The Linux Kernel Mailing List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Brendan Jackman" <jackmanb@google.com>
Cc: linux-kernel@vger.kernel.org, linux-rt-devel@lists.linux.dev
Subject: Re: [PATCH v4 18/18] mm: factor out can_spin_trylock()
Date: Thu, 02 Jul 2026 12:28:21 +0000	[thread overview]
Message-ID: <20260702122822.562721F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260702-alloc-trylock-v4-18-0af8ff387e80@google.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The refactoring to deduplicate spin_trylock safety checks into can_spin_trylock() missed __free_frozen_pages(), leaving a pre-existing UP NMI corruption bug unpatched.
--

Note: The format of this report has been altered to provide a free-form
summary of the findings due to recitation restrictions.

commit a99a7a468132ab177e1233c7e2f5644523ace0a7
Author: Brendan Jackman <jackmanb@google.com>
Subject: mm: factor out can_spin_trylock()

This commit introduces can_spin_trylock() to deduplicate checks for whether 
the current context is safe for spin_trylock(). It updates 
alloc_nolock_allowed() in mm/page_alloc.c and __kmalloc_nolock_noprof() in 
mm/slub.c to use this newly factored helper.

Link: https://lore.kernel.org/all/397859cb-b127-4cc6-9c71-044afc99bf0c@kernel.org/

[Severity: High]

This isn't a bug introduced by this patch, but the deduplication refactoring 
appears to have missed an open-coded check in __free_frozen_pages() in 
mm/page_alloc.c. 

Could this open-coded check also be updated to use the new 
can_spin_trylock() helper to resolve a pre-existing UP NMI safety issue?

When __free_frozen_pages() handles FPI_TRYLOCK, it explicitly checks for
CONFIG_PREEMPT_RT and NMI/hardirq context. On UP systems where CONFIG_SMP 
is disabled, spin_trylock() and its variants are defined to unconditionally 
succeed because there is no actual lock state tracked.

If a caller invokes free_pages_nolock() from an NMI context on a UP system, 
the current RT-specific check fails. The execution then falls back to 
free_one_page(), where spin_trylock_irqsave() falsely succeeds even if the 
NMI interrupted another task that was actively modifying the free list under 
the zone lock. 

This allows concurrent modification of the free list, which can lead to 
corruption and kernel panics.

Updating the check in __free_frozen_pages() to use !can_spin_trylock() 
would catch the UP NMI case and safely route the allocation to the lockless 
add_page_to_zone_llist() path instead.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260702-alloc-trylock-v4-0-0af8ff387e80@google.com?part=18

      reply	other threads:[~2026-07-02 12:28 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02  9:49 [PATCH v4 00/18] mm: Some cleanups for page allocator APIs Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 01/18] mm/page_alloc: rename ALLOC_TRYLOCK -> ALLOC_NOLOCK Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 02/18] mm/page_alloc: some renames to clarify alloc_flags scopes Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 03/18] mm: name some args in a function declaration Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 04/18] mm: Split out internal page_alloc.h Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 05/18] mm/page_alloc: unify __alloc_frozen_pages[_nolock]_noprof() Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 06/18] mm/page_alloc: relax GFP WARN in nolock allocs Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 07/18] mm: move some stuff to mm/page_alloc.h Brendan Jackman
2026-07-02 10:28   ` sashiko-bot
2026-07-02  9:49 ` [PATCH v4 08/18] perf/x86/intel: Use higher-level allocator API Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 09/18] KVM: VMX: " Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 10/18] x86/virt: " Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 11/18] sgi-xp: " Brendan Jackman
2026-07-02 10:54   ` sashiko-bot
2026-07-02  9:49 ` [PATCH v4 12/18] net/funeth: Switch to " Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 13/18] mm: Remove __alloc_pages_node() Brendan Jackman
2026-07-02 11:11   ` sashiko-bot
2026-07-02  9:49 ` [PATCH v4 14/18] mm: Move __alloc_pages() to mm/page_alloc.h Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 15/18] mm: replace __GFP_NO_CODETAG with ALLOC_NO_CODETAG Brendan Jackman
2026-07-03  2:29   ` Hao Ge
2026-07-02  9:49 ` [PATCH v4 16/18] mm: remove the __GFP_NO_OBJ_EXT flag Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 17/18] mm/page_alloc: drop alloc_flags arg from alloc_flags_cma() Brendan Jackman
2026-07-02  9:49 ` [PATCH v4 18/18] mm: factor out can_spin_trylock() Brendan Jackman
2026-07-02 12:28   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702122822.562721F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=jackmanb@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rt-devel@lists.linux.dev \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox