Hi!
I am working on AddressSanitizer -- a tool that detects use-after-free
and out-of-bounds bugs
(https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel).
Below is one of the bug reports that I got while running trinity syscall fuzzer.
Kernel is built on revision d8efd82eece89
On Wed, Oct 2, 2013 at 10:57 PM, Dave Jones wrote:
> And that's the cause. I wonder what was being opened.
> Do you happen to have a trinity-child log for that thread ?
Unfortunately not.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord
I got one more report of a similar bug:
AddressSanitizer: heap-buffer-overflow on address 8800205f0e40
Write of size 1 by thread T14005:
[] ftrace_event_write+0xe2/0x130
./kernel/trace/trace_events.c:583
[] vfs_write+0x127/0x2f0 ??:0
[] SyS_write+0x72/0xd0 ??:0
[] system_call_fastpath+0x16
in_interrupt() returns a nonzero value when we are either in an
interrupt or have bh disabled via local_bh_disable(). Since we are
interested in only ignoring coverage from actual interrupts, do a
proper check of whether we are really in an interrupt.
Signed-off-by: Andrey Konovalov
---
It would
On Wed, Jun 21, 2017 at 2:08 PM, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit 9705596d08ac87c18aee32cc97f2783b7d14624e (4.12-rc6+).
>
> It might be related to:
> https://groups.googl
On Wed, Jun 21, 2017 at 3:09 PM, Andrey Konovalov wrote:
> On Wed, Jun 21, 2017 at 2:08 PM, Andrey Konovalov
> wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit 9705596d08ac87c18aee32cc97f278
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit 5ed02dbb497422bf225783f46e6eadd237d23d6b (4.12-rc3).
==
WARNING: possible circular locking dependency detected
4.12.0-rc3+ #369 Not tainted
-
---[ end trace 6919030503719da6 ]---
Signed-off-by: Andrey Konovalov
---
drivers/media/usb/pvrusb2/pvrusb2-hdw.
On Thu, Nov 2, 2017 at 2:52 PM, Andrey Konovalov wrote:
> As syzkaller detected, pvrusb2 driver submits bulk urb without checking
> that the endpoint type is actually bulk. Add a check.
>
> usb 1-1: BOGUS urb xfer, pipe 3 != type 1
> [ cut here ]
> W
RIP: symbol_put_addr+0x54/0x60 RSP: 88006a7ce210
---[ end trace b75b357739e7e116 ]---
Signed-off-by: Andr
On Sat, Oct 7, 2017 at 8:14 PM, Dmitry Torokhov
wrote:
> On Thu, Sep 28, 2017 at 01:35:51PM +0200, Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit dc972a67cc54585bd83ad811c4e9b6ab
On Thu, Nov 2, 2017 at 5:25 PM, Dmitry Torokhov
wrote:
> Hi Andrey,
>
> On Thu, Nov 2, 2017 at 9:13 AM, Andrey Konovalov
> wrote:
>> On Sat, Oct 7, 2017 at 8:14 PM, Dmitry Torokhov
>> wrote:
>>> On Thu, Sep 28, 2017 at 01:35:51PM +0200, Andrey Konovalov wrote
+0x76/0xc0 RSP: 88006bbae718
---[ end trace dfc4f5649284342c ]---
Signed-off-by: Andrey Konovalov
---
drivers/net/usb/asix_devices.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
index b2ff88e69a81..743416be84f3 100644
On Tue, Oct 24, 2017 at 7:28 AM, Dmitry Torokhov
wrote:
> parse_hid_report_descriptor() has a while (i < length) loop, which
> only guarantees that there's at least 1 byte in the buffer, but the
> loop body can read multiple bytes which causes out-of-bounds access.
>
On Mon, Oct 23, 2017 at 8:58 PM, Matthias Schwarzott wrote:
> On 23.10.2017 at 16:41, Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-r
contain the commit that seems
to have caused the bug (ead666000a5fe34bdc82d61838e4df2d416ea15e).
Thanks!
>
> Signed-off-by: Arvind Yadav
> ---
> This bug report by Andrey Konovalov (usb/media/dtt200u: use-after-free
> in __dvb_frontend_free).
