projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
kasan: add macros to simplify checking test constraints
[linux-block.git] / lib / test_kasan.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
3f15801c
AR		 2/*
3 *
4 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
3f15801c
AR		 6 */
7
19a33ca6 8#include <linux/bitops.h>
0386bf38 9#include <linux/delay.h>
19a33ca6 10#include <linux/kasan.h>
3f15801c 11#include <linux/kernel.h>
eae08dca 12#include <linux/mm.h>
19a33ca6
ME		 13#include <linux/mman.h>
14#include <linux/module.h>
3f15801c
AR		 15#include <linux/printk.h>
16#include <linux/slab.h>
17#include <linux/string.h>
eae08dca 18#include <linux/uaccess.h>
b92a953c 19#include <linux/io.h>
06513916 20#include <linux/vmalloc.h>
b92a953c
MR		 21
22#include <asm/page.h>
3f15801c 23
83c4e7a0
PA		 24#include <kunit/test.h>
25
f33a0149
WW		 26#include "../mm/kasan/kasan.h"
27
1f600626 28#define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
f33a0149 29
adb72ae1 30/*
0fd37925
AK		 31 * Some tests use these global variables to store return values from function
32 * calls that could otherwise be eliminated by the compiler as dead code.
adb72ae1 33 */
adb72ae1 34void *kasan_ptr_result;
83c4e7a0
PA		 35int kasan_int_result;
36
37static struct kunit_resource resource;
38static struct kunit_kasan_expectation fail_data;
39static bool multishot;
40
0fd37925
AK		 41/*
42 * Temporarily enable multi-shot mode. Otherwise, KASAN would only report the
43 * first detected bug and panic the kernel if panic_on_warn is enabled.
44 */
83c4e7a0
PA		 45static int kasan_test_init(struct kunit *test)
46{
83c4e7a0 47 multishot = kasan_save_enable_multi_shot();
83c4e7a0
PA		 48 return 0;
49}
50
51static void kasan_test_exit(struct kunit *test)
52{
53 kasan_restore_multi_shot(multishot);
54}
55
56/**
0fd37925
AK		 57 * KUNIT_EXPECT_KASAN_FAIL() - check that the executed expression produces a
58 * KASAN report; causes a test failure otherwise. This relies on a KUnit
59 * resource named "kasan_data". Do not use this name for KUnit resources
60 * outside of KASAN tests.
83c4e7a0 61 */
0fd37925 62#define KUNIT_EXPECT_KASAN_FAIL(test, expression) do { \
83c4e7a0
PA		 63 fail_data.report_expected = true; \
64 fail_data.report_found = false; \
65 kunit_add_named_resource(test, \
66 NULL, \
67 NULL, \
68 &resource, \
69 "kasan_data", &fail_data); \
0fd37925 70 expression; \
83c4e7a0
PA		 71 KUNIT_EXPECT_EQ(test, \
72 fail_data.report_expected, \
73 fail_data.report_found); \
74} while (0)
75
da17e377
AK		 76#define KASAN_TEST_NEEDS_CONFIG_ON(test, config) do { \
77 if (!IS_ENABLED(config)) { \
78 kunit_info((test), "skipping, " #config " required"); \
79 return; \
80 } \
81} while (0)
82
83#define KASAN_TEST_NEEDS_CONFIG_OFF(test, config) do { \
84 if (IS_ENABLED(config)) { \
85 kunit_info((test), "skipping, " #config " enabled"); \
86 return; \
87 } \
88} while (0)
89
73228c7e 90static void kmalloc_oob_right(struct kunit *test)
3f15801c
AR		 91{
92 char *ptr;
93 size_t size = 123;
94
3f15801c 95 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 96 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
f33a0149 97
73228c7e 98 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 'x');
3f15801c
AR		 99 kfree(ptr);
100}
101
73228c7e 102static void kmalloc_oob_left(struct kunit *test)
3f15801c
AR		 103{
104 char *ptr;
105 size_t size = 15;
106
3f15801c 107 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 108 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
3f15801c 109
73228c7e 110 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1));
3f15801c
AR		 111 kfree(ptr);
112}
113
73228c7e 114static void kmalloc_node_oob_right(struct kunit *test)
3f15801c
AR		 115{
116 char *ptr;
117 size_t size = 4096;
118
3f15801c 119 ptr = kmalloc_node(size, GFP_KERNEL, 0);
73228c7e 120 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
3f15801c 121
73228c7e 122 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
3f15801c
AR		 123 kfree(ptr);
124}
125
73228c7e 126static void kmalloc_pagealloc_oob_right(struct kunit *test)
3f15801c
AR		 127{
128 char *ptr;
129 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
130
da17e377 131 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
73228c7e 132
0fd37925
AK		 133 /*
134 * Allocate a chunk that does not fit into a SLUB cache to trigger
e6e8379c
AP		 135 * the page allocator fallback.
