From: Andrey Ryabinin <ryabinin.a.a@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>,
Alexander Potapenko <glider@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, Andrey Ryabinin <ryabinin.a.a@gmail.com>
Subject: [PATCH] kasan: fix bug type classification for SW_TAGS mode
Date: Thu, 5 Mar 2026 19:56:59 +0100 [thread overview]
Message-ID: <20260305185659.20807-1-ryabinin.a.a@gmail.com> (raw)
kasan_non_canonical_hook() derives orig_addr from kasan_shadow_to_mem(),
but the pointer tag may remain in the top byte. In SW_TAGS mode this
tagged address is compared against PAGE_SIZE and TASK_SIZE, which leads
to incorrect bug classification.
As a result, NULL pointer dereferences may be reported as
"wild-memory-access".
Strip the tag before performing these range checks and use the untagged
value when reporting addresses in these ranges.
Before:
[ ] Unable to handle kernel paging request at virtual address ffef800000000000
[ ] KASAN: maybe wild-memory-access in range [0xff00000000000000-0xff0000000000000f]
After:
[ ] Unable to handle kernel paging request at virtual address ffef800000000000
[ ] KASAN: null-ptr-deref in range [0x0000000000000000-0x000000000000000f]
Signed-off-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
---
mm/kasan/report.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 27efb78eb32d..e804b1e1f886 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -638,7 +638,7 @@ void kasan_report_async(void)
*/
void kasan_non_canonical_hook(unsigned long addr)
{
- unsigned long orig_addr;
+ unsigned long orig_addr, user_orig_addr;
const char *bug_type;
/*
@@ -650,6 +650,9 @@ void kasan_non_canonical_hook(unsigned long addr)
orig_addr = (unsigned long)kasan_shadow_to_mem((void *)addr);
+ /* Strip pointer tag before comparing against userspace ranges */
+ user_orig_addr = (unsigned long)set_tag((void *)orig_addr, 0);
+
/*
* For faults near the shadow address for NULL, we can be fairly certain
* that this is a KASAN shadow memory access.
@@ -661,11 +664,13 @@ void kasan_non_canonical_hook(unsigned long addr)
* address, but make it clear that this is not necessarily what's
* actually going on.
*/
- if (orig_addr < PAGE_SIZE)
+ if (user_orig_addr < PAGE_SIZE) {
bug_type = "null-ptr-deref";
- else if (orig_addr < TASK_SIZE)
+ orig_addr = user_orig_addr;
+ } else if (user_orig_addr < TASK_SIZE) {
bug_type = "probably user-memory-access";
- else if (addr_in_shadow((void *)addr))
+ orig_addr = user_orig_addr;
+ } else if (addr_in_shadow((void *)addr))
bug_type = "probably wild-memory-access";
else
bug_type = "maybe wild-memory-access";
--
2.52.0
reply other threads:[~2026-03-05 18:57 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260305185659.20807-1-ryabinin.a.a@gmail.com \
--to=ryabinin.a.a@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=maciej.wieczor-retman@intel.com \
--cc=vincenzo.frascino@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox