From nobody Fri Apr  3 03:01:57 2026
Received: from out-179.mta0.migadu.com (out-179.mta0.migadu.com
 [91.218.175.179])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8175C3CF690
	for <linux-kernel@vger.kernel.org>; Wed, 25 Mar 2026 14:14:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=91.218.175.179
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774448085; cv=none;
 b=f/fwJwzMK2PVHXUb94gwppQuQgSdlEFwPt/tdTs87otoarTtCKmNUF3q1BHKOeuUNncRWRUr56wgXK68DFrnZ4mH8ymIZ0VQYynmH/wd29JSHXa5D6KzwXEbxeXMUkk22Jjf8rKtrLW1zPRbqfA0xLbf2WaHMJyX+/LTSjZ6UB4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774448085; c=relaxed/simple;
	bh=RBr0GG8xIGT4fesfFWwXpgueLgDhL/RIVQ/ES9sL00I=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=S1fBLQtSjw3/epEDawlUkq9WvuTHMxvET3SbkqtZhUcG2t4QqjrGCVJoM0yNnxtKnKUbcWD1NON1xoewWmNvOdIisivrIdMYRZgIAsoR7zh/NMOrKh2l2TjavMacOent9Ju4+jfXmw/yrYL31dR2MFNvP/i7nW4kn/jvkE3BgrY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linux.dev;
 spf=pass smtp.mailfrom=linux.dev;
 dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev
 header.b=IfW4H6mh; arc=none smtp.client-ip=91.218.175.179
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linux.dev
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=linux.dev
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev
 header.b="IfW4H6mh"
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and
 include these headers.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
	t=1774448082;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=GfBsoDL0TdJCX01wAdt/UD4xIx2OOwlMqUeevckOt8M=;
	b=IfW4H6mhNJCubVgaXAbZu9//dP2m8TqmdlOA07BDlu2eFkZzJDy4Z89jxVfVbR/1/gMIl9
	zCYGnGFEchRelxAFRAOxy44bDZK5T6Ehs3pLozBWFivDbUClgmIWGyFoa6McxTimHmRfMc
	Ud3mYvlHZBeL6mnT4hpLIGoiLDdSTDU=
From: Qi Zheng <qi.zheng@linux.dev>
To: hannes@cmpxchg.org,
	hughd@google.com,
	mhocko@suse.com,
	roman.gushchin@linux.dev,
	shakeel.butt@linux.dev,
	muchun.song@linux.dev,
	david@kernel.org,
	ljs@kernel.org,
	ziy@nvidia.com,
	harry.yoo@oracle.com,
	yosry.ahmed@linux.dev,
	imran.f.khan@oracle.com,
	kamalesh.babulal@oracle.com,
	axelrasmussen@google.com,
	yuanchu@google.com,
	weixugc@google.com,
	chenridong@huaweicloud.com,
	mkoutny@suse.com,
	akpm@linux-foundation.org,
	hamzamahfooz@linux.microsoft.com,
	apais@linux.microsoft.com,
	lance.yang@linux.dev,
	bhe@redhat.com,
	usamaarif642@gmail.com
Cc: linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	Qi Zheng <zhengqi.arch@bytedance.com>,
	"Harry Yoo (Oracle)" <harry@kernel.org>
Subject: [PATCH v2 4/4] mm: memcontrol: fix unexpected massive positive number
 in memcg_state_val_in_pages()
Date: Wed, 25 Mar 2026 22:13:25 +0800
Message-ID: 
 <e19052a28a7b604c012bfdfc900fd09543976284.1774447069.git.zhengqi.arch@bytedance.com>
In-Reply-To: <cover.1774447069.git.zhengqi.arch@bytedance.com>
References: <cover.1774447069.git.zhengqi.arch@bytedance.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Migadu-Flow: FLOW_OUT
Content-Type: text/plain; charset="utf-8"

From: Qi Zheng <zhengqi.arch@bytedance.com>

In memcg_state_val_in_pages(), if the passed val is negative, the
expression val * unit / PAGE_SIZE could be implicitly converted to a
massive positive number when compared with 1UL in the max() macro.
This leads to returning an incorrect massive positive value.

Fix this by using abs(val) to calculate the magnitude first, and then
restoring the sign of the value before returning the result. Additionally,
use mult_frac() to prevent potential overflow during the multiplication of
val and unit.

Reported-by: Harry Yoo (Oracle) <harry@kernel.org>
Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
Reviewed-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
---
 mm/memcontrol.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 04076a139dbe3..0c249255ebefb 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -787,11 +787,14 @@ static int memcg_page_state_unit(int item);
 static long memcg_state_val_in_pages(int idx, long val)
 {
 	int unit =3D memcg_page_state_unit(idx);
+	long res;
=20
 	if (!val || unit =3D=3D PAGE_SIZE)
 		return val;
-	else
-		return max(val * unit / PAGE_SIZE, 1UL);
+
+	res =3D max(mult_frac(abs(val), unit, PAGE_SIZE), 1UL);
+
+	return val < 0 ? -res : res;
 }
=20
 #ifdef CONFIG_MEMCG_V1
--=20
2.20.1