In the Linux kernel, the following vulnerability has been resolved:
codetag: debug: mark codetags for poisoned page as empty
When PGhwpoison pages are freed they are treated differently in freepages_prepare() and instead of being released they are isolated.
Page allocation tag counters are decremented at this point since the page is considered not in use. Later on when such pages are released by unpoison_memory(), the allocation tag counters will be decremented again and the following warning gets reported:
[ 113.930443][ T3282] ------------[ cut here ]------------ [ 113.931105][ T3282] alloctag was not set [ 113.931576][ T3282] WARNING: CPU: 2 PID: 3282 at ./include/linux/alloctag.h:130 pgalloctagsub.part.66+0x154/0x164 [ 113.932866][ T3282] Modules linked in: hwpoisoninject fuse ip6trpfilter ip6tREJECT nfrejectipv6 iptREJECT nfrejectipv4 xtconntrack ebtablenat ebtablebroute ip6tablenat ip6tableman4 [ 113.941638][ T3282] CPU: 2 UID: 0 PID: 3282 Comm: madvise11 Kdump: loaded Tainted: G W 6.11.0-rc4-dirty #18 [ 113.943003][ T3282] Tainted: [W]=WARN [ 113.943453][ T3282] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [ 113.944378][ T3282] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 113.945319][ T3282] pc : pgalloctagsub.part.66+0x154/0x164 [ 113.946016][ T3282] lr : pgalloctagsub.part.66+0x154/0x164 [ 113.946706][ T3282] sp : ffff800087093a10 [ 113.947197][ T3282] x29: ffff800087093a10 x28: ffff0000d7a9d400 x27: ffff80008249f0a0 [ 113.948165][ T3282] x26: 0000000000000000 x25: ffff80008249f2b0 x24: 0000000000000000 [ 113.949134][ T3282] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000000 [ 113.950597][ T3282] x20: ffff0000c08fcad8 x19: ffff80008251e000 x18: ffffffffffffffff [ 113.952207][ T3282] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800081746210 [ 113.953161][ T3282] x14: 0000000000000000 x13: 205d323832335420 x12: 5b5d353031313339 [ 113.954120][ T3282] x11: ffff800087093500 x10: 000000000000005d x9 : 00000000ffffffd0 [ 113.955078][ T3282] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008236ba90 x6 : c0000000ffff7fff [ 113.956036][ T3282] x5 : ffff000b34bf4dc8 x4 : ffff8000820aba90 x3 : 0000000000000001 [ 113.956994][ T3282] x2 : ffff800ab320f000 x1 : 841d1e35ac932e00 x0 : 0000000000000000 [ 113.957962][ T3282] Call trace: [ 113.958350][ T3282] pgalloctagsub.part.66+0x154/0x164 [ 113.959000][ T3282] pgalloctagsub+0x14/0x1c [ 113.959539][ T3282] freeunrefpage+0xf4/0x4b8 [ 113.960096][ T3282] _folioput+0xd4/0x120 [ 113.960614][ T3282] folioput+0x24/0x50 [ 113.961103][ T3282] unpoisonmemory+0x4f0/0x5b0 [ 113.961678][ T3282] hwpoisonunpoison+0x30/0x48 [hwpoisoninject] [ 113.962436][ T3282] simpleattrwritexsigned.isra.34+0xec/0x1cc [ 113.963183][ T3282] simpleattrwrite+0x38/0x48 [ 113.963750][ T3282] debugfsattrwrite+0x54/0x80 [ 113.964330][ T3282] fullproxywrite+0x68/0x98 [ 113.964880][ T3282] vfswrite+0xdc/0x4d0 [ 113.965372][ T3282] ksyswrite+0x78/0x100 [ 113.965875][ T3282] _arm64syswrite+0x24/0x30 [ 113.966440][ T3282] invokesyscall+0x7c/0x104 [ 113.966984][ T3282] el0svccommon.constprop.1+0x88/0x104 [ 113.967652][ T3282] doel0svc+0x2c/0x38 [ 113.968893][ T3282] el0svc+0x3c/0x1b8 [ 113.969379][ T3282] el0t64synchandler+0x98/0xbc [ 113.969980][ T3282] el0t64sync+0x19c/0x1a0 [ 113.970511][ T3282] ---[ end trace 0000000000000000 ]---
To fix this, clear the page tag reference after the page got isolated and accounted for.