linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v4 2/2] kasan: add double-free tests
@ 2016-05-29 16:17 Kuthonuzo Luruo
  2016-06-07 14:02 ` Alexander Potapenko
  0 siblings, 1 reply; 3+ messages in thread
From: Kuthonuzo Luruo @ 2016-05-29 16:17 UTC (permalink / raw)
  To: aryabinin, glider, dvyukov, cl, penberg, rientjes, iamjoonsoo.kim, akpm
  Cc: kasan-dev, linux-kernel, ynorov, kuthonuzo.luruo

This patch adds new tests for KASAN double-free error detection when the
same slab object is concurrently deallocated.

Signed-off-by: Kuthonuzo Luruo <kuthonuzo.luruo@hpe.com>
---

Changes in v4:
- There are *no* changes for v4.

Changes in v3:
- concurrent double-free test simplified to use on_each_cpu_mask() instead
  of custom threads.
- reduced #threads and removed CONFIG_SMP guards per suggestion from Dmitry
  Vyukov.

---

 lib/test_kasan.c |   47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 47 insertions(+), 0 deletions(-)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index 5e51872..0f589e7 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -411,6 +411,49 @@ static noinline void __init copy_user_test(void)
 	kfree(kmem);
 }
 
+#ifdef CONFIG_SLAB
+static void try_free(void *p)
+{
+	kfree(p);
+}
+
+static void __init kasan_double_free_concurrent(void)
+{
+#define MAX_THREADS 3
+	char *p;
+	int cpu, cnt = num_online_cpus();
+	cpumask_t mask = { CPU_BITS_NONE };
+	size_t size = 4097;     /* must be <= KMALLOC_MAX_CACHE_SIZE/2 */
+
+	if (cnt == 1)
+		return;
+	cnt = cnt < MAX_THREADS ? cnt : MAX_THREADS;
+	pr_info("concurrent double-free (%d threads)\n", cnt);
+	p = kmalloc(size, GFP_KERNEL);
+	if (!p)
+		return;
+	for_each_online_cpu(cpu) {
+		cpumask_set_cpu(cpu, &mask);
+		if (!--cnt)
+			break;
+	}
+	on_each_cpu_mask(&mask, try_free, p, 0);
+}
+
+static noinline void __init kasan_double_free(void)
+{
+	char *p;
+	size_t size = 2049;
+
+	pr_info("double-free\n");
+	p = kmalloc(size, GFP_KERNEL);
+	if (!p)
+		return;
+	kfree(p);
+	kfree(p);
+}
+#endif
+
 static int __init kmalloc_tests_init(void)
 {
 	kmalloc_oob_right();
@@ -436,6 +479,10 @@ static int __init kmalloc_tests_init(void)
 	kasan_global_oob();
 	ksize_unpoisons_memory();
 	copy_user_test();
+#ifdef CONFIG_SLAB
+	kasan_double_free();
+	kasan_double_free_concurrent();
+#endif
 	return -EAGAIN;
 }
 
-- 
1.7.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH v4 2/2] kasan: add double-free tests
  2016-05-29 16:17 [PATCH v4 2/2] kasan: add double-free tests Kuthonuzo Luruo
@ 2016-06-07 14:02 ` Alexander Potapenko
  2016-06-07 18:10   ` Luruo, Kuthonuzo
  0 siblings, 1 reply; 3+ messages in thread
From: Alexander Potapenko @ 2016-06-07 14:02 UTC (permalink / raw)
  To: Kuthonuzo Luruo
  Cc: Andrey Ryabinin, Dmitriy Vyukov, Christoph Lameter, penberg,
	rientjes, Joonsoo Kim, Andrew Morton, kasan-dev, LKML, ynorov

