On Fri, Jun 12, 2026 at 04:44:22AM +0000, Dev Jain wrote:
> Introduce a boot option to tag only at allocation time of the objects. This
> reduces KASAN MTE overhead, the tradeoff being reduced ability of
> catching bugs.
>
> Now, when a memory object will be freed, it will retain the random tag it
> had at allocation time. This compromises on catching UAF bugs until the
> object is reallocated, at which point it will have a new random tag.
>
> Hence, not catching "use-after-free-before-reallocation" and not catching
> "double-free" will be the compromise for reduced KASAN overhead.
Hmm ... do we also need to teach the KASAN KUnit tests about this mode?

With kasan.tag_only_on_alloc=on, free-time poisoning is skipped, so some
UAF and double-free reports are skipped on purpose, but the tests still
expect them :)

Cheers,
Lance
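A toy model of the two modes, added here and not part of the thread or of the kernel's KASAN code: one 4-bit tag per 16-byte granule, the pointer carrying its tag in bits 56-59, a deterministic counter standing in for the random tag source, and `tag_only_on_alloc` standing for the `kasan.tag_only_on_alloc=on` option named above. It shows which reports the existing KUnit expectation (UAF and double-free both reported) would lose under the new mode, and that the UAF is still caught once the slot is reallocated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of MTE tag-based KASAN (added example, not kernel code): a 4-bit tag per
 * 16-byte granule, the pointer carrying its tag in bits 56-59; an access is valid only
 * if both tags match. tag_only_on_alloc stands for kasan.tag_only_on_alloc=on. */
static uint8_t mem_tag[8];          /* per-granule tag of a tiny model heap */
static uint8_t next_tag;            /* deterministic stand-in for the random tag source */
static bool tag_only_on_alloc;

typedef uint64_t tptr;
static tptr make_ptr(size_t g, uint8_t tag) { return ((tptr)tag << 56) | g; }
static uint8_t ptr_tag(tptr p) { return (uint8_t)(p >> 56) & 0xF; }
static size_t ptr_granule(tptr p) { return (size_t)(p & 0xFFFF); }

static uint8_t fresh_tag(uint8_t avoid) {
    do next_tag = (next_tag + 1) & 0xF; while (next_tag == avoid);
    return next_tag;
}
/* A load/store through p is allowed only if pointer and memory tags agree. */
static bool access_ok(tptr p) { return ptr_tag(p) == mem_tag[ptr_granule(p)]; }

static tptr model_alloc(size_t g) {
    mem_tag[g] = fresh_tag(mem_tag[g]);   /* always retag at allocation */
    return make_ptr(g, mem_tag[g]);
}
/* Returns false where KASAN would report an invalid (e.g. double) free. */
static bool model_free(tptr p) {
    size_t g = ptr_granule(p);
    if (!access_ok(p)) return false;
    if (!tag_only_on_alloc)               /* default mode: poison by retagging on free */
        mem_tag[g] = fresh_tag(mem_tag[g]);
    return true;
}

struct outcome { bool uaf_caught, double_free_caught, uaf_after_realloc_caught; };

static struct outcome run_scenario(bool only_on_alloc) {
    struct outcome o; tag_only_on_alloc = only_on_alloc;
    memset(mem_tag, 0, sizeof mem_tag); next_tag = 0;
    tptr p = model_alloc(0);
    model_free(p);
    o.uaf_caught = !access_ok(p);           /* use-after-free before reallocation */
    o.double_free_caught = !model_free(p);  /* second free of the same pointer */
    model_alloc(0);                         /* slot reallocated: gets a new tag */
    o.uaf_after_realloc_caught = !access_ok(p);
    return o;
}
/* What the existing KUnit tests assume: both a UAF and a double-free are reported. */
static bool kunit_expectations_hold(bool only_on_alloc) {
    struct outcome o = run_scenario(only_on_alloc);
    return o.uaf_caught && o.double_free_caught;
}
```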

