| Commit message | Author | Age | Files | Lines |
| |
* sys/linux: add description for mali bifrost driver
* sys/linux: regenerate dev_bifrost.txt.const
* sys/linux/dev_bifrost: separate BASE_*_GROUP_ID_* to individual bits
* sys/linux/dev_bifrost: format code
|
| |
Based on 5.11-rc1 and upstream-usb.config.
|
| |
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows controlling syscall/program/no-output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
|
| |
FUTEX_WAIT_MULTIPLE was added before it was merged, and nowadays we have
other plans for futex. Remove all WAIT_MULTIPLE references so futex
fuzzing can be re-enabled.
Signed-off-by: André Almeida <andrealmeid@collabora.com>
|
| |
Both are ChromeOS-specific.
|
| |
Also flip these:
/proc/sys/net/ipv4/tcp_dsack
/proc/sys/net/ipv4/tcp_recovery
/proc/sys/net/ipv4/tcp_mtu_probing
/proc/sys/net/ipv4/tcp_rfc1337
/proc/sys/net/ipv4/tcp_rmem
/proc/sys/net/ipv4/tcp_wmem
|
| |
- Add a test for BPF_PROG_TYPE_CGROUP_SYSCTL. This could be used as a
corpus.
- Remove an unnecessary file sys/linux/bpf_lsm.txt.const.
|
| |
1. Apply ignore_return to semctl$GETVAL which produces random errno
values on linux and freebsd.
2. Apply ignore_return to prctl and remove the custom code in executor.
3. Remove the custom errno ignoring code in fuchsia executor.
The calls are already marked as ignore_return, so this is just a leftover.
4. Only reset errno for ignore_return.
The syscall can still return a resource (maybe).
We only need to reset errno for fallback coverage.
|
| |
With fscrypt (a.k.a. ext4, f2fs, and ubifs encryption), several steps
are required to get to a properly set-up encrypted directory:
- Mount a filesystem that supports encryption.
- Call FS_IOC_ADD_ENCRYPTION_KEY on the mountpoint.
- Create a directory in the filesystem.
- Call FS_IOC_SET_ENCRYPTION_POLICY on the directory, specifying the
encryption key that was added earlier.
- Then actually create stuff in the directory.
It may be too hard for syzkaller to generate all these steps, which may
explain why syzbot isn't yet properly covering the fscrypt code; see
https://storage.googleapis.com/syzkaller/cover/ci-upstream-kasan-gce.html
which currently shows only 5% coverage of the fs/crypto/ directory.
Therefore add some test programs which do this setup on ext4 and f2fs.
Note that ubifs support can't be included yet because syzkaller doesn't
yet know how to mount a ubifs filesystem (which would likely require
using block2mtd, as ubifs uses MTD devices rather than block devices).
|
| |
These have some non-trivial effects like compacting memory
or changing TCP parameters in realistic ways.
Fixes #1671
|
| |
Add per-field direction attributes to the fields in fscrypt ioctl
argument structs, where the struct is marked as "inout" but the
individual fields should be either "in" or "out" (not both).
|
| |
Add some sample keys with their precomputed fscrypt key identifiers, and
add some sample fscrypt key descriptors.
This hopefully makes it much more likely that syzkaller will generate
programs that both add an encryption key to the kernel
(FS_IOC_ADD_ENCRYPTION_KEY or add_key$fscrypt_v1) *and* create a
directory that is encrypted using that key (mkdir() +
FS_IOC_SET_ENCRYPTION_POLICY). Doing this requires matching up the
value of the fscrypt key identifier or the fscrypt key descriptor.
|
| |
Add a syscall "add_key$fscrypt_v1" which describes the old way of adding
fscrypt keys. Previously only the new way (FS_IOC_ADD_ENCRYPTION_KEY)
was described. Keys added by "add_key$fscrypt_v1" can be referred to
later in the fscrypt_policy_v1 passed to FS_IOC_SET_ENCRYPTION_POLICY.
|
| |
Make ioctls take fd_dir rather than fd when they are primarily intended
to be used on directories. Especially for FS_IOC_SET_ENCRYPTION_POLICY,
this should increase the chance that syzkaller does something useful
with these ioctls.
|
| |
Regenerate consts on upstream 585e5b17b92dead8a3aca4e3c9876fbca5f7e0ba.
These consts were removed from txt files recently.
|
| |
This adds KVM's syz_kvm_setup_cpu pseudo syscall. This adds a placeholder
for options (none implemented yet).
This adds an instruction generator for ifuzz; this also adds a few pseudo
instructions to simulate super/hyper/ultracalls
(a PPC64/pseries platform thing).
The insns.go is generated from PowerISA_public.v3.0B.pdf [1] by
a horrendous python3 script on top of pdftotext. The ISA covers POWER9
which is the latest available POWER CPU at the moment. The next ISA
for POWER10 is quite different and we will deal with it later.
The // comment after every instruction is a fixed opcode list for
verification purposes.
This does not define DecodeExt as there is no obvious replacement for
the Intel XED library for POWERPC (gapstone-capstone, later, maybe).
[1] https://openpowerfoundation.org/?resource_lib=power-isa-version-3-0
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
|
| |
There is no point in having flags when values are equal.
This can only mean a typo or other bug. Check for such cases
and fix 3 existing precedents.
|
| |
Regenerate consts on upstream 585e5b17b92dead8a3aca4e3c9876fbca5f7e0ba.
Fix vmw_vmci.txt const extraction.
|
| |
These new fields were introduced in commit 1b4d60e ("bpf: Enable
BPF_PROG_TEST_RUN for raw_tracepoint") upstream.
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
These two fields are not used in the BPF_PROG_GET_FD_BY_ID bpf(2) command.
See BPF_PROG_GET_FD_BY_ID_LAST_FIELD upstream.
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
This new ld_imm instruction was introduced in commit 4976b71 ("bpf:
Introduce pseudo_btf_id") upstream.
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
This new command was introduced in commit ef15314 ("bpf: Add
BPF_PROG_BIND_MAP syscall") upstream. The flags field is not currently
used.
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
This new command was introduced in commit 73b11c2 ("bpf: Add support for
forced LINK_DETACH command") upstream.
Signed-off-by: Paul Chaignon <paul@cilium.io>
|
| |
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to possibility of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
|
| |
https://lore.kernel.org/linuxppc-dev/20190418100218.0a4afd51@mschwideX1/
The test triggers this bug:
[ 224.294341] ==================================================================
[ 224.294389] BUG: KASAN: stack-out-of-bounds in gup_pgd_range+0x124a/0x1398
[ 224.294405] Read of size 8 at addr 000003e002e8f3d8 by task gup_fast_regr-s/633
[ 224.294417]
[ 224.294431] CPU: 0 PID: 633 Comm: gup_fast_regr-s Not tainted 5.9.0-rc6 #1
[ 224.294443] Hardware name: IBM 8561 T01 701 (KVM/Linux)
[ 224.294454] Call Trace:
[ 224.294470] [<0000000047708384>] show_stack+0x174/0x220
[ 224.294488] [<000000004bbcfb9c>] dump_stack+0x274/0x2f8
[ 224.294506] [<0000000047f4e8e6>] print_address_description.constprop.0+0x5e/0x550
[ 224.294523] [<0000000047f4e4ea>] kasan_report+0x11a/0x168
[ 224.294538] [<0000000047e4a77a>] gup_pgd_range+0x124a/0x1398
[ 224.294554] [<0000000047e4cbea>] internal_get_user_pages_fast+0x212/0x460
[ 224.294571] [<0000000047e4cf10>] get_user_pages_fast+0x70/0xb0
[ 224.294588] [<0000000049886cee>] iov_iter_get_pages+0x2d6/0xdf0
[ 224.294605] [<000000004974aaca>] bio_iov_iter_get_pages+0x2ca/0x1088
[ 224.294623] [<0000000048210282>] iomap_dio_bio_actor+0x8e2/0x1118
[ 224.294638] [<0000000048210b64>] iomap_dio_actor+0xac/0x550
[ 224.294655] [<000000004820212a>] iomap_apply+0x21a/0x9d0
[ 224.294670] [<00000000482118ae>] iomap_dio_rw+0x7c6/0x11e8
[ 224.294689] [<0000000048374ca8>] ext4_file_read_iter+0x4b0/0x638
[ 224.294707] [<0000000047fd85ec>] new_sync_read+0x444/0x6d0
[ 224.294722] [<0000000047fde212>] vfs_read+0x2c2/0x4e0
[ 224.294737] [<0000000047fdf3ba>] ksys_read+0x16a/0x298
[ 224.294754] [<000000004bc37ee8>] system_call+0xdc/0x298
[ 224.294794]
[ 224.294800]
[ 224.294809] addr 000003e002e8f3d8 is located in stack of task gup_fast_regr-s/633 at offset 72 in frame:
[ 224.294827] gup_pgd_range+0x0/0x1398
[ 224.294837]
[ 224.294844] this frame has 3 objects:
