Commit message | Author | Age | Files | Lines
NL802154_IFTYPE_UNSPEC value was changed in kernel commit 451dc48c806a7ce9fbec5e7a24ccf4b2c936e834.
dev_msr consts were not generated for non-x86 arches.
Remove all uses of len/flags/const/proc types in explicitly marked out fields.
Use of these types for out fields does not make sense:
a len[b, int32] (out)
b flags[foo, int32] (out)
Since the kernel fills these fields, these are unnecessary details or bugs in descriptions.
In particular, all of these are actually bugs:
ioctl$TUNSETQUEUE(fd fd_tun, cmd const[TUNSETQUEUE], arg ptr[in, ifreq_t[flags[tun_queue_flags, int16]]])
ioctl$TUNSETIFF(fd fd_tun, cmd const[TUNSETIFF], arg ptr[in, ifreq_t[flags[tun_setiff_flags, int16]]])
ioctl$SIOCSIFHWADDR(fd fd_tun, cmd const[SIOCSIFHWADDR], arg ptr[in, ifreq_t[mac_addr]])
ioctl$sock_inet_SIOCSIFADDR(fd sock, cmd const[SIOCSIFADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFBRDADDR(fd sock, cmd const[SIOCSIFBRDADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFNETMASK(fd sock, cmd const[SIOCSIFNETMASK], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFDSTADDR(fd sock, cmd const[SIOCSIFDSTADDR], arg ptr[inout, ifreq_t[sockaddr_in]])
ioctl$sock_inet_SIOCSIFPFLAGS(fd sock, cmd const[SIOCSIFPFLAGS], arg ptr[inout, ifreq_t[int32]])
ioctl$SIOCSIFMTU(fd sock_pppl2tp, cmd const[SIOCSIFMTU], arg ptr[in, ifreq_t[int32]])
ioctl$sock_SIOCETHTOOL(fd sock, cmd const[SIOCETHTOOL], arg ptr[inout, ifreq_t[ptr[inout, ethtool_cmd_u]]])
We pretend that we pass in some flags or addresses, but the ifreq field
was marked as (out), so we actually did not pass anything in.
Remove all uses of direction attributes on union fields
and use out_overlay attribute instead.
The attribute actually does what was intended by the use of
the direction attribute on unions.
The new neighbour flag NTF_STICKY was added upstream in commit
v4.20-rc1~14^2~392.
Signed-off-by: Paul Chaignon <paul@isovalent.com>
The NDA_FLAGS_EXT netlink attribute was added upstream in commit
v5.16-rc1~159^2~222^2~1, to allow for new neighbor flags. The only such
flag currently supported is NTF_EXT_MANAGED.
Signed-off-by: Paul Chaignon <paul@isovalent.com>
The structure used for BPF map creation now has an additional field,
map_extra, introduced in [1] upstream. The definition of that field
depends on the map type being created and is only used by bloom
filter maps for now. For bloom filter maps, the 4 lower bits define
the number of hash functions to use.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9330986c03006
Signed-off-by: Paul Chaignon <paul@isovalent.com>
Commit [1] upstream introduced support for BPF calls to kernel
functions, via a new call instruction BPF_PSEUDO_KFUNC_CALL. In this new
instruction, the immediate value is the BTF ID of the function to call
in the kernel.
This commit introduces basic support for this new instruction in
syzkaller. The immediate value will point to a BTF ID, but a fair amount
of additional work would be required to ensure that BTF ID is actually
pointing to a kernel function.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6ac2450d6dee
Signed-off-by: Paul Chaignon <paul@isovalent.com>
Commit [1] upstream introduced a new BPF helper, bpf_for_each_map_elem,
which comes with callback functions (BPF programs). The callback
function's address is provided via a 64-bit IMM load instruction where
the first 32 bits of the immediate value are the offset from the current
instruction to the start of the callback function. The 64-bit value is
then rewritten into the address of the callback function.
Callback BPF functions are similar to BPF_PSEUDO_CALL functions, except
the offset to the function is converted into an address to be passed to
a BPF helper. The same workaround is thus used to encode the offset in
syzkaller, given we can't currently limit the offset to the program
size.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=69c087ba6225b
Signed-off-by: Paul Chaignon <paul@isovalent.com>
Commit [1] upstream introduced a new way to reference BPF maps in eBPF
instructions. An array of BPF map fds is passed at program load time.
Instructions can then reference fds in this array instead of carrying
the fds directly. The goal is to allow BPF instructions to be immutable
after compilation.
Since we don't yet have a good way to reference indexes in an array, we
define a new type map_fd_id for that purpose, with indexes between 0 and
16 only.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=387544bfa291
Signed-off-by: Paul Chaignon <paul@isovalent.com>
Signed-off-by: Paul Chaignon <paul@isovalent.com>
* sys/linux/damon.txt: initial description
description of DAMON's interface mounted in debugfs: target_ids, attrs, init_regions, monitor_on
* sys/linux/damon.txt: additional damon interface description added
added DAMON interface descriptions for schemes, kdamond_pid, mk_contexts, rm_contexts
prefixed all the files with damon to avoid naming collisions
* sys/linux/damon.txt: standard copyright statement added
* sys/linux/damon.txt.const: const file of sys/linux/damon.txt added
* sys/linux/damon.txt: type fix of pid to fmt
* dashboard/config/linux/bits/subsystems.yml: damon configs added for Syzbot
* dashboard/config/linux: generated kernel configs with added damon config
* sys/linux/damon.txt: fmt type fix
* sys/linux/damon.txt: read and close syscalls removed
write and read mk_contexts summarized into one syscall
some refining of syscall interfaces
Add description of the new syscall futex_waitv.
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
It's a somewhat common mistake to write comments instead of directives:
#include <foo>
#define FOO BAR
because that's how it's done in C.
In preparation for warning about such cases remove all existing
comments that fake directives.
Fix missed includes and renamed constants and regenerate const files on 89d714ab60.
Syzkaller runs KVM until it exits and this is considered the end of
the KVM_RUN syscall. We can do a bit more with a VM if the exit was
legit (for example MMIO access or a hypercall). In such cases
the userspace emulates the request and stores the result in
the kvm_run struct (mmapped from vcpu_fd) which the next KVM_RUN
checks.
This defines specialized mmap and syz_memcpy_off to allow Syzkaller
to fuzz the kvm_run struct with focus on the part where the huge union is.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
---
Changes:
v4:
* defined offset/size constants
* re-autogenerated dev_kvm.txt.const
v3:
* fixed syz_memcpy_off's src size
v2:
* limited changes to dev_kvm.txt instead of defining all new
syz_kvm_run.
Add description for:
67f1e027c270 drivers/cdrom: improved ioctl for media change detection
Signed-off-by: Denis Efremov <efremov@linux.com>
O_ACCMODE is used for ioctl-only opens in the floppy driver.
Drop O_CREAT, O_DIRECTORY, O_EXCL, O_LARGEFILE, O_NOCTTY,
O_NOFOLLOW, O_PATH and __O_TMPFILE flags. They don't affect
/dev/fd0.
Signed-off-by: Denis Efremov <efremov@linux.com>
Create one instance of binderfs per process and add descriptions to
enable syzkaller to create binderfs mounts and binder devices itself.
Keep descriptions compatible with the legacy mode (when devices are
created at boot time).
