| // SPDX-License-Identifier: GPL-2.0 |
| /* |
| * Test cases for KMSAN. |
| * For each test case checks the presence (or absence) of generated reports. |
| * Relies on 'console' tracepoint to capture reports as they appear in the |
| * kernel log. |
| * |
| * Copyright (C) 2021-2022, Google LLC. |
| * Author: Alexander Potapenko <glider@google.com> |
| * |
| */ |
| |
| #include <kunit/test.h> |
| #include "kmsan.h" |
| |
| #include <linux/jiffies.h> |
| #include <linux/kernel.h> |
| #include <linux/kmsan.h> |
| #include <linux/mm.h> |
| #include <linux/random.h> |
| #include <linux/slab.h> |
| #include <linux/spinlock.h> |
| #include <linux/string.h> |
| #include <linux/tracepoint.h> |
| #include <linux/vmalloc.h> |
| #include <trace/events/printk.h> |
| |
| static DEFINE_PER_CPU(int, per_cpu_var); |
| |
| /* Report as observed from console. */ |
| static struct { |
| spinlock_t lock; |
| bool available; |
| bool ignore; /* Stop console output collection. */ |
| char header[256]; |
| } observed = { |
| .lock = __SPIN_LOCK_UNLOCKED(observed.lock), |
| }; |
| |
| /* Probe for console output: obtains observed lines of interest. */ |
| static void probe_console(void *ignore, const char *buf, size_t len) |
| { |
| unsigned long flags; |
| |
| if (observed.ignore) |
| return; |
| spin_lock_irqsave(&observed.lock, flags); |
| |
| if (strnstr(buf, "BUG: KMSAN: ", len)) { |
| /* |
| * KMSAN report and related to the test. |
| * |
| * The provided @buf is not NUL-terminated; copy no more than |
| * @len bytes and let strscpy() add the missing NUL-terminator. |
| */ |
| strscpy(observed.header, buf, |
| min(len + 1, sizeof(observed.header))); |
| WRITE_ONCE(observed.available, true); |
| observed.ignore = true; |
| } |
| spin_unlock_irqrestore(&observed.lock, flags); |
| } |
| |
| /* Check if a report related to the test exists. */ |
| static bool report_available(void) |
| { |
| return READ_ONCE(observed.available); |
| } |
| |
| /* Information we expect in a report. */ |
| struct expect_report { |
| const char *error_type; /* Error type. */ |
| /* |
| * Kernel symbol from the error header, or NULL if no report is |
| * expected. |
| */ |
| const char *symbol; |
| }; |
| |
| /* Check observed report matches information in @r. */ |
| static bool report_matches(const struct expect_report *r) |
| { |
| typeof(observed.header) expected_header; |
| unsigned long flags; |
| bool ret = false; |
| const char *end; |
| char *cur; |
| |
| /* Doubled-checked locking. */ |
| if (!report_available() || !r->symbol) |
| return (!report_available() && !r->symbol); |
| |
| /* Generate expected report contents. */ |
| |
| /* Title */ |
| cur = expected_header; |
| end = &expected_header[sizeof(expected_header) - 1]; |
| |
| cur += scnprintf(cur, end - cur, "BUG: KMSAN: %s", r->error_type); |
| |
| scnprintf(cur, end - cur, " in %s", r->symbol); |
| /* The exact offset won't match, remove it; also strip module name. */ |
| cur = strchr(expected_header, '+'); |
| if (cur) |
| *cur = '\0'; |
| |
| spin_lock_irqsave(&observed.lock, flags); |
| if (!report_available()) |
| goto out; /* A new report is being captured. */ |
| |
| /* Finally match expected output to what we actually observed. */ |
| ret = strstr(observed.header, expected_header); |
