From nobody Fri Jun 12 20:19:42 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C5D783DC877 for ; Tue, 12 May 2026 17:36:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778607390; cv=none; b=WW+csJ1XWh9D3LkysS2tGtYsEz5W8GTg7eauqAN/BABW9qRYnpLc5u1G+eQVVVkzACP7c2juMm9/5KWyTpXuEjHf1xIwLDeJw179qlcPQnmHjWMG/9QamM50gSEFZ84ZiM9yMPLn7S71vzTJmp4fu+/FUGpun5Dj2FrM845pf58= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778607390; c=relaxed/simple; bh=9uHXI+IUdXJGhO0SbSvV3iaivCo0yH+io8U1Lq5lcqA=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=hqyF/LeRhXoQuX+YToY/RJQ4W/DHEwRuiW6Gw1D1qgTkjPxmXbPTzaKy01D6dkyw0DFpy0tUUbGKD6mtUkoZ7ZwvgWGkJNEJSH6CNbMqBSjd7AR1BPbfDzeExx1Sq3rnCyhnwvgjYX6rt83pbyLuUVYlIep22cnsQy8Ts+vUhOU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=seeHbiOP; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="seeHbiOP" Received: by smtp.kernel.org (Postfix) with ESMTPS id 8F0E2C2BCB0; Tue, 12 May 2026 17:36:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1778607390; bh=9uHXI+IUdXJGhO0SbSvV3iaivCo0yH+io8U1Lq5lcqA=; h=From:Date:Subject:To:Cc:Reply-To:From; b=seeHbiOPe5ud1PKf9mZecjxOQC/cjkQxYwcCQ5KH+hMLMeHKzG617isjxTMH3YqmF nLx5VEQj+BYKhfs+g3JKUZoknDIV4RlJUe5XLG95YAzRL7S4cvsObAt4hmm1+dEt2l sucD/8Ob8EH05DMdyh1wkRSaA3adFV0m3ezJfCs/1hbUd9jY31JnsJXyPkJLuw+zkA 21ssRwsNAaecPwRaWQuOvro1TWFc2unogqBn62KJFOAsM/JyDQXhR/EeZwuFsHyE8K P0yaLIxEjnifWJhYWXpLlk+JG5edFINKSWkZEng2PEtMUwo6IaoQzZJZ6bAIeOM7sj 1wgcjGCl388lg== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 81961CD4F25; Tue, 12 May 2026 17:36:30 +0000 (UTC) From: Chia-I Wu via B4 Relay Date: Tue, 12 May 2026 10:36:28 -0700 Subject: [PATCH] drm/panthor: set __GFP_SKIP_KASAN Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260512-panthor-kasan-v1-1-d8d3e275d71b@gmail.com> X-B4-Tracking: v=1; b=H4sIABtlA2oC/yXMzQ5FMBBA4VeRWWvS1l94FbEYDIakpIPcRLz7L Zbf4pwLhDyTQBVd4Olk4dUFmDiCbkI3kuI+GKy2uc6MVRu6fVq9WlDQKaPTorBJ2WJvIDSbp4F /769uPsvRztTtzwTu+w/4oywpcQAAAA== X-Change-ID: 20260512-panthor-kasan-10477239bad1 To: Boris Brezillon , Steven Price , Liviu Dudau , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Simona Vetter Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Rob Clark , Chia-I Wu X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=openpgp-sha256; l=2047; i=olvaffe@gmail.com; h=from:subject:message-id; bh=ASiB3HunlPGvoW9uuO3lUbsW+ch1/3mXojcsoRe+zik=; b=owGbwMvMwCV2uuv6dHcvAWnG02pJDFnMqbL1Pebrfpx8uyloobn8sZj7fL0r47uNtzUZW+YnM avPmcXZUcrCIMbFICumyLJT6fPXwIzCy3eEG9fBzGFlAhnCwMUpABORXMnwP+LmBr44/VUCwtKf bFe/WZOrLOxsoVPTsKP6zuc9ZzJ+ZzH8LyqyeB+omLZcm8Xpbf60k86/o9xUF04LeK/tpSf8/Ec sNwA= X-Developer-Key: i=olvaffe@gmail.com; a=openpgp; fpr=8C8F791802BBB330399230F27CB6CD58BE1B6831 X-Endpoint-Received: by B4 Relay for olvaffe@gmail.com/default with auth_id=776 X-Original-From: Chia-I Wu Reply-To: olvaffe@gmail.com From: Chia-I Wu Pages that can be swapped out should be allocated with __GFP_SKIP_KASAN. Rather than setting the flag directly, replace GFP_HIGHUSER by (GFP_HIGHUSER_MOVABLE & ~__GFP_MOVABLE) instead, which should match the preceding comment better. On a CONFIG_KASAN_HW_TAGS=3Dy system, without __GFP_SKIP_KASAN, the page allocator assigns a valid tag to both the kernel mapping and MTE, instead of assigning the match-all KASAN_TAG_KERNEL tag to the kernel mapping. If userspace also maps the page with PROT_MTE and modifies the MTE tag, accessing the page via the kernel mapping results in KASAN invalid-access, such as BUG: KASAN: invalid-access in swap_writepage+0xb0/0x21c Read at addr f5ffff81aa71dff8 by task WM.task-4/6956 Pointer tag: [f5], memory tag: [f9] While userspace cannot map drm gem objects with PROT_MTE, the problem is shmem_swapin_cluster. When it swaps in a cluster of pages using our gfp flags, some of the pages might belong to other mappings that have PROT_MTE. Signed-off-by: Chia-I Wu --- The latest snapdragons appear to have MTE support. drm/msm might need the same treatment. --- drivers/gpu/drm/panthor/panthor_gem.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/panthor/panthor_gem.c b/drivers/gpu/drm/pantho= r/panthor_gem.c index 13295d7a593df..08c03aa0db2f7 100644 --- a/drivers/gpu/drm/panthor/panthor_gem.c +++ b/drivers/gpu/drm/panthor/panthor_gem.c @@ -1013,7 +1013,8 @@ panthor_gem_create(struct drm_device *dev, size_t siz= e, uint32_t flags, * going to pin these pages. */ mapping_set_gfp_mask(bo->base.filp->f_mapping, - GFP_HIGHUSER | __GFP_RETRY_MAYFAIL | __GFP_NOWARN); + (GFP_HIGHUSER_MOVABLE & ~__GFP_MOVABLE) | + __GFP_RETRY_MAYFAIL | __GFP_NOWARN); =20 ret =3D drm_gem_create_mmap_offset(&bo->base); if (ret) --- base-commit: 6101f78b684895d5860a96322e607e0f46f433ad change-id: 20260512-panthor-kasan-10477239bad1 Best regards, -- =20 Chia-I Wu