report.c 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * This file contains common KASAN error reporting code.
  4. *
  5. * Copyright (c) 2014 Samsung Electronics Co., Ltd.
  6. * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
  7. *
  8. * Some code borrowed from https://github.com/xairy/kasan-prototype by
  9. * Andrey Konovalov <andreyknvl@gmail.com>
  10. */
  11. #include <kunit/test.h>
  12. #include <kunit/visibility.h>
  13. #include <linux/bitops.h>
  14. #include <linux/ftrace.h>
  15. #include <linux/init.h>
  16. #include <linux/kernel.h>
  17. #include <linux/lockdep.h>
  18. #include <linux/mm.h>
  19. #include <linux/printk.h>
  20. #include <linux/sched.h>
  21. #include <linux/slab.h>
  22. #include <linux/stackdepot.h>
  23. #include <linux/stacktrace.h>
  24. #include <linux/string.h>
  25. #include <linux/types.h>
  26. #include <linux/vmalloc.h>
  27. #include <linux/kasan.h>
  28. #include <linux/module.h>
  29. #include <linux/sched/task_stack.h>
  30. #include <linux/uaccess.h>
  31. #include <trace/events/error_report.h>
  32. #include <asm/sections.h>
  33. #include "kasan.h"
  34. #include "../slab.h"
  35. static unsigned long kasan_flags;
  36. #define KASAN_BIT_REPORTED 0
  37. #define KASAN_BIT_MULTI_SHOT 1
  38. enum kasan_arg_fault {
  39. KASAN_ARG_FAULT_DEFAULT,
  40. KASAN_ARG_FAULT_REPORT,
  41. KASAN_ARG_FAULT_PANIC,
  42. KASAN_ARG_FAULT_PANIC_ON_WRITE,
  43. };
  44. static enum kasan_arg_fault kasan_arg_fault __ro_after_init = KASAN_ARG_FAULT_DEFAULT;
  45. /* kasan.fault=report/panic */
  46. static int __init early_kasan_fault(char *arg)
  47. {
  48. if (!arg)
  49. return -EINVAL;
  50. if (!strcmp(arg, "report"))
  51. kasan_arg_fault = KASAN_ARG_FAULT_REPORT;
  52. else if (!strcmp(arg, "panic"))
  53. kasan_arg_fault = KASAN_ARG_FAULT_PANIC;
  54. else if (!strcmp(arg, "panic_on_write"))
  55. kasan_arg_fault = KASAN_ARG_FAULT_PANIC_ON_WRITE;
  56. else
  57. return -EINVAL;
  58. return 0;
  59. }
  60. early_param("kasan.fault", early_kasan_fault);
  61. static int __init kasan_set_multi_shot(char *str)
  62. {
  63. set_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags);
  64. return 1;
  65. }
  66. __setup("kasan_multi_shot", kasan_set_multi_shot);
  67. /*
  68. * This function is used to check whether KASAN reports are suppressed for
  69. * software KASAN modes via kasan_disable/enable_current() critical sections.
  70. *
  71. * This is done to avoid:
  72. * 1. False-positive reports when accessing slab metadata,
  73. * 2. Deadlocking when poisoned memory is accessed by the reporting code.
  74. *
  75. * Hardware Tag-Based KASAN instead relies on:
  76. * For #1: Resetting tags via kasan_reset_tag().
  77. * For #2: Suppression of tag checks via CPU, see report_suppress_start/end().
  78. */
  79. static bool report_suppressed_sw(void)
  80. {
  81. #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
  82. if (current->kasan_depth)
  83. return true;
  84. #endif
  85. return false;
  86. }
  87. static void report_suppress_start(void)
  88. {
  89. #ifdef CONFIG_KASAN_HW_TAGS
  90. /*
  91. * Disable preemption for the duration of printing a KASAN report, as
  92. * hw_suppress_tag_checks_start() disables checks on the current CPU.
