path: root/sys/dev/kcov.c

Commit message (Author, Date, Files, Lines)
* Clear the kcov device for the current thread before freeing the same kcov device. Prevents a use-after-free; note I've never seen this one in practice. (anton, 2020-10-10, 1 file, -2/+3)
* Remove outdated comment. (anton, 2020-10-04, 1 file, -3/+1)
* Collect coverage from interrupts. Currently limited to remote sections, which allows coverage of timeouts executed from softclock to be collected. During boot, a dedicated coverage buffer per CPU is allocated which is used to collect coverage in interrupts. The kcov implementation in Linux recently added the same functionality. ok mpi@ (anton, 2020-10-03, 1 file, -24/+115)
* Make kd_claim() accept an explicit argument representing the number of entries to claim in the coverage buffer. In preparation for some upcoming changes. ok mpi@ as part of a larger diff (anton, 2020-09-26, 1 file, -10/+13)
* Read curproc once in kcov_remote_enter() and kcov_remote_leave(). (anton, 2020-09-26, 1 file, -6/+10)
* KCOV_BUF_MAX_NMEMB is defined under _KERNEL in sys/kcov.h but only used in dev/kcov.c; therefore move it to dev/kcov.c. (anton, 2020-09-26, 1 file, -1/+2)
* Fix typo in comment. (anton, 2020-09-26, 1 file, -2/+2)
* Remove workaround in kcov_remote_leave() that is no longer needed since the introduction of the remote barrier in revision 1.26. (anton, 2020-09-25, 1 file, -8/+5)
* add missing wakeup for the unlikely dying case (anton, 2020-08-30, 1 file, -1/+3)
* use unique wait messages with msleep_nsec() (anton, 2020-08-30, 1 file, -2/+2)
* Before clearing the kcov descriptor associated with a thread make sure no other thread is currently within a remote section. Otherwise, the remote subsystem could end up in a broken state where it doesn't reset the necessary bits upon leaving the remote section. Therefore introduce the kr_barrier() routine which waits until all ongoing remote sections have been left. Also, extend the scope of the mutex to also cover fields of struct kcov_dev. This is necessary to ensure correctness. Reported-by: syzbot+64122a5f01be1b1abb96@syzkaller.appspotmail.com (anton, 2020-08-29, 1 file, -41/+102)
* Prepare to extend the scope of the kcov remote mutex by renaming it to something more generic. It will soon cover the whole kcov subsystem. (anton, 2020-08-29, 1 file, -21/+21)
* free the correct object when a remote subsystem already is present (anton, 2020-08-28, 1 file, -2/+2)
* When detaching common remote coverage, do not clear any fields. Instead, let kr_free() do the work. Otherwise a thread currently inside a remote section could end up not decrementing the number of ongoing sections while exiting the same remote section. Reported-by: syzbot+1252e696865efc29b767@syzkaller.appspotmail.com (anton, 2020-08-14, 1 file, -5/+7)
* Add support for remote coverage to kcov. Remote coverage is collected from threads other than the one currently having kcov enabled. A thread with kcov enabled occasionally delegates work to another thread; collecting coverage from such threads improves the ability of syzkaller to correlate side effects in the kernel caused by issuing a syscall. Remote coverage is divided into subsystems. The only supported subsystem right now collects coverage from scheduled tasks and timeouts on behalf of a kcov enabled thread. In order to make this work `struct task' and `struct timeout' must be extended with a new field keeping track of the process that scheduled the task/timeout. Both aforementioned structures have therefore increased with the size of a pointer on all architectures. The kernel API is documented in a new kcov_remote_register(9) manual. Remote coverage is also supported by kcov on NetBSD and Linux. ok mpi@ (anton, 2020-08-01, 1 file, -8/+251)
* Make writes to the coverage buffer MP-safe using atomic operations. The new routine kd_claim() returns the next available entry in the buffer. Since the first element in the buffer is reserved to hold the number of entries, zero can be used as a sentinel value meaning that the buffer is full. A mere preparation for upcoming remote coverage support in which the buffer can be accessed by multiple threads concurrently. ok mpi@ as part of a larger diff (anton, 2020-07-31, 1 file, -13/+31)
* Turn anonymous state enum into preprocessor defines, which paves the way for reuse. (anton, 2020-06-07, 1 file, -7/+7)
* Add a comment explaining the interaction between kcovclose() and kcov_exit(). (anton, 2020-05-25, 1 file, -1/+5)
* Prevent kcov from collecting coverage after the kernel has panicked. This could happen if curproc had kcov enabled while panicking. ok mpi@ visa@ (anton, 2020-05-17, 1 file, -1/+8)
