[PATCH mm-hotfixes v2 0/2] mm/page_alloc,slab: return NULL early from *_nolock() memory allocation APIs in NMI on UP

From: Harry Yoo (Oracle)

Date: Mon Apr 27 2026 - 03:12:15 EST


Due to my mistake, V1 was sent twice w/o proper cover letter and
Cc: stable. Please ignore V1. Apologies for the noise.

Changes since V1:
- used b4 to send patch series (w/ a proper cover letter) instead of
my broken git send-email script (Thanks Vlastimil)
- added Cc: stable to patches 1 and 2

On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that
unconditionally succeeds even when the lock is already held.
As a result, alloc_frozen_pages_nolock() and kmalloc_nolock() called
from an NMI context can successfully re-acquire the lock that the
page/slab allocators are already holding (no deadlock because it's
trylock, but leads to e.g., allocating the same page/object twice and
causing use-after-free).

It was discovered while testing the new kmalloc/kfree_nolock() test case
in the slub_kunit test module with CONFIG_DEBUG_SPINLOCK=y on a UP
kernel.

Patch 1 fixes alloc_frozen_pages_nolock() and
patch 2 fixes kmalloc_nolock().

Note: As pointed out by Vlastimil Babka [1], in theory a kprobe in a
locked section could trigger the same issue. However, fixing that
involves a non-trivial rework (e.g., inventing a new spinlock type) or
introduces unnecessary overhead for all spinlocks on UP (e.g., let all
spinlocks check locked status on UP).

Given that BPF tracing on UP is rare, and it's even more unlikely to
trace a function called from the memory allocator within the locked
section, this patch series addresses the issue only on NMI contexts
(which is rare as well but now covered by the new test case).

[1] https://lore.kernel.org/linux-mm/af3a7fa9-b368-4ffd-964d-9e4fcba863a8@xxxxxxxxxx

Cc: stable.vger.kernel.org
---
Harry Yoo (Oracle) (2):
mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP
mm/slab: return NULL early from kmalloc_nolock() in NMI on UP

mm/page_alloc.c | 5 +++++
mm/slub.c       | 4 ++++
2 files changed, 9 insertions(+)
---
base-commit: ba24da38a519dfcff8cce3f3f2726d7b159a4d75
change-id: 20260427-nolock-api-fix-bd056911e68e

Best regards,
--
Cheers,
Harry / Hyeonggon
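As an added user-space model (not code from this series or from the kernel), the C sketch below shows why a no-op trylock on UP lets an NMI-context *_nolock() allocation hand out the very page the interrupted allocation is about to return, and how returning NULL early in NMI context avoids it. The freelist, the NMI injection point and every function name here are constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>

#define NPAGES 4
struct page { struct page *next; };

static struct page pool[NPAGES];
static struct page *freelist, *nmi_result;
static bool fix_enabled;   /* false: pre-fix behaviour, true: patched behaviour */

/* Models spin_trylock() on !CONFIG_SMP: with nothing to test it always "succeeds",
 * even while the allocator is already inside its own locked section. */
static bool up_spin_trylock(void) { return true; }
static void up_spin_unlock(void) { }

static void reset_pool(void)
{
	for (int i = 0; i < NPAGES; i++)
		pool[i].next = (i + 1 < NPAGES) ? &pool[i + 1] : NULL;
	freelist = &pool[0];
}

/* Constructed stand-in for alloc_frozen_pages_nolock()/kmalloc_nolock(). */
static struct page *alloc_nolock(bool in_nmi)
{
	struct page *page;
	/* The fix: trylock cannot observe the held lock on UP, so refuse in NMI context. */
	if (fix_enabled && in_nmi)
		return NULL;
	if (!up_spin_trylock())
		return NULL;
	page = freelist;
	if (!in_nmi)                   /* NMI lands after the head was read... */
		nmi_result = alloc_nolock(true);
	if (page)
		freelist = page->next; /* ...and before it was advanced: stale update */
	up_spin_unlock();
	return page;
}

/* Runs one interrupted allocation; returns 1 when the interrupted allocation
 * and the NMI allocation hand out the same page (the use-after-free setup). */
static int same_page_handed_out_twice(bool with_fix)
{
	reset_pool();
	fix_enabled = with_fix;
	nmi_result = NULL;
	struct page *outer = alloc_nolock(false);
	return outer && outer == nmi_result;
}
```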