1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * This file contains common KASAN error reporting code. |
4 | * |
5 | * Copyright (c) 2014 Samsung Electronics Co., Ltd. |
6 | * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com> |
7 | * |
8 | * Some code borrowed from https://github.com/xairy/kasan-prototype by |
9 | * Andrey Konovalov <andreyknvl@gmail.com> |
10 | */ |
11 | |
12 | #include <kunit/test.h> |
13 | #include <linux/bitops.h> |
14 | #include <linux/ftrace.h> |
15 | #include <linux/init.h> |
16 | #include <linux/kernel.h> |
17 | #include <linux/lockdep.h> |
18 | #include <linux/mm.h> |
19 | #include <linux/printk.h> |
20 | #include <linux/sched.h> |
21 | #include <linux/slab.h> |
22 | #include <linux/stackdepot.h> |
23 | #include <linux/stacktrace.h> |
24 | #include <linux/string.h> |
25 | #include <linux/types.h> |
26 | #include <linux/vmalloc.h> |
27 | #include <linux/kasan.h> |
28 | #include <linux/module.h> |
29 | #include <linux/sched/task_stack.h> |
30 | #include <linux/uaccess.h> |
31 | #include <trace/events/error_report.h> |
32 | |
33 | #include <asm/sections.h> |
34 | |
35 | #include "kasan.h" |
36 | #include "../slab.h" |
37 | |
38 | static unsigned long kasan_flags; |
39 | |
40 | #define KASAN_BIT_REPORTED 0 |
41 | #define KASAN_BIT_MULTI_SHOT 1 |
42 | |
43 | enum kasan_arg_fault { |
44 | KASAN_ARG_FAULT_DEFAULT, |
45 | KASAN_ARG_FAULT_REPORT, |
46 | KASAN_ARG_FAULT_PANIC, |
47 | KASAN_ARG_FAULT_PANIC_ON_WRITE, |
48 | }; |
49 | |
50 | static enum kasan_arg_fault kasan_arg_fault __ro_after_init = KASAN_ARG_FAULT_DEFAULT; |
51 | |
52 | /* kasan.fault=report/panic */ |
53 | static int __init early_kasan_fault(char *arg) |
54 | { |
55 | if (!arg) |
56 | return -EINVAL; |
57 | |
58 | if (!strcmp(arg, "report" )) |
59 | kasan_arg_fault = KASAN_ARG_FAULT_REPORT; |
60 | else if (!strcmp(arg, "panic" )) |
61 | kasan_arg_fault = KASAN_ARG_FAULT_PANIC; |
62 | else if (!strcmp(arg, "panic_on_write" )) |
63 | kasan_arg_fault = KASAN_ARG_FAULT_PANIC_ON_WRITE; |
64 | else |
65 | return -EINVAL; |
66 | |
67 | return 0; |
68 | } |
69 | early_param("kasan.fault" , early_kasan_fault); |
70 | |
71 | static int __init kasan_set_multi_shot(char *str) |
72 | { |
73 | set_bit(KASAN_BIT_MULTI_SHOT, addr: &kasan_flags); |
74 | return 1; |
75 | } |
76 | __setup("kasan_multi_shot" , kasan_set_multi_shot); |
77 | |
78 | /* |
79 | * This function is used to check whether KASAN reports are suppressed for |
80 | * software KASAN modes via kasan_disable/enable_current() critical sections. |
81 | * |
82 | * This is done to avoid: |
83 | * 1. False-positive reports when accessing slab metadata, |
84 | * 2. Deadlocking when poisoned memory is accessed by the reporting code. |
85 | * |
86 | * Hardware Tag-Based KASAN instead relies on: |
87 | * For #1: Resetting tags via kasan_reset_tag(). |
88 | * For #2: Suppression of tag checks via CPU, see report_suppress_start/end(). |
89 | */ |
90 | static bool report_suppressed_sw(void) |
91 | { |
92 | #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) |
93 | if (current->kasan_depth) |
94 | return true; |
95 | #endif |
96 | return false; |
97 | } |
98 | |
99 | static void report_suppress_start(void) |
100 | { |
101 | #ifdef CONFIG_KASAN_HW_TAGS |
102 | /* |
103 | * Disable preemption for the duration of printing a KASAN report, as |
104 | * hw_suppress_tag_checks_start() disables checks on the current CPU. |
105 | */ |
106 | preempt_disable(); |
107 | hw_suppress_tag_checks_start(); |
108 | #else |
109 | kasan_disable_current(); |
110 | #endif |
111 | } |
112 | |
113 | static void report_suppress_stop(void) |
114 | { |
115 | #ifdef CONFIG_KASAN_HW_TAGS |
116 | hw_suppress_tag_checks_stop(); |
117 | preempt_enable(); |
118 | #else |
119 | kasan_enable_current(); |
120 | #endif |
121 | } |
122 | |
123 | /* |
124 | * Used to avoid reporting more than one KASAN bug unless kasan_multi_shot |
125 | * is enabled. Note that KASAN tests effectively enable kasan_multi_shot |
126 | * for their duration. |
127 | */ |
128 | static bool report_enabled(void) |
129 | { |
130 | if (test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags)) |
131 | return true; |
132 | return !test_and_set_bit(KASAN_BIT_REPORTED, addr: &kasan_flags); |
133 | } |
134 | |
135 | #if IS_ENABLED(CONFIG_KASAN_KUNIT_TEST) || IS_ENABLED(CONFIG_KASAN_MODULE_TEST) |
136 | |
137 | bool kasan_save_enable_multi_shot(void) |
138 | { |
139 | return test_and_set_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags); |
140 | } |
141 | EXPORT_SYMBOL_GPL(kasan_save_enable_multi_shot); |
142 | |
143 | void kasan_restore_multi_shot(bool enabled) |
144 | { |
145 | if (!enabled) |
146 | clear_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags); |
147 | } |
148 | EXPORT_SYMBOL_GPL(kasan_restore_multi_shot); |
149 | |
150 | #endif |
151 | |
152 | #if IS_ENABLED(CONFIG_KASAN_KUNIT_TEST) |
153 | |
154 | /* |
155 | * Whether the KASAN KUnit test suite is currently being executed. |
156 | * Updated in kasan_test.c. |
157 | */ |
158 | static bool kasan_kunit_executing; |
159 | |
160 | void kasan_kunit_test_suite_start(void) |
161 | { |
162 | WRITE_ONCE(kasan_kunit_executing, true); |
163 | } |
164 | EXPORT_SYMBOL_GPL(kasan_kunit_test_suite_start); |
165 | |
166 | void kasan_kunit_test_suite_end(void) |
167 | { |
168 | WRITE_ONCE(kasan_kunit_executing, false); |
169 | } |
170 | EXPORT_SYMBOL_GPL(kasan_kunit_test_suite_end); |
171 | |
172 | static bool kasan_kunit_test_suite_executing(void) |
173 | { |
174 | return READ_ONCE(kasan_kunit_executing); |
175 | } |
176 | |
177 | #else /* CONFIG_KASAN_KUNIT_TEST */ |
178 | |
179 | static inline bool kasan_kunit_test_suite_executing(void) { return false; } |
180 | |
181 | #endif /* CONFIG_KASAN_KUNIT_TEST */ |
182 | |
183 | #if IS_ENABLED(CONFIG_KUNIT) |
184 | |
185 | static void fail_non_kasan_kunit_test(void) |
186 | { |
187 | struct kunit *test; |
188 | |
189 | if (kasan_kunit_test_suite_executing()) |
190 | return; |
191 | |
192 | test = current->kunit_test; |
193 | if (test) |
194 | kunit_set_failure(test); |
195 | } |
196 | |
197 | #else /* CONFIG_KUNIT */ |
198 | |
199 | static inline void fail_non_kasan_kunit_test(void) { } |
200 | |
201 | #endif /* CONFIG_KUNIT */ |
202 | |
203 | static DEFINE_SPINLOCK(report_lock); |
204 | |
205 | static void start_report(unsigned long *flags, bool sync) |
206 | { |
207 | fail_non_kasan_kunit_test(); |
208 | /* Respect the /proc/sys/kernel/traceoff_on_warning interface. */ |
209 | disable_trace_on_warning(); |
210 | /* Do not allow LOCKDEP mangling KASAN reports. */ |
211 | lockdep_off(); |
212 | /* Make sure we don't end up in loop. */ |
213 | report_suppress_start(); |
