* [PATCH 0/4] kunit: Fix some bugs in kunit_filter_suites()
@ 2023-08-31 7:16 Jinjie Ruan
2023-08-31 7:16 ` [PATCH 1/4] kunit: Fix wild-memory-access bug in kunit_free_suite_set() Jinjie Ruan
` (3 more replies)
0 siblings, 4 replies; 14+ messages in thread
From: Jinjie Ruan @ 2023-08-31 7:16 UTC (permalink / raw)
To: brendan.higgins, davidgow, skhan, jk, dlatypov, rmoar,
linux-kselftest, kunit-dev
Cc: ruanjinjie
The state handle in kunit_module_notify() is not correct when
the mod->state switch from MODULE_STATE_COMING to MODULE_STATE_GOING.
And it's necessary to check NULL for kzalloc() in
kunit_parse_glob_filter().
The order in which memory is released in err path in kunit_filter_suites()
is also problematic.
And there is a possible memory leak in kunit_filter_suites().
This patchset fix the above issues.
Jinjie Ruan (4):
kunit: Fix wild-memory-access bug in kunit_free_suite_set()
kunit: Fix possible null-ptr-deref in kunit_parse_glob_filter()
kunit: Fix possible memory leak in kunit_filter_suites()
kunit: Fix the wrong error path in kunit_filter_suites()
lib/kunit/executor.c | 39 +++++++++++++++++++++++++++------------
lib/kunit/test.c | 3 ++-
2 files changed, 29 insertions(+), 13 deletions(-)
--
2.34.1
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 1/4] kunit: Fix wild-memory-access bug in kunit_free_suite_set()
2023-08-31 7:16 [PATCH 0/4] kunit: Fix some bugs in kunit_filter_suites() Jinjie Ruan
@ 2023-08-31 7:16 ` Jinjie Ruan
2023-08-31 20:29 ` Rae Moar
2023-09-01 5:17 ` David Gow
2023-08-31 7:16 ` [PATCH 2/4] kunit: Fix possible null-ptr-deref in kunit_parse_glob_filter() Jinjie Ruan
` (2 subsequent siblings)
3 siblings, 2 replies; 14+ messages in thread
From: Jinjie Ruan @ 2023-08-31 7:16 UTC (permalink / raw)
To: brendan.higgins, davidgow, skhan, jk, dlatypov, rmoar,
linux-kselftest, kunit-dev
Cc: ruanjinjie
Inject fault while probing kunit-example-test.ko, if kstrdup()
fails in mod_sysfs_setup() in load_module(), the mod->state will
switch from MODULE_STATE_COMING to MODULE_STATE_GOING instead of
from MODULE_STATE_LIVE to MODULE_STATE_GOING, so only
kunit_module_exit() will be called without kunit_module_init(), and
the mod->kunit_suites is no set correctly and the free in
kunit_free_suite_set() will cause below wild-memory-access bug.
The mod->state state machine when load_module() succeeds:
MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_LIVE
^ |
| | delete_module
+---------------- MODULE_STATE_GOING <---------+
The mod->state state machine when load_module() fails at
mod_sysfs_setup():
MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_GOING
^ |
| |
+-----------------------------------------------+
Call kunit_module_init() at MODULE_STATE_COMING state to fix the issue
because MODULE_STATE_LIVE is transformed from it.
Unable to handle kernel paging request at virtual address ffffff341e942a88
KASAN: maybe wild-memory-access in range [0x0003f9a0f4a15440-0x0003f9a0f4a15447]
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000441ea000
[ffffff341e942a88] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in: kunit_example_test(-) cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: kunit_example_test]
CPU: 3 PID: 2035 Comm: modprobe Tainted: G W N 6.5.0-next-20230828+ #136
Hardware name: linux,dummy-virt (DT)
pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kfree+0x2c/0x70
lr : kunit_free_suite_set+0xcc/0x13c
sp : ffff8000829b75b0
x29: ffff8000829b75b0 x28: ffff8000829b7b90 x27: 0000000000000000
x26: dfff800000000000 x25: ffffcd07c82a7280 x24: ffffcd07a50ab300
x23: ffffcd07a50ab2e8 x22: 1ffff00010536ec0 x21: dfff800000000000
x20: ffffcd07a50ab2f0 x19: ffffcd07a50ab2f0 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: ffffcd07c24b6764
x14: ffffcd07c24b63c0 x13: ffffcd07c4cebb94 x12: ffff700010536ec7
x11: 1ffff00010536ec6 x10: ffff700010536ec6 x9 : dfff800000000000
x8 : 00008fffefac913a x7 : 0000000041b58ab3 x6 : 0000000000000000
x5 : 1ffff00010536ec5 x4 : ffff8000829b7628 x3 : dfff800000000000
x2 : ffffff341e942a80 x1 : ffffcd07a50aa000 x0 : fffffc0000000000
Call trace:
kfree+0x2c/0x70
kunit_free_suite_set+0xcc/0x13c
kunit_module_notify+0xd8/0x360
blocking_notifier_call_chain+0xc4/0x128
load_module+0x382c/0x44a4
init_module_from_file+0xd4/0x128
idempotent_init_module+0x2c8/0x524
__arm64_sys_finit_module+0xac/0x100
invoke_syscall+0x6c/0x258
el0_svc_common.constprop.0+0x160/0x22c
do_el0_svc+0x44/0x5c
el0_svc+0x38/0x78
el0t_64_sync_handler+0x13c/0x158
el0t_64_sync+0x190/0x194
Code: aa0003e1 b25657e0 d34cfc42 8b021802 (f9400440)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception
SMP: stopping secondary CPUs
Kernel Offset: 0x4d0742200000 from 0xffff800080000000
PHYS_OFFSET: 0xffffee43c0000000
CPU features: 0x88000203,3c020000,1000421b
Memory Limit: none
Rebooting in 1 seconds..
Fixes: 3d6e44623841 ("kunit: unify module and builtin suite definitions")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
lib/kunit/test.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/kunit/test.c b/lib/kunit/test.c
index 49698a168437..421f13981412 100644
--- a/lib/kunit/test.c
+++ b/lib/kunit/test.c
@@ -784,12 +784,13 @@ static int kunit_module_notify(struct notifier_block *nb, unsigned long val,
switch (val) {
case MODULE_STATE_LIVE:
- kunit_module_init(mod);
break;
case MODULE_STATE_GOING:
kunit_module_exit(mod);
break;
case MODULE_STATE_COMING:
+ kunit_module_init(mod);
+ break;
case MODULE_STATE_UNFORMED:
break;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 2/4] kunit: Fix possible null-ptr-deref in kunit_parse_glob_filter()
2023-08-31 7:16 [PATCH 0/4] kunit: Fix some bugs in kunit_filter_suites() Jinjie Ruan
2023-08-31 7:16 ` [PATCH 1/4] kunit: Fix wild-memory-access bug in kunit_free_suite_set() Jinjie Ruan
@ 2023-08-31 7:16 ` Jinjie Ruan
2023-08-31 20:34 ` Rae Moar
2023-09-01 5:18 ` David Gow
2023-08-31 7:16 ` [PATCH 3/4] kunit: Fix possible memory leak in kunit_filter_suites() Jinjie Ruan
2023-08-31 7:16 ` [PATCH 4/4] kunit: Fix the wrong error path " Jinjie Ruan
3 siblings, 2 replies; 14+ messages in thread
From: Jinjie Ruan @ 2023-08-31 7:16 UTC (permalink / raw)
To: brendan.higgins, davidgow, skhan, jk, dlatypov, rmoar,
linux-kselftest, kunit-dev
Cc: ruanjinjie
Inject fault while probing kunit-example-test.ko, if kzalloc fails
in kunit_parse_glob_filter(), strcpy() or strncpy() to NULL will
cause below null-ptr-deref bug. So check NULL for kzalloc() and
return int instead of void for kunit_parse_glob_filter().
