lib/test_kasan.c at v5.8 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / lib / test_kasan.c
at v5.8 18 kB view raw
  1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 *
  4 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
  5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
  6 */
  7
  8#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
  9
 10#include <linux/bitops.h>
 11#include <linux/delay.h>
 12#include <linux/kasan.h>
 13#include <linux/kernel.h>
 14#include <linux/mm.h>
 15#include <linux/mman.h>
 16#include <linux/module.h>
 17#include <linux/printk.h>
 18#include <linux/slab.h>
 19#include <linux/string.h>
 20#include <linux/uaccess.h>
 21#include <linux/io.h>
 22#include <linux/vmalloc.h>
 23
 24#include <asm/page.h>
 25
 26/*
 27 * We assign some test results to these globals to make sure the tests
 28 * are not eliminated as dead code.
 29 */
 30
 31int kasan_int_result;
 32void *kasan_ptr_result;
 33
 34/*
 35 * Note: test functions are marked noinline so that their names appear in
 36 * reports.
 37 */
 38
 39static noinline void __init kmalloc_oob_right(void)
 40{
 41	char *ptr;
 42	size_t size = 123;
 43
 44	pr_info("out-of-bounds to right\n");
 45	ptr = kmalloc(size, GFP_KERNEL);
 46	if (!ptr) {
 47		pr_err("Allocation failed\n");
 48		return;
 49	}
 50
 51	ptr[size] = 'x';
 52	kfree(ptr);
 53}
 54
 55static noinline void __init kmalloc_oob_left(void)
 56{
 57	char *ptr;
 58	size_t size = 15;
 59
 60	pr_info("out-of-bounds to left\n");
 61	ptr = kmalloc(size, GFP_KERNEL);
 62	if (!ptr) {
 63		pr_err("Allocation failed\n");
 64		return;
 65	}
 66
 67	*ptr = *(ptr - 1);
 68	kfree(ptr);
 69}
 70
 71static noinline void __init kmalloc_node_oob_right(void)
 72{
 73	char *ptr;
 74	size_t size = 4096;
 75
 76	pr_info("kmalloc_node(): out-of-bounds to right\n");
 77	ptr = kmalloc_node(size, GFP_KERNEL, 0);
 78	if (!ptr) {
 79		pr_err("Allocation failed\n");
 80		return;
 81	}
 82
 83	ptr[size] = 0;
 84	kfree(ptr);
 85}
 86
 87#ifdef CONFIG_SLUB
 88static noinline void __init kmalloc_pagealloc_oob_right(void)
 89{
 90	char *ptr;
 91	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
 92
 93	/* Allocate a chunk that does not fit into a SLUB cache to trigger
 94	 * the page allocator fallback.
 95	 */
 96	pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n");
 97	ptr = kmalloc(size, GFP_KERNEL);
 98	if (!ptr) {
 99		pr_err("Allocation failed\n");
100		return;
101	}
102
103	ptr[size] = 0;
104	kfree(ptr);
105}
106
107static noinline void __init kmalloc_pagealloc_uaf(void)
108{
109	char *ptr;
110	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
111
112	pr_info("kmalloc pagealloc allocation: use-after-free\n");
113	ptr = kmalloc(size, GFP_KERNEL);
114	if (!ptr) {
115		pr_err("Allocation failed\n");
116		return;
117	}
118
119	kfree(ptr);
120	ptr[0] = 0;
121}
122
123static noinline void __init kmalloc_pagealloc_invalid_free(void)
124{
125	char *ptr;
126	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
127
128	pr_info("kmalloc pagealloc allocation: invalid-free\n");
129	ptr = kmalloc(size, GFP_KERNEL);
130	if (!ptr) {
131		pr_err("Allocation failed\n");
132		return;
133	}
134
135	kfree(ptr + 1);
136}
137#endif
138
139static noinline void __init kmalloc_large_oob_right(void)
140{
141	char *ptr;
142	size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
143	/* Allocate a chunk that is large enough, but still fits into a slab
144	 * and does not trigger the page allocator fallback in SLUB.
145	 */
146	pr_info("kmalloc large allocation: out-of-bounds to right\n");
147	ptr = kmalloc(size, GFP_KERNEL);
148	if (!ptr) {
149		pr_err("Allocation failed\n");
150		return;
151	}
152
153	ptr[size] = 0;
154	kfree(ptr);
155}
156
157static noinline void __init kmalloc_oob_krealloc_more(void)
158{
159	char *ptr1, *ptr2;
160	size_t size1 = 17;
161	size_t size2 = 19;
162
163	pr_info("out-of-bounds after krealloc more\n");
164	ptr1 = kmalloc(size1, GFP_KERNEL);
165	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
166	if (!ptr1 || !ptr2) {
167		pr_err("Allocation failed\n");
168		kfree(ptr1);
169		kfree(ptr2);
170		return;
171	}
172
173	ptr2[size2] = 'x';
174	kfree(ptr2);
175}
176
177static noinline void __init kmalloc_oob_krealloc_less(void)
178{
179	char *ptr1, *ptr2;
180	size_t size1 = 17;
181	size_t size2 = 15;
182
183	pr_info("out-of-bounds after krealloc less\n");
184	ptr1 = kmalloc(size1, GFP_KERNEL);
185	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
186	if (!ptr1 || !ptr2) {
187		pr_err("Allocation failed\n");
188		kfree(ptr1);
189		return;
190	}
191	ptr2[size2] = 'x';
192	kfree(ptr2);
193}
194
195static noinline void __init kmalloc_oob_16(void)
196{
197	struct {
198		u64 words[2];
199	} *ptr1, *ptr2;
200
201	pr_info("kmalloc out-of-bounds for 16-bytes access\n");
202	ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
203	ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
204	if (!ptr1 || !ptr2) {
205		pr_err("Allocation failed\n");
206		kfree(ptr1);
207		kfree(ptr2);
208		return;
209	}
210	*ptr1 = *ptr2;
211	kfree(ptr1);
212	kfree(ptr2);
213}
214
215static noinline void __init kmalloc_oob_memset_2(void)
216{
217	char *ptr;
218	size_t size = 8;
219
220	pr_info("out-of-bounds in memset2\n");
221	ptr = kmalloc(size, GFP_KERNEL);
222	if (!ptr) {
223		pr_err("Allocation failed\n");
224		return;
225	}
226
227	memset(ptr+7, 0, 2);
228	kfree(ptr);
229}
230
231static noinline void __init kmalloc_oob_memset_4(void)
232{
233	char *ptr;
234	size_t size = 8;
235
236	pr_info("out-of-bounds in memset4\n");
237	ptr = kmalloc(size, GFP_KERNEL);
238	if (!ptr) {
239		pr_err("Allocation failed\n");
240		return;
241	}
242
243	memset(ptr+5, 0, 4);
244	kfree(ptr);
245}
246
247
248static noinline void __init kmalloc_oob_memset_8(void)
249{
250	char *ptr;
251	size_t size = 8;
252
253	pr_info("out-of-bounds in memset8\n");
254	ptr = kmalloc(size, GFP_KERNEL);
255	if (!ptr) {
256		pr_err("Allocation failed\n");
257		return;
258	}
259
260	memset(ptr+1, 0, 8);
261	kfree(ptr);
262}
263
264static noinline void __init kmalloc_oob_memset_16(void)
265{
266	char *ptr;
267	size_t size = 16;
268
269	pr_info("out-of-bounds in memset16\n");
270	ptr = kmalloc(size, GFP_KERNEL);
271	if (!ptr) {
272		pr_err("Allocation failed\n");
273		return;
274	}
275
276	memset(ptr+1, 0, 16);
277	kfree(ptr);
278}
279
280static noinline void __init kmalloc_oob_in_memset(void)
281{
282	char *ptr;
283	size_t size = 666;
284
285	pr_info("out-of-bounds in memset\n");
286	ptr = kmalloc(size, GFP_KERNEL);
287	if (!ptr) {
288		pr_err("Allocation failed\n");
289		return;
290	}
291
292	memset(ptr, 0, size+5);
293	kfree(ptr);
294}
295
296static noinline void __init kmalloc_memmove_invalid_size(void)
297{
298	char *ptr;
299	size_t size = 64;
300	volatile size_t invalid_size = -2;
301
302	pr_info("invalid size in memmove\n");
303	ptr = kmalloc(size, GFP_KERNEL);
304	if (!ptr) {
305		pr_err("Allocation failed\n");
306		return;
307	}
308
309	memset((char *)ptr, 0, 64);
310	memmove((char *)ptr, (char *)ptr + 4, invalid_size);
311	kfree(ptr);
312}
313
314static noinline void __init kmalloc_uaf(void)
315{
316	char *ptr;
317	size_t size = 10;
318
319	pr_info("use-after-free\n");
320	ptr = kmalloc(size, GFP_KERNEL);
321	if (!ptr) {
322		pr_err("Allocation failed\n");
323		return;
324	}
325
326	kfree(ptr);
327	*(ptr + 8) = 'x';
328}
329
330static noinline void __init kmalloc_uaf_memset(void)
331{
332	char *ptr;
333	size_t size = 33;
334
335	pr_info("use-after-free in memset\n");
336	ptr = kmalloc(size, GFP_KERNEL);
337	if (!ptr) {
338		pr_err("Allocation failed\n");
339		return;
340	}
341
342	kfree(ptr);
343	memset(ptr, 0, size);
344}
345
346static noinline void __init kmalloc_uaf2(void)
347{
348	char *ptr1, *ptr2;
349	size_t size = 43;
350
351	pr_info("use-after-free after another kmalloc\n");
352	ptr1 = kmalloc(size, GFP_KERNEL);
353	if (!ptr1) {
354		pr_err("Allocation failed\n");
355		return;
356	}
357
358	kfree(ptr1);
359	ptr2 = kmalloc(size, GFP_KERNEL);
360	if (!ptr2) {
361		pr_err("Allocation failed\n");
362		return;
363	}
364
365	ptr1[40] = 'x';
366	if (ptr1 == ptr2)
367		pr_err("Could not detect use-after-free: ptr1 == ptr2\n");
368	kfree(ptr2);
369}
370
371static noinline void __init kfree_via_page(void)
372{
373	char *ptr;
374	size_t size = 8;
375	struct page *page;
376	unsigned long offset;
377
378	pr_info("invalid-free false positive (via page)\n");
379	ptr = kmalloc(size, GFP_KERNEL);
380	if (!ptr) {
381		pr_err("Allocation failed\n");
382		return;
383	}
384
385	page = virt_to_page(ptr);
386	offset = offset_in_page(ptr);
387	kfree(page_address(page) + offset);
388}
389
390static noinline void __init kfree_via_phys(void)
391{
392	char *ptr;
393	size_t size = 8;
394	phys_addr_t phys;
395
396	pr_info("invalid-free false positive (via phys)\n");
397	ptr = kmalloc(size, GFP_KERNEL);
398	if (!ptr) {
399		pr_err("Allocation failed\n");
400		return;
401	}
402
403	phys = virt_to_phys(ptr);
404	kfree(phys_to_virt(phys));
405}
406
407static noinline void __init kmem_cache_oob(void)
408{
409	char *p;
410	size_t size = 200;
411	struct kmem_cache *cache = kmem_cache_create("test_cache",
412						size, 0,
413						0, NULL);
414	if (!cache) {
415		pr_err("Cache allocation failed\n");
416		return;
417	}
418	pr_info("out-of-bounds in kmem_cache_alloc\n");
419	p = kmem_cache_alloc(cache, GFP_KERNEL);
420	if (!p) {
421		pr_err("Allocation failed\n");
422		kmem_cache_destroy(cache);
423		return;
424	}
425
426	*p = p[size];
427	kmem_cache_free(cache, p);
428	kmem_cache_destroy(cache);
429}
430
431static noinline void __init memcg_accounted_kmem_cache(void)
432{
433	int i;
434	char *p;
435	size_t size = 200;
436	struct kmem_cache *cache;
437
438	cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
439	if (!cache) {
440		pr_err("Cache allocation failed\n");
441		return;
442	}
443
444	pr_info("allocate memcg accounted object\n");
445	/*
446	 * Several allocations with a delay to allow for lazy per memcg kmem
447	 * cache creation.