214 | spin_lock_irqsave(&report_lock, *flags); |
215 | pr_err("==================================================================\n" ); |
216 | } |
217 | |
218 | static void end_report(unsigned long *flags, const void *addr, bool is_write) |
219 | { |
220 | if (addr) |
221 | trace_error_report_end(error_detector: ERROR_DETECTOR_KASAN, |
222 | id: (unsigned long)addr); |
223 | pr_err("==================================================================\n" ); |
224 | spin_unlock_irqrestore(lock: &report_lock, flags: *flags); |
225 | if (!test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags)) |
226 | check_panic_on_warn(origin: "KASAN" ); |
227 | switch (kasan_arg_fault) { |
228 | case KASAN_ARG_FAULT_DEFAULT: |
229 | case KASAN_ARG_FAULT_REPORT: |
230 | break; |
231 | case KASAN_ARG_FAULT_PANIC: |
232 | panic(fmt: "kasan.fault=panic set ...\n" ); |
233 | break; |
234 | case KASAN_ARG_FAULT_PANIC_ON_WRITE: |
235 | if (is_write) |
236 | panic(fmt: "kasan.fault=panic_on_write set ...\n" ); |
237 | break; |
238 | } |
239 | add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); |
240 | lockdep_on(); |
241 | report_suppress_stop(); |
242 | } |
243 | |
244 | static void print_error_description(struct kasan_report_info *info) |
245 | { |
246 | pr_err("BUG: KASAN: %s in %pS\n" , info->bug_type, (void *)info->ip); |
247 | |
248 | if (info->type != KASAN_REPORT_ACCESS) { |
249 | pr_err("Free of addr %px by task %s/%d\n" , |
250 | info->access_addr, current->comm, task_pid_nr(current)); |
251 | return; |
252 | } |
253 | |
254 | if (info->access_size) |
255 | pr_err("%s of size %zu at addr %px by task %s/%d\n" , |
256 | info->is_write ? "Write" : "Read" , info->access_size, |
257 | info->access_addr, current->comm, task_pid_nr(current)); |
258 | else |
259 | pr_err("%s at addr %px by task %s/%d\n" , |
260 | info->is_write ? "Write" : "Read" , |
261 | info->access_addr, current->comm, task_pid_nr(current)); |
262 | } |
263 | |
264 | static void print_track(struct kasan_track *track, const char *prefix) |
265 | { |
266 | #ifdef CONFIG_KASAN_EXTRA_INFO |
267 | u64 ts_nsec = track->timestamp; |
268 | unsigned long rem_usec; |
269 | |
270 | ts_nsec <<= 9; |
271 | rem_usec = do_div(ts_nsec, NSEC_PER_SEC) / 1000; |
272 | |
273 | pr_err("%s by task %u on cpu %d at %lu.%06lus:\n" , |
274 | prefix, track->pid, track->cpu, |
275 | (unsigned long)ts_nsec, rem_usec); |
276 | #else |
277 | pr_err("%s by task %u:\n" , prefix, track->pid); |
278 | #endif /* CONFIG_KASAN_EXTRA_INFO */ |
279 | if (track->stack) |
280 | stack_depot_print(stack: track->stack); |
281 | else |
282 | pr_err("(stack is not available)\n" ); |
283 | } |
284 | |
285 | static inline struct page *addr_to_page(const void *addr) |
286 | { |
287 | if (virt_addr_valid(addr)) |
288 | return virt_to_head_page(x: addr); |
289 | return NULL; |
290 | } |
291 | |
292 | static void describe_object_addr(const void *addr, struct kasan_report_info *info) |
293 | { |
294 | unsigned long access_addr = (unsigned long)addr; |
295 | unsigned long object_addr = (unsigned long)info->object; |
296 | const char *rel_type, *region_state = "" ; |
297 | int rel_bytes; |
298 | |
299 | pr_err("The buggy address belongs to the object at %px\n" |
300 | " which belongs to the cache %s of size %d\n" , |
301 | info->object, info->cache->name, info->cache->object_size); |
