The patch titled Subject: kasan: unpoison pcpu chunks with base address tag has been added to the -mm mm-hotfixes-unstable branch. Its filename is kasan-unpoison-pcpu-chunks-with-base-address-tag.patch

This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches...

This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days

------------------------------------------------------ From: Maciej Wieczor-Retman maciej.wieczor-retman@intel.com Subject: kasan: unpoison pcpu chunks with base address tag Date: Wed, 29 Oct 2025 19:05:49 +0000

The problem presented here is related to NUMA systems and tag-based KASAN modes - software and hardware ones. It can be explained in the following points:

1. There can be more than one virtual memory chunk.

2. Chunk's base address has a tag.

3. The base address points at the first chunk and thus inherits the tag of the first chunk.

4. The subsequent chunks will be accessed with the tag from the first chunk.

5. Thus, the subsequent chunks need to have their tag set to match that of the first chunk.

Refactor code by moving it into a helper in preparation for the actual fix.

Link: https://lkml.kernel.org/r/fbce40a59b0a22a5735cb6e9b95c5a45a34b23cb.176176368... Fixes: 1d96320f8d53 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS") Signed-off-by: Maciej Wieczor-Retman maciej.wieczor-retman@intel.com Tested-by: Baoquan He bhe@redhat.com Cc: Alexander Potapenko glider@google.com Cc: Andrey Konovalov andreyknvl@gmail.com Cc: Andrey Ryabinin ryabinin.a.a@gmail.com Cc: Andy Lutomirski luto@kernel.org Cc: Ard Biesheuvel ardb@kernel.org Cc: Barry Song baohua@kernel.org Cc: Bill Wendling morbo@google.com Cc: Borislav Betkov bp@alien8.de Cc: Breno Leitao leitao@debian.org Cc: Brian Gerst brgerst@gmail.com Cc: Catalin Marinas catalin.marinas@arm.com Cc: David Hildenbrand david@redhat.com Cc: Dmitriy Vyukov dvyukov@google.com Cc: FUJITA Tomonori fujita.tomonori@gmail.com Cc: Guilherme Giacomo Simoes trintaeoitogc@gmail.com Cc: "H. Peter Anvin" hpa@zytor.com Cc: Ingo Molnar mingo@redhat.com Cc: Jan Kiszka jan.kiszka@siemens.com Cc: Jeremy Linton jeremy.linton@arm.com Cc: John Hubbard jhubbard@nvidia.com Cc: Jonathan Corbet corbet@lwn.net Cc: Josh Poimboeuf jpoimboe@kernel.org Cc: Justin Stitt justinstitt@google.com Cc: Kalesh Singh kaleshsingh@google.com Cc: Kees Cook kees@kernel.org Cc: Kefeng Wang wangkefeng.wang@huawei.com Cc: Kieran Bingham kbingham@kernel.org Cc: levi.yun yeoreum.yun@arm.com Cc: Liam Howlett liam.howlett@oracle.com Cc: Lorenzo Stoakes lorenzo.stoakes@oracle.com Cc: Marco Elver elver@google.com Cc: Marc Rutland mark.rutland@arm.com Cc: Marc Zyngier maz@kernel.org Cc: Mark Brown broonie@kernel.org Cc: Michal Hocko mhocko@suse.com Cc: Miguel Ojeda ojeda@kernel.org Cc: Mike Rapoport rppt@kernel.org Cc: Mostafa Saleh smostafa@google.com Cc: Nathan Chancellor nathan@kernel.org Cc: Pankaj Gupta pankaj.gupta@amd.com Cc: Pasha Tatashin pasha.tatashin@soleen.com Cc: Peter Zijlstra peterz@infradead.org Cc: Samuel Holland samuel.holland@sifive.com Cc: Sebastian Andrzej Siewior bigeasy@linutronix.de Cc: Suren Baghdasaryan surenb@google.com Cc: Thomas Gleinxer tglx@linutronix.de Cc: Thomas Huth thuth@redhat.com Cc: "Uladzislau Rezki (Sony)" urezki@gmail.com Cc: Uros Bizjak ubizjak@gmail.com Cc: Vincenzo Frascino vincenzo.frascino@arm.com Cc: Vlastimil Babka vbabka@suse.cz Cc: Will Deacon will@kernel.org Cc: Xin Li (Intel) xin@zytor.com Cc: Zi Yan ziy@nvidia.com Cc: stable@vger.kernel.org [6.1+] Signed-off-by: Andrew Morton akpm@linux-foundation.org ---

include/linux/kasan.h | 10 ++++++++++ mm/kasan/tags.c | 11 +++++++++++ mm/vmalloc.c | 4 +--- 3 files changed, 22 insertions(+), 3 deletions(-)

--- a/include/linux/kasan.h~kasan-unpoison-pcpu-chunks-with-base-address-tag +++ a/include/linux/kasan.h @@ -614,6 +614,13 @@ static __always_inline void kasan_poison __kasan_poison_vmalloc(start, size); }

+void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms); +static __always_inline void kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms) +{ + if (kasan_enabled()) + __kasan_unpoison_vmap_areas(vms, nr_vms); +} + #else /* CONFIG_KASAN_VMALLOC */

static inline void kasan_populate_early_vm_area_shadow(void *start, @@ -638,6 +645,9 @@ static inline void *kasan_unpoison_vmall static inline void kasan_poison_vmalloc(const void *start, unsigned long size) { }

+static inline void kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms) +{ } + #endif /* CONFIG_KASAN_VMALLOC */

#if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \ --- a/mm/kasan/tags.c~kasan-unpoison-pcpu-chunks-with-base-address-tag +++ a/mm/kasan/tags.c @@ -18,6 +18,7 @@ #include <linux/static_key.h> #include <linux/string.h> #include <linux/types.h> +#include <linux/vmalloc.h>

#include "kasan.h" #include "../slab.h" @@ -146,3 +147,13 @@ void __kasan_save_free_info(struct kmem_ { save_stack_info(cache, object, 0, true); } + +void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms) +{ + int area; + + for (area = 0 ; area < nr_vms ; area++) { + kasan_poison(vms[area]->addr, vms[area]->size, + arch_kasan_get_tag(vms[area]->addr), false); + } +} --- a/mm/vmalloc.c~kasan-unpoison-pcpu-chunks-with-base-address-tag +++ a/mm/vmalloc.c @@ -4870,9 +4870,7 @@ retry: * With hardware tag-based KASAN, marking is skipped for * non-VM_ALLOC mappings, see __kasan_unpoison_vmalloc(). */ - for (area = 0; area < nr_vms; area++) - vms[area]->addr = kasan_unpoison_vmalloc(vms[area]->addr, - vms[area]->size, KASAN_VMALLOC_PROT_NORMAL); + kasan_unpoison_vmap_areas(vms, nr_vms);

kfree(vas); return vms; _

Patches currently in -mm which might be from maciej.wieczor-retman@intel.com are

kasan-unpoison-pcpu-chunks-with-base-address-tag.patch kasan-unpoison-vms-addresses-with-a-common-tag.patch