 
The patch titled
     Subject: kasan: unpoison vms[area] addresses with a common tag
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     kasan-unpoison-vms-addresses-with-a-common-tag.patch
This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches...
This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days
------------------------------------------------------
From: Maciej Wieczor-Retman maciej.wieczor-retman@intel.com
Subject: kasan: unpoison vms[area] addresses with a common tag
Date: Wed, 29 Oct 2025 19:06:03 +0000
The problem presented here is related to NUMA systems and tag-based KASAN modes - software and hardware ones. It can be explained in the following points:
1. There can be more than one virtual memory chunk.
2. Chunk's base address has a tag.
3. The base address points at the first chunk and thus inherits the tag of the first chunk.
4. The subsequent chunks will be accessed with the tag from the first chunk.
5. Thus, the subsequent chunks need to have their tag set to match that of the first chunk.
Unpoison all vms[]->addr memory and pointers with the same tag to resolve the mismatch.
Link: https://lkml.kernel.org/r/932121edc75be8e2038d64ecb4853df2e2b258df.176176368...
Fixes: 1d96320f8d53 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS")
Signed-off-by: Maciej Wieczor-Retman maciej.wieczor-retman@intel.com
Tested-by: Baoquan He bhe@redhat.com
Cc: Alexander Potapenko glider@google.com
Cc: Andrey Konovalov andreyknvl@gmail.com
Cc: Andrey Ryabinin ryabinin.a.a@gmail.com
Cc: Andy Lutomirski luto@kernel.org
Cc: Ard Biesheuvel ardb@kernel.org
Cc: Barry Song baohua@kernel.org
Cc: Bill Wendling morbo@google.com
Cc: Borislav Betkov bp@alien8.de
Cc: Breno Leitao leitao@debian.org
Cc: Brian Gerst brgerst@gmail.com
Cc: Catalin Marinas catalin.marinas@arm.com
Cc: David Hildenbrand david@redhat.com
Cc: Dmitriy Vyukov dvyukov@google.com
Cc: FUJITA Tomonori fujita.tomonori@gmail.com
Cc: Guilherme Giacomo Simoes trintaeoitogc@gmail.com
Cc: "H. Peter Anvin" hpa@zytor.com
Cc: Ingo Molnar mingo@redhat.com
Cc: Jan Kiszka jan.kiszka@siemens.com
Cc: Jeremy Linton jeremy.linton@arm.com
Cc: John Hubbard jhubbard@nvidia.com
Cc: Jonathan Corbet corbet@lwn.net
Cc: Josh Poimboeuf jpoimboe@kernel.org
Cc: Justin Stitt justinstitt@google.com
Cc: Kalesh Singh kaleshsingh@google.com
Cc: Kees Cook kees@kernel.org
Cc: Kefeng Wang wangkefeng.wang@huawei.com
Cc: Kieran Bingham kbingham@kernel.org
Cc: levi.yun yeoreum.yun@arm.com
Cc: Liam Howlett liam.howlett@oracle.com
Cc: Lorenzo Stoakes lorenzo.stoakes@oracle.com
Cc: Marco Elver elver@google.com
Cc: Marc Rutland mark.rutland@arm.com
Cc: Marc Zyngier maz@kernel.org
Cc: Mark Brown broonie@kernel.org
Cc: Michal Hocko mhocko@suse.com
Cc: Miguel Ojeda ojeda@kernel.org
Cc: Mike Rapoport rppt@kernel.org
Cc: Mostafa Saleh smostafa@google.com
Cc: Nathan Chancellor nathan@kernel.org
Cc: Pankaj Gupta pankaj.gupta@amd.com
Cc: Pasha Tatashin pasha.tatashin@soleen.com
Cc: Peter Zijlstra peterz@infradead.org
Cc: Samuel Holland samuel.holland@sifive.com
Cc: Sebastian Andrzej Siewior bigeasy@linutronix.de
Cc: Suren Baghdasaryan surenb@google.com
Cc: Thomas Gleinxer tglx@linutronix.de
Cc: Thomas Huth thuth@redhat.com
Cc: "Uladzislau Rezki (Sony)" urezki@gmail.com
Cc: Uros Bizjak ubizjak@gmail.com
Cc: Vincenzo Frascino vincenzo.frascino@arm.com
Cc: Vlastimil Babka vbabka@suse.cz
Cc: Will Deacon will@kernel.org
Cc: Xin Li (Intel) xin@zytor.com
Cc: Zi Yan ziy@nvidia.com
Cc: stable@vger.kernel.org [6.1+]
Signed-off-by: Andrew Morton akpm@linux-foundation.org
---
mm/kasan/tags.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
--- a/mm/kasan/tags.c~kasan-unpoison-vms-addresses-with-a-common-tag +++ a/mm/kasan/tags.c @@ -148,12 +148,20 @@ void __kasan_save_free_info(struct kmem_ save_stack_info(cache, object, 0, true); }
+/* + * A tag mismatch happens when calculating per-cpu chunk addresses, because + * they all inherit the tag from vms[0]->addr, even when nr_vms is bigger + * than 1. This is a problem because all the vms[]->addr come from separate + * allocations and have different tags so while the calculated address is + * correct the tag isn't. + */ void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms) { int area;
for (area = 0 ; area < nr_vms ; area++) { kasan_poison(vms[area]->addr, vms[area]->size, - arch_kasan_get_tag(vms[area]->addr), false); + arch_kasan_get_tag(vms[0]->addr), false); + arch_kasan_set_tag(vms[area]->addr, arch_kasan_get_tag(vms[0]->addr)); } } _
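Review bot: In the loop of __kasan_unpoison_vmap_areas(), the added `arch_kasan_set_tag(vms[area]->addr, arch_kasan_get_tag(vms[0]->addr));` discards whatever the helper produces, so unless arch_kasan_set_tag() writes through its argument, vms[area]->addr keeps its original tag and only the kasan_poison() side is changed. That would not match the changelog's "memory and pointers with the same tag". Consider assigning the result back, for example `vms[area]->addr = arch_kasan_set_tag(vms[area]->addr, tag);`, with `tag` a local read once from vms[0]->addr before the loop rather than calling arch_kasan_get_tag(vms[0]->addr) twice per iteration; that also brings the new line back under the usual line length. The added comment block explains the mismatch but not what the function now does about it; a closing sentence stating that every area is given the tag of vms[0]->addr would make it self-contained.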
Patches currently in -mm which might be from maciej.wieczor-retman@intel.com are
kasan-unpoison-pcpu-chunks-with-base-address-tag.patch
kasan-unpoison-vms-addresses-with-a-common-tag.patch
linux-stable-mirror@lists.linaro.org