302 | |
303 | if (access_addr < object_addr) { |
304 | rel_type = "to the left" ; |
305 | rel_bytes = object_addr - access_addr; |
306 | } else if (access_addr >= object_addr + info->alloc_size) { |
307 | rel_type = "to the right" ; |
308 | rel_bytes = access_addr - (object_addr + info->alloc_size); |
309 | } else { |
310 | rel_type = "inside" ; |
311 | rel_bytes = access_addr - object_addr; |
312 | } |
313 | |
314 | /* |
315 | * Tag-Based modes use the stack ring to infer the bug type, but the |
316 | * memory region state description is generated based on the metadata. |
317 | * Thus, defining the region state as below can contradict the metadata. |
318 | * Fixing this requires further improvements, so only infer the state |
319 | * for the Generic mode. |
320 | */ |
321 | if (IS_ENABLED(CONFIG_KASAN_GENERIC)) { |
322 | if (strcmp(info->bug_type, "slab-out-of-bounds" ) == 0) |
323 | region_state = "allocated " ; |
324 | else if (strcmp(info->bug_type, "slab-use-after-free" ) == 0) |
325 | region_state = "freed " ; |
326 | } |
327 | |
328 | pr_err("The buggy address is located %d bytes %s of\n" |
329 | " %s%zu-byte region [%px, %px)\n" , |
330 | rel_bytes, rel_type, region_state, info->alloc_size, |
331 | (void *)object_addr, (void *)(object_addr + info->alloc_size)); |
332 | } |
333 | |
334 | static void describe_object_stacks(struct kasan_report_info *info) |
335 | { |
336 | if (info->alloc_track.stack) { |
337 | print_track(track: &info->alloc_track, prefix: "Allocated" ); |
338 | pr_err("\n" ); |
339 | } |
340 | |
341 | if (info->free_track.stack) { |
342 | print_track(track: &info->free_track, prefix: "Freed" ); |
343 | pr_err("\n" ); |
344 | } |
345 | |
346 | kasan_print_aux_stacks(cache: info->cache, object: info->object); |
347 | } |
348 | |
349 | static void describe_object(const void *addr, struct kasan_report_info *info) |
350 | { |
351 | if (kasan_stack_collection_enabled()) |
352 | describe_object_stacks(info); |
353 | describe_object_addr(addr, info); |
354 | } |
355 | |
356 | static inline bool kernel_or_module_addr(const void *addr) |
357 | { |
358 | if (is_kernel(addr: (unsigned long)addr)) |
359 | return true; |
360 | if (is_module_address(addr: (unsigned long)addr)) |
361 | return true; |
362 | return false; |
363 | } |
364 | |
365 | static inline bool init_task_stack_addr(const void *addr) |
366 | { |
367 | return addr >= (void *)&init_thread_union.stack && |
368 | (addr <= (void *)&init_thread_union.stack + |
369 | sizeof(init_thread_union.stack)); |
370 | } |
371 | |
372 | static void print_address_description(void *addr, u8 tag, |
373 | struct kasan_report_info *info) |
374 | { |
375 | struct page *page = addr_to_page(addr); |
376 | |
377 | dump_stack_lvl(KERN_ERR); |
378 | pr_err("\n" ); |
379 | |
380 | if (info->cache && info->object) { |
381 | describe_object(addr, info); |
382 | pr_err("\n" ); |
383 | } |
384 | |
385 | if (kernel_or_module_addr(addr) && !init_task_stack_addr(addr)) { |
386 | pr_err("The buggy address belongs to the variable:\n" ); |
387 | pr_err(" %pS\n" , addr); |
388 | pr_err("\n" ); |
389 | } |
390 | |
391 | if (object_is_on_stack(obj: addr)) { |
392 | /* |
393 | * Currently, KASAN supports printing frame information only |
394 | * for accesses to the task's own stack. |
395 | */ |
396 | kasan_print_address_stack_frame(addr); |
397 | pr_err("\n" ); |
398 | } |
399 | |
400 | if (is_vmalloc_addr(x: addr)) { |
401 | struct vm_struct *va = find_vm_area(addr); |
402 | |
403 | if (va) { |
404 | pr_err("The buggy address belongs to the virtual mapping at\n" |
405 | " [%px, %px) created by:\n" |
406 | " %pS\n" , |
407 | va->addr, va->addr + va->size, va->caller); |
408 | pr_err("\n" ); |
409 | |
410 | page = vmalloc_to_page(addr); |
411 | } |
412 | } |
413 | |
414 | if (page) { |
415 | pr_err("The buggy address belongs to the physical page:\n" ); |
416 | dump_page(page, reason: "kasan: bad access detected" ); |
417 | pr_err("\n" ); |
418 | } |
419 | } |
420 | |
421 | static bool meta_row_is_guilty(const void *row, const void *addr) |
422 | { |
423 | return (row <= addr) && (addr < row + META_MEM_BYTES_PER_ROW); |
424 | } |
425 | |
426 | static int meta_pointer_offset(const void *row, const void *addr) |
427 | { |
428 | /* |
429 | * Memory state around the buggy address: |
430 | * ff00ff00ff00ff00: 00 00 00 05 fe fe fe fe fe fe fe fe fe fe fe fe |
431 | * ... |
432 | * |
433 | * The length of ">ff00ff00ff00ff00: " is |
434 | * 3 + (BITS_PER_LONG / 8) * 2 chars. |
435 | * The length of each granule metadata is 2 bytes |
436 | * plus 1 byte for space. |
437 | */ |
438 | return 3 + (BITS_PER_LONG / 8) * 2 + |
439 | (addr - row) / KASAN_GRANULE_SIZE * 3 + 1; |
440 | } |
441 | |
442 | static void print_memory_metadata(const void *addr) |
443 | { |
444 | int i; |
445 | void *row; |
446 | |
447 | row = (void *)round_down((unsigned long)addr, META_MEM_BYTES_PER_ROW) |
448 | - META_ROWS_AROUND_ADDR * META_MEM_BYTES_PER_ROW; |
449 | |
450 | pr_err("Memory state around the buggy address:\n" ); |
451 | |
452 | for (i = -META_ROWS_AROUND_ADDR; i <= META_ROWS_AROUND_ADDR; i++) { |
453 | char buffer[4 + (BITS_PER_LONG / 8) * 2]; |
454 | char metadata[META_BYTES_PER_ROW]; |
455 | |
456 | snprintf(buf: buffer, size: sizeof(buffer), |
457 | fmt: (i == 0) ? ">%px: " : " %px: " , row); |
458 | |
459 | /* |
460 | * We should not pass a shadow pointer to generic |
461 | * function, because generic functions may try to |
462 | * access kasan mapping for the passed address. |
463 | */ |
464 | kasan_metadata_fetch_row(buffer: &metadata[0], row); |
465 | |
466 | print_hex_dump(KERN_ERR, prefix_str: buffer, |
467 | prefix_type: DUMP_PREFIX_NONE, META_BYTES_PER_ROW, groupsize: 1, |
468 | buf: metadata, META_BYTES_PER_ROW, ascii: 0); |
469 | |
470 | if (meta_row_is_guilty(row, addr)) |
471 | pr_err("%*c\n" , meta_pointer_offset(row, addr), '^'); |
472 | |
473 | row += META_MEM_BYTES_PER_ROW; |
474 | } |
475 | } |
476 | |
477 | static void print_report(struct kasan_report_info *info) |
478 | { |
479 | void *addr = kasan_reset_tag(addr: (void *)info->access_addr); |
480 | u8 tag = get_tag((void *)info->access_addr); |
481 | |
482 | print_error_description(info); |
483 | if (addr_has_metadata(addr)) |
484 | kasan_print_tags(addr_tag: tag, addr: info->first_bad_addr); |
485 | pr_err("\n" ); |
486 | |
487 | if (addr_has_metadata(addr)) { |
488 | print_address_description(addr, tag, info); |
489 | print_memory_metadata(addr: info->first_bad_addr); |
490 | } else { |
491 | dump_stack_lvl(KERN_ERR); |
492 | } |
493 | } |
494 | |
495 | static void complete_report_info(struct kasan_report_info *info) |
496 | { |
497 | void *addr = kasan_reset_tag(addr: (void *)info->access_addr); |