* remove unused debug statements (anton, 2020-05-16, 1 file, -26/+1)
* In preparation for stopping coverage collection once the kernel has panicked, extract common parts between the two coverage collection functions to a new helper called kd_curproc(). While here, sprinkle a few branch prediction hints borrowed from NetBSD. ok mpi@ visa@ (anton, 2020-05-16, 1 file, -35/+27)
* During fuzzing, one or many fuzzing processes are often stuck waiting on memory from the subproc malloc subsystem which is exhausted. Attempt to circumvent such scenarios by allocating the kcov coverage buffer using km_alloc() instead. With help from kettenis@ and ok visa@ (anton, 2019-05-19, 1 file, -7/+12)
* armv7 and arm64 also have ci_idepth. ok anton@ (jsg, 2019-05-14, 1 file, -2/+3)
* Add support for a new kcov trace mode called KCOV_MODE_TRACE_CMP where comparison instructions and switch statements are being traced. This mode will be used during fuzzing to generate even more coverage. The same mode is also supported by FreeBSD and Linux. Thanks to jmc@ for improving the manual bits. ok bluhm@ visa@ (anton, 2019-01-20, 1 file, -2/+133)
* Rework conditional for clarity, no functional change. ok bluhm@ visa@ (as part of a larger diff) (anton, 2019-01-20, 1 file, -2/+2)
* backout previous; syzkaller did not cope well with this change (anton, 2019-01-19, 1 file, -2/+2)
* Deny mmap() on enabled kcov fds. Sometimes syzkaller manages to duplicate an existing kcov fd and corrupt the coverage buffer. ok bluhm@ visa@ (anton, 2019-01-16, 1 file, -2/+2)
* Favor ENOTTY for unknown ioctl commands. (anton, 2019-01-03, 1 file, -3/+2)
* Make KIOENABLE accept a mode argument, currently limited to KCOV_MODE_TRACE_PC. Thanks to jmc@ for improving the manual bits. ok deraadt@ mpi@ (anton, 2018-12-27, 1 file, -2/+8)
* Separate kcov descriptor state and trace mode as a first step towards supporting different trace modes. ok mpi@ (anton, 2018-12-27, 1 file, -23/+33)
* In the kcov ioctl(KIOSETBUFSIZE) path, malloc() can sleep. Double check that someone else didn't win the race. ok mpi@ (anton, 2018-12-25, 1 file, -11/+16)
* Make kcov MP-safe. Calling the injected tracing function __sanitizer_cov_trace_pc() early in the boot process caused a subtle crash while booting the secondary CPU(s). On amd64, accessing curcpu during this period is not safe since its GSBASE register is not yet written. After the CPU has been booted curproc can also be NULL for a brief period of time before the idle thread tied to the same CPU has started. The two problems can simply be avoided by postponing access to curcpu and curproc until /dev/kcov has been opened at least once. The end goal here is to allow fuzzing of MP kernels, which already is in full swing. This work has gone through many iterations before settling on the least intrusive change; many thanks to visa@ for reviewing and providing valuable input. Issue originally reported by Greg Steuck on tech@ who also took the time to test all iterations and provided me access to a virtualised OpenBSD machine for easier testing. ok mpi@ visa@ (anton, 2018-12-12, 1 file, -4/+12)
* Rename struct kd -> kcov_dev. The terse name was initially fine since it wasn't used outside of dev/kcov.c. Nowadays, struct proc includes a kcov pointer and it therefore deserves a more descriptive name. Prodded by visa@; ok deraadt@ visa@ (anton, 2018-08-27, 1 file, -19/+18)
* Change kcov semantics: kernel code coverage tracing is now enabled on a per thread basis instead of per process. The decision to enable on process made development easier initially but could lead to non-deterministic results for processes with more than one thread. This behavior matches the implementation found on both Linux and FreeBSD. With help and ok mpi@ visa@ (anton, 2018-08-25, 1 file, -29/+34)
* Rework kcov kernel config. Instead of treating kcov as both an option and a pseudo-device, get rid of the option. Enabling kcov now requires the following line to be added to the kernel config:

      pseudo-device kcov 1

  This is how pseudo devices are enabled in general. A side-effect of this change is that dev/kcov.c will no longer be compiled by default. Prodded by deraadt@; ok mpi@ visa@ (anton, 2018-08-21, 1 file, -5/+1)
* Add kcov(4), a kernel code coverage tracing driver. It's used in conjunction with the syzkaller kernel fuzzer. So far, 8 distinct panics have been found and fixed. This effort will continue. kcov is limited to architectures using Clang as their default compiler and is not enabled by default. With help from mpi@, thanks! ok kettenis@ mpi@ visa@ (anton, 2018-08-19, 1 file, -0/+277)