Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp736912pxf; Thu, 11 Mar 2021 13:40:49 -0800 (PST) X-Google-Smtp-Source: ABdhPJw4eUDbrAIcsApLrNe733+LghvAFf78dG/pU4k17BMv2qKlP9Nbe5aT5uAF00em4hWAPIDk X-Received: by 2002:a17:906:f88a:: with SMTP id lg10mr5193075ejb.39.1615498849704; Thu, 11 Mar 2021 13:40:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615498849; cv=none; d=google.com; s=arc-20160816; b=eHvofut0+o5skAFvP8iXYFnl0OdzUKnbUx/WjjGeOWUnsBFrrWDppCZFimlUc6EA9P cKy9OLI5CMjAVwhrGQFn8HzvBKmBQGccmpP3iDVl6nscRDLYQCoZ1EkNHYVllQwW1WuK KaqG5T6JWxuhjvUP6sEqd59E+avgKf9Q/iC1FDwObJQIoPQCwrDkjXpoJvk2a/Nq1EfQ MUM0xfArLhpaNgJ4y6NeIdpsMPqNLEZPhiFclZwTmE+tyHUPvZT+GhQvO7h5u2IrKHBF 6LVqvnsH3fpP7nOQAsNCWIV62CdrMqzXsUgFlpxadbvcdDGWGiXl67qR58KNvkA7Oz/w FUYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:references:mime-version :message-id:in-reply-to:date:dkim-signature; bh=Z5eOirVQs3kFMVVYLPwNbYTFfp7Ms1nJ3eBbZNg7oSE=; b=WMhlJVeHW+KgAa3Zdyam+ufNsPvuo85hCX9sA2HpewAJOpUrWic6kCIZ+I18wnf0Ga N93LUJoYS4OGy6/ra/58Wi8ibZ4GBrOxl/sGxZhJhQaLBrjCqMxadB2F+EvmQ6cKgg9D kQli9E2wg4QVa9oELSu8yanujvJ1aG1G/kFSYX9pkEI87/dXtLdT3ED3ydSEKbyUfdDx J2pvWpLZ0atKGNajzpSqXQ8BBV1mEibXcZ5EW3t6ds8jzEnz6gaTwlIO204l2qa8hRW8 E1slsjPh8JtpOMhmxwSeHm+IysrqBCONVxXr89D/HnbnzOQ1fK+dPKsHWbTPPY1HSY7f IP4Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ss9oJe0p; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t16si2721522edi.293.2021.03.11.13.40.27; Thu, 11 Mar 2021 13:40:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ss9oJe0p; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231189AbhCKViJ (ORCPT + 99 others); Thu, 11 Mar 2021 16:38:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38998 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231159AbhCKVhf (ORCPT ); Thu, 11 Mar 2021 16:37:35 -0500 Received: from mail-qt1-x84a.google.com (mail-qt1-x84a.google.com [IPv6:2607:f8b0:4864:20::84a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E2FDC061574 for ; Thu, 11 Mar 2021 13:37:35 -0800 (PST) Received: by mail-qt1-x84a.google.com with SMTP id v19so16585425qtw.19 for ; Thu, 11 Mar 2021 13:37:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=Z5eOirVQs3kFMVVYLPwNbYTFfp7Ms1nJ3eBbZNg7oSE=; b=ss9oJe0pM2ElU/I3jSTTIlzmBUFKVJwse1lMSmfbJC3heqvzN6V6cu3CVowDOoIys7 rHMW8ZRVxkgSQlriCc4puO8sQCLF4m52Eo7IvUY49QDarKLJYOtK6OA4Ulvgcrs5jMLJ 0frkrdx99oF6gVY8/+c6aadOP0Sm5IPEodDeKW00DgiskPb06OwXLLcaGoFCFAFb02We 4RaGm9dQxKxdpEJ5Smlg67KHtZJ4/ZGTU/9xSWGC5mt8nD8ct0o6fNh5RoUkDWOBFMxZ 4HacTXoIMjA7mgORYCvPh35ywI0iWSlVW8T1j1N8iEmg+PCR69tuDedRH8+TrZPo3mMi Z8nQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=Z5eOirVQs3kFMVVYLPwNbYTFfp7Ms1nJ3eBbZNg7oSE=; b=IKKVeZZKL3ANRGSFi3AY7/fmdAlF61JpT19WKXmYpmayLlqiYdZ3+OZkn4Kpp/wdVP nY9oeTlyiwZC78sZ5ZVFVuPusLWH2CC6F3x6hUkzp5ggI4XGBRTEMQRCrSZe5EdXqJK5 7OwjtUshoCnOLT89DP7TObvnj8gA9hsAsaI3ojPieApU6UkiRS8qqmkj5j/Lf6V4rGuk CHW2nHpgpl3e4QiDWdwJxrTXCQyVgfT1awr49W8ThqIqGMXpIZyAUifvsQIUi/WjWIPs 8hilLCACxdv2KKCDbnFkLo6Xpr5SSpKfhJC24u1s8Bct46MebrhrbiFL/JPxsy+NEPo7 iQ3w== X-Gm-Message-State: AOAM532TDJqa91mhv0HsUiqrBaHMhZxJoR7f8hJ/RHHvUW+OYOL2blgy 1KiQfB03+0T3TjJagqbyz67UApvqjnaldyKa X-Received: from andreyknvl3.muc.corp.google.com ([2a00:79e0:15:13:95a:d8a8:4925:42be]) (user=andreyknvl job=sendgmr) by 2002:a0c:c248:: with SMTP id w8mr9669098qvh.58.1615498654537; Thu, 11 Mar 2021 13:37:34 -0800 (PST) Date: Thu, 11 Mar 2021 22:37:16 +0100 In-Reply-To: Message-Id: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.31.0.rc2.261.g7f71774620-goog Subject: [PATCH 04/11] kasan: docs: update error reports section From: Andrey Konovalov To: Andrew Morton , Alexander Potapenko , Marco Elver Cc: Andrey Ryabinin , Dmitry Vyukov , kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Update the "Error reports" section in KASAN documentation: - Mention that bug titles are best-effort. - Move and reword the part about auxiliary stacks from "Implementation details". - Punctuation, readability, and other minor clean-ups. Signed-off-by: Andrey Konovalov --- Documentation/dev-tools/kasan.rst | 46 +++++++++++++++++-------------- 1 file changed, 26 insertions(+), 20 deletions(-) diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst index f21c0cbebcb3..5fe43489e94e 100644 --- a/Documentation/dev-tools/kasan.rst +++ b/Documentation/dev-tools/kasan.rst @@ -60,7 +60,7 @@ physical pages, enable ``CONFIG_PAGE_OWNER`` and boot with ``page_owner=on``. Error reports ~~~~~~~~~~~~~ -A typical out-of-bounds access generic KASAN report looks like this:: +A typical KASAN report looks like this:: ================================================================== BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xa8/0xbc [test_kasan] @@ -133,33 +133,43 @@ A typical out-of-bounds access generic KASAN report looks like this:: ffff8801f44ec400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ================================================================== -The header of the report provides a short summary of what kind of bug happened -and what kind of access caused it. It's followed by a stack trace of the bad -access, a stack trace of where the accessed memory was allocated (in case bad -access happens on a slab object), and a stack trace of where the object was -freed (in case of a use-after-free bug report). Next comes a description of -the accessed slab object and information about the accessed memory page. +The report header summarizes what kind of bug happened and what kind of access +caused it. It is followed by a stack trace of the bad access, a stack trace of +where the accessed memory was allocated (in case a slab object was accessed), +and a stack trace of where the object was freed (in case of a use-after-free +bug report). Next comes a description of the accessed slab object and the +information about the accessed memory page. -In the last section the report shows memory state around the accessed address. -Internally KASAN tracks memory state separately for each memory granule, which +In the end, the report shows the memory state around the accessed address. +Internally, KASAN tracks memory state separately for each memory granule, which is either 8 or 16 aligned bytes depending on KASAN mode. Each number in the memory state section of the report shows the state of one of the memory granules that surround the accessed address. -For generic KASAN the size of each memory granule is 8. The state of each +For generic KASAN, the size of each memory granule is 8. The state of each granule is encoded in one shadow byte. Those 8 bytes can be accessible, -partially accessible, freed or be a part of a redzone. KASAN uses the following -encoding for each shadow byte: 0 means that all 8 bytes of the corresponding +partially accessible, freed, or be a part of a redzone. KASAN uses the following +encoding for each shadow byte: 00 means that all 8 bytes of the corresponding memory region are accessible; number N (1 <= N <= 7) means that the first N bytes are accessible, and other (8 - N) bytes are not; any negative value indicates that the entire 8-byte word is inaccessible. KASAN uses different negative values to distinguish between different kinds of inaccessible memory like redzones or freed memory (see mm/kasan/kasan.h). -In the report above the arrows point to the shadow byte 03, which means that -the accessed address is partially accessible. For tag-based KASAN modes this -last report section shows the memory tags around the accessed address -(see the `Implementation details`_ section). +In the report above, the arrow points to the shadow byte ``03``, which means +that the accessed address is partially accessible. + +For tag-based KASAN modes, this last report section shows the memory tags around +the accessed address (see the `Implementation details`_ section). + +Note that KASAN bug titles (like ``slab-out-of-bounds`` or ``use-after-free``) +are best-effort: KASAN prints the most probable bug type based on the limited +information it has. The actual type of the bug might be different. + +Generic KASAN also reports up to two auxiliary call stack traces. These stack +traces point to places in code that interacted with the object but that are not +directly present in the bad access stack trace. Currently, this includes +call_rcu() and workqueue queuing. Boot parameters ~~~~~~~~~~~~~~~ @@ -214,10 +224,6 @@ function calls GCC directly inserts the code to check the shadow memory. This option significantly enlarges kernel but it gives x1.1-x2 performance boost over outline instrumented kernel. -Generic KASAN also reports the last 2 call stacks to creation of work that -potentially has access to an object. Call stacks for the following are shown: -call_rcu() and workqueue queuing. - Generic KASAN is the only mode that delays the reuse of freed object via quarantine (see mm/kasan/quarantine.c for implementation). -- 2.31.0.rc2.261.g7f71774620-goog