add new system file

hc

2024-02-20 102a0743326a03cd1a1202ceda21e175b7d3575c

 kernel/mm/kasan/report.c
..
..
@@ -1,17 +1,12 @@
1
1
 // SPDX-License-Identifier: GPL-2.0
2
2
 /*
3
- * This file contains common generic and tag-based KASAN error reporting code.
3
+ * This file contains common KASAN error reporting code.
4
4
  *
5
5
  * Copyright (c) 2014 Samsung Electronics Co., Ltd.
6
6
  * Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
7
7
  *
8
8
  * Some code borrowed from https://github.com/xairy/kasan-prototype by
9
9
  *        Andrey Konovalov <andreyknvl@gmail.com>
10
- *
11
- * This program is free software; you can redistribute it and/or modify
12
- * it under the terms of the GNU General Public License version 2 as
13
- * published by the Free Software Foundation.
14
- *
15
10
  */
16
11
 
17
12
 #include <linux/bitops.h>
..
..
@@ -28,17 +23,16 @@
28
23
 #include <linux/types.h>
29
24
 #include <linux/kasan.h>
30
25
 #include <linux/module.h>
26
+#include <linux/sched/task_stack.h>
27
+#include <linux/uaccess.h>
28
+#include <trace/events/error_report.h>
31
29
 
32
30
 #include <asm/sections.h>
33
31
 
32
+#include <kunit/test.h>
33
+
34
34
 #include "kasan.h"
35
35
 #include "../slab.h"
36
-
37
-/* Shadow layout customization. */
38
-#define SHADOW_BYTES_PER_BLOCK 1
39
-#define SHADOW_BLOCKS_PER_ROW 16
40
-#define SHADOW_BYTES_PER_ROW (SHADOW_BLOCKS_PER_ROW * SHADOW_BYTES_PER_BLOCK)
41
-#define SHADOW_ROWS_AROUND_ADDR 2
42
36
 
43
37
 static unsigned long kasan_flags;
44
38
 
..
..
@@ -68,10 +62,15 @@
68
62
 static void print_error_description(struct kasan_access_info *info)
69
63
 {
70
64
 	pr_err("BUG: KASAN: %s in %pS\n",
71
-		get_bug_type(info), (void *)info->ip);
72
-	pr_err("%s of size %zu at addr %px by task %s/%d\n",
73
-		info->is_write ? "Write" : "Read", info->access_size,
74
-		info->access_addr, current->comm, task_pid_nr(current));
65
+		kasan_get_bug_type(info), (void *)info->ip);
66
+	if (info->access_size)
67
+		pr_err("%s of size %zu at addr %px by task %s/%d\n",
68
+			info->is_write ? "Write" : "Read", info->access_size,
69
+			info->access_addr, current->comm, task_pid_nr(current));
70
+	else
71
+		pr_err("%s at addr %px by task %s/%d\n",
72
+			info->is_write ? "Write" : "Read",
73
+			info->access_addr, current->comm, task_pid_nr(current));
75
74
 }
76
75
 
77
76
 static DEFINE_SPINLOCK(report_lock);
..
..
@@ -86,30 +85,42 @@
86
85
 	pr_err("==================================================================\n");
87
86
 }
88
87
 
89
-static void end_report(unsigned long *flags)
88
+static void end_report(unsigned long *flags, unsigned long addr)
90
89
 {
90
+	if (!kasan_async_mode_enabled())
91
+		trace_error_report_end(ERROR_DETECTOR_KASAN, addr);
91
92
 	pr_err("==================================================================\n");
92
93
 	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);
93
94
 	spin_unlock_irqrestore(&report_lock, *flags);
94
-	if (panic_on_warn)
95
-		panic("panic_on_warn set ...\n");
95
+	if (!test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags))
96
+		check_panic_on_warn("KASAN");
97
+#ifdef CONFIG_KASAN_HW_TAGS
98
+	if (kasan_flag_panic)
99
+		panic("kasan.fault=panic set ...\n");
100
+#endif
96
101
 	kasan_enable_current();
102
+}
103
+
104
+static void print_stack(depot_stack_handle_t stack)
105
+{
106
+	unsigned long *entries;
107
+	unsigned int nr_entries;
108
+
109
+	nr_entries = stack_depot_fetch(stack, &entries);
110
+	stack_trace_print(entries, nr_entries, 0);
97
111
 }
98
112
 
99
113
 static void print_track(struct kasan_track *track, const char *prefix)
100
114
 {
101
115
 	pr_err("%s by task %u:\n", prefix, track->pid);
102
116
 	if (track->stack) {
103
-		struct stack_trace trace;
104
-
105
-		depot_fetch_stack(track->stack, &trace);
106
-		print_stack_trace(&trace, 0);
117
+		print_stack(track->stack);
107
118
 	} else {
108
119
 		pr_err("(stack is not available)\n");
109
120
 	}
110
121
 }
111
122
 
112
-static struct page *addr_to_page(const void *addr)
123
+struct page *kasan_addr_to_page(const void *addr)
113
124
 {
114
125
 	if ((addr >= (void *)PAGE_OFFSET) &&
115
126
 			(addr < high_memory))
..
..
@@ -149,18 +160,45 @@
149
160
 		(void *)(object_addr + cache->object_size));
150
161
 }
151
162
 
152
-static void describe_object(struct kmem_cache *cache, void *object,
153
-				const void *addr)
163
+static void describe_object_stacks(struct kmem_cache *cache, void *object,
164
+					const void *addr, u8 tag)
154
165
 {
155
-	struct kasan_alloc_meta *alloc_info = get_alloc_info(cache, object);
166
+	struct kasan_alloc_meta *alloc_meta;
167
+	struct kasan_track *free_track;
156
168
 
157
-	if (cache->flags & SLAB_KASAN) {
158
-		print_track(&alloc_info->alloc_track, "Allocated");
159
-		pr_err("\n");
160
-		print_track(&alloc_info->free_track, "Freed");
169
+	alloc_meta = kasan_get_alloc_meta(cache, object);
170
+	if (alloc_meta) {
171
+		print_track(&alloc_meta->alloc_track, "Allocated");
161
172
 		pr_err("\n");
162
173
 	}
163
174
 
175
+	free_track = kasan_get_free_track(cache, object, tag);
176
+	if (free_track) {
177
+		print_track(free_track, "Freed");
178
+		pr_err("\n");
179
+	}
180
+
181
+#ifdef CONFIG_KASAN_GENERIC
182
+	if (!alloc_meta)
183
+		return;
184
+	if (alloc_meta->aux_stack[0]) {
185
+		pr_err("Last potentially related work creation:\n");
186
+		print_stack(alloc_meta->aux_stack[0]);
187
+		pr_err("\n");
188
+	}
189
+	if (alloc_meta->aux_stack[1]) {
190
+		pr_err("Second to last potentially related work creation:\n");
191
+		print_stack(alloc_meta->aux_stack[1]);
192
+		pr_err("\n");
193
+	}
194
+#endif
195
+}
196
+
197
+static void describe_object(struct kmem_cache *cache, void *object,
198
+				const void *addr, u8 tag)
199
+{
200
+	if (kasan_stack_collection_enabled())
201
+		describe_object_stacks(cache, object, addr, tag);
164
202
 	describe_object_addr(cache, object, addr);
165
203
 }
166
204
 
..
..
@@ -180,18 +218,18 @@
180
218
 			sizeof(init_thread_union.stack));
181
219
 }
182
220
 
183
-static void print_address_description(void *addr)
221
+static void print_address_description(void *addr, u8 tag)
184
222
 {
185
-	struct page *page = addr_to_page(addr);
223
+	struct page *page = kasan_addr_to_page(addr);
186
224
 
187
-	dump_stack();
225
+	dump_stack_lvl(KERN_ERR);
188
226
 	pr_err("\n");
189
227
 
190
228
 	if (page && PageSlab(page)) {
191
229
 		struct kmem_cache *cache = page->slab_cache;
192
230
 		void *object = nearest_obj(cache, page,	addr);
193
231
 
194
-		describe_object(cache, object, addr);
232
+		describe_object(cache, object, addr, tag);
195
233
 	}
196
234
 
197
235
 	if (kernel_or_module_addr(addr) && !init_task_stack_addr(addr)) {
..
..
@@ -203,102 +241,159 @@
203
241
 		pr_err("The buggy address belongs to the page:\n");
204
242
 		dump_page(page, "kasan: bad access detected");
205
243
 	}
244
+
245
+	kasan_print_address_stack_frame(addr);
206
246
 }
207
247
 
208
-static bool row_is_guilty(const void *row, const void *guilty)
248
+static bool meta_row_is_guilty(const void *row, const void *addr)
209
249
 {
210
-	return (row <= guilty) && (guilty < row + SHADOW_BYTES_PER_ROW);
250
+	return (row <= addr) && (addr < row + META_MEM_BYTES_PER_ROW);
211
251
 }
212
252
 
213
-static int shadow_pointer_offset(const void *row, const void *shadow)
253
+static int meta_pointer_offset(const void *row, const void *addr)
214
254
 {
215
-	/* The length of ">ff00ff00ff00ff00: " is
216
-	 *    3 + (BITS_PER_LONG/8)*2 chars.
255
+	/*
256
+	 * Memory state around the buggy address:
257
+	 *  ff00ff00ff00ff00: 00 00 00 05 fe fe fe fe fe fe fe fe fe fe fe fe
258
+	 *  ...
259
+	 *
260
+	 * The length of ">ff00ff00ff00ff00: " is
261
+	 *    3 + (BITS_PER_LONG / 8) * 2 chars.
262
+	 * The length of each granule metadata is 2 bytes
263
+	 *    plus 1 byte for space.
217
264
 	 */
218
-	return 3 + (BITS_PER_LONG/8)*2 + (shadow - row)*2 +
219
-		(shadow - row) / SHADOW_BYTES_PER_BLOCK + 1;
265
+	return 3 + (BITS_PER_LONG / 8) * 2 +
266
+		(addr - row) / KASAN_GRANULE_SIZE * 3 + 1;
220
267
 }
221
268
 
222
-static void print_shadow_for_address(const void *addr)
269
+static void print_memory_metadata(const void *addr)
223
270
 {
224
271
 	int i;
225
-	const void *shadow = kasan_mem_to_shadow(addr);
226
-	const void *shadow_row;
272
+	void *row;
227
273
 
228
-	shadow_row = (void *)round_down((unsigned long)shadow,
229
-					SHADOW_BYTES_PER_ROW)
230
-		- SHADOW_ROWS_AROUND_ADDR * SHADOW_BYTES_PER_ROW;
274
+	row = (void *)round_down((unsigned long)addr, META_MEM_BYTES_PER_ROW)
275
+			- META_ROWS_AROUND_ADDR * META_MEM_BYTES_PER_ROW;
231
276
 
232
277
 	pr_err("Memory state around the buggy address:\n");
233
278
 
234
-	for (i = -SHADOW_ROWS_AROUND_ADDR; i <= SHADOW_ROWS_AROUND_ADDR; i++) {
235
-		const void *kaddr = kasan_shadow_to_mem(shadow_row);
236
-		char buffer[4 + (BITS_PER_LONG/8)*2];
237
-		char shadow_buf[SHADOW_BYTES_PER_ROW];
279
+	for (i = -META_ROWS_AROUND_ADDR; i <= META_ROWS_AROUND_ADDR; i++) {
280
+		char buffer[4 + (BITS_PER_LONG / 8) * 2];
281
+		char metadata[META_BYTES_PER_ROW];
238
282
 
239
283
 		snprintf(buffer, sizeof(buffer),
240
-			(i == 0) ? ">%px: " : " %px: ", kaddr);
284
+				(i == 0) ? ">%px: " : " %px: ", row);
285
+
241
286
 		/*
242
287
 		 * We should not pass a shadow pointer to generic
243
288
 		 * function, because generic functions may try to
244
289
 		 * access kasan mapping for the passed address.
245
290
 		 */
246
-		memcpy(shadow_buf, shadow_row, SHADOW_BYTES_PER_ROW);
291
+		kasan_metadata_fetch_row(&metadata[0], row);
292
+
247
293
 		print_hex_dump(KERN_ERR, buffer,
248
-			DUMP_PREFIX_NONE, SHADOW_BYTES_PER_ROW, 1,
249
-			shadow_buf, SHADOW_BYTES_PER_ROW, 0);
294
+			DUMP_PREFIX_NONE, META_BYTES_PER_ROW, 1,
295
+			metadata, META_BYTES_PER_ROW, 0);
250
296
 
