1 // SPDX-License-Identifier: GPL-2.0
3 * Test cases for KFENCE memory safety error detector. Since the interface with
4 * which KFENCE's reports are obtained is via the console, this is the output we
5 * should verify. For each test case checks the presence (or absence) of
6 * generated reports. Relies on 'console' tracepoint to capture reports as they
7 * appear in the kernel log.
9 * Copyright (C) 2020, Google LLC.
10 * Author: Alexander Potapenko <glider@google.com>
11 * Marco Elver <elver@google.com>
14 #include <kunit/test.h>
15 #include <linux/jiffies.h>
16 #include <linux/kernel.h>
17 #include <linux/kfence.h>
19 #include <linux/random.h>
20 #include <linux/slab.h>
21 #include <linux/spinlock.h>
22 #include <linux/string.h>
23 #include <linux/tracepoint.h>
24 #include <trace/events/printk.h>
26 #include <asm/kfence.h>
30 /* May be overridden by <asm/kfence.h>. */
31 #ifndef arch_kfence_test_address
32 #define arch_kfence_test_address(addr) (addr)
35 #define KFENCE_TEST_REQUIRES(test, cond) do { \
37 kunit_skip((test), "Test requires: " #cond); \
40 /* Report as observed from console. */
46 .lock
= __SPIN_LOCK_UNLOCKED(observed
.lock
),
49 /* Probe for console output: obtains observed lines of interest. */
50 static void probe_console(void *ignore
, const char *buf
, size_t len
)
55 spin_lock_irqsave(&observed
.lock
, flags
);
56 nlines
= observed
.nlines
;
58 if (strnstr(buf
, "BUG: KFENCE: ", len
) && strnstr(buf
, "test_", len
)) {
60 * KFENCE report and related to the test.
62 * The provided @buf is not NUL-terminated; copy no more than
63 * @len bytes and let strscpy() add the missing NUL-terminator.
65 strscpy(observed
.lines
[0], buf
, min(len
+ 1, sizeof(observed
.lines
[0])));
67 } else if (nlines
== 1 && (strnstr(buf
, "at 0x", len
) || strnstr(buf
, "of 0x", len
))) {
68 strscpy(observed
.lines
[nlines
++], buf
, min(len
+ 1, sizeof(observed
.lines
[0])));
71 WRITE_ONCE(observed
.nlines
, nlines
); /* Publish new nlines. */
72 spin_unlock_irqrestore(&observed
.lock
, flags
);
75 /* Check if a report related to the test exists. */
76 static bool report_available(void)
78 return READ_ONCE(observed
.nlines
) == ARRAY_SIZE(observed
.lines
);
81 /* Information we expect in a report. */
82 struct expect_report
{
83 enum kfence_error_type type
; /* The type or error. */
84 void *fn
; /* Function pointer to expected function where access occurred. */
85 char *addr
; /* Address at which the bad access occurred. */
86 bool is_write
; /* Is access a write. */
89 static const char *get_access_type(const struct expect_report
*r
)
91 return r
->is_write
? "write" : "read";
94 /* Check observed report matches information in @r. */
95 static bool report_matches(const struct expect_report
*r
)
97 unsigned long addr
= (unsigned long)r
->addr
;
100 typeof(observed
.lines
) expect
;
104 /* Doubled-checked locking. */
105 if (!report_available())
108 /* Generate expected report contents. */
112 end
= &expect
[0][sizeof(expect
[0]) - 1];
114 case KFENCE_ERROR_OOB
:
115 cur
+= scnprintf(cur
, end
- cur
, "BUG: KFENCE: out-of-bounds %s",
118 case KFENCE_ERROR_UAF
:
119 cur
+= scnprintf(cur
, end
- cur
, "BUG: KFENCE: use-after-free %s",
122 case KFENCE_ERROR_CORRUPTION
:
123 cur
+= scnprintf(cur
