12757aafaSJonathan CorbetThe Kernel Address Sanitizer (KASAN) 22757aafaSJonathan Corbet==================================== 32757aafaSJonathan Corbet 42757aafaSJonathan CorbetOverview 52757aafaSJonathan Corbet-------- 62757aafaSJonathan Corbet 7b3b0e6acSAndrey KonovalovKernelAddressSANitizer (KASAN) is a dynamic memory error detector designed to 8b3b0e6acSAndrey Konovalovfind out-of-bound and use-after-free bugs. KASAN has two modes: generic KASAN 9b3b0e6acSAndrey Konovalov(similar to userspace ASan) and software tag-based KASAN (similar to userspace 10b3b0e6acSAndrey KonovalovHWASan). 112757aafaSJonathan Corbet 12b3b0e6acSAndrey KonovalovKASAN uses compile-time instrumentation to insert validity checks before every 13b3b0e6acSAndrey Konovalovmemory access, and therefore requires a compiler version that supports that. 142757aafaSJonathan Corbet 15b3b0e6acSAndrey KonovalovGeneric KASAN is supported in both GCC and Clang. With GCC it requires version 16527f6750SMarco Elver8.3.0 or later. Any supported Clang version is compatible, but detection of 17ac4766beSMarco Elverout-of-bounds accesses for global variables is only supported since Clang 11. 18b3b0e6acSAndrey Konovalov 19527f6750SMarco ElverTag-based KASAN is only supported in Clang. 20b3b0e6acSAndrey Konovalov 21*42101571SLinus WalleijCurrently generic KASAN is supported for the x86_64, arm, arm64, xtensa, s390 22*42101571SLinus Walleijand riscv architectures, and tag-based KASAN is supported only for arm64. 232757aafaSJonathan Corbet 242757aafaSJonathan CorbetUsage 252757aafaSJonathan Corbet----- 262757aafaSJonathan Corbet 272757aafaSJonathan CorbetTo enable KASAN configure kernel with:: 282757aafaSJonathan Corbet 292757aafaSJonathan Corbet CONFIG_KASAN = y 302757aafaSJonathan Corbet 31b3b0e6acSAndrey Konovalovand choose between CONFIG_KASAN_GENERIC (to enable generic KASAN) and 32b3b0e6acSAndrey KonovalovCONFIG_KASAN_SW_TAGS (to enable software tag-based KASAN). 332757aafaSJonathan Corbet 34b3b0e6acSAndrey KonovalovYou also need to choose between CONFIG_KASAN_OUTLINE and CONFIG_KASAN_INLINE. 35b3b0e6acSAndrey KonovalovOutline and inline are compiler instrumentation types. The former produces 36b3b0e6acSAndrey Konovalovsmaller binary while the latter is 1.1 - 2 times faster. 37b3b0e6acSAndrey Konovalov 38b3b0e6acSAndrey KonovalovBoth KASAN modes work with both SLUB and SLAB memory allocators. 392757aafaSJonathan CorbetFor better bug detection and nicer reporting, enable CONFIG_STACKTRACE. 402757aafaSJonathan Corbet 410fe9a448SVlastimil BabkaTo augment reports with last allocation and freeing stack of the physical page, 420fe9a448SVlastimil Babkait is recommended to enable also CONFIG_PAGE_OWNER and boot with page_owner=on. 430fe9a448SVlastimil Babka 442757aafaSJonathan CorbetTo disable instrumentation for specific files or directories, add a line 452757aafaSJonathan Corbetsimilar to the following to the respective kernel Makefile: 462757aafaSJonathan Corbet 472757aafaSJonathan Corbet- For a single file (e.g. main.o):: 482757aafaSJonathan Corbet 492757aafaSJonathan Corbet KASAN_SANITIZE_main.o := n 502757aafaSJonathan Corbet 512757aafaSJonathan Corbet- For all files in one directory:: 522757aafaSJonathan Corbet 532757aafaSJonathan Corbet KASAN_SANITIZE := n 542757aafaSJonathan Corbet 552757aafaSJonathan CorbetError reports 562757aafaSJonathan Corbet~~~~~~~~~~~~~ 572757aafaSJonathan Corbet 58b3b0e6acSAndrey KonovalovA typical out-of-bounds access generic KASAN report looks like this:: 592757aafaSJonathan Corbet 602757aafaSJonathan Corbet ================================================================== 61b3b0e6acSAndrey Konovalov BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xa8/0xbc [test_kasan] 62b3b0e6acSAndrey Konovalov Write of size 1 at addr ffff8801f44ec37b by task insmod/2760 632757aafaSJonathan Corbet 64b3b0e6acSAndrey Konovalov CPU: 1 PID: 2760 Comm: insmod Not tainted 4.19.0-rc3+ #698 65b3b0e6acSAndrey Konovalov Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 662757aafaSJonathan Corbet Call Trace: 67b3b0e6acSAndrey Konovalov dump_stack+0x94/0xd8 68b3b0e6acSAndrey Konovalov print_address_description+0x73/0x280 69b3b0e6acSAndrey Konovalov kasan_report+0x144/0x187 70b3b0e6acSAndrey Konovalov __asan_report_store1_noabort+0x17/0x20 71b3b0e6acSAndrey Konovalov kmalloc_oob_right+0xa8/0xbc [test_kasan] 72b3b0e6acSAndrey Konovalov kmalloc_tests_init+0x16/0x700 [test_kasan] 73b3b0e6acSAndrey Konovalov do_one_initcall+0xa5/0x3ae 74b3b0e6acSAndrey Konovalov do_init_module+0x1b6/0x547 75b3b0e6acSAndrey Konovalov load_module+0x75df/0x8070 76b3b0e6acSAndrey Konovalov __do_sys_init_module+0x1c6/0x200 77b3b0e6acSAndrey Konovalov __x64_sys_init_module+0x6e/0xb0 78b3b0e6acSAndrey Konovalov do_syscall_64+0x9f/0x2c0 79b3b0e6acSAndrey Konovalov entry_SYSCALL_64_after_hwframe+0x44/0xa9 80b3b0e6acSAndrey Konovalov RIP: 0033:0x7f96443109da 81b3b0e6acSAndrey Konovalov RSP: 002b:00007ffcf0b51b08 EFLAGS: 00000202 ORIG_RAX: 00000000000000af 82b3b0e6acSAndrey Konovalov RAX: ffffffffffffffda RBX: 000055dc3ee521a0 RCX: 00007f96443109da 83b3b0e6acSAndrey Konovalov RDX: 00007f96445cff88 RSI: 0000000000057a50 RDI: 00007f9644992000 84b3b0e6acSAndrey Konovalov RBP: 000055dc3ee510b0 R08: 0000000000000003 R09: 0000000000000000 85b3b0e6acSAndrey Konovalov R10: 00007f964430cd0a R11: 0000000000000202 R12: 00007f96445cff88 86b3b0e6acSAndrey Konovalov R13: 000055dc3ee51090 R14: 0000000000000000 R15: 0000000000000000 87b3b0e6acSAndrey Konovalov 88b3b0e6acSAndrey Konovalov Allocated by task 2760: 89b3b0e6acSAndrey Konovalov save_stack+0x43/0xd0 90b3b0e6acSAndrey Konovalov kasan_kmalloc+0xa7/0xd0 91b3b0e6acSAndrey Konovalov kmem_cache_alloc_trace+0xe1/0x1b0 92b3b0e6acSAndrey Konovalov kmalloc_oob_right+0x56/0xbc [test_kasan] 93b3b0e6acSAndrey Konovalov kmalloc_tests_init+0x16/0x700 [test_kasan] 94b3b0e6acSAndrey Konovalov do_one_initcall+0xa5/0x3ae 95b3b0e6acSAndrey Konovalov do_init_module+0x1b6/0x547 96b3b0e6acSAndrey Konovalov load_module+0x75df/0x8070 97b3b0e6acSAndrey Konovalov __do_sys_init_module+0x1c6/0x200 98b3b0e6acSAndrey Konovalov __x64_sys_init_module+0x6e/0xb0 99b3b0e6acSAndrey Konovalov do_syscall_64+0x9f/0x2c0 100b3b0e6acSAndrey Konovalov entry_SYSCALL_64_after_hwframe+0x44/0xa9 101b3b0e6acSAndrey Konovalov 102b3b0e6acSAndrey Konovalov Freed by task 815: 103b3b0e6acSAndrey Konovalov save_stack+0x43/0xd0 104b3b0e6acSAndrey Konovalov __kasan_slab_free+0x135/0x190 105b3b0e6acSAndrey Konovalov kasan_slab_free+0xe/0x10 106b3b0e6acSAndrey Konovalov kfree+0x93/0x1a0 107b3b0e6acSAndrey Konovalov umh_complete+0x6a/0xa0 108b3b0e6acSAndrey Konovalov call_usermodehelper_exec_async+0x4c3/0x640 109b3b0e6acSAndrey Konovalov ret_from_fork+0x35/0x40 110b3b0e6acSAndrey Konovalov 111b3b0e6acSAndrey Konovalov The buggy address belongs to the object at ffff8801f44ec300 