In the Linux kernel, the following vulnerability has been resolved:
codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext
When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty. As a result, all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.
Later on, if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY. When slabB gets freed, free_slab_obj_exts() is called to free the slabB->obj_exts vector.
free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts), which generates a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.
Modify mark_objexts_empty() to skip the warning and the setting of the obj_ext value if it is already set to CODETAG_EMPTY.
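The sequence above, replayed in a small constructed model of the obj_exts bookkeeping (added here for illustration; this is not the kernel's code, and the slab layout, the `fixed` switch and the warning counter are assumptions of the model). Running it with the original WARN_ON behaviour raises one warning; with the skip check from the fix it raises none.

```c
/* Constructed model of slub's per-object extension vectors (slabobj_ext).
 * In the kernel, mark_objexts_empty() derives the owning slab and the object
 * index via virt_to_slab()/obj_to_index(); here they are passed explicitly. */
#include <stddef.h>
#include <stdbool.h>

#define CODETAG_EMPTY ((void *)1)   /* same sentinel value the kernel uses */
#define OBJS_PER_SLAB 4

struct slabobj_ext { struct { void *ct; } ref; };

struct slab {
    struct slabobj_ext *obj_exts;                  /* NULL until a vector is attached */
    struct slabobj_ext ext_storage[OBJS_PER_SLAB]; /* backing store for this model */
};

static int warnings;   /* counts WARN_ON() hits, the symptom described above */

/* handle_failed_objexts_alloc(): every object in the slab becomes CODETAG_EMPTY */
static void handle_failed_objexts_alloc(struct slab *s)
{
    for (int i = 0; i < OBJS_PER_SLAB; i++)
        s->ext_storage[i].ref.ct = CODETAG_EMPTY;
    s->obj_exts = s->ext_storage;
}

/* mark_objexts_empty(): the vector being freed lives in object `offs` of
 * `owner`; flag that object's extension as empty. `fixed` selects the patched
 * behaviour (skip when already CODETAG_EMPTY) versus the original WARN_ON. */
static void mark_objexts_empty(struct slab *owner, unsigned offs, bool fixed)
{
    struct slabobj_ext *slab_exts = owner->obj_exts;
    if (!slab_exts)
        return;
    if (fixed && slab_exts[offs].ref.ct == CODETAG_EMPTY)
        return;                 /* already empty: nothing to warn about or set */
    if (slab_exts[offs].ref.ct)
        warnings++;             /* WARN_ON(slab_exts[offs].ref.ct) */
    slab_exts[offs].ref.ct = CODETAG_EMPTY;
}

/* slabA suffered a failed obj_exts allocation, slabB's vector was then carved
 * out of slabA's object `offs`, and slabB is now freed. Returns warning count. */
int replay_scenario(bool fixed)
{
    struct slab slabA = {0};
    unsigned offs = 2;                         /* assumed: slabB's vector sits in object 2 */
    warnings = 0;
    handle_failed_objexts_alloc(&slabA);       /* all of slabA is now CODETAG_EMPTY */
    mark_objexts_empty(&slabA, offs, fixed);   /* free_slab_obj_exts(slabB) reaches here */
    return warnings;
}
```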
To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);
We then obtained this message:
[21630.898561] ------------[ cut here ]------------
[21630.898596] kernel BUG at mm/slub.c:2050!
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject]
[21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G W 6.18.0-rc1+ #74 PREEMPT(voluntary)
[21630.910495] Tainted: [W]=WARN
[21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
[21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[21630.912392] pc : __free_slab+0x228/0x250
[21630.912868] lr : __free_slab+0x18c/0x250
[21630.913334] sp : ffff8000a02f73e0
[21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40
[21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40
[21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40
[21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000
[21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc
[21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000
[21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007
[21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001
[21630.921810] Call trace:
[21630.922130] __free_slab+0x228/0x250 (P)
[21630.922669] free_slab+0x38/0x118
[21630.923079] free_to_partial_list+0x1d4/0x340
[21630.923591] __slab_free+0x24c/0x348
[21630.924024] ___cache_free+0xf0/0x110
[21630.924468] qlist_free_all+0x78/0x130
[21630.924922] kasan_quarantine_reduce+0x11 ---truncated---
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68199.json"
}