From: Brendan Higgins
Date: Thu, 10 Mar 2022 03:08:59 -0500
Subject: Re: [PATCH v2 1/3] kunit: fix UAF when run kfence test case test_gfpzero
To: Peng Liu
Cc: glider@google.com, elver@google.com, dvyukov@google.com, akpm@linux-foundation.org, linux-kselftest@vger.kernel.org, kunit-dev@googlegroups.com, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, wangkefeng.wang@huawei.com
In-Reply-To: <20220309083753.1561921-2-liupeng256@huawei.com>
References: <20220309083753.1561921-1-liupeng256@huawei.com> <20220309083753.1561921-2-liupeng256@huawei.com>

On Wed, Mar 9, 2022 at 3:19 AM 'Peng Liu' via KUnit Development wrote:
>
> Kunit will create a new thread to run an actual test case, and the
> main process will wait for the completion of the actual test thread
> until overtime. The variable "struct kunit test" has local property
> in function kunit_try_catch_run, and will be used in the test case
> thread. Task kunit_try_catch_run will free "struct kunit test" when
> kunit runs overtime, but the actual test case is still running and a
> UAF bug will be triggered.
>
> The above problem has been observed on both a physical machine and a
> qemu platform when running kfence kunit tests. The problem can be
> triggered when setting CONFIG_KFENCE_NUM_OBJECTS = 65535. Under
> this setting, the test case test_gfpzero will cost hours and kunit
> will run to overtime. The following shows the panic log.
>
> BUG: unable to handle page fault for address: ffffffff82d882e9
>
> Call Trace:
> kunit_log_append+0x58/0xd0
> ...
> test_alloc.constprop.0.cold+0x6b/0x8a [kfence_test]
> test_gfpzero.cold+0x61/0x8ab [kfence_test]
> kunit_try_run_case+0x4c/0x70
> kunit_generic_run_threadfn_adapter+0x11/0x20
> kthread+0x166/0x190
> ret_from_fork+0x22/0x30
> Kernel panic - not syncing: Fatal exception
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Ubuntu-1.8.2-1ubuntu1 04/01/2014
>
> To solve this problem, the test case thread should be stopped when
> the kunit frame runs overtime. The stop signal will be sent in function
> kunit_try_catch_run, and test_gfpzero will handle it.
>
> Signed-off-by: Peng Liu

Thanks for taking care of this.

Reviewed-by: Brendan Higgins
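The ordering the commit message asks for (stop the test thread and wait for it before the runner reclaims the per-test state) as an added userspace model; this is example code, not part of the KUnit patch or of this thread. It assumes a cooperative stop flag in place of a kernel stop request such as kthread_should_stop(), a polled `done` flag in place of the completion kunit_try_catch_run waits on, and the invented names test_ctx, test_thread and run_with_timeout.

```c
#define _POSIX_C_SOURCE 200809L   /* for nanosleep() */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
/* Stand-in for "struct kunit": allocated by the runner, written by the test thread. */
struct test_ctx {
    atomic_int should_stop;  /* stand-in for a kthread_should_stop()-style request */
    atomic_int done;         /* stand-in for the completion the runner waits on */
    long max_iterations;     /* < 0: keep going until told to stop */
    long iterations;         /* read by the runner only after the join */
    char log[32];            /* the kind of field kunit_log_append() wrote after the free */
};
/* The test case: works until finished or asked to stop; polling the stop flag is what the fix asks test_gfpzero to do. */
static void *test_thread(void *arg)
{
    struct test_ctx *ctx = arg;
    while (!atomic_load(&ctx->should_stop) &&
           (ctx->max_iterations < 0 || ctx->iterations < ctx->max_iterations)) {
        ctx->iterations++;
        snprintf(ctx->log, sizeof ctx->log, "alloc %ld", ctx->iterations);
        nanosleep(&(struct timespec){0, 1000000L}, NULL);   /* 1 ms of "work" */
    }
    atomic_store(&ctx->done, 1);
    return NULL;
}
/* Runner modelled on kunit_try_catch_run: 0 = finished in time, -1 = timed out, -2 = could not start. */
static int run_with_timeout(long max_iterations, int timeout_ms, long *iters_out)
{
    struct test_ctx *ctx = calloc(1, sizeof *ctx);
    pthread_t tid;
    if (!ctx) return -2;
    ctx->max_iterations = max_iterations;
    if (pthread_create(&tid, NULL, test_thread, ctx) != 0) {
        free(ctx);
        return -2;
    }
    for (int w = 0; w < timeout_ms && !atomic_load(&ctx->done); w += 5)   /* poll in 5 ms steps */
        nanosleep(&(struct timespec){0, 5000000L}, NULL);
    int rc = atomic_load(&ctx->done) ? 0 : -1;
    /* Old ordering: free(ctx) here while the thread may still run -> UAF.
     * Fixed ordering: request stop, wait for the thread, only then free. */
    atomic_store(&ctx->should_stop, 1);
    pthread_join(tid, NULL);
    *iters_out = ctx->iterations;
    free(ctx);
    return rc;
}
```

A test that finishes (max_iterations 5, generous timeout) returns 0 with 5 iterations recorded; an endless one (max_iterations -1, 50 ms timeout) returns -1 and still has a valid, non-zero iteration count because the context outlives the thread.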