PT-2026-26047 · Linux · Linux

Published 2026-03-18 · Updated 2026-03-18 · CVE-2026-23244

Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
nvme: fix memory allocation in nvme_pr_read_keys()
nvme_pr_read_keys() takes num_keys from userspace and uses it to calculate the allocation size for rse via struct_size(). The upper limit is PR_KEYS_MAX (64K).
A malicious or buggy userspace can pass a large num_keys value that results in a 4MB allocation attempt at most, causing a warning in the page allocator when the order exceeds MAX_PAGE_ORDER.
To fix this, use kvzalloc() instead of kzalloc().
This bug has the same reasoning and fix as the patch below: https://lore.kernel.org/linux-block/20251212013510.3576091-1-kartikey406@gmail.com/
Warning log: WARNING: mm/page_alloc.c:5216 at __alloc_frozen_pages_noprof+0x5aa/0x2300 mm/page_alloc.c:5216, CPU#1: syz-executor117/272
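The allocation-size reasoning in the commit message, as an added user-space model that is not from the kernel patch or this advisory: it computes the struct_size()-style request for a given num_keys, derives the page order kzalloc() would need, and shows why the PR_KEYS_MAX case exceeds MAX_PAGE_ORDER while the kvzalloc() fallback serves it. Assumed values (not stated on the page): PAGE_SIZE 4096, MAX_PAGE_ORDER 10, and a 64-byte header with 64-byte per-key entries for rse.

```c
/* Added example, not from the kernel patch or this advisory: a user-space model of
 * why a struct_size()-sized kzalloc() for the maximum key count trips the page
 * allocator, and why kvzalloc() does not. Assumed constants: PAGE_SIZE 4096,
 * MAX_PAGE_ORDER 10, a 64-byte rse header and 64-byte per-key entries. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define PAGE_SIZE        4096u
#define MAX_PAGE_ORDER   10          /* largest contiguous block: 1024 pages = 4 MiB */
#define PR_KEYS_MAX      65536u      /* upper limit applied to num_keys (64K) */
#define RSE_HDR_BYTES    64u         /* assumed size of the fixed header of rse */
#define RSE_KEY_BYTES    64u         /* assumed size of one registered-controller entry */

enum backing { BACKING_KMALLOC, BACKING_VMALLOC, BACKING_WARN_FAIL };

/* Header + num_keys * entry, saturating to SIZE_MAX on overflow like struct_size(). */
size_t rse_struct_size(uint32_t num_keys) {
    size_t keys = (size_t)num_keys * RSE_KEY_BYTES;
    if (keys / RSE_KEY_BYTES != num_keys) return SIZE_MAX;
    return RSE_HDR_BYTES + keys;
}

/* Buddy-allocator order needed for a physically contiguous block of `bytes`. */
int page_order_for(size_t bytes) {
    size_t pages = (bytes + PAGE_SIZE - 1) / PAGE_SIZE;
    int order = 0;
    while (((size_t)1 << order) < pages) order++;
    return order;
}

/* kzalloc(): contiguous pages only; an order above MAX_PAGE_ORDER warns and fails. */
enum backing kzalloc_model(size_t bytes) {
    return page_order_for(bytes) > MAX_PAGE_ORDER ? BACKING_WARN_FAIL : BACKING_KMALLOC;
}

/* kvzalloc(): tries kmalloc without warning, then falls back to vmalloc. */
enum backing kvzalloc_model(size_t bytes) {
    return page_order_for(bytes) > MAX_PAGE_ORDER ? BACKING_VMALLOC : BACKING_KMALLOC;
}

int main(void) {
    const uint32_t counts[] = { 1, 1024, PR_KEYS_MAX };   /* constructed sample inputs */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t sz = rse_struct_size(counts[i]);
        printf("num_keys=%-5u size=%-7zu order=%-2d kzalloc=%d kvzalloc=%d\n",
               counts[i], sz, page_order_for(sz), kzalloc_model(sz), kvzalloc_model(sz));
    }
    return 0;
}
```

For num_keys = PR_KEYS_MAX the request is 64 + 65536 * 64 = 4194368 bytes, one page over the 4 MiB order-10 limit, so the model reports order 11 and the kzalloc() path warns while the kvzalloc() path is served by vmalloc.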

Related Identifiers: CVE-2026-23244

Affected Products: Linux