>
> drivers/media/dvb-core/d
Hi!
While fuzzing the kernel with syzkaller I've been getting kernel hangs
within the asix driver.
On commit 6cff0a118f23b98c604a3604ea9de11338e24fbe (4.14-rc6+).
As far as I can tell the issue is that asix_phy_reset() doesn't
enforce proper timeout.
asix_phy_reset() calls asix_mdio_read() in a
On Tue, Oct 24, 2017 at 4:59 PM, Andrey Konovalov wrote:
> Hi!
>
> While fuzzing the kernel with syzkaller I've been getting kernel hangs
> within the asix driver.
>
> On commit 6cff0a118f23b98c604a3604ea9de11338e24fbe (4.14-rc6+).
>
> As far as I can tell the
On Tue, Oct 24, 2017 at 6:39 PM, Dmitry Torokhov
wrote:
> On Tue, Oct 24, 2017 at 01:04:03PM +0200, Andrey Konovalov wrote:
>> On Tue, Oct 24, 2017 at 7:28 AM, Dmitry Torokhov
>> wrote:
>> > parse_hid_report_descriptor() has a while (i < length) loop, which
>>
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
Looks like there's no check for the actual endpoint types.
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
[ cut here ]
WARNING: CPU: 1 PI
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
pvrusb2: Hardware description: OnAir Creator Hybrid USB tuner
pvrusb2: Invalid write control endpoint
...
pvrusb2: Invalid write control endpoint
pvrusb2: Mo
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
Looks like there's no check for the actual endpoint types.
usb 1-1: BOGUS urb xfer, pipe 0 != type 3
[ cut here ]
WARNING: CPU: 0 PI
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
em28xx 1-1:0.0: analog set to bulk mode.
em28xx 1-1:0.0: Registering V4L2 extension
usb 1-1: USB disconnect, device number 39
em28xx 1-1:0.0: Disconnecting
e
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
The report is a little confusing, as the top stack frame is not
actually present. As far as my debugging showed, the NULL pointer
that's being executed actua
On Mon, Nov 6, 2017 at 10:56 AM, Takashi Iwai wrote:
> On Fri, 03 Nov 2017 20:52:49 +0100,
> Takashi Iwai wrote:
>>
>> On Fri, 03 Nov 2017 15:44:59 +0100,
>> Andrey Konovalov wrote:
>> >
>> > Hi!
>> >
>> > I've got the following re
RIP: asix_suspend+0x76/0xc0 RSP: 88006bbae718
---[ end trace dfc4f5649284342c ]---
Signed-off-by: Andrey Konovalov
---
Changes in v2:
- added asix_resume() fix
---
drivers/net/usb/asix_devices.c | 4 ++--
1 file changed, 2 insertions(+), 2 dele
On Mon, Nov 6, 2017 at 10:49 AM, Oliver Neukum wrote:
> On Thursday, 02.11.2017, 21:26 +0100, Andrey Konovalov wrote:
>> When asix_suspend() is called dev->driver_priv might not have been
>> assigned a value, so we need to check that it's not NULL.
>>
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
It seems that type == UVC_ITT_CAMERA | 0x8000, that's why the (type ==
UVC_ITT_CAMERA) check fails and (UVC_ENTITY_TYPE(term) ==
UVC_ITT_CAMERA) passes, so le
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
usb 1-1: USB disconnect, device number 11
tm6000: disconnecting tm6000 #0
xc2028 0-0061: destroying instance
=
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
qmi_wwan 1-1:0.4: cdc-wdm0: USB WDM device
divide error: [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
It seems that there's no check of the received buffer length in
technisat_usb2_get_ir().
==
B
On Mon, Nov 6, 2017 at 3:06 PM, Bjørn Mork wrote:
> Andrey Konovalov writes:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>
> Thanks. It would have helped a lot if you said *what* you were fuzzing,
> though But
On Mon, Nov 6, 2017 at 4:20 PM, Oliver Neukum wrote:
> On Monday, 06.11.2017, 13:30 +0100, Andrey Konovalov wrote:
>> On Mon, Nov 6, 2017 at 10:49 AM, Oliver Neukum wrote:
>> >
>> >
>> > 2. Will a device work after that? The appropriate fix may be to wa
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
Looks like usb_get_bos_descriptor() doesn't check that buffer has
enough space for usb_dev_cap_header, which causes out-of-bounds
accesses.
On Wed, Oct 18, 2017 at 5:25 PM, Alan Stern wrote:
> On Wed, 18 Oct 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+)
On Wed, Oct 4, 2017 at 4:40 PM, Greg Kroah-Hartman
wrote:
> On Tue, Oct 03, 2017 at 11:29:40AM +0200, Johan Hovold wrote:
>> On Fri, Sep 29, 2017 at 10:37:55AM +0200, Greg Kroah-Hartman wrote:
>> > On Thu, Sep 28, 2017 at 07:57:46PM +0200, Andrey Konovalov wrote:
Hi Yury,
With this patch set 4.3 kernel fails to build with both
arch/arm64/configs/defconfig,
and with arch/arm64/configs/defconfig plus CONFIG_AARCH32_EL0=y and
CONFIG_ARM64_ILP32=y.
See the details below.
Thanks,
Andrey
On 09/30/2015 01:14 AM, Yury Norov wrote:
From: Andrew Pinski
Signe
Hi Yury,
With this patch set 4.3 kernel fails to build with arch/arm64/configs/defconfig
plus CONFIG_AARCH32_EL0=y
and CONFIG_ARM64_ILP32=y, giving the following three errors (the third one is
actually a warning):
-8<-
13:21:16 In file included from ../arch/arm64/kernel/process.c:48:0:
13:21
On 09/30/2015 01:14 AM, Yury Norov wrote:
From: Andrew Pinski
Signed-off-by: Philipp Tomsich
Signed-off-by: Christoph Muellner
Signed-off-by: Yury Norov
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 07d1811..d1dc605 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -6
Hi!
While fuzzing the kernel (4.3-rc4) with KASAN and Trinity I got the
following report:
==
BUG: KASan: use after free in shrink_page_list+0x93a/0xf10 at addr
88003487da80
Read of size 8 by task kswapd0/622
=
Hi!
We are working on a dynamic data race detector for the Linux kernel,
KernelThreadSanitizer (ktsan):
https://github.com/google/ktsan/wiki
We got a report while running ktsan on 4.2:
==
ThreadSanitizer: data-race in __inode_add_by
On Thu, Sep 3, 2015 at 1:49 PM, Andrey Konovalov wrote:
> On Wed, Sep 2, 2015 at 9:40 PM, Tejun Heo wrote:
>> Hello, Andrey.
>
> Hello Tejun,
>
>> On Wed, Sep 02, 2015 at 01:08:52PM +0200, Andrey Konovalov wrote:
>>> While running KASAN on 4.2 with T
On Wed, Oct 14, 2015 at 12:33 AM, Hugh Dickins wrote:
> I think I've found the answer to that at last: we were indeed
> all looking in the wrong direction. Your ktsan tree shows
>
> static __always_inline int atomic_add_negative(int i, atomic_t *v)
> {
> #ifndef CONFIG_KTSAN
> GEN_BINARY_
Hi!
While running KASAN on 4.2 with Trinity I got the following report:
==
BUG: KASan: use after free in page_cache_async_readahead+0x2cb/0x3f0
at addr 880034bf6690
Read of size 8 by task sshd/2571
===
On Wed, Sep 2, 2015 at 9:40 PM, Tejun Heo wrote:
> Hello, Andrey.
Hello Tejun,
> On Wed, Sep 02, 2015 at 01:08:52PM +0200, Andrey Konovalov wrote:
>> While running KASAN on 4.2 with Trinity I got the foll
Signed-off-by: Andrey Konovalov
---
Documentation/kasan.txt | 43 ++-
1 file changed, 22 insertions(+), 21 deletions(-)
diff --git a/Documentation/kasan.txt b/Documentation/kasan.txt
index 0d32355..d2f4c8f 100644
--- a/Documentation/kasan.txt
+++ b
Update the reference to the kasan prototype repository on github,
since it was renamed.
