* [PATCH] cgroup: ensure stable pid sorting in cmppid()
From: Kaushlendra Kumar @ 2026-02-21 3:49 UTC (permalink / raw)
To: tj, hannes, mkoutny; +Cc: cgroups, Kaushlendra Kumar
The subtraction-based comparator (a - b) in cmppid() can
overflow for large pid_t differences, producing incorrect
sign values. This breaks qsort() ordering guarantees and
may cause unstable or wrong sort results in pidlist output.
Replace with a three-way comparison idiom:
(a > b) - (a < b)
This reliably returns -1, 0, or +1 without overflow,
ensuring correct and stable qsort() behavior for all
pid_t values.
Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
---
kernel/cgroup/cgroup-v1.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 724950c4b690..7fdfa37aaa5f 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -281,7 +281,10 @@ static int pidlist_uniq(pid_t *list, int length)
*/
static int cmppid(const void *a, const void *b)
{
- return *(pid_t *)a - *(pid_t *)b;
+ pid_t pa = *(pid_t *)a;
+ pid_t pb = *(pid_t *)b;
+
+ return (pa > pb) - (pa < pb);
}
static struct cgroup_pidlist *cgroup_pidlist_find(struct cgroup *cgrp,
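Review bot: both added locals in cmppid() are initialised through (pid_t *) casts, which drop the const qualifier of the const void * parameters; since these lines are being rewritten anyway, read them as *(const pid_t *)a and *(const pid_t *)b. The changelog should also say which pid_t values can reach this comparator, because the overflow it describes depends on the operands being far enough apart for a - b to leave the int range, and nothing in the hunk shows that they can be. The subject's "stable" is misleading as well: a three-way comparison makes the result sign correct, it does not make qsort()-style sorting stable.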
--
2.34.1
* Re: [PATCH] cgroup: ensure stable pid sorting in cmppid()
From: Tejun Heo @ 2026-02-21 5:00 UTC (permalink / raw)
To: Kaushlendra Kumar; +Cc: hannes, mkoutny, cgroups
Hello,
On Sat, Feb 21, 2026 at 09:19:07AM +0530, Kaushlendra Kumar wrote:
> The subtraction-based comparator (a - b) in cmppid() can
> overflow for large pid_t differences, producing incorrect
> sign values. This breaks qsort() ordering guarantees and
> may cause unstable or wrong sort results in pidlist output.
Can you give examples of such an overflow? What values would cause that?
Thanks.
--
tejun
* RE: [PATCH] cgroup: ensure stable pid sorting in cmppid()
From: Kumar, Kaushlendra @ 2026-02-21 5:45 UTC (permalink / raw)
To: Tejun Heo; +Cc: hannes@cmpxchg.org, mkoutny@suse.com, cgroups@vger.kernel.org
> Can you give examples of such an overflow? What values
> would cause that?
pid_t is a signed 32-bit integer. Consider:
a = 2147483647 (INT_MAX, 0x7FFFFFFF)
b = -1
a - b = 2147483647 - (-1) = 2147483648
This overflows signed int32, wrapping to a big negative value.
In practice, pid_t values in Linux are positive, so this
overflow cannot happen with real PIDs today. However, the
subtraction pattern is a known antipattern for comparison
functions, and using the three-way idiom is safer (less,
greater and equal).
If you prefer, I can adjust the commit message to note
that this is a correctness hardening rather than a fix
for a currently triggerable bug.
BR,
Kaushlendra
* Re: [PATCH] cgroup: ensure stable pid sorting in cmppid()
From: Tejun Heo @ 2026-02-21 6:55 UTC (permalink / raw)
To: Kumar, Kaushlendra
Cc: hannes@cmpxchg.org, mkoutny@suse.com, cgroups@vger.kernel.org
On Sat, Feb 21, 2026 at 05:45:03AM +0000, Kumar, Kaushlendra wrote:
> > Can you give examples of such an overflow? What values
> > would cause that?
>
> pid_t is a signed 32-bit integer. Consider:
>
> a = 2147483647 (INT_MAX, 0x7FFFFFFF)
> b = -1
>
> a - b = 2147483647 - (-1) = 2147483648
>
> This overflows signed int32, wrapping to a big negative value.
>
> In practice, pid_t values in Linux are positive
and limited to PID_MAX_LIMIT (4mil).
> , so this overflow cannot happen with real PIDs
> today. However, the subtraction pattern is a known
> antipattern for comparison functions, and using the
> three-way idiom is safer (less, greater and equal).
It's a bigger anti pattern to complicate code for non-existent problems.
Thanks.
--
tejun
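
The two positions in this thread can be checked side by side. The following is an added example, not code from the patch or from the kernel: it models pid_t as int32_t, computes what a wrapping 32-bit `a - b` would yield without executing the overflow itself, and assumes 4 * 1024 * 1024 for the "PID_MAX_LIMIT (4mil)" bound quoted above. All function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: stands in for the "PID_MAX_LIMIT (4mil)" bound from the thread. */
#define DEMO_PID_MAX_LIMIT (4 * 1024 * 1024)

/* Value a wrapping 32-bit "a - b" would produce, computed in 64 bits so the
 * demonstration itself never performs a signed overflow. */
static int32_t sub_cmp_wrapped(int32_t a, int32_t b)
{
	int64_t d = (int64_t)a - (int64_t)b;

	if (d > INT32_MAX)
		d -= (int64_t)1 << 32;
	else if (d < INT32_MIN)
		d += (int64_t)1 << 32;
	return (int32_t)d;
}

/* The three-way idiom proposed in the patch: always -1, 0 or +1. */
static int three_way(int32_t a, int32_t b)
{
	return (a > b) - (a < b);
}

/* 1 if the subtraction comparator gives the same ordering as three_way(). */
static int sub_cmp_agrees(int32_t a, int32_t b)
{
	int32_t d = sub_cmp_wrapped(a, b);

	return ((d > 0) - (d < 0)) == three_way(a, b);
}

/* 1 if a - b fits in int32_t for every a, b in [lo, hi]; the extremes
 * hi - lo and lo - hi are the worst cases, so checking the span suffices. */
static int range_is_safe(int32_t lo, int32_t hi)
{
	return (int64_t)hi - (int64_t)lo <= INT32_MAX;
}

int main(void)
{
	printf("INT32_MAX vs -1: wrapped a-b = %d, three-way = %d\n",
	       sub_cmp_wrapped(INT32_MAX, -1), three_way(INT32_MAX, -1));
	printf("safe over [0, %d]: %d\n", DEMO_PID_MAX_LIMIT,
	       range_is_safe(0, DEMO_PID_MAX_LIMIT));
	printf("safe over [-1, INT32_MAX]: %d\n", range_is_safe(-1, INT32_MAX));
	return 0;
}
```
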