From 5fcd5513072b09f6533e22a779183fa2818bce81 Mon Sep 17 00:00:00 2001 From: Jiayuan Chen Date: Sun, 4 Jan 2026 20:35:27 +0800 Subject: arm64: mm: Fix incomplete tag reset in change_memory_common() Running KASAN KUnit tests with {HW,SW}_TAGS mode triggers a fault in change_memory_common(): Call trace: change_memory_common+0x168/0x210 (P) set_memory_ro+0x20/0x48 vmalloc_helpers_tags+0xe8/0x338 kunit_try_run_case+0x74/0x188 kunit_generic_run_threadfn_adapter+0x30/0x70 kthread+0x11c/0x200 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- # vmalloc_helpers_tags: try faulted not ok 67 vmalloc_helpers_tags Commit a06494adb7ef ("arm64: mm: use untagged address to calculate page index") fixed a KASAN warning in the BPF subsystem by adding kasan_reset_tag() to the index calculation. In the execmem flow: bpf_prog_pack_alloc() -> bpf_jit_alloc_exec() -> execmem_alloc() The returned address from execmem_vmalloc/execmem_cache_alloc is passed through kasan_reset_tag(), so start has no tag while area->addr still retains the original tag. The fix correctly handled this case by resetting the tag on area->addr: (start - (unsigned long)kasan_reset_tag(area->addr)) >> PAGE_SHIFT However, in normal vmalloc paths, both start and area->addr have matching tags(or no tags). Resetting only area->addr causes a mismatch when subtracting a tagged address from an untagged one, resulting in an incorrect index. Fix this by resetting tags on both addresses in the index calculation. This ensures correct results regardless of the tag state of either address. Tested with KASAN KUnit tests under CONFIG_KASAN_GENERIC, CONFIG_KASAN_SW_TAGS, and CONFIG_KASAN_HW_TAGS - all pass. Also verified the original BPF KASAN warning from [1] is still fixed. [1] https://lore.kernel.org/all/20251118164115.GA3977565@ax162/ Fixes: a06494adb7ef ("arm64: mm: use untagged address to calculate page index") Signed-off-by: Jiayuan Chen Signed-off-by: Jiayuan Chen Signed-off-by: Catalin Marinas --- arch/arm64/mm/pageattr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/arm64/mm/pageattr.c b/arch/arm64/mm/pageattr.c index f0e784b963e6..7176ff39cb87 100644 --- a/arch/arm64/mm/pageattr.c +++ b/arch/arm64/mm/pageattr.c @@ -171,7 +171,8 @@ static int change_memory_common(unsigned long addr, int numpages, */ area = find_vm_area((void *)addr); if (!area || - end > (unsigned long)kasan_reset_tag(area->addr) + area->size || + ((unsigned long)kasan_reset_tag((void *)end) > + (unsigned long)kasan_reset_tag(area->addr) + area->size) || ((area->flags & (VM_ALLOC | VM_ALLOW_HUGE_VMAP)) != VM_ALLOC)) return -EINVAL; @@ -184,7 +185,8 @@ static int change_memory_common(unsigned long addr, int numpages, */ if (rodata_full && (pgprot_val(set_mask) == PTE_RDONLY || pgprot_val(clear_mask) == PTE_RDONLY)) { - unsigned long idx = (start - (unsigned long)kasan_reset_tag(area->addr)) + unsigned long idx = ((unsigned long)kasan_reset_tag((void *)start) - + (unsigned long)kasan_reset_tag(area->addr)) >> PAGE_SHIFT; for (; numpages; idx++, numpages--) { ret = __change_memory_common((u64)page_address(area->pages[idx]), -- cgit v1.2.3