, end
- cur
, "BUG: KFENCE: memory corruption");
125 case KFENCE_ERROR_INVALID
:
126 cur
+= scnprintf(cur
, end
- cur
, "BUG: KFENCE: invalid %s",
129 case KFENCE_ERROR_INVALID_FREE
:
130 cur
+= scnprintf(cur
, end
- cur
, "BUG: KFENCE: invalid free");
134 scnprintf(cur
, end
- cur
, " in %pS", r
->fn
);
135 /* The exact offset won't match, remove it; also strip module name. */
136 cur
= strchr(expect
[0], '+');
140 /* Access information */
142 end
= &expect
[1][sizeof(expect
[1]) - 1];
145 case KFENCE_ERROR_OOB
:
146 cur
+= scnprintf(cur
, end
- cur
, "Out-of-bounds %s at", get_access_type(r
));
147 addr
= arch_kfence_test_address(addr
);
149 case KFENCE_ERROR_UAF
:
150 cur
+= scnprintf(cur
, end
- cur
, "Use-after-free %s at", get_access_type(r
));
151 addr
= arch_kfence_test_address(addr
);
153 case KFENCE_ERROR_CORRUPTION
:
154 cur
+= scnprintf(cur
, end
- cur
, "Corrupted memory at");
156 case KFENCE_ERROR_INVALID
:
157 cur
+= scnprintf(cur
, end
- cur
, "Invalid %s at", get_access_type(r
));
158 addr
= arch_kfence_test_address(addr
);
160 case KFENCE_ERROR_INVALID_FREE
:
161 cur
+= scnprintf(cur
, end
- cur
, "Invalid free of");
165 cur
+= scnprintf(cur
, end
- cur
, " 0x%p", (void *)addr
);
167 spin_lock_irqsave(&observed
.lock
, flags
);
168 if (!report_available())
169 goto out
; /* A new report is being captured. */
171 /* Finally match expected output to what we actually observed. */
172 ret
= strstr(observed
.lines
[0], expect
[0]) && strstr(observed
.lines
[1], expect
[1]);
174 spin_unlock_irqrestore(&observed
.lock
, flags
);
178 /* ===== Test cases ===== */
180 #define TEST_PRIV_WANT_MEMCACHE ((void *)1)
182 /* Cache used by tests; if NULL, allocate from kmalloc instead. */
183 static struct kmem_cache
*test_cache
;
185 static size_t setup_test_cache(struct kunit
*test
, size_t size
, slab_flags_t flags
,
186 void (*ctor
)(void *))
188 if (test
->priv
!= TEST_PRIV_WANT_MEMCACHE
)
191 kunit_info(test
, "%s: size=%zu, ctor=%ps\n", __func__
, size
, ctor
);
194 * Use SLAB_NOLEAKTRACE to prevent merging with existing caches. Any
195 * other flag in SLAB_NEVER_MERGE also works. Use SLAB_ACCOUNT to
196 * allocate via memcg, if enabled.
198 flags
|= SLAB_NOLEAKTRACE
| SLAB_ACCOUNT
;
199 test_cache
= kmem_cache_create("test", size
, 1, flags
, ctor
);
200 KUNIT_ASSERT_TRUE_MSG(test
, test_cache
, "could not create cache");
205 static void test_cache_destroy(void)
210 kmem_cache_destroy(test_cache
);
214 static inline size_t kmalloc_cache_alignment(size_t size
)
216 return kmalloc_caches
[kmalloc_type(GFP_KERNEL
)][__kmalloc_index(size
, false)]->align
;
219 /* Must always inline to match stack trace against caller. */
220 static __always_inline
void test_free(void *ptr
)
223 kmem_cache_free(test_cache
, ptr
);
229 * If this should be a KFENCE allocation, and on which side the allocation and
230 * the closest guard page should be.
232 enum allocation_policy
{
233 ALLOCATE_ANY
, /* KFENCE, any side. */
234 ALLOCATE_LEFT
, /* KFENCE, left side of page. */
235 ALLOCATE_RIGHT
, /* KFENCE, right side of page. */
236 ALLOCATE_NONE
, /* No KFENCE allocation. */
240 * Try to get a guarded allocation from KFENCE. Uses either kmalloc() or the
241 * current test_cache if set up.