Unable to handle kernel paging request at virtual address dfff800000000000
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in: kunit_example_test cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: kunit_example_test]
CPU: 4 PID: 6047 Comm: modprobe Tainted: G W N 6.5.0-next-20230829+ #141
Hardware name: linux,dummy-virt (DT)
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : strncpy+0x58/0xc0
lr : kunit_filter_suites+0x15c/0xa84
sp : ffff800082a17420
x29: ffff800082a17420 x28: 0000000000000000 x27: 0000000000000004
x26: 0000000000000000 x25: ffffa847e40a5320 x24: 0000000000000001
x23: 0000000000000000 x22: 0000000000000001 x21: dfff800000000000
x20: 000000000000002a x19: 0000000000000000 x18: 00000000750b3b54
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 34393178302f3039 x12: ffff7508fcea4ec1
x11: 1ffff508fcea4ec0 x10: ffff7508fcea4ec0 x9 : dfff800000000000
x8 : ffff6051b1a7f86a x7 : ffff800082a17270 x6 : 0000000000000002
x5 : 0000000000000098 x4 : ffff028d9817b250 x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffffa847e40a5320 x0 : 0000000000000000
Call trace:
strncpy+0x58/0xc0
kunit_filter_suites+0x15c/0xa84
kunit_module_notify+0x1b0/0x3ac
blocking_notifier_call_chain+0xc4/0x128
do_init_module+0x250/0x594
load_module+0x37b0/0x44b4
init_module_from_file+0xd4/0x128
idempotent_init_module+0x2c8/0x524
__arm64_sys_finit_module+0xac/0x100
invoke_syscall+0x6c/0x258
el0_svc_common.constprop.0+0x160/0x22c
do_el0_svc+0x44/0x5c
el0_svc+0x38/0x78
el0t_64_sync_handler+0x13c/0x158
el0t_64_sync+0x190/0x194
Code: 5400028a d343fe63 12000a62 39400034 (38f56863)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception
SMP: stopping secondary CPUs
Kernel Offset: 0x284761400000 from 0xffff800080000000
PHYS_OFFSET: 0xfffffd7380000000
CPU features: 0x88000203,3c020000,1000421b
Memory Limit: none
Rebooting in 1 seconds..
Fixes: a127b154a8f2 ("kunit: tool: allow filtering test cases via glob")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
lib/kunit/executor.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
index 5181aa2e760b..25ce8d6e5fe7 100644
--- a/lib/kunit/executor.c
+++ b/lib/kunit/executor.c
@@ -65,7 +65,7 @@ struct kunit_glob_filter {
};
/* Split "suite_glob.test_glob" into two. Assumes filter_glob is not empty. */
-static void kunit_parse_glob_filter(struct kunit_glob_filter *parsed,
+static int kunit_parse_glob_filter(struct kunit_glob_filter *parsed,
const char *filter_glob)
{
const int len = strlen(filter_glob);
@@ -73,16 +73,28 @@ static void kunit_parse_glob_filter(struct kunit_glob_filter *parsed,
if (!period) {
parsed->suite_glob = kzalloc(len + 1, GFP_KERNEL);
+ if (!parsed->suite_glob)
+ return -ENOMEM;
+
parsed->test_glob = NULL;
strcpy(parsed->suite_glob, filter_glob);
- return;
+ return 0;
}
parsed->suite_glob = kzalloc(period - filter_glob + 1, GFP_KERNEL);
+ if (!parsed->suite_glob)
+ return -ENOMEM;
+
parsed->test_glob = kzalloc(len - (period - filter_glob) + 1, GFP_KERNEL);
+ if (!parsed->test_glob) {
+ kfree(parsed->suite_glob);
+ return -ENOMEM;
+ }
strncpy(parsed->suite_glob, filter_glob, period - filter_glob);
strncpy(parsed->test_glob, period + 1, len - (period - filter_glob));
+
+ return 0;
}
/* Create a copy of suite with only tests that match test_glob. */
@@ -152,8 +164,13 @@ kunit_filter_suites(const struct kunit_suite_set *suite_set,
}
copy_start = copy;
- if (filter_glob)
- kunit_parse_glob_filter(&parsed_glob, filter_glob);
+ if (filter_glob) {
+ *err = kunit_parse_glob_filter(&parsed_glob, filter_glob);
+ if (*err) {
+ kfree(copy);
+ return filtered;
+ }
+ }
/* Parse attribute filters */
if (filters) {
--
2.34.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 3/4] kunit: Fix possible memory leak in kunit_filter_suites()
2023-08-31 7:16 [PATCH 0/4] kunit: Fix some bugs in kunit_filter_suites() Jinjie Ruan
2023-08-31 7:16 ` [PATCH 1/4] kunit: Fix wild-memory-access bug in kunit_free_suite_set() Jinjie Ruan
2023-08-31 7:16 ` [PATCH 2/4] kunit: Fix possible null-ptr-deref in kunit_parse_glob_filter() Jinjie Ruan
@ 2023-08-31 7:16 ` Jinjie Ruan
2023-08-31 21:01 ` Rae Moar
2023-09-01 5:18 ` David Gow
2023-08-31 7:16 ` [PATCH 4/4] kunit: Fix the wrong error path " Jinjie Ruan
3 siblings, 2 replies; 14+ messages in thread
From: Jinjie Ruan @ 2023-08-31 7:16 UTC (permalink / raw)
To: brendan.higgins, davidgow, skhan, jk, dlatypov, rmoar,
linux-kselftest, kunit-dev
Cc: ruanjinjie
If both filter_glob and filters are not NULL, and kunit_parse_glob_filter()
succeed, but kcalloc parsed_filters fails, the suite_glob and test_glob of
parsed kzalloc in kunit_parse_glob_filter() will be leaked.
