On Wed, Jul 31, 2024 at 1:02 AM David Gow davidgow@google.com wrote:

kunit_driver_create() accepts a name for the driver, but does not copy it, so if that name is either on the stack, or otherwise freed, we end up with a use-after-free when the driver is cleaned up.

Instead, strdup() the name, and manage it as another KUnit allocation. As there was no existing kunit_kstrdup(), we add one. Further, add a kunit_ variant of strdup_const() and kfree_const(), so we don't need to allocate and manage the string in the majority of cases where it's a constant.

This fixes a KASAN splat with overflow.overflow_allocation_test, when built as a module.

Fixes: d03c720e03bd ("kunit: Add APIs for managing devices") Reported-by: Nico Pache npache@redhat.com

Hi David,

This is failing in the Fedora-ark build process [1] which builds the KUNIT tests as modules.

+ /usr/bin/make <SNIP> modules ... ERROR: modpost: "__start_rodata" [lib/kunit/kunit.ko] undefined! ERROR: modpost: "__end_rodata" [lib/kunit/kunit.ko] undefined! make[2]: *** [scripts/Makefile.modpost:145: Module.symvers] Error 1 make[1]: *** [/builddir/build/BUILD/kernel-6.11.0-build/kernel-6.11-rc2/linux-6.11.0-0.rc2.22.ov.fc41.x86_64/Makefile:1895: modpost] Error 2 make: *** [Makefile:236: __sub-make] Error 2 + exit 1

This seems related to

+#include <asm/sections.h>

which defines __<start|end>_rodata.

When I tried exporting these symbols I got:

ERROR: modpost: vmlinux: '__start_rodata' exported twice. Previous export was in vmlinux

So I'm not sure what the problem is here.

[1] - https://kojipkgs.fedoraproject.org//work/tasks/9116/121539116/build.log

Cheers -- Nico

Closes: https://groups.google.com/g/kunit-dev/c/81V9b9QYON0 Signed-off-by: David Gow davidgow@google.com Reviewed-by: Kees Cook kees@kernel.org

---

There's some more serious changes since the RFC I sent, so please take a closer look.

Thanks, -- David

Changes since RFC: https://groups.google.com/g/kunit-dev/c/81V9b9QYON0/m/PFKNKDKAAAAJ

• Add and use the kunit_kstrdup_const() and kunit_free_const() functions.
• Fix a typo in the doc comments.

---

include/kunit/test.h | 58 ++++++++++++++++++++++++++++++++++++++++++++ lib/kunit/device.c | 7 ++++-- 2 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/include/kunit/test.h b/include/kunit/test.h index e2a1f0928e8b..da9e84de14c0 100644 --- a/include/kunit/test.h +++ b/include/kunit/test.h @@ -28,6 +28,7 @@ #include <linux/types.h>

#include <asm/rwonce.h> +#include <asm/sections.h>

/* Static key: true if any KUnit tests are currently running */ DECLARE_STATIC_KEY_FALSE(kunit_running); @@ -480,6 +481,63 @@ static inline void *kunit_kcalloc(struct kunit *test, size_t n, size_t size, gfp return kunit_kmalloc_array(test, n, size, gfp | __GFP_ZERO); }

+/**

• • kunit_kfree_const() - conditionally free test managed memory
• • @x: pointer to the memory
• • Calls kunit_kfree() only if @x is not in .rodata section.
• • See kunit_kstrdup_const() for more information.
• */

+static inline void kunit_kfree_const(struct kunit *test, const void *x) +{

•   if (!is_kernel_rodata((unsigned long)x))
  

•           kunit_kfree(test, x);
  

+}

+/**

• • kunit_kstrdup() - Duplicates a string into a test managed allocation.
• • @test: The test context object.
• • @str: The NULL-terminated string to duplicate.
• • @gfp: flags passed to underlying kmalloc().
• • See kstrdup() and kunit_kmalloc_array() for more information.
• */

+static inline char *kunit_kstrdup(struct kunit *test, const char *str, gfp_t gfp) +{

•   size_t len;
  

•   char *buf;
  

•   if (!str)
  

•           return NULL;
  

•   len = strlen(str) + 1;
  

•   buf = kunit_kmalloc(test, len, gfp);
  

•   if (buf)
  

•           memcpy(buf, str, len);
  

•   return buf;
  

+}

+/**

• • kunit_kstrdup_const() - Conditionally duplicates a string into a test managed allocation.
• • @test: The test context object.
• • @str: The NULL-terminated string to duplicate.
• • @gfp: flags passed to underlying kmalloc().
• • Calls kunit_kstrdup() only if @str is not in the rodata section. Must be freed with
• • kunit_free_const() -- not kunit_free().
• • See kstrdup_const() and kunit_kmalloc_array() for more information.
• */

+static inline const char *kunit_kstrdup_const(struct kunit *test, const char *str, gfp_t gfp) +{

•   if (is_kernel_rodata((unsigned long)str))
  

•           return str;
  

•   return kunit_kstrdup(test, str, gfp);
  

+}

/**

• kunit_vm_mmap() - Allocate KUnit-tracked vm_mmap() area
• @test: The test context object.

diff --git a/lib/kunit/device.c b/lib/kunit/device.c index 25c81ed465fb..520c1fccee8a 100644 --- a/lib/kunit/device.c +++ b/lib/kunit/device.c @@ -89,7 +89,7 @@ struct device_driver *kunit_driver_create(struct kunit *test, const char *name) if (!driver) return ERR_PTR(err);

•   driver->name = name;
  

•   driver->name = kunit_kstrdup_const(test, name, GFP_KERNEL);
    driver->bus = &kunit_bus_type;
    driver->owner = THIS_MODULE;
  
  

@@ -192,8 +192,11 @@ void kunit_device_unregister(struct kunit *test, struct device *dev) const struct device_driver *driver = to_kunit_device(dev)->driver;

    kunit_release_action(test, device_unregister_wrapper, dev);

•   if (driver)
  

•   if (driver) {
  

•           const char *driver_name = driver->name;
            kunit_release_action(test, driver_unregister_wrapper, (void *)driver);
  

•           kunit_kfree_const(test, driver_name);
  

•   }
  

} EXPORT_SYMBOL_GPL(kunit_device_unregister);

-- 2.46.0.rc1.232.g9752f9e123-goog