498 | struct slab *slab; |
499 | |
500 | if (info->type == KASAN_REPORT_ACCESS) |
501 | info->first_bad_addr = kasan_find_first_bad_addr( |
502 | addr: (void *)info->access_addr, size: info->access_size); |
503 | else |
504 | info->first_bad_addr = addr; |
505 | |
506 | slab = kasan_addr_to_slab(addr); |
507 | if (slab) { |
508 | info->cache = slab->slab_cache; |
509 | info->object = nearest_obj(cache: info->cache, slab, x: addr); |
510 | |
511 | /* Try to determine allocation size based on the metadata. */ |
512 | info->alloc_size = kasan_get_alloc_size(object: info->object, cache: info->cache); |
513 | /* Fallback to the object size if failed. */ |
514 | if (!info->alloc_size) |
515 | info->alloc_size = info->cache->object_size; |
516 | } else |
517 | info->cache = info->object = NULL; |
518 | |
519 | switch (info->type) { |
520 | case KASAN_REPORT_INVALID_FREE: |
521 | info->bug_type = "invalid-free" ; |
522 | break; |
523 | case KASAN_REPORT_DOUBLE_FREE: |
524 | info->bug_type = "double-free" ; |
525 | break; |
526 | default: |
527 | /* bug_type filled in by kasan_complete_mode_report_info. */ |
528 | break; |
529 | } |
530 | |
531 | /* Fill in mode-specific report info fields. */ |
532 | kasan_complete_mode_report_info(info); |
533 | } |
534 | |
535 | void kasan_report_invalid_free(void *ptr, unsigned long ip, enum kasan_report_type type) |
536 | { |
537 | unsigned long flags; |
538 | struct kasan_report_info info; |
539 | |
540 | /* |
541 | * Do not check report_suppressed_sw(), as an invalid-free cannot be |
542 | * caused by accessing poisoned memory and thus should not be suppressed |
543 | * by kasan_disable/enable_current() critical sections. |
544 | * |
545 | * Note that for Hardware Tag-Based KASAN, kasan_report_invalid_free() |
546 | * is triggered by explicit tag checks and not by the ones performed by |
547 | * the CPU. Thus, reporting invalid-free is not suppressed as well. |
548 | */ |
549 | if (unlikely(!report_enabled())) |
550 | return; |
551 | |
552 | start_report(flags: &flags, sync: true); |
553 | |
554 | __memset(s: &info, c: 0, n: sizeof(info)); |
555 | info.type = type; |
556 | info.access_addr = ptr; |
557 | info.access_size = 0; |
558 | info.is_write = false; |
559 | info.ip = ip; |
560 | |
561 | complete_report_info(info: &info); |
562 | |
563 | print_report(info: &info); |
564 | |
565 | /* |
566 | * Invalid free is considered a "write" since the allocator's metadata |
567 | * updates involves writes. |
568 | */ |
569 | end_report(flags: &flags, addr: ptr, is_write: true); |
570 | } |
571 | |
572 | /* |
573 | * kasan_report() is the only reporting function that uses |
574 | * user_access_save/restore(): kasan_report_invalid_free() cannot be called |
575 | * from a UACCESS region, and kasan_report_async() is not used on x86. |
576 | */ |
577 | bool kasan_report(const void *addr, size_t size, bool is_write, |
578 | unsigned long ip) |
579 | { |
580 | bool ret = true; |
581 | unsigned long ua_flags = user_access_save(); |
582 | unsigned long irq_flags; |
583 | struct kasan_report_info info; |
584 | |
585 | if (unlikely(report_suppressed_sw()) || unlikely(!report_enabled())) { |
586 | ret = false; |
587 | goto out; |
588 | } |
589 | |
590 | start_report(flags: &irq_flags, sync: true); |
591 | |
592 | __memset(s: &info, c: 0, n: sizeof(info)); |
