From: sashiko-bot@kernel.org
To: "Brendan Jackman" <jackmanb@google.com>
Cc: linux-kernel@vger.kernel.org, linux-rt-devel@lists.linux.dev
Subject: Re: [PATCH v4 18/18] mm: factor out can_spin_trylock()
Date: Thu, 02 Jul 2026 12:28:21 +0000 [thread overview]
Message-ID: <20260702122822.562721F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260702-alloc-trylock-v4-18-0af8ff387e80@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The refactoring to deduplicate spin_trylock safety checks into can_spin_trylock() missed __free_frozen_pages(), leaving a pre-existing UP NMI corruption bug unpatched.
--
Note: The format of this report has been altered to provide a free-form
summary of the findings due to recitation restrictions.
commit a99a7a468132ab177e1233c7e2f5644523ace0a7
Author: Brendan Jackman <jackmanb@google.com>
Subject: mm: factor out can_spin_trylock()
This commit introduces can_spin_trylock() to deduplicate checks for whether
the current context is safe for spin_trylock(). It updates
alloc_nolock_allowed() in mm/page_alloc.c and __kmalloc_nolock_noprof() in
mm/slub.c to use this newly factored helper.
Link: https://lore.kernel.org/all/397859cb-b127-4cc6-9c71-044afc99bf0c@kernel.org/
[Severity: High]
This isn't a bug introduced by this patch, but the deduplication refactoring
appears to have missed an open-coded check in __free_frozen_pages() in
mm/page_alloc.c.
Could this open-coded check also be updated to use the new
can_spin_trylock() helper to resolve a pre-existing UP NMI safety issue?
When __free_frozen_pages() handles FPI_TRYLOCK, it explicitly checks for
CONFIG_PREEMPT_RT and NMI/hardirq context. On UP systems where CONFIG_SMP
is disabled, spin_trylock() and its variants are defined to unconditionally
succeed because there is no actual lock state tracked.
If a caller invokes free_pages_nolock() from an NMI context on a UP system,
the current RT-specific check fails. The execution then falls back to
free_one_page(), where spin_trylock_irqsave() falsely succeeds even if the
NMI interrupted another task that was actively modifying the free list under
the zone lock.
This allows concurrent modification of the free list, which can lead to
corruption and kernel panics.
Updating the check in __free_frozen_pages() to use !can_spin_trylock()
would catch the UP NMI case and safely route the allocation to the lockless
add_page_to_zone_llist() path instead.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260702-alloc-trylock-v4-0-0af8ff387e80@google.com?part=18
prev parent reply other threads:[~2026-07-02 12:28 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 9:49 [PATCH v4 00/18] mm: Some cleanups for page allocator APIs Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 01/18] mm/page_alloc: rename ALLOC_TRYLOCK -> ALLOC_NOLOCK Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 02/18] mm/page_alloc: some renames to clarify alloc_flags scopes Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 03/18] mm: name some args in a function declaration Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 04/18] mm: Split out internal page_alloc.h Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 05/18] mm/page_alloc: unify __alloc_frozen_pages[_nolock]_noprof() Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 06/18] mm/page_alloc: relax GFP WARN in nolock allocs Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 07/18] mm: move some stuff to mm/page_alloc.h Brendan Jackman
2026-07-02 10:28 ` sashiko-bot
2026-07-02 9:49 ` [PATCH v4 08/18] perf/x86/intel: Use higher-level allocator API Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 09/18] KVM: VMX: " Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 10/18] x86/virt: " Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 11/18] sgi-xp: " Brendan Jackman
2026-07-02 10:54 ` sashiko-bot
2026-07-02 9:49 ` [PATCH v4 12/18] net/funeth: Switch to " Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 13/18] mm: Remove __alloc_pages_node() Brendan Jackman
2026-07-02 11:11 ` sashiko-bot
2026-07-02 9:49 ` [PATCH v4 14/18] mm: Move __alloc_pages() to mm/page_alloc.h Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 15/18] mm: replace __GFP_NO_CODETAG with ALLOC_NO_CODETAG Brendan Jackman
2026-07-03 2:29 ` Hao Ge
2026-07-02 9:49 ` [PATCH v4 16/18] mm: remove the __GFP_NO_OBJ_EXT flag Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 17/18] mm/page_alloc: drop alloc_flags arg from alloc_flags_cma() Brendan Jackman
2026-07-02 9:49 ` [PATCH v4 18/18] mm: factor out can_spin_trylock() Brendan Jackman
2026-07-02 12:28 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702122822.562721F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=jackmanb@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rt-devel@lists.linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox