======= Introduction
The patchset aims to add a KASAN tag-based mode for the x86 architecture
with the help of the new CPU feature called Linear Address Masking
(LAM). Main improvement introduced by the series is 2x lower memory
usage compared to KASAN's generic mode, the only currently available
mode on x86. The tag based mode may also find errors that the generic
mode couldn't because of differences in how these modes operate.

======= How does KASAN' tag-based mode work?
When enabled, memory accesses and allocations are augmented by the
compiler during kernel compilation. Instrumentation functions are added
to each memory allocation and each pointer dereference.

The allocation related functions generate a random tag and save it in
two places: in shadow memory that maps to the allocated memory, and in
the top bits of the pointer that points to the allocated memory. Storing
the tag in the top of the pointer is possible because of Top-Byte Ignore
(TBI) on arm64 architecture and LAM on x86.

The access related functions are performing a comparison between the tag
stored in the pointer and the one stored in shadow memory. If the tags
don't match an out of bounds error must have occurred and so an error
report is generated.

The general idea for the tag-based mode is very well explained in the
series with the original implementation [1].

[1] https://lore.kernel.org/all/cover.1544099024.git.andreyknvl@google.com/

======= Differences summary compared to the arm64 tag-based mode
- Tag width:
	- Tag width influences the chance of a tag mismatch due to two
	  tags from different allocations having the same value. The
	  bigger the possible range of tag values the lower the chance
	  of that happening.
	- Shortening the tag width from 8 bits to 4, while it can help
	  with memory usage, it also increases the chance of not
	  reporting an error. 4 bit tags have a ~7% chance of a tag
	  mismatch.

- Address masking mechanism
	- TBI in arm64 allows for storing metadata in the top 8 bits of
	  the virtual address.
	- LAM in x86 allows storing tags in bits [62:57] of the pointer.
	  To maximize memory savings the tag width is reduced to bits
	  [60:57].

- Inline mode mismatch reporting
	- Arm64 inserts a BRK instruction to pass metadata about a tag
	  mismatch to the KASAN report.
	- On x86 the INT3 instruction is used for the same purpose.

======= Testing
Checked all the kunits for both software tags and generic KASAN after
making changes.

In generic mode the results were:

kasan: pass:59 fail:0 skip:13 total:72
Totals: pass:59 fail:0 skip:13 total:72
ok 1 kasan

and for software tags:

kasan: pass:63 fail:0 skip:9 total:72
Totals: pass:63 fail:0 skip:9 total:72
ok 1 kasan

======= Benchmarks [1]
All tests were ran on a Sierra Forest server platform. The only
differences between the tests were kernel options:
	- CONFIG_KASAN
	- CONFIG_KASAN_GENERIC
	- CONFIG_KASAN_SW_TAGS
	- CONFIG_KASAN_INLINE [1]
	- CONFIG_KASAN_OUTLINE

Boot time (until login prompt):
* 02:55 for clean kernel
* 05:42 / 06:32 for generic KASAN (inline/outline)
* 05:58 for tag-based KASAN (outline) [2]

Total memory usage (512GB present on the system - MemAvailable just
after boot):
* 12.56 GB for clean kernel
* 81.74 GB for generic KASAN
* 44.39 GB for tag-based KASAN

Kernel size:
* 14 MB for clean kernel
* 24.7 MB / 19.5 MB for generic KASAN (inline/outline)
* 27.1 MB / 18.1 MB for tag-based KASAN (inline/outline)

Compilation time comparison (10 cores):
* 7:27 for clean kernel
* 8:21/7:44 for generic KASAN (inline/outline)
* 8:20/7:41 for tag-based KASAN (inline/outline)

[1] Currently inline mode doesn't work on x86 due to things missing in
the compiler. I have written a patch for clang that seems to fix the
inline mode and I was able to boot and check that all patches regarding
the inline mode work as expected. My hope is to post the patch to LLVM
once this series is completed, and then make inline mode available in
the kernel config.

[2] While I was able to boot the inline tag-based kernel with my
compiler changes in a simulated environment, due to toolchain
difficulties I couldn't get it to boot on the machine I had access to.
Also boot time results from the simulation seem too good to be true, and
they're much too worse for the generic case to be believable. Therefore
I'm posting only results from the physical server platform.

======= Compilation
Clang was used to compile the series (make LLVM=1) since gcc doesn't
seem to have support for KASAN tag-based compiler instrumentation on
x86.

======= Dependencies
The base branch for the series is the mainline kernel, tag 6.17-rc1.

======= Enabling LAM for testing
Since LASS is needed for LAM and it can't be compiled without it I
applied the LASS series [1] first, then applied my patches.

[1] https://lore.kernel.org/all/20250707080317.3791624-1-kirill.shutemov@linux.intel.com/

Changes v4:
- Revert x86 kasan_mem_to_shadow() scheme to the same on used in generic
  KASAN. Keep the arithmetic shift idea for the KASAN in general since
  it makes more sense for arm64 and in risc-v.
- Fix inline mode but leave it unavailable until a complementary
  compiler patch can be merged.
- Apply Dave Hansen's comments on series formatting, patch style and
  code simplifications.

Changes v3:
- Remove the runtime_const patch and setup a unified offset for both 5
  and 4 paging levels.
- Add a fix for inline mode on x86 tag-based KASAN. Add a handler for
  int3 that is generated on inline tag mismatches.
- Fix scripts/gdb/linux/kasan.py so the new signed mem_to_shadow() is
  reflected there.
- Fix Documentation/arch/arm64/kasan-offsets.sh to take new offsets into
  account.
- Made changes to the kasan_non_canonical_hook() according to upstream
  discussion.
- Remove patches 2 and 3 since they related to risc-v and this series
  adds only x86 related things.
- Reorder __tag_*() functions so they're before arch_kasan_*(). Remove
  CONFIG_KASAN condition from __tag_set().

Changes v2:
- Split the series into one adding KASAN tag-based mode (this one) and
  another one that adds the dense mode to KASAN (will post later).
- Removed exporting kasan_poison() and used a wrapper instead in
  kasan_init_64.c
- Prepended series with 4 patches from the risc-v series and applied
  review comments to the first patch as the rest already are reviewed.

Maciej Wieczor-Retman (16):
  kasan: Fix inline mode for x86 tag-based mode
  x86: Add arch specific kasan functions
  kasan: arm64: x86: Make special tags arch specific
  x86: Reset tag for virtual to physical address conversions
  mm: x86: Untag addresses in EXECMEM_ROX related pointer arithmetic
  x86: Physical address comparisons in fill_p*d/pte
  x86: KASAN raw shadow memory PTE init
  x86: LAM compatible non-canonical definition
  x86: LAM initialization
  x86: Minimal SLAB alignment
  kasan: arm64: x86: Handle int3 for inline KASAN reports
  kasan: x86: Apply multishot to the inline report handler
  kasan: x86: Logical bit shift for kasan_mem_to_shadow
  mm: Unpoison pcpu chunks with base address tag
  mm: Unpoison vms[area] addresses with a common tag
  x86: Make software tag-based kasan available

Samuel Holland (2):
  kasan: sw_tags: Use arithmetic shift for shadow computation
  kasan: sw_tags: Support tag widths less than 8 bits

