The MGLRU already supports reclaiming only from anonymous memory
via the /sys/kernel/debug/lru_gen interface. Now, memory.reclaim
also supports the swappiness=max parameter to enable reclaiming
solely from anonymous memory. To unify the semantics of proactive
reclaiming from anonymous folios, the max parameter is introduced.
Additionally, the use of SWAPPINESS_ANON_ONLY in place of
'MAX_SWAPPINESS + 1' improves code clarity and makes the intention
more explicit.
Signed-off-by: Zhongkun He <hezhongkun.hzk@bytedance.com>
---
Documentation/admin-guide/mm/multigen_lru.rst | 5 ++--
mm/vmscan.c | 26 ++++++++++++++-----
2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/Documentation/admin-guide/mm/multigen_lru.rst b/Documentation/admin-guide/mm/multigen_lru.rst
index 33e068830497..9cb54b4ff5d9 100644
--- a/Documentation/admin-guide/mm/multigen_lru.rst
+++ b/Documentation/admin-guide/mm/multigen_lru.rst
@@ -151,8 +151,9 @@ generations less than or equal to ``min_gen_nr``.
``min_gen_nr`` should be less than ``max_gen_nr-1``, since
``max_gen_nr`` and ``max_gen_nr-1`` are not fully aged (equivalent to
the active list) and therefore cannot be evicted. ``swappiness``
-overrides the default value in ``/proc/sys/vm/swappiness``.
-``nr_to_reclaim`` limits the number of pages to evict.
+overrides the default value in ``/proc/sys/vm/swappiness`` and the valid
+range is [0-200, max], with max being exclusively used for the reclamation
+of anonymous memory. ``nr_to_reclaim`` limits the number of pages to evict.
A typical use case is that a job scheduler runs this command before it
tries to land a new job on a server. If it fails to materialize enough
diff --git a/mm/vmscan.c b/mm/vmscan.c
index c99a6a48d0bc..18a175752b57 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -2697,8 +2697,11 @@ static bool should_clear_pmd_young(void)
READ_ONCE((lruvec)->lrugen.min_seq[LRU_GEN_FILE]), \
}
+#define max_evictable_type(swappiness) \
+ ((swappiness) != SWAPPINESS_ANON_ONLY)
+
#define evictable_min_seq(min_seq, swappiness) \
- min((min_seq)[!(swappiness)], (min_seq)[(swappiness) <= MAX_SWAPPINESS])
+ min((min_seq)[!(swappiness)], (min_seq)[max_evictable_type(swappiness)])
#define for_each_gen_type_zone(gen, type, zone) \
for ((gen) = 0; (gen) < MAX_NR_GENS; (gen)++) \
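Review bot: `max_evictable_type()` evaluates to 1 for every value other than `SWAPPINESS_ANON_ONLY`, whereas the old `(swappiness) <= MAX_SWAPPINESS` test treated any value above `MAX_SWAPPINESS` as anon-only, so the macro is now only correct if no caller passes a swappiness larger than `SWAPPINESS_ANON_ONLY`. The same narrowing applies to `for_each_evictable_type()` in the next hunk and to the `type ? ... : ...` check in `inc_min_seq()`. `run_cmd()` bails out on larger values coming from debugfs, but the other callers are outside this diff, so the assumption should be written down above the macro, e.g. `/* swappiness must be within [MIN_SWAPPINESS, SWAPPINESS_ANON_ONLY]; yields the highest evictable type index */`.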
@@ -2706,7 +2709,7 @@ static bool should_clear_pmd_young(void)
for ((zone) = 0; (zone) < MAX_NR_ZONES; (zone)++)
#define for_each_evictable_type(type, swappiness) \
- for ((type) = !(swappiness); (type) <= ((swappiness) <= MAX_SWAPPINESS); (type)++)
+ for ((type) = !(swappiness); (type) <= max_evictable_type(swappiness); (type)++)
#define get_memcg_gen(seq) ((seq) % MEMCG_NR_GENS)
#define get_memcg_bin(bin) ((bin) % MEMCG_NR_BINS)
@@ -3857,7 +3860,7 @@ static bool inc_min_seq(struct lruvec *lruvec, int type, int swappiness)
int hist = lru_hist_from_seq(lrugen->min_seq[type]);
int new_gen, old_gen = lru_gen_from_seq(lrugen->min_seq[type]);
- if (type ? swappiness > MAX_SWAPPINESS : !swappiness)
+ if (type ? (swappiness == SWAPPINESS_ANON_ONLY) : !swappiness)
goto done;
/* prevent cold/hot inversion if the type is evictable */
@@ -5523,7 +5526,7 @@ static int run_cmd(char cmd, int memcg_id, int nid, unsigned long seq,
if (swappiness < MIN_SWAPPINESS)
swappiness = get_swappiness(lruvec, sc);
- else if (swappiness > MAX_SWAPPINESS + 1)
+ else if (swappiness > SWAPPINESS_ANON_ONLY)
goto done;
switch (cmd) {
@@ -5580,7 +5583,7 @@ static ssize_t lru_gen_seq_write(struct file *file, const char __user *src,
while ((cur = strsep(&next, ",;\n"))) {
int n;
int end;
- char cmd;
+ char cmd, swap_string[5];
unsigned int memcg_id;
unsigned int nid;
unsigned long seq;
@@ -5591,13 +5594,22 @@ static ssize_t lru_gen_seq_write(struct file *file, const char __user *src,
if (!*cur)
continue;
- n = sscanf(cur, "%c %u %u %lu %n %u %n %lu %n", &cmd, &memcg_id, &nid,
- &seq, &end, &swappiness, &end, &opt, &end);
+ n = sscanf(cur, "%c %u %u %lu %n %4s %n %lu %n", &cmd, &memcg_id, &nid,
+ &seq, &end, swap_string, &end, &opt, &end);
if (n < 4 || cur[end]) {
err = -EINVAL;
break;
}
+ /* set by userspace for anonymous memory only */
+ if (!strncmp("max", swap_string, sizeof("max"))) {
+ swappiness = SWAPPINESS_ANON_ONLY;
+ } else {
+ err = kstrtouint(swap_string, 0, &swappiness);
+ if (err)
+ break;
+ }
+
err = run_cmd(cmd, memcg_id, nid, seq, &sc, swappiness, opt);
if (err)
break;
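Review bot: `swap_string` is read even when the written line omits the swappiness field: `n < 4` still accepts a line on which only the four leading conversions matched, and then sscanf() never stores into `swap_string`, so `strncmp()` and `kstrtouint()` run on uninitialised stack bytes that need not be NUL-terminated. A command that previously fell back to the default swappiness would then likely fail or pick up an arbitrary value; the declaration of `swappiness` and the rest of `lru_gen_seq_write()` are outside the hunk, so the exact outcome cannot be confirmed from here. Parse the token only when it was converted, e.g. wrap the new block in `if (n > 4) {` ... `}`, or declare the buffer as `swap_string[5] = ""` in the previous hunk and skip an empty token. Separately, `kstrtouint(swap_string, 0, ...)` accepts octal and hex prefixes that the old `%u` conversion did not, so `010` now means 8; passing base `10` keeps the old input grammar.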
--
2.39.5
On Wed, Apr 09, 2025 at 03:06:19PM +0800, Zhongkun He wrote:
> + /* set by userspace for anonymous memory only */
> + if (!strncmp("max", swap_string, sizeof("max"))) {
This pattern of strncmp("foo", str, sizeof("foo")) is exactly the same
as strcmp(). It doesn't provide any additional security. The strncmp()
function is meant for matching string prefixes and it's a relatively
common bug to do this:
intended: if (strncmp(string, "prefix", sizeof("prefix") - 1) == 0) {
actual: if (strncmp(string, "prefix", sizeof("prefix")) == 0) {
I have a static checker warning for these:
https://lore.kernel.org/all/30210ed77b40b4b6629de659cb56b9ec7832c447.1744452787.git.dan.carpenter@linaro.org/
If people deliberately misuse the function then it makes it trickier
to tell accidental mistakes from deliberate mistakes.
regards,
dan carpenter
Hi Dan
On Wed, Apr 30, 2025 at 3:59 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> On Wed, Apr 09, 2025 at 03:06:19PM +0800, Zhongkun He wrote:
> > + /* set by userspace for anonymous memory only */
> > + if (!strncmp("max", swap_string, sizeof("max"))) {
>
> This pattern of strncmp("foo", str, sizeof("foo")) is exactly the same
> as strcmp(). It doesn't provide any additional security. The strncmp()
> function is meant for matching string prefixes and it's a relatively
> common bug to do this:
>
> intended: if (strcmp(string, "prefix", sizeof("prefix") - 1) == 0) {
> actual: if (strcmp(string, "prefix", sizeof("prefix")) == 0) {
>
Yes, I understand the difference.
> I have a static checker warning for these:
> https://lore.kernel.org/all/30210ed77b40b4b6629de659cb56b9ec7832c447.1744452787.git.dan.carpenter@linaro.org/
>
> If people deliberately misuse the function then it makes it trickier
> to tell accidental mistakes from deliberate mistakes.
>
if (!strncmp("max", swap_string, sizeof("max"))) {
The length of swap_string is 5 because it's read using sscanf, which
will add the null terminator \0
at the end of the string. If we input max into the interface,
swap_string will contain max\0, which is
equivalent to the string "max". Since we only need to compare the
first few characters(There are other
possible inputs as well.) — effectively treating it as a prefix match
— I used strncmp.
Thank you for the reminder, Dan.
> regards,
> dan carpenter
>
On Thu, May 01, 2025 at 09:56:57AM +0800, Zhongkun He wrote:
> Hi Dan
>
> On Wed, Apr 30, 2025 at 3:59 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
> >
> > On Wed, Apr 09, 2025 at 03:06:19PM +0800, Zhongkun He wrote:
> > > + /* set by userspace for anonymous memory only */
> > > + if (!strncmp("max", swap_string, sizeof("max"))) {
> >
> > This pattern of strncmp("foo", str, sizeof("foo")) is exactly the same
> > as strcmp(). It doesn't provide any additional security. The strncmp()
> > function is meant for matching string prefixes and it's a relatively
> > common bug to do this:
> >
> > intended: if (strcmp(string, "prefix", sizeof("prefix") - 1) == 0) {
> > actual: if (strcmp(string, "prefix", sizeof("prefix")) == 0) {
> >
>
> Yes, I understand the difference.
>
> > I have a static checker warning for these:
> > https://lore.kernel.org/all/30210ed77b40b4b6629de659cb56b9ec7832c447.1744452787.git.dan.carpenter@linaro.org/
> >
> > If people deliberately misuse the function then it makes it trickier
> > to tell accidental mistakes from deliberate mistakes.
> >
>
> if (!strncmp("max", swap_string, sizeof("max"))) {
>
> The length of swap_string is 5 because it's read using sscanf, which
> will add the null terminator \0
> at the end of the string. If we input max into the interface,
> swap_string will contain max\0, which is
> equivalent to the string "max". Since we only need to compare the
> first few characters(There are other
> possible inputs as well.) — effectively treating it as a prefix match
> — I used strncmp.
I'm not sure I understand. You say you are treating it as a "prefix
match", but sizeof("max") is 4 so this is not treated as a prefix. Did
you mean to write strlen("max") which does not include the NUL
terminator?
regards,
dan carpenter
On Fri, May 2, 2025 at 2:59 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> On Thu, May 01, 2025 at 09:56:57AM +0800, Zhongkun He wrote:
> > Hi Dan
> >
> > On Wed, Apr 30, 2025 at 3:59 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
> > >
> > > On Wed, Apr 09, 2025 at 03:06:19PM +0800, Zhongkun He wrote:
> > > > + /* set by userspace for anonymous memory only */
> > > > + if (!strncmp("max", swap_string, sizeof("max"))) {
> > >
> > > This pattern of strncmp("foo", str, sizeof("foo")) is exactly the same
> > > as strcmp(). It doesn't provide any additional security. The strncmp()
> > > function is meant for matching string prefixes and it's a relatively
> > > common bug to do this:
> > >
> > > intended: if (strcmp(string, "prefix", sizeof("prefix") - 1) == 0) {
> > > actual: if (strcmp(string, "prefix", sizeof("prefix")) == 0) {
> > >
> >
> > Yes, I understand the difference.
> >
> > > I have a static checker warning for these:
> > > https://lore.kernel.org/all/30210ed77b40b4b6629de659cb56b9ec7832c447.1744452787.git.dan.carpenter@linaro.org/
> > >
> > > If people deliberately misuse the function then it makes it trickier
> > > to tell accidental mistakes from deliberate mistakes.
> > >
> >
> > if (!strncmp("max", swap_string, sizeof("max"))) {
> >
> > The length of swap_string is 5 because it's read using sscanf, which
> > will add the null terminator \0
> > at the end of the string. If we input max into the interface,
> > swap_string will contain max\0, which is
> > equivalent to the string "max". Since we only need to compare the
> > first few characters(There are other
> > possible inputs as well.) — effectively treating it as a prefix match
> > — I used strncmp.
>
> I'm a not sure I understand. You say you are treating it as a "prefix
> match", but sizeof("max") is 4 so this is not treated as a prefix. Did
> you mean to write strlen("max") which does not include the NUL
> terminator?
>
Hi Dan, sorry for the late reply.
I agree with you that we should use strncmp for prefix matches
and I will update it later.
Thanks.
> regards,
> dan carpenter
>
>
On Wed, 9 Apr 2025 15:06:19 +0800 Zhongkun He <hezhongkun.hzk@bytedance.com> wrote:
> The MGLRU
paging yuzhao?
> already supports reclaiming only from anonymous memory
> via the /sys/kernel/debug/lru_gen interface. Now, memory.reclaim
> also supports the swappiness=max parameter to enable reclaiming
> solely from anonymous memory. To unify the semantics of proactive
> reclaiming from anonymous folios, the max parameter is introduced.
>
> Additionally, the use of SWAPPINESS_ANON_ONLY in place of
> 'MAX_SWAPPINESS + 1' improves code clarity and makes the intention
> more explicit.
>
> --- a/mm/vmscan.c
> +++ b/mm/vmscan.c
> @@ -2697,8 +2697,11 @@ static bool should_clear_pmd_young(void)
> READ_ONCE((lruvec)->lrugen.min_seq[LRU_GEN_FILE]), \
> }
>
> +#define max_evictable_type(swappiness) \
> + ((swappiness) != SWAPPINESS_ANON_ONLY)
> +
> #define evictable_min_seq(min_seq, swappiness) \
> - min((min_seq)[!(swappiness)], (min_seq)[(swappiness) <= MAX_SWAPPINESS])
> + min((min_seq)[!(swappiness)], (min_seq)[max_evictable_type(swappiness)])
Why oh why did we implement these in cpp?
>
> @@ -3857,7 +3860,7 @@ static bool inc_min_seq(struct lruvec *lruvec, int type, int swappiness)
> int hist = lru_hist_from_seq(lrugen->min_seq[type]);
> int new_gen, old_gen = lru_gen_from_seq(lrugen->min_seq[type]);
>
> - if (type ? swappiness > MAX_SWAPPINESS : !swappiness)
> + if (type ? (swappiness == SWAPPINESS_ANON_ONLY) : !swappiness)
This expression makes my brain bleed.
if (type) {
if (swappiness == SWAPPINESS_ANON_ONLY) {
/*
* Nice comment explaining why we're doing this
*/
goto done;;
}
} else {
if (!swappiness) {
/*
* Nice comment explaining why we're doing this
*/
goto done;
}
}
or
if (type && (swappiness == SWAPPINESS_ANON_ONLY)) {
/*
* Nice comment explaining why we're doing this
*/
goto done;
}
if (!type && !swappiness) {
/*
* Nice comment explaining why we're doing this
*/
goto done;
}
It's much more verbose, but it has the huge advantage that it creates
locations where we can add comments which tell readers what's going on.
Which is pretty important, no?
> goto done;
>
> /* prevent cold/hot inversion if the type is evictable */
> @@ -5523,7 +5526,7 @@ static int run_cmd(char cmd, int memcg_id, int nid, unsigned long seq,
>
> if (swappiness < MIN_SWAPPINESS)
> swappiness = get_swappiness(lruvec, sc);
> - else if (swappiness > MAX_SWAPPINESS + 1)
> + else if (swappiness > SWAPPINESS_ANON_ONLY)
> goto done;
>
> switch (cmd) {
> @@ -5580,7 +5583,7 @@ static ssize_t lru_gen_seq_write(struct file *file, const char __user *src,
> while ((cur = strsep(&next, ",;\n"))) {
> int n;
> int end;
> - char cmd;
> + char cmd, swap_string[5];
> unsigned int memcg_id;
> unsigned int nid;
> unsigned long seq;
> @@ -5591,13 +5594,22 @@ static ssize_t lru_gen_seq_write(struct file *file, const char __user *src,
> if (!*cur)
> continue;
>
> - n = sscanf(cur, "%c %u %u %lu %n %u %n %lu %n", &cmd, &memcg_id, &nid,
> - &seq, &end, &swappiness, &end, &opt, &end);
> + n = sscanf(cur, "%c %u %u %lu %n %4s %n %lu %n", &cmd, &memcg_id, &nid,
> + &seq, &end, swap_string, &end, &opt, &end);
Permits userspace to easily overrun swap_string[]. OK, it's root-only,
but still, why permit this?
> if (n < 4 || cur[end]) {
> err = -EINVAL;
> break;
> }
>
> + /* set by userspace for anonymous memory only */
> + if (!strncmp("max", swap_string, sizeof("max"))) {
Can sscanf() give us a non null-terminated string?
> + swappiness = SWAPPINESS_ANON_ONLY;
> + } else {
> + err = kstrtouint(swap_string, 0, &swappiness);
> + if (err)
> + break;
> + }
> +
> err = run_cmd(cmd, memcg_id, nid, seq, &sc, swappiness, opt);
> if (err)
> break;
On Thu, Apr 10, 2025 at 10:10 AM Andrew Morton
<akpm@linux-foundation.org> wrote:
>
> On Wed, 9 Apr 2025 15:06:19 +0800 Zhongkun He <hezhongkun.hzk@bytedance.com> wrote:
>
> > The MGLRU
>
> paging yuzhao?
I have cc yuzhao and look forward to the relay.
>
> > already supports reclaiming only from anonymous memory
> > via the /sys/kernel/debug/lru_gen interface. Now, memory.reclaim
> > also supports the swappiness=max parameter to enable reclaiming
> > solely from anonymous memory. To unify the semantics of proactive
> > reclaiming from anonymous folios, the max parameter is introduced.
> >
> > Additionally, the use of SWAPPINESS_ANON_ONLY in place of
> > 'MAX_SWAPPINESS + 1' improves code clarity and makes the intention
> > more explicit.
> >
> > --- a/mm/vmscan.c
> > +++ b/mm/vmscan.c
> > @@ -2697,8 +2697,11 @@ static bool should_clear_pmd_young(void)
> > READ_ONCE((lruvec)->lrugen.min_seq[LRU_GEN_FILE]), \
> > }
> >
> > +#define max_evictable_type(swappiness) \
> > + ((swappiness) != SWAPPINESS_ANON_ONLY)
> > +
> > #define evictable_min_seq(min_seq, swappiness) \
> > - min((min_seq)[!(swappiness)], (min_seq)[(swappiness) <= MAX_SWAPPINESS])
> > + min((min_seq)[!(swappiness)], (min_seq)[max_evictable_type(swappiness)])
>
> Why oh why did we implement these in cpp?
Just want to make the code more clear. Maybe we should do more like this
/* The range of swappiness is [0,1-200,201], 0 means file type only;
* 1-200 anon and file type; 201 anon type only
*/
#define max_type(swappiness) ((swappiness) != SWAPPINESS_ANON_ONLY)
#define min_type(swappiness) !(swappiness)
#define evictable_min_seq(min_seq, swappiness) \
min((min_seq)[min_type(swappiness)], (min_seq)[max_type(swappiness)])
#define for_each_evictable_type(type, swappiness) \
- for ((type) = !(swappiness); (type) <= ((swappiness) <=
MAX_SWAPPINESS); (type)++)
+ for ((type) = min_type(swappiness) ; (type) <=
max_type(swappiness); (type)++)
>
> >
> > @@ -3857,7 +3860,7 @@ static bool inc_min_seq(struct lruvec *lruvec, int type, int swappiness)
> > int hist = lru_hist_from_seq(lrugen->min_seq[type]);
> > int new_gen, old_gen = lru_gen_from_seq(lrugen->min_seq[type]);
> >
> > - if (type ? swappiness > MAX_SWAPPINESS : !swappiness)
> > + if (type ? (swappiness == SWAPPINESS_ANON_ONLY) : !swappiness)
>
> This expression makes my brain bleed.
>
> if (type) {
> if (swappiness == SWAPPINESS_ANON_ONLY) {
> /*
> * Nice comment explaining why we're doing this
> */
> goto done;;
> }
> } else {
> if (!swappiness) {
> /*
> * Nice comment explaining why we're doing this
> */
> goto done;
> }
> }
>
> or
>
> if (type && (swappiness == SWAPPINESS_ANON_ONLY)) {
> /*
> * Nice comment explaining why we're doing this
> */
> goto done;
> }
>
> if (!type && !swappiness) {
> /*
> * Nice comment explaining why we're doing this
> */
> goto done;
> }
>
> It's much more verbose, but it has the huge advantage that it creates
> locations where we can add comments which tell readers what's going on.
> Which is pretty important, no?
>
Yes, I agree. Will do, thanks.
> > goto done;
> >
> > /* prevent cold/hot inversion if the type is evictable */
> > @@ -5523,7 +5526,7 @@ static int run_cmd(char cmd, int memcg_id, int nid, unsigned long seq,
> >
> > if (swappiness < MIN_SWAPPINESS)
> > swappiness = get_swappiness(lruvec, sc);
> > - else if (swappiness > MAX_SWAPPINESS + 1)
> > + else if (swappiness > SWAPPINESS_ANON_ONLY)
> > goto done;
> >
> > switch (cmd) {
> > @@ -5580,7 +5583,7 @@ static ssize_t lru_gen_seq_write(struct file *file, const char __user *src,
> > while ((cur = strsep(&next, ",;\n"))) {
> > int n;
> > int end;
> > - char cmd;
> > + char cmd, swap_string[5];
> > unsigned int memcg_id;
> > unsigned int nid;
> > unsigned long seq;
> > @@ -5591,13 +5594,22 @@ static ssize_t lru_gen_seq_write(struct file *file, const char __user *src,
> > if (!*cur)
> > continue;
> >
> > - n = sscanf(cur, "%c %u %u %lu %n %u %n %lu %n", &cmd, &memcg_id, &nid,
> > - &seq, &end, &swappiness, &end, &opt, &end);
> > + n = sscanf(cur, "%c %u %u %lu %n %4s %n %lu %n", &cmd, &memcg_id, &nid,
> > + &seq, &end, swap_string, &end, &opt, &end);
>
> Permits userspace to easily overrun swap_string[]. OK, it's root-only,
> but still, why permit this?
>
IIUC, the sscanf() format uses %4s, so at most four characters are
stored and the string cannot overrun swap_string, thanks.
> > if (n < 4 || cur[end]) {
> > err = -EINVAL;
> > break;
> > }
> >
> > + /* set by userspace for anonymous memory only */
> > + if (!strncmp("max", swap_string, sizeof("max"))) {
>
> Can sscanf() give us a non null-terminated string?
>
No, the sscanf will add '\0' to the end, so the maximum number of
input characters is 4,
and the length of swap_string is 5, with one character reserved for
the null terminator '\0'
for sscanf.
Thanks for your time.
> > + swappiness = SWAPPINESS_ANON_ONLY;
> > + } else {
> > + err = kstrtouint(swap_string, 0, &swappiness);
> > + if (err)
> > + break;
> > + }
> > +
> > err = run_cmd(cmd, memcg_id, nid, seq, &sc, swappiness, opt);
> > if (err)
> > break;
>