On Wed, 9 Mar 2022 at 09:19, 'Peng Liu' via kasan-dev <kasan-dev@xxxxxxxxxxxxxxxx> wrote:
>
> Kunit will create a new thread to run an actual test case, and the
> main process will wait for the completion of the actual test thread
> until overtime. The variable "struct kunit test" has local property
> in function kunit_try_catch_run, and will be used in the test case
> thread. Task kunit_try_catch_run will free "struct kunit test" when
> kunit runs overtime, but the actual test case is still run and a
> UAF bug will be triggered.
>
> The above problem has been observed both on a physical machine and
> on the qemu platform when running kfence kunit tests. The problem can be
> triggered when setting CONFIG_KFENCE_NUM_OBJECTS = 65535. Under
> this setting, the test case test_gfpzero will cost hours and kunit
> will run to overtime. The following shows the panic log.
>
> BUG: unable to handle page fault for address: ffffffff82d882e9
>
> Call Trace:
>  kunit_log_append+0x58/0xd0
>  ...
>  test_alloc.constprop.0.cold+0x6b/0x8a [kfence_test]
>  test_gfpzero.cold+0x61/0x8ab [kfence_test]
>  kunit_try_run_case+0x4c/0x70
>  kunit_generic_run_threadfn_adapter+0x11/0x20
>  kthread+0x166/0x190
>  ret_from_fork+0x22/0x30
> Kernel panic - not syncing: Fatal exception
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Ubuntu-1.8.2-1ubuntu1 04/01/2014
>
> To solve this problem, the test case thread should be stopped when
> the kunit frame runs overtime. The stop signal will be sent in function
> kunit_try_catch_run, and test_gfpzero will handle it.
>
> Signed-off-by: Peng Liu <liupeng256@xxxxxxxxxx>

Reviewed-by: Marco Elver <elver@xxxxxxxxxx>

Also Cc'ing more KUnit folks to double-check this is the right solution.

> ---
>  lib/kunit/try-catch.c   | 1 +
>  mm/kfence/kfence_test.c | 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c
> index be38a2c5ecc2..6b3d4db94077 100644
> --- a/lib/kunit/try-catch.c
> +++ b/lib/kunit/try-catch.c
> @@ -78,6 +78,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
>  	if (time_remaining == 0) {
>  		kunit_err(test, "try timed out\n");
>  		try_catch->try_result = -ETIMEDOUT;
> +		kthread_stop(task_struct);
>  	}
>  
>  	exit_code = try_catch->try_result;
> diff --git a/mm/kfence/kfence_test.c b/mm/kfence/kfence_test.c
> index 50dbb815a2a8..caed6b4eba94 100644
> --- a/mm/kfence/kfence_test.c
> +++ b/mm/kfence/kfence_test.c
> @@ -623,7 +623,7 @@ static void test_gfpzero(struct kunit *test)
>  			break;
>  		test_free(buf2);
>  
> -		if (i == CONFIG_KFENCE_NUM_OBJECTS) {
> +		if (kthread_should_stop() || (i == CONFIG_KFENCE_NUM_OBJECTS)) {
>  			kunit_warn(test, "giving up ... cannot get same object back\n");
>  			return;
>  		}
> --
> 2.18.0.huawei.25
>
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20220309083753.1561921-2-liupeng256%40huawei.com.
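Review bot: in the try-catch.c hunk, kthread_stop(task_struct) blocks until the test kthread exits, so the -ETIMEDOUT path only returns promptly if the test body polls kthread_should_stop(); a long-running test that never checks it is no longer freed out from under the thread (the UAF is gone) but kunit_try_catch_run will now wait on it indefinitely instead of reporting the timeout. Worth a comment above the call stating that the join is what keeps the on-stack `struct kunit` valid for the test thread, and it is worth confirming that `task_struct` is still a valid reference at this point if the thread can have exited on its own before the timeout check runs.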
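Review bot: in the kfence_test.c hunk, the stop request is folded into the "giving up ... cannot get same object back" branch, so a test aborted by the KUnit timeout logs the same warning as a genuine allocation-pattern failure; consider a separate message (or a plain `return`) for the `kthread_should_stop()` case so the log distinguishes "timed out and stopped" from "could not get the object back". Since the check is specific to test_gfpzero, any other KUnit test that loops for a long time remains un-stoppable; a generic helper in KUnit that tests can call from their loops would keep the timeout/stop contract in one place rather than in each test.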