 Documentation/arch/arm64/kasan-offsets.sh |  8 ++-
 Documentation/arch/x86/x86_64/mm.rst      |  6 +-
 MAINTAINERS                               |  4 +-
 arch/arm64/Kconfig                        | 10 ++--
 arch/arm64/include/asm/kasan-tags.h       |  9 +++
 arch/arm64/include/asm/kasan.h            |  6 +-
 arch/arm64/include/asm/memory.h           | 14 ++++-
 arch/arm64/include/asm/uaccess.h          |  1 +
 arch/arm64/kernel/traps.c                 | 17 +-----
 arch/arm64/mm/kasan_init.c                |  7 ++-
 arch/x86/Kconfig                          |  4 +-
 arch/x86/boot/compressed/misc.h           |  1 +
 arch/x86/include/asm/cache.h              |  4 ++
 arch/x86/include/asm/kasan-tags.h         |  9 +++
 arch/x86/include/asm/kasan.h              | 71 ++++++++++++++++++++++-
 arch/x86/include/asm/page.h               | 24 +++++++-
 arch/x86/include/asm/page_64.h            |  2 +-
 arch/x86/kernel/alternative.c             |  4 +-
 arch/x86/kernel/head_64.S                 |  3 +
 arch/x86/kernel/setup.c                   |  2 +
 arch/x86/kernel/traps.c                   |  4 ++
 arch/x86/mm/Makefile                      |  2 +
 arch/x86/mm/init.c                        |  3 +
 arch/x86/mm/init_64.c                     | 11 ++--
 arch/x86/mm/kasan_init_64.c               | 19 +++++-
 arch/x86/mm/kasan_inline.c                | 26 +++++++++
 arch/x86/mm/pat/set_memory.c              |  1 +
 arch/x86/mm/physaddr.c                    |  1 +
 include/linux/kasan-tags.h                | 21 +++++--
 include/linux/kasan.h                     | 51 +++++++++++++++-
 include/linux/mm.h                        |  6 +-
 include/linux/mmzone.h                    |  1 -
 include/linux/page-flags-layout.h         |  9 +--
 lib/Kconfig.kasan                         |  3 +-
 mm/execmem.c                              |  4 +-
 mm/kasan/hw_tags.c                        | 11 ++++
 mm/kasan/report.c                         | 45 ++++++++++++--
 mm/kasan/shadow.c                         | 18 ++++++
 mm/vmalloc.c                              |  8 +--
 scripts/Makefile.kasan                    |  3 +
 scripts/gdb/linux/kasan.py                |  5 +-
 scripts/gdb/linux/mm.py                   |  5 +-
 42 files changed, 381 insertions(+), 82 deletions(-)
 mode change 100644 => 100755 Documentation/arch/arm64/kasan-offsets.sh
 create mode 100644 arch/arm64/include/asm/kasan-tags.h
 create mode 100644 arch/x86/include/asm/kasan-tags.h
 create mode 100644 arch/x86/mm/kasan_inline.c

-- 
2.50.1

On Tue, Aug 12, 2025 at 03:23:36PM +0200, Maciej Wieczor-Retman wrote:
> Compilation time comparison (10 cores):
> * 7:27 for clean kernel
> * 8:21/7:44 for generic KASAN (inline/outline)
> * 8:20/7:41 for tag-based KASAN (inline/outline)

It is not clear if it is compilation time of a kernel with different
config options or compilation time of the same kernel running on machine
with different kernels (KASAN-off/KASAN-generic/KASAN-tagged).

-- 
  Kiryl Shutsemau / Kirill A. Shutemov

On 2025-08-13 at 09:16:29 +0100, Kiryl Shutsemau wrote:
>On Tue, Aug 12, 2025 at 03:23:36PM +0200, Maciej Wieczor-Retman wrote:
>> Compilation time comparison (10 cores):
>> * 7:27 for clean kernel
>> * 8:21/7:44 for generic KASAN (inline/outline)
>> * 8:20/7:41 for tag-based KASAN (inline/outline)
>
>It is not clear if it is compilation time of a kernel with different
>config options or compilation time of the same kernel running on machine
>with different kernels (KASAN-off/KASAN-generic/KASAN-tagged).

It's the first one, I'll reword this accordingly.

When you said a while ago this would be a good thing to measure, did you mean
the first or the second thing? I thought you meant the first one but now I have
doubts.

>
>-- 
>  Kiryl Shutsemau / Kirill A. Shutemov

-- 
Kind regards
Maciej Wieczór-Retman

On Wed, Aug 13, 2025 at 12:39:35PM +0200, Maciej Wieczor-Retman wrote:
> On 2025-08-13 at 09:16:29 +0100, Kiryl Shutsemau wrote:
> >On Tue, Aug 12, 2025 at 03:23:36PM +0200, Maciej Wieczor-Retman wrote:
> >> Compilation time comparison (10 cores):
> >> * 7:27 for clean kernel
> >> * 8:21/7:44 for generic KASAN (inline/outline)
> >> * 8:20/7:41 for tag-based KASAN (inline/outline)
> >
> >It is not clear if it is compilation time of a kernel with different
> >config options or compilation time of the same kernel running on machine
> >with different kernels (KASAN-off/KASAN-generic/KASAN-tagged).
> 
> It's the first one, I'll reword this accordingly.
> 
> When you said a while ago this would be a good thing to measure, did you mean
> the first or the second thing? I thought you meant the first one but now I have
> doubts.