[ 224.294854] [32, 40) 'pgd'
[ 224.294858] [64, 72) 'p4d'
[ 224.294867] [96, 104) 'pud'
[ 224.294874]
[ 224.294885] Memory state around the buggy address:
[ 224.294900] 000003e002e8f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294915] 000003e002e8f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294930] >000003e002e8f380: 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f3
[ 224.294943] ^
[ 224.294957] 000003e002e8f400: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 224.294972] 000003e002e8f480: 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 00 00
[ 224.294984] ==================================================================
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
80211_setup_station is extended with frame injections and delays that
are arranged in such a way that the device successfully joins an
access point.
80211_scan is a new test that starts a channel scan and then injects a
beacon and a probe response.
These additions were tested manually and were observed to fulfill
their purpose.
|
| |
This commit enables accurate generation of 802.11 frames for
injection. The descriptions only include frames/fields/elements that
are supported by mac80211.
Also, this commit includes fixes to tests that were affected by
modification of the existing descriptions.
The validity of the frames was verified by capturing the generated
packets and examining them in Wireshark.
|
| |
1. A runtest that sets up an access point.
2. A runtest that configures a station.
3. A runtest that configures a mesh device.
|
| |
Completed netlink descriptions for nl80211. Verified by executing
syzkaller locally and exploring coverage of the corresponding code.
|
| |
This modification allows removing the [opt] modifier for all uses of
ifreq_dev_t and ifreq_t
|
| |
nl80211 descriptions depend on a variety of parameters specific to the
wireless devices/networks that we act upon. This patch adjusts these
values to match the hard-coded parameters of the pre-created virtual
wireless devices.
|
| |
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identified by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
|
| |
And populate images with some files,
which should make both mounting and resulting dir more interesting.
Note: this adds 100MB of image files into the repo...
Maybe we need to think of some other way of storing these images...
|
| |
Add flexible_inline_xattr, inode_checksum, inode_crtime, project_quota features.
|
| |
tools/create_{f2fs,btrfs}_image.sh are... well, shell scripts.
It's hard to scale this approach to more file systems
avoiding duplication and stupid errors while doing proper
error handling and parallelization.
Upgrade syz-imagegen to generate full test files and replace
the shell scripts.
f2fs -O=compression option is removed, it does not seem to be
supported by mkfs.f2fs, it always says:
Error: Wrong features
The shell script used it, but it seems that the way it passed
arguments (in a single '-quoted string) just made mkfs misparse
the arguments (use only the first one?) and so -O=compression
and most other arguments were simply ignored.
|
| |
The previous commit did not get all intended changes.
Follow up to 2066
|
| |
1. Use set -eu
2. Use consistent name of the generated files
3. Add "requires: manual"
4. Fix some option combinations that lead to errors
Follow up to 2066
|
| |
Add several unit tests that mount different versions of btrfs images, and
the .sh file that generates these tests.
|
| |
Make things consistent.
Follow up to #2032
|
| |
Currently we only test parsing in tools/syz-runtest
and for test OS in pkg/runtest tests.
This means errors in tests for other OSes won't be
noticed until somebody runs tests manually.
Test parsing of all tests in pkg/runtest tests.
Fix up 2 broken tests.
|
| |
Introduce "manual" requirement for tests (only run if explicitly selected)
and mark f2fs tests as manual. There are too many of them.
Follow up to #2032
|
| |
Add several unit tests that mount different versions of f2fs image, and
the .sh file that generates these tests.
|