| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
Which attach types are available to a BPF program depends on its type.
We can encode this using conditional fields to reduce the time syzkaller
loses on unsupported combinations of (program type; attach type).
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
How the attach target field is interpreted depends on the program type
[1], which itself depends on the attach type [2] (defined in
attach_type_to_prog_type upstream). This commit encodes the same in
syzkaller to make the attach target field more precise.
Because attach_type_to_prog_type is a simple n to 1 mapping, we can
encode it as defines. We can then use those defines in conditional
fields for the different types of attach targets.
1 - https://elixir.bootlin.com/linux/v6.10.9/source/kernel/bpf/syscall.c#L4098
2 - https://elixir.bootlin.com/linux/v6.10.9/source/kernel/bpf/syscall.c#L3913
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The id_or_fd union was introduced before we had conditional fields to
represent IDs or fds for BPF programs or links. The union was
overapproximating those specific types.
With conditional fields, we can now use information from other fields to
determine precisely which type from the union is expected. For example,
with BPF_PROG_ATTACH, if BPF_F_ID is the only flag, then the relative_fd
field should be interpreted as a program ID.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
| |
Restrict nft_chain_ids to 1:4 since they wouldn't match otherwise.
Ideally we should keep track of used ids and only choose among them.
|
| |
|
|
|
|
|
|
| |
Use the newer INET and NETDEV families.
Improve some type definitions.
Add missing flags.
Implement nft_inner and nft_last exprs.
Add all nft matches and targets for their respective exprs.
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-irqfd for more details.
|
| |
|
|
|
| |
- use specific flags in kvm_msi and kvm_irq_routing_entry
- add KVM_IRQ_ROUTING_XEN_EVTCHN to kvm_irq_routing_entry_type
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-get-clock for more info.
|
| |
|
|
| |
KVM_IRQ_LINE_STATUS is declared as _IOWR(), so it should be able to return values.
|
| |
|
|
|
|
| |
Both kvm_device_attr_generic and kvm_device_attr_arm64 are passed to
ioctl$KVM_SET_DEVICE_ATTR and ioctl$KVM_GET_DEVICE_ATTR as read-only,
but the `addr` parameter should be marked as inout.
|
| |
|
|
|
|
| |
Despite it only reads data from the kernel, and CPU creation is anyway
handled by syz_kvm_setup_cpu(), adding this ioctl will increase coverage
and potentially trigger interactions with KVM_ARM_VCPU_INIT.
|
| |
|
|
|
|
| |
This ioctl is mentioned at
https://docs.kernel.org/virt/kvm/api.html#kvm-cap-dirty-log-ring-kvm-cap-dirty-log-ring-acq-rel,
but doesn't have its own doc entry.
|
| |
|
|
| |
This is an x86-only ioctl: https://docs.kernel.org/virt/kvm/api.html#kvm-get-xsave2
|
| |
|
|
|
| |
According to https://docs.kernel.org/virt/kvm/api.html#kvm-set-memory-attributes,
this is an x86-only ioctl.
|
| |
|
|
|
|
| |
Certain ioctls accept CPU features as numbers in the range 0..6
(aka KVM_ARM_VCPU_POWER_OFF..KVM_ARM_VCPU_SVE), whereas other
ioctls accept them as a bit mask.
|
| | |
|
| |
|
|
|
|
|
|
| |
Add the capabilities described in https://docs.kernel.org/virt/kvm/api.html,
but previously missing from the descriptions.
Most of these are VM capabilities for x86 and arm64, apart from KVM_CAP_SYNC_REGS,
which is a VCPU capability.
VM/VCPU attribution is poorly documented, so I referred to LXR to figure that out.
|
| | |
|
| |
|
|
|
|
| |
KVM provides a number of vendor-specific hypercall functions that are
hard to discover without explicitly listing their IDs in the descriptions
file.
|
| |
|
|
|
|
|
|
|
| |
According to
https://elixir.bootlin.com/linux/v6.10.9/source/include/uapi/linux/kvm.h,
the third member of `struct kvm_coalesced_mmio_zone` is a union of
`__u32 pad` and `__u32 pio`, where `pio` can be 0 or 1, depending on whether
the user wants to use KVM_MMIO_BUS or KVM_PIO_BUS (see also
https://elixir.bootlin.com/linux/v6.10.9/source/virt/kvm/coalesced_mmio.c#L137)
|
| | |
|
| |
|
|
|
| |
Add automatic_helper attribute and enable it for system calls that are required to properly run automatically generated
descriptions. Enable these system calls when descriptions_mode = `Auto`.
|
| |
|
|
|
|
|
| |
This field was added upstream in commit [1].
