summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--mm/kasan/report.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/mm/kasan/report.c b/mm/kasan/report.c
index 27efb78eb32d..e804b1e1f886 100644
--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -638,7 +638,7 @@ void kasan_report_async(void)
*/
void kasan_non_canonical_hook(unsigned long addr)
{
- unsigned long orig_addr;
+ unsigned long orig_addr, user_orig_addr;
const char *bug_type;
/*
@@ -650,6 +650,9 @@ void kasan_non_canonical_hook(unsigned long addr)
orig_addr = (unsigned long)kasan_shadow_to_mem((void *)addr);
+ /* Strip pointer tag before comparing against userspace ranges */
+ user_orig_addr = (unsigned long)set_tag((void *)orig_addr, 0);
+
/*
* For faults near the shadow address for NULL, we can be fairly certain
* that this is a KASAN shadow memory access.
@@ -661,11 +664,13 @@ void kasan_non_canonical_hook(unsigned long addr)
* address, but make it clear that this is not necessarily what's
* actually going on.
*/
- if (orig_addr < PAGE_SIZE)
+ if (user_orig_addr < PAGE_SIZE) {
bug_type = "null-ptr-deref";
- else if (orig_addr < TASK_SIZE)
+ orig_addr = user_orig_addr;
+ } else if (user_orig_addr < TASK_SIZE) {
bug_type = "probably user-memory-access";
- else if (addr_in_shadow((void *)addr))
+ orig_addr = user_orig_addr;
+ } else if (addr_in_shadow((void *)addr))
bug_type = "probably wild-memory-access";
else
bug_type = "maybe wild-memory-access";