* Re: [PATCH] kasan: add atomic tests
2024-02-02 11:32 ` [PATCH] " Paul Heidekrüger
@ 2024-02-05 14:08 ` Marco Elver
2024-02-05 16:01 ` Mark Rutland
` (2 subsequent siblings)
3 siblings, 0 replies; 13+ messages in thread
From: Marco Elver @ 2024-02-05 14:08 UTC (permalink / raw)
To: Paul Heidekrüger
Cc: akpm, andreyknvl, dvyukov, glider, kasan-dev, linux-kernel,
linux-mm, ryabinin.a.a, vincenzo.frascino
On Fri, 2 Feb 2024 at 12:33, Paul Heidekrüger <paul.heidekrueger@tum.de> wrote:
>
> Test that KASan can detect some unsafe atomic accesses.
>
> As discussed in the linked thread below, these tests attempt to cover
> the most common uses of atomics and, therefore, aren't exhaustive.
>
> CC: Marco Elver <elver@google.com>
> CC: Andrey Konovalov <andreyknvl@gmail.com>
> Link: https://lore.kernel.org/all/20240131210041.686657-1-paul.heidekrueger@tum.de/T/#u
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214055
> Signed-off-by: Paul Heidekrüger <paul.heidekrueger@tum.de>
Reviewed-by: Marco Elver <elver@google.com>
Tested-by: Marco Elver <elver@google.com>
Thank you.
> ---
> Changes PATCH RFC v2 -> PATCH v1:
> * Remove casts to void*
> * Remove i_safe variable
> * Add atomic_long_* test cases
> * Carry over comment from kasan_bitops_tags()
>
> Changes PATCH RFC v1 -> PATCH RFC v2:
> * Adjust size of allocations to make kasan_atomics() work with all KASan modes
> * Remove comments and move tests closer to the bitops tests
> * For functions taking two addresses as an input, test each address in a separate function call.
> * Rename variables for clarity
> * Add tests for READ_ONCE(), WRITE_ONCE(), smp_load_acquire() and smp_store_release()
>
> mm/kasan/kasan_test.c | 79 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 79 insertions(+)
>
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
> index 8281eb42464b..4ef2280c322c 100644
> --- a/mm/kasan/kasan_test.c
> +++ b/mm/kasan/kasan_test.c
> @@ -1150,6 +1150,84 @@ static void kasan_bitops_tags(struct kunit *test)
> kfree(bits);
> }
>
> +static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
> +{
> + int *i_unsafe = (int *)unsafe;
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
> +}
> +
> +static void kasan_atomics(struct kunit *test)
> +{
> + void *a1, *a2;
> +
> + /*
> + * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
> + * that the following 16 bytes will make up the redzone.
> + */
> + a1 = kzalloc(48, GFP_KERNEL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
> + a2 = kzalloc(sizeof(int), GFP_KERNEL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
> +
> + /* Use atomics to access the redzone. */
> + kasan_atomics_helper(test, a1 + 48, a2);
> +
> + kfree(a1);
> + kfree(a2);
> +}
> +
> static void kmalloc_double_kzfree(struct kunit *test)
> {
> char *ptr;
> @@ -1553,6 +1631,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(kasan_strings),
> KUNIT_CASE(kasan_bitops_generic),
> KUNIT_CASE(kasan_bitops_tags),
> + KUNIT_CASE(kasan_atomics),
> KUNIT_CASE(kmalloc_double_kzfree),
> KUNIT_CASE(rcu_uaf),
> KUNIT_CASE(workqueue_uaf),
> --
> 2.40.1
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] kasan: add atomic tests
2024-02-02 11:32 ` [PATCH] " Paul Heidekrüger
2024-02-05 14:08 ` Marco Elver
@ 2024-02-05 16:01 ` Mark Rutland
2024-02-05 21:00 ` Andrey Konovalov
2024-02-11 9:17 ` [PATCH v2] " Paul Heidekrüger
3 siblings, 0 replies; 13+ messages in thread
From: Mark Rutland @ 2024-02-05 16:01 UTC (permalink / raw)
To: Paul Heidekr"uger
Cc: elver, akpm, andreyknvl, dvyukov, glider, kasan-dev,
linux-kernel, linux-mm, ryabinin.a.a, vincenzo.frascino
On Fri, Feb 02, 2024 at 11:32:59AM +0000, Paul Heidekr"uger wrote:
> Test that KASan can detect some unsafe atomic accesses.
