kasan.rst - OpenGrok cross reference for /Linux-v6.6/Documentation/dev-tools/kasan.rst

Lines Matching +full:page +full:- +full:based
5 --------
8 designed to find out-of-bounds and use-after-free bugs.
13 2. Software Tag-Based KASAN
14 3. Hardware Tag-Based KASAN
20 Software Tag-Based KASAN or SW_TAGS KASAN, enabled with CONFIG_KASAN_SW_TAGS,
23 using it for testing on memory-restricted devices with real workloads.
25 Hardware Tag-Based KASAN or HW_TAGS KASAN, enabled with CONFIG_KASAN_HW_TAGS,
26 is the mode intended to be used as an in-field memory bug detector or as a
34 The Generic and the Software Tag-Based modes are commonly referred to as the
35 software modes. The Software Tag-Based and the Hardware Tag-Based modes are
36 referred to as the tag-based modes.
39 -------
45 and loongarch, and the tag-based KASAN modes are supported only on arm64.
50 Software KASAN modes use compile-time instrumentation to insert validity checks
52 support for that. The Hardware Tag-Based mode relies on hardware to perform
59 Software Tag-Based KASAN requires GCC 11+
62 Hardware Tag-Based KASAN requires GCC 10+ or Clang 12+.
70 Software Tag-Based KASAN supports slab, page_alloc, vmalloc, and stack memory.
72 Hardware Tag-Based KASAN supports slab, page_alloc, and non-executable vmalloc
76 Hardware Tag-Based KASAN only supports SLUB.
79 -----
86 ``CONFIG_KASAN_SW_TAGS`` (to enable Software Tag-Based KASAN), and
87 ``CONFIG_KASAN_HW_TAGS`` (to enable Hardware Tag-Based KASAN).
110 - ``kasan.fault=report``, ``=panic``, or ``=panic_on_write`` controls whether
114   Hardware Tag-Based KASAN, ``kasan.fault=panic_on_write`` always panics on
117 Software and Hardware Tag-Based KASAN modes (see the section about various
120 - ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
122 - ``kasan.stack_ring_size=<number of entries>`` specifies the number of entries
125 Hardware Tag-Based KASAN mode is intended for use in production as a security
129 - ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
131 - ``kasan.mode=sync``, ``=async`` or ``=asymm`` controls whether KASAN
143 - ``kasan.vmalloc=off`` or ``=on`` disables or enables tagging of vmalloc
146 - ``kasan.page_alloc.sample=<sampling interval>`` makes KASAN tag only every
152   Note that enabling this parameter makes Hardware Tag-Based KASAN skip checks
156 - ``kasan.page_alloc.sample.order=<minimum page order>`` specifies the minimum
169     BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xa8/0xbc [test_kasan]
172     CPU: 1 PID: 2760 Comm: insmod Not tainted 4.19.0-rc3+ #698
173     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
220      which belongs to the cache kmalloc-128 of size 128
222      128-byte region [ffff8801f44ec300, ffff8801f44ec380)
223     The buggy address belongs to the page:
224     page:ffffea0007d13b00 count:1 mapcount:0 mapping:ffff8801f7001640 index:0x0
228     page dumped because: kasan: bad access detected
242 and a stack trace of where the object was freed (in case of a use-after-free
244 information about the accessed memory page.
257 bytes are accessible, and other (8 - N) bytes are not; any negative value
258 indicates that the entire 8-byte word is inaccessible. KASAN uses different
265 For tag-based KASAN modes, this last report section shows the memory tags around
268 Note that KASAN bug titles (like ``slab-out-of-bounds`` or ``use-after-free``)
269 are best-effort: KASAN prints the most probable bug type based on the limited
278 ----------------------
284 safe to access and use compile-time instrumentation to insert shadow memory
302 Compile-time instrumentation is used to insert memory access checks. Compiler
309 enlarges the kernel, but it gives an x1.1-x2 performance boost over the
310 outline-instrumented kernel.
315 Software Tag-Based KASAN
318 Software Tag-Based KASAN uses a software memory tagging approach to checking
321 Software Tag-Based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
323 to store memory tags associated with each 16-byte memory cell (therefore, it
326 On each memory allocation, Software Tag-Based KASAN generates a random tag, tags
330 Software Tag-Based KASAN uses compile-time instrumentation to insert checks
333 this memory. In case of a tag mismatch, Software Tag-Based KASAN prints a bug
336 Software Tag-Based KASAN also has two instrumentation modes (outline, which
343 Software Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
347 Hardware Tag-Based KASAN
350 Hardware Tag-Based KASAN is similar to the software mode in concept but uses
354 Hardware Tag-Based KASAN is currently only implemented for arm64 architecture
355 and based on both arm64 Memory Tagging Extension (MTE) introduced in ARMv8.5
364 Hardware Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
368 If the hardware does not support MTE (pre ARMv8.5), Hardware Tag-Based KASAN
371 Note that enabling CONFIG_KASAN_HW_TAGS always results in in-kernel TBI being
375 Hardware Tag-Based KASAN only reports the first found bug. After that, MTE tag
379 -------------
394 other areas - such as vmalloc and vmemmap space - a single read-only
395 page is mapped over the shadow area. This read-only shadow page
404 lives in vmalloc space, it will be shadowed by the read-only page, and
419 page of shadow space. Allocating a full shadow page per mapping would
425 a backing page when a mapping in vmalloc space uses a particular page
426 of the shadow region. This page can be shared by other vmalloc
434 not be covered by the early shadow page but will be left unmapped.
435 This will require changes in arch-specific code.
441 --------------
458 - For a single file (e.g., main.o)::
462 - For all files in one directory::
466 For software KASAN modes, to disable instrumentation on a per-function basis,
467 use the KASAN-specific ``__no_sanitize_address`` function attribute or the
470 Note that disabling compiler instrumentation (either on a per-file or a
471 per-function basis) makes KASAN ignore the accesses that happen directly in
474 Tag-Based KASAN, which does not use compiler instrumentation.
481 For tag-based KASAN modes, to disable access checking, use
484 restoring the per-page KASAN tag via ``page_kasan_tag``/``page_kasan_tag_set``.
501 Each KUnit-compatible KASAN test prints one of multiple KASAN reports if an
506         ok 28 - kmalloc_double_kzfree
512         not ok 4 - kmalloc_large_oob_right
518         not ok 44 - kmalloc_double_kzfree
523         ok 1 - kasan
527         not ok 1 - kasan
529 There are a few ways to run KUnit-compatible KASAN tests.
533    With ``CONFIG_KUNIT`` enabled, KASAN-KUnit tests can be built as a loadable
536 2. Built-In
538    With ``CONFIG_KUNIT`` built-in, KASAN-KUnit tests can be built-in as well.
539    In this case, the tests will run at boot as a late-init call.
543    With ``CONFIG_KUNIT`` and ``CONFIG_KASAN_KUNIT_TEST`` built-in, it is also
546    See `KUnit documentation <https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html>`_
547    for more up-to-date information on ``kunit_tool``.
549 .. _KUnit: https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html