08 Dec, 2016

1 commit

  • In __sanitizer_cov_trace_pc we use task_struct and fields within it, but
    as we haven't included , it is not guaranteed to be
    defined. While we usually happen to acquire the definition through a
    transitive include, this is fragile (and hasn't been true in the past,
    causing issues with backports).

    Include to avoid any fragility.

    [mark.rutland@arm.com: rewrote changelog]
    Link: http://lkml.kernel.org/r/1481007384-27529-1-git-send-email-wangkefeng.wang@huawei.com
    Signed-off-by: Kefeng Wang
    Acked-by: Mark Rutland
    Cc: Dmitry Vyukov
    Cc: Andrey Ryabinin
    Cc: James Morse
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Kefeng Wang
     

28 Oct, 2016

1 commit

  • in_interrupt() returns a nonzero value when we are either in an
    interrupt or have bh disabled via local_bh_disable(). Since we are
    interested in only ignoring coverage from actual interrupts, do a proper
    check instead of just calling in_interrupt().

    As a result of this change, kcov will start to collect coverage from
    within local_bh_disable()/local_bh_enable() sections.

    Link: http://lkml.kernel.org/r/1476115803-20712-1-git-send-email-andreyknvl@google.com
    Signed-off-by: Andrey Konovalov
    Acked-by: Dmitry Vyukov
    Cc: Nicolai Stange
    Cc: Andrey Ryabinin
    Cc: Kees Cook
    Cc: James Morse
    Cc: Vegard Nossum
    Cc: Quentin Casasnovas
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrey Konovalov
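
The distinction drawn in the commit message above, modelled in user space as an added example (not code from the patch). The bit widths follow the preempt_count layout in the kernel's include/linux/preempt.h; the function names are hypothetical, and the narrower mask is an assumption about what a "proper check" looks like, not a copy of the change.

```c
#include <stdio.h>

/* Added example: user-space model of the kernel's preempt_count bit layout. */
#define PREEMPT_BITS  8
#define SOFTIRQ_BITS  8
#define HARDIRQ_BITS  4
#define NMI_BITS      1
#define SOFTIRQ_SHIFT PREEMPT_BITS
#define HARDIRQ_SHIFT (SOFTIRQ_SHIFT + SOFTIRQ_BITS)
#define NMI_SHIFT     (HARDIRQ_SHIFT + HARDIRQ_BITS)
#define FIELD(bits, shift) (((1UL << (bits)) - 1) << (shift))
#define SOFTIRQ_MASK  FIELD(SOFTIRQ_BITS, SOFTIRQ_SHIFT)
#define HARDIRQ_MASK  FIELD(HARDIRQ_BITS, HARDIRQ_SHIFT)
#define NMI_MASK      FIELD(NMI_BITS, NMI_SHIFT)
#define SOFTIRQ_OFFSET (1UL << SOFTIRQ_SHIFT)       /* added while a softirq handler runs */
#define HARDIRQ_OFFSET (1UL << HARDIRQ_SHIFT)       /* added while a hardirq handler runs */
#define SOFTIRQ_DISABLE_OFFSET (2 * SOFTIRQ_OFFSET) /* added by local_bh_disable() */

/* What in_interrupt() tests: any bit set in the softirq field counts. */
int skip_with_in_interrupt(unsigned long count)
{
    return (count & (HARDIRQ_MASK | SOFTIRQ_MASK | NMI_MASK)) != 0;
}

/* Narrower test: only the "serving softirq" bit of the softirq field. */
int skip_only_real_interrupts(unsigned long count)
{
    return (count & (HARDIRQ_MASK | SOFTIRQ_OFFSET | NMI_MASK)) != 0;
}

int main(void)
{
    /* Constructed preempt_count values for four contexts. */
    struct { const char *ctx; unsigned long count; } s[] = {
        { "task",               0 },
        { "local_bh_disable()", SOFTIRQ_DISABLE_OFFSET },
        { "serving softirq",    SOFTIRQ_OFFSET },
        { "hardirq",            HARDIRQ_OFFSET },
    };
    for (unsigned i = 0; i < sizeof(s) / sizeof(s[0]); i++)
        printf("%-20s in_interrupt-style skip=%d  narrow skip=%d\n", s[i].ctx,
               skip_with_in_interrupt(s[i].count),
               skip_only_real_interrupts(s[i].count));
    return 0;
}
```

Only the local_bh_disable() row differs between the two columns, which is the section the commit message says starts producing coverage.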
     

15 Jun, 2016

1 commit

  • Since commit 49d200deaa68 ("debugfs: prevent access to removed files'
    private data"), a debugfs file's file_operations methods get proxied
    through lifetime aware wrappers.

    However, only a certain subset of the file_operations members is supported
    by debugfs and ->mmap isn't among them -- it appears to be NULL from the
    VFS layer's perspective.

    This behaviour breaks the /sys/kernel/debug/kcov file introduced
    concurrently with commit 5c9a8750a640 ("kernel: add kcov code coverage").

    Since that file never gets removed, there is no file removal race and thus,
    a lifetime checking proxy isn't needed.

    Avoid the proxying for /sys/kernel/debug/kcov by creating it via
    debugfs_create_file_unsafe() rather than debugfs_create_file().

    Fixes: 49d200deaa68 ("debugfs: prevent access to removed files' private data")
    Fixes: 5c9a8750a640 ("kernel: add kcov code coverage")
    Reported-by: Sasha Levin
    Signed-off-by: Nicolai Stange
    Signed-off-by: Greg Kroah-Hartman

    Nicolai Stange
     

29 Apr, 2016

2 commits

  • Profiling 'if' statements in __sanitizer_cov_trace_pc() leads to
    unbound recursion and crash:

    __sanitizer_cov_trace_pc() ->
    ftrace_likely_update ->
    __sanitizer_cov_trace_pc() ...

    Define DISABLE_BRANCH_PROFILING to disable this tracer.

    Signed-off-by: Andrey Ryabinin
    Cc: Dmitry Vyukov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrey Ryabinin
     
  • Kcov causes the compiler to add a call to __sanitizer_cov_trace_pc() in
    every basic block. Ftrace patches in a call to _mcount() to each
    function it has annotated.

    Letting these mechanisms annotate each other is a bad thing. Break the
    loop by adding 'notrace' to __sanitizer_cov_trace_pc() so that ftrace
    won't try to patch this code.

    This patch lets arm64 with KCOV and STACK_TRACER boot.

    Signed-off-by: James Morse
    Acked-by: Dmitry Vyukov
    Cc: Alexander Potapenko
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    James Morse
     

23 Mar, 2016

1 commit

  • kcov provides code coverage collection for coverage-guided fuzzing
    (randomized testing). Coverage-guided fuzzing is a testing technique
    that uses coverage feedback to determine new interesting inputs to a
    system. A notable user-space example is AFL
    (http://lcamtuf.coredump.cx/afl/). However, this technique is not
    widely used for kernel testing due to missing compiler and kernel
    support.

    kcov does not aim to collect as much coverage as possible. It aims to
    collect more or less stable coverage that is a function of syscall inputs.
    To achieve this goal it does not collect coverage in soft/hard
    interrupts and instrumentation of some inherently non-deterministic or
    non-interesting parts of kernel is disabled (e.g. scheduler, locking).

    Currently there is a single coverage collection mode (tracing), but the
    API anticipates additional collection modes. Initially I also
    implemented a second mode which exposes coverage in a fixed-size hash
    table of counters (what Quentin used in his original patch). I've
    dropped the second mode for simplicity.

    This patch adds the necessary support on kernel side. The complementary
    compiler support was added in gcc revision 231296.

    We've used this support to build syzkaller system call fuzzer, which has
    found 90 kernel bugs in just 2 months:

    https://github.com/google/syzkaller/wiki/Found-Bugs

    We've also found 30+ bugs in our internal systems with syzkaller.
    Another (yet unexplored) direction where kcov coverage would greatly
    help is more traditional "blob mutation". For example, mounting a
    random blob as a filesystem, or receiving a random blob over wire.

    Why not gcov. Typical fuzzing loop looks as follows: (1) reset
    coverage, (2) execute a bit of code, (3) collect coverage, repeat. A
    typical coverage can be just a dozen of basic blocks (e.g. an invalid
    input). In such context gcov becomes prohibitively expensive as
    reset/collect coverage steps depend on total number of basic
    blocks/edges in program (in case of kernel it is about 2M). Cost of
    kcov depends only on number of executed basic blocks/edges. On top of
    that, kernel requires per-thread coverage because there are always
    background threads and unrelated processes that also produce coverage.
    With inlined gcov instrumentation per-thread coverage is not possible.

    kcov exposes kernel PCs and control flow to user-space which is
    insecure. But debugfs should not be mapped as user accessible.

    Based on a patch by Quentin Casasnovas.

    [akpm@linux-foundation.org: make task_struct.kcov_mode have type `enum kcov_mode']
    [akpm@linux-foundation.org: unbreak allmodconfig]
    [akpm@linux-foundation.org: follow x86 Makefile layout standards]
    Signed-off-by: Dmitry Vyukov
    Reviewed-by: Kees Cook
    Cc: syzkaller
    Cc: Vegard Nossum
    Cc: Catalin Marinas
    Cc: Tavis Ormandy
    Cc: Will Deacon
    Cc: Quentin Casasnovas
    Cc: Kostya Serebryany
    Cc: Eric Dumazet
    Cc: Alexander Potapenko
    Cc: Kees Cook
    Cc: Bjorn Helgaas
    Cc: Sasha Levin
    Cc: David Drysdale
    Cc: Ard Biesheuvel
    Cc: Andrey Ryabinin
    Cc: Kirill A. Shutemov
    Cc: Jiri Slaby
    Cc: Ingo Molnar
    Cc: Thomas Gleixner
    Cc: "H. Peter Anvin"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Dmitry Vyukov
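
The reset/execute/collect loop described in the commit message above, seen from user space, as an added example (not code from the commit). The ioctl numbers are those of the kernel's uapi header linux/kcov.h; kcov_copy_pcs, kcov_trace_one, sample_syscall and COVER_WORDS are hypothetical names, and the path assumes debugfs is mounted at /sys/kernel/debug.

```c
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

/* ioctl numbers as in the kernel's uapi header <linux/kcov.h> */
#define KCOV_INIT_TRACE _IOR('c', 1, unsigned long)
#define KCOV_ENABLE     _IO('c', 100)
#define KCOV_DISABLE    _IO('c', 101)
#define COVER_WORDS     (64UL << 10)  /* buffer size in words (arbitrary) */

/* Word 0 is the number of recorded PCs; the PCs follow from word 1.
 * Clamp the count so a bogus value never indexes past the buffer. */
size_t kcov_copy_pcs(unsigned long *cover, size_t words,
                     unsigned long *out, size_t max)
{
    if (words == 0) return 0;
    size_t n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);
    if (n > words - 1) n = words - 1;
    if (n > max) n = max;
    for (size_t i = 0; i < n; i++) out[i] = cover[i + 1];
    return n;
}

void sample_syscall(void) { (void)close(-1); }  /* constructed test input */

/* One iteration: (1) reset, (2) execute, (3) collect.
 * Returns PCs copied, or -1 when kcov cannot be used. */
long kcov_trace_one(void (*body)(void), unsigned long *out, size_t max)
{
    long n = -1;
    unsigned long *cover = MAP_FAILED;
    int fd = open("/sys/kernel/debug/kcov", O_RDWR);
    if (fd < 0) return -1;  /* no CONFIG_KCOV, no debugfs, or no permission */
    if (ioctl(fd, KCOV_INIT_TRACE, COVER_WORDS) == 0)
        cover = mmap(NULL, COVER_WORDS * sizeof(*cover),
                     PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (cover != MAP_FAILED && ioctl(fd, KCOV_ENABLE, 0UL) == 0) {
        __atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);      /* (1) */
        body();                                                /* (2) */
        n = (long)kcov_copy_pcs(cover, COVER_WORDS, out, max); /* (3) */
        ioctl(fd, KCOV_DISABLE, 0UL);
    }
    if (cover != MAP_FAILED) munmap(cover, COVER_WORDS * sizeof(*cover));
    close(fd);
    return n;
}

int main(void) { unsigned long pcs[64]; return kcov_trace_one(sample_syscall, pcs, 64) < 0; }
```

The cost of steps (1) and (3) depends only on the count in word 0, not on the size of the kernel, and the -1 path is what an unprivileged caller sees when debugfs is not accessible to it.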