  93. */
  94. preempt_disable();
  95. hw_suppress_tag_checks_start();
  96. #else
  97. kasan_disable_current();
  98. #endif
  99. }
  100. static void report_suppress_stop(void)
  101. {
  102. #ifdef CONFIG_KASAN_HW_TAGS
  103. hw_suppress_tag_checks_stop();
  104. preempt_enable();
  105. #else
  106. kasan_enable_current();
  107. #endif
  108. }
  109. /*
  110. * Used to avoid reporting more than one KASAN bug unless kasan_multi_shot
  111. * is enabled. Note that KASAN tests effectively enable kasan_multi_shot
  112. * for their duration.
  113. */
  114. static bool report_enabled(void)
  115. {
  116. if (test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags))
  117. return true;
  118. return !test_and_set_bit(KASAN_BIT_REPORTED, &kasan_flags);
  119. }
  120. #if IS_ENABLED(CONFIG_KASAN_KUNIT_TEST)
  121. VISIBLE_IF_KUNIT bool kasan_save_enable_multi_shot(void)
  122. {
  123. return test_and_set_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags);
  124. }
  125. EXPORT_SYMBOL_IF_KUNIT(kasan_save_enable_multi_shot);
  126. VISIBLE_IF_KUNIT void kasan_restore_multi_shot(bool enabled)
  127. {
  128. if (!enabled)
  129. clear_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags);
  130. }
  131. EXPORT_SYMBOL_IF_KUNIT(kasan_restore_multi_shot);
  132. #endif
  133. #if IS_ENABLED(CONFIG_KASAN_KUNIT_TEST)
  134. /*
  135. * Whether the KASAN KUnit test suite is currently being executed.
  136. * Updated in kasan_test.c.
  137. */
  138. static bool kasan_kunit_executing;
  139. VISIBLE_IF_KUNIT void kasan_kunit_test_suite_start(void)
  140. {
  141. WRITE_ONCE(kasan_kunit_executing, true);
  142. }
  143. EXPORT_SYMBOL_IF_KUNIT(kasan_kunit_test_suite_start);
  144. VISIBLE_IF_KUNIT void kasan_kunit_test_suite_end(void)
  145. {
  146. WRITE_ONCE(kasan_kunit_executing, false);
  147. }
  148. EXPORT_SYMBOL_IF_KUNIT(kasan_kunit_test_suite_end);
  149. static bool kasan_kunit_test_suite_executing(void)
  150. {
  151. return READ_ONCE(kasan_kunit_executing);
  152. }
  153. #else /* CONFIG_KASAN_KUNIT_TEST */
  154. static inline bool kasan_kunit_test_suite_executing(void) { return false; }
  155. #endif /* CONFIG_KASAN_KUNIT_TEST */
  156. #if IS_ENABLED(CONFIG_KUNIT)
  157. static void fail_non_kasan_kunit_test(void)
  158. {
  159. struct kunit *test;
  160. if (kasan_kunit_test_suite_executing())
  161. return;
  162. test = current->kunit_test;
  163. if (test)
  164. kunit_set_failure(test);
  165. }
  166. #else /* CONFIG_KUNIT */
  167. static inline void fail_non_kasan_kunit_test(void) { }
  168. #endif /* CONFIG_KUNIT */
  169. static DEFINE_RAW_SPINLOCK(report_lock);
  170. static void start_report(unsigned long *flags)
  171. {
  172. fail_non_kasan_kunit_test();
  173. /* Respect the /proc/sys/kernel/traceoff_on_warning interface. */
  174. disable_trace_on_warning();
  175. /* Do not allow LOCKDEP mangling KASAN reports. */
  176. lockdep_off();
  177. /* Make sure we don't end up in loop. */
  178. report_suppress_start();
  179. raw_spin_lock_irqsave(&report_lock, *flags);
  180. pr_err("==================================================================\n");
  181. }
  182. static void end_report(unsigned long *flags, const void *addr, bool is_write)
  183. {
  184. if (addr)
  185. trace_error_report_end(ERROR_DETECTOR_KASAN,
  186. (unsigned long)addr);
  187. pr_err("==================================================================\n");
