1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 *
4 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
6 */
7
8 #define pr_fmt(fmt) "kasan: test: " fmt
9
10 #include <kunit/test.h>
11 #include <linux/bitops.h>
12 #include <linux/delay.h>
13 #include <linux/io.h>
14 #include <linux/kasan.h>
15 #include <linux/kernel.h>
16 #include <linux/mempool.h>
17 #include <linux/mm.h>
18 #include <linux/mman.h>
19 #include <linux/module.h>
20 #include <linux/printk.h>
21 #include <linux/random.h>
22 #include <linux/set_memory.h>
23 #include <linux/slab.h>
24 #include <linux/string.h>
25 #include <linux/tracepoint.h>
26 #include <linux/uaccess.h>
27 #include <linux/vmalloc.h>
28 #include <trace/events/printk.h>
29
30 #include <asm/page.h>
31
32 #include "kasan.h"
33
34 #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
35
36 static bool multishot;
37
38 /* Fields set based on lines observed in the console. */
39 static struct {
40 bool report_found;
41 bool async_fault;
42 } test_status;
43
44 /*
45 * Some tests use these global variables to store return values from function
46 * calls that could otherwise be eliminated by the compiler as dead code.
47 */
48 void *kasan_ptr_result;
49 int kasan_int_result;
50
51 /* Probe for console output: obtains test_status lines of interest. */
52 static void probe_console(void *ignore, const char *buf, size_t len)
53 {
54 if (strnstr(buf, "BUG: KASAN: ", len))
55 WRITE_ONCE(test_status.report_found, true);
56 else if (strnstr(buf, "Asynchronous fault: ", len))
57 WRITE_ONCE(test_status.async_fault, true);
58 }
59
60 static int kasan_suite_init(struct kunit_suite *suite)
61 {
62 if (!kasan_enabled()) {
63 pr_err("Can't run KASAN tests with KASAN disabled");
64 return -1;
65 }
66
67 /* Stop failing KUnit tests on KASAN reports. */
68 kasan_kunit_test_suite_start();
69
70 /*
71 * Temporarily enable multi-shot mode. Otherwise, KASAN would only
72 * report the first detected bug and panic the kernel if panic_on_warn
73 * is enabled.
74 */
75 multishot = kasan_save_enable_multi_shot();
76
77 register_trace_console(probe_console, NULL);
78 return 0;
79 }
80
81 static void kasan_suite_exit(struct kunit_suite *suite)
82 {
83 kasan_kunit_test_suite_end();
84 kasan_restore_multi_shot(multishot);
85 unregister_trace_console(probe_console, NULL);
86 tracepoint_synchronize_unregister();
87 }
88
89 static void kasan_test_exit(struct kunit *test)
90 {
91 KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found));
92 }
93
94 /**
95 * KUNIT_EXPECT_KASAN_FAIL - check that the executed expression produces a
96 * KASAN report; causes a KUnit test failure otherwise.
97 *
98 * @test: Currently executing KUnit test.
99 * @expression: Expression that must produce a KASAN report.
100 *
101 * For hardware tag-based KASAN, when a synchronous tag fault happens, tag
102 * checking is auto-disabled. When this happens, this test handler reenables
103 * tag checking. As tag checking can be only disabled or enabled per CPU,
104 * this handler disables migration (preemption).
105 *
106 * Since the compiler doesn't see that the expression can change the test_status
107 * fields, it can reorder or optimize away the accesses to those fields.
108 * Use READ/WRITE_ONCE() for the accesses and compiler barriers around the
109 * expression to prevent that.
110 *
111 * In between KUNIT_EXPECT_KASAN_FAIL checks, test_status.report_found is kept
112 * as false. This allows detecting KASAN reports that happen outside of the
113 * checks by asserting !test_status.report_found at the start of
114 * KUNIT_EXPECT_KASAN_FAIL and in kasan_test_exit.
115 */
116 #define KUNIT_EXPECT_KASAN_FAIL(test, expression) do { \
117 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) && \
118 kasan_sync_fault_possible()) \
119 migrate_disable(); \
120 KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found)); \
121 barrier(); \
122 expression; \
123 barrier(); \
124 if (kasan_async_fault_possible()) \
125 kasan_force_async_fault(); \
126 if (!READ_ONCE(test_status.report_found)) { \
127 KUNIT_FAIL(test, KUNIT_SUBTEST_INDENT "KASAN failure " \
128 "expected in \"" #expression \
129 "\", but none occurred"); \
130 } \
131 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) && \
132 kasan_sync_fault_possible()) { \
133 if (READ_ONCE(test_status.report_found) && \
134 !READ_ONCE(test_status.async_fault)) \
135 kasan_enable_hw_tags(); \
136 migrate_enable(); \
137 } \
138 WRITE_ONCE(test_status.report_found, false); \
139 WRITE_ONCE(test_status.async_fault, false); \
140 } while (0)
141
142 #define KASAN_TEST_NEEDS_CONFIG_ON(test, config) do { \
143 if (!IS_ENABLED(config)) \
144 kunit_skip((test), "Test requires " #config "=y"); \
145 } while (0)
146
147 #define KASAN_TEST_NEEDS_CONFIG_OFF(test, config) do { \
148 if (IS_ENABLED(config)) \
149 kunit_skip((test), "Test requires " #config "=n"); \
150 } while (0)
151
152 #define KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test) do { \
153 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS)) \
154 break; /* No compiler instrumentation. */ \
155 if (IS_ENABLED(CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX)) \
156 break; /* Should always be instrumented! */ \
157 if (IS_ENABLED(CONFIG_GENERIC_ENTRY)) \
158 kunit_skip((test), "Test requires checked mem*()"); \
159 } while (0)
160
161 static void kmalloc_oob_right(struct kunit *test)
162 {
163 char *ptr;
164 size_t size = 128 - KASAN_GRANULE_SIZE - 5;
165
166 ptr = kmalloc(size, GFP_KERNEL);
167 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
168
169 OPTIMIZER_HIDE_VAR(ptr);
170 /*
171 * An unaligned access past the requested kmalloc size.
172 * Only generic KASAN can precisely detect these.
173 */
174 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
175 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x');
176
177 /*
178 * An aligned access into the first out-of-bounds granule that falls
179 * within the aligned kmalloc object.
180 */
181 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + 5] = 'y');
182
183 /* Out-of-bounds access past the aligned kmalloc object. */
184 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] =
185 ptr[size + KASAN_GRANULE_SIZE + 5]);
186
187 kfree(ptr);
188 }
189
190 static void kmalloc_oob_left(struct kunit *test)
191 {
192 char *ptr;
193 size_t size = 15;
194
195 ptr = kmalloc(size, GFP_KERNEL);
196 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
197
198 OPTIMIZER_HIDE_VAR(ptr);
199 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1));
200 kfree(ptr);
201 }
202
203 static void kmalloc_node_oob_right(struct kunit *test)
204 {
205 char *ptr;
206 size_t size = 4096;
207
208 ptr = kmalloc_node(size, GFP_KERNEL, 0);
209 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
210
211 OPTIMIZER_HIDE_VAR(ptr);
212 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]);
213 kfree(ptr);
214 }
215
216 /*
217 * Check that KASAN detects an out-of-bounds access for a big object allocated
218 * via kmalloc(). But not as big as to trigger the page_alloc fallback.
219 */
220 static void kmalloc_big_oob_right(struct kunit *test)
221 {
222 char *ptr;
223 size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
224
225 ptr = kmalloc(size, GFP_KERNEL);
226 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
227
228 OPTIMIZER_HIDE_VAR(ptr);
229 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
230 kfree(ptr);
231 }
232
233 /*
234 * The kmalloc_large_* tests below use kmalloc() to allocate a memory chunk
235 * that does not fit into the largest slab cache and therefore is allocated via
236 * the page_alloc fallback.
237 */
238
239 static void kmalloc_large_oob_right(struct kunit *test)
240 {
241 char *ptr;
242 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
243
244 ptr = kmalloc(size, GFP_KERNEL);
245 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
246
247 OPTIMIZER_HIDE_VAR(ptr);
248 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0);
249
250 kfree(ptr);
251 }
252
253 static void kmalloc_large_uaf(struct kunit *test)
254 {
255 char *ptr;
256 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
257
258 ptr = kmalloc(size, GFP_KERNEL);
259 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
260 kfree(ptr);
261
262 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
263 }
264
265 static void kmalloc_large_invalid_free(struct kunit *test)
266 {
267 char *ptr;
268 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
269
270 ptr = kmalloc(size, GFP_KERNEL);
271 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
272
273 KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
274 }
275
276 static void page_alloc_oob_right(struct kunit *test)
277 {
278 char *ptr;
279 struct page *pages;
280 size_t order = 4;
281 size_t size = (1UL << (PAGE_SHIFT + order));
282
283 /*
284 * With generic KASAN page allocations have no redzones, thus
285 * out-of-bounds detection is not guaranteed.
286 * See https://bugzilla.kernel.org/show_bug.cgi?id=210503.
287 */
288 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
289
290 pages = alloc_pages(GFP_KERNEL, order);
291 ptr = page_address(pages);
292 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
293
294 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]);
295 free_pages((unsigned long)ptr, order);
296 }
297
298 static void page_alloc_uaf(struct kunit *test)
299 {
300 char *ptr;
301 struct page *pages;
302 size_t order = 4;
303
304 pages = alloc_pages(GFP_KERNEL, order);
305 ptr = page_address(pages);
306 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
307 free_pages((unsigned long)ptr, order);
308
309 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
310 }
311
312 static void krealloc_more_oob_helper(struct kunit *test,
313 size_t size1, size_t size2)
314 {
315 char *ptr1, *ptr2;
316 size_t middle;
317
318 KUNIT_ASSERT_LT(test, size1, size2);
319 middle = size1 + (size2 - size1) / 2;
320
321 ptr1 = kmalloc(size1, GFP_KERNEL);
322 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
323
324 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
325 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
326
327 /* Suppress -Warray-bounds warnings. */
328 OPTIMIZER_HIDE_VAR(ptr2);
329
330 /* All offsets up to size2 must be accessible. */
331 ptr2[size1 - 1] = 'x';
332 ptr2[size1] = 'x';
333 ptr2[middle] = 'x';
334 ptr2[size2 - 1] = 'x';
335
336 /* Generic mode is precise, so unaligned size2 must be inaccessible. */
337 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
338 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');
339
340 /* For all modes first aligned offset after size2 must be inaccessible. */
341 KUNIT_EXPECT_KASAN_FAIL(test,
342 ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');
343
344 kfree(ptr2);
345 }
346
347 static void krealloc_less_oob_helper(struct kunit *test,
348 size_t size1, size_t size2)
349 {
350 char *ptr1, *ptr2;
351 size_t middle;
352
353 KUNIT_ASSERT_LT(test, size2, size1);
354 middle = size2 + (size1 - size2) / 2;
355
356 ptr1 = kmalloc(size1, GFP_KERNEL);
357 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
358
359 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
360 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
361
362 /* Suppress -Warray-bounds warnings. */
363 OPTIMIZER_HIDE_VAR(ptr2);
364
365 /* Must be accessible for all modes. */
366 ptr2[size2 - 1] = 'x';
367
368 /* Generic mode is precise, so unaligned size2 must be inaccessible. */
369 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
370 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');
371
372 /* For all modes first aligned offset after size2 must be inaccessible. */
373 KUNIT_EXPECT_KASAN_FAIL(test,
374 ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');
375
376 /*
377 * For all modes all size2, middle, and size1 should land in separate
378 * granules and thus the latter two offsets should be inaccessible.
379 */
380 KUNIT_EXPECT_LE(test, round_up(size2, KASAN_GRANULE_SIZE),
381 round_down(middle, KASAN_GRANULE_SIZE));
382 KUNIT_EXPECT_LE(test, round_up(middle, KASAN_GRANULE_SIZE),
383 round_down(size1, KASAN_GRANULE_SIZE));
384 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[middle] = 'x');
385 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1 - 1] = 'x');
386 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1] = 'x');
387
388 kfree(ptr2);
389 }
390
391 static void krealloc_more_oob(struct kunit *test)
392 {
393 krealloc_more_oob_helper(test, 201, 235);
394 }
395
396 static void krealloc_less_oob(struct kunit *test)
397 {
398 krealloc_less_oob_helper(test, 235, 201);
399 }
400
401 static void krealloc_large_more_oob(struct kunit *test)
402 {
403 krealloc_more_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 201,
404 KMALLOC_MAX_CACHE_SIZE + 235);
405 }
406
407 static void krealloc_large_less_oob(struct kunit *test)
408 {
409 krealloc_less_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 235,
410 KMALLOC_MAX_CACHE_SIZE + 201);
411 }
412
413 /*
414 * Check that krealloc() detects a use-after-free, returns NULL,
415 * and doesn't unpoison the freed object.
416 */
417 static void krealloc_uaf(struct kunit *test)
418 {
419 char *ptr1, *ptr2;
420 int size1 = 201;
421 int size2 = 235;
422
423 ptr1 = kmalloc(size1, GFP_KERNEL);
424 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
425 kfree(ptr1);
426
427 KUNIT_EXPECT_KASAN_FAIL(test, ptr2 = krealloc(ptr1, size2, GFP_KERNEL));
428 KUNIT_ASSERT_NULL(test, ptr2);
429 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)ptr1);
430 }
431
432 static void kmalloc_oob_16(struct kunit *test)
433 {
434 struct {
435 u64 words[2];
436 } *ptr1, *ptr2;
437
438 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
439
440 /* This test is specifically crafted for the generic mode. */
441 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
442
443 /* RELOC_HIDE to prevent gcc from warning about short alloc */
444 ptr1 = RELOC_HIDE(kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL), 0);
445 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
446
447 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
448 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
449
450 OPTIMIZER_HIDE_VAR(ptr1);
451 OPTIMIZER_HIDE_VAR(ptr2);
452 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
453 kfree(ptr1);
454 kfree(ptr2);
455 }
456
457 static void kmalloc_uaf_16(struct kunit *test)
458 {
459 struct {
460 u64 words[2];
461 } *ptr1, *ptr2;
462
463 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
464
465 ptr1 = kmalloc(sizeof(*ptr1), GFP_KERNEL);
466 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
467
468 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
469 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
470 kfree(ptr2);
471
472 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
473 kfree(ptr1);
474 }
475
476 /*
477 * Note: in the memset tests below, the written range touches both valid and
478 * invalid memory. This makes sure that the instrumentation does not only check
479 * the starting address but the whole range.
480 */
481
482 static void kmalloc_oob_memset_2(struct kunit *test)
483 {
484 char *ptr;
485 size_t size = 128 - KASAN_GRANULE_SIZE;
486 size_t memset_size = 2;
487
488 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
489
490 ptr = kmalloc(size, GFP_KERNEL);
491 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
492
493 OPTIMIZER_HIDE_VAR(ptr);
494 OPTIMIZER_HIDE_VAR(size);
495 OPTIMIZER_HIDE_VAR(memset_size);
496 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 1, 0, memset_size));
497 kfree(ptr);
498 }
499
500 static void kmalloc_oob_memset_4(struct kunit *test)
501 {
502 char *ptr;
503 size_t size = 128 - KASAN_GRANULE_SIZE;
504 size_t memset_size = 4;
505
506 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
507
508 ptr = kmalloc(size, GFP_KERNEL);
509 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
510
511 OPTIMIZER_HIDE_VAR(ptr);
512 OPTIMIZER_HIDE_VAR(size);
513 OPTIMIZER_HIDE_VAR(memset_size);
514 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 3, 0, memset_size));
515 kfree(ptr);
516 }
517
518 static void kmalloc_oob_memset_8(struct kunit *test)
519 {
520 char *ptr;
521 size_t size = 128 - KASAN_GRANULE_SIZE;
522 size_t memset_size = 8;
523
524 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
525
526 ptr = kmalloc(size, GFP_KERNEL);
527 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
528
529 OPTIMIZER_HIDE_VAR(ptr);
530 OPTIMIZER_HIDE_VAR(size);
531 OPTIMIZER_HIDE_VAR(memset_size);
532 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 7, 0, memset_size));
533 kfree(ptr);
534 }
535
536 static void kmalloc_oob_memset_16(struct kunit *test)
537 {
538 char *ptr;
539 size_t size = 128 - KASAN_GRANULE_SIZE;
540 size_t memset_size = 16;
541
542 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
543
544 ptr = kmalloc(size, GFP_KERNEL);
545 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
546
547 OPTIMIZER_HIDE_VAR(ptr);
548 OPTIMIZER_HIDE_VAR(size);
549 OPTIMIZER_HIDE_VAR(memset_size);
550 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 15, 0, memset_size));
551 kfree(ptr);
552 }
553
554 static void kmalloc_oob_in_memset(struct kunit *test)
555 {
556 char *ptr;
557 size_t size = 128 - KASAN_GRANULE_SIZE;
558
559 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
560
561 ptr = kmalloc(size, GFP_KERNEL);
562 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
563
564 OPTIMIZER_HIDE_VAR(ptr);
565 OPTIMIZER_HIDE_VAR(size);
566 KUNIT_EXPECT_KASAN_FAIL(test,
567 memset(ptr, 0, size + KASAN_GRANULE_SIZE));
568 kfree(ptr);
569 }
570
571 static void kmalloc_memmove_negative_size(struct kunit *test)
572 {
573 char *ptr;
574 size_t size = 64;
575 size_t invalid_size = -2;
576
577 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
578
579 /*
580 * Hardware tag-based mode doesn't check memmove for negative size.
581 * As a result, this test introduces a side-effect memory corruption,
582 * which can result in a crash.
583 */
584 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS);
585
586 ptr = kmalloc(size, GFP_KERNEL);
587 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
588
589 memset((char *)ptr, 0, 64);
590 OPTIMIZER_HIDE_VAR(ptr);
591 OPTIMIZER_HIDE_VAR(invalid_size);
592 KUNIT_EXPECT_KASAN_FAIL(test,
593 memmove((char *)ptr, (char *)ptr + 4, invalid_size));
594 kfree(ptr);
595 }
596
597 static void kmalloc_memmove_invalid_size(struct kunit *test)
598 {
599 char *ptr;
600 size_t size = 64;
601 size_t invalid_size = size;
602
603 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
604
605 ptr = kmalloc(size, GFP_KERNEL);
606 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
607
608 memset((char *)ptr, 0, 64);
609 OPTIMIZER_HIDE_VAR(ptr);
610 OPTIMIZER_HIDE_VAR(invalid_size);
611 KUNIT_EXPECT_KASAN_FAIL(test,
612 memmove((char *)ptr, (char *)ptr + 4, invalid_size));
613 kfree(ptr);
614 }
615
616 static void kmalloc_uaf(struct kunit *test)
617 {
618 char *ptr;
619 size_t size = 10;
620
621 ptr = kmalloc(size, GFP_KERNEL);
622 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
623
624 kfree(ptr);
625 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[8]);
626 }
627
628 static void kmalloc_uaf_memset(struct kunit *test)
629 {
630 char *ptr;
631 size_t size = 33;
632
633 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
634
635 /*
636 * Only generic KASAN uses quarantine, which is required to avoid a
637 * kernel memory corruption this test causes.
638 */
639 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
640
641 ptr = kmalloc(size, GFP_KERNEL);
642 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
643
644 kfree(ptr);
645 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
646 }
647
648 static void kmalloc_uaf2(struct kunit *test)
649 {
650 char *ptr1, *ptr2;
651 size_t size = 43;
652 int counter = 0;
653
654 again:
655 ptr1 = kmalloc(size, GFP_KERNEL);
656 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
657
658 kfree(ptr1);
659
660 ptr2 = kmalloc(size, GFP_KERNEL);
661 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
662
663 /*
664 * For tag-based KASAN ptr1 and ptr2 tags might happen to be the same.
665 * Allow up to 16 attempts at generating different tags.
666 */
667 if (!IS_ENABLED(CONFIG_KASAN_GENERIC) && ptr1 == ptr2 && counter++ < 16) {
668 kfree(ptr2);
669 goto again;
670 }
671
672 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[40]);
673 KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
674
675 kfree(ptr2);
676 }
677
678 /*
679 * Check that KASAN detects use-after-free when another object was allocated in
680 * the same slot. Relevant for the tag-based modes, which do not use quarantine.
681 */
682 static void kmalloc_uaf3(struct kunit *test)
683 {
684 char *ptr1, *ptr2;
685 size_t size = 100;
686
687 /* This test is specifically crafted for tag-based modes. */
688 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
689
690 ptr1 = kmalloc(size, GFP_KERNEL);
691 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
692 kfree(ptr1);
693
694 ptr2 = kmalloc(size, GFP_KERNEL);
695 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
696 kfree(ptr2);
697
698 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[8]);
699 }
700
701 static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
702 {
703 int *i_unsafe = unsafe;
704
705 KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe));
706 KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
707 KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe));
708 KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));
709
710 KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe));
711 KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
712 KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
713 KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
714 KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
715 KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
716 KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
717 KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
718 KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
719 KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
720 KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
721 KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
722 KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
723 KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
724 KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
725 KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
726 KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
727 KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
728 KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
729 KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
730 KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
731 KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
732 KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
733
734 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe));
735 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
736 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
737 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
738 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
739 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
740 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
741 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
742 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
743 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
744 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
745 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
746 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
747 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
748 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
749 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
750 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
751 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
752 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
753 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
754 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
755 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
756 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
757 }
758
759 static void kasan_atomics(struct kunit *test)
760 {
761 void *a1, *a2;
762
763 /*
764 * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
765 * that the following 16 bytes will make up the redzone.
766 */
767 a1 = kzalloc(48, GFP_KERNEL);
768 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
769 a2 = kzalloc(sizeof(atomic_long_t), GFP_KERNEL);
770 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a2);
771
772 /* Use atomics to access the redzone. */
773 kasan_atomics_helper(test, a1 + 48, a2);
774
775 kfree(a1);
776 kfree(a2);
777 }
778
779 static void kmalloc_double_kzfree(struct kunit *test)
780 {
781 char *ptr;
782 size_t size = 16;
783
784 ptr = kmalloc(size, GFP_KERNEL);
785 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
786
787 kfree_sensitive(ptr);
788 KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
789 }
790
791 /* Check that ksize() does NOT unpoison whole object. */
792 static void ksize_unpoisons_memory(struct kunit *test)
793 {
794 char *ptr;
795 size_t size = 128 - KASAN_GRANULE_SIZE - 5;
796 size_t real_size;
797
798 ptr = kmalloc(size, GFP_KERNEL);
799 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
800
801 real_size = ksize(ptr);
802 KUNIT_EXPECT_GT(test, real_size, size);
803
804 OPTIMIZER_HIDE_VAR(ptr);
805
806 /* These accesses shouldn't trigger a KASAN report. */
807 ptr[0] = 'x';
808 ptr[size - 1] = 'x';
809
810 /* These must trigger a KASAN report. */
811 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
812 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]);
813 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size + 5]);
814 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size - 1]);
815
816 kfree(ptr);
817 }
818
819 /*
820 * Check that a use-after-free is detected by ksize() and via normal accesses
821 * after it.