136 */
e6e8379c 137 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 138 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
f33a0149 139
73228c7e 140 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0);
e6e8379c
AP		 141 kfree(ptr);
142}
47adccce 143
73228c7e 144static void kmalloc_pagealloc_uaf(struct kunit *test)
47adccce
DV		 145{
146 char *ptr;
147 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
148
da17e377 149 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
47adccce 150
73228c7e
PA		 151 ptr = kmalloc(size, GFP_KERNEL);
152 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
153
47adccce 154 kfree(ptr);
73228c7e 155 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0);
47adccce
DV		 156}
157
73228c7e 158static void kmalloc_pagealloc_invalid_free(struct kunit *test)
47adccce
DV		 159{
160 char *ptr;
161 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
162
da17e377 163 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
47adccce 164
73228c7e
PA		 165 ptr = kmalloc(size, GFP_KERNEL);
166 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
167
168 KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
47adccce 169}
e6e8379c 170
73228c7e 171static void kmalloc_large_oob_right(struct kunit *test)
e6e8379c
AP		 172{
173 char *ptr;
174 size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
0fd37925
AK		 175
176 /*
177 * Allocate a chunk that is large enough, but still fits into a slab
e6e8379c
AP		 178 * and does not trigger the page allocator fallback in SLUB.
179 */
3f15801c 180 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 181 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
3f15801c 182
73228c7e 183 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
3f15801c
AR		 184 kfree(ptr);
185}
186
73228c7e 187static void kmalloc_oob_krealloc_more(struct kunit *test)
3f15801c
AR		 188{
189 char *ptr1, *ptr2;
190 size_t size1 = 17;
191 size_t size2 = 19;
192
3f15801c 193 ptr1 = kmalloc(size1, GFP_KERNEL);
73228c7e 194 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
3f15801c 195
73228c7e
PA		 196 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
197 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
f33a0149 198
73228c7e 199 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2 + OOB_TAG_OFF] = 'x');
3f15801c
AR		 200 kfree(ptr2);
201}
202
73228c7e 203static void kmalloc_oob_krealloc_less(struct kunit *test)
3f15801c
AR		 204{
205 char *ptr1, *ptr2;
206 size_t size1 = 17;
207 size_t size2 = 15;
208
3f15801c 209 ptr1 = kmalloc(size1, GFP_KERNEL);
73228c7e 210 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
f33a0149 211
73228c7e
PA		 212 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
213 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
f33a0149 214
73228c7e 215 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2 + OOB_TAG_OFF] = 'x');
3f15801c
AR		 216 kfree(ptr2);
217}
218
73228c7e 219static void kmalloc_oob_16(struct kunit *test)
3f15801c
AR		 220{
221 struct {
222 u64 words[2];
223 } *ptr1, *ptr2;
224
58b999d7 225 /* This test is specifically crafted for the generic mode. */
da17e377 226 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
58b999d7 227
3f15801c 228 ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
73228c7e
PA		 229 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
230
3f15801c 231 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
73228c7e
PA		 232 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
233
234 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
3f15801c
AR		 235 kfree(ptr1);
236 kfree(ptr2);
237}
238
58b999d7
AK		 239static void kmalloc_uaf_16(struct kunit *test)
240{
241 struct {
242 u64 words[2];
243 } *ptr1, *ptr2;
244
245 ptr1 = kmalloc(sizeof(*ptr1), GFP_KERNEL);
246 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
247
248 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
249 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
250 kfree(ptr2);
251
252 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
253 kfree(ptr1);
254}
255
73228c7e 256static void kmalloc_oob_memset_2(struct kunit *test)
f523e737
WL		 257{
258 char *ptr;
259 size_t size = 8;
260
f523e737 261 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 262 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
f33a0149 263
73228c7e 264 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 7 + OOB_TAG_OFF, 0, 2));
f523e737
WL		 265 kfree(ptr);
266}
267
73228c7e 268static void kmalloc_oob_memset_4(struct kunit *test)
f523e737
WL		 269{
270 char *ptr;
271 size_t size = 8;
272
f523e737 273 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 274 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
f33a0149 275
73228c7e 276 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 5 + OOB_TAG_OFF, 0, 4));
f523e737
WL		 277 kfree(ptr);
278}
279
280
73228c7e 281static void kmalloc_oob_memset_8(struct kunit *test)
f523e737
WL		 282{
283 char *ptr;
284 size_t size = 8;
285
f523e737 286 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 287 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
f33a0149 288
73228c7e 289 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 8));
f523e737
WL		 290 kfree(ptr);
291}
292
73228c7e 293static void kmalloc_oob_memset_16(struct kunit *test)
f523e737
WL		 294{
295 char *ptr;
296 size_t size = 16;
297
f523e737 298 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 299 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
f33a0149 300
73228c7e 301 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 16));
f523e737
WL		 302 kfree(ptr);
303}
304
73228c7e 305static void kmalloc_oob_in_memset(struct kunit *test)
3f15801c
AR		 306{
307 char *ptr;
308 size_t size = 666;
309
3f15801c 310 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 311 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
f33a0149 312
73228c7e 313 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size + 5 + OOB_TAG_OFF));
3f15801c
AR		 314 kfree(ptr);
315}
316
73228c7e 317static void kmalloc_memmove_invalid_size(struct kunit *test)
98f3b56f
WW		 318{
319 char *ptr;
320 size_t size = 64;
321 volatile size_t invalid_size = -2;
322
98f3b56f 323 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 324 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
98f3b56f
WW		 325
326 memset((char *)ptr, 0, 64);
73228c7e
PA		 327
328 KUNIT_EXPECT_KASAN_FAIL(test,
329 memmove((char *)ptr, (char *)ptr + 4, invalid_size));
98f3b56f
WW		 330 kfree(ptr);
331}
332
73228c7e 333static void kmalloc_uaf(struct kunit *test)
3f15801c
AR		 334{
335 char *ptr;
336 size_t size = 10;
337
3f15801c 338 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 339 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
3f15801c
AR		 340
341 kfree(ptr);
73228c7e 342 KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x');
3f15801c
AR		 343}
344
73228c7e 345static void kmalloc_uaf_memset(struct kunit *test)
3f15801c
AR		 346{
347 char *ptr;
348 size_t size = 33;
349
3f15801c 350 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 351 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
3f15801c
AR		 352
353 kfree(ptr);
73228c7e 354 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
3f15801c
AR		 355}
356
73228c7e 357static void kmalloc_uaf2(struct kunit *test)
3f15801c
AR		 358{
359 char *ptr1, *ptr2;
360 size_t size = 43;
361
3f15801c 362 ptr1 = kmalloc(size, GFP_KERNEL);
73228c7e 363 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
3f15801c
AR		 364
365 kfree(ptr1);
73228c7e 366
3f15801c 367 ptr2 = kmalloc(size, GFP_KERNEL);
73228c7e
PA		 368 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
369
370 KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x');
371 KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
3f15801c 372
3f15801c
AR		 373 kfree(ptr2);
374}
375
73228c7e 376static void kfree_via_page(struct kunit *test)
b92a953c
MR		 377{
378 char *ptr;
379 size_t size = 8;
380 struct page *page;
381 unsigned long offset;
382
b92a953c 383 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 384 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
b92a953c
MR		 385
386 page = virt_to_page(ptr);
387 offset = offset_in_page(ptr);
388 kfree(page_address(page) + offset);
389}
390
73228c7e 391static void kfree_via_phys(struct kunit *test)
b92a953c
MR		 392{
393 char *ptr;
394 size_t size = 8;
395 phys_addr_t phys;
396
b92a953c 397 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 398 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
b92a953c
MR		 399
400 phys = virt_to_phys(ptr);
401 kfree(phys_to_virt(phys));
402}
403
73228c7e 404static void kmem_cache_oob(struct kunit *test)
3f15801c
AR		 405{
406 char *p;
407 size_t size = 200;
408 struct kmem_cache *cache = kmem_cache_create("test_cache",
409 size, 0,
410 0, NULL);
73228c7e 411 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
3f15801c
AR		 412 p = kmem_cache_alloc(cache, GFP_KERNEL);
413 if (!p) {
73228c7e 414 kunit_err(test, "Allocation failed: %s\n", __func__);
3f15801c
AR		 415 kmem_cache_destroy(cache);
416 return;
417 }
418
73228c7e 419 KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size + OOB_TAG_OFF]);
3f15801c
AR		 420 kmem_cache_free(cache, p);
421 kmem_cache_destroy(cache);
422}
423
73228c7e 424static void memcg_accounted_kmem_cache(struct kunit *test)
0386bf38
GT		 425{
426 int i;
427 char *p;
428 size_t size = 200;
429 struct kmem_cache *cache;
430
431 cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
73228c7e 432 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
0386bf38 433
0386bf38
GT		 434 /*
435 * Several allocations with a delay to allow for lazy per memcg kmem
436 * cache creation.
437 */
438 for (i = 0; i < 5; i++) {
439 p = kmem_cache_alloc(cache, GFP_KERNEL);
dc2bf000 440 if (!p)
0386bf38 441 goto free_cache;
dc2bf000 442
0386bf38
GT		 443 kmem_cache_free(cache, p);
444 msleep(100);
445 }
446
447free_cache:
448 kmem_cache_destroy(cache);
449}
450
3f15801c
AR		 451static char global_array[10];
452
73228c7e 453static void kasan_global_oob(struct kunit *test)
3f15801c
AR		 454{
455 volatile int i = 3;
456 char *p = &global_array[ARRAY_SIZE(global_array) + i];
457
58b999d7 458 /* Only generic mode instruments globals. */
da17e377 459 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
58b999d7 460
73228c7e 461 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
3f15801c
AR		 462}
463
73228c7e 464static void ksize_unpoisons_memory(struct kunit *test)
96fe805f
AP		 465{
466 char *ptr;
48c23239 467 size_t size = 123, real_size;
96fe805f 468
96fe805f 469 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 470 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
96fe805f 471 real_size = ksize(ptr);
0fd37925
AK		 472
473 /* This access shouldn't trigger a KASAN report. */
96fe805f 474 ptr[size] = 'x';
0fd37925
AK		 475
476 /* This one must. */
73228c7e 477 KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y');
0fd37925 478
96fe805f
AP		 479 kfree(ptr);
480}
481
73228c7e 482static void kasan_stack_oob(struct kunit *test)
eae08dca 483{
73228c7e
PA		 484 char stack_array[10];
485 volatile int i = OOB_TAG_OFF;
486 char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
eae08dca 487
da17e377 488 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
eae08dca 489
73228c7e 490 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
eae08dca
AR		 491}
492
73228c7e 493static void kasan_alloca_oob_left(struct kunit *test)
00a14294
PL		 494{
495 volatile int i = 10;
496 char alloca_array[i];
497 char *p = alloca_array - 1;
498
58b999d7 499 /* Only generic mode instruments dynamic allocas. */
da17e377
AK		 500 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
501 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
73228c7e
PA		 502
503 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
00a14294
PL		 504}
505
73228c7e 506static void kasan_alloca_oob_right(struct kunit *test)
00a14294
PL		 507{
508 volatile int i = 10;
509 char alloca_array[i];
510 char *p = alloca_array + i;
511
58b999d7 512 /* Only generic mode instruments dynamic allocas. */
da17e377
AK		 513 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
514 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
73228c7e
PA		 515
516 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
00a14294
PL		 517}
518
73228c7e 519static void kmem_cache_double_free(struct kunit *test)
b1d57289
DV		 520{
521 char *p;
522 size_t size = 200;
523 struct kmem_cache *cache;
524
525 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
73228c7e
PA		 526 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
527
b1d57289
DV		 528 p = kmem_cache_alloc(cache, GFP_KERNEL);
529 if (!p) {
73228c7e 530 kunit_err(test, "Allocation failed: %s\n", __func__);
b1d57289
DV		 531 kmem_cache_destroy(cache);
532 return;
533 }
534
535 kmem_cache_free(cache, p);
73228c7e 536 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p));
b1d57289
DV		 537 kmem_cache_destroy(cache);
538}
539
73228c7e 540static void kmem_cache_invalid_free(struct kunit *test)
b1d57289
DV		 541{
542 char *p;
543 size_t size = 200;
544 struct kmem_cache *cache;
545
546 cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
547 NULL);
73228c7e
PA		 548 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
549
b1d57289
DV		 550 p = kmem_cache_alloc(cache, GFP_KERNEL);
551 if (!p) {
73228c7e 552 kunit_err(test, "Allocation failed: %s\n", __func__);
b1d57289
DV		 553 kmem_cache_destroy(cache);
554 return;
555 }
556
0fd37925 557 /* Trigger invalid free, the object doesn't get freed. */
73228c7e 558 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
91c93ed0
AK		 559
560 /*
561 * Properly free the object to prevent the "Objects remaining in
562 * test_cache on __kmem_cache_shutdown" BUG failure.
