[PATCH v2 4/4] mm: memcontrol: fix unexpected massive positive number in memcg_state_val_in_pages()

Next message: Guenter Roeck: "Re: [PATCH v5 1/2] dt-bindings: hwmon: isl68137: Add compatible strings for RAA228942 and RAA228943"
Previous message: Qi Zheng: "[PATCH v2 3/4] mm: memcontrol: correct the nr_pages parameter type of mem_cgroup_update_lru_size()"
In reply to: Qi Zheng: "[PATCH v2 3/4] mm: memcontrol: correct the nr_pages parameter type of mem_cgroup_update_lru_size()"
Next in thread: Lorenzo Stoakes (Oracle): "Re: [PATCH v2 4/4] mm: memcontrol: fix unexpected massive positive number in memcg_state_val_in_pages()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Qi Zheng

Date: Wed Mar 25 2026 - 10:22:01 EST

From: Qi Zheng <zhengqi.arch@xxxxxxxxxxxxx>

In memcg_state_val_in_pages(), if the passed val is negative, the
expression val * unit / PAGE_SIZE could be implicitly converted to a
massive positive number when compared with 1UL in the max() macro.
This leads to returning an incorrect massive positive value.

Fix this by using abs(val) to calculate the magnitude first, and then
restoring the sign of the value before returning the result. Additionally,
use mult_frac() to prevent potential overflow during the multiplication of
val and unit.

Reported-by: Harry Yoo (Oracle) <harry@xxxxxxxxxx>
Signed-off-by: Qi Zheng <zhengqi.arch@xxxxxxxxxxxxx>
---
mm/memcontrol.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 04076a139dbe3..0c249255ebefb 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -787,11 +787,14 @@ static int memcg_page_state_unit(int item);
static long memcg_state_val_in_pages(int idx, long val)
{
int unit = memcg_page_state_unit(idx);
+ long res;

if (!val || unit == PAGE_SIZE)
return val;
- else
- return max(val * unit / PAGE_SIZE, 1UL);
+
+ res = max(mult_frac(abs(val), unit, PAGE_SIZE), 1UL);
+
+ return val < 0 ? -res : res;
}

#ifdef CONFIG_MEMCG_V1
--
2.20.1