1 // SPDX-License-Identifier: GPL-2.0-only
4 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
8 #include <linux/bitops.h>
9 #include <linux/delay.h>
10 #include <linux/kasan.h>
11 #include <linux/kernel.h>
13 #include <linux/mman.h>
14 #include <linux/module.h>
15 #include <linux/printk.h>
16 #include <linux/random.h>
17 #include <linux/slab.h>
18 #include <linux/string.h>
19 #include <linux/uaccess.h>
21 #include <linux/vmalloc.h>
22 #include <linux/set_memory.h>
26 #include <kunit/test.h>
28 #include "../mm/kasan/kasan.h"
30 #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
33 * Some tests use these global variables to store return values from function
34 * calls that could otherwise be eliminated by the compiler as dead code.
36 void *kasan_ptr_result;
39 static struct kunit_resource resource;
40 static struct kunit_kasan_status test_status;
41 static bool multishot;
44 * Temporarily enable multi-shot mode. Otherwise, KASAN would only report the
45 * first detected bug and panic the kernel if panic_on_warn is enabled. For
46 * hardware tag-based KASAN also allow tag checking to be reenabled for each
47 * test, see the comment for KUNIT_EXPECT_KASAN_FAIL().
49 static int kasan_test_init(struct kunit *test)
51 if (!kasan_enabled()) {
52 kunit_err(test, "can't run KASAN tests with KASAN disabled");
56 multishot = kasan_save_enable_multi_shot();
57 test_status.report_found = false;
58 test_status.sync_fault = false;
59 kunit_add_named_resource(test, NULL, NULL, &resource,
60 "kasan_status", &test_status);
64 static void kasan_test_exit(struct kunit *test)
66 kasan_restore_multi_shot(multishot);
67 KUNIT_EXPECT_FALSE(test, test_status.report_found);
71 * KUNIT_EXPECT_KASAN_FAIL() - check that the executed expression produces a
72 * KASAN report; causes a test failure otherwise. This relies on a KUnit
73 * resource named "kasan_status". Do not use this name for KUnit resources
74 * outside of KASAN tests.
76 * For hardware tag-based KASAN, when a synchronous tag fault happens, tag
77 * checking is auto-disabled. When this happens, this test handler reenables
78 * tag checking. As tag checking can be only disabled or enabled per CPU,
79 * this handler disables migration (preemption).
81 * Since the compiler doesn't see that the expression can change the test_status
82 * fields, it can reorder or optimize away the accesses to those fields.
83 * Use READ/WRITE_ONCE() for the accesses and compiler barriers around the
84 * expression to prevent that.
86 * In between KUNIT_EXPECT_KASAN_FAIL checks, test_status.report_found is kept
87 * as false. This allows detecting KASAN reports that happen outside of the
88 * checks by asserting !test_status.report_found at the start of
89 * KUNIT_EXPECT_KASAN_FAIL and in kasan_test_exit.
91 #define KUNIT_EXPECT_KASAN_FAIL(test, expression) do { \
92 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) && \
93 kasan_sync_fault_possible()) \
95 KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found)); \
99 if (kasan_async_fault_possible()) \
100 kasan_force_async_fault(); \
101 if (!READ_ONCE(test_status.report_found)) { \
102 KUNIT_FAIL(test, KUNIT_SUBTEST_INDENT "KASAN failure " \
103 "expected in \"" #expression \
104 "\", but none occurred"); \
106 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) && \
107 kasan_sync_fault_possible()) { \
108 if (READ_ONCE(test_status.report_found) && \
109 READ_ONCE(test_status.sync_fault)) \
110 kasan_enable_tagging(); \
113 WRITE_ONCE(test_status.report_found, false); \
116 #define KASAN_TEST_NEEDS_CONFIG_ON(test, config) do { \
117 if (!IS_ENABLED(config)) \
118 kunit_skip((test), "Test requires " #config "=y"); \
121 #define KASAN_TEST_NEEDS_CONFIG_OFF(test, config) do { \
122 if (IS_ENABLED(config)) \
123 kunit_skip((test), "Test requires " #config "=n"); \
126 static void kmalloc_oob_right(struct kunit *test)
129 size_t size = 128 - KASAN_GRANULE_SIZE - 5;
131 ptr = kmalloc(size, GFP_KERNEL);
132 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
135 * An unaligned access past the requested kmalloc size.
