Date: Thu, 26 Mar 2026 17:32:05 +0800
From: Qi Zheng
To: "Lorenzo Stoakes (Oracle)", akpm@linux-foundation.org
Cc: hannes@cmpxchg.org, hughd@google.com, mhocko@suse.com, roman.gushchin@linux.dev, shakeel.butt@linux.dev, muchun.song@linux.dev, david@kernel.org, ziy@nvidia.com, harry.yoo@oracle.com, yosry.ahmed@linux.dev, imran.f.khan@oracle.com, kamalesh.babulal@oracle.com, axelrasmussen@google.com, yuanchu@google.com, weixugc@google.com, chenridong@huaweicloud.com, mkoutny@suse.com, hamzamahfooz@linux.microsoft.com, apais@linux.microsoft.com, lance.yang@linux.dev, bhe@redhat.com, usamaarif642@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, "Harry Yoo (Oracle)", Qi Zheng
Subject: Re: [PATCH v2 4/4] mm: memcontrol: fix unexpected massive positive number in memcg_state_val_in_pages()
In-Reply-To: <54c2b09c-84f8-4118-96a6-acc13ca2f245@lucifer.local>

On 3/26/26 5:16 PM, Lorenzo Stoakes (Oracle) wrote:
> On Wed, Mar 25, 2026 at 10:13:25PM +0800, Qi Zheng wrote:
>> From: Qi Zheng
>>
>> In memcg_state_val_in_pages(), if the passed val is negative, the
>> expression val * unit / PAGE_SIZE could be implicitly converted to a
>> massive positive number when compared with 1UL in the max() macro.
>> This leads to returning an incorrect massive positive value.
>>
>> Fix this by using abs(val) to calculate the magnitude first, and then
>> restoring the sign of the value before returning the result. Additionally,
>> use mult_frac() to prevent potential overflow during the multiplication of
>> val and unit.
>>
>> Reported-by: Harry Yoo (Oracle)
>> Signed-off-by: Qi Zheng
>
> The logic is correct, but I think this needs rework for better
> understanding, and obviously this should be squashed into 2/4 as per
> Andrew.
>
> With the below change applied:
>
> Reviewed-by: Lorenzo Stoakes (Oracle)
>
>> ---
>> mm/memcontrol.c | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
>> index 04076a139dbe3..0c249255ebefb 100644
>> --- a/mm/memcontrol.c
>> +++ b/mm/memcontrol.c
>> @@ -787,11 +787,14 @@ static int memcg_page_state_unit(int item);
>> static long memcg_state_val_in_pages(int idx, long val)
>> {
>> int unit = memcg_page_state_unit(idx);
>> + long res;
>>
>> if (!val || unit == PAGE_SIZE)
>> return val;
>> - else
>> - return max(val * unit / PAGE_SIZE, 1UL);
>
> Hm this was already fairly horrid, because we're comparing an unsigned long
> value of 1 vs. a ULONG_MAX - abs(val) so this was intended to make 0 -> 1UL
> but not what you'd mathematically think this was which was to make negative
> values (logically < 1) -> 1.
>
> Of course before it was just broken and would promote (val * unit /
> PAGE_SIZE) to unsigned long first (thus massive number) and return that :)
>
>> +
>> + res = max(mult_frac(abs(val), unit, PAGE_SIZE), 1UL);
>
> This is way too compressed into one line and retains the confusing
> behaviour.
>
> Could we split this out and explain what we're doing (sign-extension,
> integer promotion and all of this stuff is confusing - so let's just accept
> that and spell it out):
>
>	/* Get the absolute value of (val * unit / PAGE_SIZE). */
>	res = mult_frac(abs(val), unit, PAGE_SIZE);
>	/* Round up zero values. */
>	res = res ?: 1;
>	/* Retain sign. */
>	return val < 0 ? -res : res;
>
> This is functionally identical, but a lot more readable, I think.

Make sense, I will update to v3.

If Andrew needs me to merge this patchset into
"[PATCH v6 00/33] Eliminate Dying Memory Cgroup" [1], then I will
develop and send v7.

[1]. https://lore.kernel.org/all/cover.1772711148.git.zhengqi.arch@bytedance.com/

Thanks,
Qi

>
>> +
>> + return val < 0 ? -res : res;
>> }
>>
>> #ifdef CONFIG_MEMCG_V1
>> --
>> 2.20.1
>>
>
> Cheers, Lorenzo
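
Review bot: on the added `res = max(mult_frac(abs(val), unit, PAGE_SIZE), 1UL);` line, a signed magnitude is still compared against the unsigned literal 1UL, so the result is right only because abs(val) has already removed the sign. A signed 1, or an explicit zero check on res, would drop the mixed-sign comparison, and a short comment should state that a nonzero value smaller than one page is rounded up to one page of magnitude. The line also assumes val is never LONG_MIN, whose magnitude does not fit in a long; worth a word in the comment if callers guarantee that.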
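
The promotion discussed in the review, reproduced in user space as an added example (not code from the patch or the kernel tree). It assumes 4 KiB pages with PAGE_SIZE typed unsigned long and a plain ternary max; MODEL_PAGE_SIZE, MODEL_MAX, pages_before and pages_after are hypothetical names, and the inputs are constructed.

```c
#include <stdio.h>

/* Assumptions of this model: 4 KiB pages, PAGE_SIZE typed unsigned long. */
#define MODEL_PAGE_SIZE 4096UL
/* Plain ternary max without type checks (hypothetical helper). */
#define MODEL_MAX(a, b) ((a) > (b) ? (a) : (b))

/* Pre-patch expression: unsigned operands pull val into unsigned long. */
static long pages_before(long val, int unit)
{
	if (!val || (unsigned long)unit == MODEL_PAGE_SIZE)
		return val;
	return (long)MODEL_MAX(val * unit / MODEL_PAGE_SIZE, 1UL);
}

/* Spelled-out form from the review: magnitude, round up zero, re-sign. */
static long pages_after(long val, int unit)
{
	const long page = (long)MODEL_PAGE_SIZE;
	long mag, res;

	if (!val || unit == page)
		return val;
	mag = val < 0 ? -val : val;	/* LONG_MIN is not handled in this model */
	/* Divide before multiplying, the way mult_frac() avoids overflow. */
	res = mag / page * unit + mag % page * unit / page;
	if (!res)
		res = 1;	/* nonzero sub-page magnitude counts as one page */
	return val < 0 ? -res : res;
}

int main(void)
{
	/* Constructed inputs: (val, unit) pairs, not taken from the thread. */
	const long in[][2] = { {-8192, 1}, {-100, 1}, {-2048, 1024}, {8192, 1} };

	for (unsigned i = 0; i < sizeof(in) / sizeof(in[0]); i++)
		printf("val=%ld unit=%ld before=%ld after=%ld\n", in[i][0],
		       in[i][1], pages_before(in[i][0], (int)in[i][1]),
		       pages_after(in[i][0], (int)in[i][1]));
	return 0;
}
```

For every negative input the pre-patch form returns a large positive count, while the spelled-out form returns the negated page count.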