rm_dirs(struct damon_sysfs_schemes *schemes)
 
 	for (i = 0; i < schemes->nr; i++) {
 		damon_sysfs_scheme_rm_dirs(schemes_arr[i]);
+		kobject_del(&schemes_arr[i]->kobj);
 		kobject_put(&schemes_arr[i]->kobj);
 	}
 	schemes->nr = 0;
-- 
2.47.3

[RFC PATCH v1.1 04/11] mm/damon/sysfs-schemes: kobject_del() scheme region dirs

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for scheme region directories by adding kobject_del()
calls.

This issue was discovered [1] by Sashiko, though its analysis was
partially incorrect.

[1] https://lore.kernel.org/20260517205828.6204-1-sj@kernel.org

Fixes: 9277d0367ba1 ("mm/damon/sysfs-schemes: implement scheme region directory")
Cc: <stable@vger.kernel.org> # 6.2.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs-schemes.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
index debf2a3a0d8fc..604b77a47a463 100644
--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -334,6 +334,7 @@ static void damon_sysfs_scheme_regions_rm_dirs(
 	list_for_each_entry_safe(r, next, &regions->regions_list, list) {
 		damos_sysfs_region_rm_dirs(r);
 		list_del(&r->list);
+		kobject_del(&r->kobj);
 		kobject_put(&r->kobj);
 		regions->nr_regions--;
 	}
-- 
2.47.3

[RFC PATCH v1.1 05/11] mm/damon/sysfs-schemes: kobject_del() scheme filter dirs

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for scheme filter directories by adding kobject_del()
calls.

Fixes: 472e2b70eda6 ("mm/damon/sysfs-schemes: connect filter directory and filters directory")
Cc: <stable@vger.kernel.org> # 6.3.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs-schemes.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
index 604b77a47a463..db6226c05b023 100644
--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -914,8 +914,10 @@ static void damon_sysfs_scheme_filters_rm_dirs(
 	struct damon_sysfs_scheme_filter **filters_arr = filters->filters_arr;
 	int i;
 
-	for (i = 0; i < filters->nr; i++)
+	for (i = 0; i < filters->nr; i++) {
+		kobject_del(&filters_arr[i]->kobj);
 		kobject_put(&filters_arr[i]->kobj);
+	}
 	filters->nr = 0;
 	kfree(filters_arr);
 	filters->filters_arr = NULL;
-- 
2.47.3

[RFC PATCH v1.1 06/11] mm/damon/sysfs-schemes: kobject_del() scheme quota goal dirs

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for scheme quota goal directories by adding kobject_del()
calls.

Fixes: 7f262da0a30d ("mm/damon/sysfs-schemes: implement files for scheme quota goals setup")
Cc: <stable@vger.kernel.org> # 6.8.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs-schemes.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
index db6226c05b023..573a40c679be3 100644
--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -1465,8 +1465,10 @@ static void damos_sysfs_quota_goals_rm_dirs(
 	struct damos_sysfs_quota_goal **goals_arr = goals->goals_arr;
 	int i;
 
-	for (i = 0; i < goals->nr; i++)
+	for (i = 0; i < goals->nr; i++) {
+		kobject_del(&goals_arr[i]->kobj);
 		kobject_put(&goals_arr[i]->kobj);
+	}
 	goals->nr = 0;
 	kfree(goals_arr);
 	goals->goals_arr = NULL;
-- 
2.47.3

[RFC PATCH v1.1 07/11] mm/damon/sysfs-schemes: kobject_del() scheme action destination dirs

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for scheme action destination directories by adding
kobject_del() calls.

Fixes: 2cd0bf85a203 ("mm/damon/sysfs-schemes: implement DAMOS action destinations directory")
Cc: <stable@vger.kernel.org> # 6.17.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs-schemes.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
index 573a40c679be3..0c0c9637b594e 100644
--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -2145,8 +2145,10 @@ static void damos_sysfs_dests_rm_dirs(
 	struct damos_sysfs_dest **dests_arr = dests->dests_arr;
 	int i;
 
-	for (i = 0; i < dests->nr; i++)
+	for (i = 0; i < dests->nr; i++) {
+		kobject_del(&dests_arr[i]->kobj);
 		kobject_put(&dests_arr[i]->kobj);
+	}
 	dests->nr = 0;
 	kfree(dests_arr);
 	dests->dests_arr = NULL;
-- 
2.47.3

[RFC PATCH v1.1 08/11] mm/damon/sysfs: kobject_del() probe dirs

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for data attribute probe directories by adding
kobject_del() calls.