448	 */
449	for (i = 0; i < 5; i++) {
450		p = kmem_cache_alloc(cache, GFP_KERNEL);
451		if (!p)
452			goto free_cache;
453
454		kmem_cache_free(cache, p);
455		msleep(100);
456	}
457
458free_cache:
459	kmem_cache_destroy(cache);
460}
461
462static char global_array[10];
463
464static noinline void __init kasan_global_oob(void)
465{
466	volatile int i = 3;
467	char *p = &global_array[ARRAY_SIZE(global_array) + i];
468
469	pr_info("out-of-bounds global variable\n");
470	*(volatile char *)p;
471}
472
473static noinline void __init kasan_stack_oob(void)
474{
475	char stack_array[10];
476	volatile int i = 0;
477	char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
478
479	pr_info("out-of-bounds on stack\n");
480	*(volatile char *)p;
481}
482
483static noinline void __init ksize_unpoisons_memory(void)
484{
485	char *ptr;
486	size_t size = 123, real_size;
487
488	pr_info("ksize() unpoisons the whole allocated chunk\n");
489	ptr = kmalloc(size, GFP_KERNEL);
490	if (!ptr) {
491		pr_err("Allocation failed\n");
492		return;
493	}
494	real_size = ksize(ptr);
495	/* This access doesn't trigger an error. */
496	ptr[size] = 'x';
497	/* This one does. */
498	ptr[real_size] = 'y';
499	kfree(ptr);
500}
501
502static noinline void __init copy_user_test(void)
503{
504	char *kmem;
505	char __user *usermem;
506	size_t size = 10;
507	int unused;
508
509	kmem = kmalloc(size, GFP_KERNEL);
510	if (!kmem)
511		return;
512
513	usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,
514			    PROT_READ | PROT_WRITE | PROT_EXEC,
515			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
516	if (IS_ERR(usermem)) {
517		pr_err("Failed to allocate user memory\n");
518		kfree(kmem);
519		return;
520	}
521
522	pr_info("out-of-bounds in copy_from_user()\n");
523	unused = copy_from_user(kmem, usermem, size + 1);
524
525	pr_info("out-of-bounds in copy_to_user()\n");
526	unused = copy_to_user(usermem, kmem, size + 1);
527
528	pr_info("out-of-bounds in __copy_from_user()\n");
529	unused = __copy_from_user(kmem, usermem, size + 1);
530
531	pr_info("out-of-bounds in __copy_to_user()\n");
532	unused = __copy_to_user(usermem, kmem, size + 1);
533
534	pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
535	unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
536
537	pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
538	unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
539
540	pr_info("out-of-bounds in strncpy_from_user()\n");
541	unused = strncpy_from_user(kmem, usermem, size + 1);
542
543	vm_munmap((unsigned long)usermem, PAGE_SIZE);
544	kfree(kmem);
545}
546
547static noinline void __init kasan_alloca_oob_left(void)
548{
549	volatile int i = 10;
550	char alloca_array[i];
551	char *p = alloca_array - 1;
552
553	pr_info("out-of-bounds to left on alloca\n");
554	*(volatile char *)p;
555}
556
557static noinline void __init kasan_alloca_oob_right(void)
558{
559	volatile int i = 10;
560	char alloca_array[i];
561	char *p = alloca_array + i;
562
563	pr_info("out-of-bounds to right on alloca\n");
564	*(volatile char *)p;
565}
566
567static noinline void __init kmem_cache_double_free(void)
568{
569	char *p;
570	size_t size = 200;
571	struct kmem_cache *cache;
572
573	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
574	if (!cache) {
575		pr_err("Cache allocation failed\n");
576		return;
577	}
578	pr_info("double-free on heap object\n");
579	p = kmem_cache_alloc(cache, GFP_KERNEL);
580	if (!p) {
581		pr_err("Allocation failed\n");
582		kmem_cache_destroy(cache);
583		return;
584	}
585
586	kmem_cache_free(cache, p);
587	kmem_cache_free(cache, p);
588	kmem_cache_destroy(cache);
589}
590
591static noinline void __init kmem_cache_invalid_free(void)
592{
593	char *p;
594	size_t size = 200;
595	struct kmem_cache *cache;
596
597	cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
598				  NULL);
599	if (!cache) {
600		pr_err("Cache allocation failed\n");
601		return;
602	}
603	pr_info("invalid-free of heap object\n");
604	p = kmem_cache_alloc(cache, GFP_KERNEL);
605	if (!p) {
606		pr_err("Allocation failed\n");
607		kmem_cache_destroy(cache);
608		return;
609	}
610
611	/* Trigger invalid free, the object doesn't get freed */
612	kmem_cache_free(cache, p + 1);
613
614	/*
615	 * Properly free the object to prevent the "Objects remaining in
616	 * test_cache on __kmem_cache_shutdown" BUG failure.
