xref: /openbmc/linux/mm/kasan/kasan_test.c (revision 724ba675)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *
4  * Copyright (c) 2014 Samsung Electronics Co., Ltd.
5  * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
6  */
7 
8 #define pr_fmt(fmt) "kasan_test: " fmt
9 
10 #include <kunit/test.h>
11 #include <linux/bitops.h>
12 #include <linux/delay.h>
13 #include <linux/io.h>
14 #include <linux/kasan.h>
15 #include <linux/kernel.h>
16 #include <linux/mm.h>
17 #include <linux/mman.h>
18 #include <linux/module.h>
19 #include <linux/printk.h>
20 #include <linux/random.h>
21 #include <linux/set_memory.h>
22 #include <linux/slab.h>
23 #include <linux/string.h>
24 #include <linux/tracepoint.h>
25 #include <linux/uaccess.h>
26 #include <linux/vmalloc.h>
27 #include <trace/events/printk.h>
28 
29 #include <asm/page.h>
30 
31 #include "kasan.h"
32 
33 #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
34 
35 static bool multishot;
36 
37 /* Fields set based on lines observed in the console. */
38 static struct {
39 	bool report_found;
40 	bool async_fault;
41 } test_status;
42 
43 /*
44  * Some tests use these global variables to store return values from function
45  * calls that could otherwise be eliminated by the compiler as dead code.
46  */
47 void *kasan_ptr_result;
48 int kasan_int_result;
49 
50 /* Probe for console output: obtains test_status lines of interest. */
51 static void probe_console(void *ignore, const char *buf, size_t len)
52 {
53 	if (strnstr(buf, "BUG: KASAN: ", len))
54 		WRITE_ONCE(test_status.report_found, true);
55 	else if (strnstr(buf, "Asynchronous fault: ", len))
56 		WRITE_ONCE(test_status.async_fault, true);
57 }
58 
59 static int kasan_suite_init(struct kunit_suite *suite)
60 {
61 	if (!kasan_enabled()) {
62 		pr_err("Can't run KASAN tests with KASAN disabled");
63 		return -1;
64 	}
65 
66 	/* Stop failing KUnit tests on KASAN reports. */
67 	kasan_kunit_test_suite_start();
68 
69 	/*
70 	 * Temporarily enable multi-shot mode. Otherwise, KASAN would only
71 	 * report the first detected bug and panic the kernel if panic_on_warn
72 	 * is enabled.
73 	 */
74 	multishot = kasan_save_enable_multi_shot();
75 
76 	register_trace_console(probe_console, NULL);
77 	return 0;
78 }
79 
80 static void kasan_suite_exit(struct kunit_suite *suite)
81 {
82 	kasan_kunit_test_suite_end();
83 	kasan_restore_multi_shot(multishot);
84 	unregister_trace_console(probe_console, NULL);
85 	tracepoint_synchronize_unregister();
86 }
87 
88 static void kasan_test_exit(struct kunit *test)
89 {
90 	KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found));
91 }
92 
93 /**
94  * KUNIT_EXPECT_KASAN_FAIL() - check that the executed expression produces a
95  * KASAN report; causes a test failure otherwise. This relies on a KUnit
96  * resource named "kasan_status". Do not use this name for KUnit resources
97  * outside of KASAN tests.
98  *
99  * For hardware tag-based KASAN, when a synchronous tag fault happens, tag
100  * checking is auto-disabled. When this happens, this test handler reenables
101  * tag checking. As tag checking can be only disabled or enabled per CPU,
102  * this handler disables migration (preemption).
103  *
104  * Since the compiler doesn't see that the expression can change the test_status
105  * fields, it can reorder or optimize away the accesses to those fields.
106  * Use READ/WRITE_ONCE() for the accesses and compiler barriers around the
107  * expression to prevent that.
108  *
109  * In between KUNIT_EXPECT_KASAN_FAIL checks, test_status.report_found is kept
110  * as false. This allows detecting KASAN reports that happen outside of the
111  * checks by asserting !test_status.report_found at the start of
112  * KUNIT_EXPECT_KASAN_FAIL and in kasan_test_exit.
113  */
114 #define KUNIT_EXPECT_KASAN_FAIL(test, expression) do {			\
115 	if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) &&				\
116 	    kasan_sync_fault_possible())				\
117 		migrate_disable();					\
118 	KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found));	\
119 	barrier();							\
120 	expression;							\
121 	barrier();							\
122 	if (kasan_async_fault_possible())				\
123 		kasan_force_async_fault();				\
124 	if (!READ_ONCE(test_status.report_found)) {			\
125 		KUNIT_FAIL(test, KUNIT_SUBTEST_INDENT "KASAN failure "	\
126 				"expected in \"" #expression		\
127 				 "\", but none occurred");		\
128 	}								\
129 	if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) &&				\
130 	    kasan_sync_fault_possible()) {				\
131 		if (READ_ONCE(test_status.report_found) &&		\
132 		    !READ_ONCE(test_status.async_fault))		\
133 			kasan_enable_hw_tags();				\
134 		migrate_enable();					\
135 	}								\
136 	WRITE_ONCE(test_status.report_found, false);			\
137 	WRITE_ONCE(test_status.async_fault, false);			\
138 } while (0)
139 
140 #define KASAN_TEST_NEEDS_CONFIG_ON(test, config) do {			\
141 	if (!IS_ENABLED(config))					\
142 		kunit_skip((test), "Test requires " #config "=y");	\
143 } while (0)
144 
145 #define KASAN_TEST_NEEDS_CONFIG_OFF(test, config) do {			\
146 	if (IS_ENABLED(config))						\
147 		kunit_skip((test), "Test requires " #config "=n");	\
148 } while (0)
149 
150 #define KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test) do {		\
151 	if (IS_ENABLED(CONFIG_KASAN_HW_TAGS))				\
152 		break;  /* No compiler instrumentation. */		\
153 	if (IS_ENABLED(CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX))	\
154 		break;  /* Should always be instrumented! */		\
155 	if (IS_ENABLED(CONFIG_GENERIC_ENTRY))				\
156 		kunit_skip((test), "Test requires checked mem*()");	\
157 } while (0)
158 
159 static void kmalloc_oob_right(struct kunit *test)
160 {
161 	char *ptr;
162 	size_t size = 128 - KASAN_GRANULE_SIZE - 5;
163 
164 	ptr = kmalloc(size, GFP_KERNEL);
165 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
166 
167 	OPTIMIZER_HIDE_VAR(ptr);
168 	/*
169 	 * An unaligned access past the requested kmalloc size.
170 	 * Only generic KASAN can precisely detect these.
171 	 */
172 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
173 		KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x');
174 
175 	/*
176 	 * An aligned access into the first out-of-bounds granule that falls
177 	 * within the aligned kmalloc object.
178 	 */
179 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + 5] = 'y');
180 
181 	/* Out-of-bounds access past the aligned kmalloc object. */
182 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] =
183 					ptr[size + KASAN_GRANULE_SIZE + 5]);
184 
185 	kfree(ptr);
186 }
187 
188 static void kmalloc_oob_left(struct kunit *test)
189 {
190 	char *ptr;
191 	size_t size = 15;
192 
193 	ptr = kmalloc(size, GFP_KERNEL);
194 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
195 
196 	OPTIMIZER_HIDE_VAR(ptr);
197 	KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1));
198 	kfree(ptr);
199 }
200 
201 static void kmalloc_node_oob_right(struct kunit *test)
202 {
203 	char *ptr;
204 	size_t size = 4096;
205 
206 	ptr = kmalloc_node(size, GFP_KERNEL, 0);
207 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
208 
209 	OPTIMIZER_HIDE_VAR(ptr);
210 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]);
211 	kfree(ptr);
212 }
213 
214 /*
215  * These kmalloc_pagealloc_* tests try allocating a memory chunk that doesn't
216  * fit into a slab cache and therefore is allocated via the page allocator
217  * fallback. Since this kind of fallback is only implemented for SLUB, these
218  * tests are limited to that allocator.
219  */
220 static void kmalloc_pagealloc_oob_right(struct kunit *test)
221 {
222 	char *ptr;
223 	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
224 
225 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
226 
227 	ptr = kmalloc(size, GFP_KERNEL);
228 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
229 
230 	OPTIMIZER_HIDE_VAR(ptr);
231 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0);
232 
233 	kfree(ptr);
234 }
235 
236 static void kmalloc_pagealloc_uaf(struct kunit *test)
237 {
238 	char *ptr;
239 	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
240 
241 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
242 
243 	ptr = kmalloc(size, GFP_KERNEL);
244 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
245 	kfree(ptr);
246 
247 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
248 }
249 
250 static void kmalloc_pagealloc_invalid_free(struct kunit *test)
251 {
252 	char *ptr;
253 	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
254 
255 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
256 
257 	ptr = kmalloc(size, GFP_KERNEL);
258 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
259 
260 	KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
261 }
262 
263 static void pagealloc_oob_right(struct kunit *test)
264 {
265 	char *ptr;
266 	struct page *pages;
267 	size_t order = 4;
268 	size_t size = (1UL << (PAGE_SHIFT + order));
269 
270 	/*
271 	 * With generic KASAN page allocations have no redzones, thus
272 	 * out-of-bounds detection is not guaranteed.
273 	 * See https://bugzilla.kernel.org/show_bug.cgi?id=210503.
274 	 */
275 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
276 
277 	pages = alloc_pages(GFP_KERNEL, order);
278 	ptr = page_address(pages);
279 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
280 
281 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]);
282 	free_pages((unsigned long)ptr, order);
283 }
284 
285 static void pagealloc_uaf(struct kunit *test)
286 {
287 	char *ptr;
288 	struct page *pages;
289 	size_t order = 4;
290 
291 	pages = alloc_pages(GFP_KERNEL, order);
292 	ptr = page_address(pages);
293 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
294 	free_pages((unsigned long)ptr, order);
295 
296 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
297 }
298 
299 static void kmalloc_large_oob_right(struct kunit *test)
300 {
301 	char *ptr;
302 	size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
303 
304 	/*
305 	 * Allocate a chunk that is large enough, but still fits into a slab
306 	 * and does not trigger the page allocator fallback in SLUB.
307 	 */
308 	ptr = kmalloc(size, GFP_KERNEL);
309 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
310 
311 	OPTIMIZER_HIDE_VAR(ptr);
312 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
313 	kfree(ptr);
314 }
315 
316 static void krealloc_more_oob_helper(struct kunit *test,
317 					size_t size1, size_t size2)
318 {
319 	char *ptr1, *ptr2;
320 	size_t middle;
321 
322 	KUNIT_ASSERT_LT(test, size1, size2);
323 	middle = size1 + (size2 - size1) / 2;
324 
325 	ptr1 = kmalloc(size1, GFP_KERNEL);
326 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
327 
328 	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
329 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
330 
331 	/* Suppress -Warray-bounds warnings. */
332 	OPTIMIZER_HIDE_VAR(ptr2);
333 
334 	/* All offsets up to size2 must be accessible. */
335 	ptr2[size1 - 1] = 'x';
336 	ptr2[size1] = 'x';
337 	ptr2[middle] = 'x';
338 	ptr2[size2 - 1] = 'x';
339 
340 	/* Generic mode is precise, so unaligned size2 must be inaccessible. */
341 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
342 		KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');
343 
344 	/* For all modes first aligned offset after size2 must be inaccessible. */
345 	KUNIT_EXPECT_KASAN_FAIL(test,
346 		ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');
347 
348 	kfree(ptr2);
349 }
350 
351 static void krealloc_less_oob_helper(struct kunit *test,
352 					size_t size1, size_t size2)
353 {
354 	char *ptr1, *ptr2;
355 	size_t middle;
356 
357 	KUNIT_ASSERT_LT(test, size2, size1);
358 	middle = size2 + (size1 - size2) / 2;
359 
360 	ptr1 = kmalloc(size1, GFP_KERNEL);
361 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
362 
363 	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
364 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
365 
366 	/* Suppress -Warray-bounds warnings. */
367 	OPTIMIZER_HIDE_VAR(ptr2);
368 
369 	/* Must be accessible for all modes. */
370 	ptr2[size2 - 1] = 'x';
371 
372 	/* Generic mode is precise, so unaligned size2 must be inaccessible. */
373 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
374 		KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');
375 
376 	/* For all modes first aligned offset after size2 must be inaccessible. */
377 	KUNIT_EXPECT_KASAN_FAIL(test,
378 		ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');
379 
380 	/*
381 	 * For all modes all size2, middle, and size1 should land in separate
382 	 * granules and thus the latter two offsets should be inaccessible.