| out: |
| spin_unlock_irqrestore(&observed.lock, flags); |
| |
| return ret; |
| } |
| |
| /* ===== Test cases ===== */ |
| |
| /* Prevent replacing branch with select in LLVM. */ |
| static noinline void check_true(char *arg) |
| { |
| pr_info("%s is true\n", arg); |
| } |
| |
| static noinline void check_false(char *arg) |
| { |
| pr_info("%s is false\n", arg); |
| } |
| |
| #define USE(x) \ |
| do { \ |
| if (x) \ |
| check_true(#x); \ |
| else \ |
| check_false(#x); \ |
| } while (0) |
| |
| #define EXPECTATION_ETYPE_FN(e, reason, fn) \ |
| struct expect_report e = { \ |
| .error_type = reason, \ |
| .symbol = fn, \ |
| } |
| |
| #define EXPECTATION_NO_REPORT(e) EXPECTATION_ETYPE_FN(e, NULL, NULL) |
| #define EXPECTATION_UNINIT_VALUE_FN(e, fn) \ |
| EXPECTATION_ETYPE_FN(e, "uninit-value", fn) |
| #define EXPECTATION_UNINIT_VALUE(e) EXPECTATION_UNINIT_VALUE_FN(e, __func__) |
| #define EXPECTATION_USE_AFTER_FREE(e) \ |
| EXPECTATION_ETYPE_FN(e, "use-after-free", __func__) |
| |
| /* Test case: ensure that kmalloc() returns uninitialized memory. */ |
| static void test_uninit_kmalloc(struct kunit *test) |
| { |
| EXPECTATION_UNINIT_VALUE(expect); |
| int *ptr; |
| |
| kunit_info(test, "uninitialized kmalloc test (UMR report)\n"); |
| ptr = kmalloc(sizeof(*ptr), GFP_KERNEL); |
| USE(*ptr); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* |
| * Test case: ensure that kmalloc'ed memory becomes initialized after memset(). |
| */ |
| static void test_init_kmalloc(struct kunit *test) |
| { |
| EXPECTATION_NO_REPORT(expect); |
| int *ptr; |
| |
| kunit_info(test, "initialized kmalloc test (no reports)\n"); |
| ptr = kmalloc(sizeof(*ptr), GFP_KERNEL); |
| memset(ptr, 0, sizeof(*ptr)); |
| USE(*ptr); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* Test case: ensure that kzalloc() returns initialized memory. */ |
| static void test_init_kzalloc(struct kunit *test) |
| { |
| EXPECTATION_NO_REPORT(expect); |
| int *ptr; |
| |
| kunit_info(test, "initialized kzalloc test (no reports)\n"); |
| ptr = kzalloc(sizeof(*ptr), GFP_KERNEL); |
| USE(*ptr); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* Test case: ensure that local variables are uninitialized by default. */ |
| static void test_uninit_stack_var(struct kunit *test) |
| { |
| EXPECTATION_UNINIT_VALUE(expect); |
| volatile int cond; |
| |
| kunit_info(test, "uninitialized stack variable (UMR report)\n"); |
| USE(cond); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* Test case: ensure that local variables with initializers are initialized. */ |
| static void test_init_stack_var(struct kunit *test) |
| { |
| EXPECTATION_NO_REPORT(expect); |
| volatile int cond = 1; |
| |
| kunit_info(test, "initialized stack variable (no reports)\n"); |
| USE(cond); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| static noinline void two_param_fn_2(int arg1, int arg2) |
| { |
| USE(arg1); |
| USE(arg2); |
| } |
| |
| static noinline void one_param_fn(int arg) |
| { |
| two_param_fn_2(arg, arg); |
| USE(arg); |
| } |
| |
| static noinline void two_param_fn(int arg1, int arg2) |
| { |
| int init = 0; |
| |
| one_param_fn(init); |
| USE(arg1); |
| USE(arg2); |
| } |
| |
| static void test_params(struct kunit *test) |
| { |
| #ifdef CONFIG_KMSAN_CHECK_PARAM_RETVAL |
| /* |
