From: sashiko-bot@kernel.org
To: "SeongJae Park" <sj@kernel.org>
Cc: damon@lists.linux.dev
Subject: Re: [RFC PATCH v1.3 05/18] mm/damon/core: use damon_nr_accesses_mvsum() in __damos_valid_target()
Date: Mon, 22 Jun 2026 14:37:24 +0000
Message-ID: <20260622143724.A7CCA1F000E9@smtp.kernel.org>
In-Reply-To: <20260622142139.30269-6-sj@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] 32-bit integer overflow in damon_nr_accesses_mvsum() leads to incorrect region access frequency scores.
--

commit 31c0062dc1352032d1779ac0035b6e2cd5a7461a
Author: SeongJae Park <sj@kernel.org>

mm/damon/core: use damon_nr_accesses_mvsum() in __damos_valid_target()

This commit changes __damos_valid_target() to use damon_nr_accesses_mvsum()
instead of reading the nr_accesses_bp field directly. This provides a more
error-tolerant moving sum access score for DAMOS scheme logic.

> diff --git a/mm/damon/core.c b/mm/damon/core.c
> index 8a7351b4a27c2..b9d47599f5cbc 100644
> --- a/mm/damon/core.c
> +++ b/mm/damon/core.c
> @@ -2128,10 +2128,11 @@ static void kdamond_tune_intervals(struct damon_ctx *c)
>  	damon_set_attrs(c, &new_attrs);
>  }
>  
> -static bool __damos_valid_target(struct damon_region *r, struct damos *s)
> +static bool __damos_valid_target(struct damon_region *r, struct damos *s,
> +		struct damon_ctx *c)
>  {
>  	unsigned long sz;
> -	unsigned int nr_accesses = r->nr_accesses_bp / 10000;
> +	unsigned int nr_accesses = damon_nr_accesses_mvsum(r, c);

[Severity: High]
Does this introduction of damon_nr_accesses_mvsum() expose an integer overflow
on 32-bit systems?

When calculating the access frequency score, damon_nr_accesses_mvsum() calls
mult_frac() which performs an intermediate multiplication:

mm/damon/core.c:damon_nr_accesses_mvsum() {
    ...
	left_window_bp = mult_frac(left_window, 10000, window_len);
    ...
}

If a large tracking window is configured, for instance with an aggr_interval
of 1,000,000 us and a sample_interval of 1 us, window_len becomes 1,000,000
and left_window can reach up to 999,999.

The intermediate multiplication for mult_frac() uses the type of left_window,
which is unsigned long. On 32-bit architectures, this intermediate value
(e.g., 999,999 * 10000 = 9,999,990,000) exceeds the 32-bit maximum of
ULONG_MAX (4,294,967,295), causing a silent wrap-around.

This results in a completely incorrect left_window_bp value and drastically
undervalues the access frequency of memory regions.

Since __damos_valid_target() directly ingests this faulty access score, could
this regression lead DAMOS schemes to inappropriately skip highly active memory
regions and break memory reclamation or migration mechanisms on 32-bit systems?

>  
>  	sz = damon_sz_region(r);
>  	return s->pattern.min_sz_region <= sz &&
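
Review bot: the nr_accesses initialiser in __damos_valid_target() drops the
"/ 10000" scaling that turned nr_accesses_bp into an access count, so the
rest of the function now depends on the unit and range of whatever
damon_nr_accesses_mvsum(r, c) returns. Please say in the commit message or
in a comment next to the assignment that the helper returns a count in the
same unit as the old nr_accesses_bp / 10000 and that its result fits the
unsigned int it is stored in. The new struct damon_ctx *c parameter also
changes the function signature and no call site is visible in this hunk, so
make sure every caller is updated in this same patch to keep the series
bisectable.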

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260622142139.30269-1-sj@kernel.org?part=5
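
The wrap-around described in the review above, as an added example that is not part of the original message or of the kernel source. It uses uint32_t to stand in for a 32-bit unsigned long; the quotient/remainder form of mult_frac_u32() and the helper names are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code: uint32_t plays the role of a 32-bit
 * unsigned long. The quotient/remainder split is how mult_frac() is assumed
 * to evaluate x * n / d. */
static uint32_t mult_frac_u32(uint32_t x, uint32_t n, uint32_t d)
{
	uint32_t q = x / d;
	uint32_t r = x % d;

	/* r * n is the intermediate product; it wraps modulo 2^32 */
	return q * n + r * n / d;
}

/* Same scaling with the product widened to 64 bits before the division. */
static uint32_t mult_frac_wide(uint32_t x, uint32_t n, uint32_t d)
{
	return (uint32_t)(((uint64_t)x * n) / d);
}

/* Smallest remainder whose product with n no longer fits in 32 bits. */
static uint32_t first_wrapping_remainder(uint32_t n)
{
	return UINT32_MAX / n + 1;
}

int main(void)
{
	/* Values from the review: aggr_interval 1,000,000 us, sample_interval
	 * 1 us, so window_len is 1,000,000 and left_window peaks at 999,999. */
	const uint32_t window_len = 1000000, left_window = 999999, bp = 10000;
	uint32_t edge = first_wrapping_remainder(bp);

	printf("32-bit intermediate: %" PRIu32 " bp\n",
	       mult_frac_u32(left_window, bp, window_len));
	printf("64-bit intermediate: %" PRIu32 " bp\n",
	       mult_frac_wide(left_window, bp, window_len));
	printf("first wrapping left_window: %" PRIu32 "\n", edge);
	printf("just below / at the edge: %" PRIu32 " / %" PRIu32 " bp\n",
	       mult_frac_u32(edge - 1, bp, window_len),
	       mult_frac_u32(edge, bp, window_len));
	return 0;
}
```

Because left_window is always smaller than window_len, the quotient term is zero and the whole result comes from the remainder product, which is why the split form gives no protection in this configuration.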