251
-		if (row_is_guilty(shadow_row, shadow))
252
-			pr_err("%*c\n",
253
-				shadow_pointer_offset(shadow_row, shadow),
254
-				'^');
297
+		if (meta_row_is_guilty(row, addr))
298
+			pr_err("%*c\n", meta_pointer_offset(row, addr), '^');
255
299
 
256
-		shadow_row += SHADOW_BYTES_PER_ROW;
300
+		row += META_MEM_BYTES_PER_ROW;
257
301
 	}
258
302
 }
259
303
 
260
304
 static bool report_enabled(void)
261
305
 {
306
+#if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)
262
307
 	if (current->kasan_depth)
263
308
 		return false;
309
+#endif
264
310
 	if (test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags))
265
311
 		return true;
266
312
 	return !test_and_set_bit(KASAN_BIT_REPORTED, &kasan_flags);
267
313
 }
268
314
 
315
+#if IS_ENABLED(CONFIG_KUNIT)
316
+static void kasan_update_kunit_status(struct kunit *cur_test)
317
+{
318
+	struct kunit_resource *resource;
319
+	struct kunit_kasan_expectation *kasan_data;
320
+
321
+	resource = kunit_find_named_resource(cur_test, "kasan_data");
322
+
323
+	if (!resource) {
324
+		kunit_set_failure(cur_test);
325
+		return;
326
+	}
327
+
328
+	kasan_data = (struct kunit_kasan_expectation *)resource->data;
329
+	WRITE_ONCE(kasan_data->report_found, true);
330
+	kunit_put_resource(resource);
331
+}
332
+#endif /* IS_ENABLED(CONFIG_KUNIT) */
333
+
269
334
 void kasan_report_invalid_free(void *object, unsigned long ip)
270
335
 {
271
336
 	unsigned long flags;
337
+	u8 tag = get_tag(object);
338
+
339
+	object = kasan_reset_tag(object);
340
+
341
+#if IS_ENABLED(CONFIG_KUNIT)
342
+	if (current->kunit_test)
343
+		kasan_update_kunit_status(current->kunit_test);
344
+#endif /* IS_ENABLED(CONFIG_KUNIT) */
272
345
 
273
346
 	start_report(&flags);
274
347
 	pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", (void *)ip);
275
-	print_tags(get_tag(object), reset_tag(object));
276
-	object = reset_tag(object);
348
+	kasan_print_tags(tag, object);
277
349
 	pr_err("\n");
278
-	print_address_description(object);
350
+	print_address_description(object, tag);
279
351
 	pr_err("\n");
280
-	print_shadow_for_address(object);
281
-	end_report(&flags);
352
+	print_memory_metadata(object);
353
+	end_report(&flags, (unsigned long)object);
282
354
 }
283
355
 
284
-void __kasan_report(unsigned long addr, size_t size, bool is_write, unsigned long ip)
356
+#ifdef CONFIG_KASAN_HW_TAGS
357
+void kasan_report_async(void)
358
+{
359
+	unsigned long flags;
360
+
361
+#if IS_ENABLED(CONFIG_KUNIT)
362
+	if (current->kunit_test)
363
+		kasan_update_kunit_status(current->kunit_test);
364
+#endif /* IS_ENABLED(CONFIG_KUNIT) */
365
+
366
+	start_report(&flags);
367
+	pr_err("BUG: KASAN: invalid-access\n");
368
+	pr_err("Asynchronous mode enabled: no access details available\n");
369
+	pr_err("\n");
370
+	dump_stack_lvl(KERN_ERR);
371
+	end_report(&flags, 0);
372
+}
373
+#endif /* CONFIG_KASAN_HW_TAGS */
374
+
375
+static void __kasan_report(unsigned long addr, size_t size, bool is_write,
376
+				unsigned long ip)
285
377
 {
286
378
 	struct kasan_access_info info;
287
379
 	void *tagged_addr;
288
380
 	void *untagged_addr;
289
381
 	unsigned long flags;
290
382
 
291
-	if (likely(!report_enabled()))
292
-		return;
383
+#if IS_ENABLED(CONFIG_KUNIT)
384
+	if (current->kunit_test)
385
+		kasan_update_kunit_status(current->kunit_test);
386
+#endif /* IS_ENABLED(CONFIG_KUNIT) */
293
387
 