Two new ioctls were added, plus some new flags:
https://elixir.bootlin.com/linux/v5.15-rc6/source/include/uapi/linux/userfaultfd.h#L82
It has been extended in the kernel, see:
https://elixir.bootlin.com/linux/v5.15-rc6/source/include/uapi/linux/tcp.h#L348
See https://elixir.bootlin.com/linux/v5.15-rc6/source/include/uapi/linux/futex.h#L11
and https://elixir.bootlin.com/linux/v5.15-rc6/source/include/uapi/linux/seccomp.h#L118
See: https://elixir.bootlin.com/linux/v5.15-rc6/source/include/uapi/linux/batman_adv.h#L692
See: https://elixir.bootlin.com/linux/v5.15-rc6/source/mm/secretmem.c#L194
Add descriptions of the new BINDER_FREEZE, BINDER_GET_FROZEN_INFO
and BINDER_ENABLE_ONEWAY_SPAM_DETECTION.
See: https://elixir.bootlin.com/linux/v5.15-rc6/source/include/uapi/linux/android/binder.h#L249
See: https://elixir.bootlin.com/linux/v5.15-rc6/source/fs/eventpoll.c#L2279
See: https://elixir.bootlin.com/linux/v5.15-rc6/source/mm/oom_kill.c#L1146
Add missing VM/CPU caps and specify type of arguments for each cap.
Cgroup mounts also accept a list of subsystem controllers.
Regenerate const files on the latest upstream tree.
Remove IPX support since it was removed from the kernel
in 7a2e838d28 ("staging: ipx: delete it from the tree").
These may be interesting to test, especially since they are marked as FS_USERNS_MOUNT.
Add new and missing cgroup controls.
O_RDONLY is not really a flag. Not providing O_WRONLY means O_RDONLY.
Signed-off-by: Denis Efremov <efremov@linux.com>
Describe virtual Trusted Platform Module (vTPM) proxy device driver.
Signed-off-by: Denis Efremov <efremov@linux.com>
Create a constructor for the prog.Call type. It allows reducing
code duplication now and during further changes.
We don't support # comments at the end of defines.
This never worked and .const file wasn't even re-generated
(otherwise it would contain ???).
Signed-off-by: Denis Efremov <efremov@linux.com>
Mali GPU is at /dev/mali0 on Android.
Add recvmsg$unix() and recvmmsg$unix().
Update sendmmsg$unix to use the correct type, the old description was using
an array of struct msghdr instead of struct mmsghdr.
Set addr field of msghdr structs to optional.
Update dev_vhci consts as they were updated to use inclusive language in
commits 3d4f9c00492b and 6397729bb74d.
Remove caif_hsi consts as they were removed in commit ca75bcf0a83b.
Remove raw driver ioctls as they were removed in commit 603e4922f1c8.
Syscall `openat$random` should open /dev/random device.
This sets up a page table to map the text in order to exercise
more code paths in the KVM.
This defines flags to control the MMU state. When enabled, this
creates a simple page table at the 64K offset and maps all the RAM.
The fuzzer code is placed right after the table.
The flags are:
IR - enables MMU for instruction fetches
DR - enables MMU for data loads/stores
PR - "problem state", i.e. userspace (implies DR and IR)
PID1 - initializes a process table for PID>0 (PID#0 is used by the VM OS
normally)
This adds a simple "syz_kvm_setup_cpu_ppc64" syz-test with MSR=IR|DR|LE
which is a typical Linux kernel mode.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
Turns out the ifuzz on powerpc did not ever properly work. This fixes
syz_kvm_setup_cpu$ppc64:
Enable the PAPR KVM capability (otherwise KVM_RUN fails right away).
Finish generated sequences with the software debug breakpoint as
there is no equivalent of x86's "hlt" on POWER and otherwise KVM won't exit.
Add exception handlers, use the software debug breakpoint instruction
to trigger immediate exit from KVM with the only exception of
the decrementer interrupt handler (timer) to recharge the timer and
continue.
Define and use endianness selection flag (Big vs. Little endian).
Define the code generator similar to kvm_gen.cc which for now contains
2 simple tests and the decrementer interrupt handler code.
Add test cases to the executor so "bin/linux_ppc64le/syz-executor test"
can run some sensible tests. The tests copy 0xbadc0de around, similar
to x86, and use gpr[3] as the return value register (similar to EAX).
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>