243 static void *test_alloc(struct kunit
*test
, size_t size
, gfp_t gfp
, enum allocation_policy policy
)
246 unsigned long timeout
, resched_after
;
247 const char *policy_name
;
254 policy_name
= "left";
257 policy_name
= "right";
260 policy_name
= "none";
264 kunit_info(test
, "%s: size=%zu, gfp=%x, policy=%s, cache=%i\n", __func__
, size
, gfp
,
265 policy_name
, !!test_cache
);
268 * 100x the sample interval should be more than enough to ensure we get
269 * a KFENCE allocation eventually.
271 timeout
= jiffies
+ msecs_to_jiffies(100 * kfence_sample_interval
);
273 * Especially for non-preemption kernels, ensure the allocation-gate
274 * timer can catch up: after @resched_after, every failed allocation
275 * attempt yields, to ensure the allocation-gate timer is scheduled.
277 resched_after
= jiffies
+ msecs_to_jiffies(kfence_sample_interval
);
280 alloc
= kmem_cache_alloc(test_cache
, gfp
);
282 alloc
= kmalloc(size
, gfp
);
284 if (is_kfence_address(alloc
)) {
285 struct slab
*slab
= virt_to_slab(alloc
);
286 struct kmem_cache
*s
= test_cache
?:
287 kmalloc_caches
[kmalloc_type(GFP_KERNEL
)][__kmalloc_index(size
, false)];
290 * Verify that various helpers return the right values
291 * even for KFENCE objects; these are required so that
292 * memcg accounting works correctly.
294 KUNIT_EXPECT_EQ(test
, obj_to_index(s
, slab
, alloc
), 0U);
295 KUNIT_EXPECT_EQ(test
, objs_per_slab(s
, slab
), 1);
297 if (policy
== ALLOCATE_ANY
)
299 if (policy
== ALLOCATE_LEFT
&& IS_ALIGNED((unsigned long)alloc
, PAGE_SIZE
))
301 if (policy
== ALLOCATE_RIGHT
&&
302 !IS_ALIGNED((unsigned long)alloc
, PAGE_SIZE
))
304 } else if (policy
== ALLOCATE_NONE
)
309 if (time_after(jiffies
, resched_after
))
311 } while (time_before(jiffies
, timeout
));
313 KUNIT_ASSERT_TRUE_MSG(test
, false, "failed to allocate from KFENCE");
314 return NULL
; /* Unreachable. */
317 static void test_out_of_bounds_read(struct kunit
*test
)
320 struct expect_report expect
= {
321 .type
= KFENCE_ERROR_OOB
,
322 .fn
= test_out_of_bounds_read
,
327 setup_test_cache(test
, size
, 0, NULL
);
330 * If we don't have our own cache, adjust based on alignment, so that we
331 * actually access guard pages on either side.
334 size
= kmalloc_cache_alignment(size
);
336 /* Test both sides. */
338 buf
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_LEFT
);
339 expect
.addr
= buf
- 1;
340 READ_ONCE(*expect
.addr
);
341 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
344 buf
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_RIGHT
);
345 expect
.addr
= buf
+ size
;
346 READ_ONCE(*expect
.addr
);
347 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
351 static void test_out_of_bounds_write(struct kunit
*test
)
354 struct expect_report expect
= {
355 .type
= KFENCE_ERROR_OOB
,
356 .fn
= test_out_of_bounds_write
,
361 setup_test_cache(test
, size
, 0, NULL
);
362 buf
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_LEFT
);
363 expect
.addr
= buf
- 1;
364 WRITE_ONCE(*expect
.addr
, 42);
365 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
369 static void test_use_after_free_read(struct kunit
*test
)
371 const size_t size
= 32;
372 struct expect_report expect
= {
373 .type
= KFENCE_ERROR_UAF
,
374 .fn
= test_use_after_free_read
,
378 setup_test_cache(test
, size
, 0, NULL
);
379 expect
.addr
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_ANY
);
380 test_free(expect
