Re: [PATCH v2 2/2] kasan: Unpoison vms[area] addresses with a common tag

[Andrey Konovalov]

On Wed, Dec 3, 2025 at 5:24 PM Maciej Wieczór-Retman
<m.wieczorretman@xxxxx> wrote:
>
> >I'm thinking what you can do here is:
> >
> >vms[area]->addr = set_tag(addr, tag);
> >__kasan_unpoison_vmalloc(addr, size, flags | KASAN_VMALLOC_KEEP_TAG);
>
>
> I noticed that something like this wouldn't work once I started trying
> to rebase my work onto Jiayuan's. The line:
> +       u8 tag = get_tag(vms[0]->addr);
> is wrong and should be
> +       u8 tag = kasan_random_tag();

Ah, right.

> I was sure the vms[0]->addr was already tagged (I recall checking this
> so I'm not sure if something changed or my previous check was wrong) but
> the problem here is that vms[0]->addr, vms[1]->addr ... were unpoisoned
> with random addresses, specifically different random addresses. So then
> later in the pcpu chunk code vms[1] related pointers would get the tag
> from vms[0]->addr.
>
> So I think we still need a separate way to do __kasan_unpoison_vmalloc
> with a specific tag.

Why?

Assuming KASAN_VMALLOC_KEEP_TAG takes the tag from the pointer, just do:

tag = kasan_random_tag();
for (area = 0; ...) {
    vms[area]->addr = set_tag(vms[area]->addr, tag);
    __kasan_unpoison_vmalloc(vms[area]->addr, vms[area]->size, flags |
KASAN_VMALLOC_KEEP_TAG);
}

Or maybe even better:

vms[0]->addr = __kasan_unpoison_vmalloc(vms[0]->addr, vms[0]->size, flags);
tag = get_tag(vms[0]->addr);
for (area = 1; ...) {
    vms[area]->addr = set_tag(vms[area]->addr, tag);
    __kasan_unpoison_vmalloc(vms[area]->addr, vms[area]->size, flags |
KASAN_VMALLOC_KEEP_TAG);
}

This way we won't assign a random tag unless it's actually needed
(i.e. when KASAN_VMALLOC_PROT_NORMAL is not provided; assuming we care
to support that case).