In the Linux kernel, the following vulnerability has been resolved:

mm: krealloc: Fix MTE false alarm in _dokrealloc

This patch addresses an issue introduced by commit 1a83a716ec233 ("mm: krealloc: consider spare memory for _GFPZERO") which causes MTE (Memory Tagging Extension) to falsely report a slab-out-of-bounds error.

The problem occurs when zeroing out spare memory in _dokrealloc. The original code only considered software-based KASAN and did not account for MTE. It does not reset the KASAN tag before calling memset, leading to a mismatch between the pointer tag and the memory tag, resulting in a false positive.

Example of the error:

swapper/0: BUG: KASAN: slab-out-of-bounds in _memset+0x84/0x188 swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1 swapper/0: Pointer tag: [f4], memory tag: [fe] swapper/0: swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12. swapper/0: Hardware name: MT6991(ENG) (DT) swapper/0: Call trace: swapper/0: dumpbacktrace+0xfc/0x17c swapper/0: showstack+0x18/0x28 swapper/0: dumpstacklvl+0x40/0xa0 swapper/0: printreport+0x1b8/0x71c swapper/0: kasanreport+0xec/0x14c swapper/0: _dokernelfault+0x60/0x29c swapper/0: dobadarea+0x30/0xdc swapper/0: dotagcheckfault+0x20/0x34 swapper/0: domemabort+0x58/0x104 swapper/0: el1abort+0x3c/0x5c swapper/0: el1h64synchandler+0x80/0xcc swapper/0: el1h64sync+0x68/0x6c swapper/0: _memset+0x84/0x188 swapper/0: btfpopulatekfuncset+0x280/0x3d8 swapper/0: _registerbtfkfuncidset+0x43c/0x468 swapper/0: registerbtfkfuncidset+0x48/0x60 swapper/0: registernfnatbpf+0x1c/0x40 swapper/0: nfnatinit+0xc0/0x128 swapper/0: dooneinitcall+0x184/0x464 swapper/0: doinitcalllevel+0xdc/0x1b0 swapper/0: doinitcalls+0x70/0xc0 swapper/0: dobasicsetup+0x1c/0x28 swapper/0: kernelinitfreeable+0x144/0x1b8 swapper/0: kernel_init+0x20/0x1a8

swapper/0: retfromfork+0x10/0x20