git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Andrey Ryabinin <ryabinin.a.a@gmail.com>
	Thu, 5 Mar 2026 18:56:59 +0000 (19:56 +0100)
committer	Andrew Morton <akpm@linux-foundation.org>
	Sun, 5 Apr 2026 20:53:18 +0000 (13:53 -0700)
commit	caf55fef6141c29c095cb1ef7ba84af08ff16734
tree	71bad99e8c5ed0d7cde81db6e94b587109327f4a	tree \| snapshot
parent	d9f74cfb5a9b06d287e855f4c388db1eb40f91e3	commit \| diff

kasan: fix bug type classification for SW_TAGS mode

kasan_non_canonical_hook() derives orig_addr from kasan_shadow_to_mem(),
but the pointer tag may remain in the top byte.  In SW_TAGS mode this
tagged address is compared against PAGE_SIZE and TASK_SIZE, which leads to
incorrect bug classification.

As a result, NULL pointer dereferences may be reported as
"wild-memory-access".

Strip the tag before performing these range checks and use the untagged
value when reporting addresses in these ranges.

Before:
  [ ] Unable to handle kernel paging request at virtual address ffef800000000000
  [ ] KASAN: maybe wild-memory-access in range [0xff00000000000000-0xff0000000000000f]

After:
  [ ] Unable to handle kernel paging request at virtual address ffef800000000000
  [ ] KASAN: null-ptr-deref in range [0x0000000000000000-0x000000000000000f]

Link: https://lkml.kernel.org/r/20260305185659.20807-1-ryabinin.a.a@gmail.com
Signed-off-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>