  188. raw_spin_unlock_irqrestore(&report_lock, *flags);
  189. if (!test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags))
  190. check_panic_on_warn("KASAN");
  191. switch (kasan_arg_fault) {
  192. case KASAN_ARG_FAULT_DEFAULT:
  193. case KASAN_ARG_FAULT_REPORT:
  194. break;
  195. case KASAN_ARG_FAULT_PANIC:
  196. panic("kasan.fault=panic set ...\n");
  197. break;
  198. case KASAN_ARG_FAULT_PANIC_ON_WRITE:
  199. if (is_write)
  200. panic("kasan.fault=panic_on_write set ...\n");
  201. break;
  202. }
  203. add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
  204. lockdep_on();
  205. report_suppress_stop();
  206. }
  207. static void print_error_description(struct kasan_report_info *info)
  208. {
  209. pr_err("BUG: KASAN: %s in %pS\n", info->bug_type, (void *)info->ip);
  210. if (info->type != KASAN_REPORT_ACCESS) {
  211. pr_err("Free of addr %px by task %s/%d\n",
  212. info->access_addr, current->comm, task_pid_nr(current));
  213. return;
  214. }
  215. if (info->access_size)
  216. pr_err("%s of size %zu at addr %px by task %s/%d\n",
  217. info->is_write ? "Write" : "Read", info->access_size,
  218. info->access_addr, current->comm, task_pid_nr(current));
  219. else
  220. pr_err("%s at addr %px by task %s/%d\n",
  221. info->is_write ? "Write" : "Read",
  222. info->access_addr, current->comm, task_pid_nr(current));
  223. }
  224. static void print_track(struct kasan_track *track, const char *prefix)
  225. {
  226. #ifdef CONFIG_KASAN_EXTRA_INFO
  227. u64 ts_nsec = track->timestamp;
  228. unsigned long rem_usec;
  229. ts_nsec <<= 9;
  230. rem_usec = do_div(ts_nsec, NSEC_PER_SEC) / 1000;
  231. pr_err("%s by task %u on cpu %d at %lu.%06lus:\n",
  232. prefix, track->pid, track->cpu,
  233. (unsigned long)ts_nsec, rem_usec);
  234. #else
  235. pr_err("%s by task %u:\n", prefix, track->pid);
  236. #endif /* CONFIG_KASAN_EXTRA_INFO */
  237. if (track->stack)
  238. stack_depot_print(track->stack);
  239. else
  240. pr_err("(stack is not available)\n");
  241. }
  242. static inline struct page *addr_to_page(const void *addr)
  243. {
  244. if (virt_addr_valid(addr))
  245. return virt_to_head_page(addr);
  246. return NULL;
  247. }
  248. static void describe_object_addr(const void *addr, struct kasan_report_info *info)
  249. {
  250. unsigned long access_addr = (unsigned long)addr;
  251. unsigned long object_addr = (unsigned long)info->object;
  252. const char *rel_type, *region_state = "";
  253. int rel_bytes;
  254. pr_err("The buggy address belongs to the object at %px\n"
  255. " which belongs to the cache %s of size %d\n",
  256. info->object, info->cache->name, info->cache->object_size);
  257. if (access_addr < object_addr) {
  258. rel_type = "to the left";
  259. rel_bytes = object_addr - access_addr;
  260. } else if (access_addr >= object_addr + info->alloc_size) {
  261. rel_type = "to the right";
  262. rel_bytes = access_addr - (object_addr + info->alloc_size);
  263. } else {
  264. rel_type = "inside";
  265. rel_bytes = access_addr - object_addr;
  266. }
  267. /*
  268. * Tag-Based modes use the stack ring to infer the bug type, but the
  269. * memory region state description is generated based on the metadata.
  270. * Thus, defining the region state as below can contradict the metadata.
  271. * Fixing this requires further improvements, so only infer the state
  272. * for the Generic mode.
