CVE-2026-53162

In the Linux kernel, the following vulnerability has been resolved:

memcg: use round-robin victim selection in refill stock

Harry Yoo reported that get random u32 below() is not safe to call in the nmi context and memcg charge draining can happen in nmi context.

More specifically get random u32 below() is neither reentrant- nor NMI-safe: it acquires a per-cpu local lock via local lock irqsave() on the batched entropy u32 state. An NMI that lands on a CPU mid-update of the ChaCha batch state and recurses into the random subsystem would corrupt that state. The memcg stock local trylock prevents re-entry on the percpu stock itself, but cannot protect an unrelated subsystem's per-cpu lock.

Replace the random pick with a per-cpu round-robin counter stored in memcg stock pcp and serialized by the same local trylock that already guards cached[] and nr pages[]. No atomics, no random calls, no extra locks needed.