| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
kcov device. Prevents a use-after-free, note I've never seen this one in
practice.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
which allows coverage of timeouts executed from softclock to be
collected.
During boot, a dedicated coverage buffer per CPU is allocated which is
used to collect coverage in interrupts.
The kcov implementation in Linux recently added the same functionality.
ok mpi@
|
|
|
|
|
|
|
| |
entries to claim in the coverage buffer. In preparation for some
upcoming changes.
ok mpi@ as part of a larger diff
|
| |
|
|
|
|
| |
in dev/kcov.c; therefore move it to dev/kcov.c.
|
| |
|
|
|
|
| |
the introduction of the remote barrier in revision 1.26.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
no other thread is currently within a remote section. Otherwise, the
remote subsystem could end up in a broken state where it doesn't reset
the necessary bits upon leaving the remote section.
Therefore introduce the kr_barrier() routine which waits until all
ongoing remote sections have been left. Also, extend the scope of the
mutex to also cover fields of struct kcov_dev. This is necessary to
ensure correctness.
Reported-by: syzbot+64122a5f01be1b1abb96@syzkaller.appspotmail.com
|
|
|
|
| |
something more generic. It will soon cover the whole kcov subsystem.
|
| |
|
|
|
|
|
|
|
|
| |
let kr_free() do the work. Otherwise a thread currently inside a remote
section could end up not decrementing the number of ongoing sections
while exiting the same remote section.
Reported-by: syzbot+1252e696865efc29b767@syzkaller.appspotmail.com
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
from threads other than the one currently having kcov enabled. A thread
with kcov enabled occasionally delegates work to another thread,
collecting coverage from such threads improves the ability of syzkaller
to correlate side effects in the kernel caused by issuing a syscall.
Remote coverage is divided into subsystems. The only supported subsystem
right now collects coverage from scheduled tasks and timeouts on behalf
of a kcov enabled thread. In order to make this work `struct task' and
`struct timeout' must be extended with a new field keeping track of the
process that scheduled the task/timeout. Both aforementioned structures
have therefore increased with the size of a pointer on all
architectures.
The kernel API is documented in a new kcov_remote_register(9) manual.
Remote coverage is also supported by kcov on NetBSD and Linux.
ok mpi@
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new routine kd_claim() returns the next available entry in the
buffer. Since the first element in the buffer is reserved to hold the
number of entries, zero can be used as a sentinel value meaning that the
buffer is full.
A mere preparation for upcoming remote coverage support in which the
buffer can be accessed by multiple threads concurrently.
ok mpi@ as part of a larger diff
|
|
|
|
| |
reuse.
|
|
|
|
| |
kcov_exit().
|
|
|
|
|
|
| |
This could happen if curproc had kcov enabled while panicking.
ok mpi@ visa@
|
| |
|
|
|
|
|
|
|
| |
panicked, extract common parts between the two coverage collection
functions to a new helper called kd_curproc(). While here, sprinkle a
few branch prediction hints borrowed from NetBSD.
ok mpi@ visa@
|
|
|
|
|
|
|
|
| |
memory from the subproc malloc subsystem which is exhausted. Attempt to
circumvent such scenarios by allocation the kcov coverage buffer using
km_alloc() instead.
With help from kettenis@ and ok visa@
|
|
|
|
| |
ok anton@
|
|
|
|
|
|
|
|
|
|
| |
comparison instructions and switch statements are being traced. This mode will
be used during fuzzing to generate even more coverage. The same mode is also
supported by FreeBSD and Linux.
Thanks to jmc@ for improving the manual bits.
ok bluhm@ visa@
|
|
|
|
| |
ok bluhm@ visa@ (as part of a larger diff)
|
| |
|
|
|
|
|
|
| |
existing kcov fd and corrupt the coverage buffer.
ok bluhm@ visa@
|
| |
|
|
|
|
|
|
| |
Thanks to jmc@ for improving the manual bits.
ok deraadt@ mpi@
|
|
|
|
|
|
| |
different trace modes.
ok mpi@
|
|
|
|
|
|
| |
someone else didn't win the race.
ok mpi@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
__sanitizer_cov_trace_pc() early in the boot process caused a subtle
crash while booting the secondary CPU(s). On amd64, accessing curcpu
during this period is not safe since its GSBASE register is yet not
written. After the CPU has been booted curproc can also be NULL for a
brief period of time before the idle thread tied to the same CPU has
started. The two problems can simply be avoided by postponing access to
curcpu and curproc until /dev/kcov has been opened at least once.
The end goal here is to allow fuzzing of MP kernels, which already is in
full swing.
This work has gone through many iterations before settling on the least
intrusive change; many thanks for visa@ for reviewing and providing
valuable input.
Issue originally reported by Greg Steuck on tech@ who also took the time
to test all iterations and providing me access to a virtualised OpenBSD
machine for easier testing.
ok mpi@ visa@
|
|
|
|
|
|
|
| |
used outside of dev/kcov.c. Nowadays, struct proc includes a kcov pointer and it
therefore deserves a more descriptive name.
Prodded by visa@; ok deraadt@ visa@
|
|
|
|
|
|
|
|
|
| |
thread basis instead of process. The decision to enable on process made
development easier initially but could lead to non-deterministic results for
processes with more than one thread. This behavior matches the implementation
found on both Linux and FreeBSD.
With help and ok mpi@ visa@
|
|
|
|
|
|
|
|
|
|
|
|
| |
pseudo-device, get rid of the option. Enabling kcov now requires the following
line to be added to the kernel config:
pseudo-device kcov 1
This is how pseudo devices are enabled in general. A side-effect of this change
is that dev/kcov.c will no longer be compiled by default.
Prodded by deraadt@; ok mpi@ visa@
|
|
with the syzkaller kernel fuzzer. So far, 8 distinct panics have been found and
fixed. This effort will continue.
kcov is limited to architectures using Clang as their default compiler and is
not enabled by default.
With help from mpi@, thanks!
ok kettenis@ mpi@ visa@
|