commit 67c31476ccaf040fbe990bef02dd544296d43706
Author: Mike Kelly <mike@weatherwax.co.uk>
Date:   Sat Feb 28 20:54:15 2026 +0000

    Page allocation from a CPU pool does not consider vm_page_alloc_paused.
    
    A non-empty CPU page pool always allocates pages even when
    vm_page_alloc_paused is set. An unprivileged thread can therefore
    acquire a signicant number of pages until the pool is empty. The cycle
    can continue for a longer period if the pool is replenished by a VM
    privileged thread before the unprivileged thread requests more pages
    and in extreme cases can result in complete system memory exhaustion.
    Message-ID: <20260228205443.67047-2-mike@weatherwax.co.uk>

diff --git a/vm/vm_page.c b/vm/vm_page.c
index 47eeb042..5cdf0c7b 100644
--- a/vm/vm_page.c
+++ b/vm/vm_page.c
@@ -687,6 +687,11 @@ vm_page_seg_alloc(struct vm_page_seg *seg, unsigned int order,
     assert(order < VM_PAGE_NR_FREE_LISTS);
 
     if (order == 0) {
+
+        if (vm_page_alloc_paused && current_thread()
+	    && !current_thread()->vm_privilege)
+	  return NULL;
+
         thread_pin();
         cpu_pool = vm_page_cpu_pool_get(seg);
         simple_lock(&cpu_pool->lock);