383 	 */
384 	KUNIT_EXPECT_LE(test, round_up(size2, KASAN_GRANULE_SIZE),
385 				round_down(middle, KASAN_GRANULE_SIZE));
386 	KUNIT_EXPECT_LE(test, round_up(middle, KASAN_GRANULE_SIZE),
387 				round_down(size1, KASAN_GRANULE_SIZE));
388 	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[middle] = 'x');
389 	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1 - 1] = 'x');
390 	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1] = 'x');
391 
392 	kfree(ptr2);
393 }
394 
395 static void krealloc_more_oob(struct kunit *test)
396 {
397 	krealloc_more_oob_helper(test, 201, 235);
398 }
399 
400 static void krealloc_less_oob(struct kunit *test)
401 {
402 	krealloc_less_oob_helper(test, 235, 201);
403 }
404 
405 static void krealloc_pagealloc_more_oob(struct kunit *test)
406 {
407 	/* page_alloc fallback in only implemented for SLUB. */
408 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
409 
410 	krealloc_more_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 201,
411 					KMALLOC_MAX_CACHE_SIZE + 235);
412 }
413 
414 static void krealloc_pagealloc_less_oob(struct kunit *test)
415 {
416 	/* page_alloc fallback in only implemented for SLUB. */
417 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
418 
419 	krealloc_less_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 235,
420 					KMALLOC_MAX_CACHE_SIZE + 201);
421 }
422 
423 /*
424  * Check that krealloc() detects a use-after-free, returns NULL,
425  * and doesn't unpoison the freed object.
426  */
427 static void krealloc_uaf(struct kunit *test)
428 {
429 	char *ptr1, *ptr2;
430 	int size1 = 201;
431 	int size2 = 235;
432 
433 	ptr1 = kmalloc(size1, GFP_KERNEL);
434 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
435 	kfree(ptr1);
436 
437 	KUNIT_EXPECT_KASAN_FAIL(test, ptr2 = krealloc(ptr1, size2, GFP_KERNEL));
438 	KUNIT_ASSERT_NULL(test, ptr2);
439 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)ptr1);
440 }
441 
442 static void kmalloc_oob_16(struct kunit *test)
443 {
444 	struct {
445 		u64 words[2];
446 	} *ptr1, *ptr2;
447 
448 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
449 
450 	/* This test is specifically crafted for the generic mode. */
451 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
452 
453 	ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
454 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
455 
456 	ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
457 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
458 
459 	OPTIMIZER_HIDE_VAR(ptr1);
460 	OPTIMIZER_HIDE_VAR(ptr2);
461 	KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
462 	kfree(ptr1);
463 	kfree(ptr2);
464 }
465 
466 static void kmalloc_uaf_16(struct kunit *test)
467 {
468 	struct {
469 		u64 words[2];
470 	} *ptr1, *ptr2;
471 
472 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
473 
474 	ptr1 = kmalloc(sizeof(*ptr1), GFP_KERNEL);
475 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
476 
477 	ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
478 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
479 	kfree(ptr2);
480 
481 	KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
482 	kfree(ptr1);
483 }
484 
485 /*
486  * Note: in the memset tests below, the written range touches both valid and
487  * invalid memory. This makes sure that the instrumentation does not only check
488  * the starting address but the whole range.
489  */
490 
491 static void kmalloc_oob_memset_2(struct kunit *test)
492 {
493 	char *ptr;
494 	size_t size = 128 - KASAN_GRANULE_SIZE;
495 
496 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
497 
498 	ptr = kmalloc(size, GFP_KERNEL);
499 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
500 
501 	OPTIMIZER_HIDE_VAR(size);
502 	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 1, 0, 2));
503 	kfree(ptr);
504 }
505 
506 static void kmalloc_oob_memset_4(struct kunit *test)
507 {
508 	char *ptr;
509 	size_t size = 128 - KASAN_GRANULE_SIZE;
510 
511 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
512 
513 	ptr = kmalloc(size, GFP_KERNEL);
514 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
515 
516 	OPTIMIZER_HIDE_VAR(size);
517 	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 3, 0, 4));
518 	kfree(ptr);
519 }
520 
521 static void kmalloc_oob_memset_8(struct kunit *test)
522 {
523 	char *ptr;
524 	size_t size = 128 - KASAN_GRANULE_SIZE;
525 
526 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
527 
528 	ptr = kmalloc(size, GFP_KERNEL);
529 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
530 
531 	OPTIMIZER_HIDE_VAR(size);
532 	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 7, 0, 8));
533 	kfree(ptr);
534 }
535 
536 static void kmalloc_oob_memset_16(struct kunit *test)
537 {
538 	char *ptr;
539 	size_t size = 128 - KASAN_GRANULE_SIZE;
540 
541 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
542 
543 	ptr = kmalloc(size, GFP_KERNEL);
544 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
545 
546 	OPTIMIZER_HIDE_VAR(size);
547 	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 15, 0, 16));
548 	kfree(ptr);
549 }
550 
551 static void kmalloc_oob_in_memset(struct kunit *test)
552 {
553 	char *ptr;
554 	size_t size = 128 - KASAN_GRANULE_SIZE;
555 
556 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
557 
558 	ptr = kmalloc(size, GFP_KERNEL);
559 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
560 
561 	OPTIMIZER_HIDE_VAR(ptr);
562 	OPTIMIZER_HIDE_VAR(size);
563 	KUNIT_EXPECT_KASAN_FAIL(test,
564 				memset(ptr, 0, size + KASAN_GRANULE_SIZE));
565 	kfree(ptr);
566 }
567 
568 static void kmalloc_memmove_negative_size(struct kunit *test)
569 {
570 	char *ptr;
571 	size_t size = 64;
572 	size_t invalid_size = -2;
573 
574 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
575 
576 	/*
577 	 * Hardware tag-based mode doesn't check memmove for negative size.
578 	 * As a result, this test introduces a side-effect memory corruption,
579 	 * which can result in a crash.
580 	 */
581 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS);
582 
583 	ptr = kmalloc(size, GFP_KERNEL);
584 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
585 
586 	memset((char *)ptr, 0, 64);
587 	OPTIMIZER_HIDE_VAR(ptr);
588 	OPTIMIZER_HIDE_VAR(invalid_size);
589 	KUNIT_EXPECT_KASAN_FAIL(test,
590 		memmove((char *)ptr, (char *)ptr + 4, invalid_size));
591 	kfree(ptr);
592 }
593 
594 static void kmalloc_memmove_invalid_size(struct kunit *test)
595 {
596 	char *ptr;
597 	size_t size = 64;
598 	size_t invalid_size = size;
599 
600 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
601 
602 	ptr = kmalloc(size, GFP_KERNEL);
603 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
604 
605 	memset((char *)ptr, 0, 64);
606 	OPTIMIZER_HIDE_VAR(ptr);
607 	OPTIMIZER_HIDE_VAR(invalid_size);
608 	KUNIT_EXPECT_KASAN_FAIL(test,
609 		memmove((char *)ptr, (char *)ptr + 4, invalid_size));
610 	kfree(ptr);
611 }
612 
613 static void kmalloc_uaf(struct kunit *test)
614 {
615 	char *ptr;
616 	size_t size = 10;
617 
618 	ptr = kmalloc(size, GFP_KERNEL);
619 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
620 
621 	kfree(ptr);
622 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[8]);
623 }
624 
625 static void kmalloc_uaf_memset(struct kunit *test)
626 {
627 	char *ptr;
628 	size_t size = 33;
629 
630 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
631 
632 	/*
633 	 * Only generic KASAN uses quarantine, which is required to avoid a
634 	 * kernel memory corruption this test causes.
