Hi Linus,
Please pull this kunit fixes update for Linux 7.1-rc6.
Fixes use-after-free in kunit debugfs when using kunit.filter when
the executor frees dynamically allocated resources after running
boot-time tests. This resulted in fatal hardware exception due to
invalidation of capability flags on the reclaimed memory on some
architectures such as CHERI RISC-V that support the feature, and
silent memory corruption on others.
Fix for this UAF couples the coupling the lifetime of the filtered
suite memory allocation to the lifetime of the kunit subsystem and its
associated VFS nodes. Ownership of the boot-time suite_set is now
transferred to a global tracker ('kunit_boot_suites'), and the memory
is cleanly released in kunit_exit() during module teardown.
diff is attached.
thanks,
-- Shuah
----------------------------------------------------------------
The following changes since commit 8f80b5b227ef9ea422080487715c841856339aed:
kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS (2026-05-04 12:10:40
-0600)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
tags/linux_kselftest-kunit-fixes-7.1-rc6
for you to fetch changes up to fb6988b83b4cafe8db63999c1ddff1b7c66d2ff5:
kunit: fix use-after-free in debugfs when using kunit.filter (2026-05-21
10:45:49 -0600)
----------------------------------------------------------------
linux_kselftest-kunit-fixes-7.1-rc6
Fixes use-after-free in kunit debugfs when using kunit.filter when
the executor frees dynamically allocated resources after running
boot-time tests. This resulted in fatal hardware exception due to
invalidation of capability flags on the reclaimed memory on some
architectures such as CHERI RISC-V that support the feature, and
silent memory corruption on others.
Fix for this UAF couples the coupling the lifetime of the filtered
suite memory allocation to the lifetime of the kunit subsystem and its
associated VFS nodes. Ownership of the boot-time suite_set is now
transferred to a global tracker ('kunit_boot_suites'), and the memory
is cleanly released in kunit_exit() during module teardown.
----------------------------------------------------------------
Florian Schmaus (1):
kunit: fix use-after-free in debugfs when using kunit.filter
include/kunit/test.h | 1 +
lib/kunit/executor.c | 19 ++++++++++++++++---
lib/kunit/test.c | 1 +
3 files changed, 18 insertions(+), 3 deletions(-)
----------------------------------------------------------------diff --git a/include/kunit/test.h b/include/kunit/test.h
index 9cd1594ab697..ce0573e196ce 100644
--- a/include/kunit/test.h
+++ b/include/kunit/test.h
@@ -613,6 +613,7 @@ unsigned long kunit_vm_mmap(struct kunit *test, struct file *file,
unsigned long offset);
void kunit_cleanup(struct kunit *test);
+void kunit_free_boot_suites(void);
void __printf(2, 3) kunit_log_append(struct string_stream *log, const char *fmt, ...);
diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
index 1fef217de11d..b0f8a41d61d3 100644
--- a/lib/kunit/executor.c
+++ b/lib/kunit/executor.c
@@ -15,6 +15,16 @@ extern struct kunit_suite * const __kunit_suites_end[];
extern struct kunit_suite * const __kunit_init_suites_start[];
extern struct kunit_suite * const __kunit_init_suites_end[];
+static struct kunit_suite_set kunit_boot_suites;
+
+void kunit_free_boot_suites(void)
+{
+ if (kunit_boot_suites.start) {
+ kunit_free_suite_set(kunit_boot_suites);
+ kunit_boot_suites = (struct kunit_suite_set){ NULL, NULL };
+ }
+}
+
static char *action_param;
module_param_named(action, action_param, charp, 0400);
@@ -411,9 +421,12 @@ int kunit_run_all_tests(void)
pr_err("kunit executor: unknown action '%s'\n", action_param);
free_out:
- if (filter_glob_param || filter_param)
- kunit_free_suite_set(suite_set);
- else if (init_num_suites > 0)
+ if (filter_glob_param || filter_param) {
+ if (err)
+ kunit_free_suite_set(suite_set);
+ else
+ kunit_boot_suites = suite_set;
+ } else if (init_num_suites > 0)
/* Don't use kunit_free_suite_set because suites aren't individually allocated */
kfree(suite_set.start);
diff --git a/lib/kunit/test.c b/lib/kunit/test.c
index 41e1c89799b6..99773e000e1b 100644
--- a/lib/kunit/test.c
+++ b/lib/kunit/test.c
@@ -1075,6 +1075,7 @@ static void __exit kunit_exit(void)
kunit_bus_shutdown();
kunit_debugfs_cleanup();
+ kunit_free_boot_suites();
}
module_exit(kunit_exit);