Fixes: 1c9fd080dffe ("kunit: fix uninitialized variables bug in attributes filtering")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
lib/kunit/executor.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
index 25ce8d6e5fe7..7654c09c1ab1 100644
--- a/lib/kunit/executor.c
+++ b/lib/kunit/executor.c
@@ -176,10 +176,8 @@ kunit_filter_suites(const struct kunit_suite_set *suite_set,
if (filters) {
filter_count = kunit_get_filter_count(filters);
parsed_filters = kcalloc(filter_count, sizeof(*parsed_filters), GFP_KERNEL);
- if (!parsed_filters) {
- kfree(copy);
- return filtered;
- }
+ if (!parsed_filters)
+ goto err;
for (j = 0; j < filter_count; j++)
parsed_filters[j] = kunit_next_attr_filter(&filters, err);
if (*err)
--
2.34.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 4/4] kunit: Fix the wrong error path in kunit_filter_suites()
2023-08-31 7:16 [PATCH 0/4] kunit: Fix some bugs in kunit_filter_suites() Jinjie Ruan
` (2 preceding siblings ...)
2023-08-31 7:16 ` [PATCH 3/4] kunit: Fix possible memory leak in kunit_filter_suites() Jinjie Ruan
@ 2023-08-31 7:16 ` Jinjie Ruan
2023-08-31 21:03 ` Rae Moar
2023-09-01 5:18 ` David Gow
3 siblings, 2 replies; 14+ messages in thread
From: Jinjie Ruan @ 2023-08-31 7:16 UTC (permalink / raw)
To: brendan.higgins, davidgow, skhan, jk, dlatypov, rmoar,
linux-kselftest, kunit-dev
Cc: ruanjinjie
Take the last kfree(parsed_filters) and add it to be the first. Take
the first kfree(copy) and add it to be the last. The Best practice is to
return these errors reversely.
Fixes: 529534e8cba3 ("kunit: Add ability to filter attributes")
Fixes: abbf73816b6f ("kunit: fix possible memory leak in kunit_filter_suites()")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
lib/kunit/executor.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
index 7654c09c1ab1..da9444d22711 100644
--- a/lib/kunit/executor.c
+++ b/lib/kunit/executor.c
@@ -229,16 +229,16 @@ kunit_filter_suites(const struct kunit_suite_set *suite_set,
filtered.end = copy;
err:
- if (*err)
- kfree(copy);
+ if (filter_count)
+ kfree(parsed_filters);
if (filter_glob) {
kfree(parsed_glob.suite_glob);
kfree(parsed_glob.test_glob);
}
- if (filter_count)
- kfree(parsed_filters);
+ if (*err)
+ kfree(copy);
return filtered;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH 1/4] kunit: Fix wild-memory-access bug in kunit_free_suite_set()
2023-08-31 7:16 ` [PATCH 1/4] kunit: Fix wild-memory-access bug in kunit_free_suite_set() Jinjie Ruan
@ 2023-08-31 20:29 ` Rae Moar
2023-09-01 5:17 ` David Gow
1 sibling, 0 replies; 14+ messages in thread
From: Rae Moar @ 2023-08-31 20:29 UTC (permalink / raw)
To: Jinjie Ruan
Cc: brendan.higgins, davidgow, skhan, jk, dlatypov, linux-kselftest,
kunit-dev
On Thu, Aug 31, 2023 at 3:17 AM 'Jinjie Ruan' via KUnit Development
<kunit-dev@googlegroups.com> wrote:
>
> Inject fault while probing kunit-example-test.ko, if kstrdup()
> fails in mod_sysfs_setup() in load_module(), the mod->state will
> switch from MODULE_STATE_COMING to MODULE_STATE_GOING instead of
> from MODULE_STATE_LIVE to MODULE_STATE_GOING, so only
> kunit_module_exit() will be called without kunit_module_init(), and
> the mod->kunit_suites is no set correctly and the free in
> kunit_free_suite_set() will cause below wild-memory-access bug.
>
> The mod->state state machine when load_module() succeeds:
>
> MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_LIVE
> ^ |
> | | delete_module
> +---------------- MODULE_STATE_GOING <---------+
>
> The mod->state state machine when load_module() fails at
> mod_sysfs_setup():
>
> MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_GOING
> ^ |
> | |
> +-----------------------------------------------+
>
> Call kunit_module_init() at MODULE_STATE_COMING state to fix the issue
> because MODULE_STATE_LIVE is transformed from it.
>
> Unable to handle kernel paging request at virtual address ffffff341e942a88
> KASAN: maybe wild-memory-access in range [0x0003f9a0f4a15440-0x0003f9a0f4a15447]
> Mem abort info:
> ESR = 0x0000000096000004
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x04: level 0 translation fault
> Data abort info:
> ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000441ea000
> [ffffff341e942a88] pgd=0000000000000000, p4d=0000000000000000
> Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
> Modules linked in: kunit_example_test(-) cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: kunit_example_test]
> CPU: 3 PID: 2035 Comm: modprobe Tainted: G W N 6.5.0-next-20230828+ #136
> Hardware name: linux,dummy-virt (DT)
> pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : kfree+0x2c/0x70
> lr : kunit_free_suite_set+0xcc/0x13c
> sp : ffff8000829b75b0
> x29: ffff8000829b75b0 x28: ffff8000829b7b90 x27: 0000000000000000
> x26: dfff800000000000 x25: ffffcd07c82a7280 x24: ffffcd07a50ab300
> x23: ffffcd07a50ab2e8 x22: 1ffff00010536ec0 x21: dfff800000000000
> x20: ffffcd07a50ab2f0 x19: ffffcd07a50ab2f0 x18: 0000000000000000
> x17: 0000000000000000 x16: 0000000000000000 x15: ffffcd07c24b6764
> x14: ffffcd07c24b63c0 x13: ffffcd07c4cebb94 x12: ffff700010536ec7
> x11: 1ffff00010536ec6 x10: ffff700010536ec6 x9 : dfff800000000000
> x8 : 00008fffefac913a x7 : 0000000041b58ab3 x6 : 0000000000000000
> x5 : 1ffff00010536ec5 x4 : ffff8000829b7628 x3 : dfff800000000000
> x2 : ffffff341e942a80 x1 : ffffcd07a50aa000 x0 : fffffc0000000000
> Call trace:
> kfree+0x2c/0x70
> kunit_free_suite_set+0xcc/0x13c
> kunit_module_notify+0xd8/0x360
> blocking_notifier_call_chain+0xc4/0x128
> load_module+0x382c/0x44a4
> init_module_from_file+0xd4/0x128
> idempotent_init_module+0x2c8/0x524
> __arm64_sys_finit_module+0xac/0x100
> invoke_syscall+0x6c/0x258
> el0_svc_common.constprop.0+0x160/0x22c
> do_el0_svc+0x44/0x5c
> el0_svc+0x38/0x78
> el0t_64_sync_handler+0x13c/0x158
> el0t_64_sync+0x190/0x194
> Code: aa0003e1 b25657e0 d34cfc42 8b021802 (f9400440)
> ---[ end trace 0000000000000000 ]---
> Kernel panic - not syncing: Oops: Fatal exception
> SMP: stopping secondary CPUs
> Kernel Offset: 0x4d0742200000 from 0xffff800080000000
> PHYS_OFFSET: 0xffffee43c0000000
> CPU features: 0x88000203,3c020000,1000421b
> Memory Limit: none
> Rebooting in 1 seconds..
