kunit: Device wrappers should also manage driver name

kunit_driver_create() accepts a name for the driver, but does not copy
it, so if that name is either on the stack, or otherwise freed, we end
up with a use-after-free when the driver is cleaned up.

Instead, strdup() the name, and manage it as another KUnit allocation.
As there was no existing kunit_kstrdup(), we add one. Further, add a
kunit_ variant of strdup_const() and kfree_const(), so we don't need to
allocate and manage the string in the majority of cases where it's a
constant.

However, these are inline functions, and is_kernel_rodata() only works
for built-in code. This causes problems in two cases:
- If kunit is built as a module, __{start,end}_rodata is not defined.
- If a kunit test using these functions is built as a module, it will
  suffer the same fate.

This fixes a KASAN splat with overflow.overflow_allocation_test, when
built as a module.

Restrict the is_kernel_rodata() case to when KUnit is built as a module,
which fixes the first case, at the cost of losing the optimisation.

Also, make kunit_{kstrdup,kfree}_const non-inline, so that other modules
using them will not accidentally depend on is_kernel_rodata(). If KUnit
is built-in, they'll benefit from the optimisation; if KUnit is not,
they won't, but the string will be properly duplicated.

Fixes: d03c720e03bd ("kunit: Add APIs for managing devices")
Reported-by: Nico Pache <npache@redhat.com>
Closes: https://groups.google.com/g/kunit-dev/c/81V9b9QYON0
Reviewed-by: Kees Cook <kees@kernel.org>
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Reviewed-by: Rae Moar <rmoar@google.com>
Signed-off-by: David Gow <davidgow@google.com>
Tested-by: Rae Moar <rmoar@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>

authored by David Gow and committed by Shuah Khan f2c6dbd2 8400291e

+72 -2
+48
include/kunit/test.h
··· 28 #include <linux/types.h> 29 30 #include <asm/rwonce.h> 31 32 /* Static key: true if any KUnit tests are currently running */ 33 DECLARE_STATIC_KEY_FALSE(kunit_running); ··· 480 { 481 return kunit_kmalloc_array(test, n, size, gfp | __GFP_ZERO); 482 } 483 484 /** 485 * kunit_vm_mmap() - Allocate KUnit-tracked vm_mmap() area
··· 28 #include <linux/types.h> 29 30 #include <asm/rwonce.h> 31 + #include <asm/sections.h> 32 33 /* Static key: true if any KUnit tests are currently running */ 34 DECLARE_STATIC_KEY_FALSE(kunit_running); ··· 479 { 480 return kunit_kmalloc_array(test, n, size, gfp | __GFP_ZERO); 481 } 482 + 483 + 484 + /** 485 + * kunit_kfree_const() - conditionally free test managed memory 486 + * @x: pointer to the memory 487 + * 488 + * Calls kunit_kfree() only if @x is not in .rodata section. 489 + * See kunit_kstrdup_const() for more information. 490 + */ 491 + void kunit_kfree_const(struct kunit *test, const void *x); 492 + 493 + /** 494 + * kunit_kstrdup() - Duplicates a string into a test managed allocation. 495 + * 496 + * @test: The test context object. 497 + * @str: The NULL-terminated string to duplicate. 498 + * @gfp: flags passed to underlying kmalloc(). 499 + * 500 + * See kstrdup() and kunit_kmalloc_array() for more information. 501 + */ 502 + static inline char *kunit_kstrdup(struct kunit *test, const char *str, gfp_t gfp) 503 + { 504 + size_t len; 505 + char *buf; 506 + 507 + if (!str) 508 + return NULL; 509 + 510 + len = strlen(str) + 1; 511 + buf = kunit_kmalloc(test, len, gfp); 512 + if (buf) 513 + memcpy(buf, str, len); 514 + return buf; 515 + } 516 + 517 + /** 518 + * kunit_kstrdup_const() - Conditionally duplicates a string into a test managed allocation. 519 + * 520 + * @test: The test context object. 521 + * @str: The NULL-terminated string to duplicate. 522 + * @gfp: flags passed to underlying kmalloc(). 523 + * 524 + * Calls kunit_kstrdup() only if @str is not in the rodata section. Must be freed with 525 + * kunit_kfree_const() -- not kunit_kfree(). 526 + * See kstrdup_const() and kunit_kmalloc_array() for more information. 527 + */ 528 + const char *kunit_kstrdup_const(struct kunit *test, const char *str, gfp_t gfp); 529 530 /** 531 * kunit_vm_mmap() - Allocate KUnit-tracked vm_mmap() area
+5 -2
lib/kunit/device.c
··· 89 if (!driver) 90 return ERR_PTR(err); 91 92 - driver->name = name; 93 driver->bus = &kunit_bus_type; 94 driver->owner = THIS_MODULE; 95 ··· 192 const struct device_driver *driver = to_kunit_device(dev)->driver; 193 194 kunit_release_action(test, device_unregister_wrapper, dev); 195 - if (driver) 196 kunit_release_action(test, driver_unregister_wrapper, (void *)driver); 197 } 198 EXPORT_SYMBOL_GPL(kunit_device_unregister); 199
··· 89 if (!driver) 90 return ERR_PTR(err); 91 92 + driver->name = kunit_kstrdup_const(test, name, GFP_KERNEL); 93 driver->bus = &kunit_bus_type; 94 driver->owner = THIS_MODULE; 95 ··· 192 const struct device_driver *driver = to_kunit_device(dev)->driver; 193 194 kunit_release_action(test, device_unregister_wrapper, dev); 195 + if (driver) { 196 + const char *driver_name = driver->name; 197 kunit_release_action(test, driver_unregister_wrapper, (void *)driver); 198 + kunit_kfree_const(test, driver_name); 199 + } 200 } 201 EXPORT_SYMBOL_GPL(kunit_device_unregister); 202
+19
lib/kunit/test.c
··· 874 } 875 EXPORT_SYMBOL_GPL(kunit_kfree); 876 877 void kunit_cleanup(struct kunit *test) 878 { 879 struct kunit_resource *res;
··· 874 } 875 EXPORT_SYMBOL_GPL(kunit_kfree); 876 877 + void kunit_kfree_const(struct kunit *test, const void *x) 878 + { 879 + #if !IS_MODULE(CONFIG_KUNIT) 880 + if (!is_kernel_rodata((unsigned long)x)) 881 + #endif 882 + kunit_kfree(test, x); 883 + } 884 + EXPORT_SYMBOL_GPL(kunit_kfree_const); 885 + 886 + const char *kunit_kstrdup_const(struct kunit *test, const char *str, gfp_t gfp) 887 + { 888 + #if !IS_MODULE(CONFIG_KUNIT) 889 + if (is_kernel_rodata((unsigned long)str)) 890 + return str; 891 + #endif 892 + return kunit_kstrdup(test, str, gfp); 893 + } 894 + EXPORT_SYMBOL_GPL(kunit_kstrdup_const); 895 + 896 void kunit_cleanup(struct kunit *test) 897 { 898 struct kunit_resource *res;
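Review bot: In include/kunit/test.h, the kernel-doc for kunit_kfree_const() documents @x but not @test, while the kunit_kstrdup() and kunit_kstrdup_const() comments added in the same hunk both do. Add "@test: The test context object." so the three comments match and the kernel-doc build does not warn about an undescribed parameter. The hunk also adds two consecutive blank lines (482 and 483) before that comment; one is enough. Minor: the @str descriptions say "NULL-terminated" where "NUL-terminated" is meant.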
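Review bot: In lib/kunit/device.c, kunit_driver_create() stores the result of kunit_kstrdup_const(test, name, GFP_KERNEL) in driver->name without checking it, although the driver allocation two lines above is checked with "if (!driver) return ERR_PTR(err);". When the string is actually duplicated, kunit_kstrdup() returns NULL on allocation failure, so the driver would be set up with a NULL name and kunit_kfree_const() would later be handed NULL in kunit_device_unregister(). Suggest failing here as well, for example "if (!driver->name) return ERR_PTR(-ENOMEM);", unless a NULL name was passed in deliberately and is meant to be accepted.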
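Review bot: In lib/kunit/device.c, kunit_device_unregister() reads driver->name into driver_name before calling kunit_release_action() for driver_unregister_wrapper, and that ordering carries the fix, but nothing in the code says so. A one-line comment above the declaration (the name must be read before the driver's release action runs) would stop a later cleanup from replacing driver_name with driver->name after the release. Style: kernel convention wants a blank line between the "const char *driver_name = driver->name;" declaration and the first statement.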
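Review bot: In lib/kunit/test.c, kunit_kfree_const() puts only the "if (!is_kernel_rodata((unsigned long)x))" line inside "#if !IS_MODULE(CONFIG_KUNIT)", so the following kunit_kfree(test, x) is the body of that if in one configuration and an unconditional statement in the other. It is correct as written but easy to break by adding a statement or braces inside the guard. Please add a short comment in both functions explaining that is_kernel_rodata() is only usable when KUnit is built in, or restructure so the call to kunit_kfree() is not syntactically dependent on the preprocessor branch. Also note that the commit message says the is_kernel_rodata() case is restricted "to when KUnit is built as a module", while the guard is !IS_MODULE(CONFIG_KUNIT); the message and the code should agree.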