Commit 09833d99 authored by Alexander Potapenko's avatar Alexander Potapenko Committed by Andrew Morton
Browse files

mm/kfence: disable KFENCE upon KASAN HW tags enablement 

KFENCE does not currently support KASAN hardware tags.  As a result, the
two features are incompatible when enabled simultaneously.

Given that MTE provides deterministic protection and KFENCE is a
sampling-based debugging tool, prioritize the stronger hardware
protections.  Disable KFENCE initialization and free the pre-allocated
pool if KASAN hardware tags are detected to ensure the system maintains
the security guarantees provided by MTE.

Link: https://lkml.kernel.org/r/20260213095410.1862978-1-glider@google.com


Fixes: 0ce20dd8 ("mm: add Kernel Electric-Fence infrastructure")
Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
Suggested-by: default avatarMarco Elver <elver@google.com>
Reviewed-by: default avatarMarco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ernesto Martinez Garcia <ernesto.martinezgarcia@tugraz.at>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Kees Cook <kees@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
parent 6de23f81

mm/kfence/core.c

+15 −0
Original line number Diff line number Diff line
@@ -13,6 +13,7 @@ 
#include <linux/hash.h>

#include <linux/irq_work.h>

#include <linux/jhash.h>

#include <linux/kasan-enabled.h>

#include <linux/kcsan-checks.h>

#include <linux/kfence.h>

#include <linux/kmemleak.h>
@@ -916,6 +917,20 @@ void __init kfence_alloc_pool_and_metadata(void) 
	if (!kfence_sample_interval)

		return;



	/*

	 * If KASAN hardware tags are enabled, disable KFENCE, because it

	 * does not support MTE yet.

	 */

	if (kasan_hw_tags_enabled()) {

		pr_info("disabled as KASAN HW tags are enabled\n");

		if (__kfence_pool) {

			memblock_free(__kfence_pool, KFENCE_POOL_SIZE);

			__kfence_pool = NULL;

		}

		kfence_sample_interval = 0;

		return;

	}



	/*

	 * If the pool has already been initialized by arch, there is no need to

	 * re-allocate the memory pool.