kasan.rst - OpenGrok cross reference for /linux/Documentation/dev-tools/kasan.rst

Lines Matching +full:over +full:- +full:sampling
1 .. SPDX-License-Identifier: GPL-2.0
8 --------
11 designed to find out-of-bounds and use-after-free bugs.
16 2. Software Tag-Based KASAN
17 3. Hardware Tag-Based KASAN
23 Software Tag-Based KASAN or SW_TAGS KASAN, enabled with CONFIG_KASAN_SW_TAGS,
26 using it for testing on memory-restricted devices with real workloads.
28 Hardware Tag-Based KASAN or HW_TAGS KASAN, enabled with CONFIG_KASAN_HW_TAGS,
29 is the mode intended to be used as an in-field memory bug detector or as a
37 The Generic and the Software Tag-Based modes are commonly referred to as the
38 software modes. The Software Tag-Based and the Hardware Tag-Based modes are
39 referred to as the tag-based modes.
42 -------
48 and loongarch, and the tag-based KASAN modes are supported only on arm64.
53 Software KASAN modes use compile-time instrumentation to insert validity checks
55 support for that. The Hardware Tag-Based mode relies on hardware to perform
62 Software Tag-Based KASAN requires GCC 11+
65 Hardware Tag-Based KASAN requires GCC 10+ or Clang 12+.
73 Software Tag-Based KASAN supports slab, page_alloc, vmalloc, and stack memory.
75 Hardware Tag-Based KASAN supports slab, page_alloc, and non-executable vmalloc
79 Hardware Tag-Based KASAN only supports SLUB.
82 -----
89 ``CONFIG_KASAN_SW_TAGS`` (to enable Software Tag-Based KASAN), and
90 ``CONFIG_KASAN_HW_TAGS`` (to enable Hardware Tag-Based KASAN).
113 - ``kasan.fault=report``, ``=panic``, or ``=panic_on_write`` controls whether
117   Hardware Tag-Based KASAN, ``kasan.fault=panic_on_write`` always panics on
120 Software and Hardware Tag-Based KASAN modes (see the section about various
123 - ``kasan.stacktrace=off`` or ``=on`` disables or enables alloc and free stack
125 - ``kasan.stack_ring_size=<number of entries>`` specifies the number of entries
128 Hardware Tag-Based KASAN mode is intended for use in production as a security
132 - ``kasan=off`` or ``=on`` controls whether KASAN is enabled (default: ``on``).
134 - ``kasan.mode=sync``, ``=async`` or ``=asymm`` controls whether KASAN
146 - ``kasan.write_only=off`` or ``kasan.write_only=on`` controls whether KASAN
149 - ``kasan.vmalloc=off`` or ``=on`` disables or enables tagging of vmalloc
152 - ``kasan.page_alloc.sample=<sampling interval>`` makes KASAN tag only every
158   Note that enabling this parameter makes Hardware Tag-Based KASAN skip checks
159   of allocations chosen by sampling and thus miss bad accesses to these
162 - ``kasan.page_alloc.sample.order=<minimum page order>`` specifies the minimum
163   order of allocations that are affected by sampling (default: ``3``).
166   This parameter is intended to allow sampling only large page_alloc
175     BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xa8/0xbc [kasan_test]
178     CPU: 1 PID: 2760 Comm: insmod Not tainted 4.19.0-rc3+ #698
179     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
226      which belongs to the cache kmalloc-128 of size 128
228      128-byte region [ffff8801f44ec300, ffff8801f44ec380)
248 and a stack trace of where the object was freed (in case of a use-after-free
263 bytes are accessible, and other (8 - N) bytes are not; any negative value
264 indicates that the entire 8-byte word is inaccessible. KASAN uses different
271 For tag-based KASAN modes, this last report section shows the memory tags around
274 Note that KASAN bug titles (like ``slab-out-of-bounds`` or ``use-after-free``)
275 are best-effort: KASAN prints the most probable bug type based on the limited
305 ----------------------
311 safe to access and use compile-time instrumentation to insert shadow memory
329 Compile-time instrumentation is used to insert memory access checks. Compiler
336 enlarges the kernel, but it gives an x1.1-x2 performance boost over the
337 outline-instrumented kernel.
342 Software Tag-Based KASAN
345 Software Tag-Based KASAN uses a software memory tagging approach to checking
348 Software Tag-Based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
350 to store memory tags associated with each 16-byte memory cell (therefore, it
353 On each memory allocation, Software Tag-Based KASAN generates a random tag, tags
357 Software Tag-Based KASAN uses compile-time instrumentation to insert checks
360 this memory. In case of a tag mismatch, Software Tag-Based KASAN prints a bug
363 Software Tag-Based KASAN also has two instrumentation modes (outline, which
370 Software Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
374 Hardware Tag-Based KASAN
377 Hardware Tag-Based KASAN is similar to the software mode in concept but uses
381 Hardware Tag-Based KASAN is currently only implemented for arm64 architecture
391 Hardware Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through
395 If the hardware does not support MTE (pre ARMv8.5), Hardware Tag-Based KASAN
398 Note that enabling CONFIG_KASAN_HW_TAGS always results in in-kernel TBI being
402 Hardware Tag-Based KASAN only reports the first found bug. After that, MTE tag
406 -------------
419 By default, architectures only map real memory over the shadow region
421 other areas - such as vmalloc and vmemmap space - a single read-only
422 page is mapped over the shadow area. This read-only shadow page
431 lives in vmalloc space, it will be shadowed by the read-only page, and
462 This will require changes in arch-specific code.
468 --------------
485 - For a single file (e.g., main.o)::
489 - For all files in one directory::
493 For software KASAN modes, to disable instrumentation on a per-function basis,
494 use the KASAN-specific ``__no_sanitize_address`` function attribute or the
497 Note that disabling compiler instrumentation (either on a per-file or a
498 per-function basis) makes KASAN ignore the accesses that happen directly in
501 Tag-Based KASAN, which does not use compiler instrumentation.
508 For tag-based KASAN modes, to disable access checking, use
511 restoring the per-page KASAN tag via ``page_kasan_tag``/``page_kasan_tag_set``.
528         ok 28 - kmalloc_double_kzfree
534         not ok 5 - kmalloc_large_oob_right
540         not ok 28 - kmalloc_double_kzfree
545         ok 1 - kasan
549         not ok 1 - kasan
558 2. Built-In
560    With ``CONFIG_KUNIT`` built-in, the tests can be built-in as well.
561    In this case, the tests will run at boot as a late-init call.
565    With ``CONFIG_KUNIT`` and ``CONFIG_KASAN_KUNIT_TEST`` built-in, it is also
568    See `KUnit documentation <https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html>`_
569    for more up-to-date information on ``kunit_tool``.
571 .. _KUnit: https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html