CVE-2026-46035
Description
In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP
On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that unconditionally succeeds even when the lock is already held. As a result, alloc_frozen_pages_nolock() called from NMI context can re-enter rmqueue() and acquire the zone lock that the interrupted context is already holding, corrupting the freelists.
With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with the slub_kunit test module:
    BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243
    [...]
    Call Trace:
     dump_stack_lvl+0x3f/0x60
     do_raw_spin_trylock+0x41/0x50
     _raw_spin_trylock+0x24/0x50
     rmqueue.isra.0+0x2a9/0xa70
     get_page_from_freelist+0xeb/0x450
     alloc_frozen_pages_nolock_noprof+0x111/0x1e0
     allocate_slab+0x42a/0x500
     ___slab_alloc+0xa7/0x4c0
     kmalloc_nolock_noprof+0x164/0x310
     [...]
Fix this by returning NULL early when invoked from NMI on a UP kernel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
UP kernel NMI re-entrancy in alloc_frozen_pages_nolock() corrupts freelists due to spin_trylock no-op; fix returns NULL early.
Vulnerability
In the Linux kernel on UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that unconditionally succeeds even when the lock is held. This allows alloc_frozen_pages_nolock() called from NMI context to re-enter rmqueue() and acquire the zone lock that the interrupted context holds, corrupting freelists. The bug affects kernels that include the alloc_frozen_pages_nolock() function; no specific versions are given, but the fix is in commit [1].
Exploitation
An attacker able to trigger an NMI while the system is in a page allocation path could cause this re-entrancy. The NMI context must call alloc_frozen_pages_nolock(), e.g., via a slab allocation such as kmalloc_nolock_noprof() from an NMI handler. On UP systems with CONFIG_DEBUG_SPINLOCK enabled, the spinlock BUG shown in the description is triggered.
Impact
Corruption of the page freelists leading to system instability, memory corruption, or potential privilege escalation. The attacker gains no direct control via this bug but may degrade system integrity.
Mitigation
Fixed by commit 620b46ed6ae17c8438d889c8c0cfddab36a1476c in the Linux kernel stable tree. Users should update to a kernel version containing this fix. No workaround is available for affected UP systems.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 Patches
605b4ed8bef30 mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP
1 file changed · +5 −1
mm/page_alloc.c+5 −1 modifieddiff --git a/mm/page_alloc.c b/mm/page_alloc.c index 43363fd3b8ea42..f676966180035c 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -7641,6 +7641,11 @@ struct page *alloc_frozen_pages_nolock_noprof(gfp_t gfp_flags, int nid, unsigned */ if (IS_ENABLED(CONFIG_PREEMPT_RT) && (in_nmi() || in_hardirq())) return NULL; + + /* On UP, spin_trylock() always succeeds even when it is locked */ + if (!IS_ENABLED(CONFIG_SMP) && in_nmi()) + return NULL; + if (!pcp_allowed_order(order)) return NULL; -- cgit 1.3-korg
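Review bot: the added guard tests only in_nmi(), while the PREEMPT_RT guard in the context lines directly above it tests in_nmi() || in_hardirq(); nothing in the hunk says why hardirq re-entry is not a concern on UP, so the comment `/* On UP, spin_trylock() always succeeds even when it is locked */` would read better extended with one line stating that NMI is the only context that can interrupt a zone-lock holder here (or that hardirq is already excluded for another reason). The placement before `if (!pcp_allowed_order(order))` is right: the early return happens before any order-dependent path can attempt the lock.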
a6d57efeaae3 mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP
1 file changed · +5 −1
mm/page_alloc.c+5 −1 modifieddiff --git a/mm/page_alloc.c b/mm/page_alloc.c index 04494bc2e46f98..e92898ad51cd81 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -7806,6 +7806,11 @@ struct page *alloc_frozen_pages_nolock_noprof(gfp_t gfp_flags, int nid, unsigned */ if (IS_ENABLED(CONFIG_PREEMPT_RT) && (in_nmi() || in_hardirq())) return NULL; + + /* On UP, spin_trylock() always succeeds even when it is locked */ + if (!IS_ENABLED(CONFIG_SMP) && in_nmi()) + return NULL; + if (!pcp_allowed_order(order)) return NULL; -- cgit 1.3-korg
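Review bot: this is the same five-line hunk as the other two patches on this page with only the offset changed (@@ -7806 here versus -7641 and -7775); the unchanged context lines show the PREEMPT_RT guard above and the pcp_allowed_order() check below present in this branch, so the insertion point is equivalent and nothing branch-specific needs changing. The one-line comment would still benefit from saying why only in_nmi() is checked when the guard immediately above it also checks in_hardirq().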
620b46ed6ae1 mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP
1 file changed · +5 −1
mm/page_alloc.c+5 −1 modifieddiff --git a/mm/page_alloc.c b/mm/page_alloc.c index 111b54df8a3cbc..b1b1039287e93f 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -7775,6 +7775,11 @@ struct page *alloc_frozen_pages_nolock_noprof(gfp_t gfp_flags, int nid, unsigned */ if (IS_ENABLED(CONFIG_PREEMPT_RT) && (in_nmi() || in_hardirq())) return NULL; + + /* On UP, spin_trylock() always succeeds even when it is locked */ + if (!IS_ENABLED(CONFIG_SMP) && in_nmi()) + return NULL; + if (!pcp_allowed_order(order)) return NULL; -- cgit 1.3-korg
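Review bot: identical hunk to the other two patches, at offset @@ -7775; the context lines match (PREEMPT_RT guard above, pcp_allowed_order() check below), so there is nothing branch-specific to raise. As with the others, the comment `/* On UP, spin_trylock() always succeeds even when it is locked */` would be clearer with a second line explaining why only in_nmi() is tested here while the guard directly above also tests in_hardirq().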
Vulnerability mechanics
Root cause
"On UP kernels, spin_trylock() is a no-op that unconditionally succeeds, allowing NMI-context re-entry into rmqueue() while the zone lock is already held, corrupting freelists."
Attack vector
An attacker who can trigger an NMI (Non-Maskable Interrupt) on a UP (uniprocessor) kernel can cause `alloc_frozen_pages_nolock()` to be called while the interrupted context already holds the zone lock. Because `spin_trylock()` on UP always succeeds, the NMI handler re-enters `rmqueue()` and corrupts the freelists. The bug is reproduced with the `slub_kunit` test module under `CONFIG_DEBUG_SPINLOCK` on UP.
Affected code
The vulnerability is in the function `alloc_frozen_pages_nolock_noprof()` in `mm/page_alloc.c` [patch_id=2660253]. On UP kernels, `spin_trylock()` is a no-op that unconditionally succeeds, so the function can re-enter `rmqueue()` from NMI context and corrupt freelists.
What the fix does
The patch adds an early return of NULL in `alloc_frozen_pages_nolock_noprof()` when the kernel is compiled without `CONFIG_SMP` (i.e., UP) and the call originates from NMI context [patch_id=2660253]. This prevents the function from reaching `rmqueue()` and attempting to acquire a lock that is already held, thereby avoiding freelist corruption. The fix mirrors the existing guard for `CONFIG_PREEMPT_RT` that already returns NULL in NMI/hardirq.
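The re-entrancy described in the commit message and the guard described in this section can be seen in a small user-space model. This is an added example, not kernel code and not part of the patch: `spin_trylock_model()`, `rmqueue_model()`, `alloc_nolock_model()` and the `nmi_hook` callback are stand-ins for the kernel's spin_trylock(), rmqueue(), alloc_frozen_pages_nolock() and an NMI arriving mid-critical-section, and the four-entry freelist is constructed. It shows the double allocation that a trylock which always succeeds produces on UP, that an SMP-style trylock fails instead, and that the early return from the fix restores a consistent freelist.

```c
#include <stdio.h>

/* Added user-space model, not kernel code: a 4-entry freelist of "pages", a
 * zone lock, and a hook that fires inside the critical section to play the NMI.
 * The *_model names stand in for spin_trylock(), rmqueue(), alloc_frozen_pages_nolock(). */
#define NPAGES 4
struct page { int id; struct page *next; };

static struct page pool[NPAGES];   /* constructed page pool */
static struct page *freelist;      /* head of the free list */
static int zone_lock_held;         /* >0 while a context is inside the lock */
static int config_smp;             /* 0 models !CONFIG_SMP (UP), 1 models SMP */
static int guard_enabled;          /* 1 applies the fix's early return */
static void (*nmi_hook)(void);     /* fires once, mid-critical-section */
static struct page *nmi_got;       /* what the "NMI" allocation returned */

static void reset_freelist(void)
{
    freelist = NULL;
    for (int i = NPAGES - 1; i >= 0; i--) {
        pool[i].id = i;
        pool[i].next = freelist;
        freelist = &pool[i];
    }
    zone_lock_held = 0;
}

/* spin_trylock() model: on UP the kernel's version returns 1 regardless of the
 * lock state (a no-op); on SMP it fails when the lock is already held. */
static int spin_trylock_model(void)
{
    if (config_smp && zone_lock_held)
        return 0;
    zone_lock_held++;
    return 1;
}

static void spin_unlock_model(void) { zone_lock_held--; }

/* rmqueue() model with a trylock: pop the head page under the lock. The NMI hook
 * runs after the head has been read but before it is unlinked. */
static struct page *rmqueue_model(void)
{
    if (!spin_trylock_model())
        return NULL;
    struct page *head = freelist;
    if (!head) { spin_unlock_model(); return NULL; }
    if (nmi_hook) { void (*h)(void) = nmi_hook; nmi_hook = NULL; h(); } /* fires once */
    freelist = head->next;          /* stale if the NMI already popped head */
    spin_unlock_model();
    return head;
}

/* alloc_frozen_pages_nolock() model: with the fix, an NMI caller on UP gets NULL
 * before it can reach rmqueue(). */
static struct page *alloc_nolock_model(int in_nmi)
{
    if (guard_enabled && !config_smp && in_nmi)
        return NULL;
    return rmqueue_model();
}

static void nmi_handler(void) { nmi_got = alloc_nolock_model(1); }

static int freelist_len(void)
{
    int n = 0;
    for (struct page *p = freelist; p; p = p->next) n++;
    return n;
}

enum outcome { OUTCOME_CONSISTENT, OUTCOME_DOUBLE_ALLOC, OUTCOME_OTHER };

/* One allocation interrupted by an NMI allocation, classified afterwards:
 * CONSISTENT = one page handed out, NMI got NULL, three pages still free;
 * DOUBLE_ALLOC = both contexts were handed the same page. */
static enum outcome run_scenario(int smp, int guard)
{
    reset_freelist();
    config_smp = smp; guard_enabled = guard;
    nmi_got = NULL; nmi_hook = nmi_handler;
    struct page *main_got = alloc_nolock_model(0);

    if (main_got && nmi_got && main_got == nmi_got)
        return OUTCOME_DOUBLE_ALLOC;
    if (main_got && !nmi_got && freelist_len() == NPAGES - 1 && !zone_lock_held)
        return OUTCOME_CONSISTENT;
    return OUTCOME_OTHER;
}

int main(void)
{
    static const char *const names[] = { "consistent", "double allocation", "other" };
    printf("UP,  no guard: %s\n", names[run_scenario(0, 0)]);
    printf("UP,  guard   : %s\n", names[run_scenario(0, 1)]);
    printf("SMP, no guard: %s\n", names[run_scenario(1, 0)]);
    return 0;
}
```

The three scenarios map to the three states the page describes: UP without the guard hands page 0 to both the interrupted context and the NMI context (the freelist corruption), UP with the guard makes the NMI caller give up before touching the list, and an SMP-style trylock refuses the nested acquisition on its own, which is why the guard is conditioned on !CONFIG_SMP.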
Preconditions
- config: Kernel must be compiled without CONFIG_SMP (UP kernel)
- input: The alloc_frozen_pages_nolock() function must be invoked from NMI context
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 3
Linked articles: 0 (No linked articles in our index yet.)