Dan Carpenter
Feb 23, 2024, 8:59:30 AM
to el...@google.com, kasa...@googlegroups.com
Hello Marco Elver,
The patch bc8fbc5f305a: "kfence: add test suite" from Feb 25, 2021
(linux-next), leads to the following Smatch static checker warning:
mm/kfence/kfence_test.c:673 test_memcache_typesafe_by_rcu()
warn: sleeping in atomic context
mm/kfence/kfence_test.c
    656 static void test_memcache_typesafe_by_rcu(struct kunit *test)
    657 {
    658         const size_t size = 32;
    659         struct expect_report expect = {
    660                 .type = KFENCE_ERROR_UAF,
    661                 .fn = test_memcache_typesafe_by_rcu,
    662                 .is_write = false,
    663         };
    664
    665         setup_test_cache(test, size, SLAB_TYPESAFE_BY_RCU, NULL);
    666         KUNIT_EXPECT_TRUE(test, test_cache); /* Want memcache. */
    667
    668         expect.addr = test_alloc(test, size, GFP_KERNEL, ALLOCATE_ANY);
    669         *expect.addr = 42;
    670
    671         rcu_read_lock();

Preempt disabled.

    672         test_free(expect.addr);
--> 673         KUNIT_EXPECT_EQ(test, *expect.addr, (char)42);

You can't call KUNIT_EXPECT_EQ() under rcu_read_lock because the failure
path does some sleeping allocations to log the errors.

    674         /*
    675          * Up to this point, memory should not have been freed yet, and
    676          * therefore there should be no KFENCE report from the above access.
    677          */
    678         rcu_read_unlock();
    679
    680         /* Above access to @expect.addr should not have generated a report! */
    681         KUNIT_EXPECT_FALSE(test, report_available());
    682
    683         /* Only after rcu_barrier() is the memory guaranteed to be freed. */
    684         rcu_barrier();
    685
    686         /* Expect use-after-free. */
    687         KUNIT_EXPECT_EQ(test, *expect.addr, (char)42);
    688         KUNIT_EXPECT_TRUE(test, report_matches(&expect));
    689 }
regards,
dan carpenter
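The checker's reasoning, as an added model that is neither part of this report nor Smatch's own code: a minimal walk over the call order of test_memcache_typesafe_by_rcu() that flags a may-sleep call made inside an rcu_read_lock() critical section. The may-sleep set and the rearranged sequence (value copied to a local under the lock, compared after the unlock) are constructed assumptions for illustration, not the upstream fix.

```c
#include <stdbool.h>
#include <string.h>

/* One call site in execution order: source line and callee name. */
struct call { int line; const char *fn; };

/* Constructed model of what the checker knows may sleep: KUNIT_EXPECT_EQ()
 * (failure path allocates with GFP_KERNEL), rcu_barrier() (waits for a grace period). */
static bool can_sleep(const char *fn)
{
    return strcmp(fn, "KUNIT_EXPECT_EQ") == 0 || strcmp(fn, "rcu_barrier") == 0;
}

/* Walk the calls while tracking rcu_read_lock() nesting (preemption off).
 * Returns the line of the first sleeping call made at depth > 0, 0 if the
 * sequence is clean, or the negated line of an unlock with no matching lock. */
int first_sleep_in_atomic(const struct call *calls, size_t n)
{
    int depth = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(calls[i].fn, "rcu_read_lock") == 0) {
            depth++;
        } else if (strcmp(calls[i].fn, "rcu_read_unlock") == 0) {
            if (depth == 0)
                return -calls[i].line;
            depth--;
        } else if (depth > 0 && can_sleep(calls[i].fn)) {
            return calls[i].line;
        }
    }
    return 0;
}

/* Constructed from the listing in the report: test_memcache_typesafe_by_rcu()
 * in its call order as written. */
const struct call reported_calls[] = {
    { 665, "setup_test_cache" }, { 666, "KUNIT_EXPECT_TRUE" }, { 668, "test_alloc" },
    { 671, "rcu_read_lock" }, { 672, "test_free" }, { 673, "KUNIT_EXPECT_EQ" },
    { 678, "rcu_read_unlock" }, { 681, "KUNIT_EXPECT_FALSE" }, { 684, "rcu_barrier" },
    { 687, "KUNIT_EXPECT_EQ" }, { 688, "KUNIT_EXPECT_TRUE" },
};

/* Hypothetical rearrangement, not the upstream fix: the value is copied to a
 * local inside the critical section and compared only after rcu_read_unlock(). */
const struct call rearranged_calls[] = {
    { 671, "rcu_read_lock" }, { 672, "test_free" }, { 673, "read_into_local" },
    { 674, "rcu_read_unlock" }, { 675, "KUNIT_EXPECT_EQ" }, { 684, "rcu_barrier" },
};
```

Running first_sleep_in_atomic() over reported_calls returns 673, the line Smatch points at; over rearranged_calls it returns 0.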