The patch titled
Subject: lib/test_kasan.c: add roundtrip tests
has been added to the -mm tree. Its filename is
lib-test_kasan-add-roundtrip-tests.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/lib-test_kasan-add-roundtrip-tests.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/lib-test_kasan-add-roundtrip-tests.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Mark Rutland <mark.rutland@xxxxxxx>
Subject: lib/test_kasan.c: add roundtrip tests
In several places we need to be able to operate on pointers which have
gone via a roundtrip:
virt -> {phys,page} -> virt
With KASAN_SW_TAGS, we can't preserve the tag for SLUB objects, and the
{phys,page} -> virt conversion will use KASAN_TAG_KERNEL.
This patch adds tests to ensure that this works as expected, without
false positives which have recently been spotted [1,2] in testing.
[1] https://lore.kernel.org/linux-arm-kernel/20190819114420.2535-1-walter-zh.wu@xxxxxxxxxxxx/
[2] https://lore.kernel.org/linux-arm-kernel/20190819132347.GB9927@xxxxxxxxxxxxxxxxxxxxxxxxx/
Link: http://lkml.kernel.org/r/20190821153927.28630-1-mark.rutland@xxxxxxx
Signed-off-by: Mark Rutland <mark.rutland@xxxxxxx>
Reviewed-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Tested-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Acked-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
Cc: Alexander Potapenko <glider@xxxxxxxxxx>
Cc: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Cc: Will Deacon <will.deacon@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
lib/test_kasan.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
--- a/lib/test_kasan.c~lib-test_kasan-add-roundtrip-tests
+++ a/lib/test_kasan.c
@@ -19,6 +19,9 @@
#include <linux/string.h>
#include <linux/uaccess.h>
+#include <asm/io.h>
+#include <asm/page.h>
+
/*
* Note: test functions are marked noinline so that their names appear in
* reports.
@@ -337,6 +340,42 @@ static noinline void __init kmalloc_uaf2
kfree(ptr2);
}
+static noinline void __init kfree_via_page(void)
+{
+ char *ptr;
+ size_t size = 8;
+ struct page *page;
+ unsigned long offset;
+
+ pr_info("invalid-free false positive (via page)\n");
+ ptr = kmalloc(size, GFP_KERNEL);
+ if (!ptr) {
+ pr_err("Allocation failed\n");
+ return;
+ }
+
+ page = virt_to_page(ptr);
+ offset = offset_in_page(ptr);
+ kfree(page_address(page) + offset);
+}
+
+static noinline void __init kfree_via_phys(void)
+{
+ char *ptr;
+ size_t size = 8;
+ phys_addr_t phys;
+
+ pr_info("invalid-free false positive (via phys)\n");
+ ptr = kmalloc(size, GFP_KERNEL);
+ if (!ptr) {
+ pr_err("Allocation failed\n");
+ return;
+ }
+
+ phys = virt_to_phys(ptr);
+ kfree(phys_to_virt(phys));
+}
+
static noinline void __init kmem_cache_oob(void)
{
char *p;
@@ -737,6 +776,8 @@ static int __init kmalloc_tests_init(voi
kmalloc_uaf();
kmalloc_uaf_memset();
kmalloc_uaf2();
+ kfree_via_page();
+ kfree_via_phys();
kmem_cache_oob();
memcg_accounted_kmem_cache();
kasan_stack_oob();
_
Patches currently in -mm which might be from mark.rutland@xxxxxxx are
lib-test_kasan-add-roundtrip-tests.patch
mm-treewide-clarify-pgtable_page_ctordtor-naming.patch