635 	 */
636 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
637 
638 	ptr = kmalloc(size, GFP_KERNEL);
639 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
640 
641 	kfree(ptr);
642 	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
643 }
644 
645 static void kmalloc_uaf2(struct kunit *test)
646 {
647 	char *ptr1, *ptr2;
648 	size_t size = 43;
649 	int counter = 0;
650 
651 again:
652 	ptr1 = kmalloc(size, GFP_KERNEL);
653 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
654 
655 	kfree(ptr1);
656 
657 	ptr2 = kmalloc(size, GFP_KERNEL);
658 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
659 
660 	/*
661 	 * For tag-based KASAN ptr1 and ptr2 tags might happen to be the same.
662 	 * Allow up to 16 attempts at generating different tags.
663 	 */
664 	if (!IS_ENABLED(CONFIG_KASAN_GENERIC) && ptr1 == ptr2 && counter++ < 16) {
665 		kfree(ptr2);
666 		goto again;
667 	}
668 
669 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[40]);
670 	KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
671 
672 	kfree(ptr2);
673 }
674 
675 /*
676  * Check that KASAN detects use-after-free when another object was allocated in
677  * the same slot. Relevant for the tag-based modes, which do not use quarantine.
678  */
679 static void kmalloc_uaf3(struct kunit *test)
680 {
681 	char *ptr1, *ptr2;
682 	size_t size = 100;
683 
684 	/* This test is specifically crafted for tag-based modes. */
685 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
686 
687 	ptr1 = kmalloc(size, GFP_KERNEL);
688 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
689 	kfree(ptr1);
690 
691 	ptr2 = kmalloc(size, GFP_KERNEL);
692 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
693 	kfree(ptr2);
694 
695 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[8]);
696 }
697 
698 static void kfree_via_page(struct kunit *test)
699 {
700 	char *ptr;
701 	size_t size = 8;
702 	struct page *page;
703 	unsigned long offset;
704 
705 	ptr = kmalloc(size, GFP_KERNEL);
706 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
707 
708 	page = virt_to_page(ptr);
709 	offset = offset_in_page(ptr);
710 	kfree(page_address(page) + offset);
711 }
712 
713 static void kfree_via_phys(struct kunit *test)
714 {
715 	char *ptr;
716 	size_t size = 8;
717 	phys_addr_t phys;
718 
719 	ptr = kmalloc(size, GFP_KERNEL);
720 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
721 
722 	phys = virt_to_phys(ptr);
723 	kfree(phys_to_virt(phys));
724 }
725 
726 static void kmem_cache_oob(struct kunit *test)
727 {
728 	char *p;
729 	size_t size = 200;
730 	struct kmem_cache *cache;
731 
732 	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
733 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
734 
735 	p = kmem_cache_alloc(cache, GFP_KERNEL);
736 	if (!p) {
737 		kunit_err(test, "Allocation failed: %s\n", __func__);
738 		kmem_cache_destroy(cache);
739 		return;
740 	}
741 
742 	KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size + OOB_TAG_OFF]);
743 
744 	kmem_cache_free(cache, p);
745 	kmem_cache_destroy(cache);
746 }
747 
748 static void kmem_cache_accounted(struct kunit *test)
749 {
750 	int i;
751 	char *p;
752 	size_t size = 200;
753 	struct kmem_cache *cache;
754 
755 	cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
756 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
757 
758 	/*
759 	 * Several allocations with a delay to allow for lazy per memcg kmem
760 	 * cache creation.
761 	 */
762 	for (i = 0; i < 5; i++) {
763 		p = kmem_cache_alloc(cache, GFP_KERNEL);
764 		if (!p)
765 			goto free_cache;
766 
767 		kmem_cache_free(cache, p);
768 		msleep(100);
769 	}
770 
771 free_cache:
772 	kmem_cache_destroy(cache);
773 }
774 
775 static void kmem_cache_bulk(struct kunit *test)
776 {
777 	struct kmem_cache *cache;
778 	size_t size = 200;
779 	char *p[10];
780 	bool ret;
781 	int i;
782 
783 	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
784 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
785 
786 	ret = kmem_cache_alloc_bulk(cache, GFP_KERNEL, ARRAY_SIZE(p), (void **)&p);
787 	if (!ret) {
788 		kunit_err(test, "Allocation failed: %s\n", __func__);
789 		kmem_cache_destroy(cache);
790 		return;
791 	}
792 
793 	for (i = 0; i < ARRAY_SIZE(p); i++)
794 		p[i][0] = p[i][size - 1] = 42;
795 
796 	kmem_cache_free_bulk(cache, ARRAY_SIZE(p), (void **)&p);
797 	kmem_cache_destroy(cache);
798 }
799 
800 static char global_array[10];
801 
802 static void kasan_global_oob_right(struct kunit *test)
803 {
804 	/*
805 	 * Deliberate out-of-bounds access. To prevent CONFIG_UBSAN_LOCAL_BOUNDS
806 	 * from failing here and panicking the kernel, access the array via a
807 	 * volatile pointer, which will prevent the compiler from being able to
808 	 * determine the array bounds.
809 	 *
810 	 * This access uses a volatile pointer to char (char *volatile) rather
811 	 * than the more conventional pointer to volatile char (volatile char *)
812 	 * because we want to prevent the compiler from making inferences about
813 	 * the pointer itself (i.e. its array bounds), not the data that it
814 	 * refers to.
815 	 */
816 	char *volatile array = global_array;
817 	char *p = &array[ARRAY_SIZE(global_array) + 3];
818 
819 	/* Only generic mode instruments globals. */
820 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
821 
822 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
823 }
824 
825 static void kasan_global_oob_left(struct kunit *test)
826 {
827 	char *volatile array = global_array;
828 	char *p = array - 3;
829 
830 	/*
831 	 * GCC is known to fail this test, skip it.
832 	 * See https://bugzilla.kernel.org/show_bug.cgi?id=215051.
833 	 */
834 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_CC_IS_CLANG);
835 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
836 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
837 }
838 
839 /* Check that ksize() does NOT unpoison whole object. */
840 static void ksize_unpoisons_memory(struct kunit *test)
841 {
842 	char *ptr;
843 	size_t size = 128 - KASAN_GRANULE_SIZE - 5;
844 	size_t real_size;
845 
846 	ptr = kmalloc(size, GFP_KERNEL);
847 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
848 
849 	real_size = ksize(ptr);
850 	KUNIT_EXPECT_GT(test, real_size, size);
851 
852 	OPTIMIZER_HIDE_VAR(ptr);
853 
854 	/* These accesses shouldn't trigger a KASAN report. */
855 	ptr[0] = 'x';
856 	ptr[size - 1] = 'x';
857 
858 	/* These must trigger a KASAN report. */
859 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
860 		KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]);
861 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size + 5]);
862 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size - 1]);
863 
864 	kfree(ptr);
865 }
866 
867 /*
868  * Check that a use-after-free is detected by ksize() and via normal accesses
869  * after it.
870  */
871 static void ksize_uaf(struct kunit *test)
872 {
873 	char *ptr;
874 	int size = 128 - KASAN_GRANULE_SIZE;
875 
876 	ptr = kmalloc(size, GFP_KERNEL);
877 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
878 	kfree(ptr);
879 
880 	OPTIMIZER_HIDE_VAR(ptr);
881 	KUNIT_EXPECT_KASAN_FAIL(test, ksize(ptr));
882 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
883 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]);
884 }
885 
886 static void kasan_stack_oob(struct kunit *test)
887 {
888 	char stack_array[10];
889 	/* See comment in kasan_global_oob_right. */
890 	char *volatile array = stack_array;
891 	char *p = &array[ARRAY_SIZE(stack_array) + OOB_TAG_OFF];
892 
893 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
894 
895 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
896 }
897 
898 static void kasan_alloca_oob_left(struct kunit *test)
899 {
900 	volatile int i = 10;
901 	char alloca_array[i];
902 	/* See comment in kasan_global_oob_right. */
903 	char *volatile array = alloca_array;
904 	char *p = array - 1;
905 
906 	/* Only generic mode instruments dynamic allocas. */
907 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
908 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
909 
910 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
911 }
912 
913 static void kasan_alloca_oob_right(struct kunit *test)
914 {
915 	volatile int i = 10;
916 	char alloca_array[i];
917 	/* See comment in kasan_global_oob_right. */
918 	char *volatile array = alloca_array;
919 	char *p = array + i;
920 
921 	/* Only generic mode instruments dynamic allocas. */
922 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
923 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
924 
925 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
926 }
927 
928 static void kmem_cache_double_free(struct kunit *test)
929 {
930 	char *p;
931 	size_t size = 200;
932 	struct kmem_cache *cache;
933 
934 	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
935 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
936 
937 	p = kmem_cache_alloc(cache, GFP_KERNEL);
938 	if (!p) {
939 		kunit_err(test, "Allocation failed: %s\n", __func__);
940 		kmem_cache_destroy(cache);
941 		return;
942 	}
943 
944 	kmem_cache_free(cache, p);
945 	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p));
946 	kmem_cache_destroy(cache);
947 }
948 
949 static void kmem_cache_invalid_free(struct kunit *test)
950 {
951 	char *p;
952 	size_t size = 200;
953 	struct kmem_cache *cache;
954 
955 	cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
956 				  NULL);
957 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
958 
959 	p = kmem_cache_alloc(cache, GFP_KERNEL);
960 	if (!p) {
961 		kunit_err(test, "Allocation failed: %s\n", __func__);
962 		kmem_cache_destroy(cache);
963 		return;
964 	}
965 
966 	/* Trigger invalid free, the object doesn't get freed. */
967 	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
968 
969 	/*
970 	 * Properly free the object to prevent the "Objects remaining in
971 	 * test_cache on __kmem_cache_shutdown" BUG failure.
972 	 */
973 	kmem_cache_free(cache, p);
974 
975 	kmem_cache_destroy(cache);
976 }
977 
978 static void empty_cache_ctor(void *object) { }
979 
980 static void kmem_cache_double_destroy(struct kunit *test)
981 {
982 	struct kmem_cache *cache;
983 
984 	/* Provide a constructor to prevent cache merging. */
985 	cache = kmem_cache_create("test_cache", 200, 0, 0, empty_cache_ctor);
986 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
987 	kmem_cache_destroy(cache);
988 	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_destroy(cache));
989 }
990 
991 static void kasan_memchr(struct kunit *test)
992 {
993 	char *ptr;
994 	size_t size = 24;
995 
996 	/*
997 	 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
998 	 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
999 	 */
1000 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
1001 
1002 	if (OOB_TAG_OFF)
1003 		size = round_up(size, OOB_TAG_OFF);
1004 
1005 	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
1006 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1007 
1008 	OPTIMIZER_HIDE_VAR(ptr);
1009 	OPTIMIZER_HIDE_VAR(size);
1010 	KUNIT_EXPECT_KASAN_FAIL(test,
1011 		kasan_ptr_result = memchr(ptr, '1', size + 1));
1012 
1013 	kfree(ptr);
1014 }
1015 
1016 static void kasan_memcmp(struct kunit *test)
1017 {
1018 	char *ptr;
1019 	size_t size = 24;
1020 	int arr[9];
1021 
1022 	/*
1023 	 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
1024 	 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
1025 	 */
1026 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
1027 
1028 	if (OOB_TAG_OFF)
1029 		size = round_up(size, OOB_TAG_OFF);
1030 
1031 	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
1032 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1033 	memset(arr, 0, sizeof(arr));
1034 
1035 	OPTIMIZER_HIDE_VAR(ptr);
1036 	OPTIMIZER_HIDE_VAR(size);
1037 	KUNIT_EXPECT_KASAN_FAIL(test,
1038 		kasan_int_result = memcmp(ptr, arr, size+1));
1039 	kfree(ptr);
1040 }
1041 
1042 static void kasan_strings(struct kunit *test)
1043 {
1044 	char *ptr;
1045 	size_t size = 24;
1046 
1047 	/*
1048 	 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
1049 	 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
1050 	 */
1051 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
1052 
1053 	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
1054 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1055 
1056 	kfree(ptr);
1057 
1058 	/*
1059 	 * Try to cause only 1 invalid access (less spam in dmesg).