Fixes: bf3ea3d30880 ("mm/damon/sysfs: implement probe dir")
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
index 3c349f0fe80f0..5ca45654cdd39 100644
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1139,6 +1139,7 @@ static void damon_sysfs_probes_rm_dirs(
 
 	for (i = 0; i < probes->nr; i++) {
 		damon_sysfs_probe_rm_dirs(probes_arr[i]);
+		kobject_del(&probes_arr[i]->kobj);
 		kobject_put(&probes_arr[i]->kobj);
 	}
 	probes->nr = 0;
-- 
2.47.3

[RFC PATCH v1.1 09/11] mm/damon/sysfs: kobject_del() probe filter dirs

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for data attribute probe filter directories by adding
kobject_del() calls.

Fixes: 82e66aef7714 ("mm/damon/sysfs: implement filter dir")
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
index 5ca45654cdd39..36a0e82601697 100644
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -962,8 +962,10 @@ static void damon_sysfs_filters_rm_dirs(struct damon_sysfs_filters *filters)
 	struct damon_sysfs_filter **filters_arr = filters->filters_arr;
 	int i;
 
-	for (i = 0; i < filters->nr; i++)
+	for (i = 0; i < filters->nr; i++) {
+		kobject_del(&filters_arr[i]->kobj);
 		kobject_put(&filters_arr[i]->kobj);
+	}
 	filters->nr = 0;
 	kfree(filters_arr);
 	filters->filters_arr = NULL;
-- 
2.47.3

[RFC PATCH v1.1 10/11] mm/damon/sysfs: kobject_del() probe dirs in probes_addd_dir error path

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts.
Fix the issue for data attribute probe filter directories in the error
handling path of damon_sysfs_probes_add_dirs() by adding a kobject_del()
call.

Fixes: af7cb41af9a9 ("mm/damon/sysfs: implement filters directory")
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
index 36a0e82601697..ffbc99411f53b 100644
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1183,6 +1183,7 @@ static int damon_sysfs_probes_add_dirs(
 
 		err = damon_sysfs_probe_add_dirs(probe);
 		if (err) {
+			kobject_del(&probe->kobj);
 			kobject_put(&probe->kobj);
 			damon_sysfs_probes_rm_dirs(probes);
 			return err;
-- 
2.47.3

[RFC PATCH v1.1 11/11] mm/damon/sysfs-schemes: kobject_del() region for populate_region error

[SeongJae Park]

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts.
Fix the issue for tried region directories in the error handling path of
damon_sysfs_populate_region_dir() by adding a kobject_del() call.

Fixes: b574a82d10de ("mm/damon/sysfs-schemes: implement tried_regions/<r>/probes/")
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/sysfs-schemes.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
index 0c0c9637b594e..d3b414f7bd205 100644
--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -3132,12 +3132,14 @@ void damos_sysfs_populate_region_dir(struct damon_sysfs_schemes *sysfs_schemes,
 				sysfs_regions->nr_regions))
 		goto out;
 	if (damos_sysfs_region_add_dirs(region, ctx, r))
-		goto out;
+		goto del_out;
 
 	list_add_tail(&region->list, &sysfs_regions->regions_list);
 	sysfs_regions->nr_regions++;
 	return;
 
+del_out:
+	kobject_del(&region->kobj);
 out:
 	kobject_put(&region->kobj);
 }
-- 
2.47.3

Re: [RFC PATCH v1.1 05/11] mm/damon/sysfs-schemes: kobject_del() scheme filter dirs

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Incomplete bug fix: missing kobject_del() in damos_sysfs_probes_rm_dirs() and damon_sysfs_schemes_add_dirs() error path.
--

commit ada3b579d341495d80858ab88063949ce50e3fd8
Author: SeongJae Park <sj@kernel.org>

mm/damon/sysfs-schemes: kobject_del() scheme filter dirs

This commit fixes directory creation failures caused by name conflicts by
adding kobject_del() calls for scheme filter directories when
CONFIG_DEBUG_KOBJECT_RELEASE is enabled.

> diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
> index bf08e6e1f1635..300930c2c5b3f 100644
> --- a/mm/damon/sysfs-schemes.c
> +++ b/mm/damon/sysfs-schemes.c
> @@ -914,8 +914,10 @@ static void damon_sysfs_scheme_filters_rm_dirs(
>  	struct damon_sysfs_scheme_filter **filters_arr = filters->filters_arr;
>  	int i;
>  
> -	for (i = 0; i < filters->nr; i++)
> +	for (i = 0; i < filters->nr; i++) {
> +		kobject_del(&filters_arr[i]->kobj);
>  		kobject_put(&filters_arr[i]->kobj);
> +	}

[Severity: High]
This is a pre-existing issue, but while we are adding kobject_del() here to 
prevent name conflicts, are there other locations that need the same fix?