I meant the second. We want to know how slow is it to run a workload
under kernel with KASAN enabled.

-- 
  Kiryl Shutsemau / Kirill A. Shutemov

On 2025-08-13 at 12:05:47 +0100, Kiryl Shutsemau wrote:
>On Wed, Aug 13, 2025 at 12:39:35PM +0200, Maciej Wieczor-Retman wrote:
>> On 2025-08-13 at 09:16:29 +0100, Kiryl Shutsemau wrote:
>> >On Tue, Aug 12, 2025 at 03:23:36PM +0200, Maciej Wieczor-Retman wrote:
>> >> Compilation time comparison (10 cores):
>> >> * 7:27 for clean kernel
>> >> * 8:21/7:44 for generic KASAN (inline/outline)
>> >> * 8:20/7:41 for tag-based KASAN (inline/outline)
>> >
>> >It is not clear if it is compilation time of a kernel with different
>> >config options or compilation time of the same kernel running on machine
>> >with different kernels (KASAN-off/KASAN-generic/KASAN-tagged).
>> 
>> It's the first one, I'll reword this accordingly.
>> 
>> When you said a while ago this would be a good thing to measure, did you mean
>> the first or the second thing? I thought you meant the first one but now I have
>> doubts.
>
>I meant the second. We want to know how slow is it to run a workload
>under kernel with KASAN enabled.

Okay, thanks for confirming, I'll run these compilations on the system with the
tested kernels and attach results to v5 of the series.

>
>-- 
>  Kiryl Shutsemau / Kirill A. Shutemov

-- 
Kind regards
Maciej Wieczór-Retman

Hi,

On 12/08/2025 14:23, Maciej Wieczor-Retman wrote:
> [...]
> ======= Testing
> Checked all the kunits for both software tags and generic KASAN after
> making changes.
>
> In generic mode the results were:
>
> kasan: pass:59 fail:0 skip:13 total:72
> Totals: pass:59 fail:0 skip:13 total:72
> ok 1 kasan
>
> and for software tags:
>
> kasan: pass:63 fail:0 skip:9 total:72
> Totals: pass:63 fail:0 skip:9 total:72
> ok 1 kasan
I tested the series on arm64 and after fixing the build issues mentioned
I was able to boot without issues and did not observe any regressions
in the KASAN KUnit tests with either generic or software tags.

So this is Tested-by: Ada Couprie Diaz <ada.coupriediaz@arm.com> (For arm64)

I will note that the tests `kmalloc_memmove_negative_size` and
`kmalloc_memmove_invalid_size` seem to be able to corrupt memory
and lead to kernel crashes if `memmove()` is not properly instrumented,
which I discovered while investigating [0].
> [...]
> ======= Compilation
> Clang was used to compile the series (make LLVM=1) since gcc doesn't
> seem to have support for KASAN tag-based compiler instrumentation on
> x86.

Interestingly, while investigating [0], this comment slipped by me and
I managed to compile your series for x86 with software tags using GCC,
though it is a bit hacky.
You need to update the CC_HAS_KASAN_SW_TAGS to pass `-mlam=u48`
or `-mlam=u57`, as it is disabled by default, and pass `-march=arrowlake`
for compilation (the support for software tags depends on the arch).
You could then test with GCC (though the issue in [0] also applies to x86).