822 */
823 static void ksize_uaf(struct kunit *test)
824 {
825 char *ptr;
826 int size = 128 - KASAN_GRANULE_SIZE;
827
828 ptr = kmalloc(size, GFP_KERNEL);
829 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
830 kfree(ptr);
831
832 OPTIMIZER_HIDE_VAR(ptr);
833 KUNIT_EXPECT_KASAN_FAIL(test, ksize(ptr));
834 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
835 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]);
836 }
837
838 /*
839 * The two tests below check that Generic KASAN prints auxiliary stack traces
840 * for RCU callbacks and workqueues. The reports need to be inspected manually.
841 *
842 * These tests are still enabled for other KASAN modes to make sure that all
843 * modes report bad accesses in tested scenarios.
844 */
845
846 static struct kasan_rcu_info {
847 int i;
848 struct rcu_head rcu;
849 } *global_rcu_ptr;
850
851 static void rcu_uaf_reclaim(struct rcu_head *rp)
852 {
853 struct kasan_rcu_info *fp =
854 container_of(rp, struct kasan_rcu_info, rcu);
855
856 kfree(fp);
857 ((volatile struct kasan_rcu_info *)fp)->i;
858 }
859
860 static void rcu_uaf(struct kunit *test)
861 {
862 struct kasan_rcu_info *ptr;
863
864 ptr = kmalloc(sizeof(struct kasan_rcu_info), GFP_KERNEL);
865 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
866
867 global_rcu_ptr = rcu_dereference_protected(
868 (struct kasan_rcu_info __rcu *)ptr, NULL);
869
870 KUNIT_EXPECT_KASAN_FAIL(test,
871 call_rcu(&global_rcu_ptr->rcu, rcu_uaf_reclaim);
872 rcu_barrier());
873 }
874
875 static void workqueue_uaf_work(struct work_struct *work)
876 {
877 kfree(work);
878 }
879
880 static void workqueue_uaf(struct kunit *test)
881 {
882 struct workqueue_struct *workqueue;
883 struct work_struct *work;
884
885 workqueue = create_workqueue("kasan_workqueue_test");
886 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, workqueue);
887
888 work = kmalloc(sizeof(struct work_struct), GFP_KERNEL);
889 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, work);
890
891 INIT_WORK(work, workqueue_uaf_work);
892 queue_work(workqueue, work);
893 destroy_workqueue(workqueue);
894
895 KUNIT_EXPECT_KASAN_FAIL(test,
896 ((volatile struct work_struct *)work)->data);
897 }
898
899 static void kfree_via_page(struct kunit *test)
900 {
901 char *ptr;
902 size_t size = 8;
903 struct page *page;
904 unsigned long offset;
905
906 ptr = kmalloc(size, GFP_KERNEL);
907 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
908
909 page = virt_to_page(ptr);
910 offset = offset_in_page(ptr);
911 kfree(page_address(page) + offset);
912 }
913
914 static void kfree_via_phys(struct kunit *test)
915 {
916 char *ptr;
917 size_t size = 8;
918 phys_addr_t phys;
919
920 ptr = kmalloc(size, GFP_KERNEL);
921 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
922
923 phys = virt_to_phys(ptr);
924 kfree(phys_to_virt(phys));
925 }
926
927 static void kmem_cache_oob(struct kunit *test)
928 {
929 char *p;
930 size_t size = 200;
931 struct kmem_cache *cache;
932
933 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
934 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
935
936 p = kmem_cache_alloc(cache, GFP_KERNEL);
937 if (!p) {
938 kunit_err(test, "Allocation failed: %s\n", __func__);
939 kmem_cache_destroy(cache);
940 return;
941 }
942
943 KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size + OOB_TAG_OFF]);
944
945 kmem_cache_free(cache, p);
946 kmem_cache_destroy(cache);
947 }
948
949 static void kmem_cache_double_free(struct kunit *test)
950 {
951 char *p;
952 size_t size = 200;
953 struct kmem_cache *cache;
954
955 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
956 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
957
958 p = kmem_cache_alloc(cache, GFP_KERNEL);
959 if (!p) {
960 kunit_err(test, "Allocation failed: %s\n", __func__);
961 kmem_cache_destroy(cache);
962 return;
963 }
964
965 kmem_cache_free(cache, p);
966 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p));
967 kmem_cache_destroy(cache);
968 }
969
970 static void kmem_cache_invalid_free(struct kunit *test)
971 {
972 char *p;
973 size_t size = 200;
974 struct kmem_cache *cache;
975
976 cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
977 NULL);
978 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
979
980 p = kmem_cache_alloc(cache, GFP_KERNEL);
981 if (!p) {
982 kunit_err(test, "Allocation failed: %s\n", __func__);
983 kmem_cache_destroy(cache);
984 return;
985 }
986
987 /* Trigger invalid free, the object doesn't get freed. */
988 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
989
990 /*
991 * Properly free the object to prevent the "Objects remaining in
992 * test_cache on __kmem_cache_shutdown" BUG failure.
993 */
994 kmem_cache_free(cache, p);
995
996 kmem_cache_destroy(cache);
997 }
998
999 static void empty_cache_ctor(void *object) { }
1000
1001 static void kmem_cache_double_destroy(struct kunit *test)
1002 {
1003 struct kmem_cache *cache;
1004
1005 /* Provide a constructor to prevent cache merging. */
1006 cache = kmem_cache_create("test_cache", 200, 0, 0, empty_cache_ctor);
1007 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
1008 kmem_cache_destroy(cache);
1009 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_destroy(cache));
1010 }
1011
1012 static void kmem_cache_accounted(struct kunit *test)
1013 {
1014 int i;
1015 char *p;
1016 size_t size = 200;
1017 struct kmem_cache *cache;
1018
1019 cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
1020 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
1021
1022 /*
1023 * Several allocations with a delay to allow for lazy per memcg kmem
1024 * cache creation.
1025 */
1026 for (i = 0; i < 5; i++) {
1027 p = kmem_cache_alloc(cache, GFP_KERNEL);
1028 if (!p)
1029 goto free_cache;
1030
1031 kmem_cache_free(cache, p);
1032 msleep(100);
1033 }
1034
1035 free_cache:
1036 kmem_cache_destroy(cache);
1037 }
1038
1039 static void kmem_cache_bulk(struct kunit *test)
1040 {
1041 struct kmem_cache *cache;
1042 size_t size = 200;
1043 char *p[10];
1044 bool ret;
1045 int i;
1046
1047 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
1048 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
1049
1050 ret = kmem_cache_alloc_bulk(cache, GFP_KERNEL, ARRAY_SIZE(p), (void **)&p);
1051 if (!ret) {
1052 kunit_err(test, "Allocation failed: %s\n", __func__);
1053 kmem_cache_destroy(cache);
1054 return;
1055 }
1056
1057 for (i = 0; i < ARRAY_SIZE(p); i++)
1058 p[i][0] = p[i][size - 1] = 42;
1059
1060 kmem_cache_free_bulk(cache, ARRAY_SIZE(p), (void **)&p);
1061 kmem_cache_destroy(cache);
1062 }
1063
1064 static void *mempool_prepare_kmalloc(struct kunit *test, mempool_t *pool, size_t size)
1065 {
1066 int pool_size = 4;
1067 int ret;
1068 void *elem;
1069
1070 memset(pool, 0, sizeof(*pool));
1071 ret = mempool_init_kmalloc_pool(pool, pool_size, size);
1072 KUNIT_ASSERT_EQ(test, ret, 0);
1073
1074 /*
1075 * Allocate one element to prevent mempool from freeing elements to the
1076 * underlying allocator and instead make it add them to the element
1077 * list when the tests trigger double-free and invalid-free bugs.