For instance, in damos_sysfs_probes_rm_dirs(), the code iterates over 
probes_arr and calls kobject_put() without a preceding kobject_del():

	for (i = 0; i < probes->nr; i++)
		kobject_put(&probes_arr[i]->kobj);

Additionally, in the error path of damon_sysfs_schemes_add_dirs(), if 
damon_sysfs_scheme_add_dirs() fails after a successful kobject_init_and_add(), 
the cleanup jumps to the out label:

out:
	damon_sysfs_schemes_rm_dirs(schemes);
	kobject_put(&scheme->kobj);
	return err;

Could these missing kobject_del() calls leave sysfs directories pending
delayed release, allowing the same name conflict crashes to occur?

>  	filters->nr = 0;
>  	kfree(filters_arr);
>  	filters->filters_arr = NULL;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617144807.91441-1-sj@kernel.org?part=5

Re: [RFC PATCH v1.1 02/11] mm/damon/sysfs: kobject_del() region and target (error) dirs

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Medium] The patch series missed adding `kobject_del()` in the error path of `damon_sysfs_schemes_add_dirs()`. If `kobject_init_and_add()` succeeds but the subsequent `damon_sysfs_scheme_add_dirs()` fails, the code jumps to the `out:` label and calls `kobject_put(&scheme->kobj)` without first calling `kobject_del()`. Because the parent `schemes` directory persists, the failed scheme directory (e.g., '1') remains visible in sysfs until `CONFIG_DEBUG_KOBJECT_RELEASE` finally frees it. If userspace retries updating `nr_schemes`, it will fail with `-EEXIST`.
--

commit 58b8f68e38892e33bea755abf310672a0f0bb285
Author: SeongJae Park <sj@kernel.org>

mm/damon/sysfs: kobject_del() region and target (error) dirs

This commit fixes directory name conflicts caused by missing kobject_del() calls.
It ensures kobject_del() is called in the region directories removal path and
the target directories error path. This resolves failures when creating
directories with CONFIG_DEBUG_KOBJECT_RELEASE enabled.

Cc: <stable@vger.kernel.org> # 5.18.x

> diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
> index dba1c67fc188f..3c349f0fe80f0 100644
> --- a/mm/damon/sysfs.c
> +++ b/mm/damon/sysfs.c

[ ... ]

> @@ -372,13 +374,15 @@ static int damon_sysfs_targets_add_dirs(struct damon_sysfs_targets *targets,
>  
>  		err = damon_sysfs_target_add_dirs(target);
>  		if (err)
> -			goto out;
> +			goto del_out;
>  
>  		targets_arr[i] = target;
>  		targets->nr++;
>  	}
>  	return 0;
>  
> +del_out:
> +	kobject_del(&target->kobj);
>  out:
>  	damon_sysfs_targets_rm_dirs(targets);
>  	kobject_put(&target->kobj);

[Severity: Medium]
This is a pre-existing issue, but I noticed a similar pattern in
mm/damon/sysfs-schemes.c that seems to be missing a kobject_del() call.

In mm/damon/sysfs-schemes.c:damon_sysfs_schemes_add_dirs():

	err = kobject_init_and_add(&scheme->kobj,
			&damon_sysfs_scheme_ktype, &schemes->kobj,
			"%d", i);
	if (err)
		goto out;
	err = damon_sysfs_scheme_add_dirs(scheme);
	if (err)
		goto out;

	schemes_arr[i] = scheme;
	schemes->nr++;
}
return 0;

out:
	damon_sysfs_schemes_rm_dirs(schemes);
	kobject_put(&scheme->kobj);
	return err;

If damon_sysfs_scheme_add_dirs() fails after a successful
kobject_init_and_add(), we jump to out and call kobject_put() without first
calling kobject_del().

With CONFIG_DEBUG_KOBJECT_RELEASE enabled, could the persisting parent schemes
directory cause an -EEXIST conflict if userspace retries updating nr_schemes?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617144807.91441-1-sj@kernel.org?part=2

Re: [RFC PATCH v1.1 03/11] mm/damon/sysfs-schemes: kobject_del() scheme dirs

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing `kobject_del()` on error path in `damon_sysfs_schemes_add_dirs()` leads to `-EEXIST` sysfs directory creation failures
--

commit 9080a7ab1bab654c1e6a9f081551a9609de62cbf
Author: SeongJae Park <sj@kernel.org>

mm/damon/sysfs-schemes: kobject_del() scheme dirs

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for scheme directories by adding kobject_del() calls.

> diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
> index 329cfd0bbe9f3..37cf6edb54f17 100644
> --- a/mm/damon/sysfs-schemes.c
> +++ b/mm/damon/sysfs-schemes.c
> @@ -2686,6 +2686,7 @@ void damon_sysfs_schemes_rm_dirs(struct damon_sysfs_schemes *schemes)
>  
>  	for (i = 0; i < schemes->nr; i++) {
>  		damon_sysfs_scheme_rm_dirs(schemes_arr[i]);
> +		kobject_del(&schemes_arr[i]->kobj);
>  		kobject_put(&schemes_arr[i]->kobj);
>  	}
>  	schemes->nr = 0;

[Severity: High]
This isn't a bug introduced by this patch, but it appears a similar issue
might still exist in damon_sysfs_schemes_add_dirs() on the error path.

While subsequent patches in this series successfully fixed this exact pattern
for other arrays, it seems damon_sysfs_schemes_add_dirs() might have been
missed.

If kobject_init_and_add() succeeds for a new scheme, but child directory
creation via damon_sysfs_scheme_add_dirs() fails, the code branches to the
out label:

mm/damon/sysfs-schemes.c:damon_sysfs_schemes_add_dirs() {
    ...
		err = kobject_init_and_add(&scheme->kobj,
				&damon_sysfs_scheme_ktype, &schemes->kobj,
				"%d", i);
		if (err)
			goto out;
		err = damon_sysfs_scheme_add_dirs(scheme);
		if (err)
			goto out;
    ...
out:
	damon_sysfs_schemes_rm_dirs(schemes);
	kobject_put(&scheme->kobj);
	return err;
}

Can this lead to the scheme directory lingering in sysfs because kobject_del()
is missing before kobject_put()?

If CONFIG_DEBUG_KOBJECT_RELEASE is enabled, kobject_cleanup() is delayed.
Since the parent persistent schemes directory survives, could a subsequent user
write to resize the array attempt to recreate a directory with the same
numerical ID and result in an -EEXIST conflict?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617144807.91441-1-sj@kernel.org?part=3

Re: [RFC PATCH v1.1 08/11] mm/damon/sysfs: kobject_del() probe dirs

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Medium] Missing `kobject_del()` in the error path of `damon_sysfs_schemes_add_dirs()` leads to deferred sysfs deletion and potential name conflicts.
--

commit 59e78cde42822b1eaae59f38d966ef1a15a1a9b6
Author: SeongJae Park <sj@kernel.org>

mm/damon/sysfs: kobject_del() probe dirs
    
This commit adds missing kobject_del() calls in the cleanup path for data
attribute probe directories. It prevents directory creation failures caused
by name conflicts when CONFIG_DEBUG_KOBJECT_RELEASE is enabled.

> diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
> index 3c349f0fe80f0..5ca45654cdd39 100644
> --- a/mm/damon/sysfs.c
> +++ b/mm/damon/sysfs.c
> @@ -1139,6 +1139,7 @@ static void damon_sysfs_probes_rm_dirs(
>  
>  	for (i = 0; i < probes->nr; i++) {
>  		damon_sysfs_probe_rm_dirs(probes_arr[i]);
> +		kobject_del(&probes_arr[i]->kobj);
>  		kobject_put(&probes_arr[i]->kobj);

[Severity: Medium]
This is a pre-existing issue, but does damon_sysfs_schemes_add_dirs()
in mm/damon/sysfs-schemes.c need a similar fix?

If kobject_init_and_add(&scheme->kobj) succeeds but the subsequent
damon_sysfs_scheme_add_dirs(scheme) fails, the error path drops the
reference without synchronously unregistering the kobject:

mm/damon/sysfs-schemes.c:damon_sysfs_schemes_add_dirs() {
        ...
out:
        damon_sysfs_schemes_rm_dirs(schemes);
        kobject_put(&scheme->kobj);
        return err;
}

Without an explicit kobject_del() here, the cleanup is deferred. If
CONFIG_DEBUG_KOBJECT_RELEASE is enabled, could retrying the operation
fail with -EEXIST due to a name collision?

