CVE-2026-43292

Summary

In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node

When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwinding that acquires RCU read locks. Processing a large purge_list without rescheduling can cause the task to hold CPU for extended periods (10+ seconds), leading to RCU stalls and potential OOM conditions.

The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node() where iterating through hundreds or thousands of vmap_area entries and freeing their associated shadow pages causes:

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l … task:kworker/0:17 state:R running task stack:28840 pid:6229 … kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299 purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299

Each call to kasan_release_vmalloc() can free many pages, and with page_owner tracking, each free triggers save_stack() which performs stack unwinding under RCU read lock. Without yielding, this creates an unbounded RCU critical section.

Add periodic cond_resched() calls within the loop to allow:

  • RCU grace periods to complete
  • Other tasks to run
  • Scheduler to preempt when needed

The fix uses need_resched() for immediate response under load, with a batch count of 32 as a guaranteed upper bound to prevent worst-case stalls even under light load.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux282631cb2447318e2a55b41a665dbe8571c46d70 < 2efa9c02c9b4c0d6866aa445f11056809b25ca28affected
LinuxLinux282631cb2447318e2a55b41a665dbe8571c46d70 < 1afe45f89d54b7183768ebbbbf14238ec187ab5caffected
LinuxLinux282631cb2447318e2a55b41a665dbe8571c46d70 < b351fbe71091f7c8676c8ba597653d08b6719447affected
LinuxLinux282631cb2447318e2a55b41a665dbe8571c46d70 < 5747435e0fd474c24530ef1a6822f47e7d264b27affected
LinuxLinux6.9affected
LinuxLinux0 < 6.9unaffected
LinuxLinux6.12.75 <= 6.12.*unaffected
LinuxLinux6.18.16 <= 6.18.*unaffected
LinuxLinux6.19.6 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References