  273. */
  274. if (IS_ENABLED(CONFIG_KASAN_GENERIC)) {
  275. if (strcmp(info->bug_type, "slab-out-of-bounds") == 0)
  276. region_state = "allocated ";
  277. else if (strcmp(info->bug_type, "slab-use-after-free") == 0)
  278. region_state = "freed ";
  279. }
  280. pr_err("The buggy address is located %d bytes %s of\n"
  281. " %s%zu-byte region [%px, %px)\n",
  282. rel_bytes, rel_type, region_state, info->alloc_size,
  283. (void *)object_addr, (void *)(object_addr + info->alloc_size));
  284. }
  285. static void describe_object_stacks(struct kasan_report_info *info)
  286. {
  287. if (info->alloc_track.stack) {
  288. print_track(&info->alloc_track, "Allocated");
  289. pr_err("\n");
  290. }
  291. if (info->free_track.stack) {
  292. print_track(&info->free_track, "Freed");
  293. pr_err("\n");
  294. }
  295. kasan_print_aux_stacks(info->cache, info->object);
  296. }
  297. static void describe_object(const void *addr, struct kasan_report_info *info)
  298. {
  299. if (kasan_stack_collection_enabled())
  300. describe_object_stacks(info);
  301. describe_object_addr(addr, info);
  302. }
  303. static inline bool kernel_or_module_addr(const void *addr)
  304. {
  305. if (is_kernel((unsigned long)addr))
  306. return true;
  307. if (is_module_address((unsigned long)addr))
  308. return true;
  309. return false;
  310. }
  311. static inline bool init_task_stack_addr(const void *addr)
  312. {
  313. return addr >= (void *)&init_thread_union.stack &&
  314. (addr <= (void *)&init_thread_union.stack +
  315. sizeof(init_thread_union.stack));
  316. }
  317. static void print_address_description(void *addr, u8 tag,
  318. struct kasan_report_info *info)
  319. {
  320. struct page *page = addr_to_page(addr);
  321. dump_stack_lvl(KERN_ERR);
  322. pr_err("\n");
  323. if (info->cache && info->object) {
  324. describe_object(addr, info);
  325. pr_err("\n");
  326. }
  327. if (kernel_or_module_addr(addr) && !init_task_stack_addr(addr)) {
  328. pr_err("The buggy address belongs to the variable:\n");
  329. pr_err(" %pS\n", addr);
  330. pr_err("\n");
  331. }
  332. if (object_is_on_stack(addr)) {
  333. /*
  334. * Currently, KASAN supports printing frame information only
  335. * for accesses to the task's own stack.
  336. */
  337. kasan_print_address_stack_frame(addr);
  338. pr_err("\n");
  339. }
  340. if (is_vmalloc_addr(addr)) {
  341. pr_err("The buggy address belongs to a");
  342. if (!vmalloc_dump_obj(addr))
  343. pr_cont(" vmalloc virtual mapping\n");
  344. page = vmalloc_to_page(addr);
  345. }
  346. if (page) {
  347. pr_err("The buggy address belongs to the physical page:\n");
  348. dump_page(page, "kasan: bad access detected");
  349. pr_err("\n");
  350. }
  351. }
  352. static bool meta_row_is_guilty(const void *row, const void *addr)
  353. {
  354. return (row <= addr) && (addr < row + META_MEM_BYTES_PER_ROW);
  355. }
  356. static int meta_pointer_offset(const void *row, const void *addr)
  357. {
  358. /*
  359. * Memory state around the buggy address:
  360. * ff00ff00ff00ff00: 00 00 00 05 fe fe fe fe fe fe fe fe fe fe fe fe
  361. * ...
  362. *
  363. * The length of ">ff00ff00ff00ff00: " is
  364. * 3 + (BITS_PER_LONG / 8) * 2 chars.
  365. * The length of each granule metadata is 2 bytes
  366. * plus 1 byte for space.
  367. */
  368. return 3 + (BITS_PER_LONG / 8) * 2 +
  369. (addr - row) / KASAN_GRANULE_SIZE * 3 + 1;
  370. }
  371. static void print_memory_metadata(const void *addr)
  372. {
  373. int i;
  374. void *row;
  375. row = (void *)round_down((unsigned long)addr, META_MEM_BYTES_PER_ROW)
  376. - META_ROWS_AROUND_ADDR * META_MEM_BYTES_PER_ROW;
  377. pr_err("Memory state around the buggy address:\n");
  378. for (i = -META_ROWS_AROUND_ADDR; i <= META_ROWS_AROUND_ADDR; i++) {
  379. char buffer[4 + (BITS_PER_LONG / 8) * 2];
  380. char metadata[META_BYTES_PER_ROW];
  381. snprintf(buffer, sizeof(buffer),
  382. (i == 0) ? ">%px: " : " %px: ", row);
  383. /*
  384. * We should not pass a shadow pointer to generic
  385. * function, because generic functions may try to
  386. * access kasan mapping for the passed address.
