From nobody Fri Dec 19 19:03:04 2025 Received: from mail-244122.protonmail.ch (mail-244122.protonmail.ch [109.224.244.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 98560315D3C for ; Thu, 4 Dec 2025 19:00:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=109.224.244.122 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764874847; cv=none; b=srZHESxqpmF8BrT51Pvo8Xnoh0Fpv3VgPEREhLYqlDjTHs0F4bzO+BLcRJi/R5fuayna2GPDHR2MB1VN1VVnhdhKonCZL/t2X5IZaxzpdLbi6hsLgXsUYfgDf7lqpyw/UlzWSAiUxfyUN+VRjeypbyUvzODtWpyq/YuXbPt4ZNg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764874847; c=relaxed/simple; bh=lSB8h/UwqS3wNM+YXAjrnejEoTPkVg0wGq9NbdvpHCw=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=hBVr/U1cqP0eEl2xmdwBOYOHBJMVRXgtqEccaHrKe5d+i9hYQqu0P3FvwXEi/FUFNlPa0E1GKAsQVVMJUnECfAUyeVNonio24E9lsieVlMdkbPAvSznVDNZEyq5O8gg1RDPOf8WQTLhhpBoHui4z/2+B4QuyFg199tVpEgtQaHE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=pm.me; spf=pass smtp.mailfrom=pm.me; dkim=pass (2048-bit key) header.d=pm.me header.i=@pm.me header.b=MGFUiyyI; arc=none smtp.client-ip=109.224.244.122 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=pm.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=pm.me Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=pm.me header.i=@pm.me header.b="MGFUiyyI" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pm.me; s=protonmail3; t=1764874815; x=1765134015; bh=OkoBRhgSwjuQLuLgL6yseexB7KxkTDwJEiXAnUMLOgo=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=MGFUiyyIDKtVbJTiczN/PWRSWvLhh11G6a4GRU9xXEEewJkCTZxEmuxNpqmyytJiZ D+HattnA4aU9m28WTAhKFXHgJPLJAXelaYDyr+J79xtORsVLTBbyQoeJCy56B8b30H RPU23LVvrseHJ6PDlrp5wIGFfIB/voK1OsWmC61UvRydlyrdZ1DaxCh7zd2Gboy/Ok uO6okFnUrx4K3A7nutPQLkGK6Je4mIty4LjAsen/CCpZ19YnrFfIGJRROER9xX8082 LhDuEBFtt61LoqKRyWcqrUYhicukpYFPdJYNjQfLEmEPTzNqN217K7xo0vooaXYvsQ z4POOsS7x2YaQ== Date: Thu, 04 Dec 2025 19:00:11 +0000 To: Andrey Ryabinin , Alexander Potapenko , Andrey Konovalov , Dmitry Vyukov , Vincenzo Frascino , Andrew Morton , Marco Elver From: Maciej Wieczor-Retman Cc: m.wieczorretman@pm.me, jiayuan.chen@linux.dev, stable@vger.kernel.org, Maciej Wieczor-Retman , kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH v3 3/3] kasan: Unpoison vms[area] addresses with a common tag Message-ID: <873821114a9f722ffb5d6702b94782e902883fdf.1764874575.git.m.wieczorretman@pm.me> In-Reply-To: References: Feedback-ID: 164464600:user:proton X-Pm-Message-ID: 68527f4c7d069f0e80ad4d48c006acca2241fe68 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Maciej Wieczor-Retman A KASAN tag mismatch, possibly causing a kernel panic, can be observed on systems with a tag-based KASAN enabled and with multiple NUMA nodes. It was reported on arm64 and reproduced on x86. It can be explained in the following points: 1. There can be more than one virtual memory chunk. 2. Chunk's base address has a tag. 3. The base address points at the first chunk and thus inherits the tag of the first chunk. 4. The subsequent chunks will be accessed with the tag from the first chunk. 5. Thus, the subsequent chunks need to have their tag set to match that of the first chunk. Use the new vmalloc flag that disables random tag assignment in __kasan_unpoison_vmalloc() - pass the same random tag to all the vm_structs by tagging the pointers before they go inside __kasan_unpoison_vmalloc(). Assigning a common tag resolves the pcpu chunk address mismatch. Fixes: 1d96320f8d53 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS") Cc: # 6.1+ Signed-off-by: Maciej Wieczor-Retman Reviewed-by: Andrey Konovalov --- Changelog v3: - Redo the patch by using a flag instead of a new argument in __kasan_unpoison_vmalloc() (Andrey Konovalov) Changelog v2: - Revise the whole patch to match the fixed refactorization from the first patch. Changelog v1: - Rewrite the patch message to point at the user impact of the issue. - Move helper to common.c so it can be compiled in all KASAN modes. mm/kasan/common.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/mm/kasan/common.c b/mm/kasan/common.c index 1ed6289d471a..496bb2c56911 100644 --- a/mm/kasan/common.c +++ b/mm/kasan/common.c @@ -591,11 +591,28 @@ void __kasan_unpoison_vmap_areas(struct vm_struct **v= ms, int nr_vms, unsigned long size; void *addr; int area; + u8 tag; + + /* + * If KASAN_VMALLOC_KEEP_TAG was set at this point, all vms[] pointers + * would be unpoisoned with the KASAN_TAG_KERNEL which would disable + * KASAN checks down the line. + */ + if (flags & KASAN_VMALLOC_KEEP_TAG) { + pr_warn("KASAN_VMALLOC_KEEP_TAG flag shouldn't be already set!\n"); + return; + } + + size =3D vms[0]->size; + addr =3D vms[0]->addr; + vms[0]->addr =3D __kasan_unpoison_vmalloc(addr, size, flags); + tag =3D get_tag(vms[0]->addr); =20 - for (area =3D 0 ; area < nr_vms ; area++) { + for (area =3D 1 ; area < nr_vms ; area++) { size =3D vms[area]->size; - addr =3D vms[area]->addr; - vms[area]->addr =3D __kasan_unpoison_vmalloc(addr, size, flags); + addr =3D set_tag(vms[area]->addr, tag); + vms[area]->addr =3D + __kasan_unpoison_vmalloc(addr, size, flags | KASAN_VMALLOC_KEEP_TAG); } } #endif --=20 2.52.0