From patchwork Tue Sep 27 17:09:11 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: andrey.konovalov@linux.dev
X-Patchwork-Id: 12990995
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 701D7C6FA82
	for <linux-mm@archiver.kernel.org>; Tue, 27 Sep 2022 17:09:19 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 8DC068E00E9; Tue, 27 Sep 2022 13:09:18 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 7AE488E00C1; Tue, 27 Sep 2022 13:09:18 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 6282B8E00E8; Tue, 27 Sep 2022 13:09:18 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com
 [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id 53D0D8E00C1
	for <linux-mm@kvack.org>; Tue, 27 Sep 2022 13:09:18 -0400 (EDT)
Received: from smtpin23.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id 2A9D2A7682
	for <linux-mm@kvack.org>; Tue, 27 Sep 2022 17:09:18 +0000 (UTC)
X-FDA: 79958501196.23.2B7DB76
Received: from out1.migadu.com (out1.migadu.com [91.121.223.63])
	by imf18.hostedemail.com (Postfix) with ESMTP id 7B1CC1C001E
	for <linux-mm@kvack.org>; Tue, 27 Sep 2022 17:09:17 +0000 (UTC)
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and
 include these headers.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
	t=1664298556;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=R2fGkx5wPZy+xk3vesvKnmgkl9l2oY+h5lye3VG93Jo=;
	b=eFRsiTEb0mYQArK+DAz+6UI41MBfh6tOafnAJGgUpIh0lXP1BObLZWvsYPh/HNuCMLWCNI
	i63RaG/2KiWqArce17gjFWEVPGIitWYVHOTKqF47OTNFyaNRePu51HOeNP240bo/RC3xng
	mz+l262T0dfM08D9JwCekFLet3by5XQ=
From: andrey.konovalov@linux.dev
To: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>,
	Alexander Potapenko <glider@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Andrey Ryabinin <ryabinin.a.a@gmail.com>,
	kasan-dev@googlegroups.com,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	Andrey Konovalov <andreyknvl@google.com>
Subject: [PATCH mm v2 3/3] kasan: migrate workqueue_uaf test to kunit
Date: Tue, 27 Sep 2022 19:09:11 +0200
Message-Id: 
 <1d81b6cc2a58985126283d1e0de8e663716dd930.1664298455.git.andreyknvl@google.com>
In-Reply-To: 
 <9345acdd11e953b207b0ed4724ff780e63afeb36.1664298455.git.andreyknvl@google.com>
References: 
 <9345acdd11e953b207b0ed4724ff780e63afeb36.1664298455.git.andreyknvl@google.com>
MIME-Version: 1.0
X-Migadu-Flow: FLOW_OUT
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1664298557; a=rsa-sha256;
	cv=none;
	b=TDGHMNt/MiipyshVtCkODkS6s5OBAKyXLtYShdLsOK8OPwuwG0fSeqFMht6sAwi8vOzphm
	u4Ygk8AOQ9gGvqSwDNZqj1c14NUBL/yyWHvuU0Y/crc1wbRWiIEtpd4JGPZTWzXPBEbSyG
	UWHLCG+btCInfw0lTeCidZo5uH8GHPE=
ARC-Authentication-Results: i=1;
	imf18.hostedemail.com;
	dkim=pass header.d=linux.dev header.s=key1 header.b=eFRsiTEb;
	spf=pass (imf18.hostedemail.com: domain of andrey.konovalov@linux.dev
 designates 91.121.223.63 as permitted sender)
 smtp.mailfrom=andrey.konovalov@linux.dev;
	dmarc=pass (policy=none) header.from=linux.dev
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1664298557;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=R2fGkx5wPZy+xk3vesvKnmgkl9l2oY+h5lye3VG93Jo=;
	b=MUXmw9HIX/F0F/HX9gXZUOj1yEAa+OjRu/cyw8K5I+gnPTVA+s8hjmEz2BOyUy+yBraGwC
	Fsk+zZJJtyc7Js+ux4MgLD+MVgOf9bXkqOtmALfMNfBVyqQyyL8+hRUdtGnUius/BrJeSr
	5YiP3D6JwdFkUHhWs5dfD+Av9M9GVvk=
X-Stat-Signature: d8s6xdj8cerwmak6b3cowrd7yekn9dse
X-Rspamd-Queue-Id: 7B1CC1C001E
X-Rspam-User: 
Authentication-Results: imf18.hostedemail.com;
	dkim=pass header.d=linux.dev header.s=key1 header.b=eFRsiTEb;
	spf=pass (imf18.hostedemail.com: domain of andrey.konovalov@linux.dev
 designates 91.121.223.63 as permitted sender)
 smtp.mailfrom=andrey.konovalov@linux.dev;
	dmarc=pass (policy=none) header.from=linux.dev
X-Rspamd-Server: rspam01
X-HE-Tag: 1664298557-29441
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

From: Andrey Konovalov <andreyknvl@google.com>

Migrate the workqueue_uaf test to the KUnit framework.