136 * Only generic KASAN can precisely detect these.
138 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
139 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x');
142 * An aligned access into the first out-of-bounds granule that falls
143 * within the aligned kmalloc object.
145 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + 5] = 'y');
147 /* Out-of-bounds access past the aligned kmalloc object. */
148 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] =
149 ptr[size + KASAN_GRANULE_SIZE + 5]);
154 static void kmalloc_oob_left(struct kunit *test)
159 ptr = kmalloc(size, GFP_KERNEL);
160 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
162 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1));
166 static void kmalloc_node_oob_right(struct kunit *test)
171 ptr = kmalloc_node(size, GFP_KERNEL, 0);
172 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
174 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]);
179 * These kmalloc_pagealloc_* tests try allocating a memory chunk that doesn't
180 * fit into a slab cache and therefore is allocated via the page allocator
181 * fallback. Since this kind of fallback is only implemented for SLUB, these
182 * tests are limited to that allocator.
184 static void kmalloc_pagealloc_oob_right(struct kunit *test)
187 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
189 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
191 ptr = kmalloc(size, GFP_KERNEL);
192 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
194 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0);
199 static void kmalloc_pagealloc_uaf(struct kunit *test)
202 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
204 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
206 ptr = kmalloc(size, GFP_KERNEL);
207 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
210 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
213 static void kmalloc_pagealloc_invalid_free(struct kunit *test)
216 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
218 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
220 ptr = kmalloc(size, GFP_KERNEL);
221 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
223 KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
226 static void pagealloc_oob_right(struct kunit *test)
231 size_t size = (1UL << (PAGE_SHIFT + order));
234 * With generic KASAN page allocations have no redzones, thus
235 * out-of-bounds detection is not guaranteed.
236 * See https://bugzilla.kernel.org/show_bug.cgi?id=210503.
238 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
240 pages = alloc_pages(GFP_KERNEL, order);
241 ptr = page_address(pages);
242 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
244 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]);
245 free_pages((unsigned long)ptr, order);
248 static void pagealloc_uaf(struct kunit *test)
254 pages = alloc_pages(GFP_KERNEL, order);
255 ptr = page_address(pages);
256 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
257 free_pages((unsigned long)ptr, order);
259 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
262 static void kmalloc_large_oob_right(struct kunit *test)
265 size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
268 * Allocate a chunk that is large enough, but still fits into a slab
269 * and does not trigger the page allocator fallback in SLUB.
271 ptr = kmalloc(size, GFP_KERNEL);
272 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
274 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
278 static void krealloc_more_oob_helper(struct kunit *test,
279 size_t size1, size_t size2)
284 KUNIT_ASSERT_LT(test, size1, size2);
285 middle = size1 + (size2 - size1) / 2;
287 ptr1 = kmalloc(size1, GFP_KERNEL);
288 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
290 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
291 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
293 /* All offsets up to size2 must be accessible. */
294 ptr2[size1 - 1] = 'x';
297 ptr2[size2 - 1] = 'x';
299 /* Generic mode is precise, so unaligned size2 must be inaccessible. */
300 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
301 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');
303 /* For all modes first aligned offset after size2 must be inaccessible. */
304 KUNIT_EXPECT_KASAN_FAIL(test,
305 ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');
310 static void krealloc_less_oob_helper(struct kunit *test,
311 size_t size1, size_t size2)
316 KUNIT_ASSERT_LT(test, size2, size1);
317 middle = size2 + (size1 - size2) / 2;
319 ptr1 = kmalloc(size1, GFP_KERNEL);
320 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
322 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
323 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
325 /* Must be accessible for all modes. */
326 ptr2[size2 - 1] = 'x';
328 /* Generic mode is precise, so unaligned size2 must be inaccessible. */
329 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
330 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');
332 /* For all modes first aligned offset after size2 must be inaccessible. */
333 KUNIT_EXPECT_KASAN_FAIL(test,
334 ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');
337 * For all modes all size2, middle, and size1 should land in separate
338 * granules and thus the latter two offsets should be inaccessible.