112b3b0e6acSAndrey Konovalov which belongs to the cache kmalloc-128 of size 128 113b3b0e6acSAndrey Konovalov The buggy address is located 123 bytes inside of 114b3b0e6acSAndrey Konovalov 128-byte region [ffff8801f44ec300, ffff8801f44ec380) 115b3b0e6acSAndrey Konovalov The buggy address belongs to the page: 116b3b0e6acSAndrey Konovalov page:ffffea0007d13b00 count:1 mapcount:0 mapping:ffff8801f7001640 index:0x0 117b3b0e6acSAndrey Konovalov flags: 0x200000000000100(slab) 118b3b0e6acSAndrey Konovalov raw: 0200000000000100 ffffea0007d11dc0 0000001a0000001a ffff8801f7001640 119b3b0e6acSAndrey Konovalov raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000 120b3b0e6acSAndrey Konovalov page dumped because: kasan: bad access detected 121b3b0e6acSAndrey Konovalov 1222757aafaSJonathan Corbet Memory state around the buggy address: 123b3b0e6acSAndrey Konovalov ffff8801f44ec200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb 124b3b0e6acSAndrey Konovalov ffff8801f44ec280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc 125b3b0e6acSAndrey Konovalov >ffff8801f44ec300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 1262757aafaSJonathan Corbet ^ 127b3b0e6acSAndrey Konovalov ffff8801f44ec380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb 128b3b0e6acSAndrey Konovalov ffff8801f44ec400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc 1292757aafaSJonathan Corbet ================================================================== 1302757aafaSJonathan Corbet 131b3b0e6acSAndrey KonovalovThe header of the report provides a short summary of what kind of bug happened 132b3b0e6acSAndrey Konovalovand what kind of access caused it. It's followed by a stack trace of the bad 133b3b0e6acSAndrey Konovalovaccess, a stack trace of where the accessed memory was allocated (in case bad 134b3b0e6acSAndrey Konovalovaccess happens on a slab object), and a stack trace of where the object was 135b3b0e6acSAndrey Konovalovfreed (in case of a use-after-free bug report). Next comes a description of 136b3b0e6acSAndrey Konovalovthe accessed slab object and information about the accessed memory page. 1372757aafaSJonathan Corbet 1382757aafaSJonathan CorbetIn the last section the report shows memory state around the accessed address. 1392757aafaSJonathan CorbetReading this part requires some understanding of how KASAN works. 1402757aafaSJonathan Corbet 1412757aafaSJonathan CorbetThe state of each 8 aligned bytes of memory is encoded in one shadow byte. 1422757aafaSJonathan CorbetThose 8 bytes can be accessible, partially accessible, freed or be a redzone. 1432757aafaSJonathan CorbetWe use the following encoding for each shadow byte: 0 means that all 8 bytes 1442757aafaSJonathan Corbetof the corresponding memory region are accessible; number N (1 <= N <= 7) means 1452757aafaSJonathan Corbetthat the first N bytes are accessible, and other (8 - N) bytes are not; 1462757aafaSJonathan Corbetany negative value indicates that the entire 8-byte word is inaccessible. 1472757aafaSJonathan CorbetWe use different negative values to distinguish between different kinds of 1482757aafaSJonathan Corbetinaccessible memory like redzones or freed memory (see mm/kasan/kasan.h). 1492757aafaSJonathan Corbet 1502757aafaSJonathan CorbetIn the report above the arrows point to the shadow byte 03, which means that 1512757aafaSJonathan Corbetthe accessed address is partially accessible. 