>
> As discussed in the linked thread below, these tests attempt to cover
> the most common uses of atomics and, therefore, aren't exhaustive.
>
> CC: Marco Elver <elver@google.com>
> CC: Andrey Konovalov <andreyknvl@gmail.com>
> Link: https://lore.kernel.org/all/20240131210041.686657-1-paul.heidekrueger@tum.de/T/#u
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214055
> Signed-off-by: Paul Heidekr"uger <paul.heidekrueger@tum.de>
> ---
> Changes PATCH RFC v2 -> PATCH v1:
> * Remove casts to void*
> * Remove i_safe variable
> * Add atomic_long_* test cases
> * Carry over comment from kasan_bitops_tags()
>
> Changes PATCH RFC v1 -> PATCH RFC v2:
> * Adjust size of allocations to make kasan_atomics() work with all KASan modes
> * Remove comments and move tests closer to the bitops tests
> * For functions taking two addresses as an input, test each address in a separate function call.
> * Rename variables for clarity
> * Add tests for READ_ONCE(), WRITE_ONCE(), smp_load_acquire() and smp_store_release()
>
> mm/kasan/kasan_test.c | 79 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 79 insertions(+)
>
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
> index 8281eb42464b..4ef2280c322c 100644
> --- a/mm/kasan/kasan_test.c
> +++ b/mm/kasan/kasan_test.c
> @@ -1150,6 +1150,84 @@ static void kasan_bitops_tags(struct kunit *test)
> kfree(bits);
> }
>
> +static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
> +{
> + int *i_unsafe = (int *)unsafe;
Minor nit: you don't need the cast here either.
Regardless:
Acked-by: Mark Rutland <mark.rutland@arm.com>
Mark.
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
> +}
> +
> +static void kasan_atomics(struct kunit *test)
> +{
> + void *a1, *a2;
> +
> + /*
> + * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
> + * that the following 16 bytes will make up the redzone.
> + */
> + a1 = kzalloc(48, GFP_KERNEL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
> + a2 = kzalloc(sizeof(int), GFP_KERNEL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
> +
> + /* Use atomics to access the redzone. */
> + kasan_atomics_helper(test, a1 + 48, a2);
> +
> + kfree(a1);
> + kfree(a2);
> +}
> +
> static void kmalloc_double_kzfree(struct kunit *test)
> {
> char *ptr;
> @@ -1553,6 +1631,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(kasan_strings),
> KUNIT_CASE(kasan_bitops_generic),
> KUNIT_CASE(kasan_bitops_tags),
> + KUNIT_CASE(kasan_atomics),
> KUNIT_CASE(kmalloc_double_kzfree),
> KUNIT_CASE(rcu_uaf),
> KUNIT_CASE(workqueue_uaf),
> --
> 2.40.1
>
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] kasan: add atomic tests
2024-02-02 11:32 ` [PATCH] " Paul Heidekrüger
2024-02-05 14:08 ` Marco Elver
2024-02-05 16:01 ` Mark Rutland
@ 2024-02-05 21:00 ` Andrey Konovalov
2024-02-11 9:11 ` Paul Heidekrüger
2024-02-11 9:17 ` [PATCH v2] " Paul Heidekrüger
3 siblings, 1 reply; 13+ messages in thread
From: Andrey Konovalov @ 2024-02-05 21:00 UTC (permalink / raw)
To: Paul Heidekrüger
Cc: elver, akpm, dvyukov, glider, kasan-dev, linux-kernel, linux-mm,
ryabinin.a.a, vincenzo.frascino
On Fri, Feb 2, 2024 at 12:33 PM Paul Heidekrüger
<paul.heidekrueger@tum.de> wrote:
>
> Test that KASan can detect some unsafe atomic accesses.
>
> As discussed in the linked thread below, these tests attempt to cover
> the most common uses of atomics and, therefore, aren't exhaustive.
>
> CC: Marco Elver <elver@google.com>
> CC: Andrey Konovalov <andreyknvl@gmail.com>
> Link: https://lore.kernel.org/all/20240131210041.686657-1-paul.heidekrueger@tum.de/T/#u
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214055
> Signed-off-by: Paul Heidekrüger <paul.heidekrueger@tum.de>
> ---
> Changes PATCH RFC v2 -> PATCH v1:
> * Remove casts to void*
> * Remove i_safe variable
> * Add atomic_long_* test cases
> * Carry over comment from kasan_bitops_tags()
>
> Changes PATCH RFC v1 -> PATCH RFC v2:
> * Adjust size of allocations to make kasan_atomics() work with all KASan modes
> * Remove comments and move tests closer to the bitops tests
> * For functions taking two addresses as an input, test each address in a separate function call.
> * Rename variables for clarity
> * Add tests for READ_ONCE(), WRITE_ONCE(), smp_load_acquire() and smp_store_release()
>
> mm/kasan/kasan_test.c | 79 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 79 insertions(+)
>
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
> index 8281eb42464b..4ef2280c322c 100644
> --- a/mm/kasan/kasan_test.c
> +++ b/mm/kasan/kasan_test.c
> @@ -1150,6 +1150,84 @@ static void kasan_bitops_tags(struct kunit *test)
> kfree(bits);
> }
>
> +static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
> +{
> + int *i_unsafe = (int *)unsafe;
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
> +}
> +
> +static void kasan_atomics(struct kunit *test)
> +{
> + void *a1, *a2;
> +
> + /*
> + * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
> + * that the following 16 bytes will make up the redzone.
> + */
> + a1 = kzalloc(48, GFP_KERNEL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
> + a2 = kzalloc(sizeof(int), GFP_KERNEL);
I think this should be sizeof(atomic_long_t) or sizeof(long),
otherwise a2 will not work as the safe argument for
atomic_long_try_cmpxchg on 64-bit architectures.
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
> +
> + /* Use atomics to access the redzone. */
> + kasan_atomics_helper(test, a1 + 48, a2);
> +
> + kfree(a1);
> + kfree(a2);
> +}
> +
> static void kmalloc_double_kzfree(struct kunit *test)
> {
> char *ptr;
> @@ -1553,6 +1631,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(kasan_strings),
> KUNIT_CASE(kasan_bitops_generic),
> KUNIT_CASE(kasan_bitops_tags),
> + KUNIT_CASE(kasan_atomics),
> KUNIT_CASE(kmalloc_double_kzfree),
> KUNIT_CASE(rcu_uaf),
> KUNIT_CASE(workqueue_uaf),
> --
> 2.40.1
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] kasan: add atomic tests
2024-02-05 21:00 ` Andrey Konovalov
@ 2024-02-11 9:11 ` Paul Heidekrüger
0 siblings, 0 replies; 13+ messages in thread
From: Paul Heidekrüger @ 2024-02-11 9:11 UTC (permalink / raw)
To: Andrey Konovalov
Cc: elver, akpm, dvyukov, glider, kasan-dev, linux-kernel, linux-mm,
ryabinin.a.a, vincenzo.frascino
On 05.02.2024 22:00, Andrey Konovalov wrote:
> On Fri, Feb 2, 2024 at 12:33 PM Paul Heidekrüger
> <paul.heidekrueger@tum.de> wrote:
> >
> > Test that KASan can detect some unsafe atomic accesses.
> >
> > As discussed in the linked thread below, these tests attempt to cover
> > the most common uses of atomics and, therefore, aren't exhaustive.
> >
> > CC: Marco Elver <elver@google.com>
> > CC: Andrey Konovalov <andreyknvl@gmail.com>
> > Link: https://lore.kernel.org/all/20240131210041.686657-1-paul.heidekrueger@tum.de/T/#u
> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214055
> > Signed-off-by: Paul Heidekrüger <paul.heidekrueger@tum.de>
> > ---
> > Changes PATCH RFC v2 -> PATCH v1:
> > * Remove casts to void*
> > * Remove i_safe variable
> > * Add atomic_long_* test cases
> > * Carry over comment from kasan_bitops_tags()
> >
> > Changes PATCH RFC v1 -> PATCH RFC v2:
> > * Adjust size of allocations to make kasan_atomics() work with all KASan modes
> > * Remove comments and move tests closer to the bitops tests
> > * For functions taking two addresses as an input, test each address in a separate function call.
