| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Add automatic_helper attribute and enable it for system calls that are required to properly run automatically generated
descriptions. Enable these system calls when descriptions_mode = `Auto`.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All flags that are subset of other flags were identified with the
following Bash script [1]. Only a small set of flags identified by the
script were rewritten to use nested flag definitions, after manually
checking if it makes sense (based on syzkaller context and man pages).
For example, msgget_flags was rewritten as follows:
-msgget_flags = IPC_CREAT, IPC_EXCL, S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH
+msgget_flags = IPC_CREAT, IPC_EXCL, open_mode
According to the msgget(2) man page:
Upon creation, the least significant bits of the argument msgflg
define the permissions of the message queue. These permission bits
have the same format and semantics as the permissions specified for
the mode argument of open(2).
So it is correct to use open_mode directly in the definition of the
flags for msgget(2).
1 -
#!/bin/bash
regexp_flags="^(\w+)\s*=\s+([a-zA-Z\"][^=]*)$"
is_subset() {
local -n subset=$1
local -n superset=$2
for element in "${subset[@]}"; do
if [[ ! " ${superset[@]} " =~ " $element " ]]; then
return 1
fi
done
return 0
}
declare -A parsed_lines
while IFS= read -r line; do
if [[ ! "$line" =~ $regexp_flags ]]; then
continue
fi
list_name="${BASH_REMATCH[1]}"
values="${BASH_REMATCH[2]}"
IFS=',' read -r -a values_array <<< "$(echo "$values" | sed 's/ //g' | tr ',' '\n' | sort | tr '\n' ',')"
# Skip flags with too few value.
if [ "${#values_array[@]}" -lt 3 ]; then
continue
fi
# Skip the syz0, syz1, etc. lists.
if [ "${values_array[0]}" = "\"syz0\"" ]; then
continue
fi
parsed_lines["${list_name}"]="${values_array[@]}"
done
for list_name in "${!parsed_lines[@]}"; do
values_array=(${parsed_lines["$list_name"]})
for other_list_name in "${!parsed_lines[@]}"; do
other_values_array=(${parsed_lines["$other_list_name"]})
if [ "$list_name" = "$other_list_name" ]; then
continue
fi
if is_subset values_array other_values_array; then
if [ "${#values_array[@]}" -eq "${#other_values_array[@]}" ]; then
echo "$list_name EQUALS $other_list_name"
else
echo "$list_name is a SUBET of $other_list_name"
fi
fi
done
done
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
| |
This was removed from the upstream kernel in:
torvalds/linux@1202cdd665315c525b5237e96e0bedc76d7e754f
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for moving a NIC PCI pass-through VF into Syzkaller's network
namespace so that it will tested. As DEVLINK support is triggered by
setting the pass-through device to "addr=0x10", NIC PCI pass-through VF
support will be triggered by setting the device to "addr=0x11".
If a NIC PCI pass-through VF is detected in do_sandbox, setup a staging
namespace before the fork() and transfer the NIC VF interface to it.
After the fork() and in the child transfer the NIC VF interface to
Syzkaller's network namespace and rename the interface to netpci0 so
that it will be tested.
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
|
| |
|
|
|
|
| |
Add descriptions for:
https://elixir.bootlin.com/linux/v5.19-rc1/source/include/uapi/linux/mroute.h
https://elixir.bootlin.com/linux/v5.19-rc1/source/include/uapi/linux/mroute6.h
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove all uses of len/flags/const/proc types in explicitly marked out fields.
Use of these types for out fields does not make sense:
a len[b, int32] (out)
b flags[foo, int32] (out)
Since kernel fills these fields, that's unnecessary details or bugs in descriptions.