1078 * This allows testing KASAN annotations in add_element().
1079 */
1080 elem = mempool_alloc_preallocated(pool);
1081 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1082
1083 return elem;
1084 }
1085
1086 static struct kmem_cache *mempool_prepare_slab(struct kunit *test, mempool_t *pool, size_t size)
1087 {
1088 struct kmem_cache *cache;
1089 int pool_size = 4;
1090 int ret;
1091
1092 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
1093 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
1094
1095 memset(pool, 0, sizeof(*pool));
1096 ret = mempool_init_slab_pool(pool, pool_size, cache);
1097 KUNIT_ASSERT_EQ(test, ret, 0);
1098
1099 /*
1100 * Do not allocate one preallocated element, as we skip the double-free
1101 * and invalid-free tests for slab mempool for simplicity.
1102 */
1103
1104 return cache;
1105 }
1106
1107 static void *mempool_prepare_page(struct kunit *test, mempool_t *pool, int order)
1108 {
1109 int pool_size = 4;
1110 int ret;
1111 void *elem;
1112
1113 memset(pool, 0, sizeof(*pool));
1114 ret = mempool_init_page_pool(pool, pool_size, order);
1115 KUNIT_ASSERT_EQ(test, ret, 0);
1116
1117 elem = mempool_alloc_preallocated(pool);
1118 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1119
1120 return elem;
1121 }
1122
1123 static void mempool_oob_right_helper(struct kunit *test, mempool_t *pool, size_t size)
1124 {
1125 char *elem;
1126
1127 elem = mempool_alloc_preallocated(pool);
1128 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1129
1130 OPTIMIZER_HIDE_VAR(elem);
1131
1132 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
1133 KUNIT_EXPECT_KASAN_FAIL(test,
1134 ((volatile char *)&elem[size])[0]);
1135 else
1136 KUNIT_EXPECT_KASAN_FAIL(test,
1137 ((volatile char *)&elem[round_up(size, KASAN_GRANULE_SIZE)])[0]);
1138
1139 mempool_free(elem, pool);
1140 }
1141
1142 static void mempool_kmalloc_oob_right(struct kunit *test)
1143 {
1144 mempool_t pool;
1145 size_t size = 128 - KASAN_GRANULE_SIZE - 5;
1146 void *extra_elem;
1147
1148 extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1149
1150 mempool_oob_right_helper(test, &pool, size);
1151
1152 mempool_free(extra_elem, &pool);
1153 mempool_exit(&pool);
1154 }
1155
1156 static void mempool_kmalloc_large_oob_right(struct kunit *test)
1157 {
1158 mempool_t pool;
1159 size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
1160 void *extra_elem;
1161
1162 extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1163
1164 mempool_oob_right_helper(test, &pool, size);
1165
1166 mempool_free(extra_elem, &pool);
1167 mempool_exit(&pool);
1168 }
1169
1170 static void mempool_slab_oob_right(struct kunit *test)
1171 {
1172 mempool_t pool;
1173 size_t size = 123;
1174 struct kmem_cache *cache;
1175
1176 cache = mempool_prepare_slab(test, &pool, size);
1177
1178 mempool_oob_right_helper(test, &pool, size);
1179
1180 mempool_exit(&pool);
1181 kmem_cache_destroy(cache);
1182 }
1183
1184 /*
1185 * Skip the out-of-bounds test for page mempool. With Generic KASAN, page
1186 * allocations have no redzones, and thus the out-of-bounds detection is not
1187 * guaranteed; see https://bugzilla.kernel.org/show_bug.cgi?id=210503. With
1188 * the tag-based KASAN modes, the neighboring allocation might have the same
1189 * tag; see https://bugzilla.kernel.org/show_bug.cgi?id=203505.
1190 */
1191
1192 static void mempool_uaf_helper(struct kunit *test, mempool_t *pool, bool page)
1193 {
1194 char *elem, *ptr;
1195
1196 elem = mempool_alloc_preallocated(pool);
1197 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1198
1199 mempool_free(elem, pool);
1200
1201 ptr = page ? page_address((struct page *)elem) : elem;
1202 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
1203 }
1204
1205 static void mempool_kmalloc_uaf(struct kunit *test)
1206 {
1207 mempool_t pool;
1208 size_t size = 128;
1209 void *extra_elem;
1210
1211 extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1212
1213 mempool_uaf_helper(test, &pool, false);
1214
1215 mempool_free(extra_elem, &pool);
1216 mempool_exit(&pool);
1217 }
1218
1219 static void mempool_kmalloc_large_uaf(struct kunit *test)
1220 {
1221 mempool_t pool;
1222 size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
1223 void *extra_elem;
1224
1225 extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1226
1227 mempool_uaf_helper(test, &pool, false);
1228
1229 mempool_free(extra_elem, &pool);
1230 mempool_exit(&pool);
1231 }
1232
1233 static void mempool_slab_uaf(struct kunit *test)
1234 {
1235 mempool_t pool;
1236 size_t size = 123;
1237 struct kmem_cache *cache;
1238
1239 cache = mempool_prepare_slab(test, &pool, size);
1240
1241 mempool_uaf_helper(test, &pool, false);
1242
1243 mempool_exit(&pool);
1244 kmem_cache_destroy(cache);
1245 }
1246
1247 static void mempool_page_alloc_uaf(struct kunit *test)
1248 {
1249 mempool_t pool;
1250 int order = 2;
1251 void *extra_elem;
1252
1253 extra_elem = mempool_prepare_page(test, &pool, order);
1254
1255 mempool_uaf_helper(test, &pool, true);
1256
1257 mempool_free(extra_elem, &pool);
1258 mempool_exit(&pool);
1259 }
1260
1261 static void mempool_double_free_helper(struct kunit *test, mempool_t *pool)
1262 {
1263 char *elem;
1264
1265 elem = mempool_alloc_preallocated(pool);
1266 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1267
1268 mempool_free(elem, pool);
1269
1270 KUNIT_EXPECT_KASAN_FAIL(test, mempool_free(elem, pool));
1271 }
1272
1273 static void mempool_kmalloc_double_free(struct kunit *test)
1274 {
1275 mempool_t pool;
1276 size_t size = 128;
1277 char *extra_elem;
1278
1279 extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1280
1281 mempool_double_free_helper(test, &pool);
1282
1283 mempool_free(extra_elem, &pool);
1284 mempool_exit(&pool);
1285 }
1286
1287 static void mempool_kmalloc_large_double_free(struct kunit *test)
1288 {
1289 mempool_t pool;
1290 size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
1291 char *extra_elem;
1292
1293 extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1294
1295 mempool_double_free_helper(test, &pool);
1296
1297 mempool_free(extra_elem, &pool);
1298 mempool_exit(&pool);
1299 }
1300
1301 static void mempool_page_alloc_double_free(struct kunit *test)
1302 {
1303 mempool_t pool;
1304 int order = 2;
1305 char *extra_elem;
1306
1307 extra_elem = mempool_prepare_page(test, &pool, order);
1308
1309 mempool_double_free_helper(test, &pool);
1310
1311 mempool_free(extra_elem, &pool);
1312 mempool_exit(&pool);
1313 }
1314
1315 static void mempool_kmalloc_invalid_free_helper(struct kunit *test, mempool_t *pool)
1316 {
1317 char *elem;
1318
1319 elem = mempool_alloc_preallocated(pool);
1320 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1321
1322 KUNIT_EXPECT_KASAN_FAIL(test, mempool_free(elem + 1, pool));
1323
1324 mempool_free(elem, pool);
1325 }
1326
1327 static void mempool_kmalloc_invalid_free(struct kunit *test)
1328 {
1329 mempool_t pool;
1330 size_t size = 128;
1331 char *extra_elem;
1332
1333 extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1334
1335 mempool_kmalloc_invalid_free_helper(test, &pool);
1336
1337 mempool_free(extra_elem, &pool);
1338 mempool_exit(&pool);
1339 }
1340
1341 static void mempool_kmalloc_large_invalid_free(struct kunit *test)
1342 {
1343 mempool_t pool;
1344 size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
1345 char *extra_elem;
1346
1347 extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1348
1349 mempool_kmalloc_invalid_free_helper(test, &pool);
1350
1351 mempool_free(extra_elem, &pool);
1352 mempool_exit(&pool);
1353 }
1354
1355 /*
1356 * Skip the invalid-free test for page mempool. The invalid-free detection only
1357 * works for compound pages and mempool preallocates all page elements without
1358 * the __GFP_COMP flag.