.addr
);
381 READ_ONCE(*expect
.addr
);
382 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
385 static void test_double_free(struct kunit
*test
)
387 const size_t size
= 32;
388 struct expect_report expect
= {
389 .type
= KFENCE_ERROR_INVALID_FREE
,
390 .fn
= test_double_free
,
393 setup_test_cache(test
, size
, 0, NULL
);
394 expect
.addr
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_ANY
);
395 test_free(expect
.addr
);
396 test_free(expect
.addr
); /* Double-free. */
397 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
400 static void test_invalid_addr_free(struct kunit
*test
)
402 const size_t size
= 32;
403 struct expect_report expect
= {
404 .type
= KFENCE_ERROR_INVALID_FREE
,
405 .fn
= test_invalid_addr_free
,
409 setup_test_cache(test
, size
, 0, NULL
);
410 buf
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_ANY
);
411 expect
.addr
= buf
+ 1; /* Free on invalid address. */
412 test_free(expect
.addr
); /* Invalid address free. */
413 test_free(buf
); /* No error. */
414 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
417 static void test_corruption(struct kunit
*test
)
420 struct expect_report expect
= {
421 .type
= KFENCE_ERROR_CORRUPTION
,
422 .fn
= test_corruption
,
426 setup_test_cache(test
, size
, 0, NULL
);
428 /* Test both sides. */
430 buf
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_LEFT
);
431 expect
.addr
= buf
+ size
;
432 WRITE_ONCE(*expect
.addr
, 42);
434 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
436 buf
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_RIGHT
);
437 expect
.addr
= buf
- 1;
438 WRITE_ONCE(*expect
.addr
, 42);
440 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
444 * KFENCE is unable to detect an OOB if the allocation's alignment requirements
445 * leave a gap between the object and the guard page. Specifically, an
446 * allocation of e.g. 73 bytes is aligned on 8 and 128 bytes for SLUB or SLAB
447 * respectively. Therefore it is impossible for the allocated object to
448 * contiguously line up with the right guard page.
450 * However, we test that an access to memory beyond the gap results in KFENCE
451 * detecting an OOB access.
453 static void test_kmalloc_aligned_oob_read(struct kunit
*test
)
455 const size_t size
= 73;
456 const size_t align
= kmalloc_cache_alignment(size
);
457 struct expect_report expect
= {
458 .type
= KFENCE_ERROR_OOB
,
459 .fn
= test_kmalloc_aligned_oob_read
,
464 buf
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_RIGHT
);
467 * The object is offset to the right, so there won't be an OOB to the
470 READ_ONCE(*(buf
- 1));
471 KUNIT_EXPECT_FALSE(test
, report_available());
474 * @buf must be aligned on @align, therefore buf + size belongs to the
475 * same page -> no OOB.
477 READ_ONCE(*(buf
+ size
));
478 KUNIT_EXPECT_FALSE(test
, report_available());
480 /* Overflowing by @align bytes will result in an OOB. */
481 expect
.addr
= buf
+ size
+ align
;
482 READ_ONCE(*expect
.addr
);
483 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
488 static void test_kmalloc_aligned_oob_write(struct kunit
*test
)
490 const size_t size
= 73;
491 struct expect_report expect
= {
492 .type
= KFENCE_ERROR_CORRUPTION
,
493 .fn
= test_kmalloc_aligned_oob_write
,
497 buf
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_RIGHT
);
499 * The object is offset to the right, so we won't get a page
500 * fault immediately after it.
502 expect
.addr
= buf
+ size
;
503 WRITE_ONCE(*expect
.addr
, READ_ONCE(*expect
.addr
) + 1);
504 KUNIT_EXPECT_FALSE(test
, report_available());
506 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
509 /* Test cache shrinking and destroying with KFENCE. */
510 static void test_shrink_memcache(struct kunit
*test
)
512 const size_t size
= 32;
515 setup_test_cache(test
, size
, 0, NULL
);
516 KUNIT_EXPECT_TRUE(test
, test_cache
);
517 buf
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_ANY
);
518 kmem_cache_shrink(test_cache
);
521 KUNIT_EXPECT_FALSE(test
, report_available());
524 static void ctor_set_x(void *obj
)
526 /* Every object has at least 8 bytes. */
530 /* Ensure that SL*B does not modify KFENCE objects on bulk free. */
531 static void test_free_bulk(struct kunit
*test
)
535 for (iter
= 0; iter
< 5; iter
++) {
536 const size_t size
= setup_test_cache(test
, 8 + prandom_u32_max(300), 0,
537 (iter
& 1) ? ctor_set_x
: NULL
);
539 test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_RIGHT
),
540 test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_NONE
),
541 test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_LEFT
),
542 test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_NONE
),
543 test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_NONE
),
546 kmem_cache_free_bulk(test_cache
, ARRAY_SIZE(objects
), objects
);
547 KUNIT_ASSERT_FALSE(test
, report_available());
548 test_cache_destroy();
552 /* Test init-on-free works. */
553 static void test_init_on_free(struct kunit
*test
)
555 const size_t size
= 32;
556 struct expect_report expect
= {
557 .type
= KFENCE_ERROR_UAF
,
558 .fn
= test_init_on_free
,
563 KFENCE_TEST_REQUIRES(test
, IS_ENABLED(CONFIG_INIT_ON_FREE_DEFAULT_ON
));
564 /* Assume it hasn't been disabled on command line. */
566 setup_test_cache(test
, size
, 0, NULL
);
567 expect
.addr
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_ANY
);
568 for (i
= 0; i
< size
; i
++)
569 expect
.addr
[i
] = i
+ 1;
570 test_free(expect
.addr
);
572 for (i
= 0; i
< size
; i
++) {
574 * This may fail if the page was recycled by KFENCE and then
575 * written to again -- this however, is near impossible with a
578 KUNIT_EXPECT_EQ(test
, expect
.addr
[i
], (char)0);
580 if (!i
) /* Only check first access to not fail test if page is ever re-protected. */
581 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
585 /* Ensure that constructors work properly. */
586 static void test_memcache_ctor(struct kunit
*test
)
588 const size_t size
= 32;
592 setup_test_cache(test
, size
, 0, ctor_set_x
);
593 buf
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_ANY
);
595 for (i
= 0; i
< 8; i
++)
596 KUNIT_EXPECT_EQ(test
, buf
[i
], (char)'x');
600 KUNIT_EXPECT_FALSE(test
, report_available());
603 /* Test that memory is zeroed if requested. */
604 static void test_gfpzero(struct kunit
*test
)
606 const size_t size
= PAGE_SIZE
; /* PAGE_SIZE so we can use ALLOCATE_ANY. */
610 /* Skip if we think it'd take too long. */
611 KFENCE_TEST_REQUIRES(test
, kfence_sample_interval
<= 100);
613 setup_test_cache(test
, size
, 0, NULL
);
614 buf1
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_ANY
);
615 for (i
= 0; i
< size
; i
++)
619 /* Try to get same address again -- this can take a while. */
621 buf2
= test_alloc(test
, size
, GFP_KERNEL
| __GFP_ZERO
, ALLOCATE_ANY
);
626 if (i
== CONFIG_KFENCE_NUM_OBJECTS
) {
627 kunit_warn(test
, "giving up ... cannot get same object back\n");
632 for (i
= 0; i
< size
; i
++)
633 KUNIT_EXPECT_EQ(test
, buf2
[i
], (char)0);
637 KUNIT_EXPECT_FALSE(test
, report_available());
640 static void test_invalid_access(struct kunit
*test
)
642 const struct expect_report expect
= {
643 .type
= KFENCE_ERROR_INVALID
,
644 .fn
= test_invalid_access
,
645 .addr
= &__kfence_pool
[10],
649 READ_ONCE(__kfence_pool
[10]);
650 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
653 /* Test SLAB_TYPESAFE_BY_RCU works. */
654 static void test_memcache_typesafe_by_rcu(struct kunit
*test
)
656 const size_t size
= 32;
657 struct expect_report expect
= {
658 .type
= KFENCE_ERROR_UAF
,
659 .fn
= test_memcache_typesafe_by_rcu
,
663 setup_test_cache(test
, size
, SLAB_TYPESAFE_BY_RCU
, NULL
);
664 KUNIT_EXPECT_TRUE(test
, test_cache
); /* Want memcache. */
666 expect
.addr
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_ANY
);
670 test_free(expect
.addr
);
671 KUNIT_EXPECT_EQ(test
, *expect
.addr
, (char)42);
673 * Up to this point, memory should not have been freed yet, and
674 * therefore there should be no KFENCE report from the above access.
