git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Hao Ge <gehao@kylinos.cn>
	Thu, 23 Oct 2025 14:33:13 +0000 (22:33 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 29 Oct 2025 13:10:22 +0000 (14:10 +0100)
commit	1bbdfd647627cdab5d618995d083da5dc79973e2
tree	5a5d7750c70606145ecce4579132708824083f7b	tree \| snapshot
parent	7c34feda6a9a203c9744281f1b6671b7dad2012d	commit \| diff

slab: Fix obj_ext mistakenly considered NULL due to race condition

commit 7f434e1d9a17ca5f567c9796c9c105a65c18db9a upstream.

If two competing threads enter alloc_slab_obj_exts(), and the one that
allocates the vector wins the cmpxchg(), the other thread that failed
allocation mistakenly assumes that slab->obj_exts is still empty due to
its own allocation failure. This will then trigger warnings with
CONFIG_MEM_ALLOC_PROFILING_DEBUG checks in the subsequent free path.

Therefore, let's check the result of cmpxchg() to see if marking the
allocation as failed was successful. If it wasn't, check whether the
winning side has succeeded its allocation (it might have been also
marking it as failed) and if yes, return success.

Suggested-by: Harry Yoo <harry.yoo@oracle.com>
Fixes: f7381b911640 ("slab: mark slab->obj_exts allocation failures unconditionally")
Cc: <stable@vger.kernel.org>
Signed-off-by: Hao Ge <gehao@kylinos.cn>
Link: https://patch.msgid.link/20251023143313.1327968-1-hao.ge@linux.dev
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>