563 */
564 kmem_cache_free(cache, p);
565
b1d57289
DV		 566 kmem_cache_destroy(cache);
567}
568
73228c7e 569static void kasan_memchr(struct kunit *test)
0c96350a
AR		 570{
571 char *ptr;
572 size_t size = 24;
573
0fd37925
AK		 574 /*
575 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
576 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
577 */
da17e377 578 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
73228c7e 579
58b999d7
AK		 580 if (OOB_TAG_OFF)
581 size = round_up(size, OOB_TAG_OFF);
582
73228c7e
PA		 583 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
584 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
585
586 KUNIT_EXPECT_KASAN_FAIL(test,
587 kasan_ptr_result = memchr(ptr, '1', size + 1));
0c96350a 588
0c96350a
AR		 589 kfree(ptr);
590}
591
73228c7e 592static void kasan_memcmp(struct kunit *test)
0c96350a
AR		 593{
594 char *ptr;
595 size_t size = 24;
596 int arr[9];
597
0fd37925
AK		 598 /*
599 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
600 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
601 */
da17e377 602 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
0c96350a 603
58b999d7
AK		 604 if (OOB_TAG_OFF)
605 size = round_up(size, OOB_TAG_OFF);
606
73228c7e
PA		 607 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
608 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
0c96350a 609 memset(arr, 0, sizeof(arr));
73228c7e
PA		 610
611 KUNIT_EXPECT_KASAN_FAIL(test,
612 kasan_int_result = memcmp(ptr, arr, size+1));
0c96350a
AR		 613 kfree(ptr);
614}
615
73228c7e 616static void kasan_strings(struct kunit *test)
0c96350a
AR		 617{
618 char *ptr;
619 size_t size = 24;
620
0fd37925
AK		 621 /*
622 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
623 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
624 */
da17e377 625 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
73228c7e
PA		 626
627 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
628 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
0c96350a
AR		 629
630 kfree(ptr);
631
632 /*
633 * Try to cause only 1 invalid access (less spam in dmesg).
634 * For that we need ptr to point to zeroed byte.
635 * Skip metadata that could be stored in freed object so ptr
636 * will likely point to zeroed byte.
637 */
638 ptr += 16;
73228c7e 639 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strchr(ptr, '1'));
0c96350a 640
73228c7e 641 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strrchr(ptr, '1'));
0c96350a 642
73228c7e 643 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strcmp(ptr, "2"));
0c96350a 644
73228c7e 645 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1));
0c96350a 646
73228c7e 647 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr));
0c96350a 648
73228c7e 649 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1));
0c96350a
AR		 650}
651
58b999d7
AK		 652static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
653{
654 KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr));
655 KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr));
656 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr));
657 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr));
658 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr));
659 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr));
660 KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr));
661 KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr));
662}
663
664static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr)
665{
666 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr));
667 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr));
668 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr));
669 KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr));
670 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr));
671 KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr));
672 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr));
673 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = test_bit(nr, addr));
674
675#if defined(clear_bit_unlock_is_negative_byte)
676 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result =
677 clear_bit_unlock_is_negative_byte(nr, addr));
678#endif
679}
680
681static void kasan_bitops_generic(struct kunit *test)
19a33ca6 682{
58b999d7
AK		 683 long *bits;
684
685 /* This test is specifically crafted for the generic mode. */
da17e377 686 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
58b999d7 687
19a33ca6 688 /*
0fd37925 689 * Allocate 1 more byte, which causes kzalloc to round up to 16 bytes;
19a33ca6
ME		 690 * this way we do not actually corrupt other memory.
691 */
58b999d7 692 bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
73228c7e 693 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
19a33ca6
ME		 694
695 /*
696 * Below calls try to access bit within allocated memory; however, the
697 * below accesses are still out-of-bounds, since bitops are defined to
698 * operate on the whole long the bit is in.
699 */
58b999d7 700 kasan_bitops_modify(test, BITS_PER_LONG, bits);
19a33ca6
ME		 701
702 /*
703 * Below calls try to access bit beyond allocated memory.
