Re: [PATCH] mm/alloc_tag: clear codetag for pages allocated before page_ext initialization

[Hao Ge <hao.ge@linux.dev>]

On 2026/3/20 07:48, Suren Baghdasaryan wrote:
> On Thu, Mar 19, 2026 at 4:44 PM Suren Baghdasaryan <surenb@google.com> wrote:
>> On Thu, Mar 19, 2026 at 3:28 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>>> On Thu, 19 Mar 2026 16:31:53 +0800 Hao Ge <hao.ge@linux.dev> wrote:
>>>
>>>> Due to initialization ordering, page_ext is allocated and initialized
>>>> relatively late during boot. Some pages have already been allocated
>>>> and freed before page_ext becomes available, leaving their codetag
>>>> uninitialized.
>> Hi Hao,
>> Thanks for the report.
>> Hmm. So, we are allocating pages before page_ext is initialized...
>>
>>>> A clear example is in init_section_page_ext(): alloc_page_ext() calls
>>>> kmemleak_alloc().
> Forgot to ask. The example you are using here is for page_ext
> allocation itself. Do you have any other examples where page
> allocation happens before page_ext initialization? If that's the only
> place, then we might be able to fix this in a simpler way by doing
> something special for alloc_page_ext().

Hi Suren

To help illustrate the point, here's the debug log I added:

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 2d4b6f1a554e..ebfe636f5b07 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1293,6 +1293,9 @@ void __pgalloc_tag_add(struct page *page, struct 
task_struct *task,
                 alloc_tag_add(&ref, task->alloc_tag, PAGE_SIZE * nr);
                 update_page_tag_ref(handle, &ref);
                 put_page_tag_ref(handle);
+       } else {
+               pr_warn("__pgalloc_tag_add: get_page_tag_ref failed! 
page=%p pfn=%lu nr=%u\n", page, page_to_pfn(page), nr);
+               dump_stack();
         }
  }


And I caught the following logs:

[    0.296399] __pgalloc_tag_add: get_page_tag_ref failed! 
page=ffffea000400c700 pfn=1049372 nr=1
[    0.296400] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 
7.0.0-rc4-dirty #12 PREEMPT(lazy)
[    0.296402] Hardware name: Red Hat KVM, BIOS 
rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[    0.296402] Call Trace:
[    0.296403]  <TASK>
[    0.296403]  dump_stack_lvl+0x53/0x70
[    0.296405]  __pgalloc_tag_add+0x3a3/0x6e0
[    0.296406]  ? __pfx___pgalloc_tag_add+0x10/0x10
[    0.296407]  ? kasan_unpoison+0x27/0x60
[    0.296409]  ? __kasan_unpoison_pages+0x2c/0x40
[    0.296411]  get_page_from_freelist+0xa54/0x1310
[    0.296413]  __alloc_frozen_pages_noprof+0x206/0x4c0
[    0.296415]  ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[    0.296417]  ? stack_depot_save_flags+0x3f/0x680
[    0.296418]  ? ___slab_alloc+0x518/0x530
[    0.296420]  alloc_pages_mpol+0x13a/0x3f0
[    0.296421]  ? __pfx_alloc_pages_mpol+0x10/0x10
[    0.296423]  ? _raw_spin_lock_irqsave+0x8a/0xf0
[    0.296424]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[    0.296426]  alloc_slab_page+0xc2/0x130
[    0.296427]  allocate_slab+0x77/0x2c0
[    0.296429]  ? syscall_enter_define_fields+0x3bb/0x5f0
[    0.296430]  ___slab_alloc+0x125/0x530
[    0.296432]  ? __trace_define_field+0x252/0x3d0
[    0.296433]  __kmalloc_noprof+0x329/0x630
[    0.296435]  ? syscall_enter_define_fields+0x3bb/0x5f0
[    0.296436]  syscall_enter_define_fields+0x3bb/0x5f0
[    0.296438]  ? __pfx_syscall_enter_define_fields+0x10/0x10
[    0.296440]  event_define_fields+0x326/0x540
[    0.296441]  __trace_early_add_events+0xac/0x3c0
[    0.296443]  trace_event_init+0x24c/0x460
[    0.296445]  trace_init+0x9/0x20
[    0.296446]  start_kernel+0x199/0x3c0
[    0.296448]  x86_64_start_reservations+0x18/0x30
[    0.296449]  x86_64_start_kernel+0xe2/0xf0
[    0.296451]  common_startup_64+0x13e/0x141
[    0.296453]  </TASK>