In particular all of these are actually bugs:
ioctl$TUNSETQUEUE(fd fd_tun, cmd const[TUNSETQUEUE], arg ptr[in, ifreq_t[flags[tun_queue_flags, int16]]])
ioctl$TUNSETIFF(fd fd_tun, cmd const[TUNSETIFF], arg ptr[in, ifreq_t[flags[tun_setiff_flags, int16]]])
ioctl$SIOCSIFHWADDR(fd fd_tun, cmd const[SIOCSIFHWADDR], arg ptr[in, ifreq_t[mac_addr]])
ioctl$sock_inet_SIOCSIFADDR(fd sock, cmd const[SIOCSIFADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFBRDADDR(fd sock, cmd const[SIOCSIFBRDADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFNETMASK(fd sock, cmd const[SIOCSIFNETMASK], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFDSTADDR(fd sock, cmd const[SIOCSIFDSTADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFPFLAGS(fd sock, cmd const[SIOCSIFPFLAGS], arg ptr[inout, ifreq_t[int32]])
ioctl$SIOCSIFMTU(fd sock_pppl2tp, cmd const[SIOCSIFMTU], arg ptr[in, ifreq_t[int32]])
ioctl$sock_SIOCETHTOOL(fd sock, cmd const[SIOCETHTOOL], arg ptr[inout, ifreq_t[ptr[inout, ethtool_cmd_u]]])
We pretend that we pass in some flags or addresses, but the ifreq field
was marked as (out), so we actually did not pass anything in.
|
| |
|
|
|
|
| |
Regenerate const files on the latest upstream tree.
Remove IPX support since it was removed from the kernel
in 7a2e838d28 ("staging: ipx: delete it from the tree").
|
| | |
|
| |
|
|
|
| |
This modification allows to remove [opt] modified for all uses of
ifreq_dev_t and ifreq_t
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identitied by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join to
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
|
| |
|
|
|
| |
Added descriptions to test Qualcomm's IPC router protocol for sockets.
Update #533.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Introduce common infrastructure for describing and parsing attribute
instead of custom per-attribute code scattered across several locations.
Change align attribute syntax from the weird align_N to align[N].
This also allows to use literal constants as N.
Introduce notion of builtin constants.
Currently we have only PTR_SIZE, which is needed to replace
align_ptr with align[PTR_SIZE].
|
| |
|
|
|
| |
const[0x12345678, int8] is always an error, detect these cases.
Found some bugs in mptcp, socket proto and fuchsia fidl descriptions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ensure that we don't have conflicting sizes for the same argument
of the same syscall, e.g.:
foo$1(a int16)
foo$2(a int32)
This is useful for several reasons:
- we will be able avoid morphing syscalls into other syscalls
- we will be able to figure out more precise sizes for args
(lots of them are implicitly intptr, which is the largest
type on most important arches)
- found few bugs in linux descriptions
Update #477
Update #502
|
| |
|
|
|
| |
This matches more closely what people are used to dealing with. We also
add one additional device for interesting multi-interface effects.
|
| |
|
|
| |
Update #806
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Mark ifindex as opt in SIOCGIFINDEX.
Otherwise it's considered inout and SIOCGIFINDEX can't be used
to produce ifindex'es on its own. It requires an input ifindex
first and only then it can output own ifindex.
|
| |
|
|
|
|
| |
virt_wifi docs say that the enslaved device won't be usable
on itself. It's probably not a good idea to make lo unusable.
Enslave a dedicated veth instead.
|
| | |
|
| |
|
|
| |
+ some netlink descriptions
|
| |
|
|
|
|
| |
Some sounds ioctls are now explicitly doubled for 32/64 bits. Support that.
Fix mips SOL_SOCKET issues by rearranging includes.
Improve few other fields.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Add netdev name related to pci netdev and fix comment for netdevsim0.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
|
| |
|
|
|
|
|
|
|
| |
Update socket timeval, timestamp options and flags.
v2: separate SO_{TIMESTAMP, TIMESTAMPNS}_{OLD, NEW} as they only need
enable/disable option value.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
|
| |
|
|
| |
All cmsg's must be intptr aligned within the array.
|
| |
|
|
| |
Fix the descriptions of cmsghdr.
Add sendmsg$sock and sendmmsg$sock for __sock_cmsg_send.
|
| |
|
|
|
|
|
|
| |
1. Move fsverity descriptions to a separate file which
is not regenerated automatically. It was dropped from linux-next.
2. Fix tlk_device.txt name in syz-extract.
3. Update some socket consts e.g. s/SO_TIMESTAMPING/SO_TIMESTAMPING_OLD/.
4. Regenerate const files on current upstream head.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Error on unused structs/unions/resources/flags.
Finds tons of bugs.
|
| | |
|
