CVE-2026-46279

In the Linux kernel, the following vulnerability has been resolved:

mm/alloc tag: clear codetag for pages allocated before page ext initialization

Due to initialization ordering, page ext is allocated and initialized relatively late during boot. Some pages have already been allocated and freed before page ext becomes available, leaving their codetag uninitialized.

A clear example is in init section page ext(): alloc page ext() calls kmemleak alloc(). If the slab cache has no free objects, it falls back to the buddy allocator to allocate memory. However, at this point page ext is not yet fully initialized, so these newly allocated pages have no codetag set. These pages may later be reclaimed by KASAN, which causes the warning to trigger when they are freed because their codetag ref is still empty.

Use a global array to track pages allocated before page ext is fully initialized. The array size is fixed at 8192 entries, and will emit a warning if this limit is exceeded. When page ext initialization completes, set their codetag to empty to avoid warnings when they are freed later.

This warning is only observed with CONFIG MEM ALLOC PROFILING DEBUG=Y and mem profiling compressed disabled:

[ 9.582133] ------------[ cut here ]------------ [ 9.582137] alloc tag was not set [ 9.582139] WARNING: ./include/linux/alloc tag.h:164 at pgalloc tag sub+0x40f/0x550, CPU#5: systemd/1 [ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy) [ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 9.582194] RIP: 0010: pgalloc tag sub+0x40f/0x550 [ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 <67> 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7 [ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246 [ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c [ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460 [ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324 [ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00 [ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360 [ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000 [ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0 [ 9.582211] PKRU: 55555554 [ 9.582212] Call Trace: [ 9.582213] [ 9.582214] ? pfx pgalloc tag sub+0x10/0x10 [ 9.582216] ? check bytes and report+0x68/0x140 [ 9.582219] free frozen pages+0x2e4/0x1150 [ 9.582221] ? free slab+0xc2/0x2b0 [ 9.582224] qlist free all+0x4c/0xf0 [ 9.582227] kasan quarantine reduce+0x15d/0x180 [ 9.582229] kasan slab alloc+0x69/0x90 [ 9.582232] kmem cache alloc noprof+0x14a/0x500 [ 9.582234] do getname+0x96/0x310 [ 9.582237] do readlinkat+0x91/0x2f0 [ 9.582239] ? pfx do readlinkat+0x10/0x10 [ 9.582240] ? get random bytes user+0x1df/0x2c0 [ 9.582244] x64 sys readlinkat+0x96/0x100 [ 9.582246] do syscall 64+0xce/0x650 [ 9.582250] ? x64 sys getrandom+0x13a/0x1e0 [ 9.582252] ? pfx x64 sys getrandom+0x10/0x10 [ 9.582254] ? do syscall 64+0x114/0x650 [ 9.582255] ? ksys read+0xfc/0x1d0 [ 9.582258] ? pfx ksys read+0x10/0x10 [ 9.582260] ? do syscall 64+0x114/0x650 [ 9.582262] ? do syscall 64+0x114/0x650 [ 9.582264] ? pfx fput close sync+0x10/0x10 [ 9.582266] ? file close fd locked+0x178/0x2a0 [ 9.582268] ? x64 sys faccessat2+0x96/0x100 [ 9.582269] ? x64 sys close+0x7d/0xd0 [ 9.582271] ? do syscall 64+0x114/0x650 [ 9.582273] ? do syscall 64+0x114/0x650 [ 9.582275] ? clear bhb loop+0x50/0xa0 [ 9.582277] ? clear bhb l ---truncated---