Implement several performance improvements:
1. Don't run addr2line for the whole binary.
Frequently only a small part of the vmlinux is covered,
running addr2line over the whole binary ahead of time takes an insane amount of time.
Instead run addr2line incrementally only for symbols that have any coverage.
2. Run addr2line in parallel.
3. Instead of running objdump -d on the whole object file to find
coverage points, look for call instructions in the .text section directly.
Currently this is implemented only for amd64.
Also this Go change cuts another 7 seconds:
f92c64045f
(faster iteration over DWARF compile units, should speed up syz-check as well).
Update #2006
The HTML code assumes that files and functions match one-to-one
as they are identified by indices (file_N should match function_N).
Since we only add non-empty functions, this relation is broken
and the report shows function coverage for a random file.
Moreover, since the order is based on map iteration (random each time),
function coverage shown for a file also randomly changes each time.
Follow up to #2074
Add new command line option for exporting coverage information
calculated from rawcover file input into CSV file. The columns of
the exported file are:
Filename - function source file path
Function - function name
Percent - coverage percentage
PCs - number of total program counters
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Add fstab entry to mount the root filesystem read-write after boot. This
has been done with commit 873745 for create-image.sh. Maybe this hint is
not necessary for GCE but it is required when running on other platforms
(e.g. VMware).
Add new page for fuzzing x86-64 Linux kernel on VMware VMs.
It explains how to create a VMDK image and how to run it on Ubuntu host
with Workstation installed. For now only the isolated mode of syzkaller
is supported.
fail()'s are often used during the validation of kernel reactions to
queries that were issued by pseudo syscalls implementations. As fault
injection may cause the kernel not to succeed in handling these
queries (e.g. socket writes or reads may fail), this could ultimately
lead to unwanted "lost connection to test machine" crashes.
In order to avoid this and, on the other hand, to still have the
ability to signal a disastrous situation, the exit code of this
function now depends on the current context.
All fail() invocations during system call execution with enabled fault
injection lead to termination with zero exit code. In all other cases,
the exit code is kFailStatus.
This is achieved by introduction of a special thread-specific variable
`current_thread` that allows access to information about the thread in
which the current code is executing.
Also, this commit eliminates current_cover as it is no longer needed.
nl80211 descriptions depend on a variety of parameters specific to the
wireless devices/networks that we act upon. This patch adjusts these
values to match the hard-coded parameters of the pre-created virtual
wireless devices.
Two virtual wireless devices are instantiated during network devices
initialization.
A new flag (-wifi) is added that controls whether these virtual wifi
devices are instantiated and configured during proc initialization.
Also, two new pseudo syscalls are added:
1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an
arbitrary packet into the wireless stack. It is injected as if it
originated from the device identified by mac_addr.
2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) --
puts a specific network interface into IBSS state and joins an IBSS
network.
Arguments of syz_80211_join_ibss:
1) interface_name -- null-terminated string that identifies
a wireless interface
2) ssid, ssid_len -- SSID of an IBSS network to join
3) mode -- mode of syz_80211_join_ibss operation (see below)
Modes of operation:
JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and
syz_80211_join_ibss waits until the interface reaches IF_OPER_UP.
JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9
seconds), syz_80211_join_ibss does not await IF_OPER_UP.
JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed,
syz_80211_join_ibss does not await IF_OPER_UP.
Local testing ensured that these syscalls are indeed able to set up an
operating network and inject packets into mac80211.
As netlink helpers now include a function to query generic netlink
family id, it makes no sense to duplicate implementation of
essentially the same function.
The code in common_linux.h assumes that nlmsgerr can either be 0 or a
negative value in case of an error. However, this is not always the
case. For example, some commands of mac80211_hwsim use nonnegative
values to indicate success (e.g. HWSIM_CMD_NEW_RADIO returns either a
negative error or a nonnegative radio index). Therefore, negation of
error code inside netlink_send_ext is not correct.
This patch changes this behavior. Now netlink_send_ext returns the
exact value it received via netlink.
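The behaviour change described above, as an added example that is not syzkaller's own netlink helper code: a constructed NLMSG_ERROR reply is parsed by a receiver that negates the error field (the old assumption that it is 0 or negative) and by one that returns it unchanged, so a nonnegative status such as a radio index survives. The struct and function names (hdr, errmsg, recv_negated, recv_exact, roundtrip) are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NLMSG_ERROR_TYPE 2  /* value of NLMSG_ERROR in <linux/netlink.h> */

/* Local mirrors of struct nlmsghdr and struct nlmsgerr from <linux/netlink.h>,
 * declared here so the example builds without kernel headers. */
struct hdr { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
struct errmsg { int32_t error; struct hdr msg; };

/* Return a pointer to the error body, or NULL if buf is not a complete
 * NLMSG_ERROR reply. */
static const struct errmsg *error_body(const void *buf, size_t n) {
    const struct hdr *h = buf;
    if (n < sizeof(*h) + sizeof(struct errmsg) || h->type != NLMSG_ERROR_TYPE)
        return NULL;
    return (const struct errmsg *)((const char *)buf + sizeof(*h));
}

/* Old behaviour: assume error <= 0 and negate it into a positive errno.
 * A nonnegative status such as a radio index 5 is wrongly returned as -5. */
static int recv_negated(const void *buf, size_t n) {
    const struct errmsg *e = error_body(buf, n);
    return e ? -e->error : -EPROTO;
}

/* New behaviour: hand back exactly what the kernel put in the message; the
 * caller knows whether its command reports an index or only an errno. */
static int recv_exact(const void *buf, size_t n) {
    const struct errmsg *e = error_body(buf, n);
    return e ? e->error : -EPROTO;
}

/* Build a constructed NLMSG_ERROR reply carrying the given error field and
 * run it through one of the receivers; exact == 1 selects recv_exact. */
static int roundtrip(int32_t error, int exact) {
    uint32_t buf[16];  /* uint32_t storage keeps the payload 4-byte aligned */
    struct hdr h = { .len = sizeof(struct hdr) + sizeof(struct errmsg), .type = NLMSG_ERROR_TYPE };
    struct errmsg e = { .error = error };
    memcpy(buf, &h, sizeof h);
    memcpy((char *)buf + sizeof h, &e, sizeof e);
    return exact ? recv_exact(buf, h.len) : recv_negated(buf, h.len);
}
```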
This global variable cannot be used for pseudo syscalls as they can
run concurrently (in threaded mode). It can only be used during
initialization, and if initialization routines are not enabled, nlmsg
will become an unused variable.
Since some scripts are executed using "python", create a symlink when "python3" exists
and "python" does not exist, by installing python-is-python3 package.
/bin/sh: 1: python: not found
make[2]: *** [Makefile:364: check_links] Error 127
And populate images with some files,
which should make both mounting and resulting dir more interesting.
Note: this adds 100MB of image files into the repo...
Maybe we need to think of some other way of storing these images...
syz_mount_image tests are very large and TestSysTests takes too long.
syz-imagegen that generates them does some of this testing
(Deserialize/SerializeForExec).
We use bufio.Scanner and it has mandatory limit on line length.
The file system tests (sys/linux/test/syz_mount_image_*) have
very long lines (megabytes).
Remove the restriction on line length.
tools/create_{f2fs,btrfs}_image.sh are... well, shell scripts.
It's hard to scale this approach to more file systems
avoiding duplication and stupid errors while doing proper
error handling and parallelization.
Upgrade syz-imagegen to generate full test files and replace
the shell scripts.
f2fs -O=compression option is removed, it does not seem to be
supported by mkfs.f2fs, it always says:
Error: Wrong features
The shell script used it, but it seems that the way it passed
arguments (in a single '-quoted string) just made mkfs misparse
the arguments (use only the first one?) and so -O=compression
and most other arguments were simply ignored.
Fixes the issue with gcc 10 on Fedora 32 s390x:
In file included from ../../executor/executor.cc:147:
../../executor/common.h: In function ‘void remove_dir(const char*)’:
../../executor/common.h:229:44: error: ‘%s’ directive output may be
truncated writing up to 255 bytes into a region of size between 0 and 4095 [-Werror=format-truncation=]
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
| ^~
../../executor/common.h:229:11: note: ‘snprintf’ output between 2 and 4352 bytes into a destination of size 4096
229 | snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
../../executor/common.h:243:1: error: the frame size of 21200 bytes is larger than 16384 bytes
[-Werror=frame-larger-than=]
243 | }
| ^
cc1plus: all warnings being treated as errors
compiler invocation: gcc [-o /tmp/syz-executor383272105 -DGOOS_test=1 -DGOARCH_64_fork=1 -DHOSTGOOS_linux=1
../../executor/executor.cc -m64 -no-pie -O2 -pthread -Wall -Werror -Wparentheses
-Wunused-const-variable -Wframe-larger-than=16384]
FAIL
FAIL github.com/google/syzkaller/pkg/runtest 0.998s
FAIL
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
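The two gcc 10 diagnostics quoted above, illustrated by an added example that is not syzkaller's executor code: -Wformat-truncation fires because snprintf into a fixed "%s/%s" buffer can silently cut the path, and -Wframe-larger-than fires when a 4096-byte buffer sits on the stack of a function that recurses. The example checks snprintf's return value to detect truncation and moves the buffer to the heap; the names join_path, join_path_alloc, join_fits and PATH_CAP are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_CAP 4096  /* same size as the 4096-byte destination in the warning */

/* Join dir and name into out. Returns 0, or -1 if the result would not fit.
 * snprintf returns the length it wanted to write, so n >= cap means truncated. */
static int join_path(const char *dir, const char *name, char *out, size_t cap) {
    int n = snprintf(out, cap, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= cap) {
        if (cap)
            out[0] = '\0';  /* never hand back a half-written path */
        return -1;
    }
    return 0;
}

/* Heap-allocated variant: the caller's frame stays small even when it is a
 * recursive directory walker. Returns NULL on allocation failure or truncation. */
static char *join_path_alloc(const char *dir, const char *name) {
    char *out = malloc(PATH_CAP);
    if (!out)
        return NULL;
    if (join_path(dir, name, out, PATH_CAP) != 0) {
        free(out);
        return NULL;
    }
    return out;
}

/* Constructed check: a dir of dir_len bytes joined with a 255-byte name (the
 * d_name limit quoted in the warning). Returns 1 if the path fits, 0 if not. */
static int join_fits(size_t dir_len) {
    char *dir = malloc(dir_len + 1), name[256], *p;
    int ok;
    if (!dir)
        return 0;
    memset(dir, 'd', dir_len);
    dir[dir_len] = '\0';
    memset(name, 'n', 255);
    name[255] = '\0';
    p = join_path_alloc(dir, name);
    ok = p != NULL;
    free(p);
    free(dir);
    return ok;
}
```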
create-image.sh assumes that the qemu name and the Debian name for the
target architecture are the same. This is not always true.
For comedy and/or historical reasons, Debian refers to 64-bit little
endian PowerPC as ppc64el, whereas qemu and most other things use ppc64le.
Debian refers to aarch64 as arm64, and 32-bit little endian arm as armel.
Add special cases to handle this.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
In ESA/S390 mode, the CPU is able to address only 31bit of
memory address space. GCC on s390x expects the flag -m31 instead
of -m32 for 32bit code.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>