kasan.rst - OpenGrok cross reference for /Linux-v5.15/Documentation/dev-tools/kasan.rst

Lines Matching +full:linear +full:- +full:mapping +full:- +full:mode
5 --------
8 designed to find out-of-bound and use-after-free bugs. KASAN has three modes:
11 2. software tag-based KASAN (similar to userspace HWASan),
12 3. hardware tag-based KASAN (based on hardware memory tagging).
15 Software tag-based KASAN can be used for dogfood testing as it has a lower
16 memory overhead that allows using it with real workloads. Hardware tag-based
18 used in production. Either as an in-field memory bug detector or as a security
21 Software KASAN modes (#1 and #2) use compile-time instrumentation to insert
27 out-of-bounds accesses for global variables is only supported since Clang 11.
29 Software tag-based KASAN mode is only supported in Clang.
31 The hardware KASAN mode (#3) relies on hardware to perform the checks but
33 This mode is supported in GCC 10+ and Clang 11+.
36 while the hardware tag-based KASAN currently only supports SLUB.
39 and riscv architectures, and tag-based KASAN modes are supported only for arm64.
42 -----
49 ``CONFIG_KASAN_SW_TAGS`` (to enable software tag-based KASAN), and
50 ``CONFIG_KASAN_HW_TAGS`` (to enable hardware tag-based KASAN).
54 The former produces a smaller binary while the latter is 1.1-2 times faster.
66     BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xa8/0xbc [test_kasan]
69     CPU: 1 PID: 2760 Comm: insmod Not tainted 4.19.0-rc3+ #698
70     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
117      which belongs to the cache kmalloc-128 of size 128
119      128-byte region [ffff8801f44ec300, ffff8801f44ec380)
121     page:ffffea0007d13b00 count:1 mapcount:0 mapping:ffff8801f7001640 index:0x0
139 and a stack trace of where the object was freed (in case of a use-after-free
145 is either 8 or 16 aligned bytes depending on KASAN mode. Each number in the
154 bytes are accessible, and other (8 - N) bytes are not; any negative value
155 indicates that the entire 8-byte word is inaccessible. KASAN uses different
162 For tag-based KASAN modes, this last report section shows the memory tags around
165 Note that KASAN bug titles (like ``slab-out-of-bounds`` or ``use-after-free``)
166 are best-effort: KASAN prints the most probable bug type based on the limited
187 - ``kasan.fault=report`` or ``=panic`` controls whether to only print a KASAN
191 Hardware tag-based KASAN mode (see the section about various modes below) is
195 - ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
197 - ``kasan.mode=sync`` or ``=async`` controls whether KASAN is configured in
198   synchronous or asynchronous mode of execution (default: ``sync``).
199   Synchronous mode: a bad access is detected immediately when a tag
201   Asynchronous mode: a bad access detection is delayed. When a tag check
206 - ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
210 ----------------------
216 safe to access and use compile-time instrumentation to insert shadow memory
220 to cover 128TB on x86_64) and uses direct mapping with a scale and offset to
234 Compile-time instrumentation is used to insert memory access checks. Compiler
241 enlarges the kernel, but it gives an x1.1-x2 performance boost over the
242 outline-instrumented kernel.
244 Generic KASAN is the only mode that delays the reuse of freed objects via
247 Software tag-based KASAN
250 Software tag-based KASAN uses a software memory tagging approach to checking
253 Software tag-based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
255 to store memory tags associated with each 16-byte memory cell (therefore, it
258 On each memory allocation, software tag-based KASAN generates a random tag, tags
262 Software tag-based KASAN uses compile-time instrumentation to insert checks
265 this memory. In case of a tag mismatch, software tag-based KASAN prints a bug
268 Software tag-based KASAN also has two instrumentation modes (outline, which
270 memory checks inline). With outline instrumentation mode, a bug report is
275 Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through
279 Software tag-based KASAN currently only supports tagging of slab and page_alloc
282 Hardware tag-based KASAN
285 Hardware tag-based KASAN is similar to the software mode in concept but uses
289 Hardware tag-based KASAN is currently only implemented for arm64 architecture
299 Hardware tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through
303 Hardware tag-based KASAN currently only supports tagging of slab and page_alloc
306 If the hardware does not support MTE (pre ARMv8.5), hardware tag-based KASAN
309 Note that enabling CONFIG_KASAN_HW_TAGS always results in in-kernel TBI being
310 enabled. Even when ``kasan.mode=off`` is provided or when the hardware does not
313 Hardware tag-based KASAN only reports the first found bug. After that, MTE tag
317 -------------
329 for the linear mapping (and potentially other small areas). For all
330 other areas - such as vmalloc and vmemmap space - a single read-only
331 page is mapped over the shadow area. This read-only shadow page
334 This presents a problem for modules: they do not live in the linear
335 mapping but in a dedicated module space. By hooking into the module
340 lives in vmalloc space, it will be shadowed by the read-only page, and
355 page of shadow space. Allocating a full shadow page per mapping would
361 a backing page when a mapping in vmalloc space uses a particular page
371 This will require changes in arch-specific code.
377 --------------
394 - For a single file (e.g., main.o)::
398 - For all files in one directory::
402 For software KASAN modes, to disable instrumentation on a per-function basis,
403 use the KASAN-specific ``__no_sanitize_address`` function attribute or the
406 Note that disabling compiler instrumentation (either on a per-file or a
407 per-function basis) makes KASAN ignore the accesses that happen directly in
410 tag-based mode that does not use compiler instrumentation.
417 For tag-based KASAN modes (include the hardware one), to disable access
420 saving and restoring the per-page KASAN tag via
438 Each KUnit-compatible KASAN test prints one of multiple KASAN reports if an
443         ok 28 - kmalloc_double_kzfree
449         not ok 4 - kmalloc_large_oob_right
455         not ok 44 - kmalloc_double_kzfree
460         ok 1 - kasan
464         not ok 1 - kasan
466 There are a few ways to run KUnit-compatible KASAN tests.
470    With ``CONFIG_KUNIT`` enabled, KASAN-KUnit tests can be built as a loadable
473 2. Built-In
475    With ``CONFIG_KUNIT`` built-in, KASAN-KUnit tests can be built-in as well.
476    In this case, the tests will run at boot as a late-init call.
480    With ``CONFIG_KUNIT`` and ``CONFIG_KASAN_KUNIT_TEST`` built-in, it is also
483    See `KUnit documentation <https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html>`_
484    for more up-to-date information on ``kunit_tool``.
486 .. _KUnit: https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html