340 KUNIT_EXPECT_LE(test, round_up(size2, KASAN_GRANULE_SIZE),
341 round_down(middle, KASAN_GRANULE_SIZE));
342 KUNIT_EXPECT_LE(test, round_up(middle, KASAN_GRANULE_SIZE),
343 round_down(size1, KASAN_GRANULE_SIZE));
344 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[middle] = 'x');
345 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1 - 1] = 'x');
346 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1] = 'x');
351 static void krealloc_more_oob(struct kunit *test)
353 krealloc_more_oob_helper(test, 201, 235);
356 static void krealloc_less_oob(struct kunit *test)
358 krealloc_less_oob_helper(test, 235, 201);
361 static void krealloc_pagealloc_more_oob(struct kunit *test)
363 /* page_alloc fallback in only implemented for SLUB. */
364 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
366 krealloc_more_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 201,
367 KMALLOC_MAX_CACHE_SIZE + 235);
370 static void krealloc_pagealloc_less_oob(struct kunit *test)
372 /* page_alloc fallback in only implemented for SLUB. */
373 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
375 krealloc_less_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 235,
376 KMALLOC_MAX_CACHE_SIZE + 201);
380 * Check that krealloc() detects a use-after-free, returns NULL,
381 * and doesn't unpoison the freed object.
383 static void krealloc_uaf(struct kunit *test)
389 ptr1 = kmalloc(size1, GFP_KERNEL);
390 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
393 KUNIT_EXPECT_KASAN_FAIL(test, ptr2 = krealloc(ptr1, size2, GFP_KERNEL));
394 KUNIT_ASSERT_NULL(test, ptr2);
395 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)ptr1);
398 static void kmalloc_oob_16(struct kunit *test)
404 /* This test is specifically crafted for the generic mode. */
405 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
407 ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
408 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
410 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
411 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
413 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
418 static void kmalloc_uaf_16(struct kunit *test)
424 ptr1 = kmalloc(sizeof(*ptr1), GFP_KERNEL);
425 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
427 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
428 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
431 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
436 * Note: in the memset tests below, the written range touches both valid and
437 * invalid memory. This makes sure that the instrumentation does not only check
438 * the starting address but the whole range.
441 static void kmalloc_oob_memset_2(struct kunit *test)
444 size_t size = 128 - KASAN_GRANULE_SIZE;
446 ptr = kmalloc(size, GFP_KERNEL);
447 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
449 OPTIMIZER_HIDE_VAR(size);
450 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 1, 0, 2));
454 static void kmalloc_oob_memset_4(struct kunit *test)
457 size_t size = 128 - KASAN_GRANULE_SIZE;
459 ptr = kmalloc(size, GFP_KERNEL);
460 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
462 OPTIMIZER_HIDE_VAR(size);
463 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 3, 0, 4));
467 static void kmalloc_oob_memset_8(struct kunit *test)
470 size_t size = 128 - KASAN_GRANULE_SIZE;
472 ptr = kmalloc(size, GFP_KERNEL);
473 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
475 OPTIMIZER_HIDE_VAR(size);
476 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 7, 0, 8));
480 static void kmalloc_oob_memset_16(struct kunit *test)
483 size_t size = 128 - KASAN_GRANULE_SIZE;
485 ptr = kmalloc(size, GFP_KERNEL);
486 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
488 OPTIMIZER_HIDE_VAR(size);
489 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 15, 0, 16));
493 static void kmalloc_oob_in_memset(struct kunit *test)
496 size_t size = 128 - KASAN_GRANULE_SIZE;
498 ptr = kmalloc(size, GFP_KERNEL);
499 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
501 OPTIMIZER_HIDE_VAR(ptr);
502 OPTIMIZER_HIDE_VAR(size);
503 KUNIT_EXPECT_KASAN_FAIL(test,
504 memset(ptr, 0, size + KASAN_GRANULE_SIZE));
508 static void kmalloc_memmove_negative_size(struct kunit *test)
512 size_t invalid_size = -2;
515 * Hardware tag-based mode doesn't check memmove for negative size.
516 * As a result, this test introduces a side-effect memory corruption,
517 * which can result in a crash.
519 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS);
521 ptr = kmalloc(size, GFP_KERNEL);
522 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
524 memset((char *)ptr, 0, 64);
525 OPTIMIZER_HIDE_VAR(ptr);
526 OPTIMIZER_HIDE_VAR(invalid_size);
527 KUNIT_EXPECT_KASAN_FAIL(test,
528 memmove((char *)ptr, (char *)ptr + 4, invalid_size));
532 static void kmalloc_memmove_invalid_size(struct kunit *test)
536 volatile size_t invalid_size = size;
538 ptr = kmalloc(size, GFP_KERNEL);
539 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
541 memset((char *)ptr, 0, 64);
542 OPTIMIZER_HIDE_VAR(ptr);
543 KUNIT_EXPECT_KASAN_FAIL(test,
544 memmove((char *)ptr, (char *)ptr + 4, invalid_size));
548 static void kmalloc_uaf(struct kunit *test)
553 ptr = kmalloc(size, GFP_KERNEL);
554 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
557 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[8]);
560 static void kmalloc_uaf_memset(struct kunit *test)
566 * Only generic KASAN uses quarantine, which is required to avoid a
567 * kernel memory corruption this test causes.
569 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
571 ptr = kmalloc(size, GFP_KERNEL);
572 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
575 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
578 static void kmalloc_uaf2(struct kunit *test)
585 ptr1 = kmalloc(size, GFP_KERNEL);
586 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
590 ptr2 = kmalloc(size, GFP_KERNEL);
591 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
594 * For tag-based KASAN ptr1 and ptr2 tags might happen to be the same.
595 * Allow up to 16 attempts at generating different tags.
597 if (!IS_ENABLED(CONFIG_KASAN_GENERIC) && ptr1 == ptr2 && counter++ < 16) {
602 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[40]);
603 KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
608 static void kfree_via_page(struct kunit *test)
613 unsigned long offset;
615 ptr = kmalloc(size, GFP_KERNEL);
616 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
618 page = virt_to_page(ptr);
619 offset = offset_in_page(ptr);
620 kfree(page_address(page) + offset);
623 static void kfree_via_phys(struct kunit *test)
629 ptr = kmalloc(size, GFP_KERNEL);
630 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
632 phys = virt_to_phys(ptr);
633 kfree(phys_to_virt(phys));
636 static void kmem_cache_oob(struct kunit *test)
640 struct kmem_cache *cache;
642 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
643 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
645 p = kmem_cache_alloc(cache, GFP_KERNEL);
647 kunit_err(test, "Allocation failed: %s\n", __func__);
648 kmem_cache_destroy(cache);
652 KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size + OOB_TAG_OFF]);
654 kmem_cache_free(cache, p);
655 kmem_cache_destroy(cache);
658 static void kmem_cache_accounted(struct kunit *test)
663 struct kmem_cache *cache;
665 cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
666 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
669 * Several allocations with a delay to allow for lazy per memcg kmem
672 for (i = 0; i < 5; i++) {
673 p = kmem_cache_alloc(cache, GFP_KERNEL);
677 kmem_cache_free(cache, p);
682 kmem_cache_destroy(cache);
685 static void kmem_cache_bulk(struct kunit *test)
687 struct kmem_cache *cache;
693 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
694 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
696 ret = kmem_cache_alloc_bulk(cache, GFP_KERNEL, ARRAY_SIZE(p), (void **)&p);
698 kunit_err(test, "Allocation failed: %s\n", __func__);
699 kmem_cache_destroy(cache);
703 for (i = 0; i < ARRAY_SIZE(p); i++)
704 p[i][0] = p[i][size - 1] = 42;
706 kmem_cache_free_bulk(cache, ARRAY_SIZE(p), (void **)&p);
707 kmem_cache_destroy(cache);
710 static char global_array[10];
712 static void kasan_global_oob_right(struct kunit *test)
715 * Deliberate out-of-bounds access. To prevent CONFIG_UBSAN_LOCAL_BOUNDS
716 * from failing here and panicking the kernel, access the array via a
717 * volatile pointer, which will prevent the compiler from being able to
718 * determine the array bounds.
720 * This access uses a volatile pointer to char (char *volatile) rather
721 * than the more conventional pointer to volatile char (volatile char *)
722 * because we want to prevent the compiler from making inferences about
723 * the pointer itself (i.e. its array bounds), not the data that it
726 char *volatile array = global_array;
727 char *p = &array[ARRAY_SIZE(global_array) + 3];
729 /* Only generic mode instruments globals. */
730 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
732 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
735 static void kasan_global_oob_left(struct kunit *test)
737 char *volatile array = global_array;
741 * GCC is known to fail this test, skip it.
742 * See https://bugzilla.kernel.org/show_bug.cgi?id=215051.
744 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_CC_IS_CLANG);
745 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
746 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
749 /* Check that ksize() makes the whole object accessible. */
750 static void ksize_unpoisons_memory(struct kunit *test)
753 size_t size = 123, real_size;
755 ptr = kmalloc(size, GFP_KERNEL);
756 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
757 real_size = ksize(ptr);
759 /* This access shouldn't trigger a KASAN report. */
763 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size]);
769 * Check that a use-after-free is detected by ksize() and via normal accesses
772 static void ksize_uaf(struct kunit *test)
775 int size = 128 - KASAN_GRANULE_SIZE;
777 ptr = kmalloc(size, GFP_KERNEL);
778 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
781 KUNIT_EXPECT_KASAN_FAIL(test, ksize(ptr));
782 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]);
783 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]);
786 static void kasan_stack_oob(struct kunit *test)
788 char stack_array[10];
789 /* See comment in kasan_global_oob_right. */
790 char *volatile array = stack_array;
791 char *p = &array[ARRAY_SIZE(stack_array) + OOB_TAG_OFF];
793 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
795 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
798 static void kasan_alloca_oob_left(struct kunit *test)
801 char alloca_array[i];
802 /* See comment in kasan_global_oob_right. */
803 char *volatile array = alloca_array;
806 /* Only generic mode instruments dynamic allocas. */
807 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
808 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
810 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
813 static void kasan_alloca_oob_right(struct kunit *test)
816 char alloca_array[i];
817 /* See comment in kasan_global_oob_right. */
818 char *volatile array = alloca_array;
821 /* Only generic mode instruments dynamic allocas. */
822 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
823 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
825 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
828 static void kmem_cache_double_free(struct kunit *test)
832 struct kmem_cache *cache;
834 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
835 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
837 p = kmem_cache_alloc(cache, GFP_KERNEL);
839 kunit_err(test, "Allocation failed: %s\n", __func__);
840 kmem_cache_destroy(cache);
844 kmem_cache_free(cache, p);
845 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p));
846 kmem_cache_destroy(cache);
849 static void kmem_cache_invalid_free(struct kunit *test)
853 struct kmem_cache *cache;
855 cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
857 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
859 p = kmem_cache_alloc(cache, GFP_KERNEL);
861 kunit_err(test, "Allocation failed: %s\n", __func__);
862 kmem_cache_destroy(cache);
866 /* Trigger invalid free, the object doesn't get freed. */
867 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
870 * Properly free the object to prevent the "Objects remaining in
871 * test_cache on __kmem_cache_shutdown" BUG failure.
873 kmem_cache_free(cache, p);
875 kmem_cache_destroy(cache);
878 static void empty_cache_ctor(void *object) { }
880 static void kmem_cache_double_destroy(struct kunit *test)
882 struct kmem_cache *cache;
884 /* Provide a constructor to prevent cache merging. */
885 cache = kmem_cache_create("test_cache", 200, 0, 0, empty_cache_ctor);
886 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
887 kmem_cache_destroy(cache);
888 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_destroy(cache));
891 static void kasan_memchr(struct kunit *test)
897 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
898 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
900 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
903 size = round_up(size, OOB_TAG_OFF);
905 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
906 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
908 OPTIMIZER_HIDE_VAR(ptr);
909 OPTIMIZER_HIDE_VAR(size);
910 KUNIT_EXPECT_KASAN_FAIL(test,
911 kasan_ptr_result = memchr(ptr, '1', size + 1));
916 static void kasan_memcmp(struct kunit *test)
923 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
924 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
926 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
929 size = round_up(size, OOB_TAG_OFF);
931 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
932 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
933 memset(arr, 0, sizeof(arr));
935 OPTIMIZER_HIDE_VAR(ptr);
936 OPTIMIZER_HIDE_VAR(size);
937 KUNIT_EXPECT_KASAN_FAIL(test,
938 kasan_int_result = memcmp(ptr, arr, size+1));
942 static void kasan_strings(struct kunit *test)
948 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
949 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
951 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
953 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
954 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
959 * Try to cause only 1 invalid access (less spam in dmesg).
960 * For that we need ptr to point to zeroed byte.
961 * Skip metadata that could be stored in freed object so ptr
962 * will likely point to zeroed byte.
