Hi,
I was able to resolve the above issues and can see that syz-execprog is running all syscalls correctly and not returning 0xfffffffffff.
I packed it with syz-db, but syzkaller tried the same sequence only once in a few hours of fuzzing, and it also mutated it and removed a couple of resources.
Initial corpus provided as part of corpus.db:
r0 = openat$video0(0xffffffffffffff9c, &AUTO='/dev/video0\x00', 0x2, 0x0)
r1 = openat$video1(0xffffffffffffff9c, &AUTO='/dev/v4l-subdev1\x00', 0x2, 0x0)
ioctl$CMD1(r0, 0xc01856c0, &AUTO=@u1={0x10c, 0x8, 0x1, 0x0, &AUTO={<r2=>0x0, nil}})
ioctl$CMD2(r1, 0xc01856c0, &AUTO=@u1={0x102, 0x18, 0x1, 0x00, &AUTO={r2, <r3=>0x0, 0x2, 0xfefefefe, &AUTO=@v1={0x0, AUTO, 0x1, 0x0, &AUTO=[0x8, 0x63c, 0x100, 0x9, 0x7]}}})
ioctl$CMD3(r0, 0xc01856c0, &AUTO=@u1={0x118, 0x20c, 0x1, 0x0, &AUTO={r2, 0x1, [r3], <r4=>0x0}})
ioctl$CMD4(r0, 0xc01856c0, &AUTO=@u4={0x10f, 0x8, 0x1, 0x0, &AUTO={r2, r4}})
ioctl$CMD5(r0, 0xc01856c0, &AUTO=@u1={0x10d, 0x8, 0x1, 0x0, &AUTO={r2, 0x0}})
close$video0(r0)
close$video1(r1)
On the syzkaller dashboard, syzkaller tried this for CMD4:
r0 = openat$video0(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
r1 = openat$video1(0xffffffffffffff9c, &(0x7f0000000280), 0x0, 0x0)
ioctl$CMD1(r0, 0xc01856c0, &(0x7f00000002c0)=@u1={0x10c, 0x8, 0x1, 0x0, &(0x7f0000000300)={<r2=>0x0}})
ioctl$CMD2(r1, 0xc01856c0, &(0x7f0000000340)=@u1={0x102, 0x18, 0x1, 0x0, &(0x7f0000000380)={0x0, <r3=>0x0, 0x0, 0xfefefefe, 0x0}}) // Syzkaller has removed r2 resource from here, due to which this and other subsequent syscalls failed
ioctl$CMD3(r0, 0xc01856c0, &(0x7f0000000440)=@u1={0x118, 0x20c, 0x1, 0x0, &(0x7f0000000480)={r2, 0x1, [r3], <r4=>0x0}})
ioctl$CMD4(r0, 0xc01856c0, &(0x7f00000006c0)=@u4={0x10f, 0x8, 0x1, 0x0, &(0x7f0000000700)={r2, r4}})
Can you please guide me on how to debug the issue? Does syzkaller not always follow resource dependencies? How do I make sure that syzkaller tries the program with the resource dependencies intact? If not, there will be very little coverage in the subsequent dependent calls, as the syscall functions will bail out at the start.
Thanks,
Sachin
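The dependency drop described in the post can be checked mechanically rather than by eye. The script below is an added example, not code from the original message or from the syzkaller project. It reads the two program listings quoted above with a small regex-based reader of syzkaller program text (an assumption: it understands only the `rN = ...` and `<rN=>` resource forms that appear in these listings, plus string literals and `//` comments, not the full syntax), then reports which resource arguments of the seed program were replaced by constants in the same-named call of the mutated program, which seed calls the mutation removed entirely, and whether either program uses a resource before any earlier call defines it. Calls are matched by name, which assumes each syscall name occurs once per program, as in the listings here.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the seed program and the dashboard program quoted in the post.
SEED = r"""
r0 = openat$video0(0xffffffffffffff9c, &AUTO='/dev/video0\x00', 0x2, 0x0)
r1 = openat$video1(0xffffffffffffff9c, &AUTO='/dev/v4l-subdev1\x00', 0x2, 0x0)
ioctl$CMD1(r0, 0xc01856c0, &AUTO=@u1={0x10c, 0x8, 0x1, 0x0, &AUTO={<r2=>0x0, nil}})
ioctl$CMD2(r1, 0xc01856c0, &AUTO=@u1={0x102, 0x18, 0x1, 0x00, &AUTO={r2, <r3=>0x0, 0x2, 0xfefefefe, &AUTO=@v1={0x0, AUTO, 0x1, 0x0, &AUTO=[0x8, 0x63c, 0x100, 0x9, 0x7]}}})
ioctl$CMD3(r0, 0xc01856c0, &AUTO=@u1={0x118, 0x20c, 0x1, 0x0, &AUTO={r2, 0x1, [r3], <r4=>0x0}})
ioctl$CMD4(r0, 0xc01856c0, &AUTO=@u4={0x10f, 0x8, 0x1, 0x0, &AUTO={r2, r4}})
ioctl$CMD5(r0, 0xc01856c0, &AUTO=@u1={0x10d, 0x8, 0x1, 0x0, &AUTO={r2, 0x0}})
close$video0(r0)
close$video1(r1)
"""

MUTATED = r"""
r0 = openat$video0(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
r1 = openat$video1(0xffffffffffffff9c, &(0x7f0000000280), 0x0, 0x0)
ioctl$CMD1(r0, 0xc01856c0, &(0x7f00000002c0)=@u1={0x10c, 0x8, 0x1, 0x0, &(0x7f0000000300)={<r2=>0x0}})
ioctl$CMD2(r1, 0xc01856c0, &(0x7f0000000340)=@u1={0x102, 0x18, 0x1, 0x0, &(0x7f0000000380)={0x0, <r3=>0x0, 0x0, 0xfefefefe, 0x0}}) // r2 replaced by a constant
ioctl$CMD3(r0, 0xc01856c0, &(0x7f0000000440)=@u1={0x118, 0x20c, 0x1, 0x0, &(0x7f0000000480)={r2, 0x1, [r3], <r4=>0x0}})
ioctl$CMD4(r0, 0xc01856c0, &(0x7f00000006c0)=@u4={0x10f, 0x8, 0x1, 0x0, &(0x7f0000000700)={r2, r4}})
"""

LHS_RE = re.compile(r"^r(\d+)\s*=\s*")      # "r0 = call(...)" defines r0
DEF_RE = re.compile(r"<r(\d+)=>")           # "<r2=>0x0" defines r2 inside an arg
USE_RE = re.compile(r"\br(\d+)\b")          # bare "r2" is a use of r2
STR_RE = re.compile(r"'[^']*'")             # string literals never hold resource refs


@dataclass
class Call:
    name: str
    defines: set = field(default_factory=set)
    uses: set = field(default_factory=set)


def parse_program(text):
    """Turn syzkaller program text into a list of Call records (assumed subset of the syntax)."""
    calls = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        call = Call(name="")
        m = LHS_RE.match(line)
        if m:                                  # result resource on the left-hand side
            call.defines.add(int(m.group(1)))
            line = line[m.end():]
        call.name = line.split("(", 1)[0]
        body = STR_RE.sub("''", line)
        call.defines.update(int(d) for d in DEF_RE.findall(body))
        body = DEF_RE.sub("", body)            # what remains of "rN" are real uses
        call.uses.update(int(u) for u in USE_RE.findall(body))
        calls.append(call)
    return calls


def undefined_uses(calls):
    """(call name, resource) pairs where a resource is used before any earlier call defines it."""
    defined, problems = set(), []
    for c in calls:
        problems.extend((c.name, r) for r in sorted(c.uses - defined))
        defined |= c.defines
    return problems


def dropped_dependencies(seed, mutated):
    """Compare a seed program with its mutated descendant, matching calls by name.

    Returns (call name, "dropped", [resources]) when a resource argument of the
    seed call became a constant, and (call name, "removed", []) when the seed
    call is absent from the mutated program.
    """
    by_name = {}
    for c in mutated:
        by_name.setdefault(c.name, c)
    report = []
    for c in seed:
        m = by_name.get(c.name)
        if m is None:
            report.append((c.name, "removed", []))
        elif c.uses - m.uses:
            report.append((c.name, "dropped", sorted(c.uses - m.uses)))
    return report


if __name__ == "__main__":
    seed, mut = parse_program(SEED), parse_program(MUTATED)
    print("undefined uses in seed:   ", undefined_uses(seed))
    print("undefined uses in mutated:", undefined_uses(mut))
    for name, kind, res in dropped_dependencies(seed, mut):
        print(f"{name}: {kind} {' '.join('r%d' % r for r in res)}".rstrip())
```

Note that `undefined_uses` is empty for both programs: the mutated program still defines r2 in CMD1, so it is syntactically well formed even though CMD2 no longer consumes r2. That is why a syntactic check alone cannot explain the lost coverage, and why comparing against the seed (as `dropped_dependencies` does) is the more useful view when triaging what a mutation discarded.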