xref: /linux/mm/kasan/kasan_test_c.c (revision 566ab427f827b0256d3e8ce0235d088e6a9c28bd)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *
4  * Copyright (c) 2014 Samsung Electronics Co., Ltd.
5  * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
6  */
7 
8 #define pr_fmt(fmt) "kasan: test: " fmt
9 
10 #include <kunit/test.h>
11 #include <linux/bitops.h>
12 #include <linux/delay.h>
13 #include <linux/io.h>
14 #include <linux/kasan.h>
15 #include <linux/kernel.h>
16 #include <linux/mempool.h>
17 #include <linux/mm.h>
18 #include <linux/mman.h>
19 #include <linux/module.h>
20 #include <linux/printk.h>
21 #include <linux/random.h>
22 #include <linux/set_memory.h>
23 #include <linux/slab.h>
24 #include <linux/string.h>
25 #include <linux/tracepoint.h>
26 #include <linux/uaccess.h>
27 #include <linux/vmalloc.h>
28 #include <trace/events/printk.h>
29 
30 #include <asm/page.h>
31 
32 #include "kasan.h"
33 
34 #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
35 
36 static bool multishot;
37 
38 /* Fields set based on lines observed in the console. */
39 static struct {
40 	bool report_found;
41 	bool async_fault;
42 } test_status;
43 
44 /*
45  * Some tests use these global variables to store return values from function
46  * calls that could otherwise be eliminated by the compiler as dead code.
47  */
48 void *kasan_ptr_result;
49 int kasan_int_result;
50 
51 /* Probe for console output: obtains test_status lines of interest. */
52 static void probe_console(void *ignore, const char *buf, size_t len)
53 {
54 	if (strnstr(buf, "BUG: KASAN: ", len))
55 		WRITE_ONCE(test_status.report_found, true);
56 	else if (strnstr(buf, "Asynchronous fault: ", len))
57 		WRITE_ONCE(test_status.async_fault, true);
58 }
59 
60 static int kasan_suite_init(struct kunit_suite *suite)
61 {
62 	if (!kasan_enabled()) {
63 		pr_err("Can't run KASAN tests with KASAN disabled");
64 		return -1;
65 	}
66 
67 	/* Stop failing KUnit tests on KASAN reports. */
68 	kasan_kunit_test_suite_start();
69 
70 	/*
71 	 * Temporarily enable multi-shot mode. Otherwise, KASAN would only
72 	 * report the first detected bug and panic the kernel if panic_on_warn
73 	 * is enabled.
74 	 */
75 	multishot = kasan_save_enable_multi_shot();
76 
77 	register_trace_console(probe_console, NULL);
78 	return 0;
79 }
80 
81 static void kasan_suite_exit(struct kunit_suite *suite)
82 {
83 	kasan_kunit_test_suite_end();
84 	kasan_restore_multi_shot(multishot);
85 	unregister_trace_console(probe_console, NULL);
86 	tracepoint_synchronize_unregister();
87 }
88 
89 static void kasan_test_exit(struct kunit *test)
90 {
91 	KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found));
92 }
93 
94 /**
95  * KUNIT_EXPECT_KASAN_FAIL - check that the executed expression produces a
96  * KASAN report; causes a KUnit test failure otherwise.
97  *
98  * @test: Currently executing KUnit test.
99  * @expression: Expression that must produce a KASAN report.
100  *
101  * For hardware tag-based KASAN, when a synchronous tag fault happens, tag
102  * checking is auto-disabled. When this happens, this test handler reenables
103  * tag checking. As tag checking can be only disabled or enabled per CPU,
104  * this handler disables migration (preemption).
105  *
106  * Since the compiler doesn't see that the expression can change the test_status
107  * fields, it can reorder or optimize away the accesses to those fields.
108  * Use READ/WRITE_ONCE() for the accesses and compiler barriers around the
109  * expression to prevent that.
110  *
111  * In between KUNIT_EXPECT_KASAN_FAIL checks, test_status.report_found is kept
112  * as false. This allows detecting KASAN reports that happen outside of the
113  * checks by asserting !test_status.report_found at the start of
114  * KUNIT_EXPECT_KASAN_FAIL and in kasan_test_exit.
115  */
116 #define KUNIT_EXPECT_KASAN_FAIL(test, expression) do {			\
117 	if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) &&				\
118 	    kasan_sync_fault_possible())				\
119 		migrate_disable();					\
120 	KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found));	\
121 	barrier();							\
122 	expression;							\
123 	barrier();							\
124 	if (kasan_async_fault_possible())				\
125 		kasan_force_async_fault();				\
126 	if (!READ_ONCE(test_status.report_found)) {			\
127 		KUNIT_FAIL(test, KUNIT_SUBTEST_INDENT "KASAN failure "	\
128 				"expected in \"" #expression		\
129 				 "\", but none occurred");		\
130 	}								\
131 	if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) &&				\
132 	    kasan_sync_fault_possible()) {				\
133 		if (READ_ONCE(test_status.report_found) &&		\
134 		    !READ_ONCE(test_status.async_fault))		\
135 			kasan_enable_hw_tags();				\
136 		migrate_enable();					\
137 	}								\
138 	WRITE_ONCE(test_status.report_found, false);			\
139 	WRITE_ONCE(test_status.async_fault, false);			\
140 } while (0)
141 
142 #define KASAN_TEST_NEEDS_CONFIG_ON(test, config) do {			\
143 	if (!IS_ENABLED(config))					\
144 		kunit_skip((test), "Test requires " #config "=y");	\
145 } while (0)
146 
147 #define KASAN_TEST_NEEDS_CONFIG_OFF(test, config) do {			\
148 	if (IS_ENABLED(config))						\
149 		kunit_skip((test), "Test requires " #config "=n");	\
150 } while (0)
151 
152 #define KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test) do {		\
153 	if (IS_ENABLED(CONFIG_KASAN_HW_TAGS))				\
154 		break;  /* No compiler instrumentation. */		\
155 	if (IS_ENABLED(CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX))	\
156 		break;  /* Should always be instrumented! */		\
157 	if (IS_ENABLED(CONFIG_GENERIC_ENTRY))				\
158 		kunit_skip((test), "Test requires checked mem*()");	\
159 } while (0)
160 
161 static void kmalloc_oob_right(struct kunit *test)
162 {
163 	char *ptr;
164 	size_t size = 128 - KASAN_GRANULE_SIZE - 5;
165 
166 	ptr = kmalloc(size, GFP_KERNEL);
167 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
168 
169 	OPTIMIZER_HIDE_VAR(ptr);
170 	/*
171 	 * An unaligned access past the requested kmalloc size.
172 	 * Only generic KASAN can precisely detect these.
173 	 */
174 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
175 		KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x');
176 
177 	/*
178 	 * An aligned access into the first out-of-bounds granule that falls
179 	 * within the aligned kmalloc object.
180 	 */
181 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + 5] = 'y');
182 
183 	/* Out-of-bounds access past the aligned kmalloc object. */
184 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] =
185 					ptr[size + KASAN_GRANULE_SIZE + 5]);
186 
187 	kfree(ptr);
188 }
189 
190 static void kmalloc_oob_left(struct kunit *test)
191 {
192 	char *ptr;
193 	size_t size = 15;
194 
195 	ptr = kmalloc(size, GFP_KERNEL);
196 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
197 
198 	OPTIMIZER_HIDE_VAR(ptr);
199 	KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1));
200 	kfree(ptr);
201 }
202 
203 static void kmalloc_node_oob_right(struct kunit *test)
204 {
205 	char *ptr;
206 	size_t size = 4096;
207 
208 	ptr = kmalloc_node(size, GFP_KERNEL, 0);
209 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
210 
211 	OPTIMIZER_HIDE_VAR(ptr);
212 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]);
213 	kfree(ptr);
214 }
215 
216 /*
217  * Check that KASAN detects an out-of-bounds access for a big object allocated
218  * via kmalloc(). But not as big as to trigger the page_alloc fallback.
219  */
220 static void kmalloc_big_oob_right(struct kunit *test)
221 {
222 	char *ptr;
223 	size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
224 
225 	ptr = kmalloc(size, GFP_KERNEL);
226 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
227 
228 	OPTIMIZER_HIDE_VAR(ptr);
229 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
230 	kfree(ptr);
231 }
232 
233 /*
234  * The kmalloc_large_* tests below use kmalloc() to allocate a memory chunk
235  * that does not fit into the largest slab cache and therefore is allocated via
236  * the page_alloc fallback.
237  */
238 
239 static void kmalloc_large_oob_right(struct kunit *test)
240 {
241 	char *ptr;
242 	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
243 
244 	ptr = kmalloc(size, GFP_KERNEL);
245 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
246 
247 	OPTIMIZER_HIDE_VAR(ptr);
248 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0);
249 
250 	kfree(ptr);
251 }
252 
253 static void kmalloc_large_uaf(struct kunit *test)
254 {
255 	char *ptr;
256 	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
257 
258 	ptr = kmalloc(size, GFP_KERNEL);
259 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
260 	kfree(ptr);
261 
262 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
263 }
264 
265 static void kmalloc_large_invalid_free(struct kunit *test)
266 {
267 	char *ptr;
268 	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
269 
270 	ptr = kmalloc(size, GFP_KERNEL);
271 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
272 
273 	KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
274 }
275 
276 static void page_alloc_oob_right(struct kunit *test)
277 {
278 	char *ptr;
279 	struct page *pages;
280 	size_t order = 4;
281 	size_t size = (1UL << (PAGE_SHIFT + order));
282 
283 	/*
284 	 * With generic KASAN page allocations have no redzones, thus
285 	 * out-of-bounds detection is not guaranteed.
286 	 * See https://bugzilla.kernel.org/show_bug.cgi?id=210503.
287 	 */
288 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
289 
290 	pages = alloc_pages(GFP_KERNEL, order);
291 	ptr = page_address(pages);
292 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
293 
294 	KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]);
295 	free_pages((unsigned long)ptr, order);
296 }
297 
298 static void page_alloc_uaf(struct kunit *test)
299 {
300 	char *ptr;
301 	struct page *pages;
302 	size_t order = 4;
303 
304 	pages = alloc_pages(GFP_KERNEL, order);
305 	ptr = page_address(pages);
306 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
307 	free_pages((unsigned long)ptr, order);
308 
309 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
310 }
311 
312 static void krealloc_more_oob_helper(struct kunit *test,
313 					size_t size1, size_t size2)
314 {
315 	char *ptr1, *ptr2;
316 	size_t middle;
317 
318 	KUNIT_ASSERT_LT(test, size1, size2);
319 	middle = size1 + (size2 - size1) / 2;
320 
321 	ptr1 = kmalloc(size1, GFP_KERNEL);
322 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
323 
324 	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
325 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
326 
327 	/* Suppress -Warray-bounds warnings. */
328 	OPTIMIZER_HIDE_VAR(ptr2);
329 
330 	/* All offsets up to size2 must be accessible. */
331 	ptr2[size1 - 1] = 'x';
332 	ptr2[size1] = 'x';
333 	ptr2[middle] = 'x';
334 	ptr2[size2 - 1] = 'x';
335 
336 	/* Generic mode is precise, so unaligned size2 must be inaccessible. */
337 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
338 		KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');
339 
340 	/* For all modes first aligned offset after size2 must be inaccessible. */
341 	KUNIT_EXPECT_KASAN_FAIL(test,
342 		ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');
343 
344 	kfree(ptr2);
345 }
346 
347 static void krealloc_less_oob_helper(struct kunit *test,
348 					size_t size1, size_t size2)
349 {
350 	char *ptr1, *ptr2;
351 	size_t middle;
352 
353 	KUNIT_ASSERT_LT(test, size2, size1);
354 	middle = size2 + (size1 - size2) / 2;
355 
356 	ptr1 = kmalloc(size1, GFP_KERNEL);
357 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
358 
359 	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
360 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
361 
362 	/* Suppress -Warray-bounds warnings. */
363 	OPTIMIZER_HIDE_VAR(ptr2);
364 
365 	/* Must be accessible for all modes. */
366 	ptr2[size2 - 1] = 'x';
367 
368 	/* Generic mode is precise, so unaligned size2 must be inaccessible. */
369 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
370 		KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');
371 
372 	/* For all modes first aligned offset after size2 must be inaccessible. */
373 	KUNIT_EXPECT_KASAN_FAIL(test,
374 		ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');
375 
376 	/*
377 	 * For all modes all size2, middle, and size1 should land in separate
378 	 * granules and thus the latter two offsets should be inaccessible.
379 	 */
380 	KUNIT_EXPECT_LE(test, round_up(size2, KASAN_GRANULE_SIZE),
381 				round_down(middle, KASAN_GRANULE_SIZE));
382 	KUNIT_EXPECT_LE(test, round_up(middle, KASAN_GRANULE_SIZE),
383 				round_down(size1, KASAN_GRANULE_SIZE));
384 	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[middle] = 'x');
385 	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1 - 1] = 'x');
386 	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1] = 'x');
387 
388 	kfree(ptr2);
389 }
390 
391 static void krealloc_more_oob(struct kunit *test)
392 {
393 	krealloc_more_oob_helper(test, 201, 235);
394 }
395 
396 static void krealloc_less_oob(struct kunit *test)
397 {
398 	krealloc_less_oob_helper(test, 235, 201);
399 }
400 
401 static void krealloc_large_more_oob(struct kunit *test)
402 {
403 	krealloc_more_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 201,
404 					KMALLOC_MAX_CACHE_SIZE + 235);
405 }
406 
407 static void krealloc_large_less_oob(struct kunit *test)
408 {
409 	krealloc_less_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 235,
410 					KMALLOC_MAX_CACHE_SIZE + 201);
411 }
412 
413 /*
414  * Check that krealloc() detects a use-after-free, returns NULL,
415  * and doesn't unpoison the freed object.
416  */
417 static void krealloc_uaf(struct kunit *test)
418 {
419 	char *ptr1, *ptr2;
420 	int size1 = 201;
421 	int size2 = 235;
422 
423 	ptr1 = kmalloc(size1, GFP_KERNEL);
424 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
425 	kfree(ptr1);
426 
427 	KUNIT_EXPECT_KASAN_FAIL(test, ptr2 = krealloc(ptr1, size2, GFP_KERNEL));
428 	KUNIT_ASSERT_NULL(test, ptr2);
429 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)ptr1);
430 }
431 
432 static void kmalloc_oob_16(struct kunit *test)
433 {
434 	struct {
435 		u64 words[2];
436 	} *ptr1, *ptr2;
437 
438 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
439 
440 	/* This test is specifically crafted for the generic mode. */
441 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
442 
443 	/* RELOC_HIDE to prevent gcc from warning about short alloc */
444 	ptr1 = RELOC_HIDE(kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL), 0);
445 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
446 
447 	ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
448 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
449 
450 	OPTIMIZER_HIDE_VAR(ptr1);
451 	OPTIMIZER_HIDE_VAR(ptr2);
452 	KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
453 	kfree(ptr1);
454 	kfree(ptr2);
455 }
456 
457 static void kmalloc_uaf_16(struct kunit *test)
458 {
459 	struct {
460 		u64 words[2];
461 	} *ptr1, *ptr2;
462 
463 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
464 
465 	ptr1 = kmalloc(sizeof(*ptr1), GFP_KERNEL);
466 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
467 
468 	ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
469 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
470 	kfree(ptr2);
471 
472 	KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
473 	kfree(ptr1);
474 }
475 
476 /*
477  * Note: in the memset tests below, the written range touches both valid and
478  * invalid memory. This makes sure that the instrumentation does not only check
479  * the starting address but the whole range.