1522757aafaSJonathan Corbet 153b3b0e6acSAndrey KonovalovFor tag-based KASAN this last report section shows the memory tags around the 154b3b0e6acSAndrey Konovalovaccessed address (see Implementation details section). 155b3b0e6acSAndrey Konovalov 1562757aafaSJonathan Corbet 1572757aafaSJonathan CorbetImplementation details 1582757aafaSJonathan Corbet---------------------- 1592757aafaSJonathan Corbet 160b3b0e6acSAndrey KonovalovGeneric KASAN 161b3b0e6acSAndrey Konovalov~~~~~~~~~~~~~ 162b3b0e6acSAndrey Konovalov 1632757aafaSJonathan CorbetFrom a high level, our approach to memory error detection is similar to that 1642757aafaSJonathan Corbetof kmemcheck: use shadow memory to record whether each byte of memory is safe 165b3b0e6acSAndrey Konovalovto access, and use compile-time instrumentation to insert checks of shadow 166b3b0e6acSAndrey Konovalovmemory on each memory access. 1672757aafaSJonathan Corbet 168b3b0e6acSAndrey KonovalovGeneric KASAN dedicates 1/8th of kernel memory to its shadow memory (e.g. 16TB 169b3b0e6acSAndrey Konovalovto cover 128TB on x86_64) and uses direct mapping with a scale and offset to 170b3b0e6acSAndrey Konovalovtranslate a memory address to its corresponding shadow address. 1712757aafaSJonathan Corbet 1722757aafaSJonathan CorbetHere is the function which translates an address to its corresponding shadow 1732757aafaSJonathan Corbetaddress:: 1742757aafaSJonathan Corbet 1752757aafaSJonathan Corbet static inline void *kasan_mem_to_shadow(const void *addr) 1762757aafaSJonathan Corbet { 1772757aafaSJonathan Corbet return ((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT) 1782757aafaSJonathan Corbet + KASAN_SHADOW_OFFSET; 1792757aafaSJonathan Corbet } 1802757aafaSJonathan Corbet 1812757aafaSJonathan Corbetwhere ``KASAN_SHADOW_SCALE_SHIFT = 3``. 1822757aafaSJonathan Corbet 183b3b0e6acSAndrey KonovalovCompile-time instrumentation is used to insert memory access checks. Compiler 184b3b0e6acSAndrey Konovalovinserts function calls (__asan_load*(addr), __asan_store*(addr)) before each 185b3b0e6acSAndrey Konovalovmemory access of size 1, 2, 4, 8 or 16. These functions check whether memory 186b3b0e6acSAndrey Konovalovaccess is valid or not by checking corresponding shadow memory. 1872757aafaSJonathan Corbet 1882757aafaSJonathan CorbetGCC 5.0 has possibility to perform inline instrumentation. Instead of making 1892757aafaSJonathan Corbetfunction calls GCC directly inserts the code to check the shadow memory. 1902757aafaSJonathan CorbetThis option significantly enlarges kernel but it gives x1.1-x2 performance 1912757aafaSJonathan Corbetboost over outline instrumented kernel. 192b3b0e6acSAndrey Konovalov 1939793b626SWalter WuGeneric KASAN prints up to 2 call_rcu() call stacks in reports, the last one 1949793b626SWalter Wuand the second to last. 1959793b626SWalter Wu 196b3b0e6acSAndrey KonovalovSoftware tag-based KASAN 197b3b0e6acSAndrey Konovalov~~~~~~~~~~~~~~~~~~~~~~~~ 198b3b0e6acSAndrey Konovalov 199b3b0e6acSAndrey KonovalovTag-based KASAN uses the Top Byte Ignore (TBI) feature of modern arm64 CPUs to 200b3b0e6acSAndrey Konovalovstore a pointer tag in the top byte of kernel pointers. Like generic KASAN it 201b3b0e6acSAndrey Konovalovuses shadow memory to store memory tags associated with each 16-byte memory 202b3b0e6acSAndrey Konovalovcell (therefore it dedicates 1/16th of the kernel memory for shadow memory). 