Commit 04aa71da authored May 15, 2026 by Uladzislau Rezki (Sony) Committed by Andrew Morton May 21, 2026

mm/vmalloc: do not trigger BUG() on BH disabled context

__get_vm_area_node() currently triggers a BUG() if in_interrupt() returns
true.  However, in_interrupt() also reports true when BH are disabled.

The bridge code can call rhashtable_lookup_insert_fast() with bottom
halves disabled:

__vlan_add()
 -> br_fdb_add_local()
  spin_lock_bh(&br->hash_lock); <-- Disable BH
   -> fdb_add_local()
    -> fdb_create()
     -> rhashtable_lookup_insert_fast()
      -> kvmalloc()
       -> vmalloc()
        -> __get_vm_area_node()
         -> BUG_ON(in_interrupt())
  spin_unlock_bh(&br->hash_lock)

this triggers the BUG() despite the caller not being in NMI or
hard IRQ context.

Replace the in_interrupt() check with in_nmi() || in_hardirq().

Link: https://lore.kernel.org/20260515153009.2296191-1-urezki@gmail.com


Fixes: c6307674 ("mm: kvmalloc: add non-blocking support for vmalloc")
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: Ido Schimmel <idosch@nvidia.com>
Reported-by:  <syzbot+8b12fc6e0fb139765b58@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/all/69ff8c7c.050a0220.1036b8.000b.GAE@google.com/


Reviewed-by: Baoquan He <baoquan.he@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

parent f0af98ff

mm/vmalloc.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -3203,7 +3203,7 @@ struct vm_struct *__get_vm_area_node(unsigned long size,
		struct vm_struct *area;
		unsigned long requested_size = size;

		BUG_ON(in_interrupt());
		BUG_ON(in_nmi() \|\| in_hardirq());
		size = ALIGN(size, 1ul << shift);
		if (unlikely(!size))
		return NULL;