1359 */
1360
1361 static char global_array[10];
1362
1363 static void kasan_global_oob_right(struct kunit *test)
1364 {
1365 /*
1366 * Deliberate out-of-bounds access. To prevent CONFIG_UBSAN_LOCAL_BOUNDS
1367 * from failing here and panicking the kernel, access the array via a
1368 * volatile pointer, which will prevent the compiler from being able to
1369 * determine the array bounds.
1370 *
1371 * This access uses a volatile pointer to char (char *volatile) rather
1372 * than the more conventional pointer to volatile char (volatile char *)
1373 * because we want to prevent the compiler from making inferences about
1374 * the pointer itself (i.e. its array bounds), not the data that it
1375 * refers to.
1376 */
1377 char *volatile array = global_array;
1378 char *p = &array[ARRAY_SIZE(global_array) + 3];
1379
1380 /* Only generic mode instruments globals. */
1381 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1382
1383 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
1384 }
1385
1386 static void kasan_global_oob_left(struct kunit *test)
1387 {
1388 char *volatile array = global_array;
1389 char *p = array - 3;
1390
1391 /*
1392 * GCC is known to fail this test, skip it.
1393 * See https://bugzilla.kernel.org/show_bug.cgi?id=215051.
1394 */
1395 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_CC_IS_CLANG);
1396 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1397 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
1398 }
1399
1400 static void kasan_stack_oob(struct kunit *test)
1401 {
1402 char stack_array[10];
1403 /* See comment in kasan_global_oob_right. */
1404 char *volatile array = stack_array;
1405 char *p = &array[ARRAY_SIZE(stack_array) + OOB_TAG_OFF];
1406
1407 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
1408
1409 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
1410 }
1411
1412 static void kasan_alloca_oob_left(struct kunit *test)
1413 {
1414 volatile int i = 10;
1415 char alloca_array[i];
1416 /* See comment in kasan_global_oob_right. */
1417 char *volatile array = alloca_array;
1418 char *p = array - 1;
1419
1420 /* Only generic mode instruments dynamic allocas. */
1421 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1422 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
1423
1424 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
1425 }
1426
1427 static void kasan_alloca_oob_right(struct kunit *test)
1428 {
1429 volatile int i = 10;
1430 char alloca_array[i];
1431 /* See comment in kasan_global_oob_right. */
1432 char *volatile array = alloca_array;
1433 char *p = array + i;
1434
1435 /* Only generic mode instruments dynamic allocas. */
1436 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1437 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
1438
1439 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
1440 }
1441
1442 static void kasan_memchr(struct kunit *test)
1443 {
1444 char *ptr;
1445 size_t size = 24;
1446
1447 /*
1448 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
1449 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
1450 */
1451 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
1452
1453 if (OOB_TAG_OFF)
1454 size = round_up(size, OOB_TAG_OFF);
1455
1456 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
1457 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1458
1459 OPTIMIZER_HIDE_VAR(ptr);
1460 OPTIMIZER_HIDE_VAR(size);
1461 KUNIT_EXPECT_KASAN_FAIL(test,
1462 kasan_ptr_result = memchr(ptr, '1', size + 1));
1463
1464 kfree(ptr);
1465 }
1466
1467 static void kasan_memcmp(struct kunit *test)
1468 {
1469 char *ptr;
1470 size_t size = 24;
1471 int arr[9];
1472
1473 /*
1474 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
1475 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
1476 */
1477 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
1478
1479 if (OOB_TAG_OFF)
1480 size = round_up(size, OOB_TAG_OFF);
1481
1482 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
1483 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1484 memset(arr, 0, sizeof(arr));
1485
1486 OPTIMIZER_HIDE_VAR(ptr);
1487 OPTIMIZER_HIDE_VAR(size);
1488 KUNIT_EXPECT_KASAN_FAIL(test,
1489 kasan_int_result = memcmp(ptr, arr, size+1));
1490 kfree(ptr);
1491 }
1492
1493 static void kasan_strings(struct kunit *test)
1494 {
1495 char *ptr;
1496 size_t size = 24;
1497
1498 /*
1499 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
1500 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
1501 */
1502 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
1503
1504 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
1505 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1506
1507 kfree(ptr);
1508
1509 /*
1510 * Try to cause only 1 invalid access (less spam in dmesg).
1511 * For that we need ptr to point to zeroed byte.
1512 * Skip metadata that could be stored in freed object so ptr
1513 * will likely point to zeroed byte.
1514 */
1515 ptr += 16;
1516 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strchr(ptr, '1'));
1517
1518 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strrchr(ptr, '1'));
1519
1520 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strcmp(ptr, "2"));
1521
1522 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1));
1523
1524 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr));
1525
1526 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1));
1527 }
1528
1529 static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
1530 {
1531 KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr));
1532 KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr));
1533 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr));
1534 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr));
1535 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr));
1536 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr));
1537 KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr));
1538 KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr));
1539 }
1540
1541 static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr)
1542 {
1543 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr));
1544 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr));
1545 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr));
1546 KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr));
1547 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr));
1548 KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr));
1549 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr));
1550 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = test_bit(nr, addr));
1551 if (nr < 7)
1552 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result =
1553 xor_unlock_is_negative_byte(1 << nr, addr));
1554 }
1555
1556 static void kasan_bitops_generic(struct kunit *test)
1557 {
1558 long *bits;
1559
1560 /* This test is specifically crafted for the generic mode. */
1561 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1562
1563 /*
1564 * Allocate 1 more byte, which causes kzalloc to round up to 16 bytes;
1565 * this way we do not actually corrupt other memory.
1566 */
1567 bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
1568 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
1569
1570 /*
1571 * Below calls try to access bit within allocated memory; however, the
1572 * below accesses are still out-of-bounds, since bitops are defined to
1573 * operate on the whole long the bit is in.
1574 */
1575 kasan_bitops_modify(test, BITS_PER_LONG, bits);
1576
1577 /*
1578 * Below calls try to access bit beyond allocated memory.
