* [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path
@ 2026-02-26 11:51 Hao Li
2026-02-26 13:39 ` Shakeel Butt
0 siblings, 1 reply; 6+ messages in thread
From: Hao Li @ 2026-02-26 11:51 UTC (permalink / raw)
To: hannes, mhocko, roman.gushchin, shakeel.butt
Cc: vbabka, harry.yoo, muchun.song, akpm, cgroups, linux-mm,
linux-kernel, Hao Li, stable
In the trylock path of refill_obj_stock(), mod_objcg_mlstate() should
use the real alloc/free bytes (i.e., nr_acct) for accounting, rather
than nr_bytes.
Fixes: 200577f69f29 ("memcg: objcg stock trylock without irq disabling")
Cc: stable@vger.kernel.org
Signed-off-by: Hao Li <hao.li@linux.dev>
---
mm/memcontrol.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 2d6dfba540d4..683f9f9bf47e 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -3060,7 +3060,7 @@ static void refill_obj_stock(struct obj_cgroup *objcg, unsigned int nr_bytes,
if (!local_trylock(&obj_stock.lock)) {
if (pgdat)
- mod_objcg_mlstate(objcg, pgdat, idx, nr_bytes);
+ mod_objcg_mlstate(objcg, pgdat, idx, nr_acct);
nr_pages = nr_bytes >> PAGE_SHIFT;
nr_bytes = nr_bytes & (PAGE_SIZE - 1);
atomic_add(nr_bytes, &objcg->nr_charged_bytes);
--
2.50.1
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path 2026-02-26 11:51 [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path Hao Li @ 2026-02-26 13:39 ` Shakeel Butt 2026-02-26 13:44 ` Vlastimil Babka 0 siblings, 1 reply; 6+ messages in thread From: Shakeel Butt @ 2026-02-26 13:39 UTC (permalink / raw) To: Hao Li Cc: hannes, mhocko, roman.gushchin, vbabka, harry.yoo, muchun.song, akpm, cgroups, linux-mm, linux-kernel, stable On Thu, Feb 26, 2026 at 07:51:37PM +0800, Hao Li wrote: > In the trylock path of refill_obj_stock(), mod_objcg_mlstate() should > use the real alloc/free bytes (i.e., nr_acct) for accounting, rather > than nr_bytes. > > Fixes: 200577f69f29 ("memcg: objcg stock trylock without irq disabling") > Cc: stable@vger.kernel.org > Signed-off-by: Hao Li <hao.li@linux.dev> Thanks for the fix. Acked-by: Shakeel Butt <shakeel.butt@linux.dev> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path 2026-02-26 13:39 ` Shakeel Butt @ 2026-02-26 13:44 ` Vlastimil Babka 2026-02-27 1:01 ` Hao Li 0 siblings, 1 reply; 6+ messages in thread From: Vlastimil Babka @ 2026-02-26 13:44 UTC (permalink / raw) To: Shakeel Butt, Hao Li Cc: hannes, mhocko, roman.gushchin, vbabka, harry.yoo, muchun.song, akpm, cgroups, linux-mm, linux-kernel, stable On 2/26/26 14:39, Shakeel Butt wrote: > On Thu, Feb 26, 2026 at 07:51:37PM +0800, Hao Li wrote: >> In the trylock path of refill_obj_stock(), mod_objcg_mlstate() should >> use the real alloc/free bytes (i.e., nr_acct) for accounting, rather >> than nr_bytes. >> >> Fixes: 200577f69f29 ("memcg: objcg stock trylock without irq disabling") >> Cc: stable@vger.kernel.org >> Signed-off-by: Hao Li <hao.li@linux.dev> > > Thanks for the fix. > > Acked-by: Shakeel Butt <shakeel.butt@linux.dev> What are the user-visible effects of the bug? ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path 2026-02-26 13:44 ` Vlastimil Babka @ 2026-02-27 1:01 ` Hao Li 2026-02-27 7:46 ` Vlastimil Babka 0 siblings, 1 reply; 6+ messages in thread From: Hao Li @ 2026-02-27 1:01 UTC (permalink / raw) To: Vlastimil Babka Cc: Shakeel Butt, hannes, mhocko, roman.gushchin, vbabka, harry.yoo, muchun.song, akpm, cgroups, linux-mm, linux-kernel, stable On Thu, Feb 26, 2026 at 02:44:02PM +0100, Vlastimil Babka wrote: > On 2/26/26 14:39, Shakeel Butt wrote: > > On Thu, Feb 26, 2026 at 07:51:37PM +0800, Hao Li wrote: > >> In the trylock path of refill_obj_stock(), mod_objcg_mlstate() should > >> use the real alloc/free bytes (i.e., nr_acct) for accounting, rather > >> than nr_bytes. > >> > >> Fixes: 200577f69f29 ("memcg: objcg stock trylock without irq disabling") > >> Cc: stable@vger.kernel.org > >> Signed-off-by: Hao Li <hao.li@linux.dev> > > > > Thanks for the fix. > > > > Acked-by: Shakeel Butt <shakeel.butt@linux.dev> > > What are the user-visible effects of the bug? The user-visible impact is that the NR_SLAB_RECLAIMABLE_B and NR_SLAB_UNRECLAIMABLE_B stats can end up being incorrect. For example, if a user allocates a 6144-byte object, then before this fix refill_obj_stock() calls mod_objcg_mlstate(..., nr_bytes=2048), even though it should account for 6144 bytes (i.e., nr_acct). When the user later frees the same object with kfree(), refill_obj_stock() calls mod_objcg_mlstate(..., nr_bytes=6144). This ends up adding 6144 to the stats, but it should be applying -6144 (i.e., nr_acct) since the object is being freed. -- Thanks, Hao ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path 2026-02-27 1:01 ` Hao Li @ 2026-02-27 7:46 ` Vlastimil Babka 2026-02-27 8:37 ` Hao Li 0 siblings, 1 reply; 6+ messages in thread From: Vlastimil Babka @ 2026-02-27 7:46 UTC (permalink / raw) To: Hao Li Cc: Shakeel Butt, hannes, mhocko, roman.gushchin, vbabka, harry.yoo, muchun.song, akpm, cgroups, linux-mm, linux-kernel, stable On 2/27/26 02:01, Hao Li wrote: > On Thu, Feb 26, 2026 at 02:44:02PM +0100, Vlastimil Babka wrote: >> On 2/26/26 14:39, Shakeel Butt wrote: >> > On Thu, Feb 26, 2026 at 07:51:37PM +0800, Hao Li wrote: >> >> In the trylock path of refill_obj_stock(), mod_objcg_mlstate() should >> >> use the real alloc/free bytes (i.e., nr_acct) for accounting, rather >> >> than nr_bytes. >> >> >> >> Fixes: 200577f69f29 ("memcg: objcg stock trylock without irq disabling") >> >> Cc: stable@vger.kernel.org >> >> Signed-off-by: Hao Li <hao.li@linux.dev> >> > >> > Thanks for the fix. >> > >> > Acked-by: Shakeel Butt <shakeel.butt@linux.dev> >> >> What are the user-visible effects of the bug? > > The user-visible impact is that the NR_SLAB_RECLAIMABLE_B and > NR_SLAB_UNRECLAIMABLE_B stats can end up being incorrect. > > For example, if a user allocates a 6144-byte object, then before this fix > refill_obj_stock() calls mod_objcg_mlstate(..., nr_bytes=2048), even though it > should account for 6144 bytes (i.e., nr_acct). > > When the user later frees the same object with kfree(), refill_obj_stock() calls > mod_objcg_mlstate(..., nr_bytes=6144). This ends up adding 6144 to the stats, > but it should be applying -6144 (i.e., nr_acct) since the object is being > freed. Thanks, I'm sure Andrew will amend the changelog with those useful details. Weird that we went since 6.16 with nobody noticing the stats were off - it sounds they could get really way off? ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path 2026-02-27 7:46 ` Vlastimil Babka @ 2026-02-27 8:37 ` Hao Li 0 siblings, 0 replies; 6+ messages in thread From: Hao Li @ 2026-02-27 8:37 UTC (permalink / raw) To: Vlastimil Babka Cc: Shakeel Butt, hannes, mhocko, roman.gushchin, vbabka, harry.yoo, muchun.song, akpm, cgroups, linux-mm, linux-kernel, stable On Fri, Feb 27, 2026 at 08:46:18AM +0100, Vlastimil Babka wrote: > On 2/27/26 02:01, Hao Li wrote: > > On Thu, Feb 26, 2026 at 02:44:02PM +0100, Vlastimil Babka wrote: > >> On 2/26/26 14:39, Shakeel Butt wrote: > >> > On Thu, Feb 26, 2026 at 07:51:37PM +0800, Hao Li wrote: > >> >> In the trylock path of refill_obj_stock(), mod_objcg_mlstate() should > >> >> use the real alloc/free bytes (i.e., nr_acct) for accounting, rather > >> >> than nr_bytes. > >> >> > >> >> Fixes: 200577f69f29 ("memcg: objcg stock trylock without irq disabling") > >> >> Cc: stable@vger.kernel.org > >> >> Signed-off-by: Hao Li <hao.li@linux.dev> > >> > > >> > Thanks for the fix. > >> > > >> > Acked-by: Shakeel Butt <shakeel.butt@linux.dev> > >> > >> What are the user-visible effects of the bug? > > > > The user-visible impact is that the NR_SLAB_RECLAIMABLE_B and > > NR_SLAB_UNRECLAIMABLE_B stats can end up being incorrect. > > > > For example, if a user allocates a 6144-byte object, then before this fix > > refill_obj_stock() calls mod_objcg_mlstate(..., nr_bytes=2048), even though it > > should account for 6144 bytes (i.e., nr_acct). > > > > When the user later frees the same object with kfree(), refill_obj_stock() calls > > mod_objcg_mlstate(..., nr_bytes=6144). This ends up adding 6144 to the stats, > > but it should be applying -6144 (i.e., nr_acct) since the object is being > > freed. > > Thanks, I'm sure Andrew will amend the changelog with those useful details. Got it. Thanks. > > Weird that we went since 6.16 with nobody noticing the stats were off - it > sounds they could get really way off? Indeed, it does seem a bit unbelievable. I suspect the conditions required for this issue to occur are quite strict: a process context first hold the obj_stock.lock, then get interrupted by an IRQ, and the IRQ path also reach refill_obj_stock and then hit the local_trylock-failed path. Therefore, I think a small amount of data distortion might be hard to observe. -- Thanks, Hao ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-02-27 8:37 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2026-02-26 11:51 [PATCH] memcg: fix slab accounting in refill_obj_stock() trylock path Hao Li 2026-02-26 13:39 ` Shakeel Butt 2026-02-26 13:44 ` Vlastimil Babka 2026-02-27 1:01 ` Hao Li 2026-02-27 7:46 ` Vlastimil Babka 2026-02-27 8:37 ` Hao Li
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox