On 12/06/2026 05:44, Dev Jain wrote:
> Introduce a boot option to tag only at allocation time of the objects. This
> reduces KASAN MTE overhead, the tradeoff being reduced ability of
> catching bugs.
>
> Now, when a memory object will be freed, it will retain the random tag it
> had at allocation time. This compromises on catching UAF bugs, till the
> time the object is not reallocated, at which point it will have a new
> random tag.
>
> Hence, not catching "use-after-free-before-reallocation" and not catching
> "double-free" will be the compromise for reduced KASAN overhead.
Does standard KASAN with HW_TAGS really detect double-free? How does it do
that? I could imagine it testing the tags of memory being freed to see if
they are set to the poison tag, but that would lead to false positives for
the GFP_SKIP_KASAN case, surely?

If I'm right, then the only downgrade this new mode causes is that if
freed-but-not-yet-reallocated memory is accessed via its dangling pointer,
then that bad access is not detected. I think that would be benign in all
the cases I can think of, so while it would be a problem for a debugging
use case, it would unlikely be a problem for security enforcement?

Thanks,
Ryan

>
> This is an RFC because we are not clear about the performance benefit.
>
> Android folks, please help with testing!
>
> ---
> Applies on Linus master (9716c086c8e8).
>
> Dev Jain (2):
>   kasan: hw_tags: Use KASAN_PAGE_REDZONE for vmalloc redzoning
>   kasan: hw_tags: Add boot option to elide free time poisoning
>
>  Documentation/dev-tools/kasan.rst |  4 +++
>  mm/kasan/hw_tags.c                | 45 +++++++++++++++++++++++++++++--
>  mm/kasan/kasan.h                  | 23 +++++++++++++++-
>  3 files changed, 69 insertions(+), 3 deletions(-)
>
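The difference the two messages above are debating (a dangling-pointer access before versus after the slot is reused) can be made concrete with a small user-space model of MTE-style tag checking. This is an added example written for this thread, not kernel code and not part of the patch set: it keeps MTE's 16-byte granules and 4-bit pointer tag in bits 56-59, but hands out tags from a counter instead of a random source so the run is deterministic, uses a model poison value rather than KASAN's own tag constants, and implements a one-size slab with lowest-free-slot reuse so the second allocation lands on the freed object. `free_mode` selects between retagging on free (the default hw_tags behaviour) and leaving the allocation-time tag in place (the proposed boot option).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of MTE tag checking for this thread; not kernel code. */
#define GRANULE_BYTES 16
#define NGRANULES     64
#define TAG_MASK      0xFULL
#define TAG_SHIFT     56
#define TAG_INVALID   0xEU                    /* model poison tag, not KASAN's constant */
#define OBJ_GRANULES  2                       /* each model object is 32 bytes */
#define NSLOTS        (NGRANULES / OBJ_GRANULES)

enum free_mode { POISON_ON_FREE, TAG_AT_ALLOC_ONLY };

static uint8_t tag_mem[NGRANULES];  /* one tag per granule ("tag memory") */
static bool slot_used[NSLOTS];
static uint8_t next_tag;            /* counter standing in for a random tag generator */

static void model_reset(void)
{
    memset(tag_mem, 0, sizeof tag_mem);
    memset(slot_used, 0, sizeof slot_used);
    next_tag = 0;
}

/* Cycle through 1..15 skipping the poison value; real KASAN draws randomly. */
static uint8_t fresh_tag(void)
{
    do {
        next_tag = (uint8_t)((next_tag + 1) & TAG_MASK);
    } while (next_tag == 0 || next_tag == TAG_INVALID);
    return next_tag;
}

static uint64_t make_ptr(size_t granule, uint8_t tag)
{
    return ((uint64_t)tag << TAG_SHIFT) | (uint64_t)(granule * GRANULE_BYTES);
}
static uint8_t ptr_tag(uint64_t p) { return (uint8_t)((p >> TAG_SHIFT) & TAG_MASK); }
static size_t ptr_granule(uint64_t p) { return (size_t)((p & ((1ULL << TAG_SHIFT) - 1)) / GRANULE_BYTES); }

/* The hardware check: an access faults when pointer tag != granule tag. */
static bool access_faults(uint64_t p)
{
    return tag_mem[ptr_granule(p)] != ptr_tag(p);
}

static void set_tags(size_t slot, uint8_t tag)
{
    for (size_t g = 0; g < OBJ_GRANULES; g++)
        tag_mem[slot * OBJ_GRANULES + g] = tag;
}

/* Both modes tag the object with a fresh tag at allocation time. */
static uint64_t model_alloc(void)
{
    for (size_t s = 0; s < NSLOTS; s++) {
        if (slot_used[s])
            continue;
        slot_used[s] = true;
        uint8_t t = fresh_tag();
        set_tags(s, t);
        return make_ptr(s * OBJ_GRANULES, t);
    }
    return 0;  /* out of slots */
}

static void model_free(uint64_t p, enum free_mode mode)
{
    size_t slot = ptr_granule(p) / OBJ_GRANULES;
    slot_used[slot] = false;
    if (mode == POISON_ON_FREE)
        set_tags(slot, TAG_INVALID);   /* retag on free */
    /* TAG_AT_ALLOC_ONLY: the allocation-time tag stays in tag memory */
}

/* Free, then touch the object through the dangling pointer before any reuse. */
static bool uaf_before_realloc_caught(enum free_mode mode)
{
    model_reset();
    uint64_t p = model_alloc();
    model_free(p, mode);
    return access_faults(p);
}

/* Same, but only after the slot has been handed out again with a new tag. */
static bool uaf_after_realloc_caught(enum free_mode mode)
{
    model_reset();
    uint64_t p = model_alloc();
    model_free(p, mode);
    uint64_t q = model_alloc();        /* lowest free slot: the one p pointed at */
    if (ptr_granule(q) != ptr_granule(p))
        return false;                  /* slot was not reused; nothing to catch */
    return access_faults(p);
}

int main(void)
{
    const char *names[] = { "poison-on-free", "tag-at-alloc-only" };
    for (int m = POISON_ON_FREE; m <= TAG_AT_ALLOC_ONLY; m++)
        printf("%-18s UAF before realloc: %s, after realloc: %s\n", names[m],
               uaf_before_realloc_caught((enum free_mode)m) ? "caught" : "missed",
               uaf_after_realloc_caught((enum free_mode)m) ? "caught" : "missed");
    return 0;
}
```

Running it shows the single case that separates the modes: with tag-at-alloc-only the dangling access before reuse matches the still-present tag and is missed, while after reuse both modes fault because the slot now carries a different tag. Two caveats the model glosses over: real KASAN picks tags randomly, so in both modes a reallocation has a small chance of drawing the old tag and hiding that use-after-free too, and the model says nothing about whether a double free is detected, which is the open question in the reply above.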

