From: Catalin Marinas <catalin.marinas@arm.com>
To: Ryan Roberts <ryan.roberts@arm.com>
Cc: "David Hildenbrand (Arm)" <david@kernel.org>,
Muhammad Usama Anjum <usama.anjum@arm.com>,
Arnd Bergmann <arnd@arndb.de>, Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Juri Lelli <juri.lelli@redhat.com>,
Vincent Guittot <vincent.guittot@linaro.org>,
Dietmar Eggemann <dietmar.eggemann@arm.com>,
Steven Rostedt <rostedt@goodmis.org>,
Ben Segall <bsegall@google.com>, Mel Gorman <mgorman@suse.de>,
Valentin Schneider <vschneid@redhat.com>,
Kees Cook <kees@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Lorenzo Stoakes <ljs@kernel.org>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@kernel.org>,
Mike Rapoport <rppt@kernel.org>,
Suren Baghdasaryan <surenb@google.com>,
Michal Hocko <mhocko@suse.com>,
Uladzislau Rezki <urezki@gmail.com>,
linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, Andrey Konovalov <andreyknvl@gmail.com>,
Marco Elver <elver@google.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Peter Collingbourne <pcc@google.com>,
Will Deacon <will@kernel.org>,
david.hildenbrand@arm.com
Subject: Re: [PATCH v2 2/3] kasan: skip HW tagging for all kernel thread stacks
Date: Wed, 22 Apr 2026 19:00:30 +0100 [thread overview]
Message-ID: <aekMvrcBCUTf3yT4@arm.com> (raw)
In-Reply-To: <e881c79a-fe7c-46b1-a518-febf7a278cc9@arm.com>
On Wed, Apr 22, 2026 at 02:31:14PM +0100, Ryan Roberts wrote:
> On 17/04/2026 09:31, Catalin Marinas wrote:
> > On Thu, Apr 16, 2026 at 11:03:46AM +0200, David Hildenbrand wrote:
> >> On 4/10/26 20:36, Catalin Marinas wrote:
> >>> On Fri, Apr 10, 2026 at 07:32:23PM +0100, Catalin Marinas wrote:
> >>>> What the original approach might help with is use-after-realloc in case
> >>>> we had a tagged pointer in a past life of a page and it still works now.
> >>>> Oh well, that's I guess for other types of hardening to address like
> >>>> delayed reallocation.
> >>>
> >>> Another thought (for a separate series) - we could try to map the stack
> >>> as Untagged (unless stack tagging is enabled; needs compiler
> >>> instrumentation) and enable canonical tag checking (newer addition to
> >>> MTE). This way, any stray tagged pointer won't work on the stack since
> >>> it needs a 0xf tag (canonical).
> >>
> >> Do you mean mapping it as Untagged in the vmap for CONFIG_VMAP_STACK or
> >> also as Untagged in the directmap?
> >>
> >> The latter brings in the set of problems with direct map fragmentation.
> >
> > Just the vmap, there are a lot more problems with the direct map. Not
> > sure how much it does in terms of security, maybe marginally. A
> > match-all tag (0xf) would still be able to access the canonically tagged
> > memory.
>
> I think with the first patch in this series, we are already vmapping the stack
> memory as untagged, right? vmalloc only calls arch_vmap_pgprot_tagged() if we
> are not skipping kasan. So I think we already have this protection? (perhaps we
> need to explicitly enable the canonical tag checks?)
Ah, yes, good point. So, we could just enable canonical tag checking so
that untagged memory only uses the 0xf tag while in the kernel (not sure
what might break but in theory these would only happen if we have
use-after-free bugs etc.).
I think it's just a matter of setting TCR_EL1.MTX1 but it has some
implications on the PAC bits. This setting would affect the kernel
image mapping, modules. Anyway, something to investigate separately.
--
Catalin
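The exchange above turns on two MTE behaviours: the match-all tag 0xf that lets kernel accesses bypass checks on Tagged memory, and canonical tag checking (TCR_EL1.MTX1) that would make a stray non-0xf tag fault on Untagged memory such as a vmap'd stack. The following is an added, simplified software model of that decision, written for this discussion and not part of the kernel or the patch series; the rules it encodes (tag 0xf unchecked via TCMA1, canonical tag 0xf for the TTBR1 range under MTX1, no check at all on Untagged memory otherwise) and the sample virtual addresses are assumptions of the model, not values from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of an arm64 MTE tag check (added example, not kernel
 * code). Assumed rules:
 *  - Tagged memory: the logical address tag is compared with the
 *    allocation tag, unless TCMA1 makes tag 0xf unchecked ("match-all").
 *  - Untagged memory (e.g. a stack vmapped without the tagged attribute):
 *    no check, unless canonical tag checking (TCR_EL1.MTX1) is enabled,
 *    in which case the address tag must be the canonical 0xf of the
 *    TTBR1 range.
 */

#define MTE_TAG_MATCH_ALL 0xfu
#define MTE_TAG_CANONICAL 0xfu   /* canonical tag for the TTBR1 range (assumed) */

enum mem_attr { MEM_UNTAGGED, MEM_TAGGED };

struct mte_cfg {
	bool tcma1;	/* address tag 0xf is unchecked for kernel accesses */
	bool mtx1;	/* canonical tag checking on Untagged memory */
};

/* Two hypothetical kernel configurations: today's, and with MTX1 set. */
static const struct mte_cfg cfg_kernel_no_mtx = { .tcma1 = true, .mtx1 = false };
static const struct mte_cfg cfg_kernel_mtx    = { .tcma1 = true, .mtx1 = true };

/* Constructed sample kernel-range VAs; not real kernel addresses. */
#define KSTACK_VA 0xffff800000010000ull
#define KHEAP_VA  0xffff800000020000ull

/* Logical address tag lives in VA bits [59:56]. */
static inline unsigned int addr_tag(uint64_t va)
{
	return (unsigned int)((va >> 56) & 0xf);
}

/* Build a VA carrying a given logical tag (like a stray tagged pointer). */
static uint64_t tagged_va(uint64_t va, unsigned int tag)
{
	return (va & ~(0xfull << 56)) | ((uint64_t)(tag & 0xf) << 56);
}

/* Returns true when the access completes, false on a tag check fault. */
static bool mte_access_ok(const struct mte_cfg *cfg, enum mem_attr attr,
			  uint64_t va, unsigned int alloc_tag)
{
	unsigned int tag = addr_tag(va);

	if (attr == MEM_UNTAGGED) {
		/* Only MTX1 gives Untagged memory any protection at all. */
		if (cfg->mtx1 && tag != MTE_TAG_CANONICAL)
			return false;
		return true;
	}

	/* Tagged memory: match-all bypass, otherwise exact tag compare. */
	if (cfg->tcma1 && tag == MTE_TAG_MATCH_ALL)
		return true;
	return tag == (alloc_tag & 0xf);
}

static void report(const char *what, bool ok)
{
	printf("%-52s %s\n", what, ok ? "access" : "TAG CHECK FAULT");
}

int main(void)
{
	uint64_t stray = tagged_va(KSTACK_VA, 0x7);	/* stale heap tag on a stack VA */
	uint64_t plain = tagged_va(KSTACK_VA, 0xf);	/* normal kernel pointer */

	report("untagged stack, tag 0x7, MTX1 off", mte_access_ok(&cfg_kernel_no_mtx, MEM_UNTAGGED, stray, 0));
	report("untagged stack, tag 0x7, MTX1 on",  mte_access_ok(&cfg_kernel_mtx, MEM_UNTAGGED, stray, 0));
	report("untagged stack, tag 0xf, MTX1 on",  mte_access_ok(&cfg_kernel_mtx, MEM_UNTAGGED, plain, 0));
	report("tagged heap (alloc 0x3), tag 0x5",  mte_access_ok(&cfg_kernel_mtx, MEM_TAGGED, tagged_va(KHEAP_VA, 0x5), 0x3));
	report("tagged heap (alloc 0x3), tag 0xf",  mte_access_ok(&cfg_kernel_mtx, MEM_TAGGED, tagged_va(KHEAP_VA, 0xf), 0x3));
	return 0;
}
```

The last two lines of output show the limit Catalin points out: a match-all 0xf pointer still reaches Tagged memory regardless of the allocation tag, so canonical checking only catches pointers that carry a stale non-0xf tag into an Untagged mapping.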
Thread overview: 18+ messages
2026-03-24 13:26 [PATCH v2 0/3] KASAN: HW_TAGS: Disable tagging for stack and page-tables Muhammad Usama Anjum
2026-03-24 13:26 ` [PATCH v2 1/3] vmalloc: add __GFP_SKIP_KASAN support Muhammad Usama Anjum
2026-04-10 18:10 ` Catalin Marinas
2026-04-16 9:10 ` David Hildenbrand
2026-04-22 13:21 ` Ryan Roberts
2026-04-22 14:23 ` Dev Jain
2026-04-22 14:38 ` Ryan Roberts
2026-04-22 15:59 ` David Hildenbrand (Arm)
2026-03-24 13:26 ` [PATCH v2 2/3] kasan: skip HW tagging for all kernel thread stacks Muhammad Usama Anjum
2026-04-10 18:32 ` Catalin Marinas
2026-04-10 18:36 ` Catalin Marinas
2026-04-16 9:03 ` David Hildenbrand (Arm)
2026-04-17 8:31 ` Catalin Marinas
2026-04-22 13:31 ` Ryan Roberts
2026-04-22 18:00 ` Catalin Marinas [this message]
2026-03-24 13:26 ` [PATCH v2 3/3] mm: skip KASAN tagging for page-allocated page tables Muhammad Usama Anjum
2026-04-10 18:19 ` Catalin Marinas
2026-04-16 8:55 ` David Hildenbrand (Arm)