Re: [PATCH v2 2/3] kasan: skip HW tagging for all kernel thread stacks

From: Catalin Marinas

Date: Fri Apr 17 2026 - 04:31:25 EST


On Thu, Apr 16, 2026 at 11:03:46AM +0200, David Hildenbrand wrote:
> On 4/10/26 20:36, Catalin Marinas wrote:
> > On Fri, Apr 10, 2026 at 07:32:23PM +0100, Catalin Marinas wrote:
> >> What the original approach might help with is use-after-realloc in case
> >> we had a tagged pointer in a past life of a page and it still works now.
> >> Oh well, that's, I guess, for other types of hardening to address like
> >> delayed reallocation.
> >
> > Another thought (for a separate series) - we could try to map the stack
> > as Untagged (unless stack tagging is enabled; needs compiler
> > instrumentation) and enable canonical tag checking (newer addition to
> > MTE). This way, any stray tagged pointer won't work on the stack since
> > it needs a 0xf tag (canonical).
>
> Do you mean mapping it as Untagged in the vmap for CONFIG_VMAP_STACK or
> also as Untagged in the directmap?
>
> The latter brings in the set of problems with direct map fragmentation.

Just the vmap, there are a lot more problems with the direct map. Not
sure how much it does in terms of security, maybe marginally. A
match-all tag (0xf) would still be able to access the canonically tagged
memory.

--
Catalin