| * With eager param/retval checking enabled, KMSAN will report an error |
| * before the call to two_param_fn(). |
| */ |
| EXPECTATION_UNINIT_VALUE_FN(expect, "test_params"); |
| #else |
| EXPECTATION_UNINIT_VALUE_FN(expect, "two_param_fn"); |
| #endif |
| volatile int uninit, init = 1; |
| |
| kunit_info(test, |
| "uninit passed through a function parameter (UMR report)\n"); |
| two_param_fn(uninit, init); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| static int signed_sum3(int a, int b, int c) |
| { |
| return a + b + c; |
| } |
| |
| /* |
| * Test case: ensure that uninitialized values are tracked through function |
| * arguments. |
| */ |
| static void test_uninit_multiple_params(struct kunit *test) |
| { |
| EXPECTATION_UNINIT_VALUE(expect); |
| volatile char b = 3, c; |
| volatile int a; |
| |
| kunit_info(test, "uninitialized local passed to fn (UMR report)\n"); |
| USE(signed_sum3(a, b, c)); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* Helper function to make an array uninitialized. */ |
| static noinline void do_uninit_local_array(char *array, int start, int stop) |
| { |
| volatile char uninit; |
| |
| for (int i = start; i < stop; i++) |
| array[i] = uninit; |
| } |
| |
| /* |
| * Test case: ensure kmsan_check_memory() reports an error when checking |
| * uninitialized memory. |
| */ |
| static void test_uninit_kmsan_check_memory(struct kunit *test) |
| { |
| EXPECTATION_UNINIT_VALUE_FN(expect, "test_uninit_kmsan_check_memory"); |
| volatile char local_array[8]; |
| |
| kunit_info( |
| test, |
| "kmsan_check_memory() called on uninit local (UMR report)\n"); |
| do_uninit_local_array((char *)local_array, 5, 7); |
| |
| kmsan_check_memory((char *)local_array, 8); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* |
| * Test case: check that a virtual memory range created with vmap() from |
| * initialized pages is still considered as initialized. |
| */ |
| static void test_init_kmsan_vmap_vunmap(struct kunit *test) |
| { |
| EXPECTATION_NO_REPORT(expect); |
| const int npages = 2; |
| struct page **pages; |
| void *vbuf; |
| |
| kunit_info(test, "pages initialized via vmap (no reports)\n"); |
| |
| pages = kmalloc_array(npages, sizeof(*pages), GFP_KERNEL); |
| for (int i = 0; i < npages; i++) |
| pages[i] = alloc_page(GFP_KERNEL); |
| vbuf = vmap(pages, npages, VM_MAP, PAGE_KERNEL); |
| memset(vbuf, 0xfe, npages * PAGE_SIZE); |
| for (int i = 0; i < npages; i++) |
| kmsan_check_memory(page_address(pages[i]), PAGE_SIZE); |
| |
| if (vbuf) |
| vunmap(vbuf); |
| for (int i = 0; i < npages; i++) { |
| if (pages[i]) |
| __free_page(pages[i]); |
| } |
| kfree(pages); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* |
| * Test case: ensure that memset() can initialize a buffer allocated via |
| * vmalloc(). |
| */ |
| static void test_init_vmalloc(struct kunit *test) |
| { |
| EXPECTATION_NO_REPORT(expect); |
| int npages = 8; |
| char *buf; |
| |
| kunit_info(test, "vmalloc buffer can be initialized (no reports)\n"); |
| buf = vmalloc(PAGE_SIZE * npages); |
| buf[0] = 1; |
| memset(buf, 0xfe, PAGE_SIZE * npages); |
| USE(buf[0]); |
| for (int i = 0; i < npages; i++) |
| kmsan_check_memory(&buf[PAGE_SIZE * i], PAGE_SIZE); |