617	 */
618	kmem_cache_free(cache, p);
619
620	kmem_cache_destroy(cache);
621}
622
623static noinline void __init kasan_memchr(void)
624{
625	char *ptr;
626	size_t size = 24;
627
628	pr_info("out-of-bounds in memchr\n");
629	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
630	if (!ptr)
631		return;
632
633	kasan_ptr_result = memchr(ptr, '1', size + 1);
634	kfree(ptr);
635}
636
637static noinline void __init kasan_memcmp(void)
638{
639	char *ptr;
640	size_t size = 24;
641	int arr[9];
642
643	pr_info("out-of-bounds in memcmp\n");
644	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
645	if (!ptr)
646		return;
647
648	memset(arr, 0, sizeof(arr));
649	kasan_int_result = memcmp(ptr, arr, size + 1);
650	kfree(ptr);
651}
652
653static noinline void __init kasan_strings(void)
654{
655	char *ptr;
656	size_t size = 24;
657
658	pr_info("use-after-free in strchr\n");
659	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
660	if (!ptr)
661		return;
662
663	kfree(ptr);
664
665	/*
666	 * Try to cause only 1 invalid access (less spam in dmesg).
667	 * For that we need ptr to point to zeroed byte.
668	 * Skip metadata that could be stored in freed object so ptr
669	 * will likely point to zeroed byte.
670	 */
671	ptr += 16;
672	kasan_ptr_result = strchr(ptr, '1');
673
674	pr_info("use-after-free in strrchr\n");
675	kasan_ptr_result = strrchr(ptr, '1');
676
677	pr_info("use-after-free in strcmp\n");
678	kasan_int_result = strcmp(ptr, "2");
679
680	pr_info("use-after-free in strncmp\n");
681	kasan_int_result = strncmp(ptr, "2", 1);
682
683	pr_info("use-after-free in strlen\n");
684	kasan_int_result = strlen(ptr);
685
686	pr_info("use-after-free in strnlen\n");
687	kasan_int_result = strnlen(ptr, 1);
688}
689
690static noinline void __init kasan_bitops(void)
691{
692	/*
693	 * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes;
694	 * this way we do not actually corrupt other memory.
695	 */
696	long *bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
697	if (!bits)
698		return;
699
700	/*
701	 * Below calls try to access bit within allocated memory; however, the
702	 * below accesses are still out-of-bounds, since bitops are defined to
703	 * operate on the whole long the bit is in.
704	 */
705	pr_info("out-of-bounds in set_bit\n");
706	set_bit(BITS_PER_LONG, bits);
707
708	pr_info("out-of-bounds in __set_bit\n");
709	__set_bit(BITS_PER_LONG, bits);
710
711	pr_info("out-of-bounds in clear_bit\n");
712	clear_bit(BITS_PER_LONG, bits);
713
714	pr_info("out-of-bounds in __clear_bit\n");
715	__clear_bit(BITS_PER_LONG, bits);
716
717	pr_info("out-of-bounds in clear_bit_unlock\n");
718	clear_bit_unlock(BITS_PER_LONG, bits);
719
720	pr_info("out-of-bounds in __clear_bit_unlock\n");
721	__clear_bit_unlock(BITS_PER_LONG, bits);
722
723	pr_info("out-of-bounds in change_bit\n");
724	change_bit(BITS_PER_LONG, bits);
725
726	pr_info("out-of-bounds in __change_bit\n");
727	__change_bit(BITS_PER_LONG, bits);
728
729	/*
730	 * Below calls try to access bit beyond allocated memory.