Best,
Ada

[0]: https://groups.google.com/g/kasan-dev/c/v1PYeoitg88

> ======= Dependencies
> The base branch for the series is the mainline kernel, tag 6.17-rc1.
>
> ======= Enabling LAM for testing
> Since LASS is needed for LAM and it can't be compiled without it I
> applied the LASS series [1] first, then applied my patches.
>
> [1] https://lore.kernel.org/all/20250707080317.3791624-1-kirill.shutemov@linux.intel.com/
>
> Changes v4:
> - Revert x86 kasan_mem_to_shadow() scheme to the same on used in generic
>    KASAN. Keep the arithmetic shift idea for the KASAN in general since
>    it makes more sense for arm64 and in risc-v.
> - Fix inline mode but leave it unavailable until a complementary
>    compiler patch can be merged.
> - Apply Dave Hansen's comments on series formatting, patch style and
>    code simplifications.
>
> Changes v3:
> - Remove the runtime_const patch and setup a unified offset for both 5
>    and 4 paging levels.
> - Add a fix for inline mode on x86 tag-based KASAN. Add a handler for
>    int3 that is generated on inline tag mismatches.
> - Fix scripts/gdb/linux/kasan.py so the new signed mem_to_shadow() is
>    reflected there.
> - Fix Documentation/arch/arm64/kasan-offsets.sh to take new offsets into
>    account.
> - Made changes to the kasan_non_canonical_hook() according to upstream
>    discussion.
> - Remove patches 2 and 3 since they related to risc-v and this series
>    adds only x86 related things.
> - Reorder __tag_*() functions so they're before arch_kasan_*(). Remove
>    CONFIG_KASAN condition from __tag_set().
>
> Changes v2:
> - Split the series into one adding KASAN tag-based mode (this one) and
>    another one that adds the dense mode to KASAN (will post later).
> - Removed exporting kasan_poison() and used a wrapper instead in
>    kasan_init_64.c
> - Prepended series with 4 patches from the risc-v series and applied
>    review comments to the first patch as the rest already are reviewed.
>
> Maciej Wieczor-Retman (16):
>    kasan: Fix inline mode for x86 tag-based mode
>    x86: Add arch specific kasan functions
>    kasan: arm64: x86: Make special tags arch specific
>    x86: Reset tag for virtual to physical address conversions
>    mm: x86: Untag addresses in EXECMEM_ROX related pointer arithmetic
>    x86: Physical address comparisons in fill_p*d/pte
>    x86: KASAN raw shadow memory PTE init
>    x86: LAM compatible non-canonical definition
>    x86: LAM initialization
>    x86: Minimal SLAB alignment
>    kasan: arm64: x86: Handle int3 for inline KASAN reports
>    kasan: x86: Apply multishot to the inline report handler
>    kasan: x86: Logical bit shift for kasan_mem_to_shadow
>    mm: Unpoison pcpu chunks with base address tag
>    mm: Unpoison vms[area] addresses with a common tag
>    x86: Make software tag-based kasan available
>
> Samuel Holland (2):
>    kasan: sw_tags: Use arithmetic shift for shadow computation
>    kasan: sw_tags: Support tag widths less than 8 bits
>
>   Documentation/arch/arm64/kasan-offsets.sh |  8 ++-
>   Documentation/arch/x86/x86_64/mm.rst      |  6 +-
>   MAINTAINERS                               |  4 +-
>   arch/arm64/Kconfig                        | 10 ++--
>   arch/arm64/include/asm/kasan-tags.h       |  9 +++
>   arch/arm64/include/asm/kasan.h            |  6 +-
>   arch/arm64/include/asm/memory.h           | 14 ++++-
>   arch/arm64/include/asm/uaccess.h          |  1 +
>   arch/arm64/kernel/traps.c                 | 17 +-----
>   arch/arm64/mm/kasan_init.c                |  7 ++-
>   arch/x86/Kconfig                          |  4 +-
>   arch/x86/boot/compressed/misc.h           |  1 +
>   arch/x86/include/asm/cache.h              |  4 ++
>   arch/x86/include/asm/kasan-tags.h         |  9 +++
>   arch/x86/include/asm/kasan.h              | 71 ++++++++++++++++++++++-
>   arch/x86/include/asm/page.h               | 24 +++++++-
>   arch/x86/include/asm/page_64.h            |  2 +-
>   arch/x86/kernel/alternative.c             |  4 +-
>   arch/x86/kernel/head_64.S                 |  3 +
>   arch/x86/kernel/setup.c                   |  2 +
>   arch/x86/kernel/traps.c                   |  4 ++
>   arch/x86/mm/Makefile                      |  2 +
>   arch/x86/mm/init.c                        |  3 +
>   arch/x86/mm/init_64.c                     | 11 ++--
>   arch/x86/mm/kasan_init_64.c               | 19 +++++-
>   arch/x86/mm/kasan_inline.c                | 26 +++++++++
>   arch/x86/mm/pat/set_memory.c              |  1 +
>   arch/x86/mm/physaddr.c                    |  1 +
>   include/linux/kasan-tags.h                | 21 +++++--
>   include/linux/kasan.h                     | 51 +++++++++++++++-
>   include/linux/mm.h                        |  6 +-
>   include/linux/mmzone.h                    |  1 -
>   include/linux/page-flags-layout.h         |  9 +--
>   lib/Kconfig.kasan                         |  3 +-
>   mm/execmem.c                              |  4 +-
>   mm/kasan/hw_tags.c                        | 11 ++++
>   mm/kasan/report.c                         | 45 ++++++++++++--
>   mm/kasan/shadow.c                         | 18 ++++++
>   mm/vmalloc.c                              |  8 +--
>   scripts/Makefile.kasan                    |  3 +
>   scripts/gdb/linux/kasan.py                |  5 +-
>   scripts/gdb/linux/mm.py                   |  5 +-
>   42 files changed, 381 insertions(+), 82 deletions(-)
>   mode change 100644 => 100755 Documentation/arch/arm64/kasan-offsets.sh
>   create mode 100644 arch/arm64/include/asm/kasan-tags.h
>   create mode 100644 arch/x86/include/asm/kasan-tags.h
>   create mode 100644 arch/x86/mm/kasan_inline.c
>

