CVE-2026-23025 (GCVE-0-2026-23025)

Vulnerability from cvelistv5 – Published: 2026-01-31 11:42 – Updated: 2026-01-31 11:42
VLAI?
Title
mm/page_alloc: prevent pcp corruption with SMP=n
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: prevent pcp corruption with SMP=n The kernel test robot has reported: BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28 lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0 CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470 Call Trace: <IRQ> __dump_stack (lib/dump_stack.c:95) dump_stack_lvl (lib/dump_stack.c:123) dump_stack (lib/dump_stack.c:130) spin_dump (kernel/locking/spinlock_debug.c:71) do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?) _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138) __free_frozen_pages (mm/page_alloc.c:2973) ___free_pages (mm/page_alloc.c:5295) __free_pages (mm/page_alloc.c:5334) tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290) ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289) ? rcu_core (kernel/rcu/tree.c:?) rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861) rcu_core_si (kernel/rcu/tree.c:2879) handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623) __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725) irq_exit_rcu (kernel/softirq.c:741) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052) </IRQ> <TASK> RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) free_pcppages_bulk (mm/page_alloc.c:1494) drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632) __drain_all_pages (mm/page_alloc.c:2731) drain_all_pages (mm/page_alloc.c:2747) kcompactd (mm/compaction.c:3115) kthread (kernel/kthread.c:465) ? __cfi_kcompactd (mm/compaction.c:3166) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork (arch/x86/kernel/process.c:164) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork_asm (arch/x86/entry/entry_64.S:255) </TASK> Matthew has analyzed the report and identified that in drain_page_zone() we are in a section protected by spin_lock(&pcp->lock) and then get an interrupt that attempts spin_trylock() on the same lock. The code is designed to work this way without disabling IRQs and occasionally fail the trylock with a fallback. However, the SMP=n spinlock implementation assumes spin_trylock() will always succeed, and thus it's normally a no-op. Here the enabled lock debugging catches the problem, but otherwise it could cause a corruption of the pcp structure. The problem has been introduced by commit 574907741599 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme recognizes the need for disabling IRQs to prevent nesting spin_trylock() sections on SMP=n, but the need to prevent the nesting in spin_lock() has not been recognized. Fix it by introducing local wrappers that change the spin_lock() to spin_lock_iqsave() with SMP=n and use them in all places that do spin_lock(&pcp->lock). [vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 5749077415994eb02d660b2559b9d8278521e73d , < 4a04ff9cd816e7346fcc8126f00ed80481f6569d (git)
Affected: 5749077415994eb02d660b2559b9d8278521e73d , < df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6 (git)
Affected: 5749077415994eb02d660b2559b9d8278521e73d , < 3098f8f7c7b0686c74827aec42a2c45e69801ff8 (git)
Affected: 5749077415994eb02d660b2559b9d8278521e73d , < 038a102535eb49e10e93eafac54352fcc5d78847 (git)
Affected: d1da921452b3ee7e07383c12955ab1c6f3b08752 (git)
Create a notification for this product.
    Linux Linux Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.122 , ≤ 6.6.* (semver)
Unaffected: 6.12.67 , ≤ 6.12.* (semver)
Unaffected: 6.18.7 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc6 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/page_alloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4a04ff9cd816e7346fcc8126f00ed80481f6569d",
              "status": "affected",
              "version": "5749077415994eb02d660b2559b9d8278521e73d",
              "versionType": "git"
            },
            {
              "lessThan": "df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6",
              "status": "affected",
              "version": "5749077415994eb02d660b2559b9d8278521e73d",
              "versionType": "git"
            },
            {
              "lessThan": "3098f8f7c7b0686c74827aec42a2c45e69801ff8",
              "status": "affected",
              "version": "5749077415994eb02d660b2559b9d8278521e73d",
              "versionType": "git"
            },
            {
              "lessThan": "038a102535eb49e10e93eafac54352fcc5d78847",
              "status": "affected",
              "version": "5749077415994eb02d660b2559b9d8278521e73d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d1da921452b3ee7e07383c12955ab1c6f3b08752",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/page_alloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.122",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.67",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.7",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc6",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.57",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: prevent pcp corruption with SMP=n\n\nThe kernel test robot has reported:\n\n BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28\n  lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0\n CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT  8cc09ef94dcec767faa911515ce9e609c45db470\n Call Trace:\n  \u003cIRQ\u003e\n  __dump_stack (lib/dump_stack.c:95)\n  dump_stack_lvl (lib/dump_stack.c:123)\n  dump_stack (lib/dump_stack.c:130)\n  spin_dump (kernel/locking/spinlock_debug.c:71)\n  do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)\n  _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)\n  __free_frozen_pages (mm/page_alloc.c:2973)\n  ___free_pages (mm/page_alloc.c:5295)\n  __free_pages (mm/page_alloc.c:5334)\n  tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)\n  ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)\n  ? rcu_core (kernel/rcu/tree.c:?)