Lines Matching +full:linear +full:- +full:mapping +full:- +full:mode
5 --------
8 designed to find out-of-bound and use-after-free bugs. KASAN has three modes:
11 2. software tag-based KASAN (similar to userspace HWASan),
12 3. hardware tag-based KASAN (based on hardware memory tagging).
14 Software KASAN modes (1 and 2) use compile-time instrumentation to insert
20 out-of-bounds accesses for global variables is only supported since Clang 11.
22 Tag-based KASAN is only supported in Clang.
25 and riscv architectures, and tag-based KASAN modes are supported only for arm64.
28 -----
35 CONFIG_KASAN_SW_TAGS (to enable software tag-based KASAN), and
36 CONFIG_KASAN_HW_TAGS (to enable hardware tag-based KASAN).
40 The former produces smaller binary while the latter is 1.1 - 2 times faster.
43 while the hardware tag-based KASAN currently only support SLUB.
53 A typical out-of-bounds access generic KASAN report looks like this::
56 BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xa8/0xbc [test_kasan]
59 CPU: 1 PID: 2760 Comm: insmod Not tainted 4.19.0-rc3+ #698
60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
107 which belongs to the cache kmalloc-128 of size 128
109 128-byte region [ffff8801f44ec300, ffff8801f44ec380)
111 page:ffffea0007d13b00 count:1 mapcount:0 mapping:ffff8801f7001640 index:0x0
130 freed (in case of a use-after-free bug report). Next comes a description of
135 is either 8 or 16 aligned bytes depending on KASAN mode. Each number in the
144 bytes are accessible, and other (8 - N) bytes are not; any negative value
145 indicates that the entire 8-byte word is inaccessible. KASAN uses different
150 the accessed address is partially accessible. For tag-based KASAN modes this
157 Hardware tag-based KASAN mode (see the section about various modes below) is
162 - ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
164 - ``kasan.mode=sync`` or ``=async`` controls whether KASAN is configured in
165 synchronous or asynchronous mode of execution (default: ``sync``).
166 Synchronous mode: a bad access is detected immediately when a tag
168 Asynchronous mode: a bad access detection is delayed. When a tag check
173 - ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
176 - ``kasan.fault=report`` or ``=panic`` controls whether to only print a KASAN
189 - For a single file (e.g. main.o)::
193 - For all files in one directory::
199 ----------------------
206 memory is safe to access, and use compile-time instrumentation to insert checks
210 to cover 128TB on x86_64) and uses direct mapping with a scale and offset to
224 Compile-time instrumentation is used to insert memory access checks. Compiler
231 This option significantly enlarges kernel but it gives x1.1-x2 performance
238 Generic KASAN is the only mode that delays the reuse of freed object via
241 Software tag-based KASAN
244 Software tag-based KASAN requires software memory tagging support in the form
245 of HWASan-like compiler instrumentation (see HWASan documentation for details).
247 Software tag-based KASAN is currently only implemented for arm64 architecture.
249 Software tag-based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
251 it uses shadow memory to store memory tags associated with each 16-byte memory
254 On each memory allocation software tag-based KASAN generates a random tag, tags
258 Software tag-based KASAN uses compile-time instrumentation to insert checks
261 memory. In case of a tag mismatch software tag-based KASAN prints a bug report.
263 Software tag-based KASAN also has two instrumentation modes (outline, that
265 memory checks inline). With outline instrumentation mode, a bug report is
270 Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through
274 Software tag-based KASAN currently only supports tagging of
277 Hardware tag-based KASAN
280 Hardware tag-based KASAN is similar to the software mode in concept, but uses
284 Hardware tag-based KASAN is currently only implemented for arm64 architecture
294 Hardware tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through
298 Hardware tag-based KASAN currently only supports tagging of
301 If the hardware doesn't support MTE (pre ARMv8.5), hardware tag-based KASAN
304 Note, that enabling CONFIG_KASAN_HW_TAGS always results in in-kernel TBI being
305 enabled. Even when kasan.mode=off is provided, or when the hardware doesn't
308 Hardware tag-based KASAN only reports the first found bug. After that MTE tag
312 --------------------------------------------
327 for the linear mapping (and potentially other small areas). For all
328 other areas - such as vmalloc and vmemmap space - a single read-only
329 page is mapped over the shadow area. This read-only shadow page
332 This presents a problem for modules: they do not live in the linear
333 mapping, but in a dedicated module space. By hooking in to the module
339 lives in vmalloc space, it will be shadowed by the read-only page, and
353 page of shadow space. Allocating a full shadow page per mapping would
359 a backing page when a mapping in vmalloc space uses a particular page
369 unmapped. This will require changes in arch-specific code.
375 ----------------------------------------------------
388 Each KUnit-compatible KASAN test prints a KASAN report if an error is detected.
393 ok 28 - kmalloc_double_kzfree
399 not ok 4 - kmalloc_large_oob_right
404 Expected kasan_data->report_expected == kasan_data->report_found, but
405 kasan_data->report_expected == 1
406 kasan_data->report_found == 0
407 not ok 28 - kmalloc_double_kzfree
411 ok 1 - kasan
415 not ok 1 - kasan
418 There are a few ways to run KUnit-compatible KASAN tests.
427 2. Built-In
430 With ``CONFIG_KUNIT`` built-in, ``CONFIG_KASAN_KUNIT_TEST`` can be built-in
432 will run and print the results at boot as a late-init call.
437 With ``CONFIG_KUNIT`` and ``CONFIG_KASAN_KUNIT_TEST`` built-in, it's also
440 passed. Use `KUnit documentation <https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html…
441 for more up-to-date information on ``kunit_tool``.
443 .. _KUnit: https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html