In the Linux kernel, the following vulnerability has been resolved:
mm/alloctag: clear codetag for pages allocated before pageext initialization
Due to initialization ordering, pageext is allocated and initialized relatively late during boot. Some pages have already been allocated and freed before pageext becomes available, leaving their codetag uninitialized.
A clear example is in initsectionpageext(): allocpageext() calls kmemleakalloc(). If the slab cache has no free objects, it falls back to the buddy allocator to allocate memory. However, at this point page_ext is not yet fully initialized, so these newly allocated pages have no codetag set. These pages may later be reclaimed by KASAN, which causes the warning to trigger when they are freed because their codetag ref is still empty.
Use a global array to track pages allocated before pageext is fully initialized. The array size is fixed at 8192 entries, and will emit a warning if this limit is exceeded. When pageext initialization completes, set their codetag to empty to avoid warnings when they are freed later.
This warning is only observed with CONFIGMEMALLOCPROFILINGDEBUG=Y and memprofilingcompressed disabled:
[ 9.582133] ------------[ cut here ]------------ [ 9.582137] alloctag was not set [ 9.582139] WARNING: ./include/linux/alloctag.h:164 at __pgalloctagsub+0x40f/0x550, CPU#5: systemd/1 [ 9.582190] CPU: 5 UID: 0 PID: 1 Comm: systemd Not tainted 7.0.0-rc4 #1 PREEMPT(lazy) [ 9.582192] Hardware name: Red Hat KVM, BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 9.582194] RIP: 0010:__pgalloctagpgalloctagsub+0x40f/0x550 [ 9.582196] Code: 00 00 4c 29 e5 48 8b 05 1f 88 56 05 48 8d 4c ad 00 48 8d 2c c8 e9 87 fd ff ff 0f 0b 0f 0b e9 f3 fe ff ff 48 8d 3d 61 2f ed 03 <67> 48 0f b9 3a e9 b3 fd ff ff 0f 0b eb e4 e8 5e cd 14 02 4c 89 c7 [ 9.582197] RSP: 0018:ffffc9000001f940 EFLAGS: 00010246 [ 9.582200] RAX: dffffc0000000000 RBX: 1ffff92000003f2b RCX: 1ffff110200d806c [ 9.582201] RDX: ffff8881006c0360 RSI: 0000000000000004 RDI: ffffffff9bc7b460 [ 9.582202] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff3a62324 [ 9.582203] R10: ffffffff9d311923 R11: 0000000000000000 R12: ffffea0004001b00 [ 9.582204] R13: 0000000000002000 R14: ffffea0000000000 R15: ffff8881006c0360 [ 9.582206] FS: 00007ffbbcf2d940(0000) GS:ffff888450479000(0000) knlGS:0000000000000000 [ 9.582208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9.582210] CR2: 000055ee3aa260d0 CR3: 0000000148b67005 CR4: 0000000000770ef0 [ 9.582211] PKRU: 55555554 [ 9.582212] Call Trace: [ 9.582213] <TASK> [ 9.582214] ? pfxgalloc_tagsub+0x10/0x10 [ 9.582216] ? checkbytesandreport+0x68/0x140 [ 9.582219] __freefrozenpages+0x2e4/0x1150 [ 9.582221] ? __freeslab+0xc2/0x2b0 [ 9.582224] qlistfreeall+0x4c/0xf0 [ 9.582227] kasanquarantine_reduce+0x15d/0x180 [ 9.582229] __kasanslaballoc+0x69/0x90 [ 9.582232] kmemcacheallocnoprof+0x14a/0x500 [ 9.582234] dogetname+0x96/0x310 [ 9.582237] do_readlinkat+0x91/0x2f0 [ 9.582239] ? __pfxdoreadlinkat+0x10/0x10 [ 9.582240] ? getrandombytes_user+0x1df/0x2c0 [ 9.582244] __x64sysreadlinkat+0x96/0x100 [ 9.582246] dosyscall64+0xce/0x650 [ 9.582250] ? __x64sysx64sysgetrandom+0x13a/0x1e0 [ 9.582252] ? pfx64sysgetrandom+0x10/0x10 [ 9.582254] ? dosyscall64+0x114/0x650 [ 9.582255] ? ksys_read+0xfc/0x1d0 [ 9.582258] ? __pfxksysread+0x10/0x10 [ 9.582260] ? dosyscall64+0x114/0x650 [ 9.582262] ? dosyscall64+0x114/0x650 [ 9.582264] ? __pfxfputclosesync+0x10/0x10 [ 9.582266] ? fileclosefdlocked+0x178/0x2a0 [ 9.582268] ? __x64sysfaccessat2+0x96/0x100 [ 9.582269] ? __x64sysclose+0x7d/0xd0 [ 9.582271] ? dosyscall64+0x114/0x650 [ 9.582273] ? dosyscall64+0x114/0x650 [ 9.582275] ? clearbhbloop+0x50/0xa0 [ 9.582277] ? clearbhbl ---truncated---
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46279.json",
"cna_assigner": "Linux"
}