965 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strchr(ptr, '1'));
967 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strrchr(ptr, '1'));
969 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strcmp(ptr, "2"));
971 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1));
973 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr));
975 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1));
978 static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
980 KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr));
981 KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr));
982 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr));
983 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr));
984 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr));
985 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr));
986 KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr));
987 KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr));
990 static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr)
992 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr));
993 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr));
994 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr));
995 KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr));
996 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr));
997 KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr));
998 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr));
999 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = test_bit(nr, addr));
1001 #if defined(clear_bit_unlock_is_negative_byte)
1002 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result =
1003 clear_bit_unlock_is_negative_byte(nr, addr));
1007 static void kasan_bitops_generic(struct kunit *test)
1011 /* This test is specifically crafted for the generic mode. */
1012 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
1015 * Allocate 1 more byte, which causes kzalloc to round up to 16 bytes;
1016 * this way we do not actually corrupt other memory.
1018 bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
1019 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
1022 * Below calls try to access bit within allocated memory; however, the
1023 * below accesses are still out-of-bounds, since bitops are defined to
1024 * operate on the whole long the bit is in.
1026 kasan_bitops_modify(test, BITS_PER_LONG, bits);
1029 * Below calls try to access bit beyond allocated memory.
1031 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits);
1036 static void kasan_bitops_tags(struct kunit *test)
1040 /* This test is specifically crafted for tag-based modes. */
1041 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1043 /* kmalloc-64 cache will be used and the last 16 bytes will be the redzone. */
1044 bits = kzalloc(48, GFP_KERNEL);
1045 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
1047 /* Do the accesses past the 48 allocated bytes, but within the redone. */
1048 kasan_bitops_modify(test, BITS_PER_LONG, (void *)bits + 48);
1049 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, (void *)bits + 48);
1054 static void kmalloc_double_kzfree(struct kunit *test)
1059 ptr = kmalloc(size, GFP_KERNEL);
1060 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1062 kfree_sensitive(ptr);
1063 KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
1066 static void vmalloc_helpers_tags(struct kunit *test)
1070 /* This test is intended for tag-based modes. */
1071 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1073 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1075 ptr = vmalloc(PAGE_SIZE);
1076 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1078 /* Check that the returned pointer is tagged. */
1079 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1080 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1082 /* Make sure exported vmalloc helpers handle tagged pointers. */
1083 KUNIT_ASSERT_TRUE(test, is_vmalloc_addr(ptr));
1084 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, vmalloc_to_page(ptr));
1086 #if !IS_MODULE(CONFIG_KASAN_KUNIT_TEST)
1090 /* Make sure vmalloc'ed memory permissions can be changed. */
1091 rv = set_memory_ro((unsigned long)ptr, 1);
1092 KUNIT_ASSERT_GE(test, rv, 0);
1093 rv = set_memory_rw((unsigned long)ptr, 1);
1094 KUNIT_ASSERT_GE(test, rv, 0);
1101 static void vmalloc_oob(struct kunit *test)
1103 char *v_ptr, *p_ptr;
1105 size_t size = PAGE_SIZE / 2 - KASAN_GRANULE_SIZE - 5;
1107 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1109 v_ptr = vmalloc(size);
1110 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1112 OPTIMIZER_HIDE_VAR(v_ptr);
1115 * We have to be careful not to hit the guard page in vmalloc tests.
1116 * The MMU will catch that and crash us.
1119 /* Make sure in-bounds accesses are valid. */
1121 v_ptr[size - 1] = 0;
1124 * An unaligned access past the requested vmalloc size.
1125 * Only generic KASAN can precisely detect these.
1127 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
1128 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size]);
1130 /* An aligned access into the first out-of-bounds granule. */
1131 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size + 5]);
1133 /* Check that in-bounds accesses to the physical page are valid. */
1134 page = vmalloc_to_page(v_ptr);
1135 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page);
1136 p_ptr = page_address(page);
1137 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1143 * We can't check for use-after-unmap bugs in this nor in the following
1144 * vmalloc tests, as the page might be fully unmapped and accessing it
1145 * will crash the kernel.
1149 static void vmap_tags(struct kunit *test)
1151 char *p_ptr, *v_ptr;
1152 struct page *p_page, *v_page;
1155 * This test is specifically crafted for the software tag-based mode,
1156 * the only tag-based mode that poisons vmap mappings.
