[PATCH] kunit: Device wrappers should also manage driver name

David Gow posted 1 patch 1 year, 4 months ago
There is a newer version of this series
include/kunit/test.h | 58 ++++++++++++++++++++++++++++++++++++++++++++
lib/kunit/device.c   |  7 ++++--
2 files changed, 63 insertions(+), 2 deletions(-)
[PATCH] kunit: Device wrappers should also manage driver name
Posted by David Gow 1 year, 4 months ago
kunit_driver_create() accepts a name for the driver, but does not copy
it, so if that name is either on the stack, or otherwise freed, we end
up with a use-after-free when the driver is cleaned up.

Instead, strdup() the name, and manage it as another KUnit allocation.
As there was no existing kunit_kstrdup(), we add one. Further, add a
kunit_ variant of strdup_const() and kfree_const(), so we don't need to
allocate and manage the string in the majority of cases where it's a
constant.

This fixes a KASAN splat with overflow.overflow_allocation_test, when
built as a module.

Fixes: d03c720e03bd ("kunit: Add APIs for managing devices")
Reported-by: Nico Pache <npache@redhat.com>
Closes: https://groups.google.com/g/kunit-dev/c/81V9b9QYON0
Signed-off-by: David Gow <davidgow@google.com>
Reviewed-by: Kees Cook <kees@kernel.org>
---

There's some more serious changes since the RFC I sent, so please take a
closer look.

Thanks,
-- David

Changes since RFC:
https://groups.google.com/g/kunit-dev/c/81V9b9QYON0/m/PFKNKDKAAAAJ
- Add and use the kunit_kstrdup_const() and kunit_free_const()
  functions.
- Fix a typo in the doc comments.


---
 include/kunit/test.h | 58 ++++++++++++++++++++++++++++++++++++++++++++
 lib/kunit/device.c   |  7 ++++--
 2 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/include/kunit/test.h b/include/kunit/test.h
index e2a1f0928e8b..da9e84de14c0 100644
--- a/include/kunit/test.h
+++ b/include/kunit/test.h
@@ -28,6 +28,7 @@
 #include <linux/types.h>
 
 #include <asm/rwonce.h>
+#include <asm/sections.h>
 
 /* Static key: true if any KUnit tests are currently running */
 DECLARE_STATIC_KEY_FALSE(kunit_running);
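Review bot: The new #include <asm/sections.h> is needed only for the is_kernel_rodata() calls in the static inline helpers added further down in this header, and because those helpers are inline, any module that includes kunit/test.h and calls them references the rodata boundary symbols directly. The build log later in this thread shows modpost reporting "__start_rodata" and "__end_rodata" as undefined for lib/kunit/kunit.ko. Consider keeping this include out of the public header and putting the rodata check behind an out-of-line function in the KUnit core.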
@@ -480,6 +481,63 @@ static inline void *kunit_kcalloc(struct kunit *test, size_t n, size_t size, gfp
 	return kunit_kmalloc_array(test, n, size, gfp | __GFP_ZERO);
 }
 
+
+/**
+ * kunit_kfree_const() - conditionally free test managed memory
+ * @x: pointer to the memory
+ *
+ * Calls kunit_kfree() only if @x is not in .rodata section.
+ * See kunit_kstrdup_const() for more information.
+ */
+static inline void kunit_kfree_const(struct kunit *test, const void *x)
+{
+	if (!is_kernel_rodata((unsigned long)x))
+		kunit_kfree(test, x);
+}
+
+/**
+ * kunit_kstrdup() - Duplicates a string into a test managed allocation.
+ *
+ * @test: The test context object.
+ * @str: The NULL-terminated string to duplicate.
+ * @gfp: flags passed to underlying kmalloc().
+ *
+ * See kstrdup() and kunit_kmalloc_array() for more information.
+ */
+static inline char *kunit_kstrdup(struct kunit *test, const char *str, gfp_t gfp)
+{
+	size_t len;
+	char *buf;
+
+	if (!str)
+		return NULL;
+
+	len = strlen(str) + 1;
+	buf = kunit_kmalloc(test, len, gfp);
+	if (buf)
+		memcpy(buf, str, len);
+	return buf;
+}
+
+/**
+ * kunit_kstrdup_const() - Conditionally duplicates a string into a test managed allocation.
+ *
+ * @test: The test context object.
+ * @str: The NULL-terminated string to duplicate.
+ * @gfp: flags passed to underlying kmalloc().
+ *
+ * Calls kunit_kstrdup() only if @str is not in the rodata section. Must be freed with
+ * kunit_free_const() -- not kunit_free().
+ * See kstrdup_const() and kunit_kmalloc_array() for more information.
+ */
+static inline const char *kunit_kstrdup_const(struct kunit *test, const char *str, gfp_t gfp)
+{
+	if (is_kernel_rodata((unsigned long)str))
+		return str;
+
+	return kunit_kstrdup(test, str, gfp);
+}
+
 /**
  * kunit_vm_mmap() - Allocate KUnit-tracked vm_mmap() area
  * @test: The test context object.
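Review bot: The kernel-doc for kunit_kstrdup_const() tells callers to free with kunit_free_const() and not kunit_free(), but the helpers in this hunk are named kunit_kfree_const() and kunit_kfree(); the comment should use the real names so the pairing rule can be found by grep. The kunit_kfree_const() comment documents @x but not @test, and the hunk opens with a second blank line after kunit_kcalloc() that can be dropped. Since kunit_kstrdup() returns NULL both for a NULL @str and for a failed allocation, its comment should state the return value.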
diff --git a/lib/kunit/device.c b/lib/kunit/device.c
index 25c81ed465fb..520c1fccee8a 100644
--- a/lib/kunit/device.c
+++ b/lib/kunit/device.c
@@ -89,7 +89,7 @@ struct device_driver *kunit_driver_create(struct kunit *test, const char *name)
 	if (!driver)
 		return ERR_PTR(err);
 
-	driver->name = name;
+	driver->name = kunit_kstrdup_const(test, name, GFP_KERNEL);
 	driver->bus = &kunit_bus_type;
 	driver->owner = THIS_MODULE;
 
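Review bot: The result of kunit_kstrdup_const() is assigned to driver->name without a NULL check, and kunit_kstrdup() returns NULL when kunit_kmalloc() fails, so an allocation failure leaves the driver with a NULL name for the code that follows. Suggest checking the return value here and returning an error pointer, in the same way the `if (!driver)` branch just above does.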
@@ -192,8 +192,11 @@ void kunit_device_unregister(struct kunit *test, struct device *dev)
 	const struct device_driver *driver = to_kunit_device(dev)->driver;
 
 	kunit_release_action(test, device_unregister_wrapper, dev);
-	if (driver)
+	if (driver) {
+		const char *driver_name = driver->name;
 		kunit_release_action(test, driver_unregister_wrapper, (void *)driver);
+		kunit_kfree_const(test, driver_name);
+	}
 }
 EXPORT_SYMBOL_GPL(kunit_device_unregister);
 
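Review bot: Inside the new `if (driver) {` block, the declaration `const char *driver_name = driver->name;` runs straight into the kunit_release_action() call; kernel style expects a blank line after declarations. A one-line comment explaining why the name is read into a local before the driver's release action runs would also help, since that ordering is what the change depends on. The name is freed explicitly only on this path, so the function's documentation could mention that other paths rely on the KUnit-managed allocation being cleaned up with the test.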
-- 
2.46.0.rc1.232.g9752f9e123-goog
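The ownership rule described in the commit message above, modelled in userspace as an added example (not code from the patch or the KUnit tree). `ro_pool`, `in_ro_pool()`, `model_strdup_const()`, `model_free_const()` and `struct model_driver` are hypothetical stand-ins for the kernel's .rodata range, is_kernel_rodata(), kunit_kstrdup_const(), kunit_kfree_const() and struct device_driver.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's .rodata range; all names are hypothetical. */
static const char ro_pool[] = "const-drv";
static int live_allocs; /* heap copies not yet freed */
struct model_driver { const char *name; };

static int in_ro_pool(const char *p)
{
	return (uintptr_t)p - (uintptr_t)ro_pool < sizeof(ro_pool);
}

/* Same shape as kunit_kstrdup_const(): borrow constants, copy everything else. */
static const char *model_strdup_const(const char *s)
{
	char *buf;

	if (!s || in_ro_pool(s))
		return s;
	buf = malloc(strlen(s) + 1);
	if (!buf)
		return NULL;
	live_allocs++;
	return strcpy(buf, s);
}

/* Pairs with model_strdup_const(): a borrowed constant must never reach free(). */
static void model_free_const(const char *s)
{
	if (s && !in_ro_pool(s)) {
		free((void *)s);
		live_allocs--;
	}
}

/* Pre-patch: the driver aliases the caller's buffer, so its name changes under it. */
int borrowed_name_follows_caller(void)
{
	char buf[16] = "stack-drv";
	struct model_driver d = { .name = buf };

	memset(buf, 'X', sizeof(buf) - 1); /* caller reuses its buffer */
	return strcmp(d.name, "stack-drv") != 0;
}

/* Post-patch: the driver owns a copy; a constant name is borrowed, not copied. */
int owned_name_survives(void)
{
	char buf[16] = "stack-drv";
	struct model_driver d = { .name = model_strdup_const(buf) };
	struct model_driver c = { .name = model_strdup_const(ro_pool) };
	int ok;
	memset(buf, 'X', sizeof(buf) - 1);
	ok = d.name && !strcmp(d.name, "stack-drv") && c.name == ro_pool && live_allocs == 1;
	model_free_const(d.name);
	model_free_const(c.name);
	return ok && live_allocs == 0;
}
```

The pre-patch case overwrites a buffer that is still in scope, so it shows the aliasing without itself touching freed memory.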
Re: [PATCH] kunit: Device wrappers should also manage driver name
Posted by Nico Pache 1 year, 4 months ago
On Wed, Jul 31, 2024 at 1:02 AM David Gow <davidgow@google.com> wrote:
>
> kunit_driver_create() accepts a name for the driver, but does not copy
> it, so if that name is either on the stack, or otherwise freed, we end
> up with a use-after-free when the driver is cleaned up.
>
> Instead, strdup() the name, and manage it as another KUnit allocation.
> As there was no existing kunit_kstrdup(), we add one. Further, add a
> kunit_ variant of strdup_const() and kfree_const(), so we don't need to
> allocate and manage the string in the majority of cases where it's a
> constant.
>
> This fixes a KASAN splat with overflow.overflow_allocation_test, when
> built as a module.
>
> Fixes: d03c720e03bd ("kunit: Add APIs for managing devices")
> Reported-by: Nico Pache <npache@redhat.com>

Hi David,

This is failing in the Fedora-ark build process [1] which builds the
KUNIT tests as modules.

+ /usr/bin/make <SNIP> modules
...
ERROR: modpost: "__start_rodata" [lib/kunit/kunit.ko] undefined!
ERROR: modpost: "__end_rodata" [lib/kunit/kunit.ko] undefined!
make[2]: *** [scripts/Makefile.modpost:145: Module.symvers] Error 1
make[1]: *** [/builddir/build/BUILD/kernel-6.11.0-build/kernel-6.11-rc2/linux-6.11.0-0.rc2.22.ov.fc41.x86_64/Makefile:1895: modpost] Error 2
make: *** [Makefile:236: __sub-make] Error 2
+ exit 1

This seems related to

+#include <asm/sections.h>

which defines __<start|end>_rodata.

When I tried exporting these symbols I got:

ERROR: modpost: vmlinux: '__start_rodata' exported twice. Previous
export was in vmlinux

So I'm not sure what the problem is here.

[1] - https://kojipkgs.fedoraproject.org//work/tasks/9116/121539116/build.log

Cheers
-- Nico

> Closes: https://groups.google.com/g/kunit-dev/c/81V9b9QYON0
> Signed-off-by: David Gow <davidgow@google.com>
> Reviewed-by: Kees Cook <kees@kernel.org>
> ---

>
> There's some more serious changes since the RFC I sent, so please take a
> closer look.
>
> Thanks,
> -- David
>
> Changes since RFC:
> https://groups.google.com/g/kunit-dev/c/81V9b9QYON0/m/PFKNKDKAAAAJ
> - Add and use the kunit_kstrdup_const() and kunit_free_const()
>   functions.
> - Fix a typo in the doc comments.
>
>
> ---
>  include/kunit/test.h | 58 ++++++++++++++++++++++++++++++++++++++++++++
>  lib/kunit/device.c   |  7 ++++--
>  2 files changed, 63 insertions(+), 2 deletions(-)
>
> diff --git a/include/kunit/test.h b/include/kunit/test.h
> index e2a1f0928e8b..da9e84de14c0 100644
> --- a/include/kunit/test.h
> +++ b/include/kunit/test.h
> @@ -28,6 +28,7 @@
>  #include <linux/types.h>
>
>  #include <asm/rwonce.h>
> +#include <asm/sections.h>
>
>  /* Static key: true if any KUnit tests are currently running */
>  DECLARE_STATIC_KEY_FALSE(kunit_running);
> @@ -480,6 +481,63 @@ static inline void *kunit_kcalloc(struct kunit *test, size_t n, size_t size, gfp
>         return kunit_kmalloc_array(test, n, size, gfp | __GFP_ZERO);
>  }
>
> +
> +/**
> + * kunit_kfree_const() - conditionally free test managed memory
> + * @x: pointer to the memory
> + *
> + * Calls kunit_kfree() only if @x is not in .rodata section.
> + * See kunit_kstrdup_const() for more information.
> + */
> +static inline void kunit_kfree_const(struct kunit *test, const void *x)
> +{
> +       if (!is_kernel_rodata((unsigned long)x))
> +               kunit_kfree(test, x);
> +}
> +
> +/**
> + * kunit_kstrdup() - Duplicates a string into a test managed allocation.
> + *
> + * @test: The test context object.
> + * @str: The NULL-terminated string to duplicate.
> + * @gfp: flags passed to underlying kmalloc().
> + *
> + * See kstrdup() and kunit_kmalloc_array() for more information.
> + */
> +static inline char *kunit_kstrdup(struct kunit *test, const char *str, gfp_t gfp)
> +{
> +       size_t len;
> +       char *buf;
> +
> +       if (!str)
> +               return NULL;
> +
> +       len = strlen(str) + 1;
> +       buf = kunit_kmalloc(test, len, gfp);
> +       if (buf)
> +               memcpy(buf, str, len);
> +       return buf;
> +}
> +
> +/**
> + * kunit_kstrdup_const() - Conditionally duplicates a string into a test managed allocation.
> + *
> + * @test: The test context object.
> + * @str: The NULL-terminated string to duplicate.
> + * @gfp: flags passed to underlying kmalloc().
> + *
> + * Calls kunit_kstrdup() only if @str is not in the rodata section. Must be freed with
> + * kunit_free_const() -- not kunit_free().
> + * See kstrdup_const() and kunit_kmalloc_array() for more information.
> + */
> +static inline const char *kunit_kstrdup_const(struct kunit *test, const char *str, gfp_t gfp)
> +{
> +       if (is_kernel_rodata((unsigned long)str))
> +               return str;
> +
> +       return kunit_kstrdup(test, str, gfp);
> +}
> +
>  /**
>   * kunit_vm_mmap() - Allocate KUnit-tracked vm_mmap() area
>   * @test: The test context object.
> diff --git a/lib/kunit/device.c b/lib/kunit/device.c
> index 25c81ed465fb..520c1fccee8a 100644
> --- a/lib/kunit/device.c
> +++ b/lib/kunit/device.c
> @@ -89,7 +89,7 @@ struct device_driver *kunit_driver_create(struct kunit *test, const char *name)
>         if (!driver)
>                 return ERR_PTR(err);
>
> -       driver->name = name;
> +       driver->name = kunit_kstrdup_const(test, name, GFP_KERNEL);
>         driver->bus = &kunit_bus_type;
>         driver->owner = THIS_MODULE;
>
> @@ -192,8 +192,11 @@ void kunit_device_unregister(struct kunit *test, struct device *dev)
>         const struct device_driver *driver = to_kunit_device(dev)->driver;
>
>         kunit_release_action(test, device_unregister_wrapper, dev);
> -       if (driver)
> +       if (driver) {
> +               const char *driver_name = driver->name;
>                 kunit_release_action(test, driver_unregister_wrapper, (void *)driver);
> +               kunit_kfree_const(test, driver_name);
> +       }
>  }
>  EXPORT_SYMBOL_GPL(kunit_device_unregister);
>
> --
> 2.46.0.rc1.232.g9752f9e123-goog
>
Re: [PATCH] kunit: Device wrappers should also manage driver name
Posted by David Gow 1 year, 4 months ago
On Tue, 6 Aug 2024 at 08:23, Nico Pache <npache@redhat.com> wrote:
>
> On Wed, Jul 31, 2024 at 1:02 AM David Gow <davidgow@google.com> wrote:
> >
> > kunit_driver_create() accepts a name for the driver, but does not copy
> > it, so if that name is either on the stack, or otherwise freed, we end
> > up with a use-after-free when the driver is cleaned up.
> >
> > Instead, strdup() the name, and manage it as another KUnit allocation.
> > As there was no existing kunit_kstrdup(), we add one. Further, add a
> > kunit_ variant of strdup_const() and kfree_const(), so we don't need to
> > allocate and manage the string in the majority of cases where it's a
> > constant.
> >
> > This fixes a KASAN splat with overflow.overflow_allocation_test, when
> > built as a module.
> >
> > Fixes: d03c720e03bd ("kunit: Add APIs for managing devices")
> > Reported-by: Nico Pache <npache@redhat.com>
>
> Hi David,
>
> This is failing in the Fedora-ark build process [1] which builds the
> KUNIT tests as modules.
>
> + /usr/bin/make <SNIP> modules
> ...
> ERROR: modpost: "__start_rodata" [lib/kunit/kunit.ko] undefined!
> ERROR: modpost: "__end_rodata" [lib/kunit/kunit.ko] undefined!
> make[2]: *** [scripts/Makefile.modpost:145: Module.symvers] Error 1
> make[1]: *** [/builddir/build/BUILD/kernel-6.11.0-build/kernel-6.11-rc2/linux-6.11.0-0.rc2.22.ov.fc41.x86_64/Makefile:1895: modpost] Error 2
> make: *** [Makefile:236: __sub-make] Error 2
> + exit 1
>
> This seems related to
>
> +#include <asm/sections.h>
>
> which defines __<start|end>_rodata.
>
> When I tried exporting these symbols I got:
>
> ERROR: modpost: vmlinux: '__start_rodata' exported twice. Previous
> export was in vmlinux
>
> So I'm not sure what the problem is here.
>
> [1] - https://kojipkgs.fedoraproject.org//work/tasks/9116/121539116/build.log
>
> Cheers
> -- Nico
>

Thanks -- I've tried disabling the use of is_kernel_rodata() if KUnit
is built as a module, and that seems to fix it here. I've also moved
the new kunit_kstrdup_const() and kunit_kfree_const() functions into
kunit.ko, so they're not inlined into other modules where they could
cause problems:
https://lore.kernel.org/linux-kselftest/20240806020136.3481593-1-davidgow@google.com/

-- David
Re: [PATCH] kunit: Device wrappers should also manage driver name
Posted by Rae Moar 1 year, 4 months ago
On Wed, Jul 31, 2024 at 3:02 AM David Gow <davidgow@google.com> wrote:
>
> kunit_driver_create() accepts a name for the driver, but does not copy
> it, so if that name is either on the stack, or otherwise freed, we end
> up with a use-after-free when the driver is cleaned up.
>
> Instead, strdup() the name, and manage it as another KUnit allocation.
> As there was no existing kunit_kstrdup(), we add one. Further, add a
> kunit_ variant of strdup_const() and kfree_const(), so we don't need to
> allocate and manage the string in the majority of cases where it's a
> constant.
>
> This fixes a KASAN splat with overflow.overflow_allocation_test, when
> built as a module.
>
> Fixes: d03c720e03bd ("kunit: Add APIs for managing devices")
> Reported-by: Nico Pache <npache@redhat.com>
> Closes: https://groups.google.com/g/kunit-dev/c/81V9b9QYON0
> Signed-off-by: David Gow <davidgow@google.com>
> Reviewed-by: Kees Cook <kees@kernel.org>
> ---
>
> There's some more serious changes since the RFC I sent, so please take a
> closer look.
>
> Thanks,
> -- David
>

Hello!

These changes look good to me. Fun patch to review! Only comment is
that we could potentially add tests for these functions in a future
patch.

Reviewed-by: Rae Moar <rmoar@google.com>

Thanks!
-Rae

> Changes since RFC:
> https://groups.google.com/g/kunit-dev/c/81V9b9QYON0/m/PFKNKDKAAAAJ
> - Add and use the kunit_kstrdup_const() and kunit_free_const()
>   functions.
> - Fix a typo in the doc comments.
>
>
> ---
>  include/kunit/test.h | 58 ++++++++++++++++++++++++++++++++++++++++++++
>  lib/kunit/device.c   |  7 ++++--
>  2 files changed, 63 insertions(+), 2 deletions(-)
>
> diff --git a/include/kunit/test.h b/include/kunit/test.h
> index e2a1f0928e8b..da9e84de14c0 100644
> --- a/include/kunit/test.h
> +++ b/include/kunit/test.h
> @@ -28,6 +28,7 @@
>  #include <linux/types.h>
>
>  #include <asm/rwonce.h>
> +#include <asm/sections.h>
>
>  /* Static key: true if any KUnit tests are currently running */
>  DECLARE_STATIC_KEY_FALSE(kunit_running);
> @@ -480,6 +481,63 @@ static inline void *kunit_kcalloc(struct kunit *test, size_t n, size_t size, gfp
>         return kunit_kmalloc_array(test, n, size, gfp | __GFP_ZERO);
>  }
>
> +
> +/**
> + * kunit_kfree_const() - conditionally free test managed memory
> + * @x: pointer to the memory
> + *
> + * Calls kunit_kfree() only if @x is not in .rodata section.
> + * See kunit_kstrdup_const() for more information.
> + */
> +static inline void kunit_kfree_const(struct kunit *test, const void *x)
> +{
> +       if (!is_kernel_rodata((unsigned long)x))
> +               kunit_kfree(test, x);
> +}
> +
> +/**
> + * kunit_kstrdup() - Duplicates a string into a test managed allocation.
> + *
> + * @test: The test context object.
> + * @str: The NULL-terminated string to duplicate.
> + * @gfp: flags passed to underlying kmalloc().
> + *
> + * See kstrdup() and kunit_kmalloc_array() for more information.
> + */
> +static inline char *kunit_kstrdup(struct kunit *test, const char *str, gfp_t gfp)
> +{
> +       size_t len;
> +       char *buf;
> +
> +       if (!str)
> +               return NULL;
> +
> +       len = strlen(str) + 1;
> +       buf = kunit_kmalloc(test, len, gfp);
> +       if (buf)
> +               memcpy(buf, str, len);
> +       return buf;
> +}
> +
> +/**
> + * kunit_kstrdup_const() - Conditionally duplicates a string into a test managed allocation.
> + *
> + * @test: The test context object.
> + * @str: The NULL-terminated string to duplicate.
> + * @gfp: flags passed to underlying kmalloc().
> + *
> + * Calls kunit_kstrdup() only if @str is not in the rodata section. Must be freed with
> + * kunit_free_const() -- not kunit_free().
> + * See kstrdup_const() and kunit_kmalloc_array() for more information.
> + */
> +static inline const char *kunit_kstrdup_const(struct kunit *test, const char *str, gfp_t gfp)
> +{
> +       if (is_kernel_rodata((unsigned long)str))
> +               return str;
> +
> +       return kunit_kstrdup(test, str, gfp);
> +}
> +
>  /**
>   * kunit_vm_mmap() - Allocate KUnit-tracked vm_mmap() area
>   * @test: The test context object.
> diff --git a/lib/kunit/device.c b/lib/kunit/device.c
> index 25c81ed465fb..520c1fccee8a 100644
> --- a/lib/kunit/device.c
> +++ b/lib/kunit/device.c
> @@ -89,7 +89,7 @@ struct device_driver *kunit_driver_create(struct kunit *test, const char *name)
>         if (!driver)
>                 return ERR_PTR(err);
>
> -       driver->name = name;
> +       driver->name = kunit_kstrdup_const(test, name, GFP_KERNEL);
>         driver->bus = &kunit_bus_type;
>         driver->owner = THIS_MODULE;
>
> @@ -192,8 +192,11 @@ void kunit_device_unregister(struct kunit *test, struct device *dev)
>         const struct device_driver *driver = to_kunit_device(dev)->driver;
>
>         kunit_release_action(test, device_unregister_wrapper, dev);
> -       if (driver)
> +       if (driver) {
> +               const char *driver_name = driver->name;
>                 kunit_release_action(test, driver_unregister_wrapper, (void *)driver);
> +               kunit_kfree_const(test, driver_name);
> +       }
>  }
>  EXPORT_SYMBOL_GPL(kunit_device_unregister);
>
> --
> 2.46.0.rc1.232.g9752f9e123-goog
>
Re: [PATCH] kunit: Device wrappers should also manage driver name
Posted by Maxime Ripard 1 year, 4 months ago
On Wed, 31 Jul 2024 15:02:06 +0800, David Gow wrote:
> kunit_driver_create() accepts a name for the driver, but does not copy
> it, so if that name is either on the stack, or otherwise freed, we end
> up with a use-after-free when the driver is cleaned up.
> 
> Instead, strdup() the name, and manage it as another KUnit allocation.
> 
> [ ... ]

Reviewed-by: Maxime Ripard <mripard@kernel.org>

Thanks!
Maxime