  387. */
  388. kasan_metadata_fetch_row(&metadata[0], row);
  389. print_hex_dump(KERN_ERR, buffer,
  390. DUMP_PREFIX_NONE, META_BYTES_PER_ROW, 1,
  391. metadata, META_BYTES_PER_ROW, 0);
  392. if (meta_row_is_guilty(row, addr))
  393. pr_err("%*c\n", meta_pointer_offset(row, addr), '^');
  394. row += META_MEM_BYTES_PER_ROW;
  395. }
  396. }
  397. static void print_report(struct kasan_report_info *info)
  398. {
  399. void *addr = kasan_reset_tag((void *)info->access_addr);
  400. u8 tag = get_tag((void *)info->access_addr);
  401. print_error_description(info);
  402. if (addr_has_metadata(addr))
  403. kasan_print_tags(tag, info->first_bad_addr);
  404. pr_err("\n");
  405. if (addr_has_metadata(addr)) {
  406. print_address_description(addr, tag, info);
  407. print_memory_metadata(info->first_bad_addr);
  408. } else {
  409. dump_stack_lvl(KERN_ERR);
  410. }
  411. }
  412. static void complete_report_info(struct kasan_report_info *info)
  413. {
  414. void *addr = kasan_reset_tag((void *)info->access_addr);
  415. struct slab *slab;
  416. if (info->type == KASAN_REPORT_ACCESS)
  417. info->first_bad_addr = kasan_find_first_bad_addr(
  418. (void *)info->access_addr, info->access_size);
  419. else
  420. info->first_bad_addr = addr;
  421. slab = kasan_addr_to_slab(addr);
  422. if (slab) {
  423. info->cache = slab->slab_cache;
  424. info->object = nearest_obj(info->cache, slab, addr);
  425. /* Try to determine allocation size based on the metadata. */
  426. info->alloc_size = kasan_get_alloc_size(info->object, info->cache);
  427. /* Fallback to the object size if failed. */
  428. if (!info->alloc_size)
  429. info->alloc_size = info->cache->object_size;
  430. } else
  431. info->cache = info->object = NULL;
  432. switch (info->type) {
  433. case KASAN_REPORT_INVALID_FREE:
  434. info->bug_type = "invalid-free";
  435. break;
  436. case KASAN_REPORT_DOUBLE_FREE:
  437. info->bug_type = "double-free";
  438. break;
  439. default:
  440. /* bug_type filled in by kasan_complete_mode_report_info. */
  441. break;
  442. }
  443. /* Fill in mode-specific report info fields. */
  444. kasan_complete_mode_report_info(info);
  445. }
  446. void kasan_report_invalid_free(void *ptr, unsigned long ip, enum kasan_report_type type)
  447. {
  448. unsigned long flags;
  449. struct kasan_report_info info;
  450. /*
  451. * Do not check report_suppressed_sw(), as an invalid-free cannot be
  452. * caused by accessing poisoned memory and thus should not be suppressed
  453. * by kasan_disable/enable_current() critical sections.
  454. *
  455. * Note that for Hardware Tag-Based KASAN, kasan_report_invalid_free()
  456. * is triggered by explicit tag checks and not by the ones performed by
  457. * the CPU. Thus, reporting invalid-free is not suppressed as well.
  458. */
  459. if (unlikely(!report_enabled()))
  460. return;
  461. start_report(&flags);
  462. __memset(&info, 0, sizeof(info));
  463. info.type = type;
  464. info.access_addr = ptr;
  465. info.access_size = 0;
  466. info.is_write = false;
  467. info.ip = ip;
  468. complete_report_info(&info);
  469. print_report(&info);
  470. /*
  471. * Invalid free is considered a "write" since the allocator's metadata
  472. * updates involves writes.
