xref: /linux/include/linux/poison.h (revision a1ff5a7d78a036d6c2178ee5acd6ba4946243800)
1b2441318SGreg Kroah-Hartman /* SPDX-License-Identifier: GPL-2.0 */
2c9cf5528SRandy Dunlap #ifndef _LINUX_POISON_H
3c9cf5528SRandy Dunlap #define _LINUX_POISON_H
4c9cf5528SRandy Dunlap 
5c9cf5528SRandy Dunlap /********** include/linux/list.h **********/
6a29815a3SAvi Kivity 
7a29815a3SAvi Kivity /*
8a29815a3SAvi Kivity  * Architectures might want to move the poison pointer offset
9a29815a3SAvi Kivity  * into some well-recognized area such as 0xdead000000000000,
10a29815a3SAvi Kivity  * that is also not mappable by user-space exploits:
11a29815a3SAvi Kivity  */
/*
 * POISON_POINTER_DELTA is the base that every pointer-type poison value
 * in this header is offset from. When CONFIG_ILLEGAL_POINTER_VALUE is not
 * defined the base is 0, so those values become small addresses (0x100,
 * 0x122, 0x300, ...) instead of landing in a dedicated unmappable range.
 * NOTE(review): with a zero base, faulting on a poisoned pointer
 * presumably depends on the lowest pages being unmappable from user
 * space (e.g. a non-zero vm.mmap_min_addr) - confirm per architecture.
 */
12a29815a3SAvi Kivity #ifdef CONFIG_ILLEGAL_POINTER_VALUE
13a29815a3SAvi Kivity # define POISON_POINTER_DELTA _AC(CONFIG_ILLEGAL_POINTER_VALUE, UL)
14a29815a3SAvi Kivity #else
15a29815a3SAvi Kivity # define POISON_POINTER_DELTA 0
16a29815a3SAvi Kivity #endif
17a29815a3SAvi Kivity 
18c9cf5528SRandy Dunlap /*
19c9cf5528SRandy Dunlap  * These are non-NULL pointers that will result in page faults
20c9cf5528SRandy Dunlap  * under normal circumstances, used to verify that nobody uses
21c9cf5528SRandy Dunlap  * non-initialized list entries.
22c9cf5528SRandy Dunlap  */
/*
 * The cast binds tighter than '+', so both macros add
 * POISON_POINTER_DELTA to a void pointer (void-pointer arithmetic is a
 * GNU C extension). SKB_LIST_POISON_NEXT and the entries after it in
 * this file add first and cast the sum instead.
 * Triage hint: a fault address of POISON_POINTER_DELTA + 0x100 or
 * + 0x122, possibly plus a small member offset, suggests a poisoned
 * list pointer was followed.
 * NOTE(review): presumably the list deletion helpers in list.h are what
 * store these values - confirm there.
 */
238a5e5e02SVasily Kulikov #define LIST_POISON1  ((void *) 0x100 + POISON_POINTER_DELTA)
244c6080cdSAlexey Dobriyan #define LIST_POISON2  ((void *) 0x122 + POISON_POINTER_DELTA)
25c9cf5528SRandy Dunlap 
26c6f3a97fSThomas Gleixner /********** include/linux/timer.h **********/
/*
 * Pointer-type marker at 0x300 above POISON_POINTER_DELTA.
 * NOTE(review): the name suggests it tags a statically initialised timer
 * entry rather than freed memory - confirm in timer.h.
 */
27b8a0255dSVasily Kulikov #define TIMER_ENTRY_STATIC	((void *) 0x300 + POISON_POINTER_DELTA)
28c6f3a97fSThomas Gleixner 
296d2bef9dSMichael S. Tsirkin /********** mm/page_poison.c **********/
/*
 * Single-byte fill pattern; unlike the pointer-type values in this file
 * it is not offset by POISON_POINTER_DELTA.
 * NOTE(review): presumably written over freed pages and checked when they
 * are reused - confirm in mm/page_poison.c.
 */
306a11f75bSAkinobu Mita #define PAGE_POISON 0xaa
316a11f75bSAkinobu Mita 
321c290f64SKirill A. Shutemov /********** mm/page_alloc.c ************/
331c290f64SKirill A. Shutemov 
/*
 * Pointer-type marker at 0x400 above POISON_POINTER_DELTA.
 * NOTE(review): presumably stored where a real mapping pointer would
 * otherwise sit on tail pages - confirm in mm/page_alloc.c.
 */
34b8a0255dSVasily Kulikov #define TAIL_MAPPING	((void *) 0x400 + POISON_POINTER_DELTA)
351c290f64SKirill A. Shutemov 
36c9cf5528SRandy Dunlap /********** mm/slab.c **********/
37c9cf5528SRandy Dunlap /*
38c9cf5528SRandy Dunlap  * Magic nums for obj red zoning.
39c9cf5528SRandy Dunlap  * Placed in the first word before and the first word after an obj.
40c9cf5528SRandy Dunlap  */
/*
 * Both are single-byte patterns. SLUB_RED_ACTIVE has the same value
 * (0xcc) as POISON_FREE_INITMEM further down in this header, so a 0xcc
 * run in a memory dump cannot be attributed to a red zone from the byte
 * value alone; the surrounding object layout has to be checked as well.
 */
41*4a24bbabSChengming Zhou #define SLUB_RED_INACTIVE	0xbb	/* when obj is inactive */
42*4a24bbabSChengming Zhou #define SLUB_RED_ACTIVE		0xcc	/* when obj is active */
4381819f0fSChristoph Lameter 
44c9cf5528SRandy Dunlap /* ...and for poisoning */
/*
 * Triage hint: a value made of repeated 0x6b bytes (for example
 * 0x6b6b6b6b6b6b6b6b loaded as a pointer) indicates data read from a
 * freed object, and repeated 0x5a bytes indicate data read before it was
 * initialised, following the inline notes on each constant.
 * NOTE(review): presumably these bytes are only written when slab
 * poisoning/debugging is enabled - confirm in the slab allocator.
 */
45c9cf5528SRandy Dunlap #define	POISON_INUSE	0x5a	/* for use-uninitialised poisoning */
46c9cf5528SRandy Dunlap #define POISON_FREE	0x6b	/* for use-after-free poisoning */
47c9cf5528SRandy Dunlap #define	POISON_END	0xa5	/* end-byte of poisoning */
48c9cf5528SRandy Dunlap 
49c9cf5528SRandy Dunlap /********** arch/$ARCH/mm/init.c **********/
/*
 * Single-byte pattern with the same value (0xcc) as SLUB_RED_ACTIVE
 * above, so the two cannot be told apart by byte value alone.
 * NOTE(review): presumably used to fill init memory once it is freed -
 * confirm in the architecture's mm/init.c.
 */
50c9cf5528SRandy Dunlap #define POISON_FREE_INITMEM	0xcc
51c9cf5528SRandy Dunlap 
52c9cf5528SRandy Dunlap /********** fs/jbd/journal.c **********/
/*
 * Single-byte patterns, one per journalling layer. Both differ from
 * POISON_FREE (0x6b), so a dump shows which pattern was written.
 * NOTE(review): presumably written over journal memory when it is
 * freed - confirm in the jbd/jbd2 sources.
 */
53c9cf5528SRandy Dunlap #define JBD_POISON_FREE		0x5b
54cd02ff0bSMingming Cao #define JBD2_POISON_FREE	0x5c
55c9cf5528SRandy Dunlap 
56c9cf5528SRandy Dunlap /********** drivers/base/dmapool.c **********/
/*
 * Single-byte patterns for DMA pool blocks. Per the inline notes, 0xa7
 * marks a block that is not in use and 0xa9 a block that has not been
 * initialised, so the two states are distinguishable in a dump.
 */
57c9cf5528SRandy Dunlap #define	POOL_POISON_FREED	0xa7	/* !inuse */
58c9cf5528SRandy Dunlap #define	POOL_POISON_ALLOCATED	0xa9	/* !initted */
59c9cf5528SRandy Dunlap 
60b3c681e0SRandy Dunlap /********** drivers/atm/ **********/
/*
 * ATM_POISON_FREE is a single byte; ATM_POISON is a 32-bit constant.
 * Neither is offset by POISON_POINTER_DELTA, so ATM_POISON is a plain
 * integer pattern rather than a guaranteed-unmappable address.
 */
61b3c681e0SRandy Dunlap #define ATM_POISON_FREE		0x12
623c6b3773SRandy Dunlap #define ATM_POISON		0xdeadbeef
63b3c681e0SRandy Dunlap 
64a7807a32SRandy Dunlap /********** kernel/mutexes **********/
/*
 * MUTEX_DEBUG_INIT and MUTEX_DEBUG_FREE are single-byte patterns;
 * MUTEX_POISON_WW_CTX is a pointer-type value at 0x500 above
 * POISON_POINTER_DELTA.
 * NOTE(review): presumably only used by the mutex debugging code -
 * confirm in the kernel locking sources.
 */
65a7807a32SRandy Dunlap #define MUTEX_DEBUG_INIT	0x11
66a7807a32SRandy Dunlap #define MUTEX_DEBUG_FREE	0x22
67977625a6SNicolai Hähnle #define MUTEX_POISON_WW_CTX	((void *) 0x500 + POISON_POINTER_DELTA)
68a7807a32SRandy Dunlap 
69a7807a32SRandy Dunlap /********** security/ **********/
/*
 * Single-byte pattern, not offset by POISON_POINTER_DELTA.
 * NOTE(review): presumably written over key structures when they are
 * destroyed - confirm in the security/ sources. A fill byte of this kind
 * marks stale memory; whether key material is separately zeroised has to
 * be checked at the call site.
 */
70a7807a32SRandy Dunlap #define KEY_DESTROY		0xbd
71a7807a32SRandy Dunlap 
72c07aea3eSMatteo Croce /********** net/core/page_pool.c **********/
/*
 * Unlike the pointer-type values in this header, this expands to an
 * integer: there is no void-pointer cast around the sum.
 * NOTE(review): presumably compared against a page field to recognise
 * pages owned by a page pool - confirm in net/core/page_pool.c.
 */
73c07aea3eSMatteo Croce #define PP_SIGNATURE		(0x40 + POISON_POINTER_DELTA)
74c07aea3eSMatteo Croce 
759dde0cd3SJesper Dangaard Brouer /********** net/core/skbuff.c **********/
/*
 * From here on the offset is added to POISON_POINTER_DELTA as an integer
 * and the sum is cast, so no void-pointer arithmetic is involved.
 * The two networking values are adjacent (0x800 and 0x801), so a fault
 * address has to be read to the low bit to tell them apart.
 */
769dde0cd3SJesper Dangaard Brouer #define SKB_LIST_POISON_NEXT	((void *)(0x800 + POISON_POINTER_DELTA))
77083772c9SJakub Kicinski /********** net/ **********/
78083772c9SJakub Kicinski #define NET_PTR_POISON		((void *)(0x801 + POISON_POINTER_DELTA))
799dde0cd3SJesper Dangaard Brouer 
8047e34cb7SDave Marchevsky /********** kernel/bpf/ **********/
/*
 * Pointer-type poison at 0xeB9F above POISON_POINTER_DELTA; the offset
 * carries a UL suffix, so the sum is computed as unsigned long.
 */
8147e34cb7SDave Marchevsky #define BPF_PTR_POISON ((void *)(0xeB9FUL + POISON_POINTER_DELTA))
8247e34cb7SDave Marchevsky 
8347d58691SJann Horn /********** VFS **********/
/*
 * Pointer-type poison at 0xF5 above POISON_POINTER_DELTA, the smallest
 * pointer-type offset in this header. The odd value also makes the
 * pointer misaligned for any type wider than one byte.
 */
8447d58691SJann Horn #define VFS_PTR_POISON ((void *)(0xF5 + POISON_POINTER_DELTA))
8547d58691SJann Horn 
8631639fd6SMarco Elver /********** lib/stackdepot.c **********/
/*
 * Pointer-type poison at 0xD390 above POISON_POINTER_DELTA.
 * NOTE(review): presumably stored in stack depot records that must no
 * longer be followed - confirm in lib/stackdepot.c.
 */
8731639fd6SMarco Elver #define STACK_DEPOT_POISON ((void *)(0xD390 + POISON_POINTER_DELTA))
8831639fd6SMarco Elver 
89c9cf5528SRandy Dunlap #endif