HIGH
mm SLUB DeferFree Tag Mismatch
CVE-2025-71110
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

mm/slub: reset KASAN tag in defer_free() before accessing freed memory

When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe). When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report:

```
BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537
Write at addr f3f000000854f020 by task kworker/u8:6/983
Pointer tag: [f3], memory tag: [fe]
```

Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes.
02 KernelScan AI Analysis
Risk summary
This vulnerability causes false positive KASAN use-after-free reports in the SLUB allocator on ARM64 systems with Memory Tagging Extension (MTE) when CONFIG_SLUB_TINY is enabled. Although the record is classified as a use-after-free, the underlying defect is a tag mismatch in the allocator's own bookkeeping. It is not a real memory-safety hole, but the spurious KASAN reports it produces can destabilise affected systems.
Vulnerability analysis
Root Cause: In the SLUB allocator with CONFIG_SLUB_TINY enabled, when kfree_nolock() calls kasan_slab_free() before defer_free(), KASAN poisons the memory and changes the ARM64 MTE tag from the original tag to a poison tag (0xfe). However, defer_free() still uses the original pointer with the old tag when trying to write to the freed object via llist_add() to build the deferred free list, causing a tag mismatch.
Attack Surface: This is a false positive KASAN report rather than an exploitable vulnerability. It occurs during normal allocator operation when CONFIG_SLUB_TINY is enabled on ARM64 systems with MTE. The issue is triggered by legitimate allocator bookkeeping operations, not by external input or malicious code.
Fix Mechanism: The fix adds a call to kasan_reset_tag() in defer_free() before accessing the freed memory. This resets the pointer's tag so the write no longer has to match the poisoned memory tag, letting the allocator manipulate the freed memory for bookkeeping purposes without triggering a KASAN tag-mismatch report.
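The sequence described in the root cause and fix above, as an added example that is not kernel code: a toy model of an MTE-style tag check around the deferred-free list insert, showing the stale-tag store faulting with the same tag pair the report prints, and the reset-tag path succeeding. The pool, the per-granule tag table, the `*_model` functions, `tagged_ptr_t` and the `TAG_MATCH_ALL` value are assumptions of this model, not arm64 or mm/slub internals; the real hardware check and tag layout are simplified.

```c
/* Added example (not kernel code): toy model of the MTE tag check behind the
 * report above and of the kasan_reset_tag() fix in defer_free().
 * Assumed: pool, mem_tag table, *_model functions, TAG_MATCH_ALL. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_SHIFT     56                         /* tag rides in the top byte of the address */
#define TAG_MASK      ((uint64_t)0xff << TAG_SHIFT)
#define TAG_MATCH_ALL 0xffu                      /* assumed: tag that is never checked, as after kasan_reset_tag() */
#define TAG_POISON    0xfeu                      /* tag the report shows on freed memory */
#define GRANULE       16                         /* MTE tags memory per 16-byte granule */
#define POOL_BYTES    256

typedef uint64_t tagged_ptr_t;                   /* address plus tag; never dereferenced directly */

struct llist_node { struct llist_node *next; };
struct llist_head { struct llist_node *first; };
struct tag_fault  { uint8_t ptr_tag, mem_tag; }; /* what a KASAN report would print */

static _Alignas(GRANULE) unsigned char pool[POOL_BYTES];   /* backing memory (constructed) */
static uint8_t mem_tag[POOL_BYTES / GRANULE];              /* one tag per granule, stand-in for MTE tag storage */
static struct tag_fault last_fault;

static tagged_ptr_t set_tag(void *p, uint8_t tag) {
    return ((uint64_t)(uintptr_t)p & ~TAG_MASK) | ((uint64_t)tag << TAG_SHIFT);
}
static uint8_t ptr_tag(tagged_ptr_t p) { return (uint8_t)(p >> TAG_SHIFT); }
static void *untag(tagged_ptr_t p) { return (void *)(uintptr_t)(p & ~TAG_MASK); }
static size_t granule_of(void *p) { return (size_t)((unsigned char *)p - pool) / GRANULE; }

/* Model of kasan_reset_tag(): same address, tag replaced by the match-all tag. */
static tagged_ptr_t kasan_reset_tag_model(tagged_ptr_t p) { return set_tag(untag(p), TAG_MATCH_ALL); }

/* Model of the hardware check on a store: fault unless the pointer tag is
 * match-all or equals the memory tag of the granule being written. */
static bool tagged_store_ptr(tagged_ptr_t dst, struct llist_node *value) {
    uint8_t pt = ptr_tag(dst), mt = mem_tag[granule_of(untag(dst))];
    if (pt != TAG_MATCH_ALL && pt != mt) {
        last_fault.ptr_tag = pt;                 /* "Pointer tag: [f3], memory tag: [fe]" */
        last_fault.mem_tag = mt;
        return false;
    }
    memcpy(untag(dst), &value, sizeof value);
    return true;
}

/* Allocation: pointer tag and memory tag agree for every granule of the object. */
static tagged_ptr_t alloc_tagged(size_t off, size_t size, uint8_t tag) {
    for (size_t g = 0; g < size; g += GRANULE) mem_tag[granule_of(pool + off + g)] = tag;
    return set_tag(pool + off, tag);
}

/* Model of kasan_slab_free() on a freed object: its granules get the poison tag. */
static void kasan_slab_free_model(tagged_ptr_t obj, size_t size) {
    for (size_t g = 0; g < size; g += GRANULE)
        mem_tag[granule_of((unsigned char *)untag(obj) + g)] = TAG_POISON;
}

/* llist_add(): the freed object's first word becomes the link to the old head. */
static bool llist_add_model(tagged_ptr_t node, struct llist_head *head) {
    if (!tagged_store_ptr(node, head->first)) return false;
    head->first = (struct llist_node *)untag(node);
    return true;
}

/* Before the fix: the store goes through the caller's pointer, whose tag is stale. */
static int defer_free_buggy(tagged_ptr_t obj, struct llist_head *head) {
    return llist_add_model(obj, head) ? 0 : -1;
}

/* After the fix: reset the tag first; the allocator legitimately touches freed memory. */
static int defer_free_fixed(tagged_ptr_t obj, struct llist_head *head) {
    return llist_add_model(kasan_reset_tag_model(obj), head) ? 0 : -1;
}

/* The CONFIG_SLUB_TINY kfree_nolock() sequence from the description:
 * allocate with tag 0xf3, poison on free, then defer_free(). Returns 0 on success, -1 on fault. */
static int scenario(bool with_fix) {
    struct llist_head deferred = { NULL };
    tagged_ptr_t obj = alloc_tagged(0, 32, 0xf3);
    kasan_slab_free_model(obj, 32);
    return with_fix ? defer_free_fixed(obj, &deferred) : defer_free_buggy(obj, &deferred);
}

int main(void) {
    int buggy = scenario(false);
    printf("buggy defer_free: %s (pointer tag %02x, memory tag %02x)\n",
           buggy ? "tag mismatch" : "ok", last_fault.ptr_tag, last_fault.mem_tag);
    printf("fixed defer_free: %s\n", scenario(true) ? "tag mismatch" : "ok");
    return 0;
}
```

The model keeps the address unchanged and only swaps the tag, which is the whole of what the fix does: the check is deliberately bypassed for one store that the allocator itself performs on memory it owns. Any other code path that reset a tag to write into freed memory would be hiding a real use-after-free from KASAN, which is why the commit message stresses that defer_free() is allocator-internal bookkeeping.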
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.3 | 65d4e5af2a2e |
| mainline | 6.19 | 53ca00a19d34 |