kasan: add memcg kmem_cache test
Make a kasan test which uses a SLAB_ACCOUNT slab cache. If the test is run within a non default memcg, then it uncovers the bug fixed by "kasan: drain quarantine of memcg slab objects"[1]. If run without fix [1] it shows "Slab cache still has objects", and the kmem_cache structure is leaked. Here's an unpatched kernel test: $ dmesg -c > /dev/null $ mkdir /sys/fs/cgroup/memory/test $ echo $$ > /sys/fs/cgroup/memory/test/tasks $ modprobe test_kasan 2> /dev/null $ dmesg | grep -B1 still [ 123.456789] kasan test: memcg_accounted_kmem_cache allocate memcg accounted object [ 124.456789] kmem_cache_destroy test_cache: Slab cache still has objects Kernels with fix [1] don't have the "Slab cache still has objects" warning or the underlying leak. The new test runs and passes in the default (root) memcg, though in the root memcg it won't uncover the problem fixed by [1]. Link: http://lkml.kernel.org/r/1482257462-36948-2-git-send-email-gthelen@google.com Signed-off-by: Greg Thelen <gthelen@google.com> Reviewed-by: Vladimir Davydov <vdavydov.dev@gmail.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Christoph Lameter <cl@linux.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: David Rientjes <rientjes@google.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
f9fa1d919c
commit
0386bf385d
|
@ -11,6 +11,7 @@
|
||||||
|
|
||||||
#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
|
#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
|
||||||
|
|
||||||
|
#include <linux/delay.h>
|
||||||
#include <linux/kernel.h>
|
#include <linux/kernel.h>
|
||||||
#include <linux/mman.h>
|
#include <linux/mman.h>
|
||||||
#include <linux/mm.h>
|
#include <linux/mm.h>
|
||||||
|
@ -331,6 +332,38 @@ static noinline void __init kmem_cache_oob(void)
|
||||||
kmem_cache_destroy(cache);
|
kmem_cache_destroy(cache);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static noinline void __init memcg_accounted_kmem_cache(void)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
char *p;
|
||||||
|
size_t size = 200;
|
||||||
|
struct kmem_cache *cache;
|
||||||
|
|
||||||
|
cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
|
||||||
|
if (!cache) {
|
||||||
|
pr_err("Cache allocation failed\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
pr_info("allocate memcg accounted object\n");
|
||||||
|
/*
|
||||||
|
* Several allocations with a delay to allow for lazy per memcg kmem
|
||||||
|
* cache creation.
|
||||||
|
*/
|
||||||
|
for (i = 0; i < 5; i++) {
|
||||||
|
p = kmem_cache_alloc(cache, GFP_KERNEL);
|
||||||
|
if (!p) {
|
||||||
|
pr_err("Allocation failed\n");
|
||||||
|
goto free_cache;
|
||||||
|
}
|
||||||
|
kmem_cache_free(cache, p);
|
||||||
|
msleep(100);
|
||||||
|
}
|
||||||
|
|
||||||
|
free_cache:
|
||||||
|
kmem_cache_destroy(cache);
|
||||||
|
}
|
||||||
|
|
||||||
static char global_array[10];
|
static char global_array[10];
|
||||||
|
|
||||||
static noinline void __init kasan_global_oob(void)
|
static noinline void __init kasan_global_oob(void)
|
||||||
|
@ -460,6 +493,7 @@ static int __init kmalloc_tests_init(void)
|
||||||
kmalloc_uaf_memset();
|
kmalloc_uaf_memset();
|
||||||
kmalloc_uaf2();
|
kmalloc_uaf2();
|
||||||
kmem_cache_oob();
|
kmem_cache_oob();
|
||||||
|
memcg_accounted_kmem_cache();
|
||||||
kasan_stack_oob();
|
kasan_stack_oob();
|
||||||
kasan_global_oob();
|
kasan_global_oob();
|
||||||
ksize_unpoisons_memory();
|
ksize_unpoisons_memory();
|
||||||
|
|
Loading…
Reference in New Issue