Re: [PATCH mm-hotfixes v2 0/2] mm/page_alloc,slab: return NULL early from *_nolock() memory allocation APIs in NMI on UP

From: Vlastimil Babka (SUSE)

Date: Mon Apr 27 2026 - 04:00:27 EST


On 4/27/26 09:09, Harry Yoo (Oracle) wrote:
> Due to my mistake, V1 was sent twice w/o proper cover letter and
> Cc: stable. Please ignore V1. Apologies for the noise.
>
> Changes since V1:
> - used b4 to send patch series (w/ a proper cover letter) instead of
> my broken git send-email script (Thanks Vlastimil)
> - added Cc: stable to patches 1 and 2
>
> On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that
> unconditionally succeeds even when the lock is already held.
> As a result, alloc_frozen_pages_nolock() and kmalloc_nolock() called
> from an NMI context can successfully re-acquire the lock that the
> page/slab allocators are already holding (no deadlock because it's
> trylock, but leads to e.g., allocating the same page/object twice and
> causing use-after-free).
>
> It was discovered while testing the new kmalloc/kfree_nolock() test case
> in the slub_kunit test module with CONFIG_DEBUG_SPINLOCK=y on a UP
> kernel.
>
> Patch 1 fixes alloc_frozen_pages_nolock() and
> patch 2 fixes kmalloc_nolock().

Thanks. Given the problem exposed is in a slab kunit test I think it's
better to handle this in the slab tree. The page_alloc change is small and
should not cause conflicts. So I've merged both in slab/for-next.

> Note: As pointed out by Vlastimil Babka [1], in theory a kprobe in a
> locked section could trigger the same issue. However, fixing that
> involves a non-trivial rework (e.g., inventing a new spinlock type) or
> introduces unnecessary overhead for all spinlocks on UP (e.g., let all
> spinlocks check locked status on UP).
>
> Given that BPF tracing on UP is rare, and it's even more unlikely to
> trace a function called from the memory allocator within the locked
> section, this patch series addresses the issue only on NMI contexts
> (which is rare as well but now covered by the new test case).
>
> [1] https://lore.kernel.org/linux-mm/af3a7fa9-b368-4ffd-964d-9e4fcba863a8@xxxxxxxxxx
>
> Cc: stable.vger.kernel.org
> ---
> Harry Yoo (Oracle) (2):
> mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP
> mm/slab: return NULL early from kmalloc_nolock() in NMI on UP
>
> mm/page_alloc.c | 5 +++++
> mm/slub.c | 4 ++++
> 2 files changed, 9 insertions(+)
> ---
> base-commit: ba24da38a519dfcff8cce3f3f2726d7b159a4d75
> change-id: 20260427-nolock-api-fix-bd056911e68e
>
> Best regards,
> --
> Cheers,
> Harry / Hyeonggon
>
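Added example, not kernel code and not part of Harry's series: a user-space C model of the failure the cover letter describes. `model_trylock` stands in for spin_trylock(): on SMP it refuses when the lock word is already set, on UP it always succeeds. A simulated NMI re-enters the allocator between reading the freelist head and unlinking it; on UP without the fix both callers are handed the same object, and the hypothetical `fixed` flag reproduces the series' early NULL return in NMI on UP. All names here (struct cpu_slab, struct ctx, run_scenario, the `smp`/`fixed` knobs) are this example's own assumptions, not identifiers from mm/slub.c or mm/page_alloc.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one per-cpu freelist (names are this example's own). */
struct obj { struct obj *next; };

struct cpu_slab {
    struct obj *freelist;  /* head of the free-object chain */
    int lock;              /* >0 while the modelled spinlock is "held" */
};

/* Hypothetical knobs standing in for CONFIG_SMP, in_nmi() and the patch. */
struct ctx {
    bool smp;             /* CONFIG_SMP=y: trylock really inspects the lock word */
    bool fixed;           /* apply the series' early NULL return in NMI on UP */
    bool in_nmi;          /* true while the simulated NMI handler runs */
    struct obj *nmi_got;  /* result of the allocation attempted from NMI context */
};

enum outcome {
    OUTCOME_NMI_BAILED,    /* NMI-context allocation returned NULL */
    OUTCOME_DOUBLE_ALLOC,  /* outer and NMI allocation returned the same object */
    OUTCOME_DISTINCT,      /* both succeeded with different objects */
};

/*
 * On SMP, spin_trylock() fails when the lock is already held. On UP the kernel
 * reduces it to preempt_disable() plus "success", so it also succeeds when the
 * interrupted code is already inside the same critical section.
 */
static bool model_trylock(struct cpu_slab *s, const struct ctx *c)
{
    if (c->smp && s->lock)
        return false;
    s->lock++;
    return true;
}

static void model_unlock(struct cpu_slab *s) { s->lock--; }

static struct obj *alloc_nolock(struct cpu_slab *s, struct ctx *c);

/* Simulated NMI landing inside the locked section and calling the *_nolock() allocator. */
static void fire_nmi(struct cpu_slab *s, struct ctx *c)
{
    c->in_nmi = true;
    c->nmi_got = alloc_nolock(s, c);
    c->in_nmi = false;
}

/* Model of kmalloc_nolock()/alloc_frozen_pages_nolock(): pop the freelist head under a trylock. */
static struct obj *alloc_nolock(struct cpu_slab *s, struct ctx *c)
{
    /* The fix in this series: trylock cannot detect re-entry on UP, so refuse to allocate from NMI there. */
    if (c->fixed && !c->smp && c->in_nmi)
        return NULL;
    if (!model_trylock(s, c))
        return NULL;

    struct obj *o = s->freelist;
    if (!o) {
        model_unlock(s);
        return NULL;
    }
    /* Window between reading the head and unlinking it: an NMI arriving here re-enters the allocator. */
    if (!c->in_nmi)
        fire_nmi(s, c);

    s->freelist = o->next;
    model_unlock(s);
    return o;
}

/* Run one scenario on a fresh three-object freelist and classify what happened. */
enum outcome run_scenario(bool smp, bool fixed)
{
    struct obj pool[3];
    for (int i = 0; i < 3; i++)
        pool[i].next = (i + 1 < 3) ? &pool[i + 1] : NULL;
    struct cpu_slab s = { .freelist = &pool[0], .lock = 0 };
    struct ctx c = { .smp = smp, .fixed = fixed, .in_nmi = false, .nmi_got = NULL };

    struct obj *outer = alloc_nolock(&s, &c);
    if (!c.nmi_got)
        return OUTCOME_NMI_BAILED;
    return (outer == c.nmi_got) ? OUTCOME_DOUBLE_ALLOC : OUTCOME_DISTINCT;
}

int main(void)
{
    static const char *names[] = { "NMI bailed", "DOUBLE ALLOCATION", "distinct" };
    printf("SMP, unfixed : %s\n", names[run_scenario(true, false)]);
    printf("UP,  unfixed : %s\n", names[run_scenario(false, false)]);
    printf("UP,  fixed   : %s\n", names[run_scenario(false, true)]);
    return 0;
}
```

The model deliberately omits the kprobe case mentioned in the cover letter: only the NMI path is guarded, so a re-entry that is not flagged as `in_nmi` would still double-allocate on UP, which is exactly the residual gap the series leaves open.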