1158 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1160 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
1162 p_page = alloc_pages(GFP_KERNEL, 1);
1163 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_page);
1164 p_ptr = page_address(p_page);
1165 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1167 v_ptr = vmap(&p_page, 1, VM_MAP, PAGE_KERNEL);
1168 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1171 * We can't check for out-of-bounds bugs in this nor in the following
1172 * vmalloc tests, as allocations have page granularity and accessing
1173 * the guard page will crash the kernel.
1176 KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN);
1177 KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL);
1179 /* Make sure that in-bounds accesses through both pointers work. */
1183 /* Make sure vmalloc_to_page() correctly recovers the page pointer. */
1184 v_page = vmalloc_to_page(v_ptr);
1185 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_page);
1186 KUNIT_EXPECT_PTR_EQ(test, p_page, v_page);
1189 free_pages((unsigned long)p_ptr, 1);
1192 static void vm_map_ram_tags(struct kunit *test)
1194 char *p_ptr, *v_ptr;
1198 * This test is specifically crafted for the software tag-based mode,
1199 * the only tag-based mode that poisons vm_map_ram mappings.
1201 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1203 page = alloc_pages(GFP_KERNEL, 1);
1204 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page);
1205 p_ptr = page_address(page);
1206 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
1208 v_ptr = vm_map_ram(&page, 1, -1);
1209 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);
1211 KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN);
1212 KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL);
1214 /* Make sure that in-bounds accesses through both pointers work. */
1218 vm_unmap_ram(v_ptr, 1);
1219 free_pages((unsigned long)p_ptr, 1);
1222 static void vmalloc_percpu(struct kunit *test)
1228 * This test is specifically crafted for the software tag-based mode,
1229 * the only tag-based mode that poisons percpu mappings.
1231 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);
1233 ptr = __alloc_percpu(PAGE_SIZE, PAGE_SIZE);
1235 for_each_possible_cpu(cpu) {
1236 char *c_ptr = per_cpu_ptr(ptr, cpu);
1238 KUNIT_EXPECT_GE(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_MIN);
1239 KUNIT_EXPECT_LT(test, (u8)get_tag(c_ptr), (u8)KASAN_TAG_KERNEL);
1241 /* Make sure that in-bounds accesses don't crash the kernel. */
1249 * Check that the assigned pointer tag falls within the [KASAN_TAG_MIN,
1250 * KASAN_TAG_KERNEL) range (note: excluding the match-all tag) for tag-based
1253 static void match_all_not_assigned(struct kunit *test)
1259 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1261 for (i = 0; i < 256; i++) {
1262 size = (get_random_int() % 1024) + 1;
1263 ptr = kmalloc(size, GFP_KERNEL);
1264 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1265 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1266 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1270 for (i = 0; i < 256; i++) {
1271 order = (get_random_int() % 4) + 1;
1272 pages = alloc_pages(GFP_KERNEL, order);
1273 ptr = page_address(pages);
1274 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1275 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1276 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1277 free_pages((unsigned long)ptr, order);
1280 if (!IS_ENABLED(CONFIG_KASAN_VMALLOC))
1283 for (i = 0; i < 256; i++) {
1284 size = (get_random_int() % 1024) + 1;
1285 ptr = vmalloc(size);
1286 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1287 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1288 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1293 /* Check that 0xff works as a match-all pointer tag for tag-based modes. */
