CVE-2025-37774

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37774
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37774.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-37774
Published
2025-05-01T14:15:40Z
Modified
2025-05-05T17:54:09.543444Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

slab: ensure slab->obj_exts is clear in a newly allocated slab page

ktest recently reported crashes while running several buffered io tests with __alloc_tagging_slab_alloc_hook() at the top of the crash call stack. The signature indicates an invalid address dereference with low bits of slab->obj_exts being set. The bits were outside of the range used by page_memcg_data_flags and objext_flags and hence were not masked out by slab_obj_exts() when obtaining the pointer stored in slab->obj_exts. The typical crash log looks like this:

00510 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
00510 Mem abort info:
00510   ESR = 0x0000000096000045
00510   EC = 0x25: DABT (current EL), IL = 32 bits
00510   SET = 0, FnV = 0
00510   EA = 0, S1PTW = 0
00510   FSC = 0x05: level 1 translation fault
00510 Data abort info:
00510   ISV = 0, ISS = 0x00000045, ISS2 = 0x00000000
00510   CM = 0, WnR = 1, TnD = 0, TagAccess = 0
00510   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
00510 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000104175000
00510 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
00510 Internal error: Oops: 0000000096000045 [#1] SMP
00510 Modules linked in:
00510 CPU: 10 UID: 0 PID: 7692 Comm: cat Not tainted 6.15.0-rc1-ktest-g189e17946605 #19327 NONE
00510 Hardware name: linux,dummy-virt (DT)
00510 pstate: 20001005 (nzCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)
00510 pc : __alloc_tagging_slab_alloc_hook+0xe0/0x190
00510 lr : __kmalloc_noprof+0x150/0x310
00510 sp : ffffff80c87df6c0
00510 x29: ffffff80c87df6c0 x28: 000000000013d1ff x27: 000000000013d200
00510 x26: ffffff80c87df9e0 x25: 0000000000000000 x24: 0000000000000001
00510 x23: ffffffc08041953c x22: 000000000000004c x21: ffffff80c0002180
00510 x20: fffffffec3120840 x19: ffffff80c4821000 x18: 0000000000000000
00510 x17: fffffffec3d02f00 x16: fffffffec3d02e00 x15: fffffffec3d00700
00510 x14: fffffffec3d00600 x13: 0000000000000200 x12: 0000000000000006
00510 x11: ffffffc080bb86c0 x10: 0000000000000000 x9 : ffffffc080201e58
00510 x8 : ffffff80c4821060 x7 : 0000000000000000 x6 : 0000000055555556
00510 x5 : 0000000000000001 x4 : 0000000000000010 x3 : 0000000000000060
00510 x2 : 0000000000000000 x1 : ffffffc080f50cf8 x0 : ffffff80d801d000
00510 Call trace:
00510   __alloc_tagging_slab_alloc_hook+0xe0/0x190 (P)
00510   __kmalloc_noprof+0x150/0x310
00510   __bch2_folio_create+0x5c/0xf8
00510   bch2_folio_create+0x2c/0x40
00510   bch2_readahead+0xc0/0x460
00510   read_pages+0x7c/0x230
00510   page_cache_ra_order+0x244/0x3a8
00510   page_cache_async_ra+0x124/0x170
00510   filemap_readahead.isra.0+0x58/0xa0
00510   filemap_get_pages+0x454/0x7b0
00510   filemap_read+0xdc/0x418
00510   bch2_read_iter+0x100/0x1b0
00510   vfs_read+0x214/0x300
00510   ksys_read+0x6c/0x108
00510   __arm64_sys_read+0x20/0x30
00510   invoke_syscall.constprop.0+0x54/0xe8
00510   do_el0_svc+0x44/0xc8
00510   el0_svc+0x18/0x58
00510   el0t_64_sync_handler+0x104/0x130
00510   el0t_64_sync+0x154/0x158
00510 Code: d5384100 f9401c01 b9401aa3 b40002e1 (f8227881)
00510 ---[ end trace 0000000000000000 ]---
00510 Kernel panic - not syncing: Oops: Fatal exception
00510 SMP: stopping secondary CPUs
00510 Kernel Offset: disabled
00510 CPU features: 0x0000,000000e0,00000410,8240500b
00510 Memory Limit: none

Investigation indicates that these bits are already set when we allocate a slab page and are not zeroed out after allocation. We are not yet sure why these crashes started happening only recently but regardless of the reason, not initializing a field that gets used later is wrong. Fix it by initializing slab->obj_exts during slab page allocation.
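
A simplified user-space model of the failure mode described above, added here as an illustration and not taken from the kernel or from the fix: a field that packs a pointer with low flag bits is read through an accessor that masks only the known flags, so stale bits outside that mask survive as a bogus pointer unless the field is cleared at allocation. The `toy_*` names, the mask value and the stale values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model. The toy_* names, the mask value and the
 * stale values are assumptions for illustration, not kernel definitions. */
#define TOY_FLAGS_MASK ((uintptr_t)0x7) /* low bits the accessor treats as flags */

struct toy_slab {
    uintptr_t obj_exts; /* pointer to the extension vector, OR-ed with flag bits */
};

/* Models the accessor: strips only the bits it knows are flags. */
static uintptr_t toy_slab_obj_exts(const struct toy_slab *s)
{
    return s->obj_exts & ~TOY_FLAGS_MASK;
}

/* Models slab page allocation on memory holding leftover contents.
 * clear_obj_exts = 0 is the behaviour before the fix, 1 is after. */
static void toy_alloc_slab(struct toy_slab *s, uintptr_t stale, int clear_obj_exts)
{
    s->obj_exts = stale; /* leftover bits from the page's previous use */
    if (clear_obj_exts)
        s->obj_exts = 0; /* the fix: initialise the field at allocation */
}

/* Returns the value an allocation hook would use as a pointer.
 * Non-zero here, with no vector ever attached, means a wild dereference. */
static uintptr_t toy_hook_pointer(uintptr_t stale, int clear_obj_exts)
{
    struct toy_slab s;
    toy_alloc_slab(&s, stale, clear_obj_exts);
    return toy_slab_obj_exts(&s);
}

int main(void)
{
    /* Constructed stale values: 0x5 lies inside the mask, 0x28 outside it. */
    printf("stale 0x05, no init: %#lx\n", (unsigned long)toy_hook_pointer(0x5, 0));
    printf("stale 0x28, no init: %#lx\n", (unsigned long)toy_hook_pointer(0x28, 0));
    printf("stale 0x28, init:    %#lx\n", (unsigned long)toy_hook_pointer(0x28, 1));
    return 0;
}
```

Only the uninitialised case with bits outside the mask yields a non-zero value, which is why masking alone does not protect a consumer of the field.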

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.12.25-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.1.128-1
6.1.129-1
6.1.133-1
6.1.135-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.10.11-1~bpo12+1
6.10.11-1
6.10.12-1
6.11~rc4-1~exp1
6.11~rc5-1~exp1
6.11-1~exp1
6.11.2-1
6.11.4-1
6.11.5-1~bpo12+1
6.11.5-1
6.11.6-1
6.11.7-1
6.11.9-1
6.11.10-1~bpo12+1
6.11.10-1
6.12~rc6-1~exp1
6.12.3-1
6.12.5-1
6.12.6-1
6.12.8-1
6.12.9-1~bpo12+1
6.12.9-1
6.12.9-1+alpha
6.12.10-1
6.12.11-1
6.12.11-1+alpha
6.12.11-1+alpha.1
6.12.12-1~bpo12+1
6.12.12-1
6.12.13-1
6.12.15-1
6.12.16-1
6.12.17-1
6.12.19-1
6.12.20-1
6.12.21-1
6.12.22-1~bpo12+1
6.12.22-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}