678 /* Above access to @expect.addr should not have generated a report! */
679 KUNIT_EXPECT_FALSE(test
, report_available());
681 /* Only after rcu_barrier() is the memory guaranteed to be freed. */
684 /* Expect use-after-free. */
685 KUNIT_EXPECT_EQ(test
, *expect
.addr
, (char)42);
686 KUNIT_EXPECT_TRUE(test
, report_matches(&expect
));
689 /* Test krealloc(). */
690 static void test_krealloc(struct kunit
*test
)
692 const size_t size
= 32;
693 const struct expect_report expect
= {
694 .type
= KFENCE_ERROR_UAF
,
696 .addr
= test_alloc(test
, size
, GFP_KERNEL
, ALLOCATE_ANY
),
699 char *buf
= expect
.addr
;
702 KUNIT_EXPECT_FALSE(test
, test_cache
);
703 KUNIT_EXPECT_EQ(test
, ksize(buf
), size
); /* Precise size match after KFENCE alloc. */
704 for (i
= 0; i
< size
; i
++)
707 /* Check that we successfully change the size. */
708 buf
= krealloc(buf
, size
* 3, GFP_KERNEL
); /* Grow. */
709 /* Note: Might no longer be a KFENCE alloc. */
710 KUNIT_EXPECT_GE(test
, ksize(buf
), size
* 3);
711 for (i
= 0; i
< size
; i
++)
712 KUNIT_EXPECT_EQ(test
, buf
[i
], (char)(i
+ 1));
713 for (; i
< size
* 3; i
++) /* Fill to extra bytes. */
716 buf
= krealloc(buf
, size
* 2, GFP_KERNEL
); /* Shrink. */
717 KUNIT_EXPECT_GE(test
, ksize(buf
), size
* 2);
718 for (i
= 0; i
< size
* 2; i
++)
719 KUNIT_EXPECT_EQ(test
, buf
[i
], (char)(i
+ 1));
721 buf
= krealloc(buf
, 0, GFP_KERNEL
); /* Free. */
722 KUNIT_EXPECT_EQ(test
, (unsigned long)buf
, (unsigned long)ZERO_SIZE_PTR
);
723 KUNIT_ASSERT_FALSE(test
, report_available()); /* No reports yet! */
725 READ_ONCE(*expect
.addr
); /* Ensure krealloc() actually freed earlier KFENCE object. */
726 KUNIT_ASSERT_TRUE(test
, report_matches(&expect
));
729 /* Test that some objects from a bulk allocation belong to KFENCE pool. */
730 static void test_memcache_alloc_bulk(struct kunit
*test
)
732 const size_t size
= 32;
734 unsigned long timeout
;
736 setup_test_cache(test
, size
, 0, NULL
);
737 KUNIT_EXPECT_TRUE(test
, test_cache
); /* Want memcache. */
739 * 100x the sample interval should be more than enough to ensure we get
740 * a KFENCE allocation eventually.
742 timeout
= jiffies
+ msecs_to_jiffies(100 * kfence_sample_interval
);
745 int i
, num
= kmem_cache_alloc_bulk(test_cache
, GFP_ATOMIC
, ARRAY_SIZE(objects
),
749 for (i
= 0; i
< ARRAY_SIZE(objects
); i
++) {
750 if (is_kfence_address(objects
[i
])) {
755 kmem_cache_free_bulk(test_cache
, num
, objects
);
757 * kmem_cache_alloc_bulk() disables interrupts, and calling it
758 * in a tight loop may not give KFENCE a chance to switch the
759 * static branch. Call cond_resched() to let KFENCE chime in.