731	 */
732	pr_info("out-of-bounds in test_and_set_bit\n");
733	test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
734
735	pr_info("out-of-bounds in __test_and_set_bit\n");
736	__test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
737
738	pr_info("out-of-bounds in test_and_set_bit_lock\n");
739	test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits);
740
741	pr_info("out-of-bounds in test_and_clear_bit\n");
742	test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
743
744	pr_info("out-of-bounds in __test_and_clear_bit\n");
745	__test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
746
747	pr_info("out-of-bounds in test_and_change_bit\n");
748	test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
749
750	pr_info("out-of-bounds in __test_and_change_bit\n");
751	__test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
752
753	pr_info("out-of-bounds in test_bit\n");
754	kasan_int_result = test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
755
756#if defined(clear_bit_unlock_is_negative_byte)
757	pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n");
758	kasan_int_result = clear_bit_unlock_is_negative_byte(BITS_PER_LONG +
759		BITS_PER_BYTE, bits);
760#endif
761	kfree(bits);
762}
763
764static noinline void __init kmalloc_double_kzfree(void)
765{
766	char *ptr;
767	size_t size = 16;
768
769	pr_info("double-free (kzfree)\n");
770	ptr = kmalloc(size, GFP_KERNEL);
771	if (!ptr) {
772		pr_err("Allocation failed\n");
773		return;
774	}
775
776	kzfree(ptr);
777	kzfree(ptr);
778}
779
780#ifdef CONFIG_KASAN_VMALLOC
781static noinline void __init vmalloc_oob(void)
782{
783	void *area;
784
785	pr_info("vmalloc out-of-bounds\n");
786
787	/*
788	 * We have to be careful not to hit the guard page.
789	 * The MMU will catch that and crash us.
790	 */
791	area = vmalloc(3000);
792	if (!area) {
793		pr_err("Allocation failed\n");
794		return;
795	}
796
797	((volatile char *)area)[3100];
798	vfree(area);
799}
800#else
801static void __init vmalloc_oob(void) {}
802#endif
803
804static int __init kmalloc_tests_init(void)
805{
806	/*
807	 * Temporarily enable multi-shot mode. Otherwise, we'd only get a
808	 * report for the first case.
809	 */
810	bool multishot = kasan_save_enable_multi_shot();
811
812	kmalloc_oob_right();
813	kmalloc_oob_left();
814	kmalloc_node_oob_right();
815#ifdef CONFIG_SLUB
816	kmalloc_pagealloc_oob_right();
817	kmalloc_pagealloc_uaf();
818	kmalloc_pagealloc_invalid_free();
819#endif
820	kmalloc_large_oob_right();
821	kmalloc_oob_krealloc_more();
822	kmalloc_oob_krealloc_less();
823	kmalloc_oob_16();
824	kmalloc_oob_in_memset();
825	kmalloc_oob_memset_2();
826	kmalloc_oob_memset_4();
827	kmalloc_oob_memset_8();
828	kmalloc_oob_memset_16();
829	kmalloc_memmove_invalid_size();
830	kmalloc_uaf();
831	kmalloc_uaf_memset();
832	kmalloc_uaf2();
833	kfree_via_page();
834	kfree_via_phys();
835	kmem_cache_oob();
836	memcg_accounted_kmem_cache();
837	kasan_stack_oob();
838	kasan_global_oob();
839	kasan_alloca_oob_left();
840	kasan_alloca_oob_right();
841	ksize_unpoisons_memory();
842	copy_user_test();
843	kmem_cache_double_free();
844	kmem_cache_invalid_free();
845	kasan_memchr();
846	kasan_memcmp();
847	kasan_strings();
848	kasan_bitops();
849	kmalloc_double_kzfree();
850	vmalloc_oob();
851
852	kasan_restore_multi_shot(multishot);
853
854	return -EAGAIN;
855}
856
857module_init(kmalloc_tests_init);
858MODULE_LICENSE("GPL");