From patchwork Fri Jul 31 04:42:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gow X-Patchwork-Id: 11694079 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7C309722 for ; Fri, 31 Jul 2020 04:43:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 63ED821744 for ; Fri, 31 Jul 2020 04:43:22 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="wK2O50yS" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729519AbgGaEnE (ORCPT ); Fri, 31 Jul 2020 00:43:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45336 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726482AbgGaEnC (ORCPT ); Fri, 31 Jul 2020 00:43:02 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 986E5C061574 for ; Thu, 30 Jul 2020 21:43:02 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id p138so13130509yba.12 for ; Thu, 30 Jul 2020 21:43:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=beEVykI/w3KZVAvPQjbc06TAF1ssDBP5sJ8EW7g7IJE=; b=wK2O50ySlF5ASt2GKsAqVARb1LUmHwMkknk0UmPXxVufvAvC9lPGBOkaNfqYgrUDnJ 4VBXnS9MseaGLdap+ZvQlGrYrI3snt1mfaZn7LxpF2cXgy4V6aPkzKy8R6u7XFWktHGT t2+H/wWC4qg7iKNZYvNWzcklCOmnyiKLU0AZ0DvC9ceOf+LTgyhPZH3x6Y4TeED/2h/x f3/STNqkn2miCTcRso4ITLjV0JevDlJHzw26WTn/mm5BBmQ5oRKPl8lcFJRamwkHGMTg qU3vreHwygr5pbQ+xaLEqDePQXvDflCaVQZQeZJUyhv5081JqiQIAaqtyrxFlZM1B66V 3Bqg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=beEVykI/w3KZVAvPQjbc06TAF1ssDBP5sJ8EW7g7IJE=; b=lmsTubqTTFQ3ztcc0d75WwYzu1XUf2fiquavfFAWK0foluX6xt2aybleRbCu75JYfw ueQPDzPrN+RufQUoHDlDGXCVY3OYDv/qsM+zsd7piRQ3UAkYpUJ2salGGnT/lwaygRSG udO/V3HLevfKlcbuVRIeDvgIJuSlgE1KMDFKtfzFCCW2oT4mH2oVANYXC50iL46SwDMo I10oE6PCoNELj4i3dfr9/s2+y7q7syd9FF694hqrsVFIqJ68R1NcQt94I2+Xkp8P2qHS bxvQ1wuwr3qe+v2ABzbeCrSvuRPt0ucQ/wigEoTtpVZ8moRUBgE7NJsyS6bOUBJsCsfF 6hVw== X-Gm-Message-State: AOAM530HGL8mE5ILFfL/hPQogn1a7UBJ5tTCp2xF2yD1LnpHGhRmrk5G CMRhgI0pdol2kqyHvYy1VvGb6iu5schQBQ== X-Google-Smtp-Source: ABdhPJwu24MFR6IZ+344IkbGVBQg1N3XcrFl0sy/7OerPAGdbj160vL5rZ6Qdok7k/Q4sjw98Arnn+OnNTN0Jw== X-Received: by 2002:a5b:30d:: with SMTP id j13mr3228618ybp.51.1596170581813; Thu, 30 Jul 2020 21:43:01 -0700 (PDT) Date: Thu, 30 Jul 2020 21:42:38 -0700 In-Reply-To: <20200731044242.1323143-1-davidgow@google.com> Message-Id: <20200731044242.1323143-2-davidgow@google.com> Mime-Version: 1.0 References: <20200731044242.1323143-1-davidgow@google.com> X-Mailer: git-send-email 2.28.0.163.g6104cc2f0b6-goog Subject: [PATCH v9 1/5] Add KUnit Struct to Current Task From: David Gow To: trishalfonso@google.com, brendanhiggins@google.com, aryabinin@virtuozzo.com, dvyukov@google.com, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, andreyknvl@google.com, shuah@kernel.org Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, kunit-dev@googlegroups.com, linux-kselftest@vger.kernel.org, David Gow Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org From: Patricia Alfonso In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test. Signed-off-by: Patricia Alfonso Reviewed-by: Brendan Higgins Signed-off-by: David Gow --- include/linux/sched.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/linux/sched.h b/include/linux/sched.h index 683372943093..3a27399c98b1 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1197,6 +1197,10 @@ struct task_struct { struct kcsan_ctx kcsan_ctx; #endif +#if IS_ENABLED(CONFIG_KUNIT) + struct kunit *kunit_test; +#endif + #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack: */ int curr_ret_stack; From patchwork Fri Jul 31 04:42:39 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gow X-Patchwork-Id: 11694071 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C0866722 for ; Fri, 31 Jul 2020 04:43:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A24DC21744 for ; Fri, 31 Jul 2020 04:43:06 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="F5FUtMZE" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729308AbgGaEnG (ORCPT ); Fri, 31 Jul 2020 00:43:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45352 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729510AbgGaEnE (ORCPT ); Fri, 31 Jul 2020 00:43:04 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 87CDAC061575 for ; Thu, 30 Jul 2020 21:43:04 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id b127so19256000ybh.21 for ; Thu, 30 Jul 2020 21:43:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=kYS2D6CxxblTibspc3xfpsTe+zwQeBARGFYFgMjXAdI=; b=F5FUtMZEZUqnGxr3zriqCQl09AXyQMkrQcLC501lLrTidZykKhhfrQcGiJOGMUnx1p r6HS4epcnMjo8nfi3GsRRZbRvQXMFsNkKZhZik32o0XwnMF0cNeaeGQ7jdReHE+yP8Fm LQO0592KdeyZOjuE2wNJy+KxLHpIMhvByfqkkLqTUyWjNNC9xdCLUaOIxcmh+3SJ9dbf cro2s/f2/N3mfKyIEHsyqFdN9LMOaaK5OzI9s6t/vGlxiQpv9Guds6YRa11VW7O/DSq+ pu909D1pKe71JRY01FL46PM+SnaYIh+b4FTryU11v6ije2KkAuVGliW5neTf4U5xaGFy /CBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=kYS2D6CxxblTibspc3xfpsTe+zwQeBARGFYFgMjXAdI=; b=hZj8Q/lrbjMfb9IYgcMOnn1co9M4cW02c/cnGdCpLxu+2tSKmjxmtU7RDQycB6qd3N 57Nm38s6isKsHiGnoLFwSPOLDNMllN6dOT6Ev8/IErAkGJIdt/YVzFc5l6y9j+FL6yoM gX8ePJ62hpZcHRdrgXPosHEdzRm35HhQHR/RgGmaGp7GKrEXAVgYhHWC+ebBShLrOvKA /dFagZLM6eIGkydjo9PS/PMEyMij49hMZdjFM/mVWeJsjBfAyJeThbk482F/KZaye7tw VaSLHQKpdzFi4jQXMnlBz+qMmrQwvMfWU3DidYiDmiDuyh3zdD5IMLRiRyBoIgeoOvw8 bgWg== X-Gm-Message-State: AOAM533lSWhGFFzCjJz+yRYFhqpGdnusq9TlL8PPhkXhyFPx2KJNrU7y Dy3EDpeXbVGSjyE05lfJi8q27sTuyg6s8g== X-Google-Smtp-Source: ABdhPJz0MwGEqfX/WPtJxUIxNrBzDDDhSBWH5E34eoCeGj4SczVvW7injKyVahaJGh264MxcUq+XS00uc8Oyfg== X-Received: by 2002:a25:84cd:: with SMTP id x13mr3482818ybm.425.1596170583730; Thu, 30 Jul 2020 21:43:03 -0700 (PDT) Date: Thu, 30 Jul 2020 21:42:39 -0700 In-Reply-To: <20200731044242.1323143-1-davidgow@google.com> Message-Id: <20200731044242.1323143-3-davidgow@google.com> Mime-Version: 1.0 References: <20200731044242.1323143-1-davidgow@google.com> X-Mailer: git-send-email 2.28.0.163.g6104cc2f0b6-goog Subject: [PATCH v9 2/5] KUnit: KASAN Integration From: David Gow To: trishalfonso@google.com, brendanhiggins@google.com, aryabinin@virtuozzo.com, dvyukov@google.com, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, andreyknvl@google.com, shuah@kernel.org Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, kunit-dev@googlegroups.com, linux-kselftest@vger.kernel.org, David Gow Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org From: Patricia Alfonso Integrate KASAN into KUnit testing framework. - Fail tests when KASAN reports an error that is not expected - Use KUNIT_EXPECT_KASAN_FAIL to expect a KASAN error in KASAN tests - Expected KASAN reports pass tests and are still printed when run without kunit_tool (kunit_tool still bypasses the report due to the test passing) - KUnit struct in current task used to keep track of the current test from KASAN code Make use of "[PATCH v3 kunit-next 1/2] kunit: generalize kunit_resource API beyond allocated resources" and "[PATCH v3 kunit-next 2/2] kunit: add support for named resources" from Alan Maguire [1] - A named resource is added to a test when a KASAN report is expected - This resource contains a struct for kasan_data containing booleans representing if a KASAN report is expected and if a KASAN report is found [1] (https://lore.kernel.org/linux-kselftest/1583251361-12748-1-git-send-email-alan.maguire@oracle.com/T/#t) Signed-off-by: Patricia Alfonso Signed-off-by: David Gow Reviewed-by: Andrey Konovalov Reviewed-by: Dmitry Vyukov Acked-by: Brendan Higgins --- include/kunit/test.h | 5 +++++ include/linux/kasan.h | 6 ++++++ lib/kunit/test.c | 13 +++++++----- lib/test_kasan.c | 47 +++++++++++++++++++++++++++++++++++++++++-- mm/kasan/report.c | 32 +++++++++++++++++++++++++++++ 5 files changed, 96 insertions(+), 7 deletions(-) diff --git a/include/kunit/test.h b/include/kunit/test.h index 59f3144f009a..3391f38389f8 100644 --- a/include/kunit/test.h +++ b/include/kunit/test.h @@ -224,6 +224,11 @@ struct kunit { struct list_head resources; /* Protected by lock. */ }; +static inline void kunit_set_failure(struct kunit *test) +{ + WRITE_ONCE(test->success, false); +} + void kunit_init_test(struct kunit *test, const char *name, char *log); int kunit_run_tests(struct kunit_suite *suite); diff --git a/include/linux/kasan.h b/include/linux/kasan.h index 82522e996c76..3ccb7874a466 100644 --- a/include/linux/kasan.h +++ b/include/linux/kasan.h @@ -14,6 +14,12 @@ struct task_struct; #include #include +/* kasan_data struct is used in KUnit tests for KASAN expected failures */ +struct kunit_kasan_expectation { + bool report_expected; + bool report_found; +}; + extern unsigned char kasan_early_shadow_page[PAGE_SIZE]; extern pte_t kasan_early_shadow_pte[PTRS_PER_PTE]; extern pmd_t kasan_early_shadow_pmd[PTRS_PER_PMD]; diff --git a/lib/kunit/test.c b/lib/kunit/test.c index c36037200310..dcc35fd30d95 100644 --- a/lib/kunit/test.c +++ b/lib/kunit/test.c @@ -10,16 +10,12 @@ #include #include #include +#include #include "debugfs.h" #include "string-stream.h" #include "try-catch-impl.h" -static void kunit_set_failure(struct kunit *test) -{ - WRITE_ONCE(test->success, false); -} - static void kunit_print_tap_version(void) { static bool kunit_has_printed_tap_version; @@ -288,6 +284,10 @@ static void kunit_try_run_case(void *data) struct kunit_suite *suite = ctx->suite; struct kunit_case *test_case = ctx->test_case; +#if (IS_ENABLED(CONFIG_KASAN) && IS_ENABLED(CONFIG_KUNIT)) + current->kunit_test = test; +#endif /* IS_ENABLED(CONFIG_KASAN) && IS_ENABLED(CONFIG_KUNIT) */ + /* * kunit_run_case_internal may encounter a fatal error; if it does, * abort will be called, this thread will exit, and finally the parent @@ -602,6 +602,9 @@ void kunit_cleanup(struct kunit *test) spin_unlock(&test->lock); kunit_remove_resource(test, res); } +#if (IS_ENABLED(CONFIG_KASAN) && IS_ENABLED(CONFIG_KUNIT)) + current->kunit_test = NULL; +#endif /* IS_ENABLED(CONFIG_KASAN) && IS_ENABLED(CONFIG_KUNIT)*/ } EXPORT_SYMBOL_GPL(kunit_cleanup); diff --git a/lib/test_kasan.c b/lib/test_kasan.c index dc2c6a51d11a..842adcd30943 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -23,19 +23,62 @@ #include +#include + /* * We assign some test results to these globals to make sure the tests * are not eliminated as dead code. */ -int kasan_int_result; void *kasan_ptr_result; +int kasan_int_result; + +static struct kunit_resource resource; +static struct kunit_kasan_expectation fail_data; +static bool multishot; + +static int kasan_test_init(struct kunit *test) +{ + /* + * Temporarily enable multi-shot mode and set panic_on_warn=0. + * Otherwise, we'd only get a report for the first case. + */ + multishot = kasan_save_enable_multi_shot(); + + return 0; +} + +static void kasan_test_exit(struct kunit *test) +{ + kasan_restore_multi_shot(multishot); +} + +/** + * KUNIT_EXPECT_KASAN_FAIL() - Causes a test failure when the expression does + * not cause a KASAN error. This uses a KUnit resource named "kasan_data." Do + * Do not use this name for a KUnit resource outside here. + * + */ +#define KUNIT_EXPECT_KASAN_FAIL(test, condition) do { \ + fail_data.report_expected = true; \ + fail_data.report_found = false; \ + kunit_add_named_resource(test, \ + NULL, \ + NULL, \ + &resource, \ + "kasan_data", &fail_data); \ + condition; \ + KUNIT_EXPECT_EQ(test, \ + fail_data.report_expected, \ + fail_data.report_found); \ +} while (0) + + /* * Note: test functions are marked noinline so that their names appear in * reports. */ - static noinline void __init kmalloc_oob_right(void) { char *ptr; diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 51ec45407a0b..90a1348c8b81 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -33,6 +33,8 @@ #include +#include + #include "kasan.h" #include "../slab.h" @@ -464,12 +466,37 @@ static bool report_enabled(void) return !test_and_set_bit(KASAN_BIT_REPORTED, &kasan_flags); } +#if IS_ENABLED(CONFIG_KUNIT) +static void kasan_update_kunit_status(struct kunit *cur_test) +{ + struct kunit_resource *resource; + struct kunit_kasan_expectation *kasan_data; + + resource = kunit_find_named_resource(cur_test, "kasan_data"); + + if (!resource) { + kunit_set_failure(cur_test); + return; + } + + kasan_data = (struct kunit_kasan_expectation *)resource->data; + kasan_data->report_found = true; + kunit_put_resource(resource); +} +#endif /* IS_ENABLED(CONFIG_KUNIT) */ + void kasan_report_invalid_free(void *object, unsigned long ip) { unsigned long flags; u8 tag = get_tag(object); object = reset_tag(object); + +#if IS_ENABLED(CONFIG_KUNIT) + if (current->kunit_test) + kasan_update_kunit_status(current->kunit_test); +#endif /* IS_ENABLED(CONFIG_KUNIT) */ + start_report(&flags); pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", (void *)ip); print_tags(tag, object); @@ -488,6 +515,11 @@ static void __kasan_report(unsigned long addr, size_t size, bool is_write, void *untagged_addr; unsigned long flags; +#if IS_ENABLED(CONFIG_KUNIT) + if (current->kunit_test) + kasan_update_kunit_status(current->kunit_test); +#endif /* IS_ENABLED(CONFIG_KUNIT) */ + disable_trace_on_warning(); tagged_addr = (void *)addr; From patchwork Fri Jul 31 04:42:40 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gow X-Patchwork-Id: 11694073 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A3F8D913 for ; Fri, 31 Jul 2020 04:43:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8345A21D95 for ; Fri, 31 Jul 2020 04:43:10 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="F3Nhp2LS" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730164AbgGaEnI (ORCPT ); Fri, 31 Jul 2020 00:43:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45362 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729494AbgGaEnH (ORCPT ); Fri, 31 Jul 2020 00:43:07 -0400 Received: from mail-qk1-x74a.google.com (mail-qk1-x74a.google.com [IPv6:2607:f8b0:4864:20::74a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 93A4EC061575 for ; Thu, 30 Jul 2020 21:43:07 -0700 (PDT) Received: by mail-qk1-x74a.google.com with SMTP id j7so20096061qki.5 for ; Thu, 30 Jul 2020 21:43:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=7dFgQHjt7Usp0rqVZL95+8EYF1jmm5C7PyiIaSPxU24=; b=F3Nhp2LScxXiHkmGatzDuIPWfStdcIELcG+Dwl7C7JyY8PHLi1OIscazvKbmlqWHbK nGNqitoapHxDDGiKd2mCp30iBeXSZzPj1bwmRsNJb2zJjhu9E0ECr6d432mGI2H45jn9 1pEehXaIHomUWlXTcetwpNPYnBCU6UJaBibmjEHxoay1hp6MJdqvWsLh1EvrPvMmwXZV yI5XmjZU84g9jImzeeaaaiMuAah1FH+BWq16JP6980ULe+9uR5nulF6i5+90OIMY+DdQ NcAw6pU+mCTEqfgEAM8Gm+GXVVT82RvvoRSYEsMACAj3TCpoXkwsDpWb1BTSKtWgTTmd dP+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=7dFgQHjt7Usp0rqVZL95+8EYF1jmm5C7PyiIaSPxU24=; b=JHEZJ4L3Qbdc6OT1sM4H8PDBTUTdreiV9WsV1eZCqigEKCZYz3JZNvvLkHZfofwGWS 0zu6iclc+5vrFW2TPtHQ59sJfKw5jpvUo7hBMLsi7g6/0sfrPnzg0I5r9II3XvARG1bO ZdXjYVzrUpJaSm516e4WSBVwFqUdW7MYd8OKzbM7LRwU/w13LtHmeSA/NbzaL6WLDuc8 VyGGN73Z7AdWfCBYHo+F733HCSM5Vd7kMBwXfpyxlBOL93MAytkTeZSdn7H73YqefSyE UNDbwOUeHvtrNGB7ciI32cgagbiRnqLNrCpko6Mh3x8Hu0awq0n7dJqAY9ML7AOMofph WV7A== X-Gm-Message-State: AOAM530DVUA5PLkz1UlEmCkBU4C4sNv97iSte4qH0exvEZoUW86Z0mwU DQGbQdrI0QwaYJf0jG/fuUNGN5KO01R/GA== X-Google-Smtp-Source: ABdhPJzphp92gTowRKNuC/g2DaK0H4qbWJpVNWUdQHvXV09+QWcabaZ62uVXA+eUBp73abZc3UiAKrexu+gtlg== X-Received: by 2002:a05:6214:554:: with SMTP id ci20mr2421931qvb.108.1596170585932; Thu, 30 Jul 2020 21:43:05 -0700 (PDT) Date: Thu, 30 Jul 2020 21:42:40 -0700 In-Reply-To: <20200731044242.1323143-1-davidgow@google.com> Message-Id: <20200731044242.1323143-4-davidgow@google.com> Mime-Version: 1.0 References: <20200731044242.1323143-1-davidgow@google.com> X-Mailer: git-send-email 2.28.0.163.g6104cc2f0b6-goog Subject: [PATCH v9 3/5] KASAN: Port KASAN Tests to KUnit From: David Gow To: trishalfonso@google.com, brendanhiggins@google.com, aryabinin@virtuozzo.com, dvyukov@google.com, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, andreyknvl@google.com, shuah@kernel.org Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, kunit-dev@googlegroups.com, linux-kselftest@vger.kernel.org, David Gow Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org From: Patricia Alfonso Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg. Stack tests do not work properly when KASAN_STACK is enabled so those tests use a check for "if IS_ENABLED(CONFIG_KASAN_STACK)" so they only run if stack instrumentation is enabled. If KASAN_STACK is not enabled, KUnit will print a statement to let the user know this test was not run with KASAN_STACK enabled. copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module. Signed-off-by: Patricia Alfonso Signed-off-by: David Gow Reviewed-by: Brendan Higgins Reviewed-by: Andrey Konovalov Reviewed-by: Dmitry Vyukov --- lib/Kconfig.kasan | 22 +- lib/Makefile | 7 +- lib/test_kasan.c | 901 ---------------------------------------------- 3 files changed, 21 insertions(+), 909 deletions(-) delete mode 100644 lib/test_kasan.c diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 34b84bcbd3d9..a9f7451c541d 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -162,10 +162,22 @@ config KASAN_VMALLOC for KASAN to detect more sorts of errors (and to support vmapped stacks), but at the cost of higher memory usage. -config TEST_KASAN - tristate "Module for testing KASAN for bug detection" - depends on m && KASAN +config KASAN_KUNIT_TEST + tristate "KUnit-compatible tests of KASAN bug detection capabilities" if !KUNIT_ALL_TESTS + depends on KASAN && KUNIT + default KUNIT_ALL_TESTS help - This is a test module doing various nasty things like - out of bounds accesses, use after free. It is useful for testing + This is a KUnit test suite doing various nasty things like + out of bounds and use after free accesses. It is useful for testing kernel debugging features like KASAN. + + For more information on KUnit and unit tests in general, please refer + to the KUnit documentation in Documentation/dev-tools/kunit + +config TEST_KASAN_MODULE + tristate "KUnit-incompatible tests of KASAN bug detection capabilities" + depends on m && KASAN + help + This is a part of