8e4319a4e9
[ Upstream commit a1af6a2bfa0cb46d70b7df5352993e750da6c79b ]
Commit 2810c1e99867 ("kunit: Fix wild-memory-access bug in
kunit_free_suite_set()") fixed a wild-memory-access bug that could have
happened during the loading phase of test suites built and executed as
loadable modules. However, it also introduced a problematic side effect
that causes test suites modules to crash when they attempt to register
fake devices.
When a module is loaded, it traverses the MODULE_STATE_UNFORMED and
MODULE_STATE_COMING states before reaching the normal operating state
MODULE_STATE_LIVE. Finally, when the module is removed, it moves to
MODULE_STATE_GOING before being released. However, if the loading
function load_module() fails between complete_formation() and
do_init_module(), the module goes directly from MODULE_STATE_COMING to
MODULE_STATE_GOING without passing through MODULE_STATE_LIVE.
This behavior was causing kunit_module_exit() to be called without
having first executed kunit_module_init(). Since kunit_module_exit() is
responsible for freeing the memory allocated by kunit_module_init()
through kunit_filter_suites(), this behavior was resulting in a
wild-memory-access bug.
Commit 2810c1e99867 ("kunit: Fix wild-memory-access bug in
kunit_free_suite_set()") fixed this issue by running the tests when the
module is still in MODULE_STATE_COMING. However, modules in that state
are not fully initialized, lacking sysfs kobjects. Therefore, if a test
module attempts to register a fake device, it will inevitably crash.
This patch proposes a different approach to fix the original
wild-memory-access bug while restoring the normal module execution flow
by making kunit_module_exit() able to detect if kunit_module_init() has
previously initialized the tests suite set. In this way, test modules
can once again register fake devices without crashing.
This behavior is achieved by checking whether mod->kunit_suites is a
virtual or direct mapping address. If it is a virtual address, then
kunit_module_init() has allocated the suite_set in kunit_filter_suites()
using kmalloc_array(). On the contrary, if mod->kunit_suites is still
pointing to the original address that was set when looking up the
.kunit_test_suites section of the module, then the loading phase has
failed and there's no memory to be freed.
v4:
- rebased on 6.8
- noted that kunit_filter_suites() must return a virtual address
v3:
- add a comment to clarify why the start address is checked
v2:
- add include <linux/mm.h>
Fixes: 2810c1e99867 ("kunit: Fix wild-memory-access bug in kunit_free_suite_set()")
Reviewed-by: David Gow <davidgow@google.com>
Tested-by: Rae Moar <rmoar@google.com>
Tested-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Marco Pagani <marpagan@redhat.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|---|---|---|
| .. | ||
| 842 | ||
| crypto | ||
| dim | ||
| fonts | ||
| kunit | ||
| livepatch | ||
| lz4 | ||
| lzo | ||
| math | ||
| pldmfw | ||
| raid6 | ||
| reed_solomon | ||
| test_fortify | ||
| vdso | ||
| xz | ||
| zlib_deflate | ||
| zlib_dfltcc | ||
| zlib_inflate | ||
| zstd | ||
| .gitignore | ||
| argv_split.c | ||
| ashldi3.c | ||
| ashrdi3.c | ||
| asn1_decoder.c | ||
| asn1_encoder.c | ||
| assoc_array.c | ||
| atomic64_test.c | ||
| atomic64.c | ||
| audit.c | ||
| base64.c | ||
| bcd.c | ||
| bch.c | ||
| bitfield_kunit.c | ||
| bitmap.c | ||
| bitrev.c | ||
| bootconfig-data.S | ||
| bootconfig.c | ||
| bsearch.c | ||
| btree.c | ||
| bucket_locks.c | ||
| bug.c | ||
| build_OID_registry | ||
| buildid.c | ||
| bust_spinlocks.c | ||
| check_signature.c | ||
| checksum_kunit.c | ||
| checksum.c | ||
| clz_ctz.c | ||
| clz_tab.c | ||
| cmdline_kunit.c | ||
| cmdline.c | ||
| cmpdi2.c | ||
| compat_audit.c | ||
| cpu_rmap.c | ||
| cpumask_kunit.c | ||
| cpumask.c | ||
| crc4.c | ||
| crc7.c | ||
| crc8.c | ||
| crc16.c | ||
| crc32.c | ||
| crc32defs.h | ||
| crc32test.c | ||
| crc64-rocksoft.c | ||
| crc64.c | ||
| crc-ccitt.c | ||
| crc-itu-t.c | ||
| crc-t10dif.c | ||
| ctype.c | ||
| debug_info.c | ||
| debug_locks.c | ||
| debugobjects.c | ||
| dec_and_lock.c | ||
| decompress_bunzip2.c | ||
| decompress_inflate.c | ||
| decompress_unlz4.c | ||
| decompress_unlzma.c | ||
| decompress_unlzo.c | ||
| decompress_unxz.c | ||
| decompress_unzstd.c | ||
| decompress.c | ||
| devmem_is_allowed.c | ||
| devres.c | ||
| dhry_1.c | ||
| dhry_2.c | ||
| dhry_run.c | ||
| dhry.h | ||
| digsig.c | ||
| dump_stack.c | ||
| dynamic_debug.c | ||
| dynamic_queue_limits.c | ||
| earlycpio.c | ||
| errname.c | ||
| error-inject.c | ||
| errseq.c | ||
| extable.c | ||
| fault-inject-usercopy.c | ||
| fault-inject.c | ||
| fdt_addresses.c | ||
| fdt_empty_tree.c | ||
| fdt_ro.c | ||
| fdt_rw.c | ||
| fdt_strerror.c | ||
| fdt_sw.c | ||
| fdt_wip.c | ||
| fdt.c | ||
| find_bit_benchmark.c | ||
| find_bit.c | ||
| flex_proportions.c | ||
| fortify_kunit.c | ||
| gen_crc32table.c | ||
| gen_crc64table.c | ||
| genalloc.c | ||
| generic-radix-tree.c | ||
| glob.c | ||
| globtest.c | ||
| group_cpus.c | ||
| hashtable_test.c | ||
| hexdump.c | ||
| hweight.c | ||
| idr.c | ||
| inflate.c | ||
| interval_tree_test.c | ||
| interval_tree.c | ||
| iomap_copy.c | ||
| iomap.c | ||
| iommu-helper.c | ||
| iov_iter.c | ||
| irq_poll.c | ||
| irq_regs.c | ||
| is_signed_type_kunit.c | ||
| is_single_threaded.c | ||
| kasprintf.c | ||
| Kconfig | ||
| Kconfig.debug | ||
| Kconfig.kasan | ||
| Kconfig.kcsan | ||
| Kconfig.kfence | ||
| Kconfig.kgdb | ||
| Kconfig.kmsan | ||
| Kconfig.ubsan | ||
| kfifo.c | ||
| klist.c | ||
| kobject_uevent.c | ||
| kobject.c | ||
| kstrtox.c | ||
| kstrtox.h | ||
| kunit_iov_iter.c | ||
| libcrc32c.c | ||
| linear_ranges.c | ||
| list_debug.c | ||
| list_sort.c | ||
| list-test.c | ||
| llist.c | ||
| locking-selftest-hardirq.h | ||
| locking-selftest-mutex.h | ||
| locking-selftest-rlock-hardirq.h | ||
| locking-selftest-rlock-softirq.h | ||
| locking-selftest-rlock.h | ||