294
388
 	disable_trace_on_warning();
295
389
 
296
390
 	tagged_addr = (void *)addr;
297
-	untagged_addr = reset_tag(tagged_addr);
391
+	untagged_addr = kasan_reset_tag(tagged_addr);
298
392
 
299
393
 	info.access_addr = tagged_addr;
300
-	if (addr_has_shadow(untagged_addr))
301
-		info.first_bad_addr = find_first_bad_addr(tagged_addr, size);
394
+	if (addr_has_metadata(untagged_addr))
395
+		info.first_bad_addr =
396
+			kasan_find_first_bad_addr(tagged_addr, size);
302
397
 	else
303
398
 		info.first_bad_addr = untagged_addr;
304
399
 	info.access_size = size;
..
..
@@ -308,17 +403,73 @@
308
403
 	start_report(&flags);
309
404
 
310
405
 	print_error_description(&info);
311
-	if (addr_has_shadow(untagged_addr))
312
-		print_tags(get_tag(tagged_addr), info.first_bad_addr);
406
+	if (addr_has_metadata(untagged_addr))
407
+		kasan_print_tags(get_tag(tagged_addr), info.first_bad_addr);
313
408
 	pr_err("\n");
314
409
 
315
-	if (addr_has_shadow(untagged_addr)) {
316
-		print_address_description(untagged_addr);
410
+	if (addr_has_metadata(untagged_addr)) {
411
+		print_address_description(untagged_addr, get_tag(tagged_addr));
317
412
 		pr_err("\n");
318
-		print_shadow_for_address(info.first_bad_addr);
413
+		print_memory_metadata(info.first_bad_addr);
319
414
 	} else {
320
-		dump_stack();
415
+		dump_stack_lvl(KERN_ERR);
321
416
 	}
322
417
 
323
-	end_report(&flags);
418
+	end_report(&flags, addr);
324
419
 }
420
+
421
+bool kasan_report(unsigned long addr, size_t size, bool is_write,
422
+			unsigned long ip)
423
+{
424
+	unsigned long flags = user_access_save();
425
+	bool ret = false;
426
+
427
+	if (likely(report_enabled())) {
428
+		__kasan_report(addr, size, is_write, ip);
429
+		ret = true;
430
+	}
431
+
432
+	user_access_restore(flags);
433
+
434
+	return ret;
435
+}
436
+
437
+#ifdef CONFIG_KASAN_INLINE
438
+/*
439
+ * With CONFIG_KASAN_INLINE, accesses to bogus pointers (outside the high
440
+ * canonical half of the address space) cause out-of-bounds shadow memory reads
441
+ * before the actual access. For addresses in the low canonical half of the
442
+ * address space, as well as most non-canonical addresses, that out-of-bounds
443
+ * shadow memory access lands in the non-canonical part of the address space.
444
+ * Help the user figure out what the original bogus pointer was.
445
+ */
446
+void kasan_non_canonical_hook(unsigned long addr)
447
+{
448
+	unsigned long orig_addr;
449
+	const char *bug_type;
450
+
451
+	if (addr < KASAN_SHADOW_OFFSET)
452
+		return;
453
+
454
+	orig_addr = (addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
455
+	/*
456
+	 * For faults near the shadow address for NULL, we can be fairly certain
457
+	 * that this is a KASAN shadow memory access.
458
+	 * For faults that correspond to shadow for low canonical addresses, we
459
+	 * can still be pretty sure - that shadow region is a fairly narrow
460
+	 * chunk of the non-canonical address space.
461
+	 * But faults that look like shadow for non-canonical addresses are a
462
+	 * really large chunk of the address space. In that case, we still
463
+	 * print the decoded address, but make it clear that this is not
464
+	 * necessarily what's actually going on.
465
+	 */
466
+	if (orig_addr < PAGE_SIZE)
467
+		bug_type = "null-ptr-deref";
468
+	else if (orig_addr < TASK_SIZE)
469
+		bug_type = "probably user-memory-access";
470
+	else
471
+		bug_type = "maybe wild-memory-access";
472
+	pr_alert("KASAN: %s in range [0x%016lx-0x%016lx]\n", bug_type,
473
+		 orig_addr, orig_addr + KASAN_GRANULE_SIZE - 1);
474
+}
475
+#endif