diff options
| author | David S. Miller <davem@davemloft.net> | 2016-12-03 11:46:54 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-12-03 12:29:53 -0500 |
| commit | 2745529ac7358fdac72e6b388da2e934bd9da82c (patch) | |
| tree | 245bb05b1a18189c5a5212db914c70a636d8267a /lib/test_kasan.c | |
| parent | ab17cb1fea82b346bdecd4f2d7f0e84e80f847af (diff) | |
| parent | 8dc0f265d39a3933f4c1f846c7c694f12a2ab88a (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Couple conflicts resolved here:
1) In the MACB driver, a bug fix to properly initialize the
RX tail pointer properly overlapped with some changes
to support variable sized rings.
2) In XGBE we had a "CONFIG_PM" --> "CONFIG_PM_SLEEP" fix
overlapping with a reorganization of the driver to support
ACPI, OF, as well as PCI variants of the chip.
3) In 'net' we had several probe error path bug fixes to the
stmmac driver, meanwhile a lot of this code was cleaned up
and reorganized in 'net-next'.
4) The cls_flower classifier obtained a helper function in
'net-next' called __fl_delete() and this overlapped with
Daniel Borkamann's bug fix to use RCU for object destruction
in 'net'. It also overlapped with Jiri's change to guard
the rhashtable_remove_fast() call with a check against
tc_skip_sw().
5) In mlx4, a revert bug fix in 'net' overlapped with some
unrelated changes in 'net-next'.
6) In geneve, a stale header pointer after pskb_expand_head()
bug fix in 'net' overlapped with a large reorganization of
the same code in 'net-next'. Since the 'net-next' code no
longer had the bug in question, there was nothing to do
other than to simply take the 'net-next' hunks.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'lib/test_kasan.c')
| -rw-r--r-- | lib/test_kasan.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 5e51872b3fc1..fbdf87920093 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c | |||
| @@ -20,6 +20,11 @@ | |||
| 20 | #include <linux/uaccess.h> | 20 | #include <linux/uaccess.h> |
| 21 | #include <linux/module.h> | 21 | #include <linux/module.h> |
| 22 | 22 | ||
| 23 | /* | ||
| 24 | * Note: test functions are marked noinline so that their names appear in | ||
| 25 | * reports. | ||
| 26 | */ | ||
| 27 | |||
| 23 | static noinline void __init kmalloc_oob_right(void) | 28 | static noinline void __init kmalloc_oob_right(void) |
| 24 | { | 29 | { |
| 25 | char *ptr; | 30 | char *ptr; |
| @@ -411,6 +416,29 @@ static noinline void __init copy_user_test(void) | |||
| 411 | kfree(kmem); | 416 | kfree(kmem); |
| 412 | } | 417 | } |
| 413 | 418 | ||
| 419 | static noinline void __init use_after_scope_test(void) | ||
| 420 | { | ||
| 421 | volatile char *volatile p; | ||
| 422 | |||
| 423 | pr_info("use-after-scope on int\n"); | ||
| 424 | { | ||
| 425 | int local = 0; | ||
| 426 | |||
| 427 | p = (char *)&local; | ||
| 428 | } | ||
| 429 | p[0] = 1; | ||
| 430 | p[3] = 1; | ||
| 431 | |||
| 432 | pr_info("use-after-scope on array\n"); | ||
| 433 | { | ||
| 434 | char local[1024] = {0}; | ||
| 435 | |||
| 436 | p = local; | ||
| 437 | } | ||
| 438 | p[0] = 1; | ||
| 439 | p[1023] = 1; | ||
| 440 | } | ||
| 441 | |||
| 414 | static int __init kmalloc_tests_init(void) | 442 | static int __init kmalloc_tests_init(void) |
| 415 | { | 443 | { |
| 416 | kmalloc_oob_right(); | 444 | kmalloc_oob_right(); |
| @@ -436,6 +464,7 @@ static int __init kmalloc_tests_init(void) | |||
| 436 | kasan_global_oob(); | 464 | kasan_global_oob(); |
| 437 | ksize_unpoisons_memory(); | 465 | ksize_unpoisons_memory(); |
| 438 | copy_user_test(); | 466 | copy_user_test(); |
| 467 | use_after_scope_test(); | ||
| 439 | return -EAGAIN; | 468 | return -EAGAIN; |
| 440 | } | 469 | } |
| 441 | 470 | ||