1060 	 * For that we need ptr to point to zeroed byte.
1061 	 * Skip metadata that could be stored in freed object so ptr
1062 	 * will likely point to zeroed byte.
1063 	 */
1064 	ptr += 16;
1065 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strchr(ptr, '1'));
1066 
1067 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strrchr(ptr, '1'));
1068 
1069 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strcmp(ptr, "2"));
1070 
1071 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1));
1072 
1073 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr));
1074 
1075 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1));
1076 }
1077 
1078 static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
1079 {
1080 	KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr));
1081 	KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr));
1082 	KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr));
1083 	KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr));
1084 	KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr));
1085 	KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr));
1086 	KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr));
1087 	KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr));
1088 }
1089 
1090 static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr)
1091 {
1092 	KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr));
1093 	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr));
1094 	KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr));
1095 	KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr));
1096 	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr));
1097 	KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr));
1098 	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr));
1099 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = test_bit(nr, addr));
1100 
1101 #if defined(clear_bit_unlock_is_negative_byte)
1102 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result =
1103 				clear_bit_unlock_is_negative_byte(nr, addr));
1104 #endif
1105 }
1106 
1107 static void kasan_bitops_generic(struct kunit *test)
1108 {
1109 	long *bits;
1110 
1111 	/* This test is specifically crafted for the generic mode. */
1112 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1113 
1114 	/*
1115 	 * Allocate 1 more byte, which causes kzalloc to round up to 16 bytes;
1116 	 * this way we do not actually corrupt other memory.
1117 	 */
1118 	bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
1119 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
1120 
1121 	/*
1122 	 * Below calls try to access bit within allocated memory; however, the
1123 	 * below accesses are still out-of-bounds, since bitops are defined to
1124 	 * operate on the whole long the bit is in.
1125 	 */
1126 	kasan_bitops_modify(test, BITS_PER_LONG, bits);
1127 
1128 	/*
1129 	 * Below calls try to access bit beyond allocated memory.
1130 	 */
1131 	kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits);
1132 
1133 	kfree(bits);
1134 }
1135 
1136 static void kasan_bitops_tags(struct kunit *test)
1137 {
1138 	long *bits;
1139 
1140 	/* This test is specifically crafted for tag-based modes. */
1141 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1142 
1143 	/* kmalloc-64 cache will be used and the last 16 bytes will be the redzone. */
1144 	bits = kzalloc(48, GFP_KERNEL);
1145 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
1146 
1147 	/* Do the accesses past the 48 allocated bytes, but within the redone. */
1148 	kasan_bitops_modify(test, BITS_PER_LONG, (void *)bits + 48);
1149 	kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, (void *)bits + 48);
1150 
1151 	kfree(bits);
1152 }
1153 
1154 static void kmalloc_double_kzfree(struct kunit *test)
1155 {
1156 	char *ptr;
1157 	size_t size = 16;
1158 
1159 	ptr = kmalloc(size, GFP_KERNEL);
1160 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1161 
1162 	kfree_sensitive(ptr);
1163 	KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
1164 }
1165 
1166 /*
1167  * The two tests below check that Generic KASAN prints auxiliary stack traces
1168  * for RCU callbacks and workqueues. The reports need to be inspected manually.
1169  *
1170  * These tests are still enabled for other KASAN modes to make sure that all
1171  * modes report bad accesses in tested scenarios.
1172  */
1173 
1174 static struct kasan_rcu_info {
1175 	int i;
1176 	struct rcu_head rcu;
1177 } *global_rcu_ptr;
1178 
1179 static void rcu_uaf_reclaim(struct rcu_head *rp)
1180 {
1181 	struct kasan_rcu_info *fp =
1182 		container_of(rp, struct kasan_rcu_info, rcu);
1183 
1184 	kfree(fp);
1185 	((volatile struct kasan_rcu_info *)fp)->i;
1186 }
1187 
1188 static void rcu_uaf(struct kunit *test)
1189 {
1190 	struct kasan_rcu_info *ptr;
1191 
1192 	ptr = kmalloc(sizeof(struct kasan_rcu_info), GFP_KERNEL);
1193 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1194 
1195 	global_rcu_ptr = rcu_dereference_protected(
1196 				(struct kasan_rcu_info __rcu *)ptr, NULL);
1197 
1198 	KUNIT_EXPECT_KASAN_FAIL(test,
1199 		call_rcu(&global_rcu_ptr->rcu, rcu_uaf_reclaim);
1200 		rcu_barrier());
1201 }
1202 
1203 static void workqueue_uaf_work(struct work_struct *work)
1204 {
1205 	kfree(work);
1206 }
1207 
1208 static void workqueue_uaf(struct kunit *test)
1209 {
1210 	struct workqueue_struct *workqueue;
1211 	struct work_struct *work;
1212 
1213 	workqueue = create_workqueue("kasan_workqueue_test");
1214 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, workqueue);
1215 
1216 	work = kmalloc(sizeof(struct work_struct), GFP_KERNEL);
1217 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, work);
1218 
1219 	INIT_WORK(work, workqueue_uaf_work);
1220 	queue_work(workqueue, work);
1221 	destroy_workqueue(workqueue);
1222 
1223 	KUNIT_EXPECT_KASAN_FAIL(test,
1224 		((volatile struct work_struct *)work)->data);
1225 }
1226 
1227 static void vmalloc_helpers_tags(struct kunit *test)
1228 {
1229 	void *ptr;
1230 
1231 	/* This test is intended for tag-based modes. */
1232 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1233 
1234 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1235 
1236 	ptr = vmalloc(PAGE_SIZE);
1237 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1238 
1239 	/* Check that the returned pointer is tagged. */
1240 	KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1241 	KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1242 
1243 	/* Make sure exported vmalloc helpers handle tagged pointers. */
1244 	KUNIT_ASSERT_TRUE(test, is_vmalloc_addr(ptr));
1245 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, vmalloc_to_page(ptr));
1246 
1247 #if !IS_MODULE(CONFIG_KASAN_KUNIT_TEST)
1248 	{
1249 		int rv;
1250 
1251 		/* Make sure vmalloc'ed memory permissions can be changed. */
1252 		rv = set_memory_ro((unsigned long)ptr, 1);
1253 		KUNIT_ASSERT_GE(test, rv, 0);
1254 		rv = set_memory_rw((unsigned long)ptr, 1);
1255 		KUNIT_ASSERT_GE(test, rv, 0);
1256 	}
1257 #endif
1258 
1259 	vfree(ptr);
1260 }
1261 
1262 static void vmalloc_oob(struct kunit *test)
1263 {
1264 	char *v_ptr, *p_ptr;
1265 	struct page *page;
1266 	size_t size = PAGE_SIZE / 2 - KASAN_GRANULE_SIZE - 5;
1267 
1268 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1269 
1270 	v_ptr = vmalloc(size);
1271 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1272 
1273 	OPTIMIZER_HIDE_VAR(v_ptr);
1274 
1275 	/*
1276 	 * We have to be careful not to hit the guard page in vmalloc tests.