| vfree(buf); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* Test case: ensure that use-after-free reporting works. */ |
| static void test_uaf(struct kunit *test) |
| { |
| EXPECTATION_USE_AFTER_FREE(expect); |
| volatile int value; |
| volatile int *var; |
| |
| kunit_info(test, "use-after-free in kmalloc-ed buffer (UMR report)\n"); |
| var = kmalloc(80, GFP_KERNEL); |
| var[3] = 0xfeedface; |
| kfree((int *)var); |
| /* Copy the invalid value before checking it. */ |
| value = var[3]; |
| USE(value); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* |
| * Test case: ensure that uninitialized values are propagated through per-CPU |
| * memory. |
| */ |
| static void test_percpu_propagate(struct kunit *test) |
| { |
| EXPECTATION_UNINIT_VALUE(expect); |
| volatile int uninit, check; |
| |
| kunit_info(test, |
| "uninit local stored to per_cpu memory (UMR report)\n"); |
| |
| this_cpu_write(per_cpu_var, uninit); |
| check = this_cpu_read(per_cpu_var); |
| USE(check); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* |
| * Test case: ensure that passing uninitialized values to printk() leads to an |
| * error report. |
| */ |
| static void test_printk(struct kunit *test) |
| { |
| #ifdef CONFIG_KMSAN_CHECK_PARAM_RETVAL |
| /* |
| * With eager param/retval checking enabled, KMSAN will report an error |
| * before the call to pr_info(). |
| */ |
| EXPECTATION_UNINIT_VALUE_FN(expect, "test_printk"); |
| #else |
| EXPECTATION_UNINIT_VALUE_FN(expect, "number"); |
| #endif |
| volatile int uninit; |
| |
| kunit_info(test, "uninit local passed to pr_info() (UMR report)\n"); |
| pr_info("%px contains %d\n", &uninit, uninit); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* |
| * Prevent the compiler from optimizing @var away. Without this, Clang may |
| * notice that @var is uninitialized and drop memcpy() calls that use it. |
| * |
| * There is OPTIMIZER_HIDE_VAR() in linux/compier.h that we cannot use here, |
| * because it is implemented as inline assembly receiving @var as a parameter |
| * and will enforce a KMSAN check. Same is true for e.g. barrier_data(var). |
| */ |
| #define DO_NOT_OPTIMIZE(var) barrier() |
| |
| /* |
| * Test case: ensure that memcpy() correctly copies initialized values. |
| * Also serves as a regression test to ensure DO_NOT_OPTIMIZE() does not cause |
| * extra checks. |
| */ |
| static void test_init_memcpy(struct kunit *test) |
| { |
| EXPECTATION_NO_REPORT(expect); |
| volatile int src; |
| volatile int dst = 0; |
| |
| DO_NOT_OPTIMIZE(src); |
| src = 1; |
| kunit_info( |
| test, |
| "memcpy()ing aligned initialized src to aligned dst (no reports)\n"); |
| memcpy((void *)&dst, (void *)&src, sizeof(src)); |
| kmsan_check_memory((void *)&dst, sizeof(dst)); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* |
| * Test case: ensure that memcpy() correctly copies uninitialized values between |
| * aligned `src` and `dst`. |
| */ |
| static void test_memcpy_aligned_to_aligned(struct kunit *test) |
| { |
| EXPECTATION_UNINIT_VALUE_FN(expect, "test_memcpy_aligned_to_aligned"); |
| volatile int uninit_src; |
| volatile int dst = 0; |
| |
| kunit_info( |
| test, |
| "memcpy()ing aligned uninit src to aligned dst (UMR report)\n"); |
| DO_NOT_OPTIMIZE(uninit_src); |
| memcpy((void *)&dst, (void *)&uninit_src, sizeof(uninit_src)); |