Signed-off-by: Andrey Konovalov
---
mm/kasan/kasan.c | 2 +-
mm/kasan/report.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 61c9620
We decided to use KASAN as the short name of the tool and
KernelAddressSanitizer as the full one.
Update log messages according to that.
Signed-off-by: Andrey Konovalov
---
arch/x86/mm/kasan_init_64.c | 2 +-
mm/kasan/kasan.c | 2 +-
mm/kasan/report.c | 4 ++--
3 files
Update the names of the bad access types to better reflect the type of
the access that happened and make these error types "literals" that can
be used for classification and deduplication in scripts.
Signed-off-by: Andrey Konovalov
---
mm/kasan/report.c | 18 +++---
1 fi
this change. For userspace ASan we have a bunch
of systems that analyze error types for the purpose of classification
and deduplication. Sooner or later we will write them for KASAN as well.
Then clearly and explicitly stated error types will bring value.
Signed-off-by: Andrey Konovalov
---
mm/
Move KASAN_SANITIZE in arch/x86/boot/Makefile above the comment
related to SVGA_MODE, since the comment refers to 'the next line'.
Signed-off-by: Andrey Konovalov
---
arch/x86/boot/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/boot/Makefile
.
2. Making references to the tool name consistent.
We decided to use KASAN as the short name of the tool since a lot of
people already use it, and KernelAddressSanitizer as the full name
to be consistent with the userspace AddressSanitizer.
Andrey Konovalov (7):
kasan: update reported bug types
Makes KASAN accurately determine the type of the bad access. If the shadow
byte value is in the [0, KASAN_SHADOW_SCALE_SIZE) range we can look at
the next shadow byte to determine the type of the access.
Signed-off-by: Andrey Konovalov
---
mm/kasan/report.c | 17 ++---
1 file
Hi!
We are working on a dynamic data race detector for the Linux kernel,
KernelThreadSanitizer (ktsan):
https://github.com/google/ktsan/wiki
We got a report while running ktsan on 4.2:
==
ThreadSanitizer: data-race in ext4_writepage
On 10/01/2015 02:36 PM, Mark Brown wrote:
On Thu, Oct 01, 2015 at 12:19:31PM +0100, Catalin Marinas wrote:
On Wed, Sep 30, 2015 at 05:41:03PM +0100, Mark Brown wrote:
Indeed. On that subject there was some discussion at Linaro Connect
last week about work (being done outside Linaro, not sure
This patch adds a simple test, that calls the uname syscall with a
tagged user pointer as an argument. Without the kernel accepting tagged
user pointers the test fails with EFAULT.
Signed-off-by: Andrey Konovalov
---
tools/testing/selftests/arm64/.gitignore | 1 +
tools/testing/selftests
arm64.
Signed-off-by: Andrey Konovalov
---
include/linux/uaccess.h | 4
1 file changed, 4 insertions(+)
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index efe79c1cdd47..c045b4eff95e 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -13,6 +13,10
tagged, we might compare tagged and untagged addresses during the
search.
Untag the provided addresses before searching.
Signed-off-by: Andrey Konovalov
---
drivers/usb/core/devio.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/core/devio.c b/drivers/usb
strncpy_from_user and strnlen_user accept user addresses as arguments, and
do not go through the same path as copy_from_user and others, so here we
need to handle the case of tagged user addresses separately.
Untag user pointers passed to these functions.
Signed-off-by: Andrey Konovalov
Add a note that work on passing tagged user pointers to the kernel via
syscalls has started, but might not be complete yet.
Signed-off-by: Andrey Konovalov
---
Documentation/arm64/tagged-pointers.txt | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Documentation/arm64
for vma lookup.
