Re: [PATCH v2 2/3] kasan: skip HW tagging for all kernel thread stacks
From: Catalin Marinas
Date: Fri Apr 10 2026 - 14:33:47 EST
On Tue, Mar 24, 2026 at 01:26:28PM +0000, Muhammad Usama Anjum wrote:
> diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
> index 051e429026904..307b8390fc670 100644
> --- a/include/linux/thread_info.h
> +++ b/include/linux/thread_info.h
> @@ -92,7 +92,7 @@ static inline long set_restart_fn(struct restart_block *restart,
> #define THREAD_ALIGN THREAD_SIZE
> #endif
>
> -#define THREADINFO_GFP (GFP_KERNEL_ACCOUNT | __GFP_ZERO)
> +#define THREADINFO_GFP (GFP_KERNEL_ACCOUNT | __GFP_ZERO | __GFP_SKIP_KASAN)
>
> /*
> * flag set/clear/test wrappers
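Review bot: THREADINFO_GFP gains __GFP_SKIP_KASAN without a comment explaining the intent; unlike the GFP_VMAP_STACK change in kernel/fork.c, nothing next to the macro tells a reader that kernel thread stacks are deliberately left untagged under hardware tag-based KASAN. A one-line comment above the define (e.g. "/* Thread stacks are not tagged under HW_TAGS KASAN, see alloc_thread_stack_node(). */") would keep the two definitions in step and make it obvious that the flag is intentional rather than a leftover.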
> diff --git a/kernel/fork.c b/kernel/fork.c
> index bb0c2613a5604..4bc7a03662109 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -207,7 +207,7 @@ static DEFINE_PER_CPU(struct vm_struct *, cached_stacks[NR_CACHED_STACKS]);
> * accounting is performed by the code assigning/releasing stacks to tasks.
> * We need a zeroed memory without __GFP_ACCOUNT.
> */
> -#define GFP_VMAP_STACK (GFP_KERNEL | __GFP_ZERO)
> +#define GFP_VMAP_STACK (GFP_KERNEL | __GFP_ZERO | __GFP_SKIP_KASAN)
>
> struct vm_stack {
> struct rcu_head rcu;
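Review bot: the comment block directly above GFP_VMAP_STACK still says only "We need a zeroed memory without __GFP_ACCOUNT", so the new __GFP_SKIP_KASAN bit is undocumented at the point where it matters most. Extend that comment to state that the stack pages are allocated with KASAN tagging skipped, so the rationale lives with the macro rather than only in the commit message.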
> @@ -345,7 +345,8 @@ static int alloc_thread_stack_node(struct task_struct *tsk, int node)
> }
>
> /* Reset stack metadata. */
> - kasan_unpoison_range(vm_area->addr, THREAD_SIZE);
> + if (!kasan_hw_tags_enabled())
> + kasan_unpoison_range(vm_area->addr, THREAD_SIZE);
>
> stack = kasan_reset_tag(vm_area->addr);
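Review bot: the new `if (!kasan_hw_tags_enabled())` guard changes the unpoison behaviour only for the hardware tag-based mode, while the generic and software tag-based modes keep calling kasan_unpoison_range() on a range whose pages were allocated with __GFP_SKIP_KASAN. Please add a short comment on the guard explaining why the explicit unpoison is still needed for the non-HW modes here (the cached vm_area may carry stale shadow/tags from a previous owner), or, if it is not needed, say so; as written the asymmetry between the GFP flag and the runtime check is easy to misread as an oversight.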
I wonder, since kasan_reset_tag() returns a match-all pointer even
with KASAN_SW_TAGS, whether it is worth unpoisoning the range (unless it somehow
interferes with vfree(), but I couldn't see how).

What the original approach might help with is use-after-realloc in case
we had a tagged pointer in a past life of a page and it still works now.
Oh well, that's, I guess, for other types of hardening to address, like
delayed reallocation.
--
Catalin