sys/linux: add syzkaller definitions to fuzz ublk driver #7039
tejavojjala wants to merge 12 commits into google:master from
(force-pushed 8f35a37 to a6e1b67)
#if SYZ_EXECUTOR || __NR_syz_ublk_setup_io_uring || __NR_syz_ublk_setup_queues

static long syz_ublk_setup_io_uring(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
Maybe this one could also be a syzlang description? Compared to other new pseudo syscalls, syz_ublk_setup_io_uring seems to do little on top of the already existing syz_io_uring_setup.
Sorry, didn't get what you mean by that
I meant that syz_ublk_setup_io_uring is just too simple to warrant a pseudo syscall - it only sets a few flags and calls syz_io_uring_setup.
But it seems that there's no easy way to enforce certain flags in syzlang, so let it be as is for now.
(force-pushed 1d16e62 to 0986cc0)
@tejavojjala I don't believe you're in the contributors file, please sign the Google CLA if you haven't already, and add your name to the file as a first commit
(force-pushed 0986cc0 to 878aa8e)
Missed it. Done.
(force-pushed ca02db5 to df84d10)
Please note this CI check failure: https://github.com/google/syzkaller/actions/runs/24360466136/job/71226046590?pr=7039
Yeah, it is failing on presubmit_old. It couldn't find the kernel header. The only way I could think of to fix this is to copy the struct definitions I need into
Oh, interesting. AFAIK so far we've just copy-pasted the structures / consts to
Just in case: @dvyukov do you see any simpler workarounds here?
There are no simpler workarounds for this on Linux. The Linux kernel also copies all definitions for unit tests. |
Thanks, copied the required definitions. |
https://github.com/google/syzkaller/actions/runs/24686410856/job/72197305890?pr=7039
The existing io_uring_sqe type only has 64 bytes of data. For IORING_OP_URING_CMD, 128 bytes are used to support 80 bytes of uring cmd data.
ublk needs IORING_SETUP_SQE128 | IORING_SETUP_CQE32 to work. Without this, the cmds would just fail and the fuzzer wastes time.
All ublk ctrl commands operate on a particular device. Instead of submitting control commands with random device ids using syz_io_uring_submit, it's better to record the ublk dev id as a resource using a custom syzcall. This also lets us capture the fuzzer-generated dev info, which we can use in subsequent syzcalls.
I added custom syzcalls to initialize queues and process IO on them. The queue initialization is pretty complex and it would be very hard for the fuzzer to get it right due to the mmap setup and submitting an SQE with appropriate details for every slot in the queue to indicate ublk readiness of the queue. Also, we need to provide a custom syscall to process IO on the queue. Once the CQE is advanced, we need to send a response back to make progress. It can be hard for the fuzzer to figure out the flow by itself.
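An added example (my own, not code from this PR, from syzkaller or from the ublk driver) for the points in the comment above: a 64-byte SQE leaves only 16 bytes of inline command payload after the fixed fields, IORING_SETUP_SQE128 raises that to 80, every control command names its dev_id inside that payload, and queue readiness means one FETCH_REQ per slot. The UAPI constants and struct layouts are reproduced from linux/io_uring.h and linux/ublk_cmd.h rather than included, in the same spirit as the PR's own copies; the ex_-prefixed helpers, the fd numbers and the buffer addresses in main are assumptions for illustration.

```c
/* Added example, not code from the syzkaller PR or the ublk driver. Constants
 * and layouts are copied from the Linux UAPI headers (linux/io_uring.h,
 * linux/ublk_cmd.h) so this builds without them, as the PR does; every
 * ex_-prefixed name is this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IORING_SETUP_SQE128 (1U << 10) /* 128-byte SQEs */
#define IORING_SETUP_CQE32  (1U << 11) /* 32-byte CQEs */
#define IORING_OP_URING_CMD 46

/* asm-generic ioctl encoding; the UBLK_U_* command ids are ioctl numbers. */
#define EX_IOC_WRITE 1U
#define EX_IOC_READ  2U
#define EX_IOC(dir, type, nr, size) (((uint32_t)(dir) << 30) | \
    ((uint32_t)(size) << 16) | ((uint32_t)(type) << 8) | (uint32_t)(nr))

struct ublksrv_ctrl_cmd {        /* payload of every ublk control command */
    uint32_t dev_id;             /* device the command targets */
    uint16_t queue_id;           /* 0xffff unless the command is per-queue */
    uint16_t len; uint64_t addr; /* user buffer, e.g. ublksrv_ctrl_dev_info */
    uint64_t data[1]; uint16_t dev_path_len; uint16_t pad; uint32_t reserved;
};

struct ublksrv_io_cmd {          /* payload of the per-queue IO commands */
    uint16_t q_id; uint16_t tag;   /* tag = queue slot, 0..depth-1 */
    int32_t result; uint64_t addr; /* addr = data buffer for this slot */
};

#define UBLK_U_CMD_GET_DEV_INFO EX_IOC(EX_IOC_READ, 'u', 0x02, sizeof(struct ublksrv_ctrl_cmd))
#define UBLK_U_CMD_ADD_DEV EX_IOC(EX_IOC_READ | EX_IOC_WRITE, 'u', 0x04, sizeof(struct ublksrv_ctrl_cmd))
#define UBLK_U_IO_FETCH_REQ EX_IOC(EX_IOC_READ | EX_IOC_WRITE, 'u', 0x20, sizeof(struct ublksrv_io_cmd))

/* io_uring_sqe fields a uring_cmd uses, at their UAPI offsets. A plain SQE is
 * 64 bytes, so only cmd[0..15] exist; SQE128 doubles the slot to 80 bytes. */
struct ex_io_uring_sqe128 {
    uint8_t opcode; uint8_t flags; uint16_t ioprio; int32_t fd;     /* 0..7 */
    uint32_t cmd_op; uint32_t pad1;                                  /* 8: UBLK_U_* id */
    uint64_t addr; uint32_t len; uint32_t rw_flags;                  /* 16..31 */
    uint64_t user_data;                                              /* 32 */
    uint16_t buf_index; uint16_t personality; int32_t splice_fd_in;  /* 40..47 */
    uint8_t cmd[80];                                                 /* 48: payload */
};

/* Inline payload bytes an SQE carries under the given io_uring_setup flags. */
size_t ex_sqe_cmd_bytes(unsigned setup_flags)
{
    return ((setup_flags & IORING_SETUP_SQE128) ? 128u : 64u) - offsetof(struct ex_io_uring_sqe128, cmd);
}

/* The 32-byte ublksrv_ctrl_cmd cannot fit the 16 bytes of a plain SQE; the
 * driver rejects uring_cmds from rings set up without SQE128, so they just fail. */
int ex_ublk_ctrl_cmd_fits(unsigned setup_flags)
{
    return sizeof(struct ublksrv_ctrl_cmd) <= ex_sqe_cmd_bytes(setup_flags);
}

/* Both flags the PR sets on every ublk ring. */
int ex_ublk_ring_flags_ok(unsigned f) { unsigned n = IORING_SETUP_SQE128 | IORING_SETUP_CQE32; return (f & n) == n; }

/* Control command on /dev/ublk-control (ctrl_fd) for one specific dev_id. */
void ex_ublk_prep_ctrl_sqe(struct ex_io_uring_sqe128 *sqe, int ctrl_fd, uint32_t cmd_op,
                           uint32_t dev_id, void *buf, uint16_t buf_len, uint64_t user_data)
{
    struct ublksrv_ctrl_cmd cmd = { .dev_id = dev_id, .queue_id = 0xffff,
                                    .len = buf_len, .addr = (uint64_t)(uintptr_t)buf };
    memset(sqe, 0, sizeof(*sqe));
    sqe->opcode = IORING_OP_URING_CMD;
    sqe->fd = ctrl_fd;
    sqe->cmd_op = cmd_op;
    sqe->user_data = user_data;
    memcpy(sqe->cmd, &cmd, sizeof(cmd)); /* dev_id travels inside the SQE payload */
}

/* Queue readiness: one FETCH_REQ per slot (tag) on the device's char fd, each
 * pointing at that slot's buffer. Returns how many SQEs were prepared. */
unsigned ex_ublk_prep_fetch_sqes(struct ex_io_uring_sqe128 *sqes, int char_fd,
                                 uint16_t q_id, unsigned depth, const uint64_t *bufs)
{
    for (unsigned tag = 0; tag < depth; tag++) {
        struct ublksrv_io_cmd io = { .q_id = q_id, .tag = (uint16_t)tag, .addr = bufs[tag] };
        memset(&sqes[tag], 0, sizeof(sqes[tag]));
        sqes[tag].opcode = IORING_OP_URING_CMD;
        sqes[tag].fd = char_fd;
        sqes[tag].cmd_op = UBLK_U_IO_FETCH_REQ;
        sqes[tag].user_data = ((uint64_t)q_id << 16) | tag; /* slot id on completion */
        memcpy(sqes[tag].cmd, &io, sizeof(io));
    }
    return depth;
}

int main(void)
{
    struct ex_io_uring_sqe128 sqe;
    char info[64]; /* constructed stand-in for a ublksrv_ctrl_dev_info buffer */
    printf("payload bytes: plain SQE %zu, SQE128 %zu, ctrl cmd needs %zu\n",
           ex_sqe_cmd_bytes(0), ex_sqe_cmd_bytes(IORING_SETUP_SQE128), sizeof(struct ublksrv_ctrl_cmd));
    ex_ublk_prep_ctrl_sqe(&sqe, 3, UBLK_U_CMD_GET_DEV_INFO, 0, info, sizeof info, 1); /* fd 3: assumed */
    printf("GET_DEV_INFO cmd_op=0x%x targets dev 0\n", sqe.cmd_op);
    return 0;
}
```

Only SQE128 is needed for the payload to fit; ex_ublk_ring_flags_ok checks both flags because that is what the PR sets. Real submission still needs io_uring_setup with those flags and an mmap of the SQ/CQ rings before the SQEs above can be placed, which is the part the PR's syz_ublk_setup_io_uring pseudo-syscall wraps around syz_io_uring_setup.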
(force-pushed bc2a75b to f304ce7)
I am not sure why. When I run syz-env make presubmit_old locally, it does succeed. Taking a look