CVE-2026-46279

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/alloc_tag: clear codetag for pages allocated before page_ext initialization<br /> <br /> Due to initialization ordering, page_ext is allocated and initialized<br /> relatively late during boot. Some pages have already been allocated and<br /> freed before page_ext becomes available, leaving their codetag<br /> uninitialized.<br /> <br /> A clear example is in init_section_page_ext(): alloc_page_ext() calls<br /> kmemleak_alloc(). If the slab cache has no free objects, it falls back to<br /> the buddy allocator to allocate memory. However, at this point page_ext<br /> is not yet fully initialized, so these newly allocated pages have no<br /> codetag set. These pages may later be reclaimed by KASAN, which causes<br /> the warning to trigger when they are freed because their codetag ref is<br /> still empty.<br /> <br /> Use a global array to track pages allocated before page_ext is fully<br /> initialized. The array size is fixed at 8192 entries, and will emit a<br /> warning if this limit is exceeded. When page_ext initialization<br /> completes, set their codetag to empty to avoid warnings when they are<br /> freed later.<br /> <br /> This warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and<br /> mem_profiling_compressed disabled:<br /> <br /> [ 9.582133] ------------[ cut here ]------------<br /> [ 9.582137] alloc_tag was not set<br /> [ 9.582139] WARNING: ./include/linux/alloc_tag.h:164 at __pgalloc_tag_sub+0x40f/0x550, CPU#5: systemd/1<br /> [ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy)<br /> [ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> [ 9.582194] RIP: 0010:__pgalloc_tag_sub+0x40f/0x550<br /> [ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7<br /> [ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246<br /> [ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c<br /> [ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460<br /> [ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324<br /> [ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00<br /> [ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360<br /> [ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000<br /> [ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0<br /> [ 9.582211] PKRU: 55555554<br /> [ 9.582212] Call Trace:<br /> [ 9.582213] <br /> [ 9.582214] ? __pfx___pgalloc_tag_sub+0x10/0x10<br /> [ 9.582216] ? check_bytes_and_report+0x68/0x140<br /> [ 9.582219] __free_frozen_pages+0x2e4/0x1150<br /> [ 9.582221] ? __free_slab+0xc2/0x2b0<br /> [ 9.582224] qlist_free_all+0x4c/0xf0<br /> [ 9.582227] kasan_quarantine_reduce+0x15d/0x180<br /> [ 9.582229] __kasan_slab_alloc+0x69/0x90<br /> [ 9.582232] kmem_cache_alloc_noprof+0x14a/0x500<br /> [ 9.582234] do_getname+0x96/0x310<br /> [ 9.582237] do_readlinkat+0x91/0x2f0<br /> [ 9.582239] ? __pfx_do_readlinkat+0x10/0x10<br /> [ 9.582240] ? get_random_bytes_user+0x1df/0x2c0<br /> [ 9.582244] __x64_sys_readlinkat+0x96/0x100<br /> [ 9.582246] do_syscall_64+0xce/0x650<br /> [ 9.582250] ? __x64_sys_getrandom+0x13a/0x1e0<br /> [ 9.582252] ? __pfx___x64_sys_getrandom+0x10/0x10<br /> [ 9.582254] ? do_syscall_64+0x114/0x650<br /> [ 9.582255] ? ksys_read+0xfc/0x1d0<br /> [ 9.582258] ? __pfx_ksys_read+0x10/0x10<br /> [ 9.582260] ? do_syscall_64+0x114/0x650<br /> [ 9.582262] ? do_syscall_64+0x114/0x650<br /> [ 9.582264] ? __pfx_fput_close_sync+0x10/0x10<br /> [ 9.582266] ? file_close_fd_locked+0x178/0x2a0<br /> [ 9.582268] ? __x64_sys_faccessat2+0x96/0x100<br /> [ 9.582269] ? __x64_sys_close+0x7d/0xd0<br /> [ 9.582271] ? do_syscall_64+0x114/0x650<br /> [ 9.582273] ? do_syscall_64+0x114/0x650<br /> [ 9.582275] ? clear_bhb_loop+0x50/0xa0<br /> [ 9.582277] ? clear_bhb_l<br /> ---truncated---