Update const files on the latest upstream commit
d1dc87763f406d4e67caf16dbe438a5647692395
This reverts commit 7d6ce61334a1437f59d058959ef93071446706f8.
Ashmem is removed upstream, but it's still present in LTS 5.4/10 kernels.
Add "meta noextract" to the file instead to prevent extract errors.
This test covers linking, renaming and exchanging (RENAME_EXCHANGE) checks
handled in security/landlock/fs.c .
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Add the new LANDLOCK_ACCESS_FS_REFER flag for the full link and rename
handling.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
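
An added example, not the commit's or the kernel's own code, of the caveat a practitioner hits with the new flag: LANDLOCK_ACCESS_FS_REFER only exists from Landlock ABI v2 on, and handing an unknown handled_access_fs bit to landlock_create_ruleset() on an older kernel fails with EINVAL. The usual pattern is to query the ABI version first (landlock_create_ruleset with LANDLOCK_CREATE_RULESET_VERSION) and only then decide which rights to handle. The LL_ names, the struct and the helper functions are this example's own; the bit values and the syscall number mirror the uapi headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Constants mirror include/uapi/linux/landlock.h; they are defined here so
 * the example builds against headers that predate LANDLOCK_ACCESS_FS_REFER. */
#define LL_FS_EXECUTE     (1ULL << 0)
#define LL_FS_WRITE_FILE  (1ULL << 1)
#define LL_FS_READ_FILE   (1ULL << 2)
#define LL_FS_READ_DIR    (1ULL << 3)
#define LL_FS_REMOVE_DIR  (1ULL << 4)
#define LL_FS_REMOVE_FILE (1ULL << 5)
#define LL_FS_MAKE_CHAR   (1ULL << 6)
#define LL_FS_MAKE_DIR    (1ULL << 7)
#define LL_FS_MAKE_REG    (1ULL << 8)
#define LL_FS_MAKE_SOCK   (1ULL << 9)
#define LL_FS_MAKE_FIFO   (1ULL << 10)
#define LL_FS_MAKE_BLOCK  (1ULL << 11)
#define LL_FS_MAKE_SYM    (1ULL << 12)
#define LL_FS_REFER       (1ULL << 13) /* link/rename across directories, ABI v2 */
#define LL_CREATE_RULESET_VERSION (1U << 0)

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444 /* same number on every architecture */
#endif

/* Layout of struct landlock_ruleset_attr as of ABI v2 (a single u64). */
struct ll_ruleset_attr {
	uint64_t handled_access_fs;
};

/* Every access right known to ABI v1: bits 0..12. */
#define LL_FS_ABI1_ALL (LL_FS_REFER - 1)

/* Rights this sandbox wants to handle, trimmed to what the kernel accepts.
 * Passing an unknown bit (REFER on an ABI v1 kernel) fails with EINVAL. */
static uint64_t handled_fs_for_abi(int abi)
{
	uint64_t mask = LL_FS_ABI1_ALL;
	if (abi >= 2)
		mask |= LL_FS_REFER;
	return mask;
}

/* Returns the Landlock ABI version, or -errno (e.g. -ENOSYS or -EOPNOTSUPP
 * when Landlock is absent or disabled in the running kernel). */
static int landlock_abi_version(void)
{
	long r = syscall(__NR_landlock_create_ruleset, NULL, 0,
			 LL_CREATE_RULESET_VERSION);
	return r < 0 ? -errno : (int)r;
}

/* Creates a ruleset fd handling the rights the kernel supports; -errno on failure. */
static int create_ruleset(void)
{
	int abi = landlock_abi_version();
	if (abi < 0)
		return abi;
	struct ll_ruleset_attr attr = {
		.handled_access_fs = handled_fs_for_abi(abi),
	};
	long fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
	return fd < 0 ? -errno : (int)fd;
}

int main(void)
{
	int abi = landlock_abi_version();
	if (abi < 0) {
		printf("Landlock unavailable: %s\n", strerror(-abi));
		return 0;
	}
	int fd = create_ruleset();
	printf("ABI v%d, handled_access_fs=0x%llx, ruleset fd=%d\n", abi,
	       (unsigned long long)handled_fs_for_abi(abi), fd);
	if (fd >= 0)
		close(fd);
	return 0;
}
```

Later ABI versions add further bits (ABI v3 adds LANDLOCK_ACCESS_FS_TRUNCATE as bit 14); the same version gate extends to them. The rules added afterwards with landlock_add_rule() still only cover the rights that were handled here, so a ruleset that leaves REFER out cannot express where links and renames may go.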
* sys/linux: fix errors in dev_loop.txt
* docs: add research paper (ICSE 22)
* sys/linux: fix errors in dev_loop.txt
* sys/linux: fix errors in dev_loop.txt
We have a bunch of hacks in syz-extract, syz-sysgen and syz-check
with respect to description files unsupported on some arches,
or that must not be part of make extract.
Add 2 meta attributes to files:
meta noextract
Tells `make extract` to not extract constants for this file.
Though, `syz-extract` can still be invoked manually on this file.
meta arches["arch1", "arch2"]
Restricts this file only to the given set of architectures.
`make extract` and `make generate` will not use it on other architectures.
Later we can potentially use meta attributes to specify git tree/commit
that must be used for extraction. Maybe something else.
Fixes #2754
Make bpf_link_create_arg a template so that it's possible to create more specialized versions.
Add a specialized version for XDP links. First, they need a special program type,
plus a special attach type, and the target fd is not an fd but rather an ifindex.
Regenerated on the current upstream HEAD:
22da5264abf497a10a4ed629f07f4ba28a7ed5eb
It was deprecated and removed from the kernel:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=721412ed3d819e767cac2b06646bf03aa158aaec
Currently mkdirat requires fd_dir as an input resource,
which means it cannot be enabled in "enable_syscalls" on its own
as it requires some other syscall that creates fd_dir
(a syscall cannot create input resources for itself).
Mark fd_dir as opt so that mkdirat can be enabled on its own.
The default value for fd_dir is AT_FDCWD, which is a good value that works.
Randomly changing MSRs can have unpredictable results.
We tried to protect from writes on descriptions level,
but it does not work well, the fuzzer has figured out:
03:37:28 executing program 3:
syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f0000000180)='fd/3\x00')
pwritev(r0, ...)
Fortunately there is a command line argument that disables all writes.
Use it instead.
Note: older kernels will need:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a7e1f67ed29f
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=02a16aa13574
The 5.15 kernel gets a new filesystem driver for ntfs called ntfs3. The old driver
is still in use so we do not delete it yet.
Generated test images are made with mkntfs v2021.8.22 (libntfs-3g) and
ntfs3 version from 5.17-rc7. For some reason I did not manage to
generate images with "-s 256" due to some ntfs3 error. We can add those
later when we work out what is going on with those.
The interface has significantly changed since the first version.
Update to the upstreamed interface.
Fixes #3030
Regenerate on latest upstream commit
56e337f2cf1326323844927a04e9dbce9a244835.
Based on v5.17-rc1 and upstream-usb.config.
Regenerate const files on next-20220127.
Setting itself or another process as a real-time one leads to the
starvation of kernel threads and, as a result, to false positive stall
bug reports. We have been getting complaints about them for already
quite a long time now.
Neutralize the policy argument of the syscall as much as possible given
the set of possible syzkaller mutations.
It seems we had a bogus signature for sigaltstack for all that time.
It accepts 2 sigaltstack structs according to the kernel code:
https://elixir.bootlin.com/linux/v5.16/source/kernel/signal.c#L4217
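
An added example, not part of the commit or of syzkaller, of the two-struct signature the message refers to: the first stack_t is the configuration to install (NULL to leave it untouched), the second receives the previous one. Reading the old configuration back is what lets a caller restore it, and querying with a NULL first argument is how to inspect the current state without side effects. The function names and the round-trip check are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Installs base/size as the alternate signal stack. The previous
 * configuration is returned through old (may be NULL). Returns 0 or -errno. */
static int altstack_install(void *base, size_t size, stack_t *old)
{
	stack_t ss = { .ss_sp = base, .ss_size = size, .ss_flags = 0 };
	return sigaltstack(&ss, old) == 0 ? 0 : -errno;
}

/* Reads the current configuration without changing it (first argument NULL). */
static int altstack_query(stack_t *cur)
{
	return sigaltstack(NULL, cur) == 0 ? 0 : -errno;
}

/* Re-installs a configuration previously returned through the second argument. */
static int altstack_restore(const stack_t *saved)
{
	return sigaltstack(saved, NULL) == 0 ? 0 : -errno;
}

/* Round trip: install, query, restore, query. Returns 0 when the queried
 * state matches what was installed and the original state came back. */
static int altstack_roundtrip(void)
{
	size_t size = SIGSTKSZ; /* glibc may compute this at run time */
	if (size < 65536)
		size = 65536; /* generous: recent CPUs need more than 8 KiB */
	void *buf = malloc(size);
	if (!buf)
		return -ENOMEM;

	stack_t orig, cur, after;
	int rc = altstack_install(buf, size, &orig);
	if (rc == 0)
		rc = altstack_query(&cur);
	if (rc == 0 && !(cur.ss_sp == buf && cur.ss_size == size &&
			 !(cur.ss_flags & SS_DISABLE)))
		rc = -EINVAL;
	if (rc == 0)
		rc = altstack_restore(&orig);
	if (rc == 0)
		rc = altstack_query(&after);
	if (rc == 0 && (after.ss_flags & SS_DISABLE) != (orig.ss_flags & SS_DISABLE))
		rc = -EINVAL;
	free(buf); /* safe only after the kernel stopped referencing it */
	return rc;
}

int main(void)
{
	int rc = altstack_roundtrip();
	printf("sigaltstack round trip: %s\n", rc == 0 ? "ok" : strerror(-rc));
	return rc == 0 ? 0 : 1;
}
```

The restore step matters for the same reason the second argument exists: freeing a buffer that is still registered as the alternate stack leaves the kernel delivering SA_ONSTACK signals onto freed memory.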
Update #590
They are not really structs in the kernel even if we describe them as structs.
Regenerate warn files on the latest kernel commit fe8152b38d3
and latest syzkaller commit with fresh kernel config files.
As was pointed out in #2921, the current approach of limiting the number
of pids per process does not work on all Linux-based kernels.
We could just treat fork, clone and clone3 in a special way (e.g. exit
on a zero return). However, in that case we also need to sanitize the
arguments for clone and clone3 - if CLONE_VM is passed and stack is 0,
the forked child processes (threads) will become nearly unidentifiable
and will corrupt syz-executor's memory. While we could sanitize clone's
arguments, we cannot do so for clone3 - nothing can guarantee that they
will not be changed concurrently.
Instead of calling those syscalls directly, introduce a special pseudo
syscall syz_clone3. It copies and sanitizes the arguments and then
executes clone3 (or fork, if we're on an older kernel) in such a way so
as to prevent fork bombs from happening.
Also introduce syz_clone() to still be able to fuzz it on older systems.
Subsequent changes will require stricter resource constructors
and checks start failing for vcontext_handle (doesn't have ctors).
I can't wrap my head around how vcontext_handle is supposed to be created,
so for now it's downgraded to just int.
Add a constructor for drm_plane_id resource that returns it outside of an array.
Provide more detailed descriptions for DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD/DRM_IOCTL_SYNCOBJ_FD_TO_HANDLE
as they accept/return completely different resources.
Move existing bits of /dev/media descriptions from sys.txt and dev_video4linux.txt
and complete the descriptions.
Also provide more concrete specialization of VIDIOC_QUERYBUF ioctl.
Add ioctl specialization that serves as fd_v4l2_buffer resource constructor
(returns it outside of a union).
The ioctls actually return the dmabuf fd that can be used in other APIs.
The comment says:
// ION support was removed from kernel.
// We plan to leave the descriptions for some time as is and later remove them.
NL802154_IFTYPE_UNSPEC value was changed in kernel commit 451dc48c806a7ce9fbec5e7a24ccf4b2c936e834.
dev_msr consts were not generated for non-x86 arches.
Remove all uses of len/flags/const/proc types in explicitly marked out fields.
Use of these types for out fields does not make sense:
a len[b, int32] (out)
b flags[foo, int32] (out)
Since the kernel fills these fields, these are unnecessary details or bugs in descriptions.
In particular all of these are actually bugs:
ioctl$TUNSETQUEUE(fd fd_tun, cmd const[TUNSETQUEUE], arg ptr[in, ifreq_t[flags[tun_queue_flags, int16]]])
ioctl$TUNSETIFF(fd fd_tun, cmd const[TUNSETIFF], arg ptr[in, ifreq_t[flags[tun_setiff_flags, int16]]])
ioctl$SIOCSIFHWADDR(fd fd_tun, cmd const[SIOCSIFHWADDR], arg ptr[in, ifreq_t[mac_addr]])
ioctl$sock_inet_SIOCSIFADDR(fd sock, cmd const[SIOCSIFADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFBRDADDR(fd sock, cmd const[SIOCSIFBRDADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFNETMASK(fd sock, cmd const[SIOCSIFNETMASK], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFDSTADDR(fd sock, cmd const[SIOCSIFDSTADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFPFLAGS(fd sock, cmd const[SIOCSIFPFLAGS], arg ptr[inout, ifreq_t[int32]])
ioctl$SIOCSIFMTU(fd sock_pppl2tp, cmd const[SIOCSIFMTU], arg ptr[in, ifreq_t[int32]])
ioctl$sock_SIOCETHTOOL(fd sock, cmd const[SIOCETHTOOL], arg ptr[inout, ifreq_t[ptr[inout, ethtool_cmd_u]]])
We pretend that we pass in some flags or addresses, but the ifreq field
was marked as (out), so we actually did not pass anything in.
Remove all uses of direction attributes on union fields
and use out_overlay attribute instead.
The attribute actually does what was the intention behind
use of direction attribute on unions.
The new neighbour flag NTF_STICKY was added upstream in commit
v4.20-rc1~14^2~392.
Signed-off-by: Paul Chaignon <paul@isovalent.com>
The NDA_FLAGS_EXT netlink attribute was added upstream in commit
v5.16-rc1~159^2~222^2~1, to allow for new neighbor flags. The only such
flag currently supported is NTF_EXT_MANAGED.
Signed-off-by: Paul Chaignon <paul@isovalent.com>
The structure used for BPF map creation now has an additional field,
map_extra, introduced in [1] upstream. The definition of that field
depends on the map type being created and is only used by bloom
filter maps for now. For bloom filter maps, the 4 lower bits define
the number of hash functions to use.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9330986c03006
Signed-off-by: Paul Chaignon <paul@isovalent.com>
Commit [1] upstream introduced support for BPF calls to kernel
functions, via a new call instruction BPF_PSEUDO_KFUNC_CALL. In this new
instruction, the immediate value is the BTF ID of the function to call
in the kernel.
This commit introduces basic support for this new instruction in
syzkaller. The immediate value will point to a BTF ID, but a fair amount
of additional work would be required to ensure that BTF ID is actually
pointing to a kernel function.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6ac2450d6dee
Signed-off-by: Paul Chaignon <paul@isovalent.com>
Commit [1] upstream introduced a new BPF helper, bpf_for_each_map_elem,
which comes with callback functions (BPF programs). The callback
function's address is provided via a 64-bit IMM load instruction where
the first 32-bit of the immediate value are the offset from the current
instruction to the start of the callback function. The 64-bit value is
then rewritten into the address of the callback function.
Callback BPF functions are similar to BPF_PSEUDO_CALL functions, except
the offset to the function is converted into an address to be passed to
a BPF helper. The same workaround is thus used to encode the offset in
syzkaller, given we can't currently limit the offset to the program
size.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=69c087ba6225b
Signed-off-by: Paul Chaignon <paul@isovalent.com>
Commit [1] upstream introduced a new way to reference BPF maps in eBPF
instructions. An array of BPF map fds is passed at program load time.
Instructions can then reference fds in this array instead of carrying
the fds directly. The goal is to allow BPF instructions to be immutable
after compilation.
Since we don't yet have a good way to reference indexes in an array, we
define a new type map_fd_id for that purpose, with indexes between 0 and
16 only.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=387544bfa291
Signed-off-by: Paul Chaignon <paul@isovalent.com>
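
An added example, not code from these commits, syzkaller or the kernel, that makes the three instruction forms described in the last three messages concrete: a kernel-function call (BPF_PSEUDO_KFUNC_CALL, imm = BTF id), a callback address loaded with a 64-bit immediate (BPF_PSEUDO_FUNC, imm = offset to the callback), and a map referenced by its position in the fd_array (BPF_PSEUDO_MAP_IDX, imm = index). It also carries the check the callback message says syzkaller cannot make at description level: the verifier resolves a PSEUDO_FUNC or PSEUDO_CALL target as i + imm + 1, and that target has to fall inside the program. The struct and opcode values mirror include/uapi/linux/bpf.h for little-endian hosts and are defined locally; the helper id for bpf_for_each_map_elem is an assumed constant, and every function name is this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirrors struct bpf_insn and the opcode / pseudo values from
 * include/uapi/linux/bpf.h (little-endian bitfield order), defined locally so
 * the example builds without kernel headers. */
struct insn {
	uint8_t code;
	uint8_t dst_reg:4;
	uint8_t src_reg:4;
	int16_t off;
	int32_t imm;
};

#define OP_LD_IMM64 0x18 /* BPF_LD | BPF_DW | BPF_IMM, occupies two slots */
#define OP_MOV64_K  0xb7 /* BPF_ALU64 | BPF_MOV | BPF_K */
#define OP_CALL     0x85 /* BPF_JMP | BPF_CALL */
#define OP_EXIT     0x95 /* BPF_JMP | BPF_EXIT */

enum {
	PSEUDO_CALL = 1,       /* call: imm = offset to a BPF subprogram */
	PSEUDO_KFUNC_CALL = 2, /* call: imm = BTF id of a kernel function */
	PSEUDO_FUNC = 4,       /* ld_imm64: imm = offset to a callback subprogram */
	PSEUDO_MAP_IDX = 5,    /* ld_imm64: imm = index into the fd_array */
};

/* Assumed helper id of bpf_for_each_map_elem (BPF_FUNC_for_each_map_elem). */
#define HELPER_FOR_EACH_MAP_ELEM 164

/* BPF_PSEUDO_KFUNC_CALL; off selects the BTF object in fd_array (0 = vmlinux). */
static struct insn kfunc_call(int32_t btf_id)
{
	struct insn i = { .code = OP_CALL, .src_reg = PSEUDO_KFUNC_CALL, .imm = btf_id };
	return i;
}

/* ld_imm64 with a pseudo source: the first slot carries src_reg and the low
 * 32 bits, the second slot only the high 32 bits (zero for both forms here). */
static void ld_imm64_pseudo(struct insn out[2], uint8_t dst, uint8_t pseudo, int32_t lo)
{
	struct insn first = { .code = OP_LD_IMM64, .dst_reg = dst, .src_reg = pseudo, .imm = lo };
	struct insn second = { 0 };
	out[0] = first;
	out[1] = second;
}

static struct insn mov64_k(uint8_t dst, int32_t k)
{
	struct insn i = { .code = OP_MOV64_K, .dst_reg = dst, .imm = k };
	return i;
}

static struct insn call_helper(int32_t id)
{
	struct insn i = { .code = OP_CALL, .imm = id };
	return i;
}

static struct insn exit_insn(void)
{
	struct insn i = { .code = OP_EXIT };
	return i;
}

/* The verifier resolves a PSEUDO_FUNC / PSEUDO_CALL target as i + imm + 1. */
static long pseudo_target(const struct insn *prog, size_t i)
{
	return (long)i + prog[i].imm + 1;
}

/* True when the instruction at i points at a subprogram inside [0, n). */
static int pseudo_target_in_range(const struct insn *prog, size_t n, size_t i)
{
	long t = pseudo_target(prog, i);
	return t >= 0 && (size_t)t < n;
}

/* Builds: r1 = fd_array[0]; r2 = &callback; r3 = 0; r4 = 0;
 * call bpf_for_each_map_elem; exit;  callback: r0 = 0; exit.
 * Returns the instruction count, 0 if cap is too small. */
static size_t build_for_each_demo(struct insn *prog, size_t cap)
{
	const size_t n = 10, callback = 8;
	if (cap < n)
		return 0;
	ld_imm64_pseudo(&prog[0], 1, PSEUDO_MAP_IDX, 0);
	ld_imm64_pseudo(&prog[2], 2, PSEUDO_FUNC, (int32_t)(callback - 2 - 1));
	prog[4] = mov64_k(3, 0);
	prog[5] = mov64_k(4, 0);
	prog[6] = call_helper(HELPER_FOR_EACH_MAP_ELEM);
	prog[7] = exit_insn();
	prog[8] = mov64_k(0, 0);
	prog[9] = exit_insn();
	return n;
}
```

For the map form to load, the program has to be submitted with bpf_attr.fd_array pointing at the array the index refers to; the index itself is all the instruction stream carries, which is what makes the bytes reusable across loads.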
Signed-off-by: Paul Chaignon <paul@isovalent.com>
* sys/linux/damon.txt: initial description
description of DAMON's interface mounted in debugfs: target_ids, attrs, init_regions, monitor_on
* sys/linux/damon.txt: additional damon interface description added
added DAMON interface descriptions for schemes, kdamond_pid, mk_contexts, rm_contexts
prefix of all the files with damon to avoid colliding naming
* sys/linux/damon.txt: standard copyright statement added
* sys/linux/damon.txt.const: const file of sys/linux/damon.txt added
* sys/linux/damon.txt: type fix of pid to fmt
* dashboard/config/linux/bits/subsystems.yml: damon configs added for Syzbot
* dashboard/config/linux: generated kernel configs with added damon config
* sys/linux/damon.txt: fmt type fix
* sys/linux/damon.txt: read and close syscalls removed
write and read mk_contexts summarized into one syscall
some refining of syscall interfaces
Add description of the new syscall futex_waitv.
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
It's a somewhat common mistake to write comments instead of directives:
#include <foo>
#define FOO BAR
because that's how it's done in C.
In preparation for warning about such cases remove all existing
comments that fake directives.