480  */
481 
482 static void kmalloc_oob_memset_2(struct kunit *test)
483 {
484 	char *ptr;
485 	size_t size = 128 - KASAN_GRANULE_SIZE;
486 	size_t memset_size = 2;
487 
488 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
489 
490 	ptr = kmalloc(size, GFP_KERNEL);
491 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
492 
493 	OPTIMIZER_HIDE_VAR(ptr);
494 	OPTIMIZER_HIDE_VAR(size);
495 	OPTIMIZER_HIDE_VAR(memset_size);
496 	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 1, 0, memset_size));
497 	kfree(ptr);
498 }
499 
500 static void kmalloc_oob_memset_4(struct kunit *test)
501 {
502 	char *ptr;
503 	size_t size = 128 - KASAN_GRANULE_SIZE;
504 	size_t memset_size = 4;
505 
506 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
507 
508 	ptr = kmalloc(size, GFP_KERNEL);
509 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
510 
511 	OPTIMIZER_HIDE_VAR(ptr);
512 	OPTIMIZER_HIDE_VAR(size);
513 	OPTIMIZER_HIDE_VAR(memset_size);
514 	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 3, 0, memset_size));
515 	kfree(ptr);
516 }
517 
518 static void kmalloc_oob_memset_8(struct kunit *test)
519 {
520 	char *ptr;
521 	size_t size = 128 - KASAN_GRANULE_SIZE;
522 	size_t memset_size = 8;
523 
524 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
525 
526 	ptr = kmalloc(size, GFP_KERNEL);
527 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
528 
529 	OPTIMIZER_HIDE_VAR(ptr);
530 	OPTIMIZER_HIDE_VAR(size);
531 	OPTIMIZER_HIDE_VAR(memset_size);
532 	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 7, 0, memset_size));
533 	kfree(ptr);
534 }
535 
536 static void kmalloc_oob_memset_16(struct kunit *test)
537 {
538 	char *ptr;
539 	size_t size = 128 - KASAN_GRANULE_SIZE;
540 	size_t memset_size = 16;
541 
542 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
543 
544 	ptr = kmalloc(size, GFP_KERNEL);
545 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
546 
547 	OPTIMIZER_HIDE_VAR(ptr);
548 	OPTIMIZER_HIDE_VAR(size);
549 	OPTIMIZER_HIDE_VAR(memset_size);
550 	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 15, 0, memset_size));
551 	kfree(ptr);
552 }
553 
554 static void kmalloc_oob_in_memset(struct kunit *test)
555 {
556 	char *ptr;
557 	size_t size = 128 - KASAN_GRANULE_SIZE;
558 
559 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
560 
561 	ptr = kmalloc(size, GFP_KERNEL);
562 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
563 
564 	OPTIMIZER_HIDE_VAR(ptr);
565 	OPTIMIZER_HIDE_VAR(size);
566 	KUNIT_EXPECT_KASAN_FAIL(test,
567 				memset(ptr, 0, size + KASAN_GRANULE_SIZE));
568 	kfree(ptr);
569 }
570 
571 static void kmalloc_memmove_negative_size(struct kunit *test)
572 {
573 	char *ptr;
574 	size_t size = 64;
575 	size_t invalid_size = -2;
576 
577 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
578 
579 	/*
580 	 * Hardware tag-based mode doesn't check memmove for negative size.
581 	 * As a result, this test introduces a side-effect memory corruption,
582 	 * which can result in a crash.
583 	 */
584 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS);
585 
586 	ptr = kmalloc(size, GFP_KERNEL);
587 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
588 
589 	memset((char *)ptr, 0, 64);
590 	OPTIMIZER_HIDE_VAR(ptr);
591 	OPTIMIZER_HIDE_VAR(invalid_size);
592 	KUNIT_EXPECT_KASAN_FAIL(test,
593 		memmove((char *)ptr, (char *)ptr + 4, invalid_size));
594 	kfree(ptr);
595 }
596 
597 static void kmalloc_memmove_invalid_size(struct kunit *test)
598 {
599 	char *ptr;
600 	size_t size = 64;
601 	size_t invalid_size = size;
602 
603 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
604 
605 	ptr = kmalloc(size, GFP_KERNEL);
606 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
607 
608 	memset((char *)ptr, 0, 64);
609 	OPTIMIZER_HIDE_VAR(ptr);
610 	OPTIMIZER_HIDE_VAR(invalid_size);
611 	KUNIT_EXPECT_KASAN_FAIL(test,
612 		memmove((char *)ptr, (char *)ptr + 4, invalid_size));
613 	kfree(ptr);
614 }
615 
616 static void kmalloc_uaf(struct kunit *test)
617 {
618 	char *ptr;
619 	size_t size = 10;
620 
621 	ptr = kmalloc(size, GFP_KERNEL);
622 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
623 
624 	kfree(ptr);
625 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[8]);
626 }
627 
628 static void kmalloc_uaf_memset(struct kunit *test)
629 {
630 	char *ptr;
631 	size_t size = 33;
632 
633 	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);
634 
635 	/*
636 	 * Only generic KASAN uses quarantine, which is required to avoid a
637 	 * kernel memory corruption this test causes.
638 	 */
639 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
640 
641 	ptr = kmalloc(size, GFP_KERNEL);
642 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
643 
644 	kfree(ptr);
645 	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
646 }
647 
648 static void kmalloc_uaf2(struct kunit *test)
649 {
650 	char *ptr1, *ptr2;
651 	size_t size = 43;
652 	int counter = 0;
653 
654 again:
655 	ptr1 = kmalloc(size, GFP_KERNEL);
656 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
657 
658 	kfree(ptr1);
659 
660 	ptr2 = kmalloc(size, GFP_KERNEL);
661 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
662 
663 	/*
664 	 * For tag-based KASAN ptr1 and ptr2 tags might happen to be the same.
665 	 * Allow up to 16 attempts at generating different tags.
666 	 */
667 	if (!IS_ENABLED(CONFIG_KASAN_GENERIC) && ptr1 == ptr2 && counter++ < 16) {
668 		kfree(ptr2);
669 		goto again;
670 	}
671 
672 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[40]);
673 	KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
674 
675 	kfree(ptr2);
676 }
677 
678 /*
679  * Check that KASAN detects use-after-free when another object was allocated in
680  * the same slot. Relevant for the tag-based modes, which do not use quarantine.
681  */
682 static void kmalloc_uaf3(struct kunit *test)
683 {
684 	char *ptr1, *ptr2;
685 	size_t size = 100;
686 
687 	/* This test is specifically crafted for tag-based modes. */
688 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
689 
690 	ptr1 = kmalloc(size, GFP_KERNEL);
691 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
692 	kfree(ptr1);
693 
694 	ptr2 = kmalloc(size, GFP_KERNEL);
695 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
696 	kfree(ptr2);
697 
698 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[8]);
699 }
700 
701 static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
702 {
703 	int *i_unsafe = unsafe;
704 
705 	KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe));
706 	KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
707 	KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe));
708 	KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));
709 
710 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe));
711 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
712 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
713 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
714 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
715 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
716 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
717 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
718 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
719 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
720 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
721 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
722 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
723 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
724 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
725 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
726 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
727 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
728 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
729 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
730 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
731 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
732 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
733 
734 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe));
735 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
736 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
737 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
738 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
739 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
740 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
741 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
742 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
743 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
744 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
745 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
746 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
747 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
748 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
749 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
750 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
751 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
752 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
753 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
754 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
755 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
756 	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
757 }
758 
759 static void kasan_atomics(struct kunit *test)
760 {
761 	void *a1, *a2;
762 
763 	/*
764 	 * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
765 	 * that the following 16 bytes will make up the redzone.
766 	 */
767 	a1 = kzalloc(48, GFP_KERNEL);
768 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
769 	a2 = kzalloc(sizeof(atomic_long_t), GFP_KERNEL);
770 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a2);
771 
772 	/* Use atomics to access the redzone. */
773 	kasan_atomics_helper(test, a1 + 48, a2);
774 
775 	kfree(a1);
776 	kfree(a2);
777 }
778 
779 static void kmalloc_double_kzfree(struct kunit *test)
780 {
781 	char *ptr;
782 	size_t size = 16;
783 
784 	ptr = kmalloc(size, GFP_KERNEL);
785 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
786 
787 	kfree_sensitive(ptr);
788 	KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
789 }
790 
791 /* Check that ksize() does NOT unpoison whole object. */
792 static void ksize_unpoisons_memory(struct kunit *test)
793 {
794 	char *ptr;
795 	size_t size = 128 - KASAN_GRANULE_SIZE - 5;
796 	size_t real_size;
797 
798 	ptr = kmalloc(size, GFP_KERNEL);
799 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
800 
801 	real_size = ksize(ptr);
802 	KUNIT_EXPECT_GT(test, real_size, size);
803 
804 	OPTIMIZER_HIDE_VAR(ptr);
805 
806 	/* These accesses shouldn't trigger a KASAN report. */
807 	ptr[0] = 'x';
808 	ptr[size - 1] = 'x';
809 
810 	/* These must trigger a KASAN report. */
811 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
812 		KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]);
813 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size + 5]);
814 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size - 1]);
815 
816 	kfree(ptr);
817 }
818 
819 /*
820  * Check that a use-after-free is detected by ksize() and via normal accesses
821  * after it.
