Description

In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe). When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report: BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537 Write at addr f3f000000854f020 by task kworker/u8:6/983 Pointer tag: [f3], memory tag: [fe] Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes.

Weaknesses 1

Affected Products 10

References 2

• git.kernel.org https://git.kernel.org/stable/c/53ca00a19d345197a37a1bf552e8d1e7b091666c
  Patch
• git.kernel.org https://git.kernel.org/stable/c/65d4e5af2a2e82f4fc50d8259aee208fbc6b2c1d
  Patch

Remediation

• git.kernel.org https://git.kernel.org/stable/c/53ca00a19d345197a37a1bf552e8d1e7b091666c
  Patch
• git.kernel.org https://git.kernel.org/stable/c/65d4e5af2a2e82f4fc50d8259aee208fbc6b2c1d
  Patch