Signed-off-by: Andrey Konovalov
---
mm/gup.c | 4
1 file changed, 4 insertions(+)
diff --git a/mm/gup.c b/mm/gup.c
index fc5f98069f4e..ebb87fb56709 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -666,6 +666,8 @@ static long __get_user_pages(struct task_struct *tsk,
struct mm_struct
On Tue, Jan 23, 2018 at 11:44 AM, Andrey Ryabinin
wrote:
> On 01/19/2018 08:44 PM, Andrey Konovalov wrote:
>> Instead of __asan_report_load_n_noabort and __asan_report_store_n_noabort
>> callbacks Clang emits differently named __asan_report_loadN_noabort and
>> __asan_
On Tue, Jan 23, 2018 at 3:20 AM, Andrew Morton
wrote:
> On Fri, 19 Jan 2018 18:58:12 +0100 Andrey Konovalov
> wrote:
>
>> With KASAN enabled the kernel has two different memset() functions, one
>> with KASAN checks (memset) and one without (__memset). KASAN uses some
>&
On Tue, Jan 23, 2018 at 10:24 AM, Andrey Ryabinin
wrote:
>
>
> On 01/19/2018 08:58 PM, Andrey Konovalov wrote:
>> With KASAN enabled the kernel has two different memset() functions, one
>> with KASAN checks (memset) and one without (__memset). KASAN uses some
>> mac
Clean up usage of KASAN_SHADOW_SCALE_SHIFT and fix prototype author email
address.
Andrey Konovalov (2):
kasan: fix prototype author email address
kasan: clean up KASAN_SHADOW_SCALE_SHIFT usage
arch/arm64/include/asm/kasan.h | 3 ++-
arch/arm64/include/asm/memory.h | 3 ++-
arch/arm64/mm
Right now the fact that KASAN uses a single shadow byte for 8 bytes of
memory is scattered all over the code.
This change defines KASAN_SHADOW_SCALE_SHIFT early in asm include files
and makes use of this constant where necessary.
Signed-off-by: Andrey Konovalov
---
arch/arm64/include/asm
Use the new one.
Signed-off-by: Andrey Konovalov
---
mm/kasan/kasan.c | 2 +-
mm/kasan/report.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 405bba487df5..cb4065f31f7f 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
Clean up usage of KASAN_SHADOW_SCALE_SHIFT and fix prototype author email
address.
Changes in v2:
- fix comments as well.
Andrey Konovalov (2):
kasan: fix prototype author email address
kasan: clean up KASAN_SHADOW_SCALE_SHIFT usage
arch/arm64/include/asm/kasan.h | 17
On Thu, Jan 11, 2018 at 10:59 PM, Andrey Ryabinin
wrote:
>
>
> On 01/11/2018 06:29 PM, Andrey Konovalov wrote:
>
>> diff --git a/arch/arm64/include/asm/kasan.h b/arch/arm64/include/asm/kasan.h
>> index e266f80e45b7..811643fe7640 100644
>> --- a/arch/arm64/include/a
Right now the fact that KASAN uses a single shadow byte for 8 bytes of
memory is scattered all over the code.
This change defines KASAN_SHADOW_SCALE_SHIFT early in asm include files
and makes use of this constant where necessary.
Signed-off-by: Andrey Konovalov
---
arch/arm64/include/asm
Use the new one.
Signed-off-by: Andrey Konovalov
---
mm/kasan/kasan.c | 2 +-
mm/kasan/report.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 405bba487df5..cb4065f31f7f 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
On Wed, Jan 31, 2018 at 8:27 AM, Eric Biggers wrote:
>
> Also Dmitry, syzbot seems to be grouping together unrelated bugs under the
> refcount_t WARNINGs; maybe those should be on a blacklist?
Not a blacklist, we need a proper way of extracting the offending
caller like it's done for reports from
flag for files with KASAN_SANITIZE := n
marker.
Signed-off-by: Andrey Konovalov
---
This patch should be applied on top of the v4 "kasan: support alloca, LLVM"
patchset from Paul Lawrence.
Makefile | 3 ++-
scripts/Makefile.kasan | 3 +++
scripts/Makefile.lib | 2 +
__asan_report_loadN/storeN_noabort.
Signed-off-by: Andrey Konovalov
---
mm/kasan/report.c | 12
1 file changed, 12 insertions(+)
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index eff12e040498..caf4c9e948c6 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -450,3 +450,15
flag for files with KASAN_SANITIZE := n
marker.
Signed-off-by: Andrey Konovalov
---
Changed in v2:
- dropped cc-option for -fno-builtin
Makefile | 3 ++-
scripts/Makefile.kasan | 3 +++
scripts/Makefile.lib | 2 +-
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a
On Fri, Jan 19, 2018 at 4:57 PM, Andrey Ryabinin
wrote:
>
>
> On 01/19/2018 05:54 PM, Andrey Konovalov wrote:
>
>> diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
>> index dbbd4382f15a..db473309f136 100644
>> --- a/scripts/Makefile.kasan
>> +++
On Fri, Jan 19, 2018 at 8:06 PM, Nick Desaulniers
wrote:
> Hmm... I had mentioned this patch to some coworkers who have much more
> knowledge about LLVM than me. They had concern that LLVM needs memset
> to be defined, and that there were discussions on the llvm mailing
> list about this.
>
> I'm
On Fri, Mar 2, 2018 at 1:10 PM, Andrey Ryabinin wrote:
> On 02/23/2018 06:53 PM, Andrey Konovalov wrote:
>> The kasan_slab_free hook's return value denotes whether the reuse of a
>> slab object must be delayed (e.g. when the object is put into memory
>> quarantine).
On Tue, Mar 6, 2018 at 6:42 PM, Andrey Konovalov wrote:
> On Fri, Mar 2, 2018 at 1:10 PM, Andrey Ryabinin
> wrote:
>> On 02/23/2018 06:53 PM, Andrey Konovalov wrote:
>>> The kasan_slab_free hook's return value denotes whether the reuse of a
>>> slab object mu
es this by:
1. taking into account the return value of kasan_slab_free for each of
the objects, that are being freed;
2. reconstructing the freelist of objects to exclude the ones, whose
reuse must be delayed.
Signed-off-by: Andrey Konovalov
---
Changes in v2:
- Made slab_free_freelist_hook r
ff-by: Andrey Konovalov
---
net/nfc/netlink.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index f018eafc2a0d..58adfb0c90f6 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -936,7 +936,8 @@ static int nfc_genl_deactivate_t
Signed-off-by: Andrey Konovalov
---
include/linux/compiler-clang.h | 5 +
1 file changed, 5 insertions(+)
diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index ceb96ecab96e..5a1d8580febe 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compil
On Fri, Mar 16, 2018 at 3:31 PM, Mark Rutland wrote:
> On Fri, Mar 16, 2018 at 02:13:14PM +, Mark Rutland wrote:
>> On Fri, Mar 16, 2018 at 02:49:00PM +0100, Andrey Konovalov wrote:
>> > Hi!
>>
>> Hi,
>>
>> > I've recently tried to boot c
On Fri, Mar 9, 2018 at 4:53 PM, Catalin Marinas wrote:
> On Fri, Mar 09, 2018 at 03:02:01PM +0100, Andrey Konovalov wrote:
>> Memory subsystem syscalls accept user addresses as arguments, but don't use
>> copy_from_user and other similar functions, so we need to handle thi
On Fri, Mar 9, 2018 at 4:58 PM, Catalin Marinas wrote:
> On Fri, Mar 09, 2018 at 03:03:09PM +, Mark Rutland wrote:
>> On Fri, Mar 09, 2018 at 03:02:00PM +0100, Andrey Konovalov wrote:
>> > copy_from_user (and a few other similar functions) are used to copy data
>> >
On Fri, Mar 9, 2018 at 3:55 PM, Mark Rutland wrote:
> Hi,
>
> [trimming Ccs]
>
> On Fri, Mar 09, 2018 at 03:01:58PM +0100, Andrey Konovalov wrote:
>> arm64 has a feature called Top Byte Ignore, which allows to embed pointer
>> tags into the top byte of each pointer.
On Fri, Mar 9, 2018 at 6:42 PM, Evgenii Stepanov wrote:
> On Fri, Mar 9, 2018 at 9:31 AM, Andrey Konovalov
> wrote:
>> On Fri, Mar 9, 2018 at 4:53 PM, Catalin Marinas
>> wrote:
>>> I'm not yet convinced these functions need to allow tagged pointers.
to the brk instructions (to extract information
about the memory access that triggered the mismatch), reads the register
values (x0 contains the guilty address) and reports the bug.