>
> Fixes: 3d6e44623841 ("kunit: unify module and builtin suite definitions")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Hello!
This looks good to me. It seems to be working well.
Reviewed-by: Rae Moar <rmoar@google.com>
Thanks!
-Rae
> ---
> lib/kunit/test.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/kunit/test.c b/lib/kunit/test.c
> index 49698a168437..421f13981412 100644
> --- a/lib/kunit/test.c
> +++ b/lib/kunit/test.c
> @@ -784,12 +784,13 @@ static int kunit_module_notify(struct notifier_block *nb, unsigned long val,
>
> switch (val) {
> case MODULE_STATE_LIVE:
> - kunit_module_init(mod);
> break;
> case MODULE_STATE_GOING:
> kunit_module_exit(mod);
> break;
> case MODULE_STATE_COMING:
> + kunit_module_init(mod);
> + break;
> case MODULE_STATE_UNFORMED:
> break;
> }
> --
> 2.34.1
>
> --
> You received this message because you are subscribed to the Google Groups "KUnit Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kunit-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kunit-dev/20230831071655.2907683-2-ruanjinjie%40huawei.com.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/4] kunit: Fix possible null-ptr-deref in kunit_parse_glob_filter()
2023-08-31 7:16 ` [PATCH 2/4] kunit: Fix possible null-ptr-deref in kunit_parse_glob_filter() Jinjie Ruan
@ 2023-08-31 20:34 ` Rae Moar
2023-09-01 5:18 ` David Gow
1 sibling, 0 replies; 14+ messages in thread
From: Rae Moar @ 2023-08-31 20:34 UTC (permalink / raw)
To: Jinjie Ruan
Cc: brendan.higgins, davidgow, skhan, jk, dlatypov, linux-kselftest,
kunit-dev
On Thu, Aug 31, 2023 at 3:17 AM 'Jinjie Ruan' via KUnit Development
<kunit-dev@googlegroups.com> wrote:
>
> Inject fault while probing kunit-example-test.ko, if kzalloc fails
> in kunit_parse_glob_filter(), strcpy() or strncpy() to NULL will
> cause below null-ptr-deref bug. So check NULL for kzalloc() and
> return int instead of void for kunit_parse_glob_filter().
>
> Unable to handle kernel paging request at virtual address dfff800000000000
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> Mem abort info:
> ESR = 0x0000000096000005
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x05: level 1 translation fault
> Data abort info:
> ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [dfff800000000000] address between user and kernel address ranges
> Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
> Modules linked in: kunit_example_test cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: kunit_example_test]
> CPU: 4 PID: 6047 Comm: modprobe Tainted: G W N 6.5.0-next-20230829+ #141
> Hardware name: linux,dummy-virt (DT)
> pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : strncpy+0x58/0xc0
> lr : kunit_filter_suites+0x15c/0xa84
> sp : ffff800082a17420
> x29: ffff800082a17420 x28: 0000000000000000 x27: 0000000000000004
> x26: 0000000000000000 x25: ffffa847e40a5320 x24: 0000000000000001
> x23: 0000000000000000 x22: 0000000000000001 x21: dfff800000000000
> x20: 000000000000002a x19: 0000000000000000 x18: 00000000750b3b54
> x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
> x14: 0000000000000000 x13: 34393178302f3039 x12: ffff7508fcea4ec1
> x11: 1ffff508fcea4ec0 x10: ffff7508fcea4ec0 x9 : dfff800000000000
> x8 : ffff6051b1a7f86a x7 : ffff800082a17270 x6 : 0000000000000002
> x5 : 0000000000000098 x4 : ffff028d9817b250 x3 : 0000000000000000
> x2 : 0000000000000000 x1 : ffffa847e40a5320 x0 : 0000000000000000
> Call trace:
> strncpy+0x58/0xc0
> kunit_filter_suites+0x15c/0xa84
> kunit_module_notify+0x1b0/0x3ac
> blocking_notifier_call_chain+0xc4/0x128
> do_init_module+0x250/0x594
> load_module+0x37b0/0x44b4
> init_module_from_file+0xd4/0x128
> idempotent_init_module+0x2c8/0x524
> __arm64_sys_finit_module+0xac/0x100
> invoke_syscall+0x6c/0x258
> el0_svc_common.constprop.0+0x160/0x22c
> do_el0_svc+0x44/0x5c
> el0_svc+0x38/0x78
> el0t_64_sync_handler+0x13c/0x158
> el0t_64_sync+0x190/0x194
> Code: 5400028a d343fe63 12000a62 39400034 (38f56863)
> ---[ end trace 0000000000000000 ]---
> Kernel panic - not syncing: Oops: Fatal exception
> SMP: stopping secondary CPUs
> Kernel Offset: 0x284761400000 from 0xffff800080000000
> PHYS_OFFSET: 0xfffffd7380000000
> CPU features: 0x88000203,3c020000,1000421b
> Memory Limit: none
> Rebooting in 1 seconds..
>
> Fixes: a127b154a8f2 ("kunit: tool: allow filtering test cases via glob")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Hello!
This also looks good to me. Thanks for catching these!
Reviewed-by: Rae Moar <rmoar@google.com>
Thanks!
-Rae
> ---
> lib/kunit/executor.c | 25 +++++++++++++++++++++----
> 1 file changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
> index 5181aa2e760b..25ce8d6e5fe7 100644
> --- a/lib/kunit/executor.c
> +++ b/lib/kunit/executor.c
> @@ -65,7 +65,7 @@ struct kunit_glob_filter {
> };
>
> /* Split "suite_glob.test_glob" into two. Assumes filter_glob is not empty. */
> -static void kunit_parse_glob_filter(struct kunit_glob_filter *parsed,
> +static int kunit_parse_glob_filter(struct kunit_glob_filter *parsed,
> const char *filter_glob)
> {
> const int len = strlen(filter_glob);
> @@ -73,16 +73,28 @@ static void kunit_parse_glob_filter(struct kunit_glob_filter *parsed,
>
> if (!period) {
> parsed->suite_glob = kzalloc(len + 1, GFP_KERNEL);
> + if (!parsed->suite_glob)
> + return -ENOMEM;
> +
> parsed->test_glob = NULL;
> strcpy(parsed->suite_glob, filter_glob);
> - return;
> + return 0;
> }
>
> parsed->suite_glob = kzalloc(period - filter_glob + 1, GFP_KERNEL);
> + if (!parsed->suite_glob)
> + return -ENOMEM;
> +
> parsed->test_glob = kzalloc(len - (period - filter_glob) + 1, GFP_KERNEL);
> + if (!parsed->test_glob) {
> + kfree(parsed->suite_glob);
> + return -ENOMEM;
> + }
>
> strncpy(parsed->suite_glob, filter_glob, period - filter_glob);
> strncpy(parsed->test_glob, period + 1, len - (period - filter_glob));
> +
> + return 0;
> }
>
> /* Create a copy of suite with only tests that match test_glob. */
> @@ -152,8 +164,13 @@ kunit_filter_suites(const struct kunit_suite_set *suite_set,
> }
> copy_start = copy;
>
> - if (filter_glob)
> - kunit_parse_glob_filter(&parsed_glob, filter_glob);
> + if (filter_glob) {
> + *err = kunit_parse_glob_filter(&parsed_glob, filter_glob);
> + if (*err) {
> + kfree(copy);
> + return filtered;
> + }
> + }
>
> /* Parse attribute filters */
> if (filters) {
> --
> 2.34.1
>
> --
> You received this message because you are subscribed to the Google Groups "KUnit Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kunit-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kunit-dev/20230831071655.2907683-3-ruanjinjie%40huawei.com.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 3/4] kunit: Fix possible memory leak in kunit_filter_suites()
2023-08-31 7:16 ` [PATCH 3/4] kunit: Fix possible memory leak in kunit_filter_suites() Jinjie Ruan
@ 2023-08-31 21:01 ` Rae Moar
2023-09-01 5:18 ` David Gow
1 sibling, 0 replies; 14+ messages in thread
From: Rae Moar @ 2023-08-31 21:01 UTC (permalink / raw)
To: Jinjie Ruan
Cc: brendan.higgins, davidgow, skhan, jk, dlatypov, linux-kselftest,
kunit-dev
On Thu, Aug 31, 2023 at 3:17 AM 'Jinjie Ruan' via KUnit Development
<kunit-dev@googlegroups.com> wrote:
>
> If both filter_glob and filters are not NULL, and kunit_parse_glob_filter()
> succeed, but kcalloc parsed_filters fails, the suite_glob and test_glob of
> parsed kzalloc in kunit_parse_glob_filter() will be leaked.
