There are three tests remaining in lib/kasan_test_module.c: 1. kasan_rcu_uaf() and 2. kasan_workqueue_uaf() that trigger KASAN bug reports in a different task than where the test is run. Porting those should be easy once tests start using tracepoints instead of a per-task flag to check for bug reports: https://bugzilla.kernel.org/show_bug.cgi?id=212203 3. copy_user_test(). The issue with this one is that it requires a user context to work. It's unclear what's the best/easiest approach to port this one to KUnit.
Some options for #3: - Spawning a user task from the kernel. - Creating fake mm structs. - Using kernel memory as arguments to copy_to/from_user. (It might make sense to add tests for this in either case.)
Note: currently, lib/kasan_test_module.c doesn't work with HW_TAGS KASAN. When the tests are ported to KUnit, they should be explicitly checked with that KASAN mode.
Posted patches porting #1 and #2 to KUnit [1]. For #3, another potential approach is to hijack a userspace process via tracepoints, and execute the test there. However, this can only be done when userspace processes are launched (=> when KUnit tests are loaded as a module) and also requires the faultable tracepoints patchset [2]. [1] https://lore.kernel.org/linux-mm/653d43e9a6d9aad2ae148a941dab048cb8e765a8.1664044241.git.andreyknvl@google.com/T/ [2] https://lore.kernel.org/bpf/20210218222125.46565-5-mjeanson@efficios.com/T/
Non-copy_to/from_user tests have been ported to KUnit in [1] and [2]. For copy_to/from_user tests, we could keep them in a module, but nevertheless integrate with KUnit. This won't allow easily running them during boot, but other approaches seem overly complicated to implement. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b2c5bd4c69ce28500ed2176d11002a4e9b30da36 [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8516e837cab0b2c740b90603b66039aa7dcecda4