CVE-2025-38517

In the Linux kernel, the following vulnerability has been resolved:

lib/alloctag: do not acquire non-existent lock in alloctagtopusers()

alloctagtopusers() attempts to lock alloctagcttype->modlock even when the alloctagcttype is not allocated because:

1) alloc tagging is disabled because mem profiling is disabled (!alloctagcttype) 2) alloc tagging is enabled, but not yet initialized (!alloctagcttype) 3) alloc tagging is enabled, but failed initialization (!alloctagcttype or ISERR(alloctag_cttype))

In all cases, alloctagcttype is not allocated, and therefore alloctagtop_users() should not attempt to acquire the semaphore.

This leads to a crash on memory allocation failure by attempting to acquire a non-existent semaphore:

Oops: general protection fault, probably for non-canonical address 0xdffffc000000001b: 0000 [#3] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000000d8-0x00000000000000df] CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G D 6.16.0-rc2 #1 VOLUNTARY Tainted: [D]=DIE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:downreadtrylock+0xaa/0x3b0 Code: d0 7c 08 84 d2 0f 85 a0 02 00 00 8b 0d df 31 dd 04 85 c9 75 29 48 b8 00 00 00 00 00 fc ff df 48 8d 6b 68 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 88 02 00 00 48 3b 5b 68 0f 85 53 01 00 00 65 ff RSP: 0000:ffff8881002ce9b8 EFLAGS: 00010016 RAX: dffffc0000000000 RBX: 0000000000000070 RCX: 0000000000000000 RDX: 000000000000001b RSI: 000000000000000a RDI: 0000000000000070 RBP: 00000000000000d8 R08: 0000000000000001 R09: ffffed107dde49d1 R10: ffff8883eef24e8b R11: ffff8881002cec20 R12: 1ffff11020059d37 R13: 00000000003fff7b R14: ffff8881002cec20 R15: dffffc0000000000 FS: 00007f963f21d940(0000) GS:ffff888458ca6000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f963f5edf71 CR3: 000000010672c000 CR4: 0000000000350ef0 Call Trace: <TASK> codetagtrylockmodulelist+0xd/0x20 alloctagtopusers+0x369/0x4b0 showmem+0x1cd/0x6e0 warnalloc+0x2b1/0x390 _allocfrozenpagesnoprof+0x12b9/0x21a0 allocpagesmpol+0x135/0x3e0 allocslabpage+0x82/0xe0 newslab+0x212/0x240 _slaballoc+0x82a/0xe00 </TASK>

As David Wang points out, this issue became easier to trigger after commit 780138b12381 ("alloctag: check memprofilingsupport in alloctag_init").

Before the commit, the issue occurred only when it failed to allocate and initialize alloctagcttype or if a memory allocation fails before alloctaginit() is called. After the commit, it can be easily triggered when memory profiling is compiled but disabled at boot.

To properly determine whether alloctaginit() has been called and its data structures initialized, verify that alloctagcttype is a valid pointer before acquiring the semaphore. If the variable is NULL or an error value, it has not been properly initialized. In such a case, just skip and do not attempt to acquire the semaphore.

[harry.yoo@oracle.com: v3]