The Linux Kernel Mailing List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Brendan Jackman" <jackmanb@google.com>
Cc: linux-rt-devel@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 18/18] mm: factor out can_spin_trylock()
Date: Fri, 03 Jul 2026 12:55:22 +0000	[thread overview]
Message-ID: <20260703125522.AF2C61F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260703-alloc-trylock-v5-18-c87b714e19d3@google.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Unsafe trylock from NMI on UP systems due to missed deduplication in `free_unref_page_commit()`
--

commit b53c6ec11ab7f82add433847a77e54a590090942
Author: Brendan Jackman <jackmanb@google.com>

mm: factor out can_spin_trylock()

Deduplicate checks for whether the current context is safe for
spin_trylock().

Link: https://lore.kernel.org/all/397859cb-b127-4cc6-9c71-044afc99bf0c@kernel.org/

> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
> index c3b246e67ed14..a63733dac659e 100644
> --- a/mm/page_alloc.c
> +++ b/mm/page_alloc.c

[ ... ]

>  static inline bool alloc_nolock_allowed(void)
>  {

[ ... ]

> -	if (IS_ENABLED(CONFIG_PREEMPT_RT) && (in_nmi() || in_hardirq()))
> -		return false;
> -
> -	/* On UP, spin_trylock() always succeeds even when it is locked */
> -	if (!IS_ENABLED(CONFIG_SMP) && in_nmi())
> +	if (!can_spin_trylock())
>  		return false;

[Severity: High]
This is a pre-existing issue, but could this deduplication also be applied to
free_unref_page_commit() in mm/page_alloc.c?

It looks like free_unref_page_commit() still uses an open-coded check:

	if (unlikely((fpi_flags & FPI_TRYLOCK) && IS_ENABLED(CONFIG_PREEMPT_RT)
		     && (in_nmi() || in_hardirq()))) {
		add_page_to_zone_llist(zone, page, order);
		return;
	}

Since the open-coded check in free_unref_page_commit() doesn't check for UP
systems, would an asynchronous page free executed from an NMI context on a
uniprocessor system (e.g., via a BPF memory allocator) incorrectly proceed past
this check?

On UP systems, spin_trylock_irqsave() only disables interrupts and
unconditionally returns true, providing no mutual exclusion against the
interrupted context. Could this allow both the NMI and the interrupted process
to concurrently modify the zone list structures and corrupt memory?

Applying !can_spin_trylock() here seems like it would fulfill the intent of
this patch and resolve the UP + NMI case.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260703-alloc-trylock-v5-0-c87b714e19d3@google.com?part=18

  reply	other threads:[~2026-07-03 12:55 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-03 12:31 [PATCH v5 00/18] mm: Some cleanups for page allocator APIs Brendan Jackman
2026-07-03 12:31 ` [PATCH v5 01/18] mm/page_alloc: rename ALLOC_TRYLOCK -> ALLOC_NOLOCK Brendan Jackman
2026-07-03 13:59   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 02/18] mm/page_alloc: some renames to clarify alloc_flags scopes Brendan Jackman
2026-07-03 14:01   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 03/18] mm: name some args in a function declaration Brendan Jackman
2026-07-03 14:02   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 04/18] mm: Split out internal page_alloc.h Brendan Jackman
2026-07-03 14:07   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 05/18] mm/page_alloc: unify __alloc_frozen_pages[_nolock]_noprof() Brendan Jackman
2026-07-03 14:42   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 06/18] mm/page_alloc: relax GFP WARN in nolock allocs Brendan Jackman
2026-07-03 12:43   ` sashiko-bot
2026-07-03 14:44   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 07/18] mm: move some stuff to mm/page_alloc.h Brendan Jackman
2026-07-03 14:46   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 08/18] perf/x86/intel: Use higher-level allocator API Brendan Jackman
2026-07-03 14:49   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 09/18] KVM: VMX: " Brendan Jackman
2026-07-03 14:49   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 10/18] x86/virt: " Brendan Jackman
2026-07-03 14:50   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 11/18] sgi-xp: " Brendan Jackman
2026-07-03 12:48   ` sashiko-bot
2026-07-03 14:51   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 12/18] net/funeth: Switch to " Brendan Jackman
2026-07-03 12:53   ` sashiko-bot
2026-07-03 14:52   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 13/18] mm: Remove __alloc_pages_node() Brendan Jackman
2026-07-03 12:54   ` sashiko-bot
2026-07-03 14:57   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 14/18] mm: Move __alloc_pages() to mm/page_alloc.h Brendan Jackman
2026-07-03 15:05   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 15/18] mm: replace __GFP_NO_CODETAG with ALLOC_NO_CODETAG Brendan Jackman
2026-07-03 12:31 ` [PATCH v5 16/18] mm: remove the __GFP_NO_OBJ_EXT flag Brendan Jackman
2026-07-03 12:31 ` [PATCH v5 17/18] mm/page_alloc: drop alloc_flags arg from alloc_flags_cma() Brendan Jackman
2026-07-03 15:10   ` Zi Yan
2026-07-03 12:31 ` [PATCH v5 18/18] mm: factor out can_spin_trylock() Brendan Jackman
2026-07-03 12:55   ` sashiko-bot [this message]
2026-07-03 15:12   ` Zi Yan
2026-07-03 12:47 ` [PATCH v5 00/18] mm: Some cleanups for page allocator APIs Vlastimil Babka (SUSE)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260703125522.AF2C61F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=jackmanb@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rt-devel@lists.linux.dev \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox