| Commit message | Author | Age | Files | Lines |
Commit [1] upstream, and subsequent patches, extended the
BPF_PROG_DETACH command to support a new multi-prog object in the BPF
subsystem. It now supports the same fields as BPF_PROG_ATTACH, with
one exception: replace_bpf_fd, which must stay NULL. The reference to
the relative object is supported, as well as the expected revision
number and a set of flags.
1 - 053c8e1f235dc ("bpf: Add generic attach/detach/query API for multi-progs")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Commit [1] upstream, and subsequent patches, extended the
BPF_PROG_ATTACH command to support a new multi-prog object in the BPF
subsystem. In particular, programs can now be attached relative to
another object (relative_obj), a BPF program or link, referenced via
either an fd or a BPF ID (id_or_fd). In addition, a new concept of BPF
revision number was introduced and a revision number can be passed, to
be checked at attach time. Finally, the attachment target can now also
be an ifindex.
1 - 053c8e1f235dc ("bpf: Add generic attach/detach/query API for multi-progs")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Handle torvalds/linux@96b2b072ee62 ("exportfs: allow exporting
non-decodeable file handles to userspace").
Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
Handle torvalds/linux@99668f618062 ("fs: expose LOOKUP_CACHED through
openat2() RESOLVE_CACHED").
Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
Handle torvalds/linux@cf264e1329fb ("cachestat: implement cachestat syscall").
Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
Handle torvalds/linux@b62e71be2110 ("f2fs: support
errors=remount-ro|continue|panic mountoption").
`errors=panic` is not added because it will cause many false positives.
Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
A new netlink command has been added to MPTCP, as well as a few getsockopts.
Add the necessary syzkaller instructions.
Support the new field defined upstream in commit [1].
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47a71c1f9af0
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Commit [1] upstream added a new field to the anonymous struct for the
BPF_PROG_QUERY bpf(2) command, for the kernel to return the attach flags
of the program. This commit adds this field in the syzkaller struct.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b79c9fc9551b
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Commit [1] upstream added support for O_PATH fds in BPF_OBJ_* commands.
This commit implements the same support in syzkaller.
The flag BPF_F_PATH_FD must be set when passing an O_PATH fd to the
BPF_OBJ_* commands. We therefore declare generic and O_PATH-specific
variants of the existing BPF_OBJ structs.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cb8edce2807
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Commit [1] upstream added a new mode for the BPF command BPF_PROG_RUN
when used with an XDP program (type BPF_PROG_TYPE_XDP). This new mode
allows injecting packets to the network stack after they have been
processed by the test BPF program.
This new mode expects specific arguments. Specifically, only the
BPF_F_TEST_XDP_LIVE_FRAMES flag is accepted and data_out & ctx_out must
be NULL.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b530e9e1063ed
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Commit [1] upstream added a new field to the bpf(2) PROG_LOAD command
for the kernel to return the buffer size that would be required to store
all logs. This is an output-only field, so there is probably not much
point in fuzzing it; let's fix it to 0.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47a71c1f9af0
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Commit [1] upstream added support via the bpf(2) PROG_LOAD command to
load BTF CO-RE relocation data. This commit adds basic support for
loading the same data in syzkaller. As usual with BTF, we are pretty
limited in what we can efficiently describe :-(
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fbd94c7afcf9
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Add some new APIs that have been added to io_uring since 6.0.
This parameter barely increases coverage since the tail is always set
to the entry that is written, but it does increase the complexity of
the API and seems to reduce coverage when I run it locally.
Remove it.
In Linux 6.4+ it is not allowed to provide a vma to mmap(2) [1]. Change
the API to request the address from the kernel.
Note: I do not know why this was done in the first place, but it seems
not to be useful.
[1]: https://github.com/torvalds/linux/commit/d808459b2e31bd5123a14258a7a529995db974c8
This is currently in linux-next; make sure it gets tested.
Signed-off-by: Christian Brauner <brauner@kernel.org>
This has been supported for a while but apparently was never added.
Signed-off-by: Christian Brauner <brauner@kernel.org>
Add flag values and update constants.
* sys/linux: fix count_encoders
The count_encoders field gives the length of the encoders_ptr field, not
count_modes field.
* sys/linux: make modes_ptr array of drm_mode_modeinfo structures
The modes_ptr is actually some number of drm_mode_modeinfo structures,
so make the array be properly sized.
* sys/linux: make drm_crtc_id into a resource
Calling the DRM_IOCTL_MODE_GETRESOURCES ioctl gets you available crtc
ids. Make a resource for drm_crtc_id and use it instead of trying to
guess the random number. Mark ioctl$DRM_IOCTL_MODE_GETPLANE as inout as
well so that we know it outputs a drm_crtc_id.
* sys/linux: make encoder_id into a resource
Make a resource for the encoder_id so that the
DRM_IOCTL_MODE_GETCONNECTOR ioctl can generate encoder ids. Otherwise
you have to hope that the random int32 matches the allocated number from
the kernel's idr.
