Re: [PATCH v2 2/3] kasan: skip HW tagging for all kernel thread stacks

Next message: Guangshuo Li: "Re: [PATCH] arm_pmu: acpi: fix reference leak on failed device registration"
Previous message: syzbot: "Re: [syzbot] [dri?] KASAN: slab-use-after-free Read in drm_gem_object_release_handle"
Next in thread: Catalin Marinas: "Re: [PATCH v2 2/3] kasan: skip HW tagging for all kernel thread stacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Hildenbrand (Arm)

Date: Thu Apr 16 2026 - 05:04:10 EST

On 4/10/26 20:36, Catalin Marinas wrote:
> On Fri, Apr 10, 2026 at 07:32:23PM +0100, Catalin Marinas wrote:
>> What the original approach might help with is use-after-realloc in case
>> we had a tagged pointer in a past life of a page and it still works now.
>> Oh well, that's I guess for other types of hardening to address like
>> delayed reallocation.
>
> Another thought (for a separate series) - we could try to map the stack
> as Untagged (unless stack tagging is enabled; needs compiler
> instrumentation) and enable canonical tag checking (newer addition to
> MTE). This way, any stray tagged pointer won't work on the stack since
> it needs a 0xf tag (canonical).

Do you mean mapping it as Untagged in the vmap for CONFIG_VMAP_STACK or
also as Untagged in the directmap?

The latter brings in the set of problems with direct map fragmentation.
--
Cheers,

David