1294 static void match_all_ptr_tag(struct kunit *test)
1299 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1301 ptr = kmalloc(128, GFP_KERNEL);
1302 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1304 /* Backup the assigned tag. */
1306 KUNIT_EXPECT_NE(test, tag, (u8)KASAN_TAG_KERNEL);
1308 /* Reset the tag to 0xff.*/
1309 ptr = set_tag(ptr, KASAN_TAG_KERNEL);
1311 /* This access shouldn't trigger a KASAN report. */
1314 /* Recover the pointer tag and free. */
1315 ptr = set_tag(ptr, tag);
1319 /* Check that there are no match-all memory tags for tag-based modes. */
1320 static void match_all_mem_tag(struct kunit *test)
1325 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1327 ptr = kmalloc(128, GFP_KERNEL);
1328 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1329 KUNIT_EXPECT_NE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1331 /* For each possible tag value not matching the pointer tag. */
1332 for (tag = KASAN_TAG_MIN; tag <= KASAN_TAG_KERNEL; tag++) {
1333 if (tag == get_tag(ptr))
1336 /* Mark the first memory granule with the chosen memory tag. */
1337 kasan_poison(ptr, KASAN_GRANULE_SIZE, (u8)tag, false);
1339 /* This access must cause a KASAN report. */
1340 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = 0);
1343 /* Recover the memory tag and free. */
1344 kasan_poison(ptr, KASAN_GRANULE_SIZE, get_tag(ptr), false);
1348 static struct kunit_case kasan_kunit_test_cases[] = {
1349 KUNIT_CASE(kmalloc_oob_right),
1350 KUNIT_CASE(kmalloc_oob_left),
1351 KUNIT_CASE(kmalloc_node_oob_right),
1352 KUNIT_CASE(kmalloc_pagealloc_oob_right),
1353 KUNIT_CASE(kmalloc_pagealloc_uaf),
1354 KUNIT_CASE(kmalloc_pagealloc_invalid_free),
1355 KUNIT_CASE(pagealloc_oob_right),
1356 KUNIT_CASE(pagealloc_uaf),
1357 KUNIT_CASE(kmalloc_large_oob_right),
1358 KUNIT_CASE(krealloc_more_oob),
1359 KUNIT_CASE(krealloc_less_oob),
1360 KUNIT_CASE(krealloc_pagealloc_more_oob),
1361 KUNIT_CASE(krealloc_pagealloc_less_oob),
1362 KUNIT_CASE(krealloc_uaf),
1363 KUNIT_CASE(kmalloc_oob_16),
1364 KUNIT_CASE(kmalloc_uaf_16),
1365 KUNIT_CASE(kmalloc_oob_in_memset),
1366 KUNIT_CASE(kmalloc_oob_memset_2),
1367 KUNIT_CASE(kmalloc_oob_memset_4),
1368 KUNIT_CASE(kmalloc_oob_memset_8),
1369 KUNIT_CASE(kmalloc_oob_memset_16),
1370 KUNIT_CASE(kmalloc_memmove_negative_size),
1371 KUNIT_CASE(kmalloc_memmove_invalid_size),
1372 KUNIT_CASE(kmalloc_uaf),
1373 KUNIT_CASE(kmalloc_uaf_memset),
1374 KUNIT_CASE(kmalloc_uaf2),
1375 KUNIT_CASE(kfree_via_page),
1376 KUNIT_CASE(kfree_via_phys),
1377 KUNIT_CASE(kmem_cache_oob),
1378 KUNIT_CASE(kmem_cache_accounted),
1379 KUNIT_CASE(kmem_cache_bulk),
1380 KUNIT_CASE(kasan_global_oob_right),
1381 KUNIT_CASE(kasan_global_oob_left),
1382 KUNIT_CASE(kasan_stack_oob),
1383 KUNIT_CASE(kasan_alloca_oob_left),
1384 KUNIT_CASE(kasan_alloca_oob_right),
1385 KUNIT_CASE(ksize_unpoisons_memory),
1386 KUNIT_CASE(ksize_uaf),
1387 KUNIT_CASE(kmem_cache_double_free),
1388 KUNIT_CASE(kmem_cache_invalid_free),
1389 KUNIT_CASE(kmem_cache_double_destroy),
1390 KUNIT_CASE(kasan_memchr),
1391 KUNIT_CASE(kasan_memcmp),
1392 KUNIT_CASE(kasan_strings),
1393 KUNIT_CASE(kasan_bitops_generic),
1394 KUNIT_CASE(kasan_bitops_tags),
1395 KUNIT_CASE(kmalloc_double_kzfree),
1396 KUNIT_CASE(vmalloc_helpers_tags),
1397 KUNIT_CASE(vmalloc_oob),
1398 KUNIT_CASE(vmap_tags),
1399 KUNIT_CASE(vm_map_ram_tags),
1400 KUNIT_CASE(vmalloc_percpu),
1401 KUNIT_CASE(match_all_not_assigned),
1402 KUNIT_CASE(match_all_ptr_tag),
1403 KUNIT_CASE(match_all_mem_tag),
1407 static struct kunit_suite kasan_kunit_test_suite = {
1409 .init = kasan_test_init,
1410 .test_cases = kasan_kunit_test_cases,
1411 .exit = kasan_test_exit,
1414 kunit_test_suite(kasan_kunit_test_suite);
1416 MODULE_LICENSE("GPL");
projects / releases.git / blob