| kmsan_check_memory((void *)&dst, sizeof(dst)); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* |
| * Test case: ensure that memcpy() correctly copies uninitialized values between |
| * aligned `src` and unaligned `dst`. |
| * |
| * Copying aligned 4-byte value to an unaligned one leads to touching two |
| * aligned 4-byte values. This test case checks that KMSAN correctly reports an |
| * error on the first of the two values. |
| */ |
| static void test_memcpy_aligned_to_unaligned(struct kunit *test) |
| { |
| EXPECTATION_UNINIT_VALUE_FN(expect, "test_memcpy_aligned_to_unaligned"); |
| volatile int uninit_src; |
| volatile char dst[8] = { 0 }; |
| |
| kunit_info( |
| test, |
| "memcpy()ing aligned uninit src to unaligned dst (UMR report)\n"); |
| DO_NOT_OPTIMIZE(uninit_src); |
| memcpy((void *)&dst[1], (void *)&uninit_src, sizeof(uninit_src)); |
| kmsan_check_memory((void *)dst, 4); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* |
| * Test case: ensure that memcpy() correctly copies uninitialized values between |
| * aligned `src` and unaligned `dst`. |
| * |
| * Copying aligned 4-byte value to an unaligned one leads to touching two |
| * aligned 4-byte values. This test case checks that KMSAN correctly reports an |
| * error on the second of the two values. |
| */ |
| static void test_memcpy_aligned_to_unaligned2(struct kunit *test) |
| { |
| EXPECTATION_UNINIT_VALUE_FN(expect, |
| "test_memcpy_aligned_to_unaligned2"); |
| volatile int uninit_src; |
| volatile char dst[8] = { 0 }; |
| |
| kunit_info( |
| test, |
| "memcpy()ing aligned uninit src to unaligned dst - part 2 (UMR report)\n"); |
| DO_NOT_OPTIMIZE(uninit_src); |
| memcpy((void *)&dst[1], (void *)&uninit_src, sizeof(uninit_src)); |
| kmsan_check_memory((void *)&dst[4], sizeof(uninit_src)); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* Generate test cases for memset16(), memset32(), memset64(). */ |
| #define DEFINE_TEST_MEMSETXX(size) \ |
| static void test_memset##size(struct kunit *test) \ |
| { \ |
| EXPECTATION_NO_REPORT(expect); \ |
| volatile uint##size##_t uninit; \ |
| \ |
| kunit_info(test, \ |
| "memset" #size "() should initialize memory\n"); \ |
| DO_NOT_OPTIMIZE(uninit); \ |
| memset##size((uint##size##_t *)&uninit, 0, 1); \ |
| kmsan_check_memory((void *)&uninit, sizeof(uninit)); \ |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); \ |
| } |
| |
| DEFINE_TEST_MEMSETXX(16) |
| DEFINE_TEST_MEMSETXX(32) |
| DEFINE_TEST_MEMSETXX(64) |
| |
| static noinline void fibonacci(int *array, int size, int start) |
| { |
| if (start < 2 || (start == size)) |
| return; |
| array[start] = array[start - 1] + array[start - 2]; |
| fibonacci(array, size, start + 1); |
| } |
| |
| static void test_long_origin_chain(struct kunit *test) |
| { |
| EXPECTATION_UNINIT_VALUE_FN(expect, "test_long_origin_chain"); |
| /* (KMSAN_MAX_ORIGIN_DEPTH * 2) recursive calls to fibonacci(). */ |
| volatile int accum[KMSAN_MAX_ORIGIN_DEPTH * 2 + 2]; |
| int last = ARRAY_SIZE(accum) - 1; |
| |
| kunit_info( |
| test, |
| "origin chain exceeding KMSAN_MAX_ORIGIN_DEPTH (UMR report)\n"); |
| /* |
| * We do not set accum[1] to 0, so the uninitializedness will be carried |
| * over to accum[2..last]. |
| */ |
| accum[0] = 1; |
| fibonacci((int *)accum, ARRAY_SIZE(accum), 2); |