[    0.312234] __pgalloc_tag_add: get_page_tag_ref failed! 
page=ffffea000400f900 pfn=1049572 nr=1
[    0.312234] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 
7.0.0-rc4-dirty #12 PREEMPT(lazy)
[    0.312236] Hardware name: Red Hat KVM, BIOS 
rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[    0.312236] Call Trace:
[    0.312237]  <TASK>
[    0.312237]  dump_stack_lvl+0x53/0x70
[    0.312239]  __pgalloc_tag_add+0x3a3/0x6e0
[    0.312240]  ? __pfx___pgalloc_tag_add+0x10/0x10
[    0.312241]  ? rmqueue.constprop.0+0x4fc/0x1ce0
[    0.312243]  ? kasan_unpoison+0x27/0x60
[    0.312244]  ? __kasan_unpoison_pages+0x2c/0x40
[    0.312246]  get_page_from_freelist+0xa54/0x1310
[    0.312248]  __alloc_frozen_pages_noprof+0x206/0x4c0
[    0.312250]  ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[    0.312253]  alloc_slab_page+0x39/0x130
[    0.312254]  allocate_slab+0x77/0x2c0
[    0.312255]  ? alloc_cpumask_var_node+0xc7/0x230
[    0.312257]  ___slab_alloc+0x46d/0x530
[    0.312259]  __kmalloc_node_noprof+0x2fa/0x680
[    0.312261]  ? alloc_cpumask_var_node+0xc7/0x230
[    0.312263]  alloc_cpumask_var_node+0xc7/0x230
[    0.312264]  init_desc+0x141/0x6b0
[    0.312266]  alloc_desc+0x108/0x1b0
[    0.312267]  early_irq_init+0xee/0x1c0
[    0.312268]  ? __pfx_early_irq_init+0x10/0x10
[    0.312271]  start_kernel+0x1ab/0x3c0
[    0.312272]  x86_64_start_reservations+0x18/0x30
[    0.312274]  x86_64_start_kernel+0xe2/0xf0
[    0.312275]  common_startup_64+0x13e/0x141
[    0.312277]  </TASK>

[    0.312834] __pgalloc_tag_add: get_page_tag_ref failed! 
page=ffffea000400fc00 pfn=1049584 nr=1
[    0.312835] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 
7.0.0-rc4-dirty #12 PREEMPT(lazy)
[    0.312836] Hardware name: Red Hat KVM, BIOS 
rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[    0.312837] Call Trace:
[    0.312837]  <TASK>
[    0.312838]  dump_stack_lvl+0x53/0x70
[    0.312840]  __pgalloc_tag_add+0x3a3/0x6e0
[    0.312841]  ? __pfx___pgalloc_tag_add+0x10/0x10
[    0.312842]  ? rmqueue.constprop.0+0x4fc/0x1ce0
[    0.312844]  ? kasan_unpoison+0x27/0x60
[    0.312845]  ? __kasan_unpoison_pages+0x2c/0x40
[    0.312847]  get_page_from_freelist+0xa54/0x1310
[    0.312849]  __alloc_frozen_pages_noprof+0x206/0x4c0
[    0.312851]  ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[    0.312853]  alloc_pages_mpol+0x13a/0x3f0
[    0.312855]  ? __pfx_alloc_pages_mpol+0x10/0x10
[    0.312856]  ? xas_find+0x2d8/0x450
[    0.312858]  ? _raw_spin_lock+0x84/0xe0
[    0.312859]  ? __pfx__raw_spin_lock+0x10/0x10
[    0.312861]  alloc_pages_noprof+0xf6/0x2b0
[    0.312862]  __change_page_attr+0x293/0x850
[    0.312864]  ? __pfx___change_page_attr+0x10/0x10
[    0.312865]  ? _vm_unmap_aliases+0x2d0/0x650
[    0.312868]  ? __pfx__vm_unmap_aliases+0x10/0x10
[    0.312869]  __change_page_attr_set_clr+0x16c/0x360
[    0.312871]  ? spp_getpage+0xbb/0x1e0
[    0.312872]  change_page_attr_set_clr+0x220/0x3c0
[    0.312873]  ? flush_tlb_one_kernel+0xf/0x30
[    0.312875]  ? set_pte_vaddr_p4d+0x110/0x180
[    0.312877]  ? __pfx_change_page_attr_set_clr+0x10/0x10
[    0.312878]  ? __pfx_set_pte_vaddr_p4d+0x10/0x10
[    0.312881]  ? __pfx_mtree_load+0x10/0x10
[    0.312883]  ? __pfx_mtree_load+0x10/0x10
[    0.312884]  ? __asan_memcpy+0x3c/0x60
[    0.312886]  ? set_intr_gate+0x10c/0x150
[    0.312888]  set_memory_ro+0x76/0xa0
[    0.312889]  ? __pfx_set_memory_ro+0x10/0x10
[    0.312891]  idt_setup_apic_and_irq_gates+0x2c1/0x390

and more.

off topic -  if we were to handle only alloc_page_ext() specifically, 
what would be the most straightforward

solution in your mind? I'd really appreciate your insight.

Thanks.