822  */
823 static void ksize_uaf(struct kunit *test)
824 {
825 	char *ptr;
826 	int size = 128 - KASAN_GRANULE_SIZE;
827 
828 	ptr = kmalloc(size, GFP_KERNEL);
829 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
830 	kfree(ptr);
831 
832 	OPTIMIZER_HIDE_VAR(ptr);
833 	KUNIT_EXPECT_KASAN_FAIL(test, ksize(ptr));
834 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
835 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]);
836 }
837 
838 /*
839  * The two tests below check that Generic KASAN prints auxiliary stack traces
840  * for RCU callbacks and workqueues. The reports need to be inspected manually.
841  *
842  * These tests are still enabled for other KASAN modes to make sure that all
843  * modes report bad accesses in tested scenarios.
844  */
845 
846 static struct kasan_rcu_info {
847 	int i;
848 	struct rcu_head rcu;
849 } *global_rcu_ptr;
850 
851 static void rcu_uaf_reclaim(struct rcu_head *rp)
852 {
853 	struct kasan_rcu_info *fp =
854 		container_of(rp, struct kasan_rcu_info, rcu);
855 
856 	kfree(fp);
857 	((volatile struct kasan_rcu_info *)fp)->i;
858 }
859 
860 static void rcu_uaf(struct kunit *test)
861 {
862 	struct kasan_rcu_info *ptr;
863 
864 	ptr = kmalloc(sizeof(struct kasan_rcu_info), GFP_KERNEL);
865 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
866 
867 	global_rcu_ptr = rcu_dereference_protected(
868 				(struct kasan_rcu_info __rcu *)ptr, NULL);
869 
870 	KUNIT_EXPECT_KASAN_FAIL(test,
871 		call_rcu(&global_rcu_ptr->rcu, rcu_uaf_reclaim);
872 		rcu_barrier());
873 }
874 
875 static void workqueue_uaf_work(struct work_struct *work)
876 {
877 	kfree(work);
878 }
879 
880 static void workqueue_uaf(struct kunit *test)
881 {
882 	struct workqueue_struct *workqueue;
883 	struct work_struct *work;
884 
885 	workqueue = create_workqueue("kasan_workqueue_test");
886 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, workqueue);
887 
888 	work = kmalloc(sizeof(struct work_struct), GFP_KERNEL);
889 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, work);
890 
891 	INIT_WORK(work, workqueue_uaf_work);
892 	queue_work(workqueue, work);
893 	destroy_workqueue(workqueue);
894 
895 	KUNIT_EXPECT_KASAN_FAIL(test,
896 		((volatile struct work_struct *)work)->data);
897 }
898 
899 static void kfree_via_page(struct kunit *test)
900 {
901 	char *ptr;
902 	size_t size = 8;
903 	struct page *page;
904 	unsigned long offset;
905 
906 	ptr = kmalloc(size, GFP_KERNEL);
907 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
908 
909 	page = virt_to_page(ptr);
910 	offset = offset_in_page(ptr);
911 	kfree(page_address(page) + offset);
912 }
913 
914 static void kfree_via_phys(struct kunit *test)
915 {
916 	char *ptr;
917 	size_t size = 8;
918 	phys_addr_t phys;
919 
920 	ptr = kmalloc(size, GFP_KERNEL);
921 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
922 
923 	phys = virt_to_phys(ptr);
924 	kfree(phys_to_virt(phys));
925 }
926 
927 static void kmem_cache_oob(struct kunit *test)
928 {
929 	char *p;
930 	size_t size = 200;
931 	struct kmem_cache *cache;
932 
933 	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
934 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
935 
936 	p = kmem_cache_alloc(cache, GFP_KERNEL);
937 	if (!p) {
938 		kunit_err(test, "Allocation failed: %s\n", __func__);
939 		kmem_cache_destroy(cache);
940 		return;
941 	}
942 
943 	KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size + OOB_TAG_OFF]);
944 
945 	kmem_cache_free(cache, p);
946 	kmem_cache_destroy(cache);
947 }
948 
949 static void kmem_cache_double_free(struct kunit *test)
950 {
951 	char *p;
952 	size_t size = 200;
953 	struct kmem_cache *cache;
954 
955 	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
956 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
957 
958 	p = kmem_cache_alloc(cache, GFP_KERNEL);
959 	if (!p) {
960 		kunit_err(test, "Allocation failed: %s\n", __func__);
961 		kmem_cache_destroy(cache);
962 		return;
963 	}
964 
965 	kmem_cache_free(cache, p);
966 	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p));
967 	kmem_cache_destroy(cache);
968 }
969 
970 static void kmem_cache_invalid_free(struct kunit *test)
971 {
972 	char *p;
973 	size_t size = 200;
974 	struct kmem_cache *cache;
975 
976 	cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
977 				  NULL);
978 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
979 
980 	p = kmem_cache_alloc(cache, GFP_KERNEL);
981 	if (!p) {
982 		kunit_err(test, "Allocation failed: %s\n", __func__);
983 		kmem_cache_destroy(cache);
984 		return;
985 	}
986 
987 	/* Trigger invalid free, the object doesn't get freed. */
988 	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
989 
990 	/*
991 	 * Properly free the object to prevent the "Objects remaining in
992 	 * test_cache on __kmem_cache_shutdown" BUG failure.
993 	 */
994 	kmem_cache_free(cache, p);
995 
996 	kmem_cache_destroy(cache);
997 }
998 
999 static void kmem_cache_rcu_uaf(struct kunit *test)
1000 {
1001 	char *p;
1002 	size_t size = 200;
1003 	struct kmem_cache *cache;
1004 
1005 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB_RCU_DEBUG);
1006 
1007 	cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
1008 				  NULL);
1009 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
1010 
1011 	p = kmem_cache_alloc(cache, GFP_KERNEL);
1012 	if (!p) {
1013 		kunit_err(test, "Allocation failed: %s\n", __func__);
1014 		kmem_cache_destroy(cache);
1015 		return;
1016 	}
1017 	*p = 1;
1018 
1019 	rcu_read_lock();
1020 
1021 	/* Free the object - this will internally schedule an RCU callback. */
1022 	kmem_cache_free(cache, p);
1023 
1024 	/*
1025 	 * We should still be allowed to access the object at this point because
1026 	 * the cache is SLAB_TYPESAFE_BY_RCU and we've been in an RCU read-side
1027 	 * critical section since before the kmem_cache_free().
1028 	 */
1029 	READ_ONCE(*p);
1030 
1031 	rcu_read_unlock();
1032 
1033 	/*
1034 	 * Wait for the RCU callback to execute; after this, the object should
1035 	 * have actually been freed from KASAN's perspective.
1036 	 */
1037 	rcu_barrier();
1038 
1039 	KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*p));
1040 
1041 	kmem_cache_destroy(cache);
1042 }
1043 
1044 static void empty_cache_ctor(void *object) { }
1045 
1046 static void kmem_cache_double_destroy(struct kunit *test)
1047 {
1048 	struct kmem_cache *cache;
1049 
1050 	/* Provide a constructor to prevent cache merging. */
1051 	cache = kmem_cache_create("test_cache", 200, 0, 0, empty_cache_ctor);
1052 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
1053 	kmem_cache_destroy(cache);
1054 	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_destroy(cache));
1055 }
1056 
1057 static void kmem_cache_accounted(struct kunit *test)
1058 {
1059 	int i;
1060 	char *p;
1061 	size_t size = 200;
1062 	struct kmem_cache *cache;
1063 
1064 	cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
1065 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
1066 
1067 	/*
1068 	 * Several allocations with a delay to allow for lazy per memcg kmem
1069 	 * cache creation.
1070 	 */
1071 	for (i = 0; i < 5; i++) {
1072 		p = kmem_cache_alloc(cache, GFP_KERNEL);
1073 		if (!p)
1074 			goto free_cache;
1075 
1076 		kmem_cache_free(cache, p);
1077 		msleep(100);
1078 	}
1079 
1080 free_cache:
1081 	kmem_cache_destroy(cache);
1082 }
1083 
1084 static void kmem_cache_bulk(struct kunit *test)
1085 {
1086 	struct kmem_cache *cache;
1087 	size_t size = 200;
1088 	char *p[10];
1089 	bool ret;
1090 	int i;
1091 
1092 	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
1093 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
1094 
1095 	ret = kmem_cache_alloc_bulk(cache, GFP_KERNEL, ARRAY_SIZE(p), (void **)&p);
1096 	if (!ret) {
1097 		kunit_err(test, "Allocation failed: %s\n", __func__);
1098 		kmem_cache_destroy(cache);
1099 		return;
1100 	}
1101 
1102 	for (i = 0; i < ARRAY_SIZE(p); i++)
1103 		p[i][0] = p[i][size - 1] = 42;
1104 
1105 	kmem_cache_free_bulk(cache, ARRAY_SIZE(p), (void **)&p);
1106 	kmem_cache_destroy(cache);
1107 }
1108 
1109 static void *mempool_prepare_kmalloc(struct kunit *test, mempool_t *pool, size_t size)
1110 {
1111 	int pool_size = 4;
1112 	int ret;
1113 	void *elem;
1114 
1115 	memset(pool, 0, sizeof(*pool));
1116 	ret = mempool_init_kmalloc_pool(pool, pool_size, size);
1117 	KUNIT_ASSERT_EQ(test, ret, 0);
1118 
1119 	/*
1120 	 * Allocate one element to prevent mempool from freeing elements to the
1121 	 * underlying allocator and instead make it add them to the element
1122 	 * list when the tests trigger double-free and invalid-free bugs.
1123 	 * This allows testing KASAN annotations in add_element().
1124 	 */
1125 	elem = mempool_alloc_preallocated(pool);
1126 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1127 
1128 	return elem;
1129 }
1130 
1131 static struct kmem_cache *mempool_prepare_slab(struct kunit *test, mempool_t *pool, size_t size)
1132 {
1133 	struct kmem_cache *cache;
1134 	int pool_size = 4;
1135 	int ret;
1136 
1137 	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
1138 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
1139 
1140 	memset(pool, 0, sizeof(*pool));
1141 	ret = mempool_init_slab_pool(pool, pool_size, cache);
1142 	KUNIT_ASSERT_EQ(test, ret, 0);
1143 
1144 	/*
1145 	 * Do not allocate one preallocated element, as we skip the double-free
1146 	 * and invalid-free tests for slab mempool for simplicity.
1147 	 */
1148 
1149 	return cache;
1150 }
1151 
1152 static void *mempool_prepare_page(struct kunit *test, mempool_t *pool, int order)
1153 {
1154 	int pool_size = 4;
1155 	int ret;
1156 	void *elem;
1157 
1158 	memset(pool, 0, sizeof(*pool));
1159 	ret = mempool_init_page_pool(pool, pool_size, order);
1160 	KUNIT_ASSERT_EQ(test, ret, 0);
1161 
1162 	elem = mempool_alloc_preallocated(pool);
1163 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1164 
1165 	return elem;
1166 }
1167 
1168 static void mempool_oob_right_helper(struct kunit *test, mempool_t *pool, size_t size)
1169 {
1170 	char *elem;
1171 
1172 	elem = mempool_alloc_preallocated(pool);
1173 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1174 
1175 	OPTIMIZER_HIDE_VAR(elem);
1176 
1177 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
1178 		KUNIT_EXPECT_KASAN_FAIL(test,
1179 			((volatile char *)&elem[size])[0]);
1180 	else
1181 		KUNIT_EXPECT_KASAN_FAIL(test,
1182 			((volatile char *)&elem[round_up(size, KASAN_GRANULE_SIZE)])[0]);
1183 
1184 	mempool_free(elem, pool);
1185 }
1186 
1187 static void mempool_kmalloc_oob_right(struct kunit *test)
1188 {
1189 	mempool_t pool;
1190 	size_t size = 128 - KASAN_GRANULE_SIZE - 5;
1191 	void *extra_elem;
1192 
1193 	extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1194 
1195 	mempool_oob_right_helper(test, &pool, size);
1196 
1197 	mempool_free(extra_elem, &pool);
1198 	mempool_exit(&pool);
1199 }
1200 
1201 static void mempool_kmalloc_large_oob_right(struct kunit *test)
1202 {
1203 	mempool_t pool;
1204 	size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
1205 	void *extra_elem;
1206 
1207 	extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1208 
1209 	mempool_oob_right_helper(test, &pool, size);
1210 
1211 	mempool_free(extra_elem, &pool);
1212 	mempool_exit(&pool);
1213 }
1214 
1215 static void mempool_slab_oob_right(struct kunit *test)
1216 {
1217 	mempool_t pool;
1218 	size_t size = 123;
1219 	struct kmem_cache *cache;
1220 
1221 	cache = mempool_prepare_slab(test, &pool, size);
1222 
1223 	mempool_oob_right_helper(test, &pool, size);
1224 
1225 	mempool_exit(&pool);
1226 	kmem_cache_destroy(cache);
1227 }
1228 
1229 /*
1230  * Skip the out-of-bounds test for page mempool. With Generic KASAN, page
1231  * allocations have no redzones, and thus the out-of-bounds detection is not
1232  * guaranteed; see https://bugzilla.kernel.org/show_bug.cgi?id=210503. With
1233  * the tag-based KASAN modes, the neighboring allocation might have the same
1234  * tag; see https://bugzilla.kernel.org/show_bug.cgi?id=203505.
1235  */
1236 
1237 static void mempool_uaf_helper(struct kunit *test, mempool_t *pool, bool page)
1238 {
1239 	char *elem, *ptr;
1240 
1241 	elem = mempool_alloc_preallocated(pool);
1242 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1243 
1244 	mempool_free(elem, pool);
1245 
1246 	ptr = page ? page_address((struct page *)elem) : elem;
1247 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
1248 }
1249 
1250 static void mempool_kmalloc_uaf(struct kunit *test)
1251 {
1252 	mempool_t pool;
1253 	size_t size = 128;
1254 	void *extra_elem;
1255 
1256 	extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1257 
1258 	mempool_uaf_helper(test, &pool, false);
1259 
1260 	mempool_free(extra_elem, &pool);
1261 	mempool_exit(&pool);
1262 }
1263 
1264 static void mempool_kmalloc_large_uaf(struct kunit *test)
1265 {
1266 	mempool_t pool;
1267 	size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
1268 	void *extra_elem;
1269 
1270 	extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1271 
1272 	mempool_uaf_helper(test, &pool, false);
1273 
1274 	mempool_free(extra_elem, &pool);
1275 	mempool_exit(&pool);
1276 }
1277 
1278 static void mempool_slab_uaf(struct kunit *test)
1279 {
1280 	mempool_t pool;
1281 	size_t size = 123;
1282 	struct kmem_cache *cache;
1283 
1284 	cache = mempool_prepare_slab(test, &pool, size);
1285 
1286 	mempool_uaf_helper(test, &pool, false);
1287 
1288 	mempool_exit(&pool);
1289 	kmem_cache_destroy(cache);
1290 }
1291 
1292 static void mempool_page_alloc_uaf(struct kunit *test)
1293 {
1294 	mempool_t pool;
1295 	int order = 2;
1296 	void *extra_elem;
1297 
1298 	extra_elem = mempool_prepare_page(test, &pool, order);
1299 
1300 	mempool_uaf_helper(test, &pool, true);
1301 
1302 	mempool_free(extra_elem, &pool);
1303 	mempool_exit(&pool);
1304 }
1305 
1306 static void mempool_double_free_helper(struct kunit *test, mempool_t *pool)
1307 {
1308 	char *elem;
1309 
1310 	elem = mempool_alloc_preallocated(pool);
1311 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1312 
1313 	mempool_free(elem, pool);
1314 
1315 	KUNIT_EXPECT_KASAN_FAIL(test, mempool_free(elem, pool));
1316 }
1317 
1318 static void mempool_kmalloc_double_free(struct kunit *test)
1319 {
1320 	mempool_t pool;
1321 	size_t size = 128;
1322 	char *extra_elem;
1323 
1324 	extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1325 
1326 	mempool_double_free_helper(test, &pool);
1327 
1328 	mempool_free(extra_elem, &pool);
1329 	mempool_exit(&pool);
1330 }
1331 
1332 static void mempool_kmalloc_large_double_free(struct kunit *test)
1333 {
1334 	mempool_t pool;
1335 	size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
1336 	char *extra_elem;
1337 
1338 	extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1339 
1340 	mempool_double_free_helper(test, &pool);
1341 
1342 	mempool_free(extra_elem, &pool);
1343 	mempool_exit(&pool);
1344 }
1345 
1346 static void mempool_page_alloc_double_free(struct kunit *test)
1347 {
1348 	mempool_t pool;
1349 	int order = 2;
1350 	char *extra_elem;
1351 
1352 	extra_elem = mempool_prepare_page(test, &pool, order);
1353 
1354 	mempool_double_free_helper(test, &pool);
1355 
1356 	mempool_free(extra_elem, &pool);
1357 	mempool_exit(&pool);
1358 }
1359 
1360 static void mempool_kmalloc_invalid_free_helper(struct kunit *test, mempool_t *pool)
1361 {
1362 	char *elem;
1363 
1364 	elem = mempool_alloc_preallocated(pool);
1365 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);
1366 
1367 	KUNIT_EXPECT_KASAN_FAIL(test, mempool_free(elem + 1, pool));
1368 
1369 	mempool_free(elem, pool);
1370 }
1371 
1372 static void mempool_kmalloc_invalid_free(struct kunit *test)
1373 {
1374 	mempool_t pool;
1375 	size_t size = 128;
1376 	char *extra_elem;
1377 
1378 	extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1379 
1380 	mempool_kmalloc_invalid_free_helper(test, &pool);
1381 
1382 	mempool_free(extra_elem, &pool);
1383 	mempool_exit(&pool);
1384 }
1385 
1386 static void mempool_kmalloc_large_invalid_free(struct kunit *test)
1387 {
1388 	mempool_t pool;
1389 	size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
1390 	char *extra_elem;
1391 
1392 	extra_elem = mempool_prepare_kmalloc(test, &pool, size);
1393 
1394 	mempool_kmalloc_invalid_free_helper(test, &pool);
1395 
1396 	mempool_free(extra_elem, &pool);
1397 	mempool_exit(&pool);
1398 }
1399 
1400 /*
1401  * Skip the invalid-free test for page mempool. The invalid-free detection only
1402  * works for compound pages and mempool preallocates all page elements without
1403  * the __GFP_COMP flag.
1404  */
1405 
1406 static char global_array[10];
1407 
1408 static void kasan_global_oob_right(struct kunit *test)
1409 {
1410 	/*
1411 	 * Deliberate out-of-bounds access. To prevent CONFIG_UBSAN_LOCAL_BOUNDS
1412 	 * from failing here and panicking the kernel, access the array via a
1413 	 * volatile pointer, which will prevent the compiler from being able to
1414 	 * determine the array bounds.
1415 	 *
1416 	 * This access uses a volatile pointer to char (char *volatile) rather
1417 	 * than the more conventional pointer to volatile char (volatile char *)
1418 	 * because we want to prevent the compiler from making inferences about
1419 	 * the pointer itself (i.e. its array bounds), not the data that it
1420 	 * refers to.
1421 	 */
1422 	char *volatile array = global_array;
1423 	char *p = &array[ARRAY_SIZE(global_array) + 3];
1424 
1425 	/* Only generic mode instruments globals. */
1426 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1427 
1428 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
1429 }
1430 
1431 static void kasan_global_oob_left(struct kunit *test)
1432 {
1433 	char *volatile array = global_array;
1434 	char *p = array - 3;
1435 
1436 	/*
1437 	 * GCC is known to fail this test, skip it.
1438 	 * See https://bugzilla.kernel.org/show_bug.cgi?id=215051.
1439 	 */
1440 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_CC_IS_CLANG);
1441 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1442 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
1443 }
1444 
1445 static void kasan_stack_oob(struct kunit *test)
1446 {
1447 	char stack_array[10];
1448 	/* See comment in kasan_global_oob_right. */
1449 	char *volatile array = stack_array;
1450 	char *p = &array[ARRAY_SIZE(stack_array) + OOB_TAG_OFF];
1451 
1452 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
1453 
1454 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
1455 }
1456 
1457 static void kasan_alloca_oob_left(struct kunit *test)
1458 {
1459 	volatile int i = 10;
1460 	char alloca_array[i];
1461 	/* See comment in kasan_global_oob_right. */
1462 	char *volatile array = alloca_array;
1463 	char *p = array - 1;
1464 
1465 	/* Only generic mode instruments dynamic allocas. */
1466 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1467 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
1468 
1469 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
1470 }
1471 
1472 static void kasan_alloca_oob_right(struct kunit *test)
1473 {
1474 	volatile int i = 10;
1475 	char alloca_array[i];
1476 	/* See comment in kasan_global_oob_right. */
1477 	char *volatile array = alloca_array;
1478 	char *p = array + i;
1479 
1480 	/* Only generic mode instruments dynamic allocas. */
1481 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1482 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
1483 
1484 	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
1485 }
1486 
1487 static void kasan_memchr(struct kunit *test)
1488 {
1489 	char *ptr;
1490 	size_t size = 24;
1491 
1492 	/*
1493 	 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
1494 	 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
1495 	 */
1496 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
1497 
1498 	if (OOB_TAG_OFF)
1499 		size = round_up(size, OOB_TAG_OFF);
1500 
1501 	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
1502 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1503 
1504 	OPTIMIZER_HIDE_VAR(ptr);
1505 	OPTIMIZER_HIDE_VAR(size);
1506 	KUNIT_EXPECT_KASAN_FAIL(test,
1507 		kasan_ptr_result = memchr(ptr, '1', size + 1));
1508 
1509 	kfree(ptr);
1510 }
1511 
1512 static void kasan_memcmp(struct kunit *test)
1513 {
1514 	char *ptr;
1515 	size_t size = 24;
1516 	int arr[9];
1517 
1518 	/*
1519 	 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
1520 	 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
1521 	 */
1522 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
1523 
1524 	if (OOB_TAG_OFF)
1525 		size = round_up(size, OOB_TAG_OFF);
1526 
1527 	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
1528 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1529 	memset(arr, 0, sizeof(arr));
1530 
1531 	OPTIMIZER_HIDE_VAR(ptr);
1532 	OPTIMIZER_HIDE_VAR(size);
1533 	KUNIT_EXPECT_KASAN_FAIL(test,
1534 		kasan_int_result = memcmp(ptr, arr, size+1));
1535 	kfree(ptr);
1536 }
1537 
1538 static void kasan_strings(struct kunit *test)
1539 {
1540 	char *ptr;
1541 	size_t size = 24;
1542 
1543 	/*
1544 	 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
1545 	 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
1546 	 */
1547 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
1548 
1549 	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
1550 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1551 
1552 	kfree(ptr);
1553 
1554 	/*
1555 	 * Try to cause only 1 invalid access (less spam in dmesg).
1556 	 * For that we need ptr to point to zeroed byte.
1557 	 * Skip metadata that could be stored in freed object so ptr
1558 	 * will likely point to zeroed byte.
1559 	 */
1560 	ptr += 16;
1561 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strchr(ptr, '1'));
1562 
1563 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strrchr(ptr, '1'));
1564 
1565 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strcmp(ptr, "2"));
1566 
1567 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1));
1568 
1569 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr));
1570 
1571 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1));
1572 }
1573 
1574 static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
1575 {
1576 	KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr));
1577 	KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr));
1578 	KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr));
1579 	KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr));
1580 	KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr));
1581 	KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr));
1582 	KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr));
1583 	KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr));
1584 }
1585 
1586 static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr)
1587 {
1588 	KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr));
1589 	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr));
1590 	KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr));
1591 	KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr));
1592 	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr));
1593 	KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr));
1594 	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr));
1595 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = test_bit(nr, addr));
1596 	if (nr < 7)
1597 		KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result =
1598 				xor_unlock_is_negative_byte(1 << nr, addr));
1599 }
1600 
1601 static void kasan_bitops_generic(struct kunit *test)
1602 {
1603 	long *bits;
1604 
1605 	/* This test is specifically crafted for the generic mode. */
1606 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1607 
1608 	/*
1609 	 * Allocate 1 more byte, which causes kzalloc to round up to 16 bytes;
1610 	 * this way we do not actually corrupt other memory.
1611 	 */
1612 	bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
1613 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
1614 
1615 	/*
1616 	 * Below calls try to access bit within allocated memory; however, the
1617 	 * below accesses are still out-of-bounds, since bitops are defined to
1618 	 * operate on the whole long the bit is in.
1619 	 */
1620 	kasan_bitops_modify(test, BITS_PER_LONG, bits);
1621 
1622 	/*
1623 	 * Below calls try to access bit beyond allocated memory.
1624 	 */
1625 	kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits);
1626 
1627 	kfree(bits);
1628 }
1629 
1630 static void kasan_bitops_tags(struct kunit *test)
1631 {
1632 	long *bits;
1633 
1634 	/* This test is specifically crafted for tag-based modes. */
1635 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1636 
1637 	/* kmalloc-64 cache will be used and the last 16 bytes will be the redzone. */
1638 	bits = kzalloc(48, GFP_KERNEL);
1639 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
1640 
1641 	/* Do the accesses past the 48 allocated bytes, but within the redone. */
1642 	kasan_bitops_modify(test, BITS_PER_LONG, (void *)bits + 48);
1643 	kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, (void *)bits + 48);
1644 
1645 	kfree(bits);
1646 }
1647 
1648 static void vmalloc_helpers_tags(struct kunit *test)
1649 {
1650 	void *ptr;
1651 
1652 	/* This test is intended for tag-based modes. */
1653 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1654 
1655 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1656 
1657 	if (!kasan_vmalloc_enabled())
1658 		kunit_skip(test, "Test requires kasan.vmalloc=on");
1659 
1660 	ptr = vmalloc(PAGE_SIZE);
1661 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1662 
1663 	/* Check that the returned pointer is tagged. */
1664 	KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1665 	KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1666 
1667 	/* Make sure exported vmalloc helpers handle tagged pointers. */
1668 	KUNIT_ASSERT_TRUE(test, is_vmalloc_addr(ptr));
1669 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, vmalloc_to_page(ptr));
1670 
1671 #if !IS_MODULE(CONFIG_KASAN_KUNIT_TEST)
1672 	{
1673 		int rv;
1674 
1675 		/* Make sure vmalloc'ed memory permissions can be changed. */
1676 		rv = set_memory_ro((unsigned long)ptr, 1);
1677 		KUNIT_ASSERT_GE(test, rv, 0);
1678 		rv = set_memory_rw((unsigned long)ptr, 1);
1679 		KUNIT_ASSERT_GE(test, rv, 0);
1680 	}
1681 #endif
1682 
1683 	vfree(ptr);
1684 }
1685 
1686 static void vmalloc_oob(struct kunit *test)
1687 {
1688 	char *v_ptr, *p_ptr;
1689 	struct page *page;
1690 	size_t size = PAGE_SIZE / 2 - KASAN_GRANULE_SIZE - 5;
1691 
1692 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1693 
1694 	if (!kasan_vmalloc_enabled())
1695 		kunit_skip(test, "Test requires kasan.vmalloc=on");
1696 
1697 	v_ptr = vmalloc(size);
1698 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1699 
1700 	OPTIMIZER_HIDE_VAR(v_ptr);
1701 
1702 	/*
1703 	 * We have to be careful not to hit the guard page in vmalloc tests.
1704 	 * The MMU will catch that and crash us.
1705 	 */
1706 
1707 	/* Make sure in-bounds accesses are valid. */
1708 	v_ptr[0] = 0;
1709 	v_ptr[size - 1] = 0;
1710 
1711 	/*
1712 	 * An unaligned access past the requested vmalloc size.
1713 	 * Only generic KASAN can precisely detect these.
1714 	 */
1715 	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
1716 		KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size]);
1717 
1718 	/* An aligned access into the first out-of-bounds granule. */
1719 	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size + 5]);
1720 
1721 	/* Check that in-bounds accesses to the physical page are valid. */
1722 	page = vmalloc_to_page(v_ptr);
1723 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page);
1724 	p_ptr = page_address(page);
1725 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1726 	p_ptr[0] = 0;
1727 
1728 	vfree(v_ptr);
1729 
1730 	/*
1731 	 * We can't check for use-after-unmap bugs in this nor in the following
1732 	 * vmalloc tests, as the page might be fully unmapped and accessing it
1733 	 * will crash the kernel.
1734 	 */
1735 }
1736 
1737 static void vmap_tags(struct kunit *test)
1738 {
1739 	char *p_ptr, *v_ptr;
1740 	struct page *p_page, *v_page;
1741 
1742 	/*
1743 	 * This test is specifically crafted for the software tag-based mode,
1744 	 * the only tag-based mode that poisons vmap mappings.
1745 	 */
1746 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1747 
1748 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1749 
1750 	if (!kasan_vmalloc_enabled())
1751 		kunit_skip(test, "Test requires kasan.vmalloc=on");
1752 
1753 	p_page = alloc_pages(GFP_KERNEL, 1);
1754 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_page);
1755 	p_ptr = page_address(p_page);
1756 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1757 
1758 	v_ptr = vmap(&p_page, 1, VM_MAP, PAGE_KERNEL);
1759 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1760 
1761 	/*
1762 	 * We can't check for out-of-bounds bugs in this nor in the following
1763 	 * vmalloc tests, as allocations have page granularity and accessing
1764 	 * the guard page will crash the kernel.
1765 	 */
1766 
1767 	KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN);
1768 	KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL);
1769 
1770 	/* Make sure that in-bounds accesses through both pointers work. */
1771 	*p_ptr = 0;
1772 	*v_ptr = 0;
1773 
1774 	/* Make sure vmalloc_to_page() correctly recovers the page pointer. */
1775 	v_page = vmalloc_to_page(v_ptr);
1776 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_page);
1777 	KUNIT_EXPECT_PTR_EQ(test, p_page, v_page);
1778 
1779 	vunmap(v_ptr);
1780 	free_pages((unsigned long)p_ptr, 1);
1781 }
1782 
1783 static void vm_map_ram_tags(struct kunit *test)
1784 {
1785 	char *p_ptr, *v_ptr;
1786 	struct page *page;
1787 
1788 	/*
1789 	 * This test is specifically crafted for the software tag-based mode,
1790 	 * the only tag-based mode that poisons vm_map_ram mappings.
1791 	 */
1792 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1793 
1794 	page = alloc_pages(GFP_KERNEL, 1);
1795 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page);
1796 	p_ptr = page_address(page);
1797 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1798 
1799 	v_ptr = vm_map_ram(&page, 1, -1);
1800 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1801 
1802 	KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN);
1803 	KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL);
1804 
1805 	/* Make sure that in-bounds accesses through both pointers work. */
1806 	*p_ptr = 0;
1807 	*v_ptr = 0;
1808 
1809 	vm_unmap_ram(v_ptr, 1);
1810 	free_pages((unsigned long)p_ptr, 1);
1811 }
1812 
1813 static void vmalloc_percpu(struct kunit *test)
1814 {
1815 	char __percpu *ptr;
1816 	int cpu;
1817 
1818 	/*
1819 	 * This test is specifically crafted for the software tag-based mode,
1820 	 * the only tag-based mode that poisons percpu mappings.
1821 	 */
1822 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1823 
1824 	ptr = __alloc_percpu(PAGE_SIZE, PAGE_SIZE);
1825 
1826 	for_each_possible_cpu(cpu) {
1827 		char *c_ptr = per_cpu_ptr(ptr, cpu);
1828 
1829 		KUNIT_EXPECT_GE(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_MIN);
1830 		KUNIT_EXPECT_LT(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_KERNEL);
1831 
1832 		/* Make sure that in-bounds accesses don't crash the kernel. */
1833 		*c_ptr = 0;
1834 	}
1835 
1836 	free_percpu(ptr);
1837 }
1838 
1839 /*
1840  * Check that the assigned pointer tag falls within the [KASAN_TAG_MIN,
1841  * KASAN_TAG_KERNEL) range (note: excluding the match-all tag) for tag-based
1842  * modes.
