Re: [PATCH 0/2] mm/page_owner: fix TOCTOU races in lockless page state reading

Next message: Jakub Kicinski: "Re: [PATCH v2 net-next] sctp: use sctp_auth_shkey_release() in error path for consistency"
Previous message: NG, TZE YEE: "Re: [PATCH v3 3/3] i3c: master: Validate GET CCC payload length and retry M0/M2 once"
In reply to: Ye Liu: "[PATCH 2/2] mm/page_owner: use memcg_data snapshot instead of PageMemcgKmem() to avoid TOCTOU VM_BUG_ON"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Morton

Date: Wed Jun 24 2026 - 22:04:30 EST

On Thu, 25 Jun 2026 09:47:03 +0800 Ye Liu <ye.liu@xxxxxxxxx> wrote:

> Fix two TOCTOU races found during review of [1].
>
> page_owner reads page state locklessly by design. In two places the
> code reads the same metadata twice — once as a guard, then again as
> a use — and the page can be concurrently reallocated between the two:
>
> Patch 1: buddy_order_unsafe() in skip_buddy_pages() can return garbage
> if the page is allocated between PageBuddy() and the private read,
> causing the PFN to skip past a pfn_valid() boundary. Clamp the
> advance at MAX_ORDER_NR_PAGES.
>
> Patch 2: PageMemcgKmem() in print_page_owner_memcg() re-reads
> folio->memcg_data and triggers VM_BUG_ON assertions if the page
> became a tail page or slab page. Use the snapshot taken at entry.

That was fast. I haven't pushed out mm-new yet, so Sashiko wasn't able
to apply these.

> [1] https://lore.kernel.org/all/20260623065234.31866-2-ye.liu@xxxxxxxxx/
> [2] https://sashiko.dev/#/patchset/20260623065234.31866-2-ye.liu@xxxxxxxxx

Nothing cites "[2]". That's OK.