the KASAN test suite that is incompatible with + KUnit. Currently includes tests that do bad copy_from/to_user + accesses. diff --git a/lib/Makefile b/lib/Makefile index b1c42c10073b..24a5c3cc7262 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -64,9 +64,10 @@ CFLAGS_test_bitops.o += -Werror obj-$(CONFIG_TEST_SYSCTL) += test_sysctl.o obj-$(CONFIG_TEST_HASH) += test_hash.o test_siphash.o obj-$(CONFIG_TEST_IDA) += test_ida.o -obj-$(CONFIG_TEST_KASAN) += test_kasan.o -CFLAGS_test_kasan.o += -fno-builtin -CFLAGS_test_kasan.o += $(call cc-disable-warning, vla) +obj-$(CONFIG_KASAN_KUNIT_TEST) += kasan_kunit.o +CFLAGS_kasan_kunit.o += -fno-builtin +CFLAGS_kasan_kunit.o += $(call cc-disable-warning, vla) +obj-$(CONFIG_TEST_KASAN_MODULE) += test_kasan_module.o obj-$(CONFIG_TEST_UBSAN) += test_ubsan.o CFLAGS_test_ubsan.o += $(call cc-disable-warning, vla) UBSAN_SANITIZE_test_ubsan.o := y diff --git a/lib/test_kasan.c b/lib/test_kasan.c deleted file mode 100644 index 842adcd30943..000000000000 --- a/lib/test_kasan.c +++ /dev/null @@ -1,901 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* - * - * Copyright (c) 2014 Samsung Electronics Co., Ltd. - * Author: Andrey Ryabinin - */ - -#define pr_fmt(fmt) "kasan test: %s " fmt, __func__ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include - -/* - * We assign some test results to these globals to make sure the tests - * are not eliminated as dead code. - */ - -void *kasan_ptr_result; -int kasan_int_result; - -static struct kunit_resource resource; -static struct kunit_kasan_expectation fail_data; -static bool multishot; - -static int kasan_test_init(struct kunit *test) -{ - /* - * Temporarily enable multi-shot mode and set panic_on_warn=0. - * Otherwise, we'd only get a report for the first case. - */ - multishot = kasan_save_enable_multi_shot(); - - return 0; -} - -static void kasan_test_exit(struct kunit *test) -{ - kasan_restore_multi_shot(multishot); -} - -/** - * KUNIT_EXPECT_KASAN_FAIL() - Causes a test failure when the expression does - * not cause a KASAN error. This uses a KUnit resource named "kasan_data." Do - * Do not use this name for a KUnit resource outside here. - * - */ -#define KUNIT_EXPECT_KASAN_FAIL(test, condition) do { \ - fail_data.report_expected = true; \ - fail_data.report_found = false; \ - kunit_add_named_resource(test, \ - NULL, \ - NULL, \ - &resource, \ - "kasan_data", &fail_data); \ - condition; \ - KUNIT_EXPECT_EQ(test, \ - fail_data.report_expected, \ - fail_data.report_found); \ -} while (0) - - - -/* - * Note: test functions are marked noinline so that their names appear in - * reports. - */ -static noinline void __init kmalloc_oob_right(void) -{ - char *ptr; - size_t size = 123; - - pr_info("out-of-bounds to right\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - ptr[size] = 'x'; - kfree(ptr); -} - -static noinline void __init kmalloc_oob_left(void) -{ - char *ptr; - size_t size = 15; - - pr_info("out-of-bounds to left\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - *ptr = *(ptr - 1); - kfree(ptr); -} - -static noinline void __init kmalloc_node_oob_right(void) -{ - char *ptr; - size_t size = 4096; - - pr_info("kmalloc_node(): out-of-bounds to right\n"); - ptr = kmalloc_node(size, GFP_KERNEL, 0); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - ptr[size] = 0; - kfree(ptr); -} - -#ifdef CONFIG_SLUB -static noinline void __init kmalloc_pagealloc_oob_right(void) -{ - char *ptr; - size_t size = KMALLOC_MAX_CACHE_SIZE + 10; - - /* Allocate a chunk that does not fit into a SLUB cache to trigger - * the page allocator fallback. - */ - pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - ptr[size] = 0; - kfree(ptr); -} - -static noinline void __init kmalloc_pagealloc_uaf(void) -{ - char *ptr; - size_t size = KMALLOC_MAX_CACHE_SIZE + 10; - - pr_info("kmalloc pagealloc allocation: use-after-free\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - kfree(ptr); - ptr[0] = 0; -} - -static noinline void __init kmalloc_pagealloc_invalid_free(void) -{ - char *ptr; - size_t size = KMALLOC_MAX_CACHE_SIZE + 10; - - pr_info("kmalloc pagealloc allocation: invalid-free\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - kfree(ptr + 1); -} -#endif - -static noinline void __init kmalloc_large_oob_right(void) -{ - char *ptr; - size_t size = KMALLOC_MAX_CACHE_SIZE - 256; - /* Allocate a chunk that is large enough, but still fits into a slab - * and does not trigger the page allocator fallback in SLUB. - */ - pr_info("kmalloc large allocation: out-of-bounds to right\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - ptr[size] = 0; - kfree(ptr); -} - -static noinline void __init kmalloc_oob_krealloc_more(void) -{ - char *ptr1, *ptr2; - size_t size1 = 17; - size_t size2 = 19; - - pr_info("out-of-bounds after krealloc more\n"); - ptr1 = kmalloc(size1, GFP_KERNEL); - ptr2 = krealloc(ptr1, size2, GFP_KERNEL); - if (!ptr1 || !ptr2) { - pr_err("Allocation failed\n"); - kfree(ptr1); - kfree(ptr2); - return; - } - - ptr2[size2] = 'x'; - kfree(ptr2); -} - -static noinline void __init kmalloc_oob_krealloc_less(void) -{ - char *ptr1, *ptr2; - size_t size1 = 17; - size_t size2 = 15; - - pr_info("out-of-bounds after krealloc less\n"); - ptr1 = kmalloc(size1, GFP_KERNEL); - ptr2 = krealloc(ptr1, size2, GFP_KERNEL); - if (!ptr1 || !ptr2) { - pr_err("Allocation failed\n"); - kfree(ptr1); - return; - } - ptr2[size2] = 'x'; - kfree(ptr2); -} - -static noinline void __init kmalloc_oob_16(void) -{ - struct { - u64 words[2]; - } *ptr1, *ptr2; - - pr_info("kmalloc out-of-bounds for 16-bytes access\n"); - ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL); - ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL); - if (!ptr1 || !ptr2) { - pr_err("Allocation failed\n"); - kfree(ptr1); - kfree(ptr2); - return; - } - *ptr1 = *ptr2; - kfree(ptr1); - kfree(ptr2); -} - -static noinline void __init kmalloc_oob_memset_2(void) -{ - char *ptr; - size_t size = 