Merge tag 'leds-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/pavel...
[linux-2.6-microblaze.git] / lib / test_kasan_module.c
index 2d68db6..62a8785 100644 (file)
@@ -91,6 +91,34 @@ static noinline void __init kasan_rcu_uaf(void)
        call_rcu(&global_rcu_ptr->rcu, kasan_rcu_reclaim);
 }
 
+static noinline void __init kasan_workqueue_work(struct work_struct *work)
+{
+       kfree(work);
+}
+
+static noinline void __init kasan_workqueue_uaf(void)
+{
+       struct workqueue_struct *workqueue;
+       struct work_struct *work;
+
+       workqueue = create_workqueue("kasan_wq_test");
+       if (!workqueue) {
+               pr_err("Allocation failed\n");
+               return;
+       }
+       work = kmalloc(sizeof(struct work_struct), GFP_KERNEL);
+       if (!work) {
+               pr_err("Allocation failed\n");
+               return;
+       }
+
+       INIT_WORK(work, kasan_workqueue_work);
+       queue_work(workqueue, work);
+       destroy_workqueue(workqueue);
+
+       pr_info("use-after-free on workqueue\n");
+       ((volatile struct work_struct *)work)->data;
+}
 
 static int __init test_kasan_module_init(void)
 {
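Review bot: The `!work` error path in kasan_workqueue_uaf() returns without releasing the workqueue created just above it, so a failed kmalloc() leaks the workqueue; add `destroy_workqueue(workqueue);` before that `return;`. Both failure branches also log the identical `"Allocation failed\n"`, so the message does not say whether the workqueue or the work item failed to allocate. The final read of `work->data` is the deliberate use-after-free: the handler has already kfree'd `work` by the time destroy_workqueue() has drained the queue. A short comment such as `/* work was freed by kasan_workqueue_work(); this read must produce a KASAN report */` would stop the line from being "fixed" or removed as dead code later.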
@@ -102,6 +130,7 @@ static int __init test_kasan_module_init(void)
 
        copy_user_test();
        kasan_rcu_uaf();
+       kasan_workqueue_uaf();
 
        kasan_restore_multi_shot(multishot);
        return -EAGAIN;