> > * Rename variables for clarity
> > * Add tests for READ_ONCE(), WRITE_ONCE(), smp_load_acquire() and smp_store_release()
> >
> > mm/kasan/kasan_test.c | 79 +++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 79 insertions(+)
> >
> > diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
> > index 8281eb42464b..4ef2280c322c 100644
> > --- a/mm/kasan/kasan_test.c
> > +++ b/mm/kasan/kasan_test.c
> > @@ -1150,6 +1150,84 @@ static void kasan_bitops_tags(struct kunit *test)
> > kfree(bits);
> > }
> >
> > +static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
> > +{
> > + int *i_unsafe = (int *)unsafe;
> > +
> > + KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));
> > +
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
> > +
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
> > +}
> > +
> > +static void kasan_atomics(struct kunit *test)
> > +{
> > + void *a1, *a2;
> > +
> > + /*
> > + * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
> > + * that the following 16 bytes will make up the redzone.
> > + */
> > + a1 = kzalloc(48, GFP_KERNEL);
> > + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
> > + a2 = kzalloc(sizeof(int), GFP_KERNEL);
>
> I think this should be sizeof(atomic_long_t) or sizeof(long),
> otherwise a2 will not work as the safe argument for
> atomic_long_try_cmpxchg on 64-bit architectures.
Ah, good catch!
> > + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
> > +
> > + /* Use atomics to access the redzone. */
> > + kasan_atomics_helper(test, a1 + 48, a2);
> > +
> > + kfree(a1);
> > + kfree(a2);
> > +}
> > +
> > static void kmalloc_double_kzfree(struct kunit *test)
> > {
> > char *ptr;
> > @@ -1553,6 +1631,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> > KUNIT_CASE(kasan_strings),
> > KUNIT_CASE(kasan_bitops_generic),
> > KUNIT_CASE(kasan_bitops_tags),
> > + KUNIT_CASE(kasan_atomics),
> > KUNIT_CASE(kmalloc_double_kzfree),
> > KUNIT_CASE(rcu_uaf),
> > KUNIT_CASE(workqueue_uaf),
> > --
> > 2.40.1
> >
I'll be sending a v2 patch right away.
Thank you Marco, Mark, and Andrey!
Paul
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH v2] kasan: add atomic tests
2024-02-02 11:32 ` [PATCH] " Paul Heidekrüger
` (2 preceding siblings ...)
2024-02-05 21:00 ` Andrey Konovalov
@ 2024-02-11 9:17 ` Paul Heidekrüger
2024-02-11 23:16 ` Andrey Konovalov
2024-02-12 8:33 ` [PATCH v3] " Paul Heidekrüger
3 siblings, 2 replies; 13+ messages in thread
From: Paul Heidekrüger @ 2024-02-11 9:17 UTC (permalink / raw)
To: paul.heidekrueger
Cc: akpm, andreyknvl, dvyukov, elver, glider, kasan-dev,
linux-kernel, linux-mm, ryabinin.a.a, vincenzo.frascino,
Mark Rutland
Test that KASan can detect some unsafe atomic accesses.
As discussed in the linked thread below, these tests attempt to cover
the most common uses of atomics and, therefore, aren't exhaustive.
CC: Marco Elver <elver@google.com>
CC: Andrey Konovalov <andreyknvl@gmail.com>
Link: https://lore.kernel.org/all/20240131210041.686657-1-paul.heidekrueger@tum.de/T/#u
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214055
Reviewed-by: Marco Elver <elver@google.com>
Tested-by: Marco Elver <elver@google.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Paul Heidekrüger <paul.heidekrueger@tum.de>
---
Changes PATCH v1 -> PATCH v2:
* Make explicit cast implicit as per Mark's feedback
* Increase the size of the "a2" allocation as per Andrey's feedback
* Add tags
Changes PATCH RFC v2 -> PATCH v1:
* Remove casts to void*
* Remove i_safe variable
* Add atomic_long_* test cases
* Carry over comment from kasan_bitops_tags()
Changes PATCH RFC v1 -> PATCH RFC v2:
* Adjust size of allocations to make kasan_atomics() work with all KASan modes
* Remove comments and move tests closer to the bitops tests
* For functions taking two addresses as an input, test each address in a separate function call.
* Rename variables for clarity
* Add tests for READ_ONCE(), WRITE_ONCE(), smp_load_acquire() and smp_store_release()
mm/kasan/kasan_test.c | 79 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
index 8281eb42464b..7bf09699b145 100644
--- a/mm/kasan/kasan_test.c
+++ b/mm/kasan/kasan_test.c
@@ -1150,6 +1150,84 @@ static void kasan_bitops_tags(struct kunit *test)
kfree(bits);
}
+static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
+{
+ int *i_unsafe = unsafe;
+
+ KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));
+
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
+
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
+}
+
+static void kasan_atomics(struct kunit *test)
+{
+ void *a1, *a2;
+
+ /*
+ * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
+ * that the following 16 bytes will make up the redzone.
+ */
+ a1 = kzalloc(48, GFP_KERNEL);
+ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
+ a2 = kzalloc(sizeof(atomic_long_t), GFP_KERNEL);
+ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
+
+ /* Use atomics to access the redzone. */
+ kasan_atomics_helper(test, a1 + 48, a2);
+
+ kfree(a1);
+ kfree(a2);
+}
+
static void kmalloc_double_kzfree(struct kunit *test)
{
char *ptr;
@@ -1553,6 +1631,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
KUNIT_CASE(kasan_strings),
KUNIT_CASE(kasan_bitops_generic),
KUNIT_CASE(kasan_bitops_tags),
+ KUNIT_CASE(kasan_atomics),
KUNIT_CASE(kmalloc_double_kzfree),
KUNIT_CASE(rcu_uaf),
KUNIT_CASE(workqueue_uaf),
--
2.40.1
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH v2] kasan: add atomic tests
2024-02-11 9:17 ` [PATCH v2] " Paul Heidekrüger
@ 2024-02-11 23:16 ` Andrey Konovalov
2024-02-12 8:37 ` Paul Heidekrüger
2024-02-12 8:33 ` [PATCH v3] " Paul Heidekrüger
1 sibling, 1 reply; 13+ messages in thread
From: Andrey Konovalov @ 2024-02-11 23:16 UTC (permalink / raw)
To: Paul Heidekrüger
Cc: akpm, dvyukov, elver, glider, kasan-dev, linux-kernel, linux-mm,
ryabinin.a.a, vincenzo.frascino, Mark Rutland
On Sun, Feb 11, 2024 at 10:17 AM Paul Heidekrüger
<paul.heidekrueger@tum.de> wrote:
>
> Test that KASan can detect some unsafe atomic accesses.
>
> As discussed in the linked thread below, these tests attempt to cover
> the most common uses of atomics and, therefore, aren't exhaustive.
>
> CC: Marco Elver <elver@google.com>
> CC: Andrey Konovalov <andreyknvl@gmail.com>
> Link: https://lore.kernel.org/all/20240131210041.686657-1-paul.heidekrueger@tum.de/T/#u
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214055
> Reviewed-by: Marco Elver <elver@google.com>
> Tested-by: Marco Elver <elver@google.com>
> Acked-by: Mark Rutland <mark.rutland@arm.com>
> Signed-off-by: Paul Heidekrüger <paul.heidekrueger@tum.de>
> ---
> Changes PATCH v1 -> PATCH v2:
> * Make explicit cast implicit as per Mark's feedback
> * Increase the size of the "a2" allocation as per Andrey's feedback
> * Add tags
>
> Changes PATCH RFC v2 -> PATCH v1:
> * Remove casts to void*
> * Remove i_safe variable
> * Add atomic_long_* test cases
> * Carry over comment from kasan_bitops_tags()
>
> Changes PATCH RFC v1 -> PATCH RFC v2:
> * Adjust size of allocations to make kasan_atomics() work with all KASan modes
> * Remove comments and move tests closer to the bitops tests
> * For functions taking two addresses as an input, test each address in a separate function call.
> * Rename variables for clarity
> * Add tests for READ_ONCE(), WRITE_ONCE(), smp_load_acquire() and smp_store_release()
>
> mm/kasan/kasan_test.c | 79 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 79 insertions(+)
>
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
> index 8281eb42464b..7bf09699b145 100644
> --- a/mm/kasan/kasan_test.c
> +++ b/mm/kasan/kasan_test.c
> @@ -1150,6 +1150,84 @@ static void kasan_bitops_tags(struct kunit *test)
> kfree(bits);
> }
>
> +static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
> +{
> + int *i_unsafe = unsafe;
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
> +
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
> + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
> +}
> +
> +static void kasan_atomics(struct kunit *test)
> +{
> + void *a1, *a2;
> +
> + /*
> + * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
> + * that the following 16 bytes will make up the redzone.
> + */
> + a1 = kzalloc(48, GFP_KERNEL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
> + a2 = kzalloc(sizeof(atomic_long_t), GFP_KERNEL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
This should check for a2, not a1. Sorry for not spotting this before.
> +
> + /* Use atomics to access the redzone. */
> + kasan_atomics_helper(test, a1 + 48, a2);
> +
> + kfree(a1);
> + kfree(a2);
> +}
> +
> static void kmalloc_double_kzfree(struct kunit *test)
> {
> char *ptr;
> @@ -1553,6 +1631,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(kasan_strings),
> KUNIT_CASE(kasan_bitops_generic),
> KUNIT_CASE(kasan_bitops_tags),
> + KUNIT_CASE(kasan_atomics),
> KUNIT_CASE(kmalloc_double_kzfree),
> KUNIT_CASE(rcu_uaf),
> KUNIT_CASE(workqueue_uaf),
> --
> 2.40.1
>
With the mentioned change:
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Thank you!
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH v2] kasan: add atomic tests
2024-02-11 23:16 ` Andrey Konovalov
@ 2024-02-12 8:37 ` Paul Heidekrüger
0 siblings, 0 replies; 13+ messages in thread
From: Paul Heidekrüger @ 2024-02-12 8:37 UTC (permalink / raw)
To: Andrey Konovalov
Cc: akpm, dvyukov, elver, glider, kasan-dev, linux-kernel, linux-mm,
ryabinin.a.a, vincenzo.frascino, Mark Rutland
On 12.02.2024 00:16, Andrey Konovalov wrote:
> On Sun, Feb 11, 2024 at 10:17 AM Paul Heidekrüger
> <paul.heidekrueger@tum.de> wrote:
> >
> > Test that KASan can detect some unsafe atomic accesses.
> >
> > As discussed in the linked thread below, these tests attempt to cover
> > the most common uses of atomics and, therefore, aren't exhaustive.
> >
> > CC: Marco Elver <elver@google.com>
> > CC: Andrey Konovalov <andreyknvl@gmail.com>
> > Link: https://lore.kernel.org/all/20240131210041.686657-1-paul.heidekrueger@tum.de/T/#u
> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214055
> > Reviewed-by: Marco Elver <elver@google.com>
> > Tested-by: Marco Elver <elver@google.com>
> > Acked-by: Mark Rutland <mark.rutland@arm.com>
> > Signed-off-by: Paul Heidekrüger <paul.heidekrueger@tum.de>
> > ---
> > Changes PATCH v1 -> PATCH v2:
> > * Make explicit cast implicit as per Mark's feedback
> > * Increase the size of the "a2" allocation as per Andrey's feedback
> > * Add tags
> >
> > Changes PATCH RFC v2 -> PATCH v1:
> > * Remove casts to void*
> > * Remove i_safe variable
> > * Add atomic_long_* test cases
> > * Carry over comment from kasan_bitops_tags()
> >
> > Changes PATCH RFC v1 -> PATCH RFC v2:
> > * Adjust size of allocations to make kasan_atomics() work with all KASan modes
> > * Remove comments and move tests closer to the bitops tests
> > * For functions taking two addresses as an input, test each address in a separate function call.
> > * Rename variables for clarity
> > * Add tests for READ_ONCE(), WRITE_ONCE(), smp_load_acquire() and smp_store_release()
> >
> > mm/kasan/kasan_test.c | 79 +++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 79 insertions(+)
> >
> > diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
> > index 8281eb42464b..7bf09699b145 100644
> > --- a/mm/kasan/kasan_test.c
> > +++ b/mm/kasan/kasan_test.c
> > @@ -1150,6 +1150,84 @@ static void kasan_bitops_tags(struct kunit *test)
> > kfree(bits);
> > }
> >
> > +static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
> > +{
> > + int *i_unsafe = unsafe;
> > +
> > + KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));
> > +
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
> > +
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
> > + KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
> > +}
> > +
> > +static void kasan_atomics(struct kunit *test)
> > +{
> > + void *a1, *a2;
> > +
> > + /*
> > + * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
> > + * that the following 16 bytes will make up the redzone.
> > + */
> > + a1 = kzalloc(48, GFP_KERNEL);
> > + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
> > + a2 = kzalloc(sizeof(atomic_long_t), GFP_KERNEL);
> > + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
>
> This should check for a2, not a1. Sorry for not spotting this before.
No need to apologise. I'm the one who made the mistake, so I'm the one who
should've spotted it in the first place :-)
> > +
> > + /* Use atomics to access the redzone. */
> > + kasan_atomics_helper(test, a1 + 48, a2);
> > +
> > + kfree(a1);
> > + kfree(a2);
> > +}
> > +
> > static void kmalloc_double_kzfree(struct kunit *test)
> > {
> > char *ptr;
> > @@ -1553,6 +1631,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> > KUNIT_CASE(kasan_strings),
> > KUNIT_CASE(kasan_bitops_generic),
> > KUNIT_CASE(kasan_bitops_tags),
> > + KUNIT_CASE(kasan_atomics),
> > KUNIT_CASE(kmalloc_double_kzfree),
> > KUNIT_CASE(rcu_uaf),
> > KUNIT_CASE(workqueue_uaf),
> > --
> > 2.40.1
> >
>
> With the mentioned change:
>
> Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
>
> Thank you!
Just sent v3.
Many thanks,
Paul
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH v3] kasan: add atomic tests
2024-02-11 9:17 ` [PATCH v2] " Paul Heidekrüger
2024-02-11 23:16 ` Andrey Konovalov
@ 2024-02-12 8:33 ` Paul Heidekrüger
1 sibling, 0 replies; 13+ messages in thread
From: Paul Heidekrüger @ 2024-02-12 8:33 UTC (permalink / raw)
To: paul.heidekrueger
Cc: akpm, andreyknvl, dvyukov, elver, glider, kasan-dev,
linux-kernel, linux-mm, mark.rutland, ryabinin.a.a,
vincenzo.frascino
Test that KASan can detect some unsafe atomic accesses.
As discussed in the linked thread below, these tests attempt to cover
the most common uses of atomics and, therefore, aren't exhaustive.
CC: Marco Elver <elver@google.com>
CC: Andrey Konovalov <andreyknvl@gmail.com>
Link: https://lore.kernel.org/all/20240131210041.686657-1-paul.heidekrueger@tum.de/T/#u
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214055
Reviewed-by: Marco Elver <elver@google.com>
Tested-by: Marco Elver <elver@google.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Paul Heidekrüger <paul.heidekrueger@tum.de>
---
Changes PATCH v2 -> PATCH v3:
* Fix the wrong variable being used when checking a2 after allocation
* Add Andrey's reviewed-by tag
Changes PATCH v1 -> PATCH v2:
* Make explicit cast implicit as per Mark's feedback
* Increase the size of the "a2" allocation as per Andrey's feedback
* Add tags
Changes PATCH RFC v2 -> PATCH v1:
* Remove casts to void*
* Remove i_safe variable
* Add atomic_long_* test cases
* Carry over comment from kasan_bitops_tags()
Changes PATCH RFC v1 -> PATCH RFC v2:
* Adjust size of allocations to make kasan_atomics() work with all KASan modes
* Remove comments and move tests closer to the bitops tests
* For functions taking two addresses as an input, test each address in a separate function call.
* Rename variables for clarity
* Add tests for READ_ONCE(), WRITE_ONCE(), smp_load_acquire() and smp_store_release()
mm/kasan/kasan_test.c | 79 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
index 8281eb42464b..7f0f87a2c3c4 100644
--- a/mm/kasan/kasan_test.c
+++ b/mm/kasan/kasan_test.c
@@ -1150,6 +1150,84 @@ static void kasan_bitops_tags(struct kunit *test)
kfree(bits);
}
+static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
+{
+ int *i_unsafe = unsafe;
+
+ KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));
+
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
+
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
+ KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
+}
+
+static void kasan_atomics(struct kunit *test)
+{
+ void *a1, *a2;
+
+ /*
+ * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
+ * that the following 16 bytes will make up the redzone.
+ */
+ a1 = kzalloc(48, GFP_KERNEL);
+ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
+ a2 = kzalloc(sizeof(atomic_long_t), GFP_KERNEL);
+ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a2);
+
+ /* Use atomics to access the redzone. */
+ kasan_atomics_helper(test, a1 + 48, a2);
+
+ kfree(a1);
+ kfree(a2);
+}
+
static void kmalloc_double_kzfree(struct kunit *test)
{
char *ptr;
@@ -1553,6 +1631,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
KUNIT_CASE(kasan_strings),
KUNIT_CASE(kasan_bitops_generic),
KUNIT_CASE(kasan_bitops_tags),
+ KUNIT_CASE(kasan_atomics),
KUNIT_CASE(kmalloc_double_kzfree),
KUNIT_CASE(rcu_uaf),
KUNIT_CASE(workqueue_uaf),
--
2.40.1
^ permalink raw reply related [flat|nested] 13+ messages in thread