1843  */
1844 static void match_all_not_assigned(struct kunit *test)
1845 {
1846 	char *ptr;
1847 	struct page *pages;
1848 	int i, size, order;
1849 
1850 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1851 
1852 	for (i = 0; i < 256; i++) {
1853 		size = get_random_u32_inclusive(1, 1024);
1854 		ptr = kmalloc(size, GFP_KERNEL);
1855 		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1856 		KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1857 		KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1858 		kfree(ptr);
1859 	}
1860 
1861 	for (i = 0; i < 256; i++) {
1862 		order = get_random_u32_inclusive(1, 4);
1863 		pages = alloc_pages(GFP_KERNEL, order);
1864 		ptr = page_address(pages);
1865 		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1866 		KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1867 		KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1868 		free_pages((unsigned long)ptr, order);
1869 	}
1870 
1871 	if (!kasan_vmalloc_enabled())
1872 		return;
1873 
1874 	for (i = 0; i < 256; i++) {
1875 		size = get_random_u32_inclusive(1, 1024);
1876 		ptr = vmalloc(size);
1877 		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1878 		KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1879 		KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1880 		vfree(ptr);
1881 	}
1882 }
1883 
1884 /* Check that 0xff works as a match-all pointer tag for tag-based modes. */
1885 static void match_all_ptr_tag(struct kunit *test)
1886 {
1887 	char *ptr;
1888 	u8 tag;
1889 
1890 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1891 
1892 	ptr = kmalloc(128, GFP_KERNEL);
1893 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1894 
1895 	/* Backup the assigned tag. */
1896 	tag = get_tag(ptr);
1897 	KUNIT_EXPECT_NE(test, tag, (u8)KASAN_TAG_KERNEL);
1898 
1899 	/* Reset the tag to 0xff.*/
1900 	ptr = set_tag(ptr, KASAN_TAG_KERNEL);
1901 
1902 	/* This access shouldn't trigger a KASAN report. */
1903 	*ptr = 0;
1904 
1905 	/* Recover the pointer tag and free. */
1906 	ptr = set_tag(ptr, tag);
1907 	kfree(ptr);
1908 }
1909 
1910 /* Check that there are no match-all memory tags for tag-based modes. */
1911 static void match_all_mem_tag(struct kunit *test)
1912 {
1913 	char *ptr;
1914 	int tag;
1915 
1916 	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1917 
1918 	ptr = kmalloc(128, GFP_KERNEL);
1919 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1920 	KUNIT_EXPECT_NE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1921 
1922 	/* For each possible tag value not matching the pointer tag. */
1923 	for (tag = KASAN_TAG_MIN; tag <= KASAN_TAG_KERNEL; tag++) {
1924 		/*
1925 		 * For Software Tag-Based KASAN, skip the majority of tag
1926 		 * values to avoid the test printing too many reports.
1927 		 */
1928 		if (IS_ENABLED(CONFIG_KASAN_SW_TAGS) &&
1929 		    tag >= KASAN_TAG_MIN + 8 && tag <= KASAN_TAG_KERNEL - 8)
1930 			continue;
1931 
1932 		if (tag == get_tag(ptr))
1933 			continue;
1934 
1935 		/* Mark the first memory granule with the chosen memory tag. */
1936 		kasan_poison(ptr, KASAN_GRANULE_SIZE, (u8)tag, false);
1937 
1938 		/* This access must cause a KASAN report. */
1939 		KUNIT_EXPECT_KASAN_FAIL(test, *ptr = 0);
1940 	}
1941 
1942 	/* Recover the memory tag and free. */
1943 	kasan_poison(ptr, KASAN_GRANULE_SIZE, get_tag(ptr), false);
1944 	kfree(ptr);
1945 }
1946 
1947 /*
1948  * Check that Rust performing a use-after-free using `unsafe` is detected.
1949  * This is a smoke test to make sure that Rust is being sanitized properly.
1950  */
1951 static void rust_uaf(struct kunit *test)
1952 {
1953 	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_RUST);
1954 	KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf());
1955 }
1956 
1957 static struct kunit_case kasan_kunit_test_cases[] = {
1958 	KUNIT_CASE(kmalloc_oob_right),
1959 	KUNIT_CASE(kmalloc_oob_left),
1960 	KUNIT_CASE(kmalloc_node_oob_right),
1961 	KUNIT_CASE(kmalloc_big_oob_right),
1962 	KUNIT_CASE(kmalloc_large_oob_right),
1963 	KUNIT_CASE(kmalloc_large_uaf),
1964 	KUNIT_CASE(kmalloc_large_invalid_free),
1965 	KUNIT_CASE(page_alloc_oob_right),
1966 	KUNIT_CASE(page_alloc_uaf),
1967 	KUNIT_CASE(krealloc_more_oob),
1968 	KUNIT_CASE(krealloc_less_oob),
1969 	KUNIT_CASE(krealloc_large_more_oob),
1970 	KUNIT_CASE(krealloc_large_less_oob),
1971 	KUNIT_CASE(krealloc_uaf),
1972 	KUNIT_CASE(kmalloc_oob_16),
1973 	KUNIT_CASE(kmalloc_uaf_16),
1974 	KUNIT_CASE(kmalloc_oob_in_memset),
1975 	KUNIT_CASE(kmalloc_oob_memset_2),
1976 	KUNIT_CASE(kmalloc_oob_memset_4),
1977 	KUNIT_CASE(kmalloc_oob_memset_8),
1978 	KUNIT_CASE(kmalloc_oob_memset_16),
1979 	KUNIT_CASE(kmalloc_memmove_negative_size),
1980 	KUNIT_CASE(kmalloc_memmove_invalid_size),
1981 	KUNIT_CASE(kmalloc_uaf),
1982 	KUNIT_CASE(kmalloc_uaf_memset),
1983 	KUNIT_CASE(kmalloc_uaf2),
1984 	KUNIT_CASE(kmalloc_uaf3),
1985 	KUNIT_CASE(kmalloc_double_kzfree),
1986 	KUNIT_CASE(ksize_unpoisons_memory),
1987 	KUNIT_CASE(ksize_uaf),
1988 	KUNIT_CASE(rcu_uaf),
1989 	KUNIT_CASE(workqueue_uaf),
1990 	KUNIT_CASE(kfree_via_page),
1991 	KUNIT_CASE(kfree_via_phys),
1992 	KUNIT_CASE(kmem_cache_oob),
1993 	KUNIT_CASE(kmem_cache_double_free),
1994 	KUNIT_CASE(kmem_cache_invalid_free),
1995 	KUNIT_CASE(kmem_cache_rcu_uaf),
1996 	KUNIT_CASE(kmem_cache_double_destroy),
1997 	KUNIT_CASE(kmem_cache_accounted),
1998 	KUNIT_CASE(kmem_cache_bulk),
1999 	KUNIT_CASE(mempool_kmalloc_oob_right),
2000 	KUNIT_CASE(mempool_kmalloc_large_oob_right),
2001 	KUNIT_CASE(mempool_slab_oob_right),
2002 	KUNIT_CASE(mempool_kmalloc_uaf),
2003 	KUNIT_CASE(mempool_kmalloc_large_uaf),
2004 	KUNIT_CASE(mempool_slab_uaf),
2005 	KUNIT_CASE(mempool_page_alloc_uaf),
2006 	KUNIT_CASE(mempool_kmalloc_double_free),
2007 	KUNIT_CASE(mempool_kmalloc_large_double_free),
2008 	KUNIT_CASE(mempool_page_alloc_double_free),
2009 	KUNIT_CASE(mempool_kmalloc_invalid_free),
2010 	KUNIT_CASE(mempool_kmalloc_large_invalid_free),
2011 	KUNIT_CASE(kasan_global_oob_right),
2012 	KUNIT_CASE(kasan_global_oob_left),
2013 	KUNIT_CASE(kasan_stack_oob),
2014 	KUNIT_CASE(kasan_alloca_oob_left),
2015 	KUNIT_CASE(kasan_alloca_oob_right),
2016 	KUNIT_CASE(kasan_memchr),
2017 	KUNIT_CASE(kasan_memcmp),
2018 	KUNIT_CASE(kasan_strings),
2019 	KUNIT_CASE(kasan_bitops_generic),
2020 	KUNIT_CASE(kasan_bitops_tags),
2021 	KUNIT_CASE(kasan_atomics),
2022 	KUNIT_CASE(vmalloc_helpers_tags),
2023 	KUNIT_CASE(vmalloc_oob),
2024 	KUNIT_CASE(vmap_tags),
2025 	KUNIT_CASE(vm_map_ram_tags),
2026 	KUNIT_CASE(vmalloc_percpu),
2027 	KUNIT_CASE(match_all_not_assigned),
2028 	KUNIT_CASE(match_all_ptr_tag),
2029 	KUNIT_CASE(match_all_mem_tag),
2030 	KUNIT_CASE(rust_uaf),
2031 	{}
2032 };
2033 
2034 static struct kunit_suite kasan_kunit_test_suite = {
2035 	.name = "kasan",
2036 	.test_cases = kasan_kunit_test_cases,
2037 	.exit = kasan_test_exit,
2038 	.suite_init = kasan_suite_init,
2039 	.suite_exit = kasan_suite_exit,
2040 };
2041 
2042 kunit_test_suite(kasan_kunit_test_suite);
2043 
2044 MODULE_LICENSE("GPL");
2045