Initially, this test was intended to check that Generic KASAN prints
auxiliary stack traces for workqueues. Nevertheless, the test is enabled
for all modes to make that KASAN reports bad accesses in the tested
scenario.

The presence of auxiliary stack traces for the Generic mode needs to be
inspected manually.

Reviewed-by: Marco Elver <elver@google.com>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 mm/kasan/kasan_test.c        | 40 +++++++++++++++++++++++++++++-------
 mm/kasan/kasan_test_module.c | 30 ---------------------------
 2 files changed, 33 insertions(+), 37 deletions(-)

diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
index 005776325e20..71cb402c404f 100644
--- a/mm/kasan/kasan_test.c
+++ b/mm/kasan/kasan_test.c
@@ -1134,6 +1134,14 @@ static void kmalloc_double_kzfree(struct kunit *test)
 	KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
 }
 
+/*
+ * The two tests below check that Generic KASAN prints auxiliary stack traces
+ * for RCU callbacks and workqueues. The reports need to be inspected manually.
+ *
+ * These tests are still enabled for other KASAN modes to make sure that all
+ * modes report bad accesses in tested scenarios.
+ */
+
 static struct kasan_rcu_info {
 	int i;
 	struct rcu_head rcu;
@@ -1148,13 +1156,6 @@ static void rcu_uaf_reclaim(struct rcu_head *rp)
 	((volatile struct kasan_rcu_info *)fp)->i;
 }
 
-/*
- * Check that Generic KASAN prints auxiliary stack traces for RCU callbacks.
- * The report needs to be inspected manually.
- *
- * This test is still enabled for other KASAN modes to make sure that all modes
- * report bad accesses in tested scenarios.
- */
 static void rcu_uaf(struct kunit *test)
 {
 	struct kasan_rcu_info *ptr;
@@ -1170,6 +1171,30 @@ static void rcu_uaf(struct kunit *test)
 		rcu_barrier());
 }
 
+static void workqueue_uaf_work(struct work_struct *work)
+{
+	kfree(work);
+}
+
+static void workqueue_uaf(struct kunit *test)
+{
+	struct workqueue_struct *workqueue;
+	struct work_struct *work;
+
+	workqueue = create_workqueue("kasan_workqueue_test");
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, workqueue);
+
+	work = kmalloc(sizeof(struct work_struct), GFP_KERNEL);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, work);
+
+	INIT_WORK(work, workqueue_uaf_work);
+	queue_work(workqueue, work);
+	destroy_workqueue(workqueue);
+
+	KUNIT_EXPECT_KASAN_FAIL(test,
+		((volatile struct work_struct *)work)->data);
+}
+
 static void vmalloc_helpers_tags(struct kunit *test)
 {
 	void *ptr;
@@ -1502,6 +1527,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
 	KUNIT_CASE(kasan_bitops_tags),
 	KUNIT_CASE(kmalloc_double_kzfree),
 	KUNIT_CASE(rcu_uaf),
+	KUNIT_CASE(workqueue_uaf),
 	KUNIT_CASE(vmalloc_helpers_tags),
 	KUNIT_CASE(vmalloc_oob),
 	KUNIT_CASE(vmap_tags),
diff --git a/mm/kasan/kasan_test_module.c b/mm/kasan/kasan_test_module.c
index 4688cbcd722d..7be7bed456ef 100644
--- a/mm/kasan/kasan_test_module.c
+++ b/mm/kasan/kasan_test_module.c
@@ -62,35 +62,6 @@ static noinline void __init copy_user_test(void)
 	kfree(kmem);
 }
 
-static noinline void __init kasan_workqueue_work(struct work_struct *work)
-{
-	kfree(work);
-}
-
-static noinline void __init kasan_workqueue_uaf(void)
-{
-	struct workqueue_struct *workqueue;
-	struct work_struct *work;
-
-	workqueue = create_workqueue("kasan_wq_test");
-	if (!workqueue) {
-		pr_err("Allocation failed\n");
-		return;
-	}
-	work = kmalloc(sizeof(struct work_struct), GFP_KERNEL);
-	if (!work) {
-		pr_err("Allocation failed\n");
-		return;
-	}
-
-	INIT_WORK(work, kasan_workqueue_work);
-	queue_work(workqueue, work);
-	destroy_workqueue(workqueue);
-
-	pr_info("use-after-free on workqueue\n");
-	((volatile struct work_struct *)work)->data;
-}
-
 static int __init test_kasan_module_init(void)
 {
 	/*
@@ -101,7 +72,6 @@ static int __init test_kasan_module_init(void)
 	bool multishot = kasan_save_enable_multi_shot();
 
 	copy_user_test();
-	kasan_workqueue_uaf();
 
 	kasan_restore_multi_shot(multishot);
 	return -EAGAIN;