Reviewed-by: Andrey Ryabinin
Reviewed-by: Dmitry Vyukov
Signed-off-by: Andrey Konovalov
---
arch/arm64/include
tag.
2. Tag-based KASAN reports all bugs with the "KASAN: invalid-access"
header.
Also simplify generic KASAN find_first_bad_addr.
Reviewed-by: Andrey Ryabinin
Reviewed-by: Dmitry Vyukov
Signed-off-by: Andrey Konovalov
---
mm/kasan/generic_report.c | 16 ---
mm/kas
This patch moves generic KASAN specific error reporting routines to
generic_report.c without any functional changes, leaving common error
reporting code in report.c to be later reused by tag-based KASAN.
Reviewed-by: Andrey Ryabinin
Reviewed-by: Dmitry Vyukov
Signed-off-by: Andrey Konovalov
Tag-based KASAN reuses a significant part of the generic KASAN code, so
move the common parts to common.c without any functional changes.
Reviewed-by: Andrey Ryabinin
Reviewed-by: Dmitry Vyukov
Signed-off-by: Andrey Konovalov
---
mm/kasan/Makefile | 5 +-
mm/kasan/common.c | 603
is assigned by kasan_kmalloc.
Signed-off-by: Andrey Konovalov
---
mm/slub.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/mm/slub.c b/mm/slub.c
index fdd4a86aa882..8561a32910dd 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -3364,16 +3364,16 @@ static void
virt_addr_is_linear (which is used by virt_addr_valid) assumes that the
top byte of the address is 0xff, which isn't always the case with
tag-based KASAN.
This patch resets the tag in this macro.
Reviewed-by: Andrey Ryabinin
Reviewed-by: Dmitry Vyukov
Signed-off-by: Andrey Konovalov
---
With tag based KASAN mode the early shadow value is 0xff and not 0x00,
so this patch renames kasan_zero_(page|pte|pmd|pud|p4d) to
kasan_early_shadow_(page|pte|pmd|pud|p4d) to avoid confusion.
Suggested-by: Mark Rutland
Signed-off-by: Andrey Konovalov
---
arch/arm64/mm/kasan_init.c | 43
We now have two KASAN modes: generic KASAN and tag-based KASAN. Rename
kasan.c to generic.c to reflect that. Also rename kasan_init.c to init.c
as it contains initialization code for both KASAN modes.
Reviewed-by: Andrey Ryabinin
Reviewed-by: Dmitry Vyukov
Signed-off-by: Andrey Konovalov
commit adds the CONFIG_KASAN_SW_TAGS config option, this option
is not selectable, as it depends on HAVE_ARCH_KASAN_SW_TAGS, which we will
enable once all the infrastructure code has been added.
Reviewed-by: Andrey Ryabinin
Reviewed-by: Dmitry Vyukov
Signed-off-by: Andrey Konovalov
---
include/linux
on in KHWASAN brk handler.
- Added a comment about the -recover flag.
- Some minor cleanups and fixes.
- Rebased onto 3215b9d5 (4.16-rc6+).
- Tested on real hardware (Odroid C2 board).
- Added better benchmarks.
[1] https://lkml.org/lkml/2018/7/18/765
[2] https://lkml.org/lkml/2018/4/19/775
This patch adds __must_check annotations to kasan hooks that return a
pointer to make sure that a tagged pointer always gets propagated.
Suggested-by: Andrey Ryabinin
Signed-off-by: Andrey Konovalov
---
include/linux/kasan.h | 16 ++--
mm/kasan/common.c | 14 --
2
tag.
2. Tag-based KASAN reports all bugs with the "KASAN: invalid-access"
header.
Also simplify generic KASAN find_first_bad_addr.
Reviewed-by: Andrey Ryabinin
Reviewed-by: Dmitry Vyukov
Signed-off-by: Andrey Konovalov
---
mm/kasan/generic_report.c | 16 ---
mm/kas
to the brk instructions (to extract information
about the memory access that triggered the mismatch), reads the register
values (x0 contains the guilty address) and reports the bug.
Reviewed-by: Andrey Ryabinin
Reviewed-by: Dmitry Vyukov
Signed-off-by: Andrey Konovalov
---
arch/arm64/include