Re: [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path

Next message: Jason Gunthorpe: "Re: [PATCH v1] iommu: Skip mapping at address 0x0 if it already exists"
Previous message: SeongJae Park: "Re: [PATCH v3 1/5] mm: introduce zone lock wrappers"
In reply to: Vlastimil Babka: "Re: [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path"
Next in thread: Vlastimil Babka: "Re: [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hao Li

Date: Thu Feb 26 2026 - 20:02:05 EST

On Thu, Feb 26, 2026 at 02:44:02PM +0100, Vlastimil Babka wrote:
> On 2/26/26 14:39, Shakeel Butt wrote:
> > On Thu, Feb 26, 2026 at 07:51:37PM +0800, Hao Li wrote:
> >> In the trylock path of refill_obj_stock(), mod_objcg_mlstate() should
> >> use the real alloc/free bytes (i.e., nr_acct) for accounting, rather
> >> than nr_bytes.
> >>
> >> Fixes: 200577f69f29 ("memcg: objcg stock trylock without irq disabling")
> >> Cc: stable@xxxxxxxxxxxxxxx
> >> Signed-off-by: Hao Li <hao.li@xxxxxxxxx>
> >
> > Thanks for the fix.
> >
> > Acked-by: Shakeel Butt <shakeel.butt@xxxxxxxxx>
>
> What are the user-visible effects of the bug?

The user-visible impact is that the NR_SLAB_RECLAIMABLE_B and
NR_SLAB_UNRECLAIMABLE_B stats can end up being incorrect.

For example, if a user allocates a 6144-byte object, then before this fix
refill_obj_stock() calls mod_objcg_mlstate(..., nr_bytes=2048), even though it
should account for 6144 bytes (i.e., nr_acct).

When the user later frees the same object with kfree(), refill_obj_stock() calls
mod_objcg_mlstate(..., nr_bytes=6144). This ends up adding 6144 to the stats,
but it should be applying -6144 (i.e., nr_acct) since the object is being
freed.

--
Thanks,
Hao