Hello, and thanks for testing the series!

On 2025-08-21 at 13:30:28 +0100, Ada Couprie Diaz wrote:
>Hi,
>
>On 12/08/2025 14:23, Maciej Wieczor-Retman wrote:
>> [...]
>> ======= Testing
>> Checked all the kunits for both software tags and generic KASAN after
>> making changes.
>> 
>> In generic mode the results were:
>> 
>> kasan: pass:59 fail:0 skip:13 total:72
>> Totals: pass:59 fail:0 skip:13 total:72
>> ok 1 kasan
>> 
>> and for software tags:
>> 
>> kasan: pass:63 fail:0 skip:9 total:72
>> Totals: pass:63 fail:0 skip:9 total:72
>> ok 1 kasan
>I tested the series on arm64 and after fixing the build issues mentioned
>I was able to boot without issues and did not observe any regressions
>in the KASAN KUnit tests with either generic or software tags.
>
>So this is Tested-by: Ada Couprie Diaz <ada.coupriediaz@arm.com> (For arm64)

Thank you! I'll try to send the fixed series on monday/tuesday.

>I will note that the tests `kmalloc_memmove_negative_size` and
>`kmalloc_memmove_invalid_size` seem to be able to corrupt memory
>and lead to kernel crashes if `memmove()` is not properly instrumented,
>which I discovered while investigating [0].

What do you mean by 'properly instrumented'? Is it the intrinsic prefix thing
for gcc that you mentioned?

>> [...]
>> ======= Compilation
>> Clang was used to compile the series (make LLVM=1) since gcc doesn't
>> seem to have support for KASAN tag-based compiler instrumentation on
>> x86.
>
>Interestingly, while investigating [0], this comment slipped by me and
>I managed to compile your series for x86 with software tags using GCC,
>though it is a bit hacky.
>You need to update the CC_HAS_KASAN_SW_TAGS to pass `-mlam=u48`
>or `-mlam=u57`, as it is disabled by default, and pass `-march=arrowlake`
>for compilation (the support for software tags depends on the arch).
>You could then test with GCC (though the issue in [0] also applies to x86).

Thanks! I'll try it out :)

>
>Best,
>Ada

-- 
Kind regards
Maciej Wieczór-Retman