mm/damon/core: cancel damos_walk() before damon_ctx->kdamond reset

damos_walk() request is canceled after damon_ctx->kdamond is reset.  This
can make weird situations where damon_is_running() returns false but the
DAMON context has the damos_walk() request linked.  There was a similar
situation for damon_call() requests handling [1], which _was_ able to
cause a racy use-after-free bug.  Unlike the case of damon_call(), because
damos_walk() is always synchronously handled and allows only single
request at time, there is no such problematic race cases.  But, keeping it
as is could stem another subtle race condition bug in future.

Avoid that by cancelling the requests before the ->kdamond reset.  Note
that this change also makes all damon_ctx dependent resource cleanups
consistently done before the damon_ctx->kdamond reset.

Link: https://lkml.kernel.org/r/20260117175256.82826-4-sj@kernel.org
Link: https://lore.kernel.org/20251230014532.47563-1-sj@kernel.org
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/mm/damon/core.c b/mm/damon/core.c
index 0c8ac11a49f92232a5d0d93c8d7ed216b2c211c6..0bed937b1dcece5bfc5d22db530098b3477fecf5 100644 (file)
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -2856,14 +2856,13 @@ done:
 
        kfree(ctx->regions_score_histogram);
        kdamond_call(ctx, true);
+       damos_walk_cancel(ctx);
 
        pr_debug("kdamond (%d) finishes\n", current->pid);
        mutex_lock(&ctx->kdamond_lock);
        ctx->kdamond = NULL;
        mutex_unlock(&ctx->kdamond_lock);
 
-       damos_walk_cancel(ctx);
-
        mutex_lock(&damon_lock);
        nr_running_ctxs--;
        if (!nr_running_ctxs && running_exclusive_ctxs)