593 | info.type = KASAN_REPORT_ACCESS; |
594 | info.access_addr = addr; |
595 | info.access_size = size; |
596 | info.is_write = is_write; |
597 | info.ip = ip; |
598 | |
599 | complete_report_info(info: &info); |
600 | |
601 | print_report(info: &info); |
602 | |
603 | end_report(flags: &irq_flags, addr: (void *)addr, is_write); |
604 | |
605 | out: |
606 | user_access_restore(ua_flags); |
607 | |
608 | return ret; |
609 | } |
610 | |
611 | #ifdef CONFIG_KASAN_HW_TAGS |
612 | void kasan_report_async(void) |
613 | { |
614 | unsigned long flags; |
615 | |
616 | /* |
617 | * Do not check report_suppressed_sw(), as |
618 | * kasan_disable/enable_current() critical sections do not affect |
619 | * Hardware Tag-Based KASAN. |
620 | */ |
621 | if (unlikely(!report_enabled())) |
622 | return; |
623 | |
624 | start_report(&flags, false); |
625 | pr_err("BUG: KASAN: invalid-access\n" ); |
626 | pr_err("Asynchronous fault: no details available\n" ); |
627 | pr_err("\n" ); |
628 | dump_stack_lvl(KERN_ERR); |
629 | /* |
630 | * Conservatively set is_write=true, because no details are available. |
631 | * In this mode, kasan.fault=panic_on_write is like kasan.fault=panic. |
632 | */ |
633 | end_report(&flags, NULL, true); |
634 | } |
635 | #endif /* CONFIG_KASAN_HW_TAGS */ |
636 | |
637 | #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) |
638 | /* |
639 | * With compiler-based KASAN modes, accesses to bogus pointers (outside of the |
640 | * mapped kernel address space regions) cause faults when KASAN tries to check |
641 | * the shadow memory before the actual memory access. This results in cryptic |
642 | * GPF reports, which are hard for users to interpret. This hook helps users to |
643 | * figure out what the original bogus pointer was. |
644 | */ |
645 | void kasan_non_canonical_hook(unsigned long addr) |
646 | { |
647 | unsigned long orig_addr; |
648 | const char *bug_type; |
649 | |
650 | /* |
651 | * All addresses that came as a result of the memory-to-shadow mapping |
652 | * (even for bogus pointers) must be >= KASAN_SHADOW_OFFSET. |
653 | */ |
654 | if (addr < KASAN_SHADOW_OFFSET) |
655 | return; |
656 | |
657 | orig_addr = (unsigned long)kasan_shadow_to_mem((void *)addr); |
658 | |
659 | /* |
660 | * For faults near the shadow address for NULL, we can be fairly certain |
661 | * that this is a KASAN shadow memory access. |
662 | * For faults that correspond to the shadow for low or high canonical |
663 | * addresses, we can still be pretty sure: these shadow regions are a |
664 | * fairly narrow chunk of the address space. |
665 | * But the shadow for non-canonical addresses is a really large chunk |
666 | * of the address space. For this case, we still print the decoded |
667 | * address, but make it clear that this is not necessarily what's |
668 | * actually going on. |
669 | */ |
670 | if (orig_addr < PAGE_SIZE) |
671 | bug_type = "null-ptr-deref" ; |
672 | else if (orig_addr < TASK_SIZE) |
673 | bug_type = "probably user-memory-access" ; |
674 | else if (addr_in_shadow((void *)addr)) |
675 | bug_type = "probably wild-memory-access" ; |
676 | else |
677 | bug_type = "maybe wild-memory-access" ; |
678 | pr_alert("KASAN: %s in range [0x%016lx-0x%016lx]\n" , bug_type, |
679 | orig_addr, orig_addr + KASAN_GRANULE_SIZE - 1); |
680 | } |
681 | #endif |
682 | |