| kmsan_check_memory((void *)&accum[last], sizeof(int)); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| /* |
| * Test case: ensure that saving/restoring/printing stacks to/from stackdepot |
| * does not trigger errors. |
| * |
| * KMSAN uses stackdepot to store origin stack traces, that's why we do not |
| * instrument lib/stackdepot.c. Yet it must properly mark its outputs as |
| * initialized because other kernel features (e.g. netdev tracker) may also |
| * access stackdepot from instrumented code. |
| */ |
| static void test_stackdepot_roundtrip(struct kunit *test) |
| { |
| unsigned long src_entries[16], *dst_entries; |
| unsigned int src_nentries, dst_nentries; |
| EXPECTATION_NO_REPORT(expect); |
| depot_stack_handle_t handle; |
| |
| kunit_info(test, "testing stackdepot roundtrip (no reports)\n"); |
| |
| src_nentries = |
| stack_trace_save(src_entries, ARRAY_SIZE(src_entries), 1); |
| handle = stack_depot_save(src_entries, src_nentries, GFP_KERNEL); |
| stack_depot_print(handle); |
| dst_nentries = stack_depot_fetch(handle, &dst_entries); |
| KUNIT_EXPECT_TRUE(test, src_nentries == dst_nentries); |
| |
| kmsan_check_memory((void *)dst_entries, |
| sizeof(*dst_entries) * dst_nentries); |
| KUNIT_EXPECT_TRUE(test, report_matches(&expect)); |
| } |
| |
| static struct kunit_case kmsan_test_cases[] = { |
| KUNIT_CASE(test_uninit_kmalloc), |
| KUNIT_CASE(test_init_kmalloc), |
| KUNIT_CASE(test_init_kzalloc), |
| KUNIT_CASE(test_uninit_stack_var), |
| KUNIT_CASE(test_init_stack_var), |
| KUNIT_CASE(test_params), |
| KUNIT_CASE(test_uninit_multiple_params), |
| KUNIT_CASE(test_uninit_kmsan_check_memory), |
| KUNIT_CASE(test_init_kmsan_vmap_vunmap), |
| KUNIT_CASE(test_init_vmalloc), |
| KUNIT_CASE(test_uaf), |
| KUNIT_CASE(test_percpu_propagate), |
| KUNIT_CASE(test_printk), |
| KUNIT_CASE(test_init_memcpy), |
| KUNIT_CASE(test_memcpy_aligned_to_aligned), |
| KUNIT_CASE(test_memcpy_aligned_to_unaligned), |
| KUNIT_CASE(test_memcpy_aligned_to_unaligned2), |
| KUNIT_CASE(test_memset16), |
| KUNIT_CASE(test_memset32), |
| KUNIT_CASE(test_memset64), |
| KUNIT_CASE(test_long_origin_chain), |
| KUNIT_CASE(test_stackdepot_roundtrip), |
| {}, |
| }; |
| |
| /* ===== End test cases ===== */ |
| |
| static int test_init(struct kunit *test) |
| { |
| unsigned long flags; |
| |
| spin_lock_irqsave(&observed.lock, flags); |
| observed.header[0] = '\0'; |
| observed.ignore = false; |
| observed.available = false; |
| spin_unlock_irqrestore(&observed.lock, flags); |
| |
| return 0; |
| } |
| |
| static void test_exit(struct kunit *test) |
| { |
| } |
| |
| static int kmsan_suite_init(struct kunit_suite *suite) |
| { |
| register_trace_console(probe_console, NULL); |
| return 0; |
| } |
| |
| static void kmsan_suite_exit(struct kunit_suite *suite) |
| { |
| unregister_trace_console(probe_console, NULL); |
| tracepoint_synchronize_unregister(); |
| } |
| |
| static struct kunit_suite kmsan_test_suite = { |
| .name = "kmsan", |
| .test_cases = kmsan_test_cases, |
| .init = test_init, |
| .exit = test_exit, |
| .suite_init = kmsan_suite_init, |
| .suite_exit = kmsan_suite_exit, |
| }; |
| kunit_test_suites(&kmsan_test_suite); |
| |
| MODULE_LICENSE("GPL"); |
| MODULE_AUTHOR("Alexander Potapenko <glider@google.com>"); |