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=68ca5d4eebb8
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new BPF_TOKEN_CREATE bpf(2) command was introduced in commit [1]
upstream. This command takes a BPF filesystem fd and returns a BPF
token [2]. This token can then be passed to commands BPF_PROG_LOAD,
BPF_MAP_CREATE, and BPF_BTF_LOAD and the kernel will use it to check if
the operation is allowed. What operations a token allows is defined by
the mount options of the BPF filesystem.
No flags are currently supported for the BPF_TOKEN_CREATE command.
The fd should point to the BPF filesystem, but we don't have a specific
resource for this yet so just point to a generic fd. This command also
doesn't add support for the new mount options.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=35f96de04127
2 - https://lwn.net/Articles/947173/
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
This new field for the bpf(2) command BPF_MAP_CREATE was introduced in
[1] upstream. It is conditioned on both the map type and its flags
(BPF_F_VTYPE_BTF_OBJ_FD).
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fcc2c1fb0651
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-set-user-memory-region2
for more details
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-create-guest-memfd
for more details
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-pre-fault-memory
for details
|
| |
|
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-arm-set-counter-offset
for more details.
|
| |
|
|
| |
See https://docs.kernel.org/virt/kvm/api.html#kvm-arm-vcpu-finalize for details
|
| |
|
|
|
| |
Add KVM_ARM_VCPU_PTRAUTH_ADDRESS, KVM_ARM_VCPU_PTRAUTH_GENERIC, KVM_ARM_VCPU_SVE
from https://docs.kernel.org/virt/kvm/api.html#kvm-arm-vcpu-init
|
| | |
|
| |
|
|
|
| |
Add KVM_GUESTDBG_EXIT_PENDING (s390) and KVM_GUESTDBG_BLOCKIRQ (x86)
that were previously missing.
|
| |
|
|
| |
As per https://docs.kernel.org/virt/kvm/api.html#kvm-get-vcpu-events
|
| |
|
|
|
|
|
|
| |
The new API call will be used to write values to guest memory specified
by base+offset.
Writing to e.g. MMIO registers for VGIC (or any other MMIO ranges) may
result in new coverage.
|
| |
|
|
| |
Add addresses from executor/kvm.h used by guest code on ARM64 to kvm_guest_addrs.
|
| |
|
|
|
|
| |
According to https://docs.kernel.org/virt/kvm/api.html#kvm-ioeventfd,
datam should be the optional expected data value written by
the guest (we keep it random for now), whereas addr is the MMIO address.
|
| |
|
|
| |
Do not specify the attribute input types for now.
|
| |
|
|
|
|
| |
According to https://docs.kernel.org/virt/kvm/devices/vcpu.html,
VCPUs also have device attributes. Add descriptions for ioctls that
manipulate those attributes.
|
| | |
|
| |
|
|
|
|
|
|
| |
Implement basic IRQ controller setup for VMs with a single CPU.
SYZOS_API_IRQ_SETUP sets up the VGICv3 distributor/redistributor and
enables the specified number of SPIs starting from 32.
The default IRQ handler is set up to perform a uexit(-2).
|
| |
|
|
|
| |
The new pseudo-syscall sets up VGICv3 IRQ controller on the host.
That still requires guest setup code, which will be submitted separately.
|
| |
|
|
| |
Added the result of running syz-declextract. Added auto-manual.txt containing necessary manually written descriptions.
|
| | |
|
| |
|
|
| |
default config of the Linux kernel
|
| |
|
|
|
|
|
|
|
| |
and filter syscalls based on architectures
Start generating descriptions directly in syz-declextract. Automatically generated descriptions are marked with "auto"
attribute and parameter names are changed if they use a reserved keyword. By default, all parameters are of type intptr;
This is intended to change later. "run" now produces deterministic output and filters system calls to only allow ones
supported by syzkaller supported architectures, and renames any system calls that need to be renamed.
|
| | |
|
| | |
|
| | |
|