>  	}
>  	probes->nr = 0;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617144807.91441-1-sj@kernel.org?part=8

Re: [RFC PATCH v1.1 01/11] mm/damon/sysfs: kobject_del() target (normal), context and kdamond dirs

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

Pre-existing issues:
- [High] Memory leak and uninitialized pointer dereference in `damon_sysfs_scheme_add_dirs()` error path due to shifted labels.
- [Medium] Missing `kobject_del()` in `damos_sysfs_probes_rm_dirs()` causes sysfs name conflicts under `CONFIG_DEBUG_KOBJECT_RELEASE`.
- [Medium] Missing `kobject_del()` in `damon_sysfs_schemes_add_dirs()` error path causes sysfs name conflicts.
--

commit ca062d775b58ea3ec065a28f4400047399c0f380
Author: SeongJae Park <sj@kernel.org>

mm/damon/sysfs: kobject_del() target (normal), context and kdamond dirs
    
On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for normal creation paths of target, context and kdamond
directories, and error paths of context and kdamond directories by
adding kobject_del() calls.

Cc: <stable@vger.kernel.org> # 5.18.x

> diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
> index 2e95e3bac774d..dba1c67fc188f 100644
> --- a/mm/damon/sysfs.c
> +++ b/mm/damon/sysfs.c

[ ... ]

> @@ -1642,6 +1643,7 @@ static void damon_sysfs_contexts_rm_dirs(struct damon_sysfs_contexts *contexts)
>  
>  	for (i = 0; i < contexts->nr; i++) {
>  		damon_sysfs_context_rm_dirs(contexts_arr[i]);
> +		kobject_del(&contexts_arr[i]->kobj);
>  		kobject_put(&contexts_arr[i]->kobj);
>  	}
>  	contexts->nr = 0;

[Severity: Medium]
This isn't a bug introduced by this patch, but does damos_sysfs_probes_rm_dirs()
need a similar kobject_del() fix to avoid sysfs name conflicts?

mm/damon/sysfs-schemes.c:damos_sysfs_probes_rm_dirs() {
...
	for (i = 0; i < probes->nr; i++)
		kobject_put(&probes_arr[i]->kobj);
	probes->nr = 0;
...
}

[ ... ]

> @@ -1680,13 +1682,15 @@ static int damon_sysfs_contexts_add_dirs(struct damon_sysfs_contexts *contexts,
>  
>  		err = damon_sysfs_context_add_dirs(context);
>  		if (err)
> -			goto out;
> +			goto del_out;
>  
>  		contexts_arr[i] = context;
>  		contexts->nr++;
>  	}
>  	return 0;
>  
> +del_out:
> +	kobject_del(&context->kobj);
>  out:
>  	damon_sysfs_contexts_rm_dirs(contexts);
>  	kobject_put(&context->kobj);

[Severity: Medium]
This is a pre-existing issue, but does damon_sysfs_schemes_add_dirs() need a
similar kobject_del() fix in its error path?

mm/damon/sysfs-schemes.c:damon_sysfs_schemes_add_dirs() {
...
		err = kobject_init_and_add(&scheme->kobj, ...);
		if (err)
			goto out;
		err = damon_sysfs_scheme_add_dirs(scheme);
		if (err)
			goto out;
...
out:
	damon_sysfs_schemes_rm_dirs(schemes);
	kobject_put(&scheme->kobj);
	return err;
}

If damon_sysfs_scheme_add_dirs() fails after kobject_init_and_add() succeeds,
the out label puts the reference without unlinking it.

Could this cause a directory creation failure on retry under delayed release?

[Severity: High]
This isn't a bug introduced by this patch, but while looking at error paths,
does damon_sysfs_scheme_add_dirs() have an uninitialized pointer dereference
and a resource leak?

mm/damon/sysfs-schemes.c:damon_sysfs_scheme_add_dirs() {
...
	err = damon_sysfs_scheme_set_stats(scheme);
	if (err)
		goto put_filters_watermarks_quotas_access_pattern_out;
	err = damon_sysfs_scheme_set_tried_regions(scheme);
	if (err)
		goto put_tried_regions_out;
	return 0;

put_tried_regions_out:
	kobject_put(&scheme->tried_regions->kobj);
	scheme->tried_regions = NULL;
...
}

If damon_sysfs_scheme_set_tried_regions() fails, the code jumps to
put_tried_regions_out and dereferences scheme->tried_regions. 

Since damon_sysfs_scheme_alloc() allocates memory without zeroing it, won't
this dereference an uninitialized pointer?

Additionally, this jump entirely skips cleaning up the successfully
initialized stats object.

Should there be a put_stats_out cleanup label to avoid leaking it?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617144807.91441-1-sj@kernel.org?part=1

Re: [RFC PATCH v1.1 04/11] mm/damon/sysfs-schemes: kobject_del() scheme region dirs

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] Incomplete fix: `damos_sysfs_probes_rm_dirs()` lacks `kobject_del()` during array updates.
- [High] Missing `kobject_del()` in error paths after successful `kobject_init_and_add()`.
--

commit 092044609406a531b0aee50bbd25500efab8e006
Author: SeongJae Park <sj@kernel.org>
Subject: mm/damon/sysfs-schemes: kobject_del() scheme region dirs

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for scheme region directories by adding kobject_del()
calls.

