Linux-mm Archive on lore.kernel.org
From: SeongJae Park <sj@kernel.org>
Cc: SeongJae Park <sj@kernel.org>,
	"# 6 . 16 . x" <stable@vger.kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	damon@lists.linux.dev, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org
Subject: [RFC PATCH v2 2/2] samples/damon/mtier: handle damon_stop() failure
Date: Tue,  9 Jun 2026 07:21:17 -0700	[thread overview]
Message-ID: <20260609142119.68120-3-sj@kernel.org> (raw)
In-Reply-To: <20260609142119.68120-1-sj@kernel.org>

damon_sample_mtier_stop() assumes its damon_stop() call will always
successfully stop the two DAMON contexts.  Hence it deallocates the two
DAMON contexts after the damon_stop() call.  However, if a given context
is already stopped, damon_stop() fails and returns an error while
letting the DAMON contexts that have not yet stopped keep running.  This
kind of unexpected early DAMON context stop could happen due to memory
allocation failures in kdamond_fn().  Because damon_sample_mtier_stop()
just deallocates all DAMON contexts with the damon_target and damon_region
objects that are linked to the contexts, the execution of the unstopped
DAMON context (kdamond) ends up using the memory that was freed
(use-after-free).  Fix the issue by separating the damon_stop() call to be
invoked per context.

Note that DAMON_SYSFS also allows execution of multiple DAMON contexts.
But it calls damon_stop() for each context one by one.  Hence this
issue is only in mtier.

For the long term, it would be better to refactor damon_stop() to always
ensure stopping all contexts regardless of the failures in the middle.
Make this fix in the current way, though, to keep it simple and easy to
backport.  I will do the refactoring later.

The issue was discovered [1] by Sashiko.

[1] https://lore.kernel.org/20260609014219.3013-1-sj@kernel.org

Fixes: 82a08bde3cf7 ("samples/damon: implement a DAMON module for memory tiering")
Cc: <stable@vger.kernel.org> # 6.16.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 samples/damon/mtier.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/samples/damon/mtier.c b/samples/damon/mtier.c
index 66b591f2180fa..faaaaa12e6206 100644
--- a/samples/damon/mtier.c
+++ b/samples/damon/mtier.c
@@ -199,7 +199,8 @@ static int damon_sample_mtier_start(void)
 
 static void damon_sample_mtier_stop(void)
 {
-	damon_stop(ctxs, 2);
+	damon_stop(ctxs, 1);
+	damon_stop(&ctxs[1], 1);
 	damon_destroy_ctx(ctxs[0]);
 	damon_destroy_ctx(ctxs[1]);
 }
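Review bot: both damon_stop() return values in damon_sample_mtier_stop() are still discarded, so a reader of this function cannot tell that ignoring the error is deliberate; since the commit message explains that a failure here means the context had already stopped on its own (e.g. after an allocation failure in kdamond_fn()) and that the context must be destroyed regardless, a one-line comment above the two calls stating that would document the intent and stop someone from "fixing" it back into a single call later. As a style nit, `damon_stop(ctxs, 1);` and `damon_stop(&ctxs[1], 1);` would read more symmetrically as `damon_stop(&ctxs[0], 1);` and `damon_stop(&ctxs[1], 1);`, mirroring the `ctxs[0]` / `ctxs[1]` pair in the destroy calls below them.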
-- 
2.47.3
