From nobody Sun May 24 20:33:08 2026 Received: from out-170.mta1.migadu.com (out-170.mta1.migadu.com [95.215.58.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D6B2D215F42 for ; Thu, 21 May 2026 22:38:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779403101; cv=none; b=DYtAn9SbNKOr5VMc8sciFAlaPzWrh0ToIoXHoPBpsDYC3LsiJrKtufQhFxWWQD0rzlckunR7nfW/AYSLMWwuV2H4xNANKT8I15yBPSZUe7w9Pfw3TcYE2m9q87le6iBcVu4gKgLS1XP0OwMLtJ2b87gKQQfTCp02giC2KZAYXBU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779403101; c=relaxed/simple; bh=cjoM5LSmWQBwTgtLHebSs5jQ0kPflzmMH4iiNReCfBs=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=KuD/5H97/dVS6Yo68IhO5B8kks13qUawdWIkP1L2t+b/9mqQtCCGpTTrxYEXPQocpRJRzAkm4q00AV1Gj9aJG/kPRSU202RerCEi3Nm0XNAa9HpGpsICp/PJbfHqLwgysjoZFfobebyNjhzZ/ty83XZapwdPETxE1maB4/kJPBc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=v9g1XUQp; arc=none smtp.client-ip=95.215.58.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="v9g1XUQp" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1779403096; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=tUi5+SVB2s9OC9ZFGLX4sLcZOUGZkUOYCUsvpkjnlcM=; b=v9g1XUQp0LjMCL5Wl+pmKwYTOD40EbXI0cC8p0Hy5ftbqmMQR7n+LPH2sK7JHitDRO9Ash pjlzVYFAkEAw4trzcwLdI+efv+bkiEua81mve2flffuu9mXyR5TnAtupzahMU/8vGoKNNg GjpSLF2YLa61lwDpo4H6YlePn7/Z4Uw= From: Shakeel Butt To: Andrew Morton Cc: Johannes Weiner , Michal Hocko , Roman Gushchin , Muchun Song , Harry Yoo , Meta kernel team , linux-mm@kvack.org, cgroups@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] memcg: use round-robin victim selection in refill_stock Date: Thu, 21 May 2026 15:37:51 -0700 Message-ID: <20260521223751.3794625-1-shakeel.butt@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" Harry Yoo reported that get_random_u32_below() is not safe to call in the nmi context and memcg charge draining can happen in nmi context. More specifically get_random_u32_below() is neither reentrant- nor NMI-safe: it acquires a per-cpu local_lock via local_lock_irqsave() on the batched_entropy_u32 state. An NMI that lands on a CPU mid-update of the ChaCha batch state and recurses into the random subsystem would corrupt that state. The memcg_stock local_trylock prevents re-entry on the percpu stock itself, but cannot protect an unrelated subsystem's per-cpu lock. Replace the random pick with a per-cpu round-robin counter stored in memcg_stock_pcp and serialized by the same local_trylock that already guards cached[] and nr_pages[]. No atomics, no random calls, no extra locks needed. Fixes: f735eebe55f8f ("memcg: multi-memcg percpu charge cache") Reported-by: Harry Yoo Closes: https://lore.kernel.org/4e20f643-6983-4b6e-b12d-c6c4eb20ae0c@kernel= .org/ Signed-off-by: Shakeel Butt Acked-by: Harry Yoo (Oracle) --- mm/memcontrol.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 0eb50e639f0a..6392a2704441 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -2031,6 +2031,7 @@ struct memcg_stock_pcp { =20 struct work_struct work; unsigned long flags; + uint8_t drain_idx; }; =20 static DEFINE_PER_CPU_ALIGNED(struct memcg_stock_pcp, memcg_stock) =3D { @@ -2214,7 +2215,9 @@ static void refill_stock(struct mem_cgroup *memcg, un= signed int nr_pages) if (!success) { i =3D empty_slot; if (i =3D=3D -1) { - i =3D get_random_u32_below(NR_MEMCG_STOCK); + i =3D stock->drain_idx++; + if (stock->drain_idx =3D=3D NR_MEMCG_STOCK) + stock->drain_idx =3D 0; drain_stock(stock, i); } css_get(&memcg->css); --=20 2.53.0-Meta