Link: https://lore.kernel.org/20260517205828.6204-1-sj@kernel.org

> diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
> index 37cf6edb54f17..bf08e6e1f1635 100644
> --- a/mm/damon/sysfs-schemes.c
> +++ b/mm/damon/sysfs-schemes.c
> @@ -334,6 +334,7 @@ static void damon_sysfs_scheme_regions_rm_dirs(
>  	list_for_each_entry_safe(r, next, &regions->regions_list, list) {
>  		damos_sysfs_region_rm_dirs(r);

[Severity: High]
This is a pre-existing issue, but since damos_sysfs_region_rm_dirs()
calls damos_sysfs_probes_rm_dirs(), does damos_sysfs_probes_rm_dirs()
also need to explicitly call kobject_del() to avoid the same name
conflict regressions?

Looking at damos_sysfs_probes_rm_dirs():

mm/damon/sysfs-schemes.c:damos_sysfs_probes_rm_dirs() {
	...
	for (i = 0; i < probes->nr; i++)
		kobject_put(&probes_arr[i]->kobj);
	...
}

If kobject_del() isn't called here prior to kobject_put(), won't delayed
releases under CONFIG_DEBUG_KOBJECT_RELEASE collide with immediate
recreations, leading to -EEXIST failures when retrying probe creation?


[Severity: High]
This isn't a bug introduced by this patch, but does this code also miss
kobject_del() in the error paths after successful kobject_init_and_add()
calls?

In the error paths for directory creation, if kobject_init_and_add()
succeeds but subsequent setup steps fail, should the error rollback
explicitly call kobject_del() before kobject_put() to unlink the
directory?

mm/damon/sysfs-schemes.c:damos_sysfs_region_add_dirs() {
	...
	err = kobject_init_and_add(&probes->kobj, &damos_sysfs_probes_ktype,
			&region->kobj, "probes");
	if (err)
		goto fail;
	err = damos_sysfs_probes_add_dirs(probes, ctx, dregion);
	if (err)
		goto fail;
	...
fail:
	kobject_put(&probes->kobj);
	return err;
}

mm/damon/sysfs-schemes.c:damon_sysfs_schemes_add_dirs() {
	...
		err = kobject_init_and_add(&scheme->kobj,
				&damon_sysfs_scheme_ktype, &schemes->kobj,
				"%d", i);
		if (err)
			goto out;
		err = damon_sysfs_scheme_add_dirs(scheme);
		if (err)
			goto out;
	...
out:
	damon_sysfs_schemes_rm_dirs(schemes);
	kobject_put(&scheme->kobj);
	return err;
}

If kobject_del() is omitted in these error paths, could the directory
remain anchored in sysfs, causing -EEXIST name conflicts on retry
because the array count was not incremented?

>  		list_del(&r->list);
> +		kobject_del(&r->kobj);
>  		kobject_put(&r->kobj);
>  		regions->nr_regions--;
>  	}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617144807.91441-1-sj@kernel.org?part=4

Re: [RFC PATCH v1.1 06/11] mm/damon/sysfs-schemes: kobject_del() scheme quota goal dirs

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing `kobject_del()` in the error path of `damon_sysfs_schemes_add_dirs()`, leading to sysfs directory name conflicts.
--

commit 58717b37ac0466e3caf0f4f4b66fbd823b1faaab
Author: SeongJae Park <sj@kernel.org>

mm/damon/sysfs-schemes: kobject_del() scheme quota goal dirs

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for scheme quota goal directories by adding kobject_del()
calls.

> diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
> index 300930c2c5b3f..737638be84f15 100644
> --- a/mm/damon/sysfs-schemes.c
> +++ b/mm/damon/sysfs-schemes.c
> @@ -1465,8 +1465,10 @@ static void damos_sysfs_quota_goals_rm_dirs(
>  	struct damos_sysfs_quota_goal **goals_arr = goals->goals_arr;
>  	int i;
>  
> -	for (i = 0; i < goals->nr; i++)
> +	for (i = 0; i < goals->nr; i++) {
> +		kobject_del(&goals_arr[i]->kobj);
>  		kobject_put(&goals_arr[i]->kobj);
> +	}
>  	goals->nr = 0;
>  	kfree(goals_arr);
>  	goals->goals_arr = NULL;

[Severity: High]
This isn't a bug introduced by this patch, but it appears the same missing
kobject_del() issue exists in damon_sysfs_schemes_add_dirs().