On Sun, May 29, 2016 at 6:17 PM, Kuthonuzo Luruo
<kuthonuzo.luruo@hpe.com> wrote:
> This patch adds new tests for KASAN double-free error detection when the
> same slab object is concurrently deallocated.
>
> Signed-off-by: Kuthonuzo Luruo <kuthonuzo.luruo@hpe.com>
> ---
>
> Changes in v4:
> - There are *no* changes for v4.
>
> Changes in v3:
> - concurrent double-free test simplified to use on_each_cpu_mask() instead
>   of custom threads.
> - reduced #threads and removed CONFIG_SMP guards per suggestion from Dmitry
>   Vyukov.
>
> ---
>
>  lib/test_kasan.c |   47 +++++++++++++++++++++++++++++++++++++++++++++++
>  1 files changed, 47 insertions(+), 0 deletions(-)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index 5e51872..0f589e7 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -411,6 +411,49 @@ static noinline void __init copy_user_test(void)
>         kfree(kmem);
>  }
>
> +#ifdef CONFIG_SLAB
> +static void try_free(void *p)
> +{
> +       kfree(p);
> +}
> +
> +static void __init kasan_double_free_concurrent(void)
> +{
> +#define MAX_THREADS 3
> +       char *p;
> +       int cpu, cnt = num_online_cpus();
> +       cpumask_t mask = { CPU_BITS_NONE };
> +       size_t size = 4097;     /* must be <= KMALLOC_MAX_CACHE_SIZE/2 */
Can you please explicitly calculate |size| from KMALLOC_MAX_CACHE_SIZE?
> +
> +       if (cnt == 1)
> +               return;
> +       cnt = cnt < MAX_THREADS ? cnt : MAX_THREADS;
> +       pr_info("concurrent double-free (%d threads)\n", cnt);
> +       p = kmalloc(size, GFP_KERNEL);
> +       if (!p)
> +               return;
> +       for_each_online_cpu(cpu) {
> +               cpumask_set_cpu(cpu, &mask);
> +               if (!--cnt)
> +                       break;
> +       }
> +       on_each_cpu_mask(&mask, try_free, p, 0);
> +}
> +
> +static noinline void __init kasan_double_free(void)
> +{
> +       char *p;
> +       size_t size = 2049;
Please avoid using magic constants.
> +
> +       pr_info("double-free\n");
> +       p = kmalloc(size, GFP_KERNEL);
> +       if (!p)
> +               return;
> +       kfree(p);
> +       kfree(p);
> +}
> +#endif
> +
>  static int __init kmalloc_tests_init(void)
>  {
>         kmalloc_oob_right();
> @@ -436,6 +479,10 @@ static int __init kmalloc_tests_init(void)
>         kasan_global_oob();
>         ksize_unpoisons_memory();
>         copy_user_test();
> +#ifdef CONFIG_SLAB
> +       kasan_double_free();
> +       kasan_double_free_concurrent();
> +#endif
>         return -EAGAIN;
>  }
>
> --
> 1.7.1
>



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: [PATCH v4 2/2] kasan: add double-free tests
  2016-06-07 14:02 ` Alexander Potapenko
@ 2016-06-07 18:10   ` Luruo, Kuthonuzo
  0 siblings, 0 replies; 3+ messages in thread
From: Luruo, Kuthonuzo @ 2016-06-07 18:10 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: Andrey Ryabinin, Dmitriy Vyukov, Christoph Lameter, penberg,
	rientjes, Joonsoo Kim, Andrew Morton, kasan-dev, LKML, ynorov

> > +       int cpu, cnt = num_online_cpus();
> > +       cpumask_t mask = { CPU_BITS_NONE };
> > +       size_t size = 4097;     /* must be <= KMALLOC_MAX_CACHE_SIZE/2 */
> Can you please explicitly calculate |size| from KMALLOC_MAX_CACHE_SIZE?
> > +
> > +       if (cnt == 1)
> > +               return;
> > +       cnt = cnt < MAX_THREADS ? cnt : MAX_THREADS;
> > +       pr_info("concurrent double-free (%d threads)\n", cnt);
> > +       p = kmalloc(size, GFP_KERNEL);
> > +       if (!p)
> > +               return;
> > +       for_each_online_cpu(cpu) {
> > +               cpumask_set_cpu(cpu, &mask);
> > +               if (!--cnt)
> > +                       break;
> > +       }
> > +       on_each_cpu_mask(&mask, try_free, p, 0);
> > +}
> > +
> > +static noinline void __init kasan_double_free(void)
> > +{
> > +       char *p;
> > +       size_t size = 2049;
> Please avoid using magic constants.

Alexander,

Thanks very much for the review.  I've changed alloc size for both to 100
in v5.

Kuthonuzo

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2016-06-07 18:43 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-29 16:17 [PATCH v4 2/2] kasan: add double-free tests Kuthonuzo Luruo
2016-06-07 14:02 ` Alexander Potapenko
2016-06-07 18:10   ` Luruo, Kuthonuzo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).