704 */
58b999d7 705 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits);
19a33ca6 706
58b999d7
AK		 707 kfree(bits);
708}
19a33ca6 709
58b999d7
AK		 710static void kasan_bitops_tags(struct kunit *test)
711{
712 long *bits;
19a33ca6 713
da17e377
AK		 714 /* This test is specifically crafted for tag-based modes. */
715 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
19a33ca6 716
58b999d7
AK		 717 /* Allocation size will be rounded to up granule size, which is 16. */
718 bits = kzalloc(sizeof(*bits), GFP_KERNEL);
719 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
19a33ca6 720
58b999d7
AK		 721 /* Do the accesses past the 16 allocated bytes. */
722 kasan_bitops_modify(test, BITS_PER_LONG, &bits[1]);
723 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, &bits[1]);
19a33ca6 724
19a33ca6
ME		 725 kfree(bits);
726}
727
73228c7e 728static void kmalloc_double_kzfree(struct kunit *test)
bb104ed7
ME		 729{
730 char *ptr;
731 size_t size = 16;
732
bb104ed7 733 ptr = kmalloc(size, GFP_KERNEL);
73228c7e 734 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
bb104ed7 735
453431a5 736 kfree_sensitive(ptr);
73228c7e 737 KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
bb104ed7
ME		 738}
739
73228c7e 740static void vmalloc_oob(struct kunit *test)
06513916
DA		 741{
742 void *area;
743
da17e377 744 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
06513916
DA		 745
746 /*
747 * We have to be careful not to hit the guard page.
748 * The MMU will catch that and crash us.
749 */
750 area = vmalloc(3000);
73228c7e 751 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
06513916 752
73228c7e 753 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]);
06513916
DA		 754 vfree(area);
755}
387d6e46 756
73228c7e
PA		 757static struct kunit_case kasan_kunit_test_cases[] = {
758 KUNIT_CASE(kmalloc_oob_right),
759 KUNIT_CASE(kmalloc_oob_left),
760 KUNIT_CASE(kmalloc_node_oob_right),
761 KUNIT_CASE(kmalloc_pagealloc_oob_right),
762 KUNIT_CASE(kmalloc_pagealloc_uaf),
763 KUNIT_CASE(kmalloc_pagealloc_invalid_free),
764 KUNIT_CASE(kmalloc_large_oob_right),
765 KUNIT_CASE(kmalloc_oob_krealloc_more),
766 KUNIT_CASE(kmalloc_oob_krealloc_less),
767 KUNIT_CASE(kmalloc_oob_16),
58b999d7 768 KUNIT_CASE(kmalloc_uaf_16),
73228c7e
PA		 769 KUNIT_CASE(kmalloc_oob_in_memset),
770 KUNIT_CASE(kmalloc_oob_memset_2),
771 KUNIT_CASE(kmalloc_oob_memset_4),
772 KUNIT_CASE(kmalloc_oob_memset_8),
773 KUNIT_CASE(kmalloc_oob_memset_16),
774 KUNIT_CASE(kmalloc_memmove_invalid_size),
775 KUNIT_CASE(kmalloc_uaf),
776 KUNIT_CASE(kmalloc_uaf_memset),
777 KUNIT_CASE(kmalloc_uaf2),
778 KUNIT_CASE(kfree_via_page),
779 KUNIT_CASE(kfree_via_phys),
780 KUNIT_CASE(kmem_cache_oob),
781 KUNIT_CASE(memcg_accounted_kmem_cache),
782 KUNIT_CASE(kasan_global_oob),
783 KUNIT_CASE(kasan_stack_oob),
784 KUNIT_CASE(kasan_alloca_oob_left),
785 KUNIT_CASE(kasan_alloca_oob_right),
786 KUNIT_CASE(ksize_unpoisons_memory),
787 KUNIT_CASE(kmem_cache_double_free),
788 KUNIT_CASE(kmem_cache_invalid_free),
789 KUNIT_CASE(kasan_memchr),
790 KUNIT_CASE(kasan_memcmp),
791 KUNIT_CASE(kasan_strings),
58b999d7
AK		 792 KUNIT_CASE(kasan_bitops_generic),
793 KUNIT_CASE(kasan_bitops_tags),
73228c7e
PA		 794 KUNIT_CASE(kmalloc_double_kzfree),
795 KUNIT_CASE(vmalloc_oob),
796 {}
797};
798
799static struct kunit_suite kasan_kunit_test_suite = {
800 .name = "kasan",
801 .init = kasan_test_init,
802 .test_cases = kasan_kunit_test_cases,
803 .exit = kasan_test_exit,
804};
805
806kunit_test_suite(kasan_kunit_test_suite);
3f15801c 807
3f15801c 808MODULE_LICENSE("GPL");
Linux 6.x block layer and io_uring tree(s)