203b3b0e6acSAndrey Konovalov 204b3b0e6acSAndrey KonovalovOn each memory allocation tag-based KASAN generates a random tag, tags the 205b3b0e6acSAndrey Konovalovallocated memory with this tag, and embeds this tag into the returned pointer. 206b3b0e6acSAndrey KonovalovSoftware tag-based KASAN uses compile-time instrumentation to insert checks 207b3b0e6acSAndrey Konovalovbefore each memory access. These checks make sure that tag of the memory that 208b3b0e6acSAndrey Konovalovis being accessed is equal to tag of the pointer that is used to access this 209b3b0e6acSAndrey Konovalovmemory. In case of a tag mismatch tag-based KASAN prints a bug report. 210b3b0e6acSAndrey Konovalov 211b3b0e6acSAndrey KonovalovSoftware tag-based KASAN also has two instrumentation modes (outline, that 212b3b0e6acSAndrey Konovalovemits callbacks to check memory accesses; and inline, that performs the shadow 213b3b0e6acSAndrey Konovalovmemory checks inline). With outline instrumentation mode, a bug report is 214b3b0e6acSAndrey Konovalovsimply printed from the function that performs the access check. With inline 215b3b0e6acSAndrey Konovalovinstrumentation a brk instruction is emitted by the compiler, and a dedicated 216b3b0e6acSAndrey Konovalovbrk handler is used to print bug reports. 217b3b0e6acSAndrey Konovalov 218b3b0e6acSAndrey KonovalovA potential expansion of this mode is a hardware tag-based mode, which would 219b3b0e6acSAndrey Konovalovuse hardware memory tagging support instead of compiler instrumentation and 220b3b0e6acSAndrey Konovalovmanual shadow memory manipulation. 2213c5c3cfbSDaniel Axtens 2223c5c3cfbSDaniel AxtensWhat memory accesses are sanitised by KASAN? 2233c5c3cfbSDaniel Axtens-------------------------------------------- 2243c5c3cfbSDaniel Axtens 2253c5c3cfbSDaniel AxtensThe kernel maps memory in a number of different parts of the address 2263c5c3cfbSDaniel Axtensspace. This poses something of a problem for KASAN, which requires 2273c5c3cfbSDaniel Axtensthat all addresses accessed by instrumented code have a valid shadow 2283c5c3cfbSDaniel Axtensregion. 2293c5c3cfbSDaniel Axtens 2303c5c3cfbSDaniel AxtensThe range of kernel virtual addresses is large: there is not enough 2313c5c3cfbSDaniel Axtensreal memory to support a real shadow region for every address that 2323c5c3cfbSDaniel Axtenscould be accessed by the kernel. 2333c5c3cfbSDaniel Axtens 2343c5c3cfbSDaniel AxtensBy default 2353c5c3cfbSDaniel Axtens~~~~~~~~~~ 2363c5c3cfbSDaniel Axtens 2373c5c3cfbSDaniel AxtensBy default, architectures only map real memory over the shadow region 2383c5c3cfbSDaniel Axtensfor the linear mapping (and potentially other small areas). For all 2393c5c3cfbSDaniel Axtensother areas - such as vmalloc and vmemmap space - a single read-only 2403c5c3cfbSDaniel Axtenspage is mapped over the shadow area. This read-only shadow page 2413c5c3cfbSDaniel Axtensdeclares all memory accesses as permitted. 2423c5c3cfbSDaniel Axtens 2433c5c3cfbSDaniel AxtensThis presents a problem for modules: they do not live in the linear 2443c5c3cfbSDaniel Axtensmapping, but in a dedicated module space. By hooking in to the module 2453c5c3cfbSDaniel Axtensallocator, KASAN can temporarily map real shadow memory to cover 2463c5c3cfbSDaniel Axtensthem. This allows detection of invalid accesses to module globals, for 2473c5c3cfbSDaniel Axtensexample. 