From: Maciej Wieczor-Retman <m.wieczorretman@pm.me>
To: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>, Jonathan Corbet <corbet@lwn.net>,
Alexander Potapenko <glider@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Jan Kiszka <jan.kiszka@siemens.com>,
Kieran Bingham <kbingham@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Bill Wendling <morbo@google.com>,
Justin Stitt <justinstitt@google.com>,
Samuel Holland <samuel.holland@sifive.com>,
Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>,
linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
workflows@vger.kernel.org, linux-mm@kvack.org,
llvm@lists.linux.dev
Subject: Re: [PATCH v10 01/13] kasan: sw_tags: Use arithmetic shift for shadow computation
Date: Thu, 05 Mar 2026 20:18:49 +0000
Message-ID: <aanievpHCv0Sz3Bf@wieczorr-mobl1.localdomain>
In-Reply-To: <CAPAsAGxpHBqzppoKCrqvH0mfhEn6p0aEHR30ZifB3uv81v68EA@mail.gmail.com>
Thanks, that looks really neat! I should've thought of that instead of making
separate arch versions :)
Do you want me to attach the code you posted here to this patchset or do you
intend to post it yourself? I'm working out Dave's comments on the x86 parts and
I wanted to post v11 sometime next week.
Kind regards
Maciej Wieczór-Retman
On 2026-03-05 at 13:05:48 -0600, Andrey Ryabinin wrote:
>Maciej Wieczor-Retman <m.wieczorretman@pm.me> writes:
>
>> --- a/mm/kasan/kasan.h
>> +++ b/mm/kasan/kasan.h
>> @@ -558,6 +558,13 @@ static inline bool kasan_arch_is_ready(void) { return true; }
>> #error kasan_arch_is_ready only works in KASAN generic outline mode!
>> #endif
>>
>> +#ifndef arch_kasan_non_canonical_hook
>> +static inline bool arch_kasan_non_canonical_hook(unsigned long addr)
>> +{
>> + return false;
>> +}
>> +#endif
>> +
>> #if IS_ENABLED(CONFIG_KASAN_KUNIT_TEST)
>>
>> void kasan_kunit_test_suite_start(void);
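Review bot: the `#ifndef arch_kasan_non_canonical_hook` fallback only works if an arch that supplies its own version also does `#define arch_kasan_non_canonical_hook arch_kasan_non_canonical_hook` next to its definition, and nothing in this hunk says so; a short comment above the stub stating that convention and what a `true` return means (the address cannot be a shadow address, so the caller returns early) would save the next arch from silently getting the default. The polarity matters because report.c below treats `true` as "not a shadow access".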
>> diff --git a/mm/kasan/report.c b/mm/kasan/report.c
>> index 62c01b4527eb..53152d148deb 100644
>> --- a/mm/kasan/report.c
>> +++ b/mm/kasan/report.c
>> @@ -642,10 +642,19 @@ void kasan_non_canonical_hook(unsigned long addr)
>> const char *bug_type;
>>
>> /*
>> - * All addresses that came as a result of the memory-to-shadow mapping
>> - * (even for bogus pointers) must be >= KASAN_SHADOW_OFFSET.
>> + * For Generic KASAN, kasan_mem_to_shadow() uses the logical right shift
>> + * and never overflows with the chosen KASAN_SHADOW_OFFSET values. Thus,
>> + * the possible shadow addresses (even for bogus pointers) belong to a
>> + * single contiguous region that is the result of kasan_mem_to_shadow()
>> + * applied to the whole address space.
>> */
>> - if (addr < KASAN_SHADOW_OFFSET)
>> + if (IS_ENABLED(CONFIG_KASAN_GENERIC)) {
>> + if (addr < (unsigned long)kasan_mem_to_shadow((void *)(0ULL)) ||
>> + addr > (unsigned long)kasan_mem_to_shadow((void *)(~0ULL)))
>> + return;
>> + }
>> +
>> + if (arch_kasan_non_canonical_hook(addr))
>> return;
>>
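Review bot: the replacement narrows the lower-bound filter to CONFIG_KASAN_GENERIC. The removed `if (addr < KASAN_SHADOW_OFFSET)` applied in every mode, whereas after this hunk a SW_TAGS build on an arch that does not provide arch_kasan_non_canonical_hook() gets no range check at all and falls through to the classification below for any address. Either say in the comment that every SW_TAGS arch must supply the hook, or keep a mode-independent fallback bound. Minor: `(void *)(0ULL)` can simply be `NULL`.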
>
>I've noticed that we currently classify bugs incorrectly in SW_TAGS
>mode. I've sent the fix for it [1] :
> [1] https://lkml.kernel.org/r/20260305185659.20807-1-ryabinin.a.a@gmail.com
>
>While at it, I was thinking whether we can make the logic above more
>arch/mode agnostic and without per-arch hooks, so I've ended up with
>the following patch (it is on top of [1] fix).
>I think it should work with any arch or mode and both with signed or
>unsigned shifting.
>
>diff --git a/mm/kasan/report.c b/mm/kasan/report.c
>index e804b1e1f886..1e4521b5ef14 100644
>--- a/mm/kasan/report.c
>+++ b/mm/kasan/report.c
>@@ -640,12 +640,20 @@ void kasan_non_canonical_hook(unsigned long addr)
> {
> unsigned long orig_addr, user_orig_addr;
> const char *bug_type;
>+ void *tagged_null = set_tag(NULL, KASAN_TAG_KERNEL);
>+ void *tagged_addr = set_tag((void *)addr, KASAN_TAG_KERNEL);
>
> /*
>- * All addresses that came as a result of the memory-to-shadow mapping
>- * (even for bogus pointers) must be >= KASAN_SHADOW_OFFSET.
>+ * Filter out addresses that cannot be shadow memory accesses generated
>+ * by the compiler.
>+ *
>+ * In SW_TAGS mode, when computing a shadow address, the compiler always
>+ * sets the kernel tag (some top bits) on the pointer *before* computing
>+ * the memory-to-shadow mapping. As a result, valid shadow addresses
>+ * are derived from tagged kernel pointers.
> */
>- if (addr < KASAN_SHADOW_OFFSET)
>+ if (tagged_addr < kasan_mem_to_shadow(tagged_null) ||
>+ tagged_addr > kasan_mem_to_shadow((void *)(~0ULL)))
> return;
>
> orig_addr = (unsigned long)kasan_shadow_to_mem((void *)addr);
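Review bot: the two bounds are built asymmetrically. The lower one is `kasan_mem_to_shadow(tagged_null)` with the kernel tag applied explicitly, but the upper one is `kasan_mem_to_shadow((void *)(~0ULL))`, which only carries the kernel tag if KASAN_TAG_KERNEL happens to be all-ones in the tag bits. Since this series makes the special tags arch-specific (patch 02/13 in the thread overview), writing it as `set_tag((void *)~0UL, KASAN_TAG_KERNEL)` keeps the bound correct for any tag value. Also, the filter compares `tagged_addr`, but the `kasan_shadow_to_mem((void *)addr)` right after it still converts the untagged `addr`; a one-line comment on why the original address is used there would help readers who just saw the tagged copy introduced.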
>@@ -670,7 +678,7 @@ void kasan_non_canonical_hook(unsigned long addr)
> } else if (user_orig_addr < TASK_SIZE) {
> bug_type = "probably user-memory-access";
> orig_addr = user_orig_addr;
>- } else if (addr_in_shadow((void *)addr))
>+ } else if (addr_in_shadow(tagged_addr))
> bug_type = "probably wild-memory-access";
> else
> bug_type = "maybe wild-memory-access";
>--
>2.52.0
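The discussion above turns on one detail: with an arithmetic (signed) right shift, the shadow of a kernel-tagged pointer lands *below* KASAN_SHADOW_OFFSET, so the old `addr < KASAN_SHADOW_OFFSET` filter rejects every real shadow address, while the range between shadow(tagged NULL) and shadow(~0) still brackets them. The program below is an added illustration of that arithmetic, not code from this thread or from the kernel. It models kasan_mem_to_shadow(), set_tag() and the two filters as small standalone functions; the scale shifts, the two KASAN_SHADOW_OFFSET values and the top-byte tag layout are assumptions chosen only so the numbers are easy to follow (the "generic" offset is picked so the logical shift never overflows, the "sw_tags" offset so every kernel-tagged pointer maps into kernel space).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of the KASAN memory-to-shadow mapping and of the "could this
 * address be a compiler-generated shadow access" filter from the thread.
 * Not kernel code: scale shifts, offsets and tag layout are assumptions.
 */
struct layout {
	int scale_shift;      /* log2 of the granule size */
	uintptr_t offset;     /* stand-in for KASAN_SHADOW_OFFSET */
	bool arith;           /* arithmetic (signed) or logical right shift */
	bool tags;            /* SW_TAGS-style tag in the top byte? */
};

#define TAG_SHIFT  56
#define TAG_KERNEL 0xFFu

/* Assumed layouts: 8-byte granules/logical shift, 16-byte granules/arithmetic shift. */
static const struct layout generic = { 3, 0xDFFFFC0000000000ull, false, false };
static const struct layout sw_tags = { 4, 0xFFFF900000000000ull, true,  true  };

/* set_tag() analogue: replace the top byte in tagged layouts, identity otherwise. */
static uintptr_t set_tag(const struct layout *l, uintptr_t addr, unsigned tag)
{
	if (!l->tags)
		return addr;
	return (addr & ~((uintptr_t)0xFF << TAG_SHIFT)) | ((uintptr_t)tag << TAG_SHIFT);
}

/* kasan_mem_to_shadow() analogue. */
static uintptr_t mem_to_shadow(const struct layout *l, uintptr_t addr)
{
	if (l->arith) {
		/* Shifting a negative value right is arithmetic on gcc and clang. */
		intptr_t s = (intptr_t)addr >> l->scale_shift;
		return (uintptr_t)s + l->offset;
	}
	return (addr >> l->scale_shift) + l->offset;
}

/* What instrumented code does: force the kernel tag, then map to shadow. */
static uintptr_t shadow_of(const struct layout *l, uintptr_t ptr)
{
	return mem_to_shadow(l, set_tag(l, ptr, TAG_KERNEL));
}

/* The pre-patch lower bound: a shadow address must be >= KASAN_SHADOW_OFFSET. */
static bool old_filter(const struct layout *l, uintptr_t addr)
{
	return addr >= l->offset;
}

/*
 * The mode-agnostic filter proposed in the thread: with the kernel tag applied,
 * the faulting address must lie between shadow(tagged NULL) and shadow(~0),
 * i.e. inside the image of the whole kernel-tagged address space.
 */
static bool new_filter(const struct layout *l, uintptr_t addr)
{
	uintptr_t tagged_null = set_tag(l, 0, TAG_KERNEL);
	uintptr_t tagged_addr = set_tag(l, addr, TAG_KERNEL);

	return tagged_addr >= mem_to_shadow(l, tagged_null) &&
	       tagged_addr <= mem_to_shadow(l, ~(uintptr_t)0);
}

int main(void)
{
	/* Constructed inputs: a kernel VA carrying tag 0x3F, and NULL + 16. */
	uintptr_t tagged_kptr = 0x3FFF800000001000ull;
	uintptr_t generic_kptr = 0xFFFF888000001000ull;
	uintptr_t null_deref = 0x10ull;

	uintptr_t sh = shadow_of(&sw_tags, tagged_kptr);
	printf("sw_tags : shadow(kptr)=%#lx old_filter=%d new_filter=%d\n",
	       (unsigned long)sh, old_filter(&sw_tags, sh), new_filter(&sw_tags, sh));
	printf("sw_tags : offset itself old_filter=%d new_filter=%d\n",
	       old_filter(&sw_tags, sw_tags.offset), new_filter(&sw_tags, sw_tags.offset));
	printf("sw_tags : NULL+16 old_filter=%d new_filter=%d\n",
	       old_filter(&sw_tags, null_deref), new_filter(&sw_tags, null_deref));

	sh = shadow_of(&generic, generic_kptr);
	printf("generic : shadow(kptr)=%#lx old_filter=%d new_filter=%d\n",
	       (unsigned long)sh, old_filter(&generic, sh), new_filter(&generic, sh));
	return 0;
}
```

With the assumed sw_tags layout, shadow(~0) is offset - 1 and shadow of the tagged NULL is offset - 2^52, so the old lower bound accepts the offset itself (which can no longer be a shadow address) and rejects the real shadow of a kernel pointer, whereas the range filter gets both right; under the logical-shift generic layout the two filters agree.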
Thread overview: 9+ messages
2026-02-04 19:18 [PATCH v10 00/13] kasan: x86: arm64: KASAN tag-based mode for x86 Maciej Wieczor-Retman
2026-02-04 19:19 ` [PATCH v10 01/13] kasan: sw_tags: Use arithmetic shift for shadow computation Maciej Wieczor-Retman
2026-03-05 19:05 ` Andrey Ryabinin
2026-03-05 20:18 ` Maciej Wieczor-Retman [this message]
2026-03-05 21:22 ` Andrey Ryabinin
2026-03-05 21:25 ` Maciej Wieczor-Retman
2026-02-04 19:19 ` [PATCH v10 02/13] kasan: arm64: x86: Make special tags arch specific Maciej Wieczor-Retman
2026-02-04 19:19 ` [PATCH v10 04/13] x86/kasan: Add arch specific kasan functions Maciej Wieczor-Retman
2026-02-04 19:20 ` [PATCH v10 06/13] mm/execmem: Untag addresses in EXECMEM_ROX related pointer arithmetic Maciej Wieczor-Retman