From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
To: linuxppc-dev@lists.ozlabs.org, kasan-dev@googlegroups.com
Cc: Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Christophe Leroy <christophe.leroy@csgroup.eu>,
Hari Bathini <hbathini@linux.ibm.com>,
"Aneesh Kumar K . V" <aneesh.kumar@kernel.org>,
Donet Tom <donettom@linux.vnet.ibm.com>,
Pavithra Prakash <pavrampu@linux.vnet.ibm.com>,
Nirjhar Roy <nirjhar@linux.ibm.com>,
LKML <linux-kernel@vger.kernel.org>,
Alexander Potapenko <glider@google.com>,
linux-mm@kvack.org, Heiko Carstens <hca@linux.ibm.com>
Subject: Re: [RFC v2 01/13] mm/kfence: Add a new kunit test test_use_after_free_read_nofault()
Date: Thu, 03 Oct 2024 10:36:08 +0530
Message-ID: <87cykhydvj.fsf@gmail.com>
In-Reply-To: <a8ca8bd5eb4114304b34dd8bac7a6280d358c728.1726571179.git.ritesh.list@gmail.com>
Hello Kasan/kfence-devs,
Wanted your inputs on this kfence kunit test [PATCH-1] and its respective
powerpc fix [Patch-2]. The commit msgs have a good description of it. I
see that the same problem was noticed on s390 as well [1] a while ago.
So that makes me believe that maybe we should have a kunit test for the
same to make sure all architectures handle this properly.
Thoughts?
[1]: https://lore.kernel.org/all/20230213183858.1473681-1-hca@linux.ibm.com/
-ritesh
"Ritesh Harjani (IBM)" <ritesh.list@gmail.com> writes:
> From: Nirjhar Roy <nirjhar@linux.ibm.com>
>
> Faults from copy_from_kernel_nofault() need to be handled by fixup
> table and should not be handled by kfence. Otherwise while reading
> /proc/kcore which uses copy_from_kernel_nofault(), kfence can generate
> false negatives. This can happen when /proc/kcore ends up reading an
> unmapped address from kfence pool.
>
> Let's add a testcase to cover this case.
>
> Co-developed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
> Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
> Signed-off-by: Nirjhar Roy <nirjhar@linux.ibm.com>
> Cc: kasan-dev@googlegroups.com
> Cc: Alexander Potapenko <glider@google.com>
> Cc: linux-mm@kvack.org
> ---
> mm/kfence/kfence_test.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/mm/kfence/kfence_test.c b/mm/kfence/kfence_test.c
> index 00fd17285285..f65fb182466d 100644
> --- a/mm/kfence/kfence_test.c
> +++ b/mm/kfence/kfence_test.c
> @@ -383,6 +383,22 @@ static void test_use_after_free_read(struct kunit *test)
> KUNIT_EXPECT_TRUE(test, report_matches(&expect));
> }
>
> +static void test_use_after_free_read_nofault(struct kunit *test)
> +{
> + const size_t size = 32;
> + char *addr;
> + char dst;
> + int ret;
> +
> + setup_test_cache(test, size, 0, NULL);
> + addr = test_alloc(test, size, GFP_KERNEL, ALLOCATE_ANY);
> + test_free(addr);
> + /* Use after free with *_nofault() */
> + ret = copy_from_kernel_nofault(&dst, addr, 1);
> + KUNIT_EXPECT_EQ(test, ret, -EFAULT);
> + KUNIT_EXPECT_FALSE(test, report_available());
> +}
> +
> static void test_double_free(struct kunit *test)
> {
> const size_t size = 32;
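Review bot: copy_from_kernel_nofault() and -EFAULT need <linux/uaccess.h> (and errno) in scope, and this hunk adds no include, so please confirm kfence_test.c already pulls them in rather than relying on a transitive include, or add `#include <linux/uaccess.h>` explicitly. The one-line comment `/* Use after free with *_nofault() */` also understates what the two assertions pin down: a sentence saying that the freed object's page is unmapped, that the fault must be resolved by the exception-table fixup (hence `-EFAULT`), and that KFENCE must not treat it as a use-after-free (hence `report_available()` is false) would tell whoever sees this fail on their architecture exactly which ordering is wrong.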
> @@ -780,6 +796,7 @@ static struct kunit_case kfence_test_cases[] = {
> KFENCE_KUNIT_CASE(test_out_of_bounds_read),
> KFENCE_KUNIT_CASE(test_out_of_bounds_write),
> KFENCE_KUNIT_CASE(test_use_after_free_read),
> + KFENCE_KUNIT_CASE(test_use_after_free_read_nofault),
> KFENCE_KUNIT_CASE(test_double_free),
> KFENCE_KUNIT_CASE(test_invalid_addr_free),
> KFENCE_KUNIT_CASE(test_corruption),
> --
> 2.46.0
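The ordering question the patch raises, as an added user-space model that is not code from this patch, from KFENCE or from any kernel architecture: a `*_nofault()` read carries an exception-table fixup, so a fault it takes on an unmapped KFENCE page has to be resolved by that fixup (returning -EFAULT) before KFENCE gets to look at it, otherwise KFENCE reports a use-after-free that never happened. Every name, structure and the two-page "pool" below are assumptions made for the model; the real arch fault paths and the s390/powerpc fixes are not reproduced here. The model also shows that a plain (no-fixup) use-after-free is still reported under the fixup-first ordering, so the fix costs no coverage.

```c
/* Added example, not code from the patch or the kernel: a user-space model of
 * the fault-dispatch ordering that test_use_after_free_read_nofault() checks.
 * All names and structures are toy assumptions chosen for the model. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define EFAULT 14

/* Toy KFENCE pool: each object page is mapped while the object is live and
 * unmapped (guard-protected) once it is freed. Constructed for this example. */
#define POOL_PAGES 4
static bool pool_mapped[POOL_PAGES];

/* Number of KFENCE reports raised by the last replay; a report for a
 * *_nofault() read of a freed object is the spurious one the test guards against. */
static int kfence_reports;

enum dispatch_order {
	FIXUP_FIRST,   /* consult the exception table before KFENCE (expected) */
	KFENCE_FIRST,  /* let KFENCE claim the fault first (the reported bug) */
};

/* One kernel-mode fault: which pool page was touched and whether the faulting
 * instruction carries an exception-table fixup, which is what distinguishes
 * copy_from_kernel_nofault() from a plain dereference. */
struct fault_ctx {
	int page;
	bool has_fixup;
};

/* Model of kfence_handle_page_fault(): a fault on an unmapped pool page is
 * treated as a use-after-free and reported. */
static bool model_kfence_handle_page_fault(int page)
{
	if (page >= 0 && page < POOL_PAGES && !pool_mapped[page]) {
		kfence_reports++;
		return true;
	}
	return false;
}

/* Model of the arch page-fault path. Returns -EFAULT when the fixup entry
 * resolved the fault, 0 when KFENCE claimed it (the access then proceeds and
 * the caller sees no error), and -1 when neither handled it (an oops). */
static int model_do_page_fault(const struct fault_ctx *ctx, enum dispatch_order order)
{
	if (order == KFENCE_FIRST && model_kfence_handle_page_fault(ctx->page))
		return 0;
	if (ctx->has_fixup)
		return -EFAULT;
	if (order == FIXUP_FIRST && model_kfence_handle_page_fault(ctx->page))
		return 0;
	return -1;
}

/* Replays the kunit scenario: allocate a pool object, free it so its page is
 * unmapped, then read it back either through a *_nofault() helper (nofault)
 * or through a plain dereference. Returns what the read would return;
 * kfence_reports then holds how many reports the read generated. */
static int run_uaf_read(bool nofault, enum dispatch_order order)
{
	struct fault_ctx ctx = { .page = 1, .has_fixup = nofault };

	memset(pool_mapped, 0, sizeof(pool_mapped));
	kfence_reports = 0;

	pool_mapped[ctx.page] = true;   /* test_alloc(): object live */
	pool_mapped[ctx.page] = false;  /* test_free(): page protected again */

	/* The read touches the unmapped page and faults. */
	return model_do_page_fault(&ctx, order);
}

int main(void)
{
	static const char *const names[] = { "fixup-first", "kfence-first" };
	int order, ret;

	for (order = FIXUP_FIRST; order <= KFENCE_FIRST; order++) {
		ret = run_uaf_read(true, (enum dispatch_order)order);
		printf("%-13s nofault read: ret=%d reports=%d (%s)\n", names[order], ret,
		       kfence_reports,
		       ret == -EFAULT && kfence_reports == 0 ? "as the test expects"
							      : "spurious report");
	}

	/* A genuine use-after-free (no fixup) is still reported with fixup-first. */
	ret = run_uaf_read(false, FIXUP_FIRST);
	printf("%-13s plain read:   ret=%d reports=%d\n", names[FIXUP_FIRST], ret,
	       kfence_reports);
	return 0;
}
```

Under the fixup-first ordering the nofault read returns -EFAULT with zero reports, which is exactly the pair of assertions in the kunit test; under the kfence-first ordering the read "succeeds" after a spurious report, so both `KUNIT_EXPECT_EQ(test, ret, -EFAULT)` and `KUNIT_EXPECT_FALSE(test, report_available())` would fail.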
Thread overview: 19+ messages
2024-09-19 2:55 [RFC v2 00/13] powerpc/kfence: Improve kfence support Ritesh Harjani (IBM)
2024-09-19 2:55 ` [RFC v2 01/13] mm/kfence: Add a new kunit test test_use_after_free_read_nofault() Ritesh Harjani (IBM)
2024-10-03 5:06 ` Ritesh Harjani [this message]
2024-09-19 2:56 ` [RFC v2 02/13] powerpc: mm: Fix kfence page fault reporting Ritesh Harjani (IBM)
2024-09-19 5:12 ` Christophe Leroy
2024-09-19 5:47 ` Ritesh Harjani
2024-09-19 2:56 ` [RFC v2 03/13] book3s64/hash: Remove kfence support temporarily Ritesh Harjani (IBM)
2024-09-19 5:20 ` Christophe Leroy
2024-09-19 6:23 ` Ritesh Harjani
2024-09-19 2:56 ` [RFC v2 04/13] book3s64/hash: Refactor kernel linear map related calls Ritesh Harjani (IBM)
2024-09-19 2:56 ` [RFC v2 05/13] book3s64/hash: Add hash_debug_pagealloc_add_slot() function Ritesh Harjani (IBM)
2024-09-19 2:56 ` [RFC v2 06/13] book3s64/hash: Add hash_debug_pagealloc_alloc_slots() function Ritesh Harjani (IBM)
2024-09-19 2:56 ` [RFC v2 07/13] book3s64/hash: Refactor hash__kernel_map_pages() function Ritesh Harjani (IBM)
2024-09-19 2:56 ` [RFC v2 08/13] book3s64/hash: Make kernel_map_linear_page() generic Ritesh Harjani (IBM)
2024-09-19 2:56 ` [RFC v2 09/13] book3s64/hash: Disable debug_pagealloc if it requires more memory Ritesh Harjani (IBM)
2024-09-19 2:56 ` [RFC v2 10/13] book3s64/hash: Add kfence functionality Ritesh Harjani (IBM)
2024-09-19 2:56 ` [RFC v2 11/13] book3s64/radix: Refactoring common kfence related functions Ritesh Harjani (IBM)
2024-09-19 2:56 ` [RFC v2 12/13] book3s64/hash: Disable kfence if not early init Ritesh Harjani (IBM)
2024-09-19 2:56 ` [RFC v2 13/13] book3s64/hash: Early detect debug_pagealloc size requirement Ritesh Harjani (IBM)