Re: (sashiko review) [RFC PATCH v5.1 03/11] mm/damon/core: introduce failed region quota charge ratio
From: SeongJae Park
Date: Sat Apr 11 2026 - 14:06:09 EST
TL; DR: sashiko found no blocker for this patch.
Forwarding full sashiko review in a reply format with my inline comments below,
for sharing details of my view and doing followup discussions via mails if
needed.
> # review url: https://sashiko.dev/#/patchset/20260411164908.77189-4-sj@xxxxxxxxxx
> # start of sashiko.dev inline review
> commit cb228850cc3bb33cac86cdc674c79e2557af28a8
> Author: SeongJae Park <sj@xxxxxxxxxx>
>
> mm/damon/core: introduce failed region quota charge ratio
>
> This commit introduces a DAMON core API to set the charge ratio for
> action-failed memory. It allows API callers to specify the ratio flexibly
> using a numerator and denominator to avoid charging failed memory the same
> as successfully applied memory.
>
> > diff --git a/mm/damon/core.c b/mm/damon/core.c
> > index d04a107df7cfa..3398faeaa4350 100644
> > --- a/mm/damon/core.c
> > +++ b/mm/damon/core.c
>
> [ ... ]
>
> > @@ -2041,6 +2043,23 @@ static void damos_walk_cancel(struct damon_ctx *ctx)
> > mutex_unlock(&ctx->walk_control_lock);
> > }
> >
> > +static void damos_charge_quota(struct damos_quota *quota,
> > + unsigned long sz_region, unsigned long sz_applied)
> > +{
> > + /*
> > + * sz_applied could be bigger than sz_region, depending on ops
> > + * implementation of the action, e.g., damos_pa_pageout(). Charge only
> > + * the region size in the case.
> > + */
> > + if (!quota->fail_charge_denom || sz_applied > sz_region)
> > + quota->charged_sz += sz_region;
> > + else
> > + quota->charged_sz += sz_applied + mult_frac(
> > + (sz_region - sz_applied),
> > + quota->fail_charge_num,
> > + quota->fail_charge_denom);
>
> Could the mult_frac() calculation silently overflow here?
>
> The fail_charge_num and fail_charge_denom variables are user-controlled
> unsigned int parameters without bounds checking. The mult_frac(x, numer, denom)
> macro evaluates as quot * numer + (rem * numer) / denom, using the type of x,
> which is unsigned long in this case.
>
> On a 32-bit architecture, if a user configures a fine-grained ratio like
> 1000000 / 1000000, the remainder could be up to 999999. The intermediate
> calculation for rem * numer would evaluate to nearly 10^12, which overflows
> the 32-bit limit.
>
> Similarly, on 64-bit architectures, setting fail_charge_num to a very
> large value like UINT_MAX could cause the quot * numer operation to exceed
> the 64-bit limit for large memory regions.
>
> If an overflow occurs, it would severely under-account the charged size,
> breaking the quota enforcement in damos_quota_is_full() and allowing the
> scheme to silently bypass its configured action limits.
>
> Does this code need bounds checking for the numerator and denominator, or
> should it use a safer math helper to prevent the quota bypass?
Same sashiko question to the previous patch. My answer is also same. I will
keep this as is in favor of simplicity.
>
> > +}
>
>
> # end of sashiko.dev inline review
> # review url: https://sashiko.dev/#/patchset/20260411164908.77189-4-sj@xxxxxxxxxx
Thanks,
SJ
# hkml [1] generated a draft of this mail. You can regenerate
# this using below command:
#
# hkml patch sashiko_dev --for_forwarding \
# 20260411164908.77189-4-sj@xxxxxxxxxx
#
# [1] https://github.com/sjp38/hackermail