1579 */
1580 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits);
1581
1582 kfree(bits);
1583 }
1584
1585 static void kasan_bitops_tags(struct kunit *test)
1586 {
1587 long *bits;
1588
1589 /* This test is specifically crafted for tag-based modes. */
1590 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1591
1592 /* kmalloc-64 cache will be used and the last 16 bytes will be the redzone. */
1593 bits = kzalloc(48, GFP_KERNEL);
1594 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
1595
1596 /* Do the accesses past the 48 allocated bytes, but within the redone. */
1597 kasan_bitops_modify(test, BITS_PER_LONG, (void *)bits + 48);
1598 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, (void *)bits + 48);
1599
1600 kfree(bits);
1601 }
1602
1603 static void vmalloc_helpers_tags(struct kunit *test)
1604 {
1605 void *ptr;
1606
1607 /* This test is intended for tag-based modes. */
1608 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1609
1610 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1611
1612 if (!kasan_vmalloc_enabled())
1613 kunit_skip(test, "Test requires kasan.vmalloc=on");
1614
1615 ptr = vmalloc(PAGE_SIZE);
1616 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1617
1618 /* Check that the returned pointer is tagged. */
1619 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1620 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1621
1622 /* Make sure exported vmalloc helpers handle tagged pointers. */
1623 KUNIT_ASSERT_TRUE(test, is_vmalloc_addr(ptr));
1624 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, vmalloc_to_page(ptr));
1625
1626 #if !IS_MODULE(CONFIG_KASAN_KUNIT_TEST)
1627 {
1628 int rv;
1629
1630 /* Make sure vmalloc'ed memory permissions can be changed. */
1631 rv = set_memory_ro((unsigned long)ptr, 1);
1632 KUNIT_ASSERT_GE(test, rv, 0);
1633 rv = set_memory_rw((unsigned long)ptr, 1);
1634 KUNIT_ASSERT_GE(test, rv, 0);
1635 }
1636 #endif
1637
1638 vfree(ptr);
1639 }
1640
1641 static void vmalloc_oob(struct kunit *test)
1642 {
1643 char *v_ptr, *p_ptr;
1644 struct page *page;
1645 size_t size = PAGE_SIZE / 2 - KASAN_GRANULE_SIZE - 5;
1646
1647 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1648
1649 if (!kasan_vmalloc_enabled())
1650 kunit_skip(test, "Test requires kasan.vmalloc=on");
1651
1652 v_ptr = vmalloc(size);
1653 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1654
1655 OPTIMIZER_HIDE_VAR(v_ptr);
1656
1657 /*
1658 * We have to be careful not to hit the guard page in vmalloc tests.
1659 * The MMU will catch that and crash us.
1660 */
1661
1662 /* Make sure in-bounds accesses are valid. */
1663 v_ptr[0] = 0;
1664 v_ptr[size - 1] = 0;
1665
1666 /*
1667 * An unaligned access past the requested vmalloc size.
1668 * Only generic KASAN can precisely detect these.
1669 */
1670 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
1671 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size]);
1672
1673 /* An aligned access into the first out-of-bounds granule. */
1674 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size + 5]);
1675
1676 /* Check that in-bounds accesses to the physical page are valid. */
1677 page = vmalloc_to_page(v_ptr);
1678 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page);
1679 p_ptr = page_address(page);
1680 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1681 p_ptr[0] = 0;
1682
1683 vfree(v_ptr);
1684
1685 /*
1686 * We can't check for use-after-unmap bugs in this nor in the following
1687 * vmalloc tests, as the page might be fully unmapped and accessing it
1688 * will crash the kernel.
1689 */
1690 }
1691
1692 static void vmap_tags(struct kunit *test)
1693 {
1694 char *p_ptr, *v_ptr;
1695 struct page *p_page, *v_page;
1696
1697 /*
1698 * This test is specifically crafted for the software tag-based mode,
1699 * the only tag-based mode that poisons vmap mappings.
1700 */
1701 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1702
1703 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1704
1705 if (!kasan_vmalloc_enabled())
1706 kunit_skip(test, "Test requires kasan.vmalloc=on");
1707
1708 p_page = alloc_pages(GFP_KERNEL, 1);
1709 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_page);
1710 p_ptr = page_address(p_page);
1711 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1712
1713 v_ptr = vmap(&p_page, 1, VM_MAP, PAGE_KERNEL);
1714 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1715
1716 /*
1717 * We can't check for out-of-bounds bugs in this nor in the following
1718 * vmalloc tests, as allocations have page granularity and accessing
1719 * the guard page will crash the kernel.
1720 */
1721
1722 KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN);
1723 KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL);
1724
1725 /* Make sure that in-bounds accesses through both pointers work. */
1726 *p_ptr = 0;
1727 *v_ptr = 0;
1728
1729 /* Make sure vmalloc_to_page() correctly recovers the page pointer. */
1730 v_page = vmalloc_to_page(v_ptr);
1731 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_page);
1732 KUNIT_EXPECT_PTR_EQ(test, p_page, v_page);
1733
1734 vunmap(v_ptr);
1735 free_pages((unsigned long)p_ptr, 1);
1736 }
1737
1738 static void vm_map_ram_tags(struct kunit *test)
1739 {
1740 char *p_ptr, *v_ptr;
1741 struct page *page;
1742
1743 /*
1744 * This test is specifically crafted for the software tag-based mode,
1745 * the only tag-based mode that poisons vm_map_ram mappings.
1746 */
1747 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1748
1749 page = alloc_pages(GFP_KERNEL, 1);
1750 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page);
1751 p_ptr = page_address(page);
1752 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1753
1754 v_ptr = vm_map_ram(&page, 1, -1);
1755 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1756
1757 KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN);
1758 KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL);
1759
1760 /* Make sure that in-bounds accesses through both pointers work. */
1761 *p_ptr = 0;
1762 *v_ptr = 0;
1763
1764 vm_unmap_ram(v_ptr, 1);
1765 free_pages((unsigned long)p_ptr, 1);
1766 }
1767
1768 static void vmalloc_percpu(struct kunit *test)
1769 {
1770 char __percpu *ptr;
1771 int cpu;
1772
1773 /*
1774 * This test is specifically crafted for the software tag-based mode,
1775 * the only tag-based mode that poisons percpu mappings.
1776 */
1777 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1778
1779 ptr = __alloc_percpu(PAGE_SIZE, PAGE_SIZE);
1780
1781 for_each_possible_cpu(cpu) {
1782 char *c_ptr = per_cpu_ptr(ptr, cpu);
1783
1784 KUNIT_EXPECT_GE(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_MIN);
1785 KUNIT_EXPECT_LT(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_KERNEL);
1786
1787 /* Make sure that in-bounds accesses don't crash the kernel. */
1788 *c_ptr = 0;
1789 }
1790
1791 free_percpu(ptr);
1792 }
1793
1794 /*
1795 * Check that the assigned pointer tag falls within the [KASAN_TAG_MIN,
1796 * KASAN_TAG_KERNEL) range (note: excluding the match-all tag) for tag-based
1797 * modes.
1798 */
1799 static void match_all_not_assigned(struct kunit *test)
1800 {
1801 char *ptr;
1802 struct page *pages;
1803 int i, size, order;
1804
1805 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1806
1807 for (i = 0; i < 256; i++) {
1808 size = get_random_u32_inclusive(1, 1024);
1809 ptr = kmalloc(size, GFP_KERNEL);
1810 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1811 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1812 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1813 kfree(ptr);
1814 }
1815
1816 for (i = 0; i < 256; i++) {
1817 order = get_random_u32_inclusive(1, 4);
1818 pages = alloc_pages(GFP_KERNEL, order);
1819 ptr = page_address(pages);
1820 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1821 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1822 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1823 free_pages((unsigned long)ptr, order);
1824 }
1825
1826 if (!kasan_vmalloc_enabled())
1827 return;
1828
1829 for (i = 0; i < 256; i++) {
1830 size = get_random_u32_inclusive(1, 1024);
1831 ptr = vmalloc(size);
1832 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1833 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1834 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1835 vfree(ptr);
1836 }
1837 }
1838
1839 /* Check that 0xff works as a match-all pointer tag for tag-based modes. */
1840 static void match_all_ptr_tag(struct kunit *test)
1841 {
1842 char *ptr;
1843 u8 tag;
1844
1845 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1846
1847 ptr = kmalloc(128, GFP_KERNEL);
1848 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1849
1850 /* Backup the assigned tag. */
1851 tag = get_tag(ptr);
1852 KUNIT_EXPECT_NE(test, tag, (u8)KASAN_TAG_KERNEL);
1853
1854 /* Reset the tag to 0xff.*/
1855 ptr = set_tag(ptr, KASAN_TAG_KERNEL);
1856
1857 /* This access shouldn't trigger a KASAN report. */
1858 *ptr = 0;
1859
1860 /* Recover the pointer tag and free. */
1861 ptr = set_tag(ptr, tag);
1862 kfree(ptr);
1863 }
1864
1865 /* Check that there are no match-all memory tags for tag-based modes. */
1866 static void match_all_mem_tag(struct kunit *test)
1867 {
1868 char *ptr;
1869 int tag;
1870
1871 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1872
1873 ptr = kmalloc(128, GFP_KERNEL);
1874 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1875 KUNIT_EXPECT_NE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1876
1877 /* For each possible tag value not matching the pointer tag. */
1878 for (tag = KASAN_TAG_MIN; tag <= KASAN_TAG_KERNEL; tag++) {
1879 /*
1880 * For Software Tag-Based KASAN, skip the majority of tag
1881 * values to avoid the test printing too many reports.
1882 */
1883 if (IS_ENABLED(CONFIG_KASAN_SW_TAGS) &&
1884 tag >= KASAN_TAG_MIN + 8 && tag <= KASAN_TAG_KERNEL - 8)
1885 continue;
1886
1887 if (tag == get_tag(ptr))
1888 continue;
1889
1890 /* Mark the first memory granule with the chosen memory tag. */
1891 kasan_poison(ptr, KASAN_GRANULE_SIZE, (u8)tag, false);
1892
1893 /* This access must cause a KASAN report. */
1894 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = 0);
1895 }
1896
1897 /* Recover the memory tag and free. */
1898 kasan_poison(ptr, KASAN_GRANULE_SIZE, get_tag(ptr), false);
1899 kfree(ptr);
1900 }
1901
1902 static struct kunit_case kasan_kunit_test_cases[] = {
1903 KUNIT_CASE(kmalloc_oob_right),
1904 KUNIT_CASE(kmalloc_oob_left),
1905 KUNIT_CASE(kmalloc_node_oob_right),
1906 KUNIT_CASE(kmalloc_big_oob_right),
1907 KUNIT_CASE(kmalloc_large_oob_right),
1908 KUNIT_CASE(kmalloc_large_uaf),
1909 KUNIT_CASE(kmalloc_large_invalid_free),
1910 KUNIT_CASE(page_alloc_oob_right),
1911 KUNIT_CASE(page_alloc_uaf),
1912 KUNIT_CASE(krealloc_more_oob),
1913 KUNIT_CASE(krealloc_less_oob),
1914 KUNIT_CASE(krealloc_large_more_oob),
1915 KUNIT_CASE(krealloc_large_less_oob),
1916 KUNIT_CASE(krealloc_uaf),
1917 KUNIT_CASE(kmalloc_oob_16),
1918 KUNIT_CASE(kmalloc_uaf_16),
1919 KUNIT_CASE(kmalloc_oob_in_memset),
1920 KUNIT_CASE(kmalloc_oob_memset_2),
1921 KUNIT_CASE(kmalloc_oob_memset_4),
1922 KUNIT_CASE(kmalloc_oob_memset_8),
1923 KUNIT_CASE(kmalloc_oob_memset_16),
1924 KUNIT_CASE(kmalloc_memmove_negative_size),
1925 KUNIT_CASE(kmalloc_memmove_invalid_size),
1926 KUNIT_CASE(kmalloc_uaf),
1927 KUNIT_CASE(kmalloc_uaf_memset),
1928 KUNIT_CASE(kmalloc_uaf2),
1929 KUNIT_CASE(kmalloc_uaf3),
1930 KUNIT_CASE(kmalloc_double_kzfree),
1931 KUNIT_CASE(ksize_unpoisons_memory),
1932 KUNIT_CASE(ksize_uaf),
1933 KUNIT_CASE(rcu_uaf),
1934 KUNIT_CASE(workqueue_uaf),
1935 KUNIT_CASE(kfree_via_page),
1936 KUNIT_CASE(kfree_via_phys),
1937 KUNIT_CASE(kmem_cache_oob),
1938 KUNIT_CASE(kmem_cache_double_free),
1939 KUNIT_CASE(kmem_cache_invalid_free),
1940 KUNIT_CASE(kmem_cache_double_destroy),
1941 KUNIT_CASE(kmem_cache_accounted),
1942 KUNIT_CASE(kmem_cache_bulk),
1943 KUNIT_CASE(mempool_kmalloc_oob_right),
1944 KUNIT_CASE(mempool_kmalloc_large_oob_right),
1945 KUNIT_CASE(mempool_slab_oob_right),
1946 KUNIT_CASE(mempool_kmalloc_uaf),
1947 KUNIT_CASE(mempool_kmalloc_large_uaf),
1948 KUNIT_CASE(mempool_slab_uaf),
1949 KUNIT_CASE(mempool_page_alloc_uaf),
1950 KUNIT_CASE(mempool_kmalloc_double_free),
1951 KUNIT_CASE(mempool_kmalloc_large_double_free),
1952 KUNIT_CASE(mempool_page_alloc_double_free),
1953 KUNIT_CASE(mempool_kmalloc_invalid_free),
1954 KUNIT_CASE(mempool_kmalloc_large_invalid_free),
1955 KUNIT_CASE(kasan_global_oob_right),
1956 KUNIT_CASE(kasan_global_oob_left),
1957 KUNIT_CASE(kasan_stack_oob),
1958 KUNIT_CASE(kasan_alloca_oob_left),
1959 KUNIT_CASE(kasan_alloca_oob_right),
1960 KUNIT_CASE(kasan_memchr),
1961 KUNIT_CASE(kasan_memcmp),
1962 KUNIT_CASE(kasan_strings),
1963 KUNIT_CASE(kasan_bitops_generic),
1964 KUNIT_CASE(kasan_bitops_tags),
1965 KUNIT_CASE(kasan_atomics),
1966 KUNIT_CASE(vmalloc_helpers_tags),
1967 KUNIT_CASE(vmalloc_oob),
1968 KUNIT_CASE(vmap_tags),
1969 KUNIT_CASE(vm_map_ram_tags),
1970 KUNIT_CASE(vmalloc_percpu),
1971 KUNIT_CASE(match_all_not_assigned),
1972 KUNIT_CASE(match_all_ptr_tag),
1973 KUNIT_CASE(match_all_mem_tag),
1974 {}
1975 };
1976
1977 static struct kunit_suite kasan_kunit_test_suite = {
1978 .name = "kasan",
1979 .test_cases = kasan_kunit_test_cases,
1980 .exit = kasan_test_exit,
1981 .suite_init = kasan_suite_init,
1982 .suite_exit = kasan_suite_exit,
1983 };
1984
1985 kunit_test_suite(kasan_kunit_test_suite);
1986
1987 MODULE_LICENSE("GPL");
1988
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.