From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-wm1-f74.google.com (mail-wm1-f74.google.com [209.85.128.74])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6A0C3317163
	for <linux-kernel@vger.kernel.org>; Thu,  7 May 2026 09:52:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.74
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778147567; cv=none; b=MHR6a02/HclLeBsWWqmQcrRWvKxRNtUfr9YU+znkNfnRta3ha/wnHL3occGw8X+9ELON21ONg94iUIsZ3fjzasPVe+UD7Z6mLoH2X+5ZI9I3d55g8rlMfHYqGsHcS8Z/gyQseEi6wkIvChuXXkI7Te/+88TdGQayiNUtCXXIdcM=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778147567; c=relaxed/simple;
	bh=Jy1nzpLwrvJB3xDTTvweS2g1RGW6IG27NY7QUmuiA2c=;
	h=Date:Mime-Version:Message-ID:Subject:From:To:Cc:Content-Type; b=Z3zRlZajLOzP0rWbzIYqtzaJSrRIZ3wu8ZvjrHIPVSJ8LIVOvwyHXEHC/om+qDeaWJKCmRI7Hs4Hn7UsoqklIrBu6ygG/8x/hXLfvQWtQocyI3Yczue0XR4Ij4FeJ0CwFzhaIddOXXjHTFSk730mK8S3edJhdDSv5dxblwFY5fk=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--glider.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ubUUcua2; arc=none smtp.client-ip=209.85.128.74
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--glider.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ubUUcua2"
Received: by mail-wm1-f74.google.com with SMTP id 5b1f17b1804b1-488d3eec9bcso4061825e9.3
        for <linux-kernel@vger.kernel.org>; Thu, 07 May 2026 02:52:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1778147562; x=1778752362; darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
         :date:message-id:reply-to;
        bh=yWeMPigyvPYxl+60ohT4HGLws9GhFdbTgcN+wfrxMEw=;
        b=ubUUcua2tMwSU2YHFzL7KLtlofuvlIVMudK3oWahkpzjB5R8rVtqmXCKOIWsWbgNWf
         AUWdIPaEpCA/sb01FGDnQ3BCF5qOI2V5nGaGZnt1Trav5itk6ubUxr7hmKiQJs+HeOkb
         +BaXsVoPu1O74s4T1Qs/lfQUe3sS3LbcRU1YvFHciyn7Qse/p6fYPb4KHg9YSBc7dh8S
         /+/YtUlfhUJd7RHVlaUSzPV/Xnjuc/63CGoSw9FxPsKJw9tQ5bE5Dm4sYhzOheFf7MCf
         dVBZDz8bkBWVCRI4MKKZ3jFup0SMn+TxjFDfIEwL48hgZ8f7rWK5RnfvsiF5je455J2p
         LKnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778147562; x=1778752362;
        h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=yWeMPigyvPYxl+60ohT4HGLws9GhFdbTgcN+wfrxMEw=;
        b=lUYlqhKUdvarpYkAMQGRqjhRCEU+i0Onyk4UBPyCYvshEtiSo8fQaVYyy6AJpLZ3xF
         cK9UPsv07h+nsgSut6heY2bscGHbh6jGfre4M468P9EBh7B+/zE7s0PU1S8h9vGcVEoM
         jjs0yi3L72xmdqhjChjNpkrCs3NgPuxN/0laTtfM4P9c7TcbeSkgN5/HI1x/7S9KT4Oc
         S7J4rSX8OFewoeAUMb+w358iNbqdJsM8e1SH9YcF0BBCMxBvio02eeVMUe2KbF3i1hPi
         w8cH6qcs00ESxjt5WRwMG7FwCWcPjrJcaPYiWssTyn0rq9X3faaPstSvM7bxH+ZkuoGY
         chZA==
X-Forwarded-Encrypted: i=1; AFNElJ+XRJTE6WpAbb9GSqjn+E1pxykNFaRyXoodRcMHHAGANTp4cb2dL5yQhfgn4k63ivBhtfTnJLqnoagjEk4=@vger.kernel.org
X-Gm-Message-State: AOJu0YydSJJycccqphEozA4VMMjwl70LR/ukTiizo7y1xZGSWFBkI6tD
	W1Y6z+ms6OPwHS8t5YPSiQPW4/a3Xga3ExfNGlE8kbEkpu0AAUJk6zLXtLM2jkewoBZhjqy5Qyt
	v16MonA==
X-Received: from wmba12.prod.google.com ([2002:a05:600c:6dcc:b0:486:f89b:7f29])
 (user=glider job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:3b17:b0:489:5022:39a4
 with SMTP id 5b1f17b1804b1-48e51e20705mr107659835e9.9.1778147561704; Thu, 07
 May 2026 02:52:41 -0700 (PDT)
Date: Thu,  7 May 2026 11:52:37 +0200
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
X-Mailer: git-send-email 2.54.0.545.g6539524ca2-goog
Message-ID: <20260507095237.741017-1-glider@google.com>
Subject: [PATCH v1] kfence: fix KASAN HW tags bypass via runtime
 sample_interval change
From: Alexander Potapenko <glider@google.com>
To: glider@google.com
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, 
	linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, pimyn@google.com, 
	Marco Elver <elver@google.com>, Greg Thelen <gthelen@google.com>, 
	Roman Gushchin <roman.gushchin@linux.dev>
Content-Type: text/plain; charset="UTF-8"

If a user writes a non-zero value to the sample_interval module parameter
at runtime, the missing KASAN HW tags check in the late init path allows
KFENCE to be enabled alongside KASAN HW tags, bypassing the boot
restriction.
This patch adds the missing check to param_set_sample_interval() to reject
the parameter change if KASAN HW tags are enabled.

Fixes: 09833d99db36 ("mm/kfence: disable KFENCE upon KASAN HW tags enablement")
Cc: Marco Elver <elver@google.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Signed-off-by: Alexander Potapenko <glider@google.com>
---
 mm/kfence/core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mm/kfence/core.c b/mm/kfence/core.c
index 655dc5ce3240..ee6ae01de5ae 100644
--- a/mm/kfence/core.c
+++ b/mm/kfence/core.c
@@ -77,6 +77,11 @@ static int param_set_sample_interval(const char *val, const struct kernel_param
 		WRITE_ONCE(kfence_enabled, false);
 	}
 
+	if (num && kasan_hw_tags_enabled()) {
+		pr_info("disabled as KASAN HW tags are enabled\n");
+		return -EINVAL;
+	}
+
 	*((unsigned long *)kp->arg) = num;
 
 	if (num && !READ_ONCE(kfence_enabled) && system_state != SYSTEM_BOOTING)
-- 
2.54.0.545.g6539524ca2-goog