>
> Fixes: 1c9fd080dffe ("kunit: fix uninitialized variables bug in attributes filtering")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Hello!
Thanks for catching this! I just had two concerns listed below.
-Rae
> ---
> lib/kunit/executor.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
> index 25ce8d6e5fe7..7654c09c1ab1 100644
> --- a/lib/kunit/executor.c
> +++ b/lib/kunit/executor.c
> @@ -176,10 +176,8 @@ kunit_filter_suites(const struct kunit_suite_set *suite_set,
> if (filters) {
> filter_count = kunit_get_filter_count(filters);
> parsed_filters = kcalloc(filter_count, sizeof(*parsed_filters), GFP_KERNEL);
> - if (!parsed_filters) {
> - kfree(copy);
> - return filtered;
> - }
> + if (!parsed_filters)
> + goto err;
When this goes to the "err" label this will likely enter the if
(filter_count) statement and attempt to free parsed_filters. Since
parsed_filters is NULL in this case, it could be a cleaner practice to
set a new label, maybe "filter_err", to skip over that if statement.
Although, I realize this may require the order of the patches to
switch.
Additionally, the value of *err should definitely be set here before
"goto err". The kunit_run_all_tests() function checks this err value
in order to produce the correct error message and to prevent any
attempt to run tests. I would suggest: *err = -ENOMEM;
> for (j = 0; j < filter_count; j++)
> parsed_filters[j] = kunit_next_attr_filter(&filters, err);
> if (*err)
> --
> 2.34.1
>
> --
> You received this message because you are subscribed to the Google Groups "KUnit Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kunit-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kunit-dev/20230831071655.2907683-4-ruanjinjie%40huawei.com.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 4/4] kunit: Fix the wrong error path in kunit_filter_suites()
2023-08-31 7:16 ` [PATCH 4/4] kunit: Fix the wrong error path " Jinjie Ruan
@ 2023-08-31 21:03 ` Rae Moar
2023-09-01 5:18 ` David Gow
1 sibling, 0 replies; 14+ messages in thread
From: Rae Moar @ 2023-08-31 21:03 UTC (permalink / raw)
To: Jinjie Ruan
Cc: brendan.higgins, davidgow, skhan, jk, dlatypov, linux-kselftest,
kunit-dev
On Thu, Aug 31, 2023 at 3:17 AM 'Jinjie Ruan' via KUnit Development
<kunit-dev@googlegroups.com> wrote:
>
> Take the last kfree(parsed_filters) and add it to be the first. Take
> the first kfree(copy) and add it to be the last. The Best practice is to
> return these errors reversely.
>
> Fixes: 529534e8cba3 ("kunit: Add ability to filter attributes")
> Fixes: abbf73816b6f ("kunit: fix possible memory leak in kunit_filter_suites()")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Hello!
This seems fine to me. See my comments from the last patch regarding a
potential change in the order of the patches.
Otherwise, this works for me.
Reviewed-by: Rae Moar <rmoar@google.com>
Thanks!
-Rae
> ---
> lib/kunit/executor.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
> index 7654c09c1ab1..da9444d22711 100644
> --- a/lib/kunit/executor.c
> +++ b/lib/kunit/executor.c
> @@ -229,16 +229,16 @@ kunit_filter_suites(const struct kunit_suite_set *suite_set,
> filtered.end = copy;
>
> err:
> - if (*err)
> - kfree(copy);
> + if (filter_count)
> + kfree(parsed_filters);
>
> if (filter_glob) {
> kfree(parsed_glob.suite_glob);
> kfree(parsed_glob.test_glob);
> }
>
> - if (filter_count)
> - kfree(parsed_filters);
> + if (*err)
> + kfree(copy);
>
> return filtered;
> }
> --
> 2.34.1
>
> --
> You received this message because you are subscribed to the Google Groups "KUnit Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kunit-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kunit-dev/20230831071655.2907683-5-ruanjinjie%40huawei.com.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 1/4] kunit: Fix wild-memory-access bug in kunit_free_suite_set()
2023-08-31 7:16 ` [PATCH 1/4] kunit: Fix wild-memory-access bug in kunit_free_suite_set() Jinjie Ruan
2023-08-31 20:29 ` Rae Moar
@ 2023-09-01 5:17 ` David Gow
1 sibling, 0 replies; 14+ messages in thread
From: David Gow @ 2023-09-01 5:17 UTC (permalink / raw)
To: Jinjie Ruan
Cc: brendan.higgins, skhan, jk, dlatypov, rmoar, linux-kselftest, kunit-dev
On Thu, 31 Aug 2023 at 15:17, 'Jinjie Ruan' via KUnit Development
<kunit-dev@googlegroups.com> wrote:
>
> Inject fault while probing kunit-example-test.ko, if kstrdup()
> fails in mod_sysfs_setup() in load_module(), the mod->state will
> switch from MODULE_STATE_COMING to MODULE_STATE_GOING instead of
> from MODULE_STATE_LIVE to MODULE_STATE_GOING, so only
> kunit_module_exit() will be called without kunit_module_init(), and
> the mod->kunit_suites is no set correctly and the free in
> kunit_free_suite_set() will cause below wild-memory-access bug.