When damon_sysfs_schemes_add_dirs() fails after successfully calling
kobject_init_and_add() for a new scheme, the error path drops the kobject
reference using kobject_put(), but fails to call kobject_del():

mm/damon/sysfs-schemes.c:damon_sysfs_schemes_add_dirs() {
    ...
		err = kobject_init_and_add(&scheme->kobj,
				&damon_sysfs_scheme_ktype, &schemes->kobj,
				"%d", i);
		if (err)
			goto out;
		err = damon_sysfs_scheme_add_dirs(scheme);
		if (err)
			goto out;
    ...
out:
	damon_sysfs_schemes_rm_dirs(schemes);
	kobject_put(&scheme->kobj);
	return err;
}

Under CONFIG_DEBUG_KOBJECT_RELEASE, the release of the kobject is delayed.
Because the parent kobject is persistent, the scheme directory remains
linked in the sysfs tree until the delay expires.

If a user subsequently retries writing to nr_schemes, could the kernel
attempt to create a new scheme kobject with the same name under the same
parent, triggering a -EEXIST name collision?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617144807.91441-1-sj@kernel.org?part=6

Re: [RFC PATCH v1.1 07/11] mm/damon/sysfs-schemes: kobject_del() scheme action destination dirs

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing kobject_del() in damon_sysfs_schemes_add_dirs() error path causes sysfs name collision
--

commit 34de5330acff239aa85773dbe06b9dce6ee27d61
Author: SeongJae Park <sj@kernel.org>

mm/damon/sysfs-schemes: kobject_del() scheme action destination dirs

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts. Fix
those issues for scheme action destination directories by adding
kobject_del() calls.

Cc: <stable@vger.kernel.org> # 6.17.x

> diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
> index 737638be84f15..108f6de32f8c1 100644
> --- a/mm/damon/sysfs-schemes.c
> +++ b/mm/damon/sysfs-schemes.c
> @@ -2148,8 +2148,10 @@ static void damos_sysfs_dests_rm_dirs(
>  	struct damos_sysfs_dest **dests_arr = dests->dests_arr;
>  	int i;
>  
> -	for (i = 0; i < dests->nr; i++)
> +	for (i = 0; i < dests->nr; i++) {
> +		kobject_del(&dests_arr[i]->kobj);
>  		kobject_put(&dests_arr[i]->kobj);
> +	}
>  	dests->nr = 0;
>  	kfree(dests_arr);
>  	dests->dests_arr = NULL;

[Severity: High]
This isn't a bug introduced by this patch, but does the out: error path in
damon_sysfs_schemes_add_dirs() have a similar issue?

If kobject_init_and_add() succeeds for a new scheme but the subsequent
damon_sysfs_scheme_add_dirs() call fails, it jumps to the out: label:

mm/damon/sysfs-schemes.c:damon_sysfs_schemes_add_dirs() {
...
		err = kobject_init_and_add(&scheme->kobj,
				&damon_sysfs_scheme_ktype, &schemes->kobj,
				"%d", i);
		if (err)
			goto out;
		err = damon_sysfs_scheme_add_dirs(scheme);
		if (err)
			goto out;
...
out:
	damon_sysfs_schemes_rm_dirs(schemes);
	kobject_put(&scheme->kobj);
	return err;
}

Since the failed scheme hasn't been added to schemes_arr yet,
damon_sysfs_schemes_rm_dirs() only cleans up the previously added schemes.
Then kobject_put() is called on the current scheme without a prior
kobject_del().

With CONFIG_DEBUG_KOBJECT_RELEASE enabled, could this omission leave the
newly created sysfs directory intact and cause a name collision (-EEXIST)
if userspace retries creating the schemes shortly after?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617144807.91441-1-sj@kernel.org?part=7

Re: [RFC PATCH v1.1 11/11] mm/damon/sysfs-schemes: kobject_del() region for populate_region error

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing `kobject_del()` in the error path of `damon_sysfs_schemes_add_dirs()` leads to a directory name conflict.
--

commit 49e94fa00bb0dc5e89c773883517ea2c4db5c66b
Author: SeongJae Park <sj@kernel.org>

mm/damon/sysfs-schemes: kobject_del() region for populate_region error

On CONFIG_DEBUG_KOBJECT_RELEASE enabled kernel, lack of kobject_del()
could cause directories creation failures due to the name conflicts.
Fix the issue for tried region directories in the error handling path of
damon_sysfs_populate_region_dir() by adding a kobject_del() call.

