DEBIAN-CVE-2026-23025

In the Linux kernel, the following vulnerability has been resolved:  mm/pagealloc: prevent pcp corruption with SMP=n  The kernel test robot has reported:   BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28   lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .ownercpu: 0  CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT  8cc09ef94dcec767faa911515ce9e609c45db470  Call Trace:   <IRQ>   dumpstack (lib/dumpstack.c:95)   dumpstacklvl (lib/dumpstack.c:123)   dumpstack (lib/dumpstack.c:130)   spindump (kernel/locking/spinlockdebug.c:71)   dorawspintrylock (kernel/locking/spinlockdebug.c:?)   rawspintrylock (include/linux/spinlockapismp.h:89 kernel/locking/spinlock.c:138)   freefrozenpages (mm/pagealloc.c:2973)   freepages (mm/pagealloc.c:5295)   freepages (mm/pagealloc.c:5334)   tlbremovetablercu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmugather.c:227 mm/mmugather.c:290)   ? cfitlbremovetablercu (mm/mmugather.c:289)   ? rcucore (kernel/rcu/tree.c:?)   rcucore (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)   rcucoresi (kernel/rcu/tree.c:2879)   handlesoftirqs (arch/x86/include/asm/jumplabel.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)   irqexitrcu (arch/x86/include/asm/jumplabel.h:36 kernel/softirq.c:725)   irqexitrcu (kernel/softirq.c:741)   sysvecapictimerinterrupt (arch/x86/kernel/apic/apic.c:1052)   </IRQ>   <TASK>  RIP: 0010:rawspinunlockirqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlockapismp.h:152 kernel/locking/spinlock.c:194)   freepcppagesbulk (mm/pagealloc.c:1494)   drainpageszone (include/linux/spinlock.h:391 mm/pagealloc.c:2632)   drainallpages (mm/pagealloc.c:2731)   drainallpages (mm/pagealloc.c:2747)   kcompactd (mm/compaction.c:3115)   kthread (kernel/kthread.c:465)   ? cfikcompactd (mm/compaction.c:3166)   ? cfikthread (kernel/kthread.c:412)   retfromfork (arch/x86/kernel/process.c:164)   ? _cfikthread (kernel/kthread.c:412)   retfromforkasm (arch/x86/entry/entry64.S:255)   </TASK>  Matthew has analyzed the report and identified that in drainpagezone() we are in a section protected by spinlock(&pcp->lock) and then get an interrupt that attempts spintrylock() on the same lock.  The code is designed to work this way without disabling IRQs and occasionally fail the trylock with a fallback.  However, the SMP=n spinlock implementation assumes spintrylock() will always succeed, and thus it's normally a no-op.  Here the enabled lock debugging catches the problem, but otherwise it could cause a corruption of the pcp structure.  The problem has been introduced by commit 574907741599 ("mm/pagealloc: leave IRQs enabled for per-cpu page allocations").  The pcp locking scheme recognizes the need for disabling IRQs to prevent nesting spintrylock() sections on SMP=n, but the need to prevent the nesting in spinlock() has not been recognized.  Fix it by introducing local wrappers that change the spinlock() to spinlockiqsave() with SMP=n and use them in all places that do spinlock(&pcp->lock).  [vbabka@suse.cz: add pcp prefix to the spinlock_irqsave wrappers, per Steven]