>
> The mod->state state machine when load_module() succeeds:
>
> MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_LIVE
> ^ |
> | | delete_module
> +---------------- MODULE_STATE_GOING <---------+
>
> The mod->state state machine when load_module() fails at
> mod_sysfs_setup():
>
> MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_GOING
> ^ |
> | |
> +-----------------------------------------------+
>
> Call kunit_module_init() at MODULE_STATE_COMING state to fix the issue
> because MODULE_STATE_LIVE is transformed from it.
>
> Unable to handle kernel paging request at virtual address ffffff341e942a88
> KASAN: maybe wild-memory-access in range [0x0003f9a0f4a15440-0x0003f9a0f4a15447]
> Mem abort info:
> ESR = 0x0000000096000004
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x04: level 0 translation fault
> Data abort info:
> ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000441ea000
> [ffffff341e942a88] pgd=0000000000000000, p4d=0000000000000000
> Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
> Modules linked in: kunit_example_test(-) cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: kunit_example_test]
> CPU: 3 PID: 2035 Comm: modprobe Tainted: G W N 6.5.0-next-20230828+ #136
> Hardware name: linux,dummy-virt (DT)
> pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : kfree+0x2c/0x70
> lr : kunit_free_suite_set+0xcc/0x13c
> sp : ffff8000829b75b0
> x29: ffff8000829b75b0 x28: ffff8000829b7b90 x27: 0000000000000000
> x26: dfff800000000000 x25: ffffcd07c82a7280 x24: ffffcd07a50ab300
> x23: ffffcd07a50ab2e8 x22: 1ffff00010536ec0 x21: dfff800000000000
> x20: ffffcd07a50ab2f0 x19: ffffcd07a50ab2f0 x18: 0000000000000000
> x17: 0000000000000000 x16: 0000000000000000 x15: ffffcd07c24b6764
> x14: ffffcd07c24b63c0 x13: ffffcd07c4cebb94 x12: ffff700010536ec7
> x11: 1ffff00010536ec6 x10: ffff700010536ec6 x9 : dfff800000000000
> x8 : 00008fffefac913a x7 : 0000000041b58ab3 x6 : 0000000000000000
> x5 : 1ffff00010536ec5 x4 : ffff8000829b7628 x3 : dfff800000000000
> x2 : ffffff341e942a80 x1 : ffffcd07a50aa000 x0 : fffffc0000000000
> Call trace:
> kfree+0x2c/0x70
> kunit_free_suite_set+0xcc/0x13c
> kunit_module_notify+0xd8/0x360
> blocking_notifier_call_chain+0xc4/0x128
> load_module+0x382c/0x44a4
> init_module_from_file+0xd4/0x128
> idempotent_init_module+0x2c8/0x524
> __arm64_sys_finit_module+0xac/0x100
> invoke_syscall+0x6c/0x258
> el0_svc_common.constprop.0+0x160/0x22c
> do_el0_svc+0x44/0x5c
> el0_svc+0x38/0x78
> el0t_64_sync_handler+0x13c/0x158
> el0t_64_sync+0x190/0x194
> Code: aa0003e1 b25657e0 d34cfc42 8b021802 (f9400440)
> ---[ end trace 0000000000000000 ]---
> Kernel panic - not syncing: Oops: Fatal exception
> SMP: stopping secondary CPUs
> Kernel Offset: 0x4d0742200000 from 0xffff800080000000
> PHYS_OFFSET: 0xffffee43c0000000
> CPU features: 0x88000203,3c020000,1000421b
> Memory Limit: none
> Rebooting in 1 seconds..
>
> Fixes: 3d6e44623841 ("kunit: unify module and builtin suite definitions")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
Nice catch, thanks. I'm not seeing the actual panic here (with a quick
hack to fail module loading), but the patch looks sound.
I suspect we may want to split the module loading up into separate
'init' and 'run' phases, tied to MODULE_STATE_COMING and
MODULE_STATE_LIVE respectively, at some point (perhaps when the
planned support for triggering tests from userspace is done), but this
is a good fix in the meantime,
Reviewed-by: David Gow <davidgow@google.com>
Cheers,
-- David
> lib/kunit/test.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/kunit/test.c b/lib/kunit/test.c
> index 49698a168437..421f13981412 100644
> --- a/lib/kunit/test.c
> +++ b/lib/kunit/test.c
> @@ -784,12 +784,13 @@ static int kunit_module_notify(struct notifier_block *nb, unsigned long val,
>
> switch (val) {
> case MODULE_STATE_LIVE:
> - kunit_module_init(mod);
> break;
> case MODULE_STATE_GOING:
> kunit_module_exit(mod);
> break;
> case MODULE_STATE_COMING:
> + kunit_module_init(mod);
> + break;
> case MODULE_STATE_UNFORMED:
> break;
> }
> --
> 2.34.1
>
> --
> You received this message because you are subscribed to the Google Groups "KUnit Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kunit-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kunit-dev/20230831071655.2907683-2-ruanjinjie%40huawei.com.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/4] kunit: Fix possible null-ptr-deref in kunit_parse_glob_filter()
2023-08-31 7:16 ` [PATCH 2/4] kunit: Fix possible null-ptr-deref in kunit_parse_glob_filter() Jinjie Ruan
2023-08-31 20:34 ` Rae Moar
@ 2023-09-01 5:18 ` David Gow
1 sibling, 0 replies; 14+ messages in thread
From: David Gow @ 2023-09-01 5:18 UTC (permalink / raw)
To: Jinjie Ruan
Cc: brendan.higgins, skhan, jk, dlatypov, rmoar, linux-kselftest, kunit-dev
On Thu, 31 Aug 2023 at 15:17, 'Jinjie Ruan' via KUnit Development
<kunit-dev@googlegroups.com> wrote:
>
> Inject fault while probing kunit-example-test.ko, if kzalloc fails
> in kunit_parse_glob_filter(), strcpy() or strncpy() to NULL will
> cause below null-ptr-deref bug. So check NULL for kzalloc() and
> return int instead of void for kunit_parse_glob_filter().