2483c5c3cfbSDaniel Axtens 2493c5c3cfbSDaniel AxtensThis also creates an incompatibility with ``VMAP_STACK``: if the stack 2503c5c3cfbSDaniel Axtenslives in vmalloc space, it will be shadowed by the read-only page, and 2513c5c3cfbSDaniel Axtensthe kernel will fault when trying to set up the shadow data for stack 2523c5c3cfbSDaniel Axtensvariables. 2533c5c3cfbSDaniel Axtens 2543c5c3cfbSDaniel AxtensCONFIG_KASAN_VMALLOC 2553c5c3cfbSDaniel Axtens~~~~~~~~~~~~~~~~~~~~ 2563c5c3cfbSDaniel Axtens 2573c5c3cfbSDaniel AxtensWith ``CONFIG_KASAN_VMALLOC``, KASAN can cover vmalloc space at the 2583c5c3cfbSDaniel Axtenscost of greater memory usage. Currently this is only supported on x86. 2593c5c3cfbSDaniel Axtens 2603c5c3cfbSDaniel AxtensThis works by hooking into vmalloc and vmap, and dynamically 2613c5c3cfbSDaniel Axtensallocating real shadow memory to back the mappings. 2623c5c3cfbSDaniel Axtens 2633c5c3cfbSDaniel AxtensMost mappings in vmalloc space are small, requiring less than a full 2643c5c3cfbSDaniel Axtenspage of shadow space. Allocating a full shadow page per mapping would 2653c5c3cfbSDaniel Axtenstherefore be wasteful. Furthermore, to ensure that different mappings 2663c5c3cfbSDaniel Axtensuse different shadow pages, mappings would have to be aligned to 2673c5c3cfbSDaniel Axtens``KASAN_SHADOW_SCALE_SIZE * PAGE_SIZE``. 2683c5c3cfbSDaniel Axtens 2693c5c3cfbSDaniel AxtensInstead, we share backing space across multiple mappings. We allocate 2703c5c3cfbSDaniel Axtensa backing page when a mapping in vmalloc space uses a particular page 2713c5c3cfbSDaniel Axtensof the shadow region. This page can be shared by other vmalloc 2723c5c3cfbSDaniel Axtensmappings later on. 2733c5c3cfbSDaniel Axtens 2743c5c3cfbSDaniel AxtensWe hook in to the vmap infrastructure to lazily clean up unused shadow 2753c5c3cfbSDaniel Axtensmemory. 2763c5c3cfbSDaniel Axtens 2773c5c3cfbSDaniel AxtensTo avoid the difficulties around swapping mappings around, we expect 2783c5c3cfbSDaniel Axtensthat the part of the shadow region that covers the vmalloc space will 2793c5c3cfbSDaniel Axtensnot be covered by the early shadow page, but will be left 2803c5c3cfbSDaniel Axtensunmapped. This will require changes in arch-specific code. 2813c5c3cfbSDaniel Axtens 2823c5c3cfbSDaniel AxtensThis allows ``VMAP_STACK`` support on x86, and can simplify support of 2833c5c3cfbSDaniel Axtensarchitectures that do not have a fixed module region. 2849ab5be97SPatricia Alfonso 2859ab5be97SPatricia AlfonsoCONFIG_KASAN_KUNIT_TEST & CONFIG_TEST_KASAN_MODULE 2869ab5be97SPatricia Alfonso-------------------------------------------------- 2879ab5be97SPatricia Alfonso 2889ab5be97SPatricia Alfonso``CONFIG_KASAN_KUNIT_TEST`` utilizes the KUnit Test Framework for testing. 2899ab5be97SPatricia AlfonsoThis means each test focuses on a small unit of functionality and 2909ab5be97SPatricia Alfonsothere are a few ways these tests can be run. 2919ab5be97SPatricia Alfonso 2929ab5be97SPatricia AlfonsoEach test will print the KASAN report if an error is detected and then 2939ab5be97SPatricia Alfonsoprint the number of the test and the status of the test: 2949ab5be97SPatricia Alfonso 2959ab5be97SPatricia Alfonsopass:: 2969ab5be97SPatricia Alfonso 2979ab5be97SPatricia Alfonso ok 28 - kmalloc_double_kzfree 2989ab5be97SPatricia Alfonsoor, if kmalloc failed:: 2999ab5be97SPatricia Alfonso 3009ab5be97SPatricia Alfonso # kmalloc_large_oob_right: ASSERTION FAILED at lib/test_kasan.c:163 3019ab5be97SPatricia Alfonso Expected ptr is not null, but is 3029ab5be97SPatricia Alfonso not ok 4 - kmalloc_large_oob_right 3039ab5be97SPatricia Alfonsoor, if a KASAN report was expected, but not found:: 3049ab5be97SPatricia Alfonso 3059ab5be97SPatricia Alfonso # kmalloc_double_kzfree: EXPECTATION FAILED at lib/test_kasan.c:629 3069ab5be97SPatricia Alfonso Expected kasan_data->report_expected == kasan_data->report_found, but 3079ab5be97SPatricia Alfonso kasan_data->report_expected == 1 3089ab5be97SPatricia Alfonso kasan_data->report_found == 0 3099ab5be97SPatricia Alfonso not ok 28 - kmalloc_double_kzfree 3109ab5be97SPatricia Alfonso 3119ab5be97SPatricia AlfonsoAll test statuses are tracked as they run and an overall status will 3129ab5be97SPatricia Alfonsobe printed at the end:: 3139ab5be97SPatricia Alfonso 3149ab5be97SPatricia Alfonso ok 1 - kasan 3159ab5be97SPatricia Alfonso 3169ab5be97SPatricia Alfonsoor:: 3179ab5be97SPatricia Alfonso 3189ab5be97SPatricia Alfonso not ok 1 - kasan 3199ab5be97SPatricia Alfonso 3209ab5be97SPatricia Alfonso(1) Loadable Module 3219ab5be97SPatricia Alfonso~~~~~~~~~~~~~~~~~~~~ 3229ab5be97SPatricia Alfonso 3239ab5be97SPatricia AlfonsoWith ``CONFIG_KUNIT`` enabled, ``CONFIG_KASAN_KUNIT_TEST`` can be built as 3249ab5be97SPatricia Alfonsoa loadable module and run on any architecture that supports KASAN 3259ab5be97SPatricia Alfonsousing something like insmod or modprobe. The module is called ``test_kasan``. 3269ab5be97SPatricia Alfonso 3279ab5be97SPatricia Alfonso(2) Built-In 3289ab5be97SPatricia Alfonso~~~~~~~~~~~~~ 3299ab5be97SPatricia Alfonso 3309ab5be97SPatricia AlfonsoWith ``CONFIG_KUNIT`` built-in, ``CONFIG_KASAN_KUNIT_TEST`` can be built-in 3319ab5be97SPatricia Alfonsoon any architecure that supports KASAN. These and any other KUnit 3329ab5be97SPatricia Alfonsotests enabled will run and print the results at boot as a late-init 3339ab5be97SPatricia Alfonsocall. 3349ab5be97SPatricia Alfonso 3359ab5be97SPatricia Alfonso(3) Using kunit_tool 3369ab5be97SPatricia Alfonso~~~~~~~~~~~~~~~~~~~~~ 3379ab5be97SPatricia Alfonso 3389ab5be97SPatricia AlfonsoWith ``CONFIG_KUNIT`` and ``CONFIG_KASAN_KUNIT_TEST`` built-in, we can also 3399ab5be97SPatricia Alfonsouse kunit_tool to see the results of these along with other KUnit 3409ab5be97SPatricia Alfonsotests in a more readable way. This will not print the KASAN reports 3419ab5be97SPatricia Alfonsoof tests that passed. Use `KUnit documentation <https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html>`_ for more up-to-date 3429ab5be97SPatricia Alfonsoinformation on kunit_tool. 3439ab5be97SPatricia Alfonso 3449ab5be97SPatricia Alfonso.. _KUnit: https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html 3459ab5be97SPatricia Alfonso 3469ab5be97SPatricia Alfonso``CONFIG_TEST_KASAN_MODULE`` is a set of KASAN tests that could not be 3479ab5be97SPatricia Alfonsoconverted to KUnit. These tests can be run only as a module with 3489ab5be97SPatricia Alfonso``CONFIG_TEST_KASAN_MODULE`` built as a loadable module and 3499ab5be97SPatricia Alfonso``CONFIG_KASAN`` built-in. The type of error expected and the 3509ab5be97SPatricia Alfonsofunction being run is printed before the expression expected to give 3519ab5be97SPatricia Alfonsoan error. Then the error is printed, if found, and that test 3529ab5be97SPatricia Alfonsoshould be interpretted to pass only if the error was the one expected 3539ab5be97SPatricia Alfonsoby the test. 354