  473. */
  474. end_report(&flags, ptr, true);
  475. }
  476. /*
  477. * kasan_report() is the only reporting function that uses
  478. * user_access_save/restore(): kasan_report_invalid_free() cannot be called
  479. * from a UACCESS region, and kasan_report_async() is not used on x86.
  480. */
  481. bool kasan_report(const void *addr, size_t size, bool is_write,
  482. unsigned long ip)
  483. {
  484. bool ret = true;
  485. unsigned long ua_flags = user_access_save();
  486. unsigned long irq_flags;
  487. struct kasan_report_info info;
  488. if (unlikely(report_suppressed_sw()) || unlikely(!report_enabled())) {
  489. ret = false;
  490. goto out;
  491. }
  492. start_report(&irq_flags);
  493. __memset(&info, 0, sizeof(info));
  494. info.type = KASAN_REPORT_ACCESS;
  495. info.access_addr = addr;
  496. info.access_size = size;
  497. info.is_write = is_write;
  498. info.ip = ip;
  499. complete_report_info(&info);
  500. print_report(&info);
  501. end_report(&irq_flags, (void *)addr, is_write);
  502. out:
  503. user_access_restore(ua_flags);
  504. return ret;
  505. }
  506. #ifdef CONFIG_KASAN_HW_TAGS
  507. void kasan_report_async(void)
  508. {
  509. unsigned long flags;
  510. /*
  511. * Do not check report_suppressed_sw(), as
  512. * kasan_disable/enable_current() critical sections do not affect
  513. * Hardware Tag-Based KASAN.
  514. */
  515. if (unlikely(!report_enabled()))
  516. return;
  517. start_report(&flags);
  518. pr_err("BUG: KASAN: invalid-access\n");
  519. pr_err("Asynchronous fault: no details available\n");
  520. pr_err("\n");
  521. dump_stack_lvl(KERN_ERR);
  522. /*
  523. * Conservatively set is_write=true, because no details are available.
  524. * In this mode, kasan.fault=panic_on_write is like kasan.fault=panic.
  525. */
  526. end_report(&flags, NULL, true);
  527. }
  528. #endif /* CONFIG_KASAN_HW_TAGS */
  529. #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
  530. /*
  531. * With compiler-based KASAN modes, accesses to bogus pointers (outside of the
  532. * mapped kernel address space regions) cause faults when KASAN tries to check
  533. * the shadow memory before the actual memory access. This results in cryptic
  534. * GPF reports, which are hard for users to interpret. This hook helps users to
  535. * figure out what the original bogus pointer was.
  536. */
  537. void kasan_non_canonical_hook(unsigned long addr)
  538. {
  539. unsigned long orig_addr;
  540. const char *bug_type;
  541. /*
  542. * All addresses that came as a result of the memory-to-shadow mapping
  543. * (even for bogus pointers) must be >= KASAN_SHADOW_OFFSET.
  544. */
  545. if (addr < KASAN_SHADOW_OFFSET)
  546. return;
  547. orig_addr = (unsigned long)kasan_shadow_to_mem((void *)addr);
  548. /*
  549. * For faults near the shadow address for NULL, we can be fairly certain
  550. * that this is a KASAN shadow memory access.
  551. * For faults that correspond to the shadow for low or high canonical
  552. * addresses, we can still be pretty sure: these shadow regions are a
  553. * fairly narrow chunk of the address space.
  554. * But the shadow for non-canonical addresses is a really large chunk
  555. * of the address space. For this case, we still print the decoded
  556. * address, but make it clear that this is not necessarily what's
  557. * actually going on.
  558. */
  559. if (orig_addr < PAGE_SIZE)
  560. bug_type = "null-ptr-deref";
  561. else if (orig_addr < TASK_SIZE)
  562. bug_type = "probably user-memory-access";
  563. else if (addr_in_shadow((void *)addr))
  564. bug_type = "probably wild-memory-access";
  565. else
  566. bug_type = "maybe wild-memory-access";
  567. pr_alert("KASAN: %s in range [0x%016lx-0x%016lx]\n", bug_type,
  568. orig_addr, orig_addr + KASAN_GRANULE_SIZE - 1);
  569. }
  570. #endif