>
> Unable to handle kernel paging request at virtual address dfff800000000000
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> Mem abort info:
> ESR = 0x0000000096000005
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x05: level 1 translation fault
> Data abort info:
> ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [dfff800000000000] address between user and kernel address ranges
> Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
> Modules linked in: kunit_example_test cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: kunit_example_test]
> CPU: 4 PID: 6047 Comm: modprobe Tainted: G W N 6.5.0-next-20230829+ #141
> Hardware name: linux,dummy-virt (DT)
> pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : strncpy+0x58/0xc0
> lr : kunit_filter_suites+0x15c/0xa84
> sp : ffff800082a17420
> x29: ffff800082a17420 x28: 0000000000000000 x27: 0000000000000004
> x26: 0000000000000000 x25: ffffa847e40a5320 x24: 0000000000000001
> x23: 0000000000000000 x22: 0000000000000001 x21: dfff800000000000
> x20: 000000000000002a x19: 0000000000000000 x18: 00000000750b3b54
> x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
> x14: 0000000000000000 x13: 34393178302f3039 x12: ffff7508fcea4ec1
> x11: 1ffff508fcea4ec0 x10: ffff7508fcea4ec0 x9 : dfff800000000000
> x8 : ffff6051b1a7f86a x7 : ffff800082a17270 x6 : 0000000000000002
> x5 : 0000000000000098 x4 : ffff028d9817b250 x3 : 0000000000000000
> x2 : 0000000000000000 x1 : ffffa847e40a5320 x0 : 0000000000000000
> Call trace:
> strncpy+0x58/0xc0
> kunit_filter_suites+0x15c/0xa84
> kunit_module_notify+0x1b0/0x3ac
> blocking_notifier_call_chain+0xc4/0x128
> do_init_module+0x250/0x594
> load_module+0x37b0/0x44b4
> init_module_from_file+0xd4/0x128
> idempotent_init_module+0x2c8/0x524
> __arm64_sys_finit_module+0xac/0x100
> invoke_syscall+0x6c/0x258
> el0_svc_common.constprop.0+0x160/0x22c
> do_el0_svc+0x44/0x5c
> el0_svc+0x38/0x78
> el0t_64_sync_handler+0x13c/0x158
> el0t_64_sync+0x190/0x194
> Code: 5400028a d343fe63 12000a62 39400034 (38f56863)
> ---[ end trace 0000000000000000 ]---
> Kernel panic - not syncing: Oops: Fatal exception
> SMP: stopping secondary CPUs
> Kernel Offset: 0x284761400000 from 0xffff800080000000
> PHYS_OFFSET: 0xfffffd7380000000
> CPU features: 0x88000203,3c020000,1000421b
> Memory Limit: none
> Rebooting in 1 seconds..
>
> Fixes: a127b154a8f2 ("kunit: tool: allow filtering test cases via glob")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
Looks sensible to me! Thanks for catching it.
Reviewed-by: David Gow <davidgow@google.com>
Cheers,
-- David
> lib/kunit/executor.c | 25 +++++++++++++++++++++----
> 1 file changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
> index 5181aa2e760b..25ce8d6e5fe7 100644
> --- a/lib/kunit/executor.c
> +++ b/lib/kunit/executor.c
> @@ -65,7 +65,7 @@ struct kunit_glob_filter {
> };
>
> /* Split "suite_glob.test_glob" into two. Assumes filter_glob is not empty. */
> -static void kunit_parse_glob_filter(struct kunit_glob_filter *parsed,
> +static int kunit_parse_glob_filter(struct kunit_glob_filter *parsed,
> const char *filter_glob)
> {
> const int len = strlen(filter_glob);
> @@ -73,16 +73,28 @@ static void kunit_parse_glob_filter(struct kunit_glob_filter *parsed,
>
> if (!period) {
> parsed->suite_glob = kzalloc(len + 1, GFP_KERNEL);
> + if (!parsed->suite_glob)
> + return -ENOMEM;
> +
> parsed->test_glob = NULL;
> strcpy(parsed->suite_glob, filter_glob);
> - return;
> + return 0;
> }
>
> parsed->suite_glob = kzalloc(period - filter_glob + 1, GFP_KERNEL);
> + if (!parsed->suite_glob)
> + return -ENOMEM;
> +
> parsed->test_glob = kzalloc(len - (period - filter_glob) + 1, GFP_KERNEL);
> + if (!parsed->test_glob) {
> + kfree(parsed->suite_glob);
> + return -ENOMEM;
> + }
>
> strncpy(parsed->suite_glob, filter_glob, period - filter_glob);
> strncpy(parsed->test_glob, period + 1, len - (period - filter_glob));
> +
> + return 0;
> }
>
> /* Create a copy of suite with only tests that match test_glob. */
> @@ -152,8 +164,13 @@ kunit_filter_suites(const struct kunit_suite_set *suite_set,
> }
> copy_start = copy;
>
> - if (filter_glob)
> - kunit_parse_glob_filter(&parsed_glob, filter_glob);
> + if (filter_glob) {
> + *err = kunit_parse_glob_filter(&parsed_glob, filter_glob);
> + if (*err) {
> + kfree(copy);
> + return filtered;
> + }
> + }
>
> /* Parse attribute filters */
> if (filters) {
> --
> 2.34.1
>
> --
> You received this message because you are subscribed to the Google Groups "KUnit Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kunit-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kunit-dev/20230831071655.2907683-3-ruanjinjie%40huawei.com.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 3/4] kunit: Fix possible memory leak in kunit_filter_suites()
2023-08-31 7:16 ` [PATCH 3/4] kunit: Fix possible memory leak in kunit_filter_suites() Jinjie Ruan
2023-08-31 21:01 ` Rae Moar
@ 2023-09-01 5:18 ` David Gow
1 sibling, 0 replies; 14+ messages in thread
From: David Gow @ 2023-09-01 5:18 UTC (permalink / raw)
To: Jinjie Ruan
Cc: brendan.higgins, skhan, jk, dlatypov, rmoar, linux-kselftest, kunit-dev
[-- Attachment #1: Type: text/plain, Size: 2671 bytes --]
On Thu, 31 Aug 2023 at 15:17, 'Jinjie Ruan' via KUnit Development
<kunit-dev@googlegroups.com> wrote:
>
> If both filter_glob and filters are not NULL, and kunit_parse_glob_filter()
> succeed, but kcalloc parsed_filters fails, the suite_glob and test_glob of
> parsed kzalloc in kunit_parse_glob_filter() will be leaked.
>
> Fixes: 1c9fd080dffe ("kunit: fix uninitialized variables bug in attributes filtering")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
As Rae points out, I don't think this is correct. If filter_count is
non-zero, but parsed_filters is NULL due to an allocation failure,
we'll still end up trying to kfree() a NULL pointer.
That's why this didn't goto err; before: we explicitly _don't_ want to
free parsed_filters here. We could set filter_count = 0 before goto
err, but I think either wrapping the kfree() call in if
(parsed_filters), or
Indeed, this may be the case for most of the cleanup here: we're
checking if we intended to allocate something (e.g., the filter_count
is nonzero, the filter_glob is set), rather than whether we
successfully allocated something, so can kfree(NULL) on failure. The
issues with ordering (that you fix in the next patch) could help if we
had several labels to jump to after each allocation, or just checking
that what we're freeing was non-NULL (and initialising them to NULL if
needed).
