From: SeongJae Park
To: SeongJae Park
Cc: Andrew Morton, "# 6.19.x", damon@lists.linux.dev, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: (sashiko review) [PATCH 2/2] mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp
Date: Sun, 29 Mar 2026 08:34:24 -0700
Message-ID: <20260329153425.47097-1-sj@kernel.org>
In-Reply-To: <20260329043902.46163-3-sj@kernel.org>
X-Mailing-List: stable@vger.kernel.org

Forwarding the Sashiko review for discussion via mail.

# review url: https://sashiko.dev/#/patchset/20260329043902.46163-3-sj@kernel.org

# start of sashiko.dev inline review

commit 1ede2d837f5cbf8e8d96fe4c6eab34aeaa071d56
Author: SeongJae Park

mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp

This commit adds validation for the node id in damos_get_node_memcg_used_bp() to prevent out-of-bounds memory access. If an invalid node id is provided, it now safely returns 0% for used memory and 100% for free memory.

> diff --git a/mm/damon/core.c b/mm/damon/core.c > index 26bdeb658799..c45c62f8449d 100644 > --- a/mm/damon/core.c > +++ b/mm/damon/core.c
> @@ -2273,6 +2273,13 @@ static unsigned long damos_get_node_memcg_used_bp( > unsigned long used_pages, numerator; > struct sysinfo i; > > + if (invalid_mem_node(goal->nid)) { > + if (goal->metric == DAMOS_QUOTA_NODE_MEMCG_USED_BP) > + return 0; > + else /* DAMOS_QUOTA_NODE_MEMCG_FREE_BP */ > + return 10000; > + } > + > memcg = mem_cgroup_get_from_id(goal->memcg_id); > if (!memcg) { > if (goal->metric == DAMOS_QUOTA_NODE_MEMCG_USED_BP) This isn't a bug introduced by this patch, but can the subtraction later in this function underflow? damos_get_node_memcg_used_bp() { ... else /* DAMOS_QUOTA_NODE_MEMCG_FREE_BP */ numerator = i.totalram - used_pages; ... } Since used_pages is fetched locklessly and i.totalram is the global managed pages count, could asynchronous rstat accounting lag or concurrent memory hot-remove operations cause used_pages to transiently exceed i.totalram? Also regarding the end of this function, is it possible for i.totalram to evaluate to 0 here? damos_get_node_memcg_used_bp() { ... return mult_frac(numerator, 10000, i.totalram); } If a node's memory is entirely reserved or concurrently offlined, si_meminfo_node() might set i.totalram to 0. If that happens, does mult_frac() execute an unchecked division by zero internally? Finally, does the mult_frac() macro overflow unsigned long on 32-bit architectures? The macro evaluates to q * n_ + r * n_ / d_, where r is numerator % i.totalram. On 32-bit systems, r is a 32-bit unsigned long. For nodes with more than ~1.7GB of RAM (where i.totalram exceeds ~429,496 pages), could r * 10000 silently overflow the 32-bit boundary and return a severely truncated value? # end of sashiko.dev inline review # review url: https://sashiko.dev/#/patchset/20260329043902.46163-3-sj@kernel.org # # hkml [1] generated a draft of this mail. 
It can be regenerated
# using below command:
#
# hkml patch sashiko_dev --for_forwarding \
#     20260329043902.46163-3-sj@kernel.org
#
# [1] https://github.com/sjp38/hackermail

Sent using hkml (https://github.com/sjp38/hackermail)
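Review bot: the new early return in damos_get_node_memcg_used_bp() turns an invalid goal->nid into a fixed reading of 0 (DAMOS_QUOTA_NODE_MEMCG_USED_BP) or 10000 (DAMOS_QUOTA_NODE_MEMCG_FREE_BP) on every evaluation without the misconfiguration being reported anywhere; consider rejecting an invalid nid at the point where the goal is accepted from the user and keeping this check only as a defensive fallback. A one-line comment above `if (invalid_mem_node(goal->nid)) {` stating why an invalid node is treated as 0% used / 100% free would also help, since the `if (!memcg)` branch just below branches on the same metric and a reader has to infer that both paths are meant to behave alike.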
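The 32-bit overflow and division-by-zero questions raised in the review above, as an added example that is not part of the original mail or of the kernel's code: mult_frac() is modelled with 32-bit unsigned long operands as on a 32-bit architecture, compared against a 64-bit-intermediate variant (a hypothetical helper, not a kernel API), and a zero totalram is guarded explicitly. All input values are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the kernel's mult_frac(x, n, d) with every operand a 32-bit
 * unsigned long, as on a 32-bit architecture. r * n is the product
 * the review asks about: it wraps at 2^32 before the division. */
static uint32_t mult_frac_ul32(uint32_t x, uint32_t n, uint32_t d)
{
    uint32_t q = x / d;
    uint32_t r = x % d;
    return q * n + r * n / d;
}

/* Hypothetical wide variant (not kernel code): same formula with a
 * 64-bit intermediate, so r * n cannot wrap for 32-bit inputs. */
static uint32_t mult_frac_wide(uint32_t x, uint32_t n, uint32_t d)
{
    uint64_t q = x / d;
    uint64_t r = x % d;
    return (uint32_t)(q * n + r * n / d);
}

/* Basis points as at the end of damos_get_node_memcg_used_bp():
 * numerator pages out of totalram pages, scaled to 10000.
 * Returns -1 instead of dividing when totalram is 0. */
static int64_t node_bp_32bit(uint32_t numerator, uint32_t totalram)
{
    if (totalram == 0)
        return -1;
    return mult_frac_ul32(numerator, 10000, totalram);
}

/* Smallest remainder r for which r * 10000 no longer fits in 32 bits. */
static uint32_t overflow_threshold_pages(void)
{
    return (uint32_t)(UINT32_MAX / 10000) + 1;  /* 429497 pages */
}

/* True when the 32-bit macro and the wide computation disagree, i.e.
 * the truncation described in the review happens for this input. */
static bool truncates(uint32_t numerator, uint32_t totalram)
{
    return mult_frac_ul32(numerator, 10000, totalram) !=
           mult_frac_wide(numerator, 10000, totalram);
}

int main(void)
{
    /* Constructed node: 1,048,576 pages (4 GB of 4 KiB pages), half used. */
    uint32_t total = 1048576, used = 524288;
    printf("32-bit: %lld bp, wide: %u bp, threshold: %u pages\n",
           (long long)node_bp_32bit(used, total),
           mult_frac_wide(used, 10000, total), overflow_threshold_pages());
    return 0;
}
```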