| Commit message (Collapse) | Author | Age | Files | Lines |
Update to upstream commit 228a1157fb9f.
VFIO_TYPE1_NESTING_IOMMU const was removed in 35890f85573c.
Remove it from descriptions.
|
New ioctl to create hwpt objects directly with two forms.
|
This should run without any errno returns. A number of problems have crept
in:
- The kernel changed the size of the test ioctl from 0x38 to 0x48. The
  generated description picked this up but the hardwired constant in the
  test did not. Update all cases.
- Fix TEST_OP_MOCK_DOMAIN to use the kernel changed ID layout and new
  destruction sequence.
- Move TEST_OP_MD_CHECK_* up into a region with a MOCK_DOMAIN and fix their
  arguments so they work properly.
The test now passes on v6.8-rc3 with no error failures.
|
Some small mistakes have crept into here and the definitions are not
working quite right:
- The kernel changed the layout of the mock_domain test command to have
  three handles and moved the device_handle to the end. A new handle - the
  "selftest_device" was returned instead.
- check_map/check_refs takes in a hwpt_handle not an fd_access
- domain_replace takes in the selftest_device_handle and an ioas/pt
- access_replace_ioas uses the ioas_handle not a naked int32.
|
All flags that are subset of other flags were identified with the
following Bash script [1]. Only a small set of flags identified by the
script were rewritten to use nested flag definitions, after manually
checking if it makes sense (based on syzkaller context and man pages).
For example, msgget_flags was rewritten as follows:
-msgget_flags = IPC_CREAT, IPC_EXCL, S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH
+msgget_flags = IPC_CREAT, IPC_EXCL, open_mode
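Review bot: on the `+msgget_flags` line, the rewrite is only equivalent to the removed line if open_mode contains all nine S_I* constants that were dropped (S_IRUSR through S_IXOTH). The subset check described in the message only shows that every open_mode value already appears in msgget_flags, not the reverse, and the definition of open_mode is not visible here. Please quote the open_mode definition in the commit message, or state explicitly that the resulting value set is unchanged, so a reader can confirm no permission bit is lost from the fuzzed flag set.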
According to the msgget(2) man page:
    Upon creation, the least significant bits of the argument msgflg
    define the permissions of the message queue. These permission bits
    have the same format and semantics as the permissions specified for
    the mode argument of open(2).
So it is correct to use open_mode directly in the definition of the
flags for msgget(2).
[1] -
#!/bin/bash
# Reads flag definitions ("name = A, B, C") on stdin and reports every
# flag list whose values are all contained in another flag list.
regexp_flags="^(\w+)\s*=\s+([a-zA-Z\"][^=]*)$"

# Succeeds when every element of the array named $1 is in the array named $2.
is_subset() {
	local -n subset=$1
	local -n superset=$2
	for element in "${subset[@]}"; do
		if [[ ! " ${superset[*]} " =~ " $element " ]]; then
			return 1
		fi
	done
	return 0
}

declare -A parsed_lines
while IFS= read -r line; do
	if [[ ! "$line" =~ $regexp_flags ]]; then
		continue
	fi
	list_name="${BASH_REMATCH[1]}"
	values="${BASH_REMATCH[2]}"
	# Strip spaces and sort the values so lists compare independent of order.
	IFS=',' read -r -a values_array <<< "$(echo "$values" | sed 's/ //g' | tr ',' '\n' | sort | tr '\n' ',')"
	# Skip flags with too few values.
	if [ "${#values_array[@]}" -lt 3 ]; then
		continue
	fi
	# Skip the syz0, syz1, etc. lists.
	if [ "${values_array[0]}" = "\"syz0\"" ]; then
		continue
	fi
	parsed_lines["${list_name}"]="${values_array[*]}"
done

# Compare every pair of flag lists.
for list_name in "${!parsed_lines[@]}"; do
	values_array=(${parsed_lines["$list_name"]})
	for other_list_name in "${!parsed_lines[@]}"; do
		other_values_array=(${parsed_lines["$other_list_name"]})
		if [ "$list_name" = "$other_list_name" ]; then
			continue
		fi
		if is_subset values_array other_values_array; then
			if [ "${#values_array[@]}" -eq "${#other_values_array[@]}" ]; then
				echo "$list_name EQUALS $other_list_name"
			else
				echo "$list_name is a SUBSET of $other_list_name"
			fi
		fi
	done
done
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
Added IOMMU_TEST_OP_MOCK_DOMAIN_REPLACE and IOMMU_TEST_OP_ACCESS_REPLACE_IOAS
ioctl syscall descriptions and let syzkaller hit these ioctls easily and
quickly.
Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>
|
Based on Linux kernel iommufd_test.h line 68 struct check_refs:
https://github.com/torvalds/linux/blob/master/drivers/iommu/iommufd/iommufd_test.h
correct the md_check_refs variable length and uptr in correct position.
Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>
|
Background:
Linux kernel v6.2-rc1 and later versions have merged IOMMU_TEST_OP_MD_CHECK_MAP
and IOMMU_TEST_OP_MD_CHECK_REFS ioctl syscalls:
https://elixir.bootlin.com/linux/v6.2-rc1/source/drivers/iommu/iommufd/iommufd_test.h#L13
The Problem:
Syzkaller accidentally found a bug related to IOMMU_TEST_OP_MD_CHECK_REFS after
about 3 weeks of fuzzing, and Jason Gunthorpe fixed it after the issue report:
Reported link: https://lore.kernel.org/all/Y%2FhOiilV1wJvu%2FHv@xpf.sh.intel.com/
Final fixed patch: https://lore.kernel.org/linux-iommu/0-v1-95390ed1df8d+8f-iommufd_mock_overflow_jgg@nvidia.com/
The Improvement:
Let syzkaller hit IOMMU_TEST_OP_MD_CHECK_MAP and IOMMU_TEST_OP_MD_CHECK_REFS
related syscalls easily and quickly, add these 2 new iommufd ioctl syscall
descriptions:
1. ioctl$IOMMU_TEST_OP_MD_CHECK_MAP(...);
2. ioctl$IOMMU_TEST_OP_MD_CHECK_REFS(...).
Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>
|