>>>> If the slab cache has no free objects, it falls back
>>>> to the buddy allocator to allocate memory. However, at this point page_ext
>>>> is not yet fully initialized, so these newly allocated pages have no
>>>> codetag set. These pages may later be reclaimed by KASAN,which causes
>>>> the warning to trigger when they are freed because their codetag ref is
>>>> still empty.
>>>>
>>>> Use a global array to track pages allocated before page_ext is fully
>>>> initialized, similar to how kmemleak tracks early allocations.
>>>> When page_ext initialization completes, set their codetag
>>>> to empty to avoid warnings when they are freed later.
>>>>
>>>> ...
>>>>
>>>> --- a/include/linux/alloc_tag.h
>>>> +++ b/include/linux/alloc_tag.h
>>>> @@ -74,6 +74,9 @@ static inline void set_codetag_empty(union codetag_ref *ref)
>>>>
>>>>   #ifdef CONFIG_MEM_ALLOC_PROFILING
>>>>
>>>> +bool mem_profiling_is_available(void);
>>>> +void alloc_tag_add_early_pfn(unsigned long pfn);
>>>> +
>>>>   #define ALLOC_TAG_SECTION_NAME       "alloc_tags"
>>>>
>>>>   struct codetag_bytes {
>>>> diff --git a/lib/alloc_tag.c b/lib/alloc_tag.c
>>>> index 58991ab09d84..a5bf4e72c154 100644
>>>> --- a/lib/alloc_tag.c
>>>> +++ b/lib/alloc_tag.c
>>>> @@ -6,6 +6,7 @@
>>>>   #include <linux/kallsyms.h>
>>>>   #include <linux/module.h>
>>>>   #include <linux/page_ext.h>
>>>> +#include <linux/pgalloc_tag.h>
>>>>   #include <linux/proc_fs.h>
>>>>   #include <linux/seq_buf.h>
>>>>   #include <linux/seq_file.h>
>>>> @@ -26,6 +27,82 @@ static bool mem_profiling_support;
>>>>
>>>>   static struct codetag_type *alloc_tag_cttype;
>>>>
>>>> +/*
>>>> + * State of the alloc_tag
>>>> + *
>>>> + * This is used to describe the states of the alloc_tag during bootup.
>>>> + *
>>>> + * When we need to allocate page_ext to store codetag, we face an
>>>> + * initialization timing problem:
>>>> + *
>>>> + * Due to initialization order, pages may be allocated via buddy system
>>>> + * before page_ext is fully allocated and initialized. Although these
>>>> + * pages call the allocation hooks, the codetag will not be set because
>>>> + * page_ext is not yet available.
>>>> + *
>>>> + * When these pages are later free to the buddy system, it triggers
>>>> + * warnings because their codetag is actually empty if
>>>> + * CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled.
>>>> + *
>>>> + * Additionally, in this situation, we cannot record detailed allocation
>>>> + * information for these pages.
>>>> + */
>>>> +enum mem_profiling_state {
>>>> +     DOWN,                   /* No mem_profiling functionality yet */
>>>> +     UP                      /* Everything is working */
>>>> +};
>>>> +
>>>> +static enum mem_profiling_state mem_profiling_state = DOWN;
>>>> +
>>>> +bool mem_profiling_is_available(void)
>>>> +{
>>>> +     return mem_profiling_state == UP;
>>>> +}
>>>> +
>>>> +#ifdef CONFIG_MEM_ALLOC_PROFILING_DEBUG
>>>> +
>>>> +#define EARLY_ALLOC_PFN_MAX          256
>>>> +
>>>> +static unsigned long early_pfns[EARLY_ALLOC_PFN_MAX];
>>> It's unfortunate that this isn't __initdata.
>>>
>>>> +static unsigned int early_pfn_count;
>>>> +static DEFINE_SPINLOCK(early_pfn_lock);
>>>> +
>>>>
>>>> ...
>>>>
>>>> --- a/mm/page_alloc.c
>>>> +++ b/mm/page_alloc.c
>>>> @@ -1293,6 +1293,13 @@ void __pgalloc_tag_add(struct page *page, struct task_struct *task,
>>>>                alloc_tag_add(&ref, task->alloc_tag, PAGE_SIZE * nr);
>>>>                update_page_tag_ref(handle, &ref);
>>>>                put_page_tag_ref(handle);
>>>> +     } else {
>> This branch can be marked as "unlikely".
>>
>>>> +             /*
>>>> +              * page_ext is not available yet, record the pfn so we can
>>>> +              * clear the tag ref later when page_ext is initialized.
>>>> +              */
>>>> +             if (!mem_profiling_is_available())
>>>> +                     alloc_tag_add_early_pfn(page_to_pfn(page));
>>>>        }
>>>>   }
>>> All because of this, I believe.  Is this fixable?
>>>
>>> If we take that `else', we know we're running in __init code, yes?  I
>>> don't see how `__init pgalloc_tag_add_early()' could be made to work.
>>> hrm.  Something clever, please.
>> We can have a pointer to a function that is initialized to point to
>> alloc_tag_add_early_pfn, which is defined as __init and uses
>> early_pfns which now can be defined as __initdata. After
>> clear_early_alloc_pfn_tag_refs() is done we reset that pointer to
>> NULL. __pgalloc_tag_add() instead of calling alloc_tag_add_early_pfn()
>> directly checks that pointer and if it's not NULL then calls the
>> function that it points to. This way __pgalloc_tag_add() which is not
>> an __init function will be invoking alloc_tag_add_early_pfn() __init
>> function only until we are done with initialization. I haven't tried
>> this but I think that should work. This also eliminates the need for
>> mem_profiling_state variable since we can use this function pointer
>> instead.
>>
>>