From: SeongJae Park
To: Andrew Morton
Cc: SeongJae Park, "# 6 . 11 . x", damon@lists.linux.dev, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH] mm/damon/core: always put unsuccessfully committed target pids
Date: Thu, 4 Jun 2026 18:38:48 -0700
Message-ID: <20260605013849.83750-1-sj@kernel.org>

damon_commit_target() puts and gets the destination and the source
target pids.  It puts the destination target pid because it will be
overwritten by the source target pid.  It gets the source pid because
the caller is supposed to eventually put the pids.  In more detail, the
caller will call damon_destroy_ctx() after damon_commit_ctx() to destroy
the entire source context.  And in this case, [f]vaddr operation set's
cleanup_target() callback will put the pids.

The commit operation is made at the context level.  The operation can
fail in multiple places including in the middle and after the targets
commit operations.  For any such failures, immediately the error is
returned to the damon_commit_ctx() caller.

If some or all of the source target pids were committed to the
destination during the unsuccessful context commit attempt, those pids
should be put twice.  The source context will do the put operations
using the above explained routine.  However, let's suppose the
destination context was not originally using [f]vaddr operation set and
the commit failed before the ops of the source context is committed.
The destination does not have the cleanup_target() ops callback, so it
cannot put the pids via the damon_destroy_ctx().  As a result, the pids
are leaked.

The issue in the real world would be not very common.  The commit
feature is for changing parameters of running DAMON context while
inheriting internal status like the monitoring results.  The monitoring
results of a physical address range don't have things that are
beneficial to be inherited to a virtual address ranges monitoring.  So
the problem-causing DAMON control would be not very common in the real
world.  That said, it is a supported feature.  And damon_commit_target()
failure due to memory allocation is relatively realistic [1] if there
are a huge number of target regions.

Fix by putting the pids in the commit operation in case of the failures.

The issue was discovered [2] by Sashiko.

[1] https://lore.kernel.org/20260603112306.58490-1-akinobu.mita@gmail.com
[2] https://lore.kernel.org/20260320020056.835-1-sj@kernel.org

Fixes: 83dc7bbaecae ("mm/damon/sysfs: use damon_commit_ctx()")
Cc: # 6.11.x
Signed-off-by: SeongJae Park
---
Changes from RFC v1.1
- rfc v1.1: https://lore.kernel.org/20260604143514.84310-1-sj@kernel.org
- Rebase to latest mm-new.
- Drop RFC tag.
Changes from RFC
- rfc: https://lore.kernel.org/20260604042349.67720-1-sj@kernel.org
- Check destination cleanup availability using the cleanup callback.
- Do the cleanup for all commit failure points in [targets commit, ops
  commit] scope.
- Wordsmith the commit message.
- Add 'Fixes:' and Cc: stable@.

 mm/damon/core.c | 55 ++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 47 insertions(+), 8 deletions(-)

diff --git a/mm/damon/core.c b/mm/damon/core.c index 265d51ade25bf..7e4b9affc5b06 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c
@@ -1387,10 +1387,36 @@ static int damon_commit_target( return 0; } =20 +/* + * damon_revert_target_commits() - revert unsuccessful target commits. + * @dst: Commit destination context + * @failed: Commit failed destination target + * @src: Commit source context + * + * Revert target states that changed by damon_commit_target(), and cannot = be + * cleaned up by the destination context's ops.cleanup_target(). + */ +static void damon_revert_target_commits(struct damon_ctx *dst, + struct damon_target *failed, struct damon_ctx *src) +{ + struct damon_target *target; + + if (!damon_target_has_pid(src)) + return; + if (dst->ops.cleanup_target) + return; + damon_for_each_target(target, dst) { + if (target =3D=3D failed) + return; + put_pid(target->pid); + } +} + static int damon_commit_targets( struct damon_ctx *dst, struct damon_ctx *src) { struct damon_target *dst_target, *next, *src_target, *new_target; + struct damon_target *failed; int i =3D 0, j =3D 0, err; =20 damon_for_each_target_safe(dst_target, next, dst) { @@ -1404,8 +1430,10 @@ static int damon_commit_targets( dst_target, damon_target_has_pid(dst), src_target, damon_target_has_pid(src), src->min_region_sz); - if (err) - return err; + if (err) { + failed =3D dst_target; + goto out; + } } else { struct damos *s; =20 
@@ -1419,25 +1447,34 @@ static int damon_commit_targets( } } =20 + failed =3D NULL; damon_for_each_target_safe(src_target, next, src) { if (j++ < i) continue; /* target to remove has no matching dst */ - if (src_target->obsolete) - return -EINVAL; + if (src_target->obsolete) { + err =3D -EINVAL; + goto out; + } new_target =3D damon_new_target(); - if (!new_target) - return -ENOMEM; + if (!new_target) { + err =3D -ENOMEM; + goto out; + } err =3D damon_commit_target(new_target, false, src_target, damon_target_has_pid(src), src->min_region_sz); if (err) { damon_destroy_target(new_target, NULL); - return err; + goto out; } damon_add_target(dst, new_target); } return 0; + +out: + damon_revert_target_commits(dst, failed, src); + return err; } =20 static void damon_commit_filter(struct damon_filter *dst, @@ -1571,8 +1608,10 @@ int damon_commit_ctx(struct damon_ctx *dst, struct d= amon_ctx *src) */ if (!damon_attrs_equals(&dst->attrs, &src->attrs)) { err =3D damon_set_attrs(dst, &src->attrs); - if (err) + if (err) { + damon_revert_target_commits(dst, NULL, src); return err; + } } dst->pause =3D src->pause; dst->ops =3D src->ops; base-commit: f499b8d2253d32f4ea1e16198f348e6259cc14ca --=20 2.47.3
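
Review bot: In damon_revert_target_commits(), put_pid(target->pid) drops the reference but leaves the pointer stored in target->pid, so each reverted destination target keeps a pid pointer it no longer holds a reference on. Consider clearing it after the put (target->pid = NULL), or stating in the kernel-doc comment why a destination without ops.cleanup_target never reads that field. In the same comment, "that changed by" reads better as "that were changed by".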
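
Review bot: The `failed = dst_target; goto out;` path in the first loop of damon_commit_targets() makes the revert stop before the failed target, which is only correct if damon_commit_target() never takes the source pid reference on a call that returns an error. That function's body is not touched by this patch, so a one-line comment at this error path stating the assumption would keep the two in step if a failure point is ever added after the pid swap.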
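
Review bot: `failed` is declared without an initializer and only becomes NULL at the `failed = NULL;` statement between the two loops of damon_commit_targets(), so every `goto out` in the second loop depends on that single line staying where it is. Initializing at the declaration (`struct damon_target *failed = NULL;`) would make "no failed destination target" the default and let the mid-function assignment go. The damon_destroy_target(new_target, NULL) path also relies on the new target holding no pid reference when damon_commit_target() fails, which deserves the same short comment as the first loop.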
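
Review bot: The damon_revert_target_commits(dst, NULL, src) call in the damon_set_attrs() error path of damon_commit_ctx() is correct only because it runs before `dst->ops = src->ops;`, since the helper decides whether to put the pids by testing dst->ops.cleanup_target. A short comment on that ordering would help, and routing this error path through a shared label would avoid repeating the revert call if another failure point is added before the ops assignment.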
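
The reference imbalance described in the commit message, as an added userspace model in C that is not part of the patch or the kernel source. `struct pid`, `struct ctx`, `leaked_refs()` and the three-target setup are constructed stand-ins, and the commit is assumed to fail after `committed` targets but before the ops are copied.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model constructed for illustration; not kernel code. */
struct pid { int refs; };           /* stand-in for a refcounted struct pid */
struct ctx {
	struct pid *target_pid[3];  /* one pid pointer per target */
	bool has_pid;               /* models damon_target_has_pid() */
	bool has_cleanup;           /* models ops.cleanup_target being set */
};
static void get_pid(struct pid *p) { p->refs++; }
static void put_pid(struct pid *p) { p->refs--; }

/* Target commit as the message describes it: put dst's pid, get src's pid. */
static void commit_target(struct ctx *dst, struct ctx *src, int i)
{
	if (dst->has_pid) put_pid(dst->target_pid[i]);
	if (src->has_pid) get_pid(src->target_pid[i]);
	dst->target_pid[i] = src->target_pid[i];
}

/* Context destruction puts the pids only through the cleanup callback. */
static void destroy_ctx(struct ctx *c)
{
	for (int i = 0; c->has_cleanup && i < 3; i++)
		put_pid(c->target_pid[i]);
}

/* Commit `committed` targets, fail before ops are copied, destroy both. */
static int leaked_refs(int committed, bool revert)
{
	struct pid pids[3] = { {1}, {1}, {1} };  /* src owns one reference each */
	struct ctx src = { { &pids[0], &pids[1], &pids[2] }, true, true };
	struct ctx dst = { { NULL, NULL, NULL }, false, false };
	int i, leaked = 0;
	for (i = 0; i < committed; i++)
		commit_target(&dst, &src, i);
	for (i = 0; revert && !dst.has_cleanup && i < committed; i++)
		put_pid(dst.target_pid[i]);      /* revert step the patch adds */
	destroy_ctx(&src);
	destroy_ctx(&dst);
	for (i = 0; i < 3; i++)
		leaked += pids[i].refs;
	return leaked;
}

int main(void)
{
	printf("leaked without revert: %d, with: %d\n", leaked_refs(2, false), leaked_refs(2, true));
	return 0;
}
```

Each committed target leaves one reference behind when the destination has no cleanup callback, and the revert step brings the count back to zero.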