Enable virtually mapped kernel stacks for ARM64. This provides better
stack overflow detection and improved security by mapping kernel stacks
in vmalloc space rather than using direct mapping.

VMAP_STACK helps catch stack overflows early by placing guard pages
around kernel stacks, and also provides better isolation between
kernel stacks and other kernel data structures.

All dependencies are satisfied for arm64: HAVE_ARCH_VMAP_STACK is
already selected above, and KASAN_VMALLOC is selected when KASAN is
enabled, meeting the KASAN dependency requirements.

Suggested-by: Will Deacon <will@kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
---
 arch/arm64/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 393d71124f5d..179b302f43c2 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -280,6 +280,7 @@ config ARM64
 	select HAVE_SOFTIRQ_ON_OWN_STACK
 	select USER_STACKTRACE_SUPPORT
 	select VDSO_GETRANDOM
+	select VMAP_STACK
 	help
 	  ARM 64-bit (AArch64) Linux support.
 

-- 
2.47.1

Hi Breno,

On Mon, Jul 07, 2025 at 09:01:01AM -0700, Breno Leitao wrote:
> Enable virtually mapped kernel stacks for ARM64. This provides better
> stack overflow detection and improved security by mapping kernel stacks
> in vmalloc space rather than using direct mapping.
> 
> VMAP_STACK helps catch stack overflows early by placing guard pages
> around kernel stacks, and also provides better isolation between
> kernel stacks and other kernel data structures.
> 
> All dependencies are satisfied for arm64: HAVE_ARCH_VMAP_STACK is
> already selected above, and KASAN_VMALLOC is selected when KASAN is
> enabled, meeting the KASAN dependency requirements.

I reckon it might be better to say something like:

| arm64: Mandate VMAP_STACK
|
| On arm64, VMAP_STACK has been enabled by default for a while now, and
| the only reason to disable it was a historical lack of support for
| KASAN_VMALLOC. Today there's no good reason to disable VMAP_STACK.
|
| Mandate VMAP_STACK, which will allow code to be simplified in
| subsequent patches.

... to make it clear that we're not changing the default, and we are
removing the ability to deselect VMAP_STACK.

Either way, the patch itself looks good to me.

Mark.

> 
> Suggested-by: Will Deacon <will@kernel.org>
> Signed-off-by: Breno Leitao <leitao@debian.org>
> ---
>  arch/arm64/Kconfig | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 393d71124f5d..179b302f43c2 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -280,6 +280,7 @@ config ARM64
>  	select HAVE_SOFTIRQ_ON_OWN_STACK
>  	select USER_STACKTRACE_SUPPORT
>  	select VDSO_GETRANDOM
> +	select VMAP_STACK
>  	help
>  	  ARM 64-bit (AArch64) Linux support.
>  
> 
> -- 
> 2.47.1
>

Hello Mark,

On Mon, Jul 07, 2025 at 06:23:09PM +0100, Mark Rutland wrote:
> On Mon, Jul 07, 2025 at 09:01:01AM -0700, Breno Leitao wrote:
> > Enable virtually mapped kernel stacks for ARM64. This provides better
> > stack overflow detection and improved security by mapping kernel stacks
> > in vmalloc space rather than using direct mapping.
> > 
> > VMAP_STACK helps catch stack overflows early by placing guard pages
> > around kernel stacks, and also provides better isolation between
> > kernel stacks and other kernel data structures.
> > 
> > All dependencies are satisfied for arm64: HAVE_ARCH_VMAP_STACK is
> > already selected above, and KASAN_VMALLOC is selected when KASAN is
> > enabled, meeting the KASAN dependency requirements.
> 
> I reckon it might be better to say something like:
> 
> | arm64: Mandate VMAP_STACK
> |
> | On arm64, VMAP_STACK has been enabled by default for a while now, and
> | the only reason to disable it was a historical lack of support for
> | KASAN_VMALLOC. Today there's no good reason to disable VMAP_STACK.
> |
> | Mandate VMAP_STACK, which will allow code to be simplified in
> | subsequent patches.
> 
> ... to make it clear that we're not changing the default, and we are
> removing the ability to deselect VMAP_STACK.
> 
> Either way, the patch itself looks good to me.

Thanks for the suggestion. I will update and respin.

Thanks for the review,
--breno

Hey Breno,

Thanks for doing this.

On Tue, Jul 08, 2025 at 02:39:56AM -0700, Breno Leitao wrote:
> On Mon, Jul 07, 2025 at 06:23:09PM +0100, Mark Rutland wrote:
> > On Mon, Jul 07, 2025 at 09:01:01AM -0700, Breno Leitao wrote:
> > > Enable virtually mapped kernel stacks for ARM64. This provides better
> > > stack overflow detection and improved security by mapping kernel stacks
> > > in vmalloc space rather than using direct mapping.
> > > 
> > > VMAP_STACK helps catch stack overflows early by placing guard pages
> > > around kernel stacks, and also provides better isolation between
> > > kernel stacks and other kernel data structures.
> > > 
> > > All dependencies are satisfied for arm64: HAVE_ARCH_VMAP_STACK is
> > > already selected above, and KASAN_VMALLOC is selected when KASAN is
> > > enabled, meeting the KASAN dependency requirements.
> > 
> > I reckon it might be better to say something like:
> > 
> > | arm64: Mandate VMAP_STACK
> > |
> > | On arm64, VMAP_STACK has been enabled by default for a while now, and
> > | the only reason to disable it was a historical lack of support for
> > | KASAN_VMALLOC. Today there's no good reason to disable VMAP_STACK.
> > |
> > | Mandate VMAP_STACK, which will allow code to be simplified in
> > | subsequent patches.
> > 
> > ... to make it clear that we're not changing the default, and we are
> > removing the ability to deselect VMAP_STACK.
> > 
> > Either way, the patch itself looks good to me.
> 
> Thanks for the suggestion. I will update and respin.

No need to respin just for that; I can fold the above when I apply.

Cheers,

Will