* sys/linux: make prop_id into a resource
The DRM_IOCTL_MODE_GETCONNECTOR can be used to get available properties
and their ids. Otherwise you have to hope that the random int32 matches
the allocated number from the kernel's idr. Make this into a resource so
it can be used in other places as a known value.
* sys/linux: make connector_id into a resource
Use the DRM_IOCTL_GETRESOURCES ioctl to get the connector id. Make the
id into a resource so it can be used throughout instead of guessing the
int32. Similarly mark DRM_IOCTL_GETRESOURCES pointer argument as 'inout'
because the whole structure is an output that is used to get the
resources associated with a card (or fd_dri).
* sys/linux: make fb_id into a resource
Use the DRM_IOCTL_GETRESOURCES ioctl to get the framebuffer id. Make the
id into a resource so it can be used throughout instead of guessing the
int32.
* sys/linux: make a resource for base drm mode object
The drm UAPI treats an object id as generic int32 in the
DRM_IOCTL_MODE_OBJ_GETPROPERTIES ioctl. You use the id along with the
type field to find the properties associated with a particular object.
Make the object id be the base int32 that all other drm mode objects
inherit from.
* sys/linux: split DRM get/set crtc ioctls into two
These ioctls use the same structure but in the "get" case everything
besides the crtc_id is an output and the set_connectors_ptr is unused.
Split the ioctls into two so we can describe the differences.
* sys/linux: drm's DRM_IOCTL_VERSION takes an inout pointer
This is actually an inout pointer. Mark it as such although this
probably won't really do much because no resource is created by this
ioctl.
* sys/linux: indicate in and out for DRM_IOCTL_IRQ_BUSID
Mark the structure argument to this ioctl as inout and indicate that the
irq is the only element that is an output. This clarifies how this ioctl
works, although it is deprecated and is largely useless.
* sys/linux: handles for drm_mode_fb_cmd2 are GEM handles
The handles member of drm_mode_fb_cmd2 is an array of 4 drm_gem_handle
resources. Mark it as such.
* sys/linux: mark pointer to DRM_IOCTL_MODE_GETPLANERESOURCES inout
This ioctl is inout, because it gets the number of planes and their ids.
* sys/linux: add DRM_IOCTL_MODE_GETFB2 ioctl
This ioctl is missing from dev_dri.txt.
SHSTK (Shadow Stack) test file
CET (Control-flow Enforcement Technology) is a security feature that includes
shadow stack and end branch to prevent ROP (Return Oriented Programming)/JOP
(Jump Oriented Programming) attacks from the root cause.
User space SHSTK, which prevents ROP attacks for user space processes, is in
the Linux tip repo:
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=x86/shstk
Add the CET user space SHSTK test file in syzkaller to cover related fuzzing
tests.
Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>
Add a regression test for:
https://github.com/torvalds/linux/commit/1c5950fc6fe996235f1d18539b9c6b64b597f50f
The msm gpu driver has a submit queue and some associated ioctls for it.
The driver uses an 'id' to identify an element in the queue. Make a
resource for this id and update the descriptions to use the resource so
we can provide better hints about what sorts of numbers to try here.
This comment is no longer relevant once we removed fd_msm_fence.
The handle is an output value, used for other gem handle inputs. Mark it
as such to clarify where gem handles come from.
Add test program for ioctl$IOMMU_TEST_OP_MD_CHECK_MAP and
ioctl$IOMMU_TEST_OP_MD_CHECK_REFS to hit them quickly.
Signed-off-by: yantingj <yanting.jiang@intel.com>
The syscall sets the PKRU register, which is part of protection keys (pkey).
Background:
Linux kernel v6.2-rc1 and later versions have merged IOMMU_TEST_OP_MD_CHECK_MAP
and IOMMU_TEST_OP_MD_CHECK_REFS ioctl syscalls:
https://elixir.bootlin.com/linux/v6.2-rc1/source/drivers/iommu/iommufd/iommufd_test.h#L13
The Problem:
Syzkaller accidentally found a bug related to IOMMU_TEST_OP_MD_CHECK_REFS after
about 3 weeks of fuzzing, and Jason Gunthorpe fixed it after the issue report:
Reported link: https://lore.kernel.org/all/Y%2FhOiilV1wJvu%2FHv@xpf.sh.intel.com/
Final fixed patch: https://lore.kernel.org/linux-iommu/0-v1-95390ed1df8d+8f-iommufd_mock_overflow_jgg@nvidia.com/
The Improvement:
To let syzkaller hit IOMMU_TEST_OP_MD_CHECK_MAP and IOMMU_TEST_OP_MD_CHECK_REFS
related syscalls easily and quickly, add these 2 new iommufd ioctl syscall
descriptions:
1. ioctl$IOMMU_TEST_OP_MD_CHECK_MAP(...);
2. ioctl$IOMMU_TEST_OP_MD_CHECK_REFS(...).
Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>
We already try as hard as possible to not generate escaping (global) filenames.
However, it's possible we read them from the corpus if it happens to contain some.
Also check for escaping filenames during deserialization.
Fixes #3678
Fill fake images with unique 4-byte values.
This allows hints mutation to easily guess magic numbers and checksums.