Why copy_from/to_user causes KASAN complain?

From: Lifan Su
Date: Tue May 24 2016 - 12:35:45 EST

Hi all,

I got "BUG: KASAN: user-memory-access on address ..." message when
developing a driver. I reviewed my code twice and didn't find why.
I experienced this on various kernel versions. Please tell me why my
code cause this warning?

Here is a minimal reproduce example:

On a Fedora-23 host, compile a 4.6 kernel with KASAN enabled with
outline (we use GCC-4.8.5 during development).
Reboot to use the KASAN-enabled kernel.
Compile section KERNEL as a kernel module and modprobe the module.
Compile section USER as a userland executable and run the executable.

Result (timestamp omitted):
test dev : ioctl: cmd: 440074d1, arg: 0000000000601080, local: ff
test dev : ioctl/w: calling copy_from_user
BUG: KASAN: user-memory-access on address 0000000000601080
Read of size 1024 by task test_drv_ioctl/946
test dev : ioctl: cmd: 840074d0, arg: 0000000000601080, local: ff
test dev : ioctl/r: calling copy_to_user
BUG: KASAN: user-memory-access on address 0000000000601080
Write of size 1024 by task test_drv_ioctl/946

/**************************** KERNEL ****************************/

#define pr_fmt(fmt) "test dev : " fmt

#include <linux/module.h>
#include <linux/device.h>
#include <linux/fs.h>
#include <linux/cdev.h>
#include <asm-generic/uaccess.h>
#include <asm-generic/ioctl.h>


#define LEN 1024
#define IOCTL_READ _IOR('t', 0xD0, u8[LEN])
#define IOCTL_WRITE _IOW('t', 0xD1, u8[LEN])

static u8 buf[LEN];
static dev_t major;
static struct class *class;
static struct cdev cdev;
static struct device *cdevice;

static long ioctl(struct file *file, unsigned int cmd,
unsigned long arg)
long err;
void __user *ptr = (void __user *)arg;

pr_info("ioctl: cmd: %08x, arg: %p, local: %p\n", cmd, ptr, buf);

switch (cmd) {
pr_info("ioctl/r: calling copy_to_user\n");
if (copy_to_user(ptr, buf, LEN)) {
pr_info("ioctl/r: failed to copy to user\n");
err = -EFAULT;
} else {
pr_info("ioctl/r: buffer copied, val: %8ph\n", buf);
err = 0;
pr_info("ioctl/w: calling copy_from_user\n");
if (copy_from_user(buf, ptr, LEN)) {
pr_info("ioctl/w: failed to copy from user\n");
err = -EFAULT;
} else {
pr_info("ioctl/w: buffer copied, val: %8ph\n", buf);
err = 0;
pr_info("ioctl: invalid command\n");
err = -EINVAL;
return err;

static const struct file_operations cdev_ops = {
.owner = THIS_MODULE,
.unlocked_ioctl = ioctl,

static int test_init(void)
int rc;

pr_info("test device initing\n");

rc = alloc_chrdev_region(&major, 0, 1, "test");

if (rc) {
goto fail_alloc_chrdev_region;
pr_info("major assigned: %d\n", (int)MAJOR(major));

class = class_create(THIS_MODULE, "test_ctl");
if (IS_ERR(class)) {
pr_err("failed to create class\n");
rc = PTR_RET(class);
goto fail_create_class;

cdev_init(&cdev, &cdev_ops);
cdev.owner = THIS_MODULE;
rc = cdev_add(&cdev, MKDEV(MAJOR(major), 0), 1);
if (rc) {
pr_info("failed to add char dev\n");
goto fail_cdev_add;

cdevice = device_create(class, NULL, MKDEV(MAJOR(major), 0), NULL,
if (IS_ERR(cdevice)) {
pr_err("failed to create /dev/ file\n");
rc = PTR_RET(cdevice);
goto fail_device_create;
pr_info("driver initialized\n");

return 0;

device_destroy(class, MKDEV(major, 0));
unregister_chrdev_region(major, 1);
return rc;


/**************************** USER ****************************/

#include <linux/ioctl.h>
#include <stdint.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>

#define LEN 1024
#define IOCTL_READ _IOR('t', 0xD0, uint8_t[LEN])
#define IOCTL_WRITE _IOW('t', 0xD1, uint8_t[LEN])

static uint8_t buf[LEN] = {0, 1, 2, 3, 4, 5, 6, 7, 8};

int main()
int ret;
int fd = open("/dev/test_ctl", O_RDWR);

fprintf(stderr, "buf: %p\n", buf);
if (fd == -1) {
ret = -errno;
fprintf(stderr, "failed to open file: %d\n", ret);
goto err;

if (ioctl(fd, IOCTL_WRITE, buf)) {
ret = -errno;
fprintf(stderr, "failed to call ioctl write: %d\n", ret);
goto err;

buf[0] = buf[1] = buf[2] = 0;
if(ioctl(fd, IOCTL_READ, buf)) {
ret = -errno;
fprintf(stderr, "failed to call ioctl read: %d\n", ret);
goto err;
fprintf(stderr, "memory: %02x %02x %02x %02x %02x %02x %02x %02x\n",
buf[0], buf[1], buf[2], buf[3],
buf[4], buf[5], buf[6], buf[7]);
return ret;