Thanks,
-- David
> lib/kunit/executor.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
> index 25ce8d6e5fe7..7654c09c1ab1 100644
> --- a/lib/kunit/executor.c
> +++ b/lib/kunit/executor.c
> @@ -176,10 +176,8 @@ kunit_filter_suites(const struct kunit_suite_set *suite_set,
> if (filters) {
> filter_count = kunit_get_filter_count(filters);
> parsed_filters = kcalloc(filter_count, sizeof(*parsed_filters), GFP_KERNEL);
> - if (!parsed_filters) {
> - kfree(copy);
> - return filtered;
> - }
> + if (!parsed_filters)
> + goto err;
> for (j = 0; j < filter_count; j++)
> parsed_filters[j] = kunit_next_attr_filter(&filters, err);
> if (*err)
> --
> 2.34.1
>
> --
> You received this message because you are subscribed to the Google Groups "KUnit Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kunit-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kunit-dev/20230831071655.2907683-4-ruanjinjie%40huawei.com.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4003 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 4/4] kunit: Fix the wrong error path in kunit_filter_suites()
2023-08-31 7:16 ` [PATCH 4/4] kunit: Fix the wrong error path " Jinjie Ruan
2023-08-31 21:03 ` Rae Moar
@ 2023-09-01 5:18 ` David Gow
2023-09-03 6:37 ` Ruan Jinjie
1 sibling, 1 reply; 14+ messages in thread
From: David Gow @ 2023-09-01 5:18 UTC (permalink / raw)
To: Jinjie Ruan
Cc: brendan.higgins, skhan, jk, dlatypov, rmoar, linux-kselftest, kunit-dev
[-- Attachment #1: Type: text/plain, Size: 2326 bytes --]
On Thu, 31 Aug 2023 at 15:17, 'Jinjie Ruan' via KUnit Development
<kunit-dev@googlegroups.com> wrote:
>
> Take the last kfree(parsed_filters) and add it to be the first. Take
> the first kfree(copy) and add it to be the last. The Best practice is to
> return these errors reversely.
>
> Fixes: 529534e8cba3 ("kunit: Add ability to filter attributes")
> Fixes: abbf73816b6f ("kunit: fix possible memory leak in kunit_filter_suites()")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
Agreed, these should be freed in reverse order.
Would it make sense to initialise 'copy' to NULL, and free it if (copy
!= NULL), rather than if (*err)? As mentioned in the previous patch, I
think that'd be more correct.
We could also have several labels which target only the things which
actually have been allocated so far.
Thoughts?
-- David
> lib/kunit/executor.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
> index 7654c09c1ab1..da9444d22711 100644
> --- a/lib/kunit/executor.c
> +++ b/lib/kunit/executor.c
> @@ -229,16 +229,16 @@ kunit_filter_suites(const struct kunit_suite_set *suite_set,
> filtered.end = copy;
>
> err:
> - if (*err)
> - kfree(copy);
> + if (filter_count)
> + kfree(parsed_filters);
>
> if (filter_glob) {
> kfree(parsed_glob.suite_glob);
> kfree(parsed_glob.test_glob);
> }
I think this might also be potentially broken. If
parsed_glob.{suite,test}_glob are not successfully allocated,
filter_glob will still be set, and we'll kfree() something invalid.
Should we also init parsed_glob.* to NULL, and free them if non-NULL,
rather than relying on the presence of filter_glob?
>
> - if (filter_count)
> - kfree(parsed_filters);
> + if (*err)
> + kfree(copy);
>
> return filtered;
> }
> --
> 2.34.1
>
> --
> You received this message because you are subscribed to the Google Groups "KUnit Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kunit-dev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kunit-dev/20230831071655.2907683-5-ruanjinjie%40huawei.com.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4003 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 4/4] kunit: Fix the wrong error path in kunit_filter_suites()
2023-09-01 5:18 ` David Gow
@ 2023-09-03 6:37 ` Ruan Jinjie
0 siblings, 0 replies; 14+ messages in thread
From: Ruan Jinjie @ 2023-09-03 6:37 UTC (permalink / raw)
To: David Gow
Cc: brendan.higgins, skhan, jk, dlatypov, rmoar, linux-kselftest, kunit-dev
On 2023/9/1 13:18, David Gow wrote:
> On Thu, 31 Aug 2023 at 15:17, 'Jinjie Ruan' via KUnit Development
> <kunit-dev@googlegroups.com> wrote:
>>
>> Take the last kfree(parsed_filters) and add it to be the first. Take
>> the first kfree(copy) and add it to be the last. The Best practice is to
>> return these errors reversely.
>>
>> Fixes: 529534e8cba3 ("kunit: Add ability to filter attributes")
>> Fixes: abbf73816b6f ("kunit: fix possible memory leak in kunit_filter_suites()")
>> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
>> ---
>
> Agreed, these should be freed in reverse order.
>
> Would it make sense to initialise 'copy' to NULL, and free it if (copy
> != NULL), rather than if (*err)? As mentioned in the previous patch, I
> think that'd be more correct.
There is a problem because the normal return also go through the all err
paths but 'copy' is not NULL and should not be freed.
>
> We could also have several labels which target only the things which
> actually have been allocated so far.
That's a good idea!
>
> Thoughts?
> -- David
>
>> lib/kunit/executor.c | 8 ++++----
>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
>> index 7654c09c1ab1..da9444d22711 100644
>> --- a/lib/kunit/executor.c
>> +++ b/lib/kunit/executor.c
>> @@ -229,16 +229,16 @@ kunit_filter_suites(const struct kunit_suite_set *suite_set,
>> filtered.end = copy;
>>
>> err:
>> - if (*err)
>> - kfree(copy);
>> + if (filter_count)
>> + kfree(parsed_filters);
>>
>> if (filter_glob) {
>> kfree(parsed_glob.suite_glob);
>> kfree(parsed_glob.test_glob);
>> }
>
> I think this might also be potentially broken. If
> parsed_glob.{suite,test}_glob are not successfully allocated,
> filter_glob will still be set, and we'll kfree() something invalid.
> Should we also init parsed_glob.* to NULL, and free them if non-NULL,
> rather than relying on the presence of filter_glob?
if not successsfully allocated, it will be NULL and kfree NULL is ok.
>
>
>
>>
>> - if (filter_count)
>> - kfree(parsed_filters);
>> + if (*err)
>> + kfree(copy);
>>
>> return filtered;
>> }
>> --
>> 2.34.1
>>
>> --
>> You received this message because you are subscribed to the Google Groups "KUnit Development" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to kunit-dev+unsubscribe@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/kunit-dev/20230831071655.2907683-5-ruanjinjie%40huawei.com.
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2023-09-03 6:37 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-31 7:16 [PATCH 0/4] kunit: Fix some bugs in kunit_filter_suites() Jinjie Ruan
2023-08-31 7:16 ` [PATCH 1/4] kunit: Fix wild-memory-access bug in kunit_free_suite_set() Jinjie Ruan
2023-08-31 20:29 ` Rae Moar
2023-09-01 5:17 ` David Gow
2023-08-31 7:16 ` [PATCH 2/4] kunit: Fix possible null-ptr-deref in kunit_parse_glob_filter() Jinjie Ruan
2023-08-31 20:34 ` Rae Moar
2023-09-01 5:18 ` David Gow
2023-08-31 7:16 ` [PATCH 3/4] kunit: Fix possible memory leak in kunit_filter_suites() Jinjie Ruan
2023-08-31 21:01 ` Rae Moar
2023-09-01 5:18 ` David Gow
2023-08-31 7:16 ` [PATCH 4/4] kunit: Fix the wrong error path " Jinjie Ruan
2023-08-31 21:03 ` Rae Moar
2023-09-01 5:18 ` David Gow
2023-09-03 6:37 ` Ruan Jinjie
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.