Fixes: b574a82d10de ("mm/damon/sysfs-schemes: implement tried_regions/<r>/probes/")
Signed-off-by: SeongJae Park <sj@kernel.org>

> diff --git a/mm/damon/sysfs-schemes.c b/mm/damon/sysfs-schemes.c
> index 108f6de32f8c1..084700e422cd5 100644
> --- a/mm/damon/sysfs-schemes.c
> +++ b/mm/damon/sysfs-schemes.c
[ ... ]
> @@ -3135,12 +3135,14 @@ void damos_sysfs_populate_region_dir(struct damon_sysfs_schemes *sysfs_schemes,
>  				sysfs_regions->nr_regions))
>  		goto out;
>  	if (damos_sysfs_region_add_dirs(region, ctx, r))
> -		goto out;
> +		goto del_out;
>  
>  	list_add_tail(&region->list, &sysfs_regions->regions_list);
>  	sysfs_regions->nr_regions++;
>  	return;
>  
> +del_out:
> +	kobject_del(&region->kobj);
>  out:
>  	kobject_put(&region->kobj);
>  }

[Severity: High]
This isn't a bug introduced by this patch, but does the exact same problem
exist in damon_sysfs_schemes_add_dirs() when damon_sysfs_scheme_add_dirs()
fails?

mm/damon/sysfs-schemes.c:damon_sysfs_schemes_add_dirs():

	for (i = 0; i < nr_schemes; i++) {
		...
		err = kobject_init_and_add(&scheme->kobj,
				&damon_sysfs_scheme_ktype, &schemes->kobj,
				"%d", i);
		if (err)
			goto out;
		err = damon_sysfs_scheme_add_dirs(scheme);
		if (err)
			goto out;

		schemes_arr[i] = scheme;
		schemes->nr++;
	}
	return 0;

out:
	damon_sysfs_schemes_rm_dirs(schemes);
	kobject_put(&scheme->kobj);
	return err;

If damon_sysfs_scheme_add_dirs() fails, the code jumps to the out: label
and skips calling kobject_del(&scheme->kobj) for the scheme that successfully
ran kobject_init_and_add().

Under CONFIG_DEBUG_KOBJECT_RELEASE, this delayed kobject_release() could lead
to a directory name conflict (e.g. "0") if userspace retries writing to
nr_schemes immediately.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617144807.91441-1-sj@kernel.org?part=11

Re: [RFC PATCH v1.1 10/11] mm/damon/sysfs: kobject_del() probe dirs in probes_addd_dir error path

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing kobject_del() in damon_sysfs_schemes_add_dirs() error path causes sysfs name collisions.
--

commit 173cb69d781e9cc64949d93111b81f4c2c036934
Author: SeongJae Park <sj@kernel.org>

mm/damon/sysfs: kobject_del() probe dirs in probes_addd_dir error path

This commit fixes a directory creation failure caused by name conflicts
when CONFIG_DEBUG_KOBJECT_RELEASE is enabled. It adds a missing
kobject_del() call to the error handling path of
damon_sysfs_probes_add_dirs() to properly clean up the kobject before
releasing it.

> diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c
> index 36a0e82601697..ffbc99411f53b 100644
> --- a/mm/damon/sysfs.c
> +++ b/mm/damon/sysfs.c
> @@ -1183,6 +1183,7 @@ static int damon_sysfs_probes_add_dirs(
>  
>  		err = damon_sysfs_probe_add_dirs(probe);
>  		if (err) {
> +			kobject_del(&probe->kobj);

[Severity: High]
This is a pre-existing issue, but does damon_sysfs_schemes_add_dirs() in
mm/damon/sysfs-schemes.c also need a similar fix?

If kobject_init_and_add() succeeds but the subsequent
damon_sysfs_scheme_add_dirs() fails (e.g., due to -ENOMEM), the error
path jumps to the out label:

out:
	damon_sysfs_schemes_rm_dirs(schemes);
	kobject_put(&scheme->kobj);
	return err;

At this point, damon_sysfs_schemes_rm_dirs() only cleans up previously
fully initialized schemes. The current scheme is not yet part of the array,
so kobject_del() is never called for it. 

When CONFIG_DEBUG_KOBJECT_RELEASE is enabled, kobject_put() delays
memory cleanup. Because kobject_del() wasn't called to unlink it from
sysfs, the lingering kobject can cause a name collision on any subsequent
attempt to write to nr_schemes, preventing further scheme creation until
the delayed release occurs.

Should we add kobject_del(&scheme->kobj) in that error path as well?

>  			kobject_put(&probe->kobj);
>  			damon_sysfs_probes_rm_dirs(probes);
>  			return err;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617144807.91441-1-sj@kernel.org?part=10