Re: (sashiko review) [RFC PATCH v5.1 03/11] mm/damon/core: introduce failed region quota charge ratio

[SeongJae Park <sj@kernel.org>]

TL; DR: sashiko found no blocker for this patch.

Forwarding full sashiko review in a reply format with my inline comments below,
for sharing details of my view and doing followup discussions via mails if
needed.

> # review url: https://sashiko.dev/#/patchset/20260411164908.77189-4-sj@kernel.org
> # start of sashiko.dev inline review
> commit cb228850cc3bb33cac86cdc674c79e2557af28a8
> Author: SeongJae Park <sj@kernel.org>
> 
> mm/damon/core: introduce failed region quota charge ratio
> 
> This commit introduces a DAMON core API to set the charge ratio for
> action-failed memory. It allows API callers to specify the ratio flexibly
> using a numerator and denominator to avoid charging failed memory the same
> as successfully applied memory.
> 
> > diff --git a/mm/damon/core.c b/mm/damon/core.c
> > index d04a107df7cfa..3398faeaa4350 100644
> > --- a/mm/damon/core.c
> > +++ b/mm/damon/core.c
> 
> [ ... ]
> 
> > @@ -2041,6 +2043,23 @@ static void damos_walk_cancel(struct damon_ctx *ctx)
> >  	mutex_unlock(&ctx->walk_control_lock);
> >  }
> >  
> > +static void damos_charge_quota(struct damos_quota *quota,
> > +		unsigned long sz_region, unsigned long sz_applied)
> > +{
> > +	/*
> > +	 * sz_applied could be bigger than sz_region, depending on ops
> > +	 * implementation of the action, e.g., damos_pa_pageout().  Charge only
> > +	 * the region size in the case.
> > +	 */
> > +	if (!quota->fail_charge_denom || sz_applied > sz_region)
> > +		quota->charged_sz += sz_region;
> > +	else
> > +		quota->charged_sz += sz_applied + mult_frac(
> > +				(sz_region - sz_applied),
> > +				quota->fail_charge_num,
> > +				quota->fail_charge_denom);
> 
> Could the mult_frac() calculation silently overflow here?
> 
> The fail_charge_num and fail_charge_denom variables are user-controlled
> unsigned int parameters without bounds checking. The mult_frac(x, numer, denom)
> macro evaluates as quot * numer + (rem * numer) / denom, using the type of x,
> which is unsigned long in this case.
> 
> On a 32-bit architecture, if a user configures a fine-grained ratio like
> 1000000 / 1000000, the remainder could be up to 999999. The intermediate
> calculation for rem * numer would evaluate to nearly 10^12, which overflows
> the 32-bit limit.
> 
> Similarly, on 64-bit architectures, setting fail_charge_num to a very
> large value like UINT_MAX could cause the quot * numer operation to exceed
> the 64-bit limit for large memory regions.
> 
> If an overflow occurs, it would severely under-account the charged size,
> breaking the quota enforcement in damos_quota_is_full() and allowing the
> scheme to silently bypass its configured action limits.
> 
> Does this code need bounds checking for the numerator and denominator, or
> should it use a safer math helper to prevent the quota bypass?

Same sashiko question to the previous patch.  My answer is also same.  I will
keep this as is in favor of simplicity.

> 
> > +}
> 
> 
> # end of sashiko.dev inline review
> # review url: https://sashiko.dev/#/patchset/20260411164908.77189-4-sj@kernel.org


Thanks,
SJ

# hkml [1] generated a draft of this mail.  You can regenerate
# this using below command:
#
#     hkml patch sashiko_dev --for_forwarding \
#             20260411164908.77189-4-sj@kernel.org
#
# [1] https://github.com/sjp38/hackermail