Date: Thu, 26 Mar 2026 16:49:34 +0900
From: "Harry Yoo (Oracle)"
To: Qi Zheng
Cc: hannes@cmpxchg.org, hughd@google.com, mhocko@suse.com,
    roman.gushchin@linux.dev, shakeel.butt@linux.dev, muchun.song@linux.dev,
    david@kernel.org, lorenzo.stoakes@oracle.com, ziy@nvidia.com,
    yosry.ahmed@linux.dev, imran.f.khan@oracle.com,
    kamalesh.babulal@oracle.com, axelrasmussen@google.com, yuanchu@google.com,
    weixugc@google.com, chenridong@huaweicloud.com, mkoutny@suse.com,
    akpm@linux-foundation.org, hamzamahfooz@linux.microsoft.com,
    apais@linux.microsoft.com, lance.yang@linux.dev, bhe@redhat.com,
    usamaarif642@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org,
    Qi Zheng
Subject: Re: [PATCH 2/3] mm: memcontrol: correct the parameter type of __mod_memcg{_lruvec}_state()

On Wed, Mar 25, 2026 at 10:43:58AM +0900, Harry Yoo (Oracle) wrote:
> On Tue, Mar 24, 2026 at 07:31:28PM +0800, Qi Zheng wrote:
> > @@ -784,7 +784,7 @@ static int memcg_page_state_unit(int item); > > * Normalize the value passed into memcg_rstat_updated() to be in pages. Round > > * up non-zero sub-page updates to 1 page as zero page updates are ignored. > > */ > > -static int memcg_state_val_in_pages(int idx, int val) > > +static long memcg_state_val_in_pages(int idx, long val) > > { > > int unit = memcg_page_state_unit(idx);
>
> Sashiko AI made an interesting argument [1] that this could lead to
> incorrectly returning a very large positive number. Let me verify that.
>
> [1] https://sashiko.dev/#/patchset/cover.1774342371.git.zhengqi.arch%40bytedance.com
>
> Sashiko wrote:
> > Does this change inadvertently break the handling of negative byte-sized
> > updates?
> > Looking at the rest of the function:
> >     if (!val || unit == PAGE_SIZE)
> >         return val;
> >     else
> >         return max(val * unit / PAGE_SIZE, 1UL);
>
> > PAGE_SIZE is defined as an unsigned long.
>
> Right, it's defined as 1UL << PAGE_SHIFT.
>
> > When val is negative, such as during uncharging of byte-sized stats like
> > MEMCG_ZSWAP_B, the expression val * unit is a negative long.
>
> Right.
>
> > Dividing a signed long by an unsigned long causes the signed long to be
> > promoted to unsigned before division,
>
> Right.
>
> > resulting in a massive positive
> > number instead of a small negative one.
>
> Let's look at an example (assuming unit is 1).
>
> val = val * unit = -16384 (-16 KiB)
> val * unit / PAGE_SIZE = 0xFFFFFFFFFFFFC000 / PAGE_SIZE = 0x3FFFFFFFFFFFFF
> max(0x3FFFFFFFFFFFFF, 1UL) = 0x3FFFFFFFFFF
>
> Yeah, that's a massive positive number.
>
> Hmm but how did it work when it was int?

Oops, I was about to say...

"Oh, doesn't patch 4/4 in v2 need to have
Fixes: 7bd5bc3ce963 ("mm: memcg: normalize the value passed into memcg_rstat_updated()") ???"

but then I realized that I made a silly mistake here.
> val = val * unit = -16384 (-16KiB)
> val * unit / PAGE_SIZE = 0xFFFFFFFFFFFFC000 / PAGE_SIZE = 0x3FFFFFFFFFFFFF

Err, I should have divided it by 0x1000, not 0x4096.

val * unit / PAGE_SIZE = 0xFFFFFFFFFFFFC000 / 0x1000 = 0xFFFFFFFFFFFFC
max(val * unit / PAGE_SIZE, 1UL) = 0xFFFFFFFFFFFFC
(int)0xFFFFFFFFFFFFC = -4.

> max(val * unit / PAGE_SIZE, 1UL) = 0x3FFFFFFFFFFFFF
> (int)0x3FFFFFFFFFFFFF = 0xFFFFFFFF = (-1)
>
> That's incorrect. It should have been -4?

So that was correct. The existing logic produces an accurate number
(intended or not) as it is right-shifted to only PAGE_SHIFT bits and
truncated to int. The existing logic is fine, it'll only be a problem
when it's not truncated to int.

> > Before this change, the function returned an int, which implicitly truncated
> > the massive unsigned 64-bit result to a 32-bit int, accidentally yielding the
> > correct negative arithmetic value.
>
> So... "accidentally yielding the correct negative arithmetic value"
> is wrong.

I was wrong, not sashiko!

> Sounds like it's been subtly broken even before this patch and nobody
> noticed.

No, it's not.

--
Cheers,
Harry / Hyeonggon
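
Review bot: the "+static long memcg_state_val_in_pages(int idx, long val)" line in the quoted hunk widens the return type, but the return path quoted further down the thread, "return max(val * unit / PAGE_SIZE, 1UL);", still divides by an unsigned long. For a negative val the quotient is then no longer truncated to int on return, so it stays a large positive value. Suggest doing the division in signed arithmetic (or on the magnitude, restoring the sign afterwards) in the same patch, and extending the comment above the function to say how negative updates are normalized.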
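
The arithmetic worked through in this message, as an added user-space example (not code from the thread or from the kernel). It assumes a 4 KiB page, uses int64_t/uint64_t to stand in for long/unsigned long on a 64-bit build, and the names pages_int, pages_long and pages_signed are hypothetical; pages_signed is one possible sign-preserving form, not the fix proposed in the series.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the quoted return path; PAGE_SIZE is unsigned,
 * as in the kernel (1UL << PAGE_SHIFT), with PAGE_SHIFT assumed to be 12. */
#define PAGE_SIZE ((uint64_t)1 << 12)
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Pre-patch shape: int parameter, int return. */
static int pages_int(int val, int unit)
{
	if (!val || (uint64_t)unit == PAGE_SIZE)
		return val;
	/* val * unit is converted to unsigned for the division; the cast
	 * back to int keeps only the low 32 bits of the quotient. */
	return (int)MAX(val * unit / PAGE_SIZE, (uint64_t)1);
}

/* Patched shape: long parameter, long return, same expression. */
static int64_t pages_long(int64_t val, int unit)
{
	if (!val || (uint64_t)unit == PAGE_SIZE)
		return val;
	/* Same unsigned division, but nothing truncates the result now. */
	return (int64_t)MAX(val * unit / PAGE_SIZE, (uint64_t)1);
}

/* Hypothetical sign-preserving variant: divide the magnitude, round a
 * non-zero sub-page update up to one page, then restore the sign. */
static int64_t pages_signed(int64_t val, int unit)
{
	uint64_t mag, pages;

	if (!val || (uint64_t)unit == PAGE_SIZE)
		return val;
	mag = val < 0 ? (uint64_t)0 - (uint64_t)val : (uint64_t)val;
	pages = MAX(mag * (uint64_t)unit / PAGE_SIZE, (uint64_t)1);
	return val < 0 ? -(int64_t)pages : (int64_t)pages;
}

int main(void)
{
	printf("int:    %d\n", pages_int(-16384, 1));
	printf("long:   %#llx\n", (unsigned long long)pages_long(-16384, 1));
	printf("signed: %lld\n", (long long)pages_signed(-16384, 1));
	return 0;
}
```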