\n  rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)\n  rcu_core_si (kernel/rcu/tree.c:2879)\n  handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)\n  __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)\n  irq_exit_rcu (kernel/softirq.c:741)\n  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)\n  \u003c/IRQ\u003e\n  \u003cTASK\u003e\n RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)\n  free_pcppages_bulk (mm/page_alloc.c:1494)\n  drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)\n  __drain_all_pages (mm/page_alloc.c:2731)\n  drain_all_pages (mm/page_alloc.c:2747)\n  kcompactd (mm/compaction.c:3115)\n  kthread (kernel/kthread.c:465)\n  ? __cfi_kcompactd (mm/compaction.c:3166)\n  ? __cfi_kthread (kernel/kthread.c:412)\n  ret_from_fork (arch/x86/kernel/process.c:164)\n  ? __cfi_kthread (kernel/kthread.c:412)\n  ret_from_fork_asm (arch/x86/entry/entry_64.S:255)\n  \u003c/TASK\u003e\n\nMatthew has analyzed the report and identified that in drain_page_zone()\nwe are in a section protected by spin_lock(\u0026pcp-\u003elock) and then get an\ninterrupt that attempts spin_trylock() on the same lock.  The code is\ndesigned to work this way without disabling IRQs and occasionally fail the\ntrylock with a fallback.  However, the SMP=n spinlock implementation\nassumes spin_trylock() will always succeed, and thus it\u0027s normally a\nno-op.  Here the enabled lock debugging catches the problem, but otherwise\nit could cause a corruption of the pcp structure.\n\nThe problem has been introduced by commit 574907741599 (\"mm/page_alloc:\nleave IRQs enabled for per-cpu page allocations\").  The pcp locking scheme\nrecognizes the need for disabling IRQs to prevent nesting spin_trylock()\nsections on SMP=n, but the need to prevent the nesting in spin_lock() has\nnot been recognized.  Fix it by introducing local wrappers that change the\nspin_lock() to spin_lock_iqsave() with SMP=n and use them in all places\nthat do spin_lock(\u0026pcp-\u003elock).\n\n[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-31T11:42:04.426Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4a04ff9cd816e7346fcc8126f00ed80481f6569d"
        },
        {
          "url": "https://git.kernel.org/stable/c/df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/3098f8f7c7b0686c74827aec42a2c45e69801ff8"
        },
        {
          "url": "https://git.kernel.org/stable/c/038a102535eb49e10e93eafac54352fcc5d78847"
        }
      ],
      "title": "mm/page_alloc: prevent pcp corruption with SMP=n",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23025",
    "datePublished": "2026-01-31T11:42:04.426Z",
    "dateReserved": "2026-01-13T15:37:45.941Z",
    "dateUpdated": "2026-01-31T11:42:04.426Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23025\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-31T12:16:05.820\",\"lastModified\":\"2026-01-31T12:16:05.820\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/page_alloc: prevent pcp corruption with SMP=n\\n\\nThe kernel test robot has reported:\\n\\n BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28\\n  lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0\\n CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT  8cc09ef94dcec767faa911515ce9e609c45db470\\n Call Trace:\\n  \u003cIRQ\u003e\\n  __dump_stack (lib/dump_stack.c:95)\\n  dump_stack_lvl (lib/dump_stack.c:123)\\n  dump_stack (lib/dump_stack.c:130)\\n  spin_dump (kernel/locking/spinlock_debug.c:71)\\n  do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)\\n  _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)\\n  __free_frozen_pages (mm/page_alloc.c:2973)\\n  ___free_pages (mm/page_alloc.c:5295)\\n  __free_pages (mm/page_alloc.c:5334)\\n  tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)\\n  ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)\\n  ? rcu_core (kernel/rcu/tree.c:?)\\n  rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)\\n  rcu_core_si (kernel/rcu/tree.c:2879)\\n  handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)\\n  __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)\\n  irq_exit_rcu (kernel/softirq.c:741)\\n  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)\\n  \u003c/IRQ\u003e\\n  \u003cTASK\u003e\\n RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)\\n  free_pcppages_bulk (mm/page_alloc.c:1494)\\n  drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)\\n  __drain_all_pages (mm/page_alloc.c:2731)\\n  drain_all_pages (mm/page_alloc.c:2747)\\n  kcompactd (mm/compaction.c:3115)\\n  kthread (kernel/kthread.c:465)\\n  ? __cfi_kcompactd (mm/compaction.c:3166)\\n  ? __cfi_kthread (kernel/kthread.c:412)\\n  ret_from_fork (arch/x86/kernel/process.c:164)\\n  ? __cfi_kthread (kernel/kthread.c:412)\\n  ret_from_fork_asm (arch/x86/entry/entry_64.S:255)\\n  \u003c/TASK\u003e\\n\\nMatthew has analyzed the report and identified that in drain_page_zone()\\nwe are in a section protected by spin_lock(\u0026pcp-\u003elock) and then get an\\ninterrupt that attempts spin_trylock() on the same lock.  The code is\\ndesigned to work this way without disabling IRQs and occasionally fail the\\ntrylock with a fallback.  However, the SMP=n spinlock implementation\\nassumes spin_trylock() will always succeed, and thus it\u0027s normally a\\nno-op.  Here the enabled lock debugging catches the problem, but otherwise\\nit could cause a corruption of the pcp structure.\\n\\nThe problem has been introduced by commit 574907741599 (\\\"mm/page_alloc:\\nleave IRQs enabled for per-cpu page allocations\\\").  The pcp locking scheme\\nrecognizes the need for disabling IRQs to prevent nesting spin_trylock()\\nsections on SMP=n, but the need to prevent the nesting in spin_lock() has\\nnot been recognized.  Fix it by introducing local wrappers that change the\\nspin_lock() to spin_lock_iqsave() with SMP=n and use them in all places\\nthat do spin_lock(\u0026pcp-\u003elock).\\n\\n[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/038a102535eb49e10e93eafac54352fcc5d78847\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3098f8f7c7b0686c74827aec42a2c45e69801ff8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4a04ff9cd816e7346fcc8126f00ed80481f6569d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.