| locking-selftest-rsem.h | ||
| locking-selftest-rtmutex.h | ||
| locking-selftest-softirq.h | ||
| locking-selftest-spin-hardirq.h | ||
| locking-selftest-spin-softirq.h | ||
| locking-selftest-spin.h | ||
| locking-selftest-wlock-hardirq.h | ||
| locking-selftest-wlock-softirq.h | ||
| locking-selftest-wlock.h | ||
| locking-selftest-wsem.h | ||
| locking-selftest.c | ||
| lockref.c | ||
| logic_iomem.c | ||
| logic_pio.c | ||
| lru_cache.c | ||
| lshrdi3.c | ||
| Makefile | ||
| maple_tree.c | ||
| memcat_p.c | ||
| memcpy_kunit.c | ||
| memory-notifier-error-inject.c | ||
| memregion.c | ||
| memweight.c | ||
| muldi3.c | ||
| net_utils.c | ||
| netdev-notifier-error-inject.c | ||
| nlattr.c | ||
| nmi_backtrace.c | ||
| notifier-error-inject.c | ||
| notifier-error-inject.h | ||
| objagg.c | ||
| of-reconfig-notifier-error-inject.c | ||
| oid_registry.c | ||
| once.c | ||
| overflow_kunit.c | ||
| packing.c | ||
| parman.c | ||
| parser.c | ||
| pci_iomap.c | ||
| percpu_counter.c | ||
| percpu_test.c | ||
| percpu-refcount.c | ||
| plist.c | ||
| pm-notifier-error-inject.c | ||
| polynomial.c | ||
| radix-tree.c | ||
| radix-tree.h | ||
| random32.c | ||
| ratelimit.c | ||
| rbtree_test.c | ||
| rbtree.c | ||
| rcuref.c | ||
| ref_tracker.c | ||
| refcount.c | ||
| rhashtable.c | ||
| sbitmap.c | ||
| scatterlist.c | ||
| seq_buf.c | ||
| sg_pool.c | ||
| sg_split.c | ||
| siphash_kunit.c | ||
| siphash.c | ||
| slub_kunit.c | ||
| smp_processor_id.c | ||
| sort.c | ||
| stackdepot.c | ||
| stackinit_kunit.c | ||
| stmp_device.c | ||
| strcat_kunit.c | ||
| string_helpers.c | ||
| string.c | ||
| strncpy_from_user.c | ||
| strnlen_user.c | ||
| strscpy_kunit.c | ||
| syscall.c | ||
| test_bitmap.c | ||
| test_bitops.c | ||
| test_bits.c | ||
| test_blackhole_dev.c | ||
| test_bpf.c | ||
| test_debug_virtual.c | ||
| test_dynamic_debug.c | ||
| test_firmware.c | ||
| test_fprobe.c | ||
| test_fpu.c | ||
| test_free_pages.c | ||
| test_hash.c | ||
| test_hexdump.c | ||
| test_hmm_uapi.h | ||
| test_hmm.c | ||
| test_ida.c | ||
| test_kmod.c | ||
| test_kprobes.c | ||
| test_linear_ranges.c | ||
| test_list_sort.c | ||
| test_lockup.c | ||
| test_maple_tree.c | ||
| test_memcat_p.c | ||
| test_meminit.c | ||
| test_min_heap.c | ||
| test_module.c | ||
| test_objagg.c | ||
| test_parman.c | ||
| test_printf.c | ||
| test_ref_tracker.c | ||
| test_rhashtable.c | ||
| test_scanf.c | ||
| test_sort.c | ||
| test_static_key_base.c | ||
| test_static_keys.c | ||
| test_string.c | ||
| test_sysctl.c | ||
| test_ubsan.c | ||
| test_user_copy.c | ||
| test_uuid.c | ||
| test_vmalloc.c | ||
| test_xarray.c | ||
| test-kstrtox.c | ||
| test-string_helpers.c | ||
| textsearch.c | ||
| timerqueue.c | ||
| trace_readwrite.c | ||
| ts_bm.c | ||
| ts_fsm.c | ||
| ts_kmp.c | ||
| ubsan.c | ||
| ubsan.h | ||
| ucmpdi2.c | ||
| ucs2_string.c | ||
| usercopy.c | ||
| uuid.c | ||
| vsprintf.c | ||
| win_minmax.c | ||
| xarray.c | ||
| xxhash.c | ||