Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2026-23025

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
31/01/2026
Last modified:
31/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: prevent pcp corruption with SMP=n

The kernel test robot has reported:

    BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28
    lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0
    CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470
    Call Trace:

    __dump_stack (lib/dump_stack.c:95)
    dump_stack_lvl (lib/dump_stack.c:123)
    dump_stack (lib/dump_stack.c:130)
    spin_dump (kernel/locking/spinlock_debug.c:71)
    do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)
    _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)
    __free_frozen_pages (mm/page_alloc.c:2973)
    ___free_pages (mm/page_alloc.c:5295)
    __free_pages (mm/page_alloc.c:5334)
    tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)
    ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)
    ? rcu_core (kernel/rcu/tree.c:?)
    rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)
    rcu_core_si (kernel/rcu/tree.c:2879)
    handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)
    __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)
    irq_exit_rcu (kernel/softirq.c:741)
    sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)

    RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
    free_pcppages_bulk (mm/page_alloc.c:1494)
    drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)
    __drain_all_pages (mm/page_alloc.c:2731)
    drain_all_pages (mm/page_alloc.c:2747)
    kcompactd (mm/compaction.c:3115)
    kthread (kernel/kthread.c:465)
    ? __cfi_kcompactd (mm/compaction.c:3166)
    ? __cfi_kthread (kernel/kthread.c:412)
    ret_from_fork (arch/x86/kernel/process.c:164)
    ? __cfi_kthread (kernel/kthread.c:412)
    ret_from_fork_asm (arch/x86/entry/entry_64.S:255)

Matthew has analyzed the report and identified that in drain_pages_zone() we are in a section protected by spin_lock(&pcp->lock) and then get an interrupt that attempts spin_trylock() on the same lock. The code is designed to work this way without disabling IRQs and occasionally fail the trylock with a fallback. However, the SMP=n spinlock implementation assumes spin_trylock() will always succeed, and thus it's normally a no-op. Here the enabled lock debugging catches the problem, but otherwise it could cause a corruption of the pcp structure.

The problem has been introduced by commit 574907741599 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme recognizes the need for disabling IRQs to prevent nesting spin_trylock() sections on SMP=n, but the need to prevent the nesting in spin_lock() has not been recognized. Fix it by introducing local wrappers that change the spin_lock() to spin_lock_irqsave() with SMP=n and use them in all places that do spin_lock(&pcp->lock).

[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]
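
The nesting described above, as an added userspace model in C (not kernel code and not part of the original advisory): the SMP=n trylock always succeeds, so an interrupt delivered inside the drain section modifies the same state, while disabling IRQs in the lock wrapper defers it until after unlock. All names are hypothetical, and a page counter stands in for the pcp structure.

```c
/* Userspace model only (hypothetical names): on SMP=n spin_trylock() always
 * "succeeds". A page counter stands in for the pcp structure. */
#include <stdbool.h>
#include <stdio.h>

static int pcp_count, buddy_pages;  /* per-cpu list size / pages in buddy */
static bool irqs_on, irq_pending;

static bool up_spin_trylock(void) { return true; }  /* SMP=n behaviour */

/* Free path run from interrupt context: trylock, then add one page. */
static void irq_free_page(void)
{
    if (!up_spin_trylock()) { buddy_pages++; return; }  /* fallback, unreachable on UP */
    pcp_count++;
}
/* Deliver the pending interrupt only while IRQs are enabled. */
static void irq_window(void)
{
    if (irqs_on && irq_pending) { irq_pending = false; irq_free_page(); }
}

/* Drain path; use_irqsave models the wrapper that disables IRQs on SMP=n. */
static void drain(bool use_irqsave)
{
    bool saved = irqs_on;
    if (use_irqsave) irqs_on = false;  /* like spin_lock_irqsave() */
    int n = pcp_count;                 /* snapshot inside the "locked" section */
    irq_window();                      /* timer interrupt arrives here */
    buddy_pages += n;                  /* free the n pages we saw */
    pcp_count = 0;                     /* overwrites a page the IRQ added */
    irqs_on = saved;                   /* like spin_unlock_irqrestore() */
    irq_window();                      /* a deferred IRQ runs after unlock */
}

/* Returns pages still accounted for; start + 1 means nothing was lost. */
int run_model(bool use_irqsave, int start)
{
    pcp_count = start; buddy_pages = 0;
    irqs_on = true; irq_pending = true;
    drain(use_irqsave);
    return pcp_count + buddy_pages;
}

int main(void)
{
    printf("spin_lock only:  %d of 5 pages\n", run_model(false, 4));
    printf("irqsave wrapper: %d of 5 pages\n", run_model(true, 4));
    return 0;
}
```

With plain locking the page added by the interrupt is overwritten and lost; with the IRQ-disabling wrapper every page stays accounted for.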

Impact