8; - - pr_info("out-of-bounds in memset2\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - memset(ptr+7, 0, 2); - kfree(ptr); -} - -static noinline void __init kmalloc_oob_memset_4(void) -{ - char *ptr; - size_t size = 8; - - pr_info("out-of-bounds in memset4\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - memset(ptr+5, 0, 4); - kfree(ptr); -} - - -static noinline void __init kmalloc_oob_memset_8(void) -{ - char *ptr; - size_t size = 8; - - pr_info("out-of-bounds in memset8\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - memset(ptr+1, 0, 8); - kfree(ptr); -} - -static noinline void __init kmalloc_oob_memset_16(void) -{ - char *ptr; - size_t size = 16; - - pr_info("out-of-bounds in memset16\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - memset(ptr+1, 0, 16); - kfree(ptr); -} - -static noinline void __init kmalloc_oob_in_memset(void) -{ - char *ptr; - size_t size = 666; - - pr_info("out-of-bounds in memset\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - memset(ptr, 0, size+5); - kfree(ptr); -} - -static noinline void __init kmalloc_memmove_invalid_size(void) -{ - char *ptr; - size_t size = 64; - volatile size_t invalid_size = -2; - - pr_info("invalid size in memmove\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - memset((char *)ptr, 0, 64); - memmove((char *)ptr, (char *)ptr + 4, invalid_size); - kfree(ptr); -} - -static noinline void __init kmalloc_uaf(void) -{ - char *ptr; - size_t size = 10; - - pr_info("use-after-free\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - kfree(ptr); - *(ptr + 8) = 'x'; -} - -static noinline void __init kmalloc_uaf_memset(void) -{ - char *ptr; - size_t size = 33; - - pr_info("use-after-free in memset\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - kfree(ptr); - memset(ptr, 0, size); -} - -static noinline void __init kmalloc_uaf2(void) -{ - char *ptr1, *ptr2; - size_t size = 43; - - pr_info("use-after-free after another kmalloc\n"); - ptr1 = kmalloc(size, GFP_KERNEL); - if (!ptr1) { - pr_err("Allocation failed\n"); - return; - } - - kfree(ptr1); - ptr2 = kmalloc(size, GFP_KERNEL); - if (!ptr2) { - pr_err("Allocation failed\n"); - return; - } - - ptr1[40] = 'x'; - if (ptr1 == ptr2) - pr_err("Could not detect use-after-free: ptr1 == ptr2\n"); - kfree(ptr2); -} - -static noinline void __init kfree_via_page(void) -{ - char *ptr; - size_t size = 8; - struct page *page; - unsigned long offset; - - pr_info("invalid-free false positive (via page)\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - page = virt_to_page(ptr); - offset = offset_in_page(ptr); - kfree(page_address(page) + offset); -} - -static noinline void __init kfree_via_phys(void) -{ - char *ptr; - size_t size = 8; - phys_addr_t phys; - - pr_info("invalid-free false positive (via phys)\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - phys = virt_to_phys(ptr); - kfree(phys_to_virt(phys)); -} - -static noinline void __init kmem_cache_oob(void) -{ - char *p; - size_t size = 200; - struct kmem_cache *cache = kmem_cache_create("test_cache", - size, 0, - 0, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } - pr_info("out-of-bounds in kmem_cache_alloc\n"); - p = kmem_cache_alloc(cache, GFP_KERNEL); - if (!p) { - pr_err("Allocation failed\n"); - kmem_cache_destroy(cache); - return; - } - - *p = p[size]; - kmem_cache_free(cache, p); - kmem_cache_destroy(cache); -} - -static noinline void __init memcg_accounted_kmem_cache(void) -{ - int i; - char *p; - size_t size = 200; - struct kmem_cache *cache; - - cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } - - pr_info("allocate memcg accounted object\n"); - /* - * Several allocations with a delay to allow for lazy per memcg kmem - * cache creation. - */ - for (i = 0; i < 5; i++) { - p = kmem_cache_alloc(cache, GFP_KERNEL); - if (!p) - goto free_cache; - - kmem_cache_free(cache, p); - msleep(100); - } - -free_cache: - kmem_cache_destroy(cache); -} - -static char global_array[10]; - -static noinline void __init kasan_global_oob(void) -{ - volatile int i = 3; - char *p = &global_array[ARRAY_SIZE(global_array) + i]; - - pr_info("out-of-bounds global variable\n"); - *(volatile char *)p; -} - -static noinline void __init kasan_stack_oob(void) -{ - char stack_array[10]; - volatile int i = 0; - char *p = &stack_array[ARRAY_SIZE(stack_array) + i]; - - pr_info("out-of-bounds on stack\n"); - *(volatile char *)p; -} - -static noinline void __init ksize_unpoisons_memory(void) -{ - char *ptr; - size_t size = 123, real_size; - - pr_info("ksize() unpoisons the whole allocated chunk\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - real_size = ksize(ptr); - /* This access doesn't trigger an error. */ - ptr[size] = 'x'; - /* This one does. */ - ptr[real_size] = 'y'; - kfree(ptr); -} - -static noinline void __init copy_user_test(void) -{ - char *kmem; - char __user *usermem; - size_t size = 10; - int unused; - - kmem = kmalloc(size, GFP_KERNEL); - if (!kmem) - return; - - usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE, - PROT_READ | PROT_WRITE | PROT_EXEC, - MAP_ANONYMOUS | MAP_PRIVATE, 0); - if (IS_ERR(usermem)) { - pr_err("Failed to allocate user memory\n"); - kfree(kmem); - return; - } - - pr_info("out-of-bounds in copy_from_user()\n"); - unused = copy_from_user(kmem, usermem, size + 1); - - pr_info("out-of-bounds in copy_to_user()\n"); - unused = copy_to_user(usermem, kmem, size + 1); - - pr_info("out-of-bounds in __copy_from_user()\n"); - unused = __copy_from_user(kmem, usermem, size + 1); - - pr_info("out-of-bounds in __copy_to_user()\n"); - unused = __copy_to_user(usermem, kmem, size + 1); - - pr_info("out-of-bounds in __copy_from_user_inatomic()\n"); - unused = __copy_from_user_inatomic(kmem, usermem, size + 1); - - pr_info("out-of-bounds in __copy_to_user_inatomic()\n"); - unused = __copy_to_user_inatomic(usermem, kmem, size + 1); - - pr_info("out-of-bounds in strncpy_from_user()\n"); - unused = strncpy_from_user(kmem, usermem, size + 1); - - vm_munmap((unsigned long)usermem, PAGE_SIZE); - kfree(kmem); -} - -static noinline void __init kasan_alloca_oob_left(void) -{ - volatile int i = 10; - char alloca_array[i]; - char *p = alloca_array - 1; - - pr_info("out-of-bounds to left on alloca\n"); - *(volatile char *)p; -} - -static noinline void __init kasan_alloca_oob_right(void) -{ - volatile int i = 10; - char alloca_array[i]; - char *p = alloca_array + i; - - pr_info("out-of-bounds to right on alloca\n"); - *(volatile char *)p; -} - -static noinline void __init kmem_cache_double_free(void) -{ - char *p; - size_t size = 200; - struct kmem_cache *cache; - - cache = kmem_cache_create("test_cache", size, 0, 0, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } - pr_info("double-free on heap object\n"); - p = kmem_cache_alloc(cache, GFP_KERNEL); - if (!p) { - pr_err("Allocation failed\n"); - kmem_cache_destroy(cache); - return; - } - - kmem_cache_free(cache, p); - kmem_cache_free(cache, p); - kmem_cache_destroy(cache); -} - -static noinline void __init kmem_cache_invalid_free(void) -{ - char *p; - size_t size = 200; - struct kmem_cache *cache; - - cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU, - NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } - pr_info("invalid-free of heap object\n"); - p = kmem_cache_alloc(cache, GFP_KERNEL); - if (!p) { - pr_err("Allocation failed\n"); - kmem_cache_destroy(cache); - return; - } - - /* Trigger invalid free, the object doesn't get freed */ - kmem_cache_free(cache, p + 1); - - /* - * Properly free the object to prevent the "Objects remaining in - * test_cache on __kmem_cache_shutdown" BUG failure. - */ - kmem_cache_free(cache, p); - - kmem_cache_destroy(cache); -} - -static noinline void __init kasan_memchr(void) -{ - char *ptr; - size_t size = 24; - - pr_info("out-of-bounds in memchr\n"); - ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); - if (!ptr) - return; - - kasan_ptr_result = memchr(ptr, '1', size + 1); - kfree(ptr); -} - -static noinline void __init kasan_memcmp(void) -{ - char *ptr; - size_t size = 24; - int arr[9]; - - pr_info("out-of-bounds in memcmp\n"); - ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); - if (!ptr) - return; - - memset(arr, 0, sizeof(arr)); - kasan_int_result = memcmp(ptr, arr, size + 1); - kfree(ptr); -} - -static noinline void __init kasan_strings(void) -{ - char *ptr; - size_t size = 24; - - pr_info("use-after-free in strchr\n"); - ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); - if (!ptr) - return; - - kfree(ptr); - - /* - * Try to cause only 1 invalid access (less spam in dmesg). - * For that we need ptr to point to zeroed byte. - * Skip metadata that could be stored in freed object so ptr - * will likely point to zeroed byte. - */ - ptr += 16; - kasan_ptr_result = strchr(ptr, '1'); - - pr_info("use-after-free in strrchr\n"); - kasan_ptr_result = strrchr(ptr, '1'); - - pr_info("use-after-free in strcmp\n"); - kasan_int_result = strcmp(ptr, "2"); - - pr_info("use-after-free in strncmp\n"); - kasan_int_result = strncmp(ptr, "2", 1); - - pr_info("use-after-free in strlen\n"); - kasan_int_result = strlen(ptr); - - pr_info("use-after-free in strnlen\n"); - kasan_int_result = strnlen(ptr, 1); -} - -static noinline void __init kasan_bitops(void) -{ - /* - * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes; - * this way we do not actually corrupt other memory. - */ - long *bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL); - if (!bits) - return; - - /* - * Below calls try to access bit within allocated memory; however, the - * below accesses are still out-of-bounds, since bitops are defined to - * operate on the whole long the bit is in. - */ - pr_info("out-of-bounds in set_bit\n"); - set_bit(BITS_PER_LONG, bits); - - pr_info("out-of-bounds in __set_bit\n"); - __set_bit(BITS_PER_LONG, bits); - - pr_info("out-of-bounds in clear_bit\n"); - clear_bit(BITS_PER_LONG, bits); - - pr_info("out-of-bounds in __clear_bit\n"); - __clear_bit(BITS_PER_LONG, bits); - - pr_info("out-of-bounds in clear_bit_unlock\n"); - clear_bit_unlock(BITS_PER_LONG, bits); - - pr_info("out-of-bounds in __clear_bit_unlock\n"); - __clear_bit_unlock(BITS_PER_LONG, bits); - - pr_info("out-of-bounds in change_bit\n"); - change_bit(BITS_PER_LONG, bits); - - pr_info("out-of-bounds in __change_bit\n"); - __change_bit(BITS_PER_LONG, bits); - - /* - * Below calls try to access bit beyond allocated memory. - */ - pr_info("out-of-bounds in test_and_set_bit\n"); - test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - - pr_info("out-of-bounds in __test_and_set_bit\n"); - __test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - - pr_info("out-of-bounds in test_and_set_bit_lock\n"); - test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits); - - pr_info("out-of-bounds in test_and_clear_bit\n"); - test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - - pr_info("out-of-bounds in __test_and_clear_bit\n"); - __test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - - pr_info("out-of-bounds in test_and_change_bit\n"); - test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - - pr_info("out-of-bounds in __test_and_change_bit\n"); - __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - - pr_info("out-of-bounds in test_bit\n"); - kasan_int_result = test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - -#if defined(clear_bit_unlock_is_negative_byte) - pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n"); - kasan_int_result = clear_bit_unlock_is_negative_byte(BITS_PER_LONG + - BITS_PER_BYTE, bits); -#endif - kfree(bits); -} - -static noinline void __init kmalloc_double_kzfree(void) -{ - char *ptr; - size_t size = 16; - - pr_info("double-free (kzfree)\n"); - ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } - - kzfree(ptr); - kzfree(ptr); -} - -#ifdef CONFIG_KASAN_VMALLOC -static noinline void __init vmalloc_oob(void) -{ - void *area; - - pr_info("vmalloc out-of-bounds\n"); - - /* - * We have to be careful not to hit the guard page. - * The MMU will catch that and crash us. - */ - area = vmalloc(3000); - if (!area) { - pr_err("Allocation failed\n"); - return; - } - - ((volatile char *)area)[3100]; - vfree(area); -} -#else -static void __init vmalloc_oob(void) {} -#endif - -static int __init kmalloc_tests_init(void) -{ - /* - * Temporarily enable multi-shot mode. Otherwise, we'd only get a - * report for the first case. - */ - bool multishot = kasan_save_enable_multi_shot(); - - kmalloc_oob_right(); - kmalloc_oob_left(); - kmalloc_node_oob_right(); -#ifdef CONFIG_SLUB - kmalloc_pagealloc_oob_right(); - kmalloc_pagealloc_uaf(); - kmalloc_pagealloc_invalid_free(); -#endif - kmalloc_large_oob_right(); - kmalloc_oob_krealloc_more(); - kmalloc_oob_krealloc_less(); - kmalloc_oob_16(); - kmalloc_oob_in_memset(); - kmalloc_oob_memset_2(); - kmalloc_oob_memset_4(); - kmalloc_oob_memset_8(); - kmalloc_oob_memset_16(); - kmalloc_memmove_invalid_size(); - kmalloc_uaf(); - kmalloc_uaf_memset(); - kmalloc_uaf2(); - kfree_via_page(); - kfree_via_phys(); - kmem_cache_oob(); - memcg_accounted_kmem_cache(); - kasan_stack_oob(); - kasan_global_oob(); - kasan_alloca_oob_left(); - kasan_alloca_oob_right(); - ksize_unpoisons_memory(); - copy_user_test(); - kmem_cache_double_free(); - kmem_cache_invalid_free(); - kasan_memchr(); - kasan_memcmp(); - kasan_strings(); - kasan_bitops(); - kmalloc_double_kzfree(); - vmalloc_oob(); - - kasan_restore_multi_shot(multishot); - - return -EAGAIN; -} - -module_init(kmalloc_tests_init); -MODULE_LICENSE("GPL"); From patchwork Fri Jul 31 04:42:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gow X-Patchwork-Id: 11694075 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 151351392 for ; Fri, 31 Jul 2020 04:43:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EF6DC21744 for ; Fri, 31 Jul 2020 04:43:11 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="PzMkVTq1" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730158AbgGaEnK (ORCPT ); Fri, 31 Jul 2020 00:43:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45370 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730168AbgGaEnI (ORCPT ); Fri, 31 Jul 2020 00:43:08 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 99C21C061575 for ; Thu, 30 Jul 2020 21:43:08 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id z5so21107206ybo.9 for ; Thu, 30 Jul 2020 21:43:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=BW8tJXunVDhJUT5XRrBOJfZjcR8xNS1VRsDjHnpq2UQ=; b=PzMkVTq10D01+nFN0V52eFmLisb/U/VEBWan8hJsJnThbAngryHxl38SbnKMApQ6qW PdabAwkR9xbxtvheieCsaIlOzrUP6Teis45mKc7ur9HBY9UaIgwwhiY3GrGX4KG7fRis 4BdBKiHTuT0clu1HgySJZcRY9XVk2go5BaQ8/0Wa63HGGKk/aXh1bM0uTCKejvlU4SzT ohMrA2PNPdWUBDBtLN45Lib/QMo3nKcNY5haiVtlHkBWYFxXGwcG+aJvVIomQKKbTIVv nAfJxnc6acozGQ8jdBijukd5XX//IL8LwykdEsbnn522DJOLQ8wphwFxyEz/Qmv+YOPQ nSNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=BW8tJXunVDhJUT5XRrBOJfZjcR8xNS1VRsDjHnpq2UQ=; b=g0+mSjnubKqrKsNaSTEhPQtC7ONVlCSOvDkdsseeHc7g/IBF2MgHbUdf1phyenkN7h b9JzjqrkbJCZ+XZnG0Y9ovcdQNHtdkgZHjdirYpP7RUdy3NahZmctEiwJNm+WY1DJi6W EoFjqIqU182b/T96MMkNa9YdwlCnu4JfhfjPSJ1X0AVXDiTLalFCCn4dq5AAb1InflEB DiXVTZnSARNnH8PUPMJCrAKLS4K0vTB7P3zzFEyx131Yf4TmRNEF3xZXinKPa4xCeLja O97wXde3GlutmZzzQRZbwspYEe3/Vzhxfur3kryXuVLpp+42dRwHV2foghgTyR1BAxUP jmzQ== X-Gm-Message-State: AOAM531VCt4xhbYj5VoFuqgE0JdVjEwWfkGEKLypXbuKgtOTplwJdn1U 8gt4BHkFpMuIyXjOSJMjRvy0+cxg0smFHw== X-Google-Smtp-Source: ABdhPJyYVIzaRc4aBuc+Ee1NuoEmRVl6x9tNw+147D/G2kf68oji9oeoR4JZ1I0m72B9SUwdn0JErt2a5Zxunw== X-Received: by 2002:a25:aaf3:: with SMTP id t106mr3273322ybi.56.1596170587795; Thu, 30 Jul 2020 21:43:07 -0700 (PDT) Date: Thu, 30 Jul 2020 21:42:41 -0700 In-Reply-To: <20200731044242.1323143-1-davidgow@google.com> Message-Id: <20200731044242.1323143-5-davidgow@google.com> Mime-Version: 1.0 References: <20200731044242.1323143-1-davidgow@google.com> X-Mailer: git-send-email 2.28.0.163.g6104cc2f0b6-goog Subject: [PATCH v9 4/5] KASAN: Testing Documentation From: David Gow To: trishalfonso@google.com, brendanhiggins@google.com, aryabinin@virtuozzo.com, dvyukov@google.com, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, andreyknvl@google.com, shuah@kernel.org Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, kunit-dev@googlegroups.com, linux-kselftest@vger.kernel.org, David Gow Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org From: Patricia Alfonso Include documentation on how to test KASAN using CONFIG_TEST_KASAN_KUNIT and CONFIG_TEST_KASAN_MODULE. Signed-off-by: Patricia Alfonso Signed-off-by: David Gow Reviewed-by: Andrey Konovalov Reviewed-by: Dmitry Vyukov Acked-by: Brendan Higgins --- Documentation/dev-tools/kasan.rst | 70 +++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst index c652d740735d..1f9a75df0fc8 100644 --- a/Documentation/dev-tools/kasan.rst +++ b/Documentation/dev-tools/kasan.rst @@ -281,3 +281,73 @@ unmapped. This will require changes in arch-specific code. This allows ``VMAP_STACK`` support on x86, and can simplify support of architectures that do not have a fixed module region. + +CONFIG_KASAN_KUNIT_TEST & CONFIG_TEST_KASAN_MODULE +-------------------------------------------------- + +``CONFIG_KASAN_KUNIT_TEST`` utilizes the KUnit Test Framework for testing. +This means each test focuses on a small unit of functionality and +there are a few ways these tests can be run. + +Each test will print the KASAN report if an error is detected and then +print the number of the test and the status of the test: + +pass:: + + ok 28 - kmalloc_double_kzfree +or, if kmalloc failed:: + + # kmalloc_large_oob_right: ASSERTION FAILED at lib/test_kasan.c:163 + Expected ptr is not null, but is + not ok 4 - kmalloc_large_oob_right +or, if a KASAN report was expected, but not found:: + + # kmalloc_double_kzfree: EXPECTATION FAILED at lib/test_kasan.c:629 + Expected kasan_data->report_expected == kasan_data->report_found, but + kasan_data->report_expected == 1 + kasan_data->report_found == 0 + not ok 28 - kmalloc_double_kzfree + +All test statuses are tracked as they run and an overall status will +be printed at the end:: + + ok 1 - kasan_kunit_test + +or:: + + not ok 1 - kasan_kunit_test + +(1) Loadable Module +~~~~~~~~~~~~~~~~~~~~ + +With ``CONFIG_KUNIT`` enabled, ``CONFIG_KASAN_KUNIT_TEST`` can be built as +a loadable module and run on any architecture that supports KASAN +using something like insmod or modprobe. + +(2) Built-In +~~~~~~~~~~~~~ + +With ``CONFIG_KUNIT`` built-in, ``CONFIG_KASAN_KUNIT_TEST`` can be built-in +on any architecure that supports KASAN. These and any other KUnit +tests enabled will run and print the results at boot as a late-init +call. + +(3) Using kunit_tool +~~~~~~~~~~~~~~~~~~~~~ + +With ``CONFIG_KUNIT`` and ``CONFIG_KASAN_KUNIT_TEST`` built-in, we can also +use kunit_tool to see the results of these along with other KUnit +tests in a more readable way. This will not print the KASAN reports +of tests that passed. Use `KUnit documentation `_ for more up-to-date +information on kunit_tool. + +.. _KUnit: https://www.kernel.org/doc/html/latest/dev-tools/kunit/index.html + +``CONFIG_TEST_KASAN_MODULE`` is a set of KASAN tests that could not be +converted to KUnit. These tests can be run only as a module with +``CONFIG_TEST_KASAN_MODULE`` built as a loadable module and +``CONFIG_KASAN`` built-in. The type of error expected and the +function being run is printed before the expression expected to give +an error. Then the error is printed, if found, and that test +should be interpretted to pass only if the error was the one expected +by the test. From patchwork Fri Jul 31 04:42:42 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gow X-Patchwork-Id: 11694077 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 68405913 for ; Fri, 31 Jul 2020 04:43:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 50DED21744 for ; Fri, 31 Jul 2020 04:43:17 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="nM1Ko5uZ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730793AbgGaEnN (ORCPT ); Fri, 31 Jul 2020 00:43:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730174AbgGaEnL (ORCPT ); Fri, 31 Jul 2020 00:43:11 -0400 Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com [IPv6:2607:f8b0:4864:20::b4a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B129AC061575 for ; Thu, 30 Jul 2020 21:43:10 -0700 (PDT) Received: by mail-yb1-xb4a.google.com with SMTP id u189so36255898ybg.17 for ; Thu, 30 Jul 2020 21:43:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=85loYESi4Z2DrhOdMAtj0xQZzuVg3GU4Cjv9w5JgQ2w=; b=nM1Ko5uZ5PaKCYqDU0NYwRa4XHN/6iUAMZ4+j+5QaGXLZRxZwQZf5LEc6+kAM2Psif aodCaQs23B9t2l+OM4rJPukl1RwNcw1W5Z63j+BtuCBi1z133KYzKXAIzaZxLahvPr3L yUM8scgAEetSOoLmpfNqgC84H5UNnXcbpyEDCXcn4m8Qm4ILVxIjN+UZ0g2dJ3tLYGLY qFxDMKpr1Ptj79QIrsIDfo3M+sPsG/MvaX5sKtmgq9/PKyCZ7tXezJVqPQKIv4JatMs+ HEg2sgK/k5nGTU9KYSLCTZ21qWL94+72ZAsuoliRVTEiHEN2rWosgclnu6AHJK80/hkA 5IFg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=85loYESi4Z2DrhOdMAtj0xQZzuVg3GU4Cjv9w5JgQ2w=; b=KwFtTM+GKrZq38WJH0eEgXISNfjDtI3H02fF05UJr8eaFbTBNP7p4PNf6whQOc66ah 8BbmxBBF8gxfWGXsiGh7a5RuMQkGfCZqFiFZTDq75OIX4q8HXkcMy3anzEngvTQV7Mq0 oxVCdHDvGPeDKunMTixxIwWXZAhgvUqwnqtwtPz1Je8X2OrbFJbXw4PpskmWMw4HdSwR Psr61VTm03ojNwqtgGPBCQGVgq+mrAgMcYEO9HI0R8TV+V6AZz7rBC7LQNOzW/xfNKZP MNOS2WtFbbbcjPNU12omoJ0lts6i+vFEjkVezR0nVz/rE9ChovD+QEYbGi/BlDmWDt4j pLdw== X-Gm-Message-State: AOAM530GvvBtnrVWGNb7vBwem88h4t0SsDkdP3FZojxQEmbKMm3SaQ0P 08H2mDOYnnnngaeQMr9X/hNjyFAUAYsYbQ== X-Google-Smtp-Source: ABdhPJyP/mw67ayLNhKdDi8CnTcyvIx5quWF1/mZZvx61no3lP/ey5ookrMRZRyPQjQoDCQPjTLmvbv8g27ITw== X-Received: by 2002:a25:e5c3:: with SMTP id c186mr3565894ybh.332.1596170589932; Thu, 30 Jul 2020 21:43:09 -0700 (PDT) Date: Thu, 30 Jul 2020 21:42:42 -0700 In-Reply-To: <20200731044242.1323143-1-davidgow@google.com> Message-Id: <20200731044242.1323143-6-davidgow@google.com> Mime-Version: 1.0 References: <20200731044242.1323143-1-davidgow@google.com> X-Mailer: git-send-email 2.28.0.163.g6104cc2f0b6-goog Subject: [PATCH v9 5/5] mm: kasan: Do not panic if both panic_on_warn and kasan_multishot set From: David Gow To: trishalfonso@google.com, brendanhiggins@google.com, aryabinin@virtuozzo.com, dvyukov@google.com, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, andreyknvl@google.com, shuah@kernel.org Cc: David Gow , linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, kunit-dev@googlegroups.com, linux-kselftest@vger.kernel.org Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org KASAN errors will currently trigger a panic when panic_on_warn is set. This renders kasan_multishot useless, as further KASAN errors won't be reported if the kernel has already paniced. By making kasan_multishot disable this behaviour for KASAN errors, we can still have the benefits of panic_on_warn for non-KASAN warnings, yet be able to use kasan_multishot. This is particularly important when running KASAN tests, which need to trigger multiple KASAN errors: previously these would panic the system if panic_on_warn was set, now they can run (and will panic the system should non-KASAN warnings show up). Signed-off-by: David Gow Reviewed-by: Andrey Konovalov Reviewed-by: Brendan Higgins --- mm/kasan/report.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 90a1348c8b81..c83d6fde9ee4 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -95,7 +95,7 @@ static void end_report(unsigned long *flags) pr_err("==================================================================\n"); add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); spin_unlock_irqrestore(&report_lock, *flags); - if (panic_on_warn) { + if (panic_on_warn && !test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags)) { /* * This thread may hit another WARN() in the panic path. * Resetting this prevents additional WARN() from panicking the