[PATCH 0/2] mm/page_owner: fix TOCTOU races in lockless page state reading

Next message: Ye Liu: "[PATCH 1/2] mm/page_owner: clamp skip_buddy_pages() PFN advance at MAX_ORDER_NR_PAGES boundary"
Previous message: Shyam Saini: "Re: [RFC PATCH] reserve_mem: add support for static memory"
Next in thread: Ye Liu: "[PATCH 1/2] mm/page_owner: clamp skip_buddy_pages() PFN advance at MAX_ORDER_NR_PAGES boundary"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ye Liu

Date: Wed Jun 24 2026 - 21:47:29 EST

Fix two TOCTOU races found during review of [1].

page_owner reads page state locklessly by design. In two places the
code reads the same metadata twice — once as a guard, then again as
a use — and the page can be concurrently reallocated between the two:

Patch 1: buddy_order_unsafe() in skip_buddy_pages() can return garbage
if the page is allocated between PageBuddy() and the private read,
causing the PFN to skip past a pfn_valid() boundary. Clamp the
advance at MAX_ORDER_NR_PAGES.

Patch 2: PageMemcgKmem() in print_page_owner_memcg() re-reads
folio->memcg_data and triggers VM_BUG_ON assertions if the page
became a tail page or slab page. Use the snapshot taken at entry.

[1] https://lore.kernel.org/all/20260623065234.31866-2-ye.liu@xxxxxxxxx/
[2] https://sashiko.dev/#/patchset/20260623065234.31866-2-ye.liu@xxxxxxxxx

Ye Liu (2):
mm/page_owner: clamp skip_buddy_pages() PFN advance at
MAX_ORDER_NR_PAGES boundary
mm/page_owner: use memcg_data snapshot instead of PageMemcgKmem() to
avoid TOCTOU VM_BUG_ON

mm/page_owner.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)

--
2.43.0