762 } while (!pass
&& time_before(jiffies
, timeout
));
764 KUNIT_EXPECT_TRUE(test
, pass
);
765 KUNIT_EXPECT_FALSE(test
, report_available());
769 * KUnit does not provide a way to provide arguments to tests, and we encode
770 * additional info in the name. Set up 2 tests per test case, one using the
771 * default allocator, and another using a custom memcache (suffix '-memcache').
773 #define KFENCE_KUNIT_CASE(test_name) \
774 { .run_case = test_name, .name = #test_name }, \
775 { .run_case = test_name, .name = #test_name "-memcache" }
777 static struct kunit_case kfence_test_cases
[] = {
778 KFENCE_KUNIT_CASE(test_out_of_bounds_read
),
779 KFENCE_KUNIT_CASE(test_out_of_bounds_write
),
780 KFENCE_KUNIT_CASE(test_use_after_free_read
),
781 KFENCE_KUNIT_CASE(test_double_free
),
782 KFENCE_KUNIT_CASE(test_invalid_addr_free
),
783 KFENCE_KUNIT_CASE(test_corruption
),
784 KFENCE_KUNIT_CASE(test_free_bulk
),
785 KFENCE_KUNIT_CASE(test_init_on_free
),
786 KUNIT_CASE(test_kmalloc_aligned_oob_read
),
787 KUNIT_CASE(test_kmalloc_aligned_oob_write
),
788 KUNIT_CASE(test_shrink_memcache
),
789 KUNIT_CASE(test_memcache_ctor
),
790 KUNIT_CASE(test_invalid_access
),
791 KUNIT_CASE(test_gfpzero
),
792 KUNIT_CASE(test_memcache_typesafe_by_rcu
),
793 KUNIT_CASE(test_krealloc
),
794 KUNIT_CASE(test_memcache_alloc_bulk
),
798 /* ===== End test cases ===== */
800 static int test_init(struct kunit
*test
)
808 spin_lock_irqsave(&observed
.lock
, flags
);
809 for (i
= 0; i
< ARRAY_SIZE(observed
.lines
); i
++)
810 observed
.lines
[i
][0] = '\0';
812 spin_unlock_irqrestore(&observed
.lock
, flags
);
814 /* Any test with 'memcache' in its name will want a memcache. */
815 if (strstr(test
->name
, "memcache"))
816 test
->priv
= TEST_PRIV_WANT_MEMCACHE
;
823 static void test_exit(struct kunit
*test
)
825 test_cache_destroy();
828 static struct kunit_suite kfence_test_suite
= {
830 .test_cases
= kfence_test_cases
,
834 static struct kunit_suite
*kfence_test_suites
[] = { &kfence_test_suite
, NULL
};
836 static void register_tracepoints(struct tracepoint
*tp
, void *ignore
)
838 check_trace_callback_type_console(probe_console
);
839 if (!strcmp(tp
->name
, "console"))
840 WARN_ON(tracepoint_probe_register(tp
, probe_console
, NULL
));
843 static void unregister_tracepoints(struct tracepoint
*tp
, void *ignore
)
845 if (!strcmp(tp
->name
, "console"))
846 tracepoint_probe_unregister(tp
, probe_console
, NULL
);
850 * We only want to do tracepoints setup and teardown once, therefore we have to
851 * customize the init and exit functions and cannot rely on kunit_test_suite().
853 static int __init
kfence_test_init(void)
856 * Because we want to be able to build the test as a module, we need to
857 * iterate through all known tracepoints, since the static registration
860 for_each_kernel_tracepoint(register_tracepoints
, NULL
);
861 return __kunit_test_suites_init(kfence_test_suites
);
864 static void kfence_test_exit(void)
866 __kunit_test_suites_exit(kfence_test_suites
);
867 for_each_kernel_tracepoint(unregister_tracepoints
, NULL
);
868 tracepoint_synchronize_unregister();
871 late_initcall_sync(kfence_test_init
);
872 module_exit(kfence_test_exit
);
874 MODULE_LICENSE("GPL v2");
875 MODULE_AUTHOR("Alexander Potapenko <glider@google.com>, Marco Elver <elver@google.com>");