1277 	 * The MMU will catch that and crash us.
1278 	 */
1279 
1280 	/* Make sure in-bounds accesses are valid. */
1281 	v_ptr[0] = 0;
1282 	v_ptr[size - 1] = 0;
1283 
1284 	/*
1285 	 * An unaligned access past the requested vmalloc size.
1286 	 * Only generic KASAN can precisely detect these.
1287 	 */
1288 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
1289 		KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size]);
1290 
1291 	/* An aligned access into the first out-of-bounds granule. */
1292 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size + 5]);
1293 
1294 	/* Check that in-bounds accesses to the physical page are valid. */
1295 	page = vmalloc_to_page(v_ptr);
1296 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page);
1297 	p_ptr = page_address(page);
1298 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1299 	p_ptr[0] = 0;
1300 
1301 	vfree(v_ptr);
1302 
1303 	/*
1304 	 * We can't check for use-after-unmap bugs in this nor in the following
1305 	 * vmalloc tests, as the page might be fully unmapped and accessing it
1306 	 * will crash the kernel.
1307 	 */
1308 }
1309 
1310 static void vmap_tags(struct kunit *test)
1311 {
1312 	char *p_ptr, *v_ptr;
1313 	struct page *p_page, *v_page;
1314 
1315 	/*
1316 	 * This test is specifically crafted for the software tag-based mode,
1317 	 * the only tag-based mode that poisons vmap mappings.
1318 	 */
1319 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1320 
1321 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1322 
1323 	p_page = alloc_pages(GFP_KERNEL, 1);
1324 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_page);
1325 	p_ptr = page_address(p_page);
1326 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1327 
1328 	v_ptr = vmap(&p_page, 1, VM_MAP, PAGE_KERNEL);
1329 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1330 
1331 	/*
1332 	 * We can't check for out-of-bounds bugs in this nor in the following
1333 	 * vmalloc tests, as allocations have page granularity and accessing
1334 	 * the guard page will crash the kernel.
1335 	 */
1336 
1337 	KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN);
1338 	KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL);
1339 
1340 	/* Make sure that in-bounds accesses through both pointers work. */
1341 	*p_ptr = 0;
1342 	*v_ptr = 0;
1343 
1344 	/* Make sure vmalloc_to_page() correctly recovers the page pointer. */
1345 	v_page = vmalloc_to_page(v_ptr);
1346 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_page);
1347 	KUNIT_EXPECT_PTR_EQ(test, p_page, v_page);
1348 
1349 	vunmap(v_ptr);
1350 	free_pages((unsigned long)p_ptr, 1);
1351 }
1352 
1353 static void vm_map_ram_tags(struct kunit *test)
1354 {
1355 	char *p_ptr, *v_ptr;
1356 	struct page *page;
1357 
1358 	/*
1359 	 * This test is specifically crafted for the software tag-based mode,
1360 	 * the only tag-based mode that poisons vm_map_ram mappings.
1361 	 */
1362 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1363 
1364 	page = alloc_pages(GFP_KERNEL, 1);
1365 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page);
1366 	p_ptr = page_address(page);
1367 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1368 
1369 	v_ptr = vm_map_ram(&page, 1, -1);
1370 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1371 
1372 	KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN);
1373 	KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL);
1374 
1375 	/* Make sure that in-bounds accesses through both pointers work. */
1376 	*p_ptr = 0;
1377 	*v_ptr = 0;
1378 
1379 	vm_unmap_ram(v_ptr, 1);
1380 	free_pages((unsigned long)p_ptr, 1);
1381 }
1382 
1383 static void vmalloc_percpu(struct kunit *test)
1384 {
1385 	char __percpu *ptr;
1386 	int cpu;
1387 
1388 	/*
1389 	 * This test is specifically crafted for the software tag-based mode,
1390 	 * the only tag-based mode that poisons percpu mappings.
1391 	 */
1392 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1393 
1394 	ptr = __alloc_percpu(PAGE_SIZE, PAGE_SIZE);
1395 
1396 	for_each_possible_cpu(cpu) {
1397 		char *c_ptr = per_cpu_ptr(ptr, cpu);
1398 
1399 		KUNIT_EXPECT_GE(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_MIN);
1400 		KUNIT_EXPECT_LT(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_KERNEL);
1401 
1402 		/* Make sure that in-bounds accesses don't crash the kernel. */
1403 		*c_ptr = 0;
1404 	}
1405 
1406 	free_percpu(ptr);
1407 }
1408 
1409 /*
1410  * Check that the assigned pointer tag falls within the [KASAN_TAG_MIN,
1411  * KASAN_TAG_KERNEL) range (note: excluding the match-all tag) for tag-based
1412  * modes.
1413  */
1414 static void match_all_not_assigned(struct kunit *test)
1415 {
1416 	char *ptr;
1417 	struct page *pages;
1418 	int i, size, order;
1419 
1420 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1421 
1422 	for (i = 0; i < 256; i++) {
1423 		size = get_random_u32_inclusive(1, 1024);
1424 		ptr = kmalloc(size, GFP_KERNEL);
1425 		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1426 		KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1427 		KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1428 		kfree(ptr);
1429 	}
1430 
1431 	for (i = 0; i < 256; i++) {
1432 		order = get_random_u32_inclusive(1, 4);
1433 		pages = alloc_pages(GFP_KERNEL, order);
1434 		ptr = page_address(pages);
1435 		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1436 		KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1437 		KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1438 		free_pages((unsigned long)ptr, order);
1439 	}
1440 
1441 	if (!IS_ENABLED(CONFIG_KASAN_VMALLOC))
1442 		return;
1443 
1444 	for (i = 0; i < 256; i++) {
1445 		size = get_random_u32_inclusive(1, 1024);
1446 		ptr = vmalloc(size);
1447 		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1448 		KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1449 		KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1450 		vfree(ptr);
1451 	}
1452 }
1453 
1454 /* Check that 0xff works as a match-all pointer tag for tag-based modes. */
1455 static void match_all_ptr_tag(struct kunit *test)
1456 {
1457 	char *ptr;
1458 	u8 tag;
1459 
1460 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1461 
1462 	ptr = kmalloc(128, GFP_KERNEL);
1463 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1464 
1465 	/* Backup the assigned tag. */
1466 	tag = get_tag(ptr);
1467 	KUNIT_EXPECT_NE(test, tag, (u8)KASAN_TAG_KERNEL);
1468 
1469 	/* Reset the tag to 0xff.*/
1470 	ptr = set_tag(ptr, KASAN_TAG_KERNEL);
1471 
1472 	/* This access shouldn't trigger a KASAN report. */
1473 	*ptr = 0;
1474 
1475 	/* Recover the pointer tag and free. */
1476 	ptr = set_tag(ptr, tag);
1477 	kfree(ptr);
1478 }
1479 
1480 /* Check that there are no match-all memory tags for tag-based modes. */
1481 static void match_all_mem_tag(struct kunit *test)
1482 {
1483 	char *ptr;
1484 	int tag;
1485 
1486 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1487 
1488 	ptr = kmalloc(128, GFP_KERNEL);
1489 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1490 	KUNIT_EXPECT_NE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1491 
1492 	/* For each possible tag value not matching the pointer tag. */
1493 	for (tag = KASAN_TAG_MIN; tag <= KASAN_TAG_KERNEL; tag++) {
1494 		if (tag == get_tag(ptr))
1495 			continue;
1496 
1497 		/* Mark the first memory granule with the chosen memory tag. */
1498 		kasan_poison(ptr, KASAN_GRANULE_SIZE, (u8)tag, false);
1499 
1500 		/* This access must cause a KASAN report. */
1501 		KUNIT_EXPECT_KASAN_FAIL(test, *ptr = 0);
1502 	}
1503 
1504 	/* Recover the memory tag and free. */
1505 	kasan_poison(ptr, KASAN_GRANULE_SIZE, get_tag(ptr), false);
1506 	kfree(ptr);
1507 }
1508 
1509 static struct kunit_case kasan_kunit_test_cases[] = {
1510 	KUNIT_CASE(kmalloc_oob_right),
1511 	KUNIT_CASE(kmalloc_oob_left),
1512 	KUNIT_CASE(kmalloc_node_oob_right),
1513 	KUNIT_CASE(kmalloc_pagealloc_oob_right),
1514 	KUNIT_CASE(kmalloc_pagealloc_uaf),
1515 	KUNIT_CASE(kmalloc_pagealloc_invalid_free),
1516 	KUNIT_CASE(pagealloc_oob_right),
1517 	KUNIT_CASE(pagealloc_uaf),
1518 	KUNIT_CASE(kmalloc_large_oob_right),
1519 	KUNIT_CASE(krealloc_more_oob),
1520 	KUNIT_CASE(krealloc_less_oob),
1521 	KUNIT_CASE(krealloc_pagealloc_more_oob),
1522 	KUNIT_CASE(krealloc_pagealloc_less_oob),
1523 	KUNIT_CASE(krealloc_uaf),
1524 	KUNIT_CASE(kmalloc_oob_16),
1525 	KUNIT_CASE(kmalloc_uaf_16),
1526 	KUNIT_CASE(kmalloc_oob_in_memset),
1527 	KUNIT_CASE(kmalloc_oob_memset_2),
1528 	KUNIT_CASE(kmalloc_oob_memset_4),
1529 	KUNIT_CASE(kmalloc_oob_memset_8),
1530 	KUNIT_CASE(kmalloc_oob_memset_16),
1531 	KUNIT_CASE(kmalloc_memmove_negative_size),
1532 	KUNIT_CASE(kmalloc_memmove_invalid_size),
1533 	KUNIT_CASE(kmalloc_uaf),
1534 	KUNIT_CASE(kmalloc_uaf_memset),
1535 	KUNIT_CASE(kmalloc_uaf2),
1536 	KUNIT_CASE(kmalloc_uaf3),
1537 	KUNIT_CASE(kfree_via_page),
1538 	KUNIT_CASE(kfree_via_phys),
1539 	KUNIT_CASE(kmem_cache_oob),
1540 	KUNIT_CASE(kmem_cache_accounted),
1541 	KUNIT_CASE(kmem_cache_bulk),
1542 	KUNIT_CASE(kasan_global_oob_right),
1543 	KUNIT_CASE(kasan_global_oob_left),
1544 	KUNIT_CASE(kasan_stack_oob),
1545 	KUNIT_CASE(kasan_alloca_oob_left),
1546 	KUNIT_CASE(kasan_alloca_oob_right),
1547 	KUNIT_CASE(ksize_unpoisons_memory),
1548 	KUNIT_CASE(ksize_uaf),
1549 	KUNIT_CASE(kmem_cache_double_free),
1550 	KUNIT_CASE(kmem_cache_invalid_free),
1551 	KUNIT_CASE(kmem_cache_double_destroy),
1552 	KUNIT_CASE(kasan_memchr),
1553 	KUNIT_CASE(kasan_memcmp),
1554 	KUNIT_CASE(kasan_strings),
1555 	KUNIT_CASE(kasan_bitops_generic),
1556 	KUNIT_CASE(kasan_bitops_tags),
1557 	KUNIT_CASE(kmalloc_double_kzfree),
1558 	KUNIT_CASE(rcu_uaf),
1559 	KUNIT_CASE(workqueue_uaf),
1560 	KUNIT_CASE(vmalloc_helpers_tags),
1561 	KUNIT_CASE(vmalloc_oob),
1562 	KUNIT_CASE(vmap_tags),
1563 	KUNIT_CASE(vm_map_ram_tags),
1564 	KUNIT_CASE(vmalloc_percpu),
1565 	KUNIT_CASE(match_all_not_assigned),
1566 	KUNIT_CASE(match_all_ptr_tag),
1567 	KUNIT_CASE(match_all_mem_tag),
1568 	{}
1569 };
1570 
1571 static struct kunit_suite kasan_kunit_test_suite = {
1572 	.name = "kasan",
1573 	.test_cases = kasan_kunit_test_cases,
1574 	.exit = kasan_test_exit,
1575 	.suite_init = kasan_suite_init,
1576 	.suite_exit = kasan_suite_exit,
1577 };
1578 
1579 kunit_test_suite(kasan_kunit_test_suite);
1580 
1581 MODULE_LICENSE("GPL");
1582