Documentation/dev-tools/kmsan.rst

1 .. SPDX-License-Identifier: GPL-2.0
19 -------------------
27 --------------
32   BUG: KMSAN: uninit-value in test_uninit_kmsan_check_memory+0x1be/0x380 [kmsan_test]
36    kunit_generic_run_threadfn_adapter+0x6d/0xc0 lib/kunit/try-catch.c:28
45    kunit_generic_run_threadfn_adapter+0x6d/0xc0 lib/kunit/try-catch.c:28
53   Bytes 4-7 of 8 are uninitialized
56   CPU: 0 PID: 6731 Comm: kunit_try_catch Tainted: G    B       E     5.16.0-rc3+ #104
57   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
71  - in a condition, e.g. ``if (v) { ... }``;
72  - in an indexing or pointer dereferencing, e.g. ``array[v]`` or ``*v``;
73  - when it is copied to userspace or hardware, e.g. ``copy_to_user(..., &v, ...)``;
74  - when it is passed as an argument to a function, and
82 -----------------------------
91 low-level code (e.g. that marked with ``noinstr`` which implicitly adds
96 called from non-instrumented code may also receive incorrect metadata for their
133 -------------------
168 ---------------
170 Every four bytes of kernel memory also have a so-called origin mapped to them.
173 stack (for heap-allocated memory), or the function containing the uninitialized
195 same four-byte chunk. In this case every write to either variable updates the
228 -------------------------
262 Access to per-task data
290 ``-fsanitize-memory-param-retval``, which makes the compiler check function
340 ---------------
344 Per-task KMSAN state
348 context (see above) and a per-task counter disallowing KMSAN reports::
366 When running in a kernel task context, KMSAN uses ``current->kmsan.cstate`` to
370 where ``current`` is unavailable, KMSAN switches to per-cpu interrupt state::
388 At boot-time, the kernel allocates shadow and origin pages for every available
393 This means that in general for two contiguous memory pages their shadow/origin
394 pages may not be contiguous. Consequently, if a memory access crosses the
398 In practice, contiguous memory pages returned by the same ``alloc_pages()``
399 call will have contiguous metadata, whereas if these pages belong to two
406 pages with non-contiguous metadata, it returns pointers to fake shadow/origin regions::
411 ``dummy_load_page`` is zero-initialized, so reads from it always yield zeroes.
422 When an array of pages is mapped into a contiguous virtual memory space, their
423 shadow and origin pages are similarly mapped into contiguous